Fortinet 400 Network Card User Manual
Contents
1. Predefined services (Service name: Description. Protocol/Port)
   H323: H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) that defines how audiovisual conferencing data is transmitted across networks. tcp 1720, 1503
   HTTP: HTTP is the protocol used by the World Wide Web for transferring data for web pages. tcp 80
   HTTPS: HTTP with secure socket layer (SSL) service for secure communication with web servers. tcp 443
   IKE: IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC. udp 500
   IMAP: Internet Message Access Protocol is a protocol used for retrieving email messages. tcp 143
   Internet Locator Service: Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL. tcp 389
   IRC: Internet Relay Chat allows people connected to the Internet to join live discussions. tcp 6660-6669
   L2TP: L2TP is a PPP-based tunnel protocol for remote access. tcp 1701
   LDAP: Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389
   NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium. tcp 1720
   NFS: Network File System allows network users to access shared files stored on computers of different types. tcp 111, 2049
   NNTP: Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages. tcp 119
   NTP: Net
2. Deleting RADIUS servers
   You cannot delete RADIUS servers that have been added to user groups.
   1. Go to User > RADIUS.
   2. Select Delete beside the RADIUS server name that you want to delete.
   3. Select OK.
   204 Fortinet Inc.
   Configuring LDAP support
   If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.
   The FortiGate unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.
   LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (packet authentication protocol) is sup
3. To set Prevention signature threshold values
   1. Go to NIDS > Prevention.
   2. Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
   3. Type the Threshold value.
   4. Select the Enable check box.
   5. Select OK.
   Configuring synflood signature values
   For synflood signatures you can set the threshold, queue size, and keep alive values.
   Value: Description (minimum value / maximum value / default value)
   Threshold: Number of SYN requests sent to a destination host or server per second. If the SYN requests are being sent to all ports on the destination (as opposed to just one port), the threshold quadruples (4x). (30 / 3000 / 200)
   Queue Size: Maximum number of proxied connections that the FortiGate unit handles. The FortiGate unit discards additional proxy requests. (10 / 10240 / 1024)
   Timeout: Number of seconds for the SYN cookie to keep a proxied connection alive. This value limits the size of the proxy connection table. (3 / 60 / 15)
   1. Go to NIDS > Prevention.
   2. Select Modify for the synflood signature.
   3. Type the Threshold value.
   4. Type the Queue Size.
   5. Type the Timeout value.
   6. Select the Enable check box. Alternatively, select the synflood Enable check box in the Prevention signature list.
   7. Select OK.
   Logging
4. (Table of contents fragment)
   ... 47
   Using the command line interface ... 47
   Configuring the FortiGate unit to operate in NAT/Route mode ... 47
   Connecting the FortiGate unit to your networks ... 49
   Configuring your network ... 50
   Completing the configuration ... 50
   Configuring interfaces ... 50
   Configuring interface [heading illegible] ... 51
   Setting the date and time ... 51
   Enabling antivirus protection ... 51
   Registering your FortiGate unit ... 51
   Configuring virus and attack definition updates ... 52
   Configuration example: Multiple connections to the Internet ... 52
   Configuring ping servers ... 53
   Destination based routing
5. (Manual key tunnel list fragment; tabs: Manual Key, Phase 2, Phase 1, Concentrator)
   Remote gateway / Lifetime / Timeout / Proxy ID Source / Proxy ID Destination
   192.168.100.124 / 1800 secs / 79 / 14.14.14.0 255.255.255.0 / 192.168.100.124 255.255.255.255
   192.168.100.40 / 1800 secs / 3585 / 14.14.14.0 255.255.255.0 / 192.168.100.40 255.255.255.255
   To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiGate unit.
   To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
   PPTP and L2TP VPN
   You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are Windows standards, PPTP and L2TP do not require third-party software on the client computer. So long as the Internet Service Provider supports PPTP and L2TP connections, you can create a secure connection by making relative
6. ... The destination address of each remote VPN spoke.
   - A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
   - A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.
   To create a VPN spoke configuration
   1. Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.
      - To add a manual key tunnel, see Manual key IPSec VPNs on page 211.
      - To add an AutoIKE tunnel, see AutoIKE IPSec VPNs on page 213.
   2. Add the source address. One source address is required for the local VPN spoke. See Adding a source address on page 225.
   3. Add a destination address for each remote VPN spoke. The destination address is the address of the spoke, either a client on the Internet or a network located behind a gateway. See Adding a destination address on page 225.
   4. Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:
      Source: The local VPN spoke address
      Destination: The remote VPN spoke address
      Action: ENCRYPT
      VPN Tunnel: The tunnel name added in step 1. Use the same tunnel for all encrypt policies.
      Allow inbound: D
7. (Table of contents fragment)
   ... 101
   Installing and using a backup firmware image ... 103
   Manual virus definition updates ... 106
   Manual attack definition updates ... 107
   Displaying the FortiGate serial number ... 107
   Displaying the FortiGate up time ... 107
   Displaying log hard disk status ... 107
   Backing up system settings ... 108
   Restoring system settings ... 108
   Restoring system settings to factory defaults ... 108
   Changing to Transparent mode ... 109
   Changing to NAT/Route mode ... 109
   Restarting the FortiGate unit ... 109
   Shutting down the FortiGate unit ... 110
   System status
8. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
   To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
   To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
   Select OK to add the address group.
   Adding a destination address
   Add an address to which PPTP users can connect.
   1. Go to Firewall > Address.
   2. Select the internal interface or the DMZ interface. Methods will differ slightly between FortiGate models.
   3. Select New to add an address.
   4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
   5. Select OK to save the source address.
   Adding a firewall policy
   Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the PPTP VPN tunnel.
   1. Go to Firewall > Policy.
   2. Use the policy grid to choose the policy list to which to add the policy.
   3. Select New to add a new policy.
   4. Set Source to the group that matc
9. Least Connection: Least connection load balancing. If the FortiGate units are connected using switches, select Least Connection to distribute traffic to the cluster unit with the fewest concurrent connections.
   Round Robin: Round robin load balancing. If the FortiGate units are connected using switches, select Round Robin to distribute traffic to the next available cluster unit.
   Weighted Round Robin: Weighted round robin load balancing. Similar to round robin, but weighted values are assigned to each of the units in a cluster based on their capacity and on how many connections they are currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic will be more likely to receive new connections than units that are very busy.
   Random: Random load balancing. If the FortiGate units are connected using switches, select Random to randomly distribute traffic to cluster units.
   IP: Load balancing according to IP address. If the FortiGate units are connected using switches, select IP to distribute traffic to units in a cluster based on the Source IP and Destination IP of the packet.
   IP Port: Load balancing according to IP address and port. If the FortiGate units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the Source IP, Source Port
10. SSH: To allow secure SSH connections to the CLI through this interface.
    SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 162.
    5. Select Apply to save your changes.
    Configuring VLANs
    Using Virtual LAN (VLAN) technology, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply authentication, content filtering, and antivirus protection for network and VPN traffic that is allowed to pass between security domains.
    This section describes a basic VLAN network configuration, provides an overview of what is required to configure the FortiGate unit to support VLANs, and describes how to add VLAN subinterfaces. VLAN subinterfaces function like any FortiGate interface. You can add firewall addresses for a VLAN subinterface to add it to the policy grid. You can also add VLAN subinterfaces to zones. VLAN support is available when the FortiGate unit is operating in NAT/Route mode.
    This section describes:
    - VLAN network configuration
    - Adding VLAN subinterfaces
    VLAN network configuration
    FortiGate units support IEEE 802.1Q compliant VLAN tags. A VLAN tag is a series of added bits i
11. Select Refresh to manually update the information displayed.
    Virus and intrusions status
    Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
    1. Go to System > Status > Monitor.
    2. Select Virus & Intrusions. Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour, as well as line graphs of the number of viruses and intrusions detected for the last 20 hours.
    Figure 3: Sessions and network status monitor (Automatic Refresh Interval: 20 seconds; tabs: CPU & Memory, Sessions & Network, Virus & Intrusions; panels: Virus History, last 20 hours; Intrusion History, last 20 hours)
    3. Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
    4. Select Refresh to manually update the information displayed.
    Session list
    The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to v
12. FortiGate User Manual, Volume 1
    Version 2.50 MR2
    18 August 2003
    Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication, including text, examples, diagrams, or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet Inc.
    FortiGate 400 Installation and Configuration Guide, Version 2.50 MR2, 18 August 2003
    Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.
    Regulatory Compliance: FCC Class A Part 15, CSA/CUS
    CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
    For technical support, please visit http://www.fortinet.com
    Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com
    Contents
    Table of Contents
    Introduction ... 15
    Antivirus protection ... 15
    Web content filtering ... 16
    Email filtering ... 16
    Firewall
13. General configuration steps
    To use the Cerberian web filter you must:
    - Install a Cerberian web filter license key. See Installing a Cerberian license key on the FortiGate unit on page 272.
    - Add users that will be using the Cerberian web filter. See Adding a Cerberian user to the FortiGate unit on page 272.
    - Configure the Cerberian web filter. See Using the Cerberian web filter on page 272.
    - Enable Cerberian URL filtering. See Using the Cerberian web filter on page 272.
    Note: To use Cerberian web filtering, the FortiGate unit must have access to the Internet.
    Installing a Cerberian license key on the FortiGate unit
    Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit.
    1. Go to Web Filter > URL Block.
    2. Select Cerberian URL Filtering.
    3. Enter the license number.
    4. Select Apply.
    Adding a Cerberian user to the FortiGate unit
    The Cerberian web policies can only be applied to user groups. You can add users on the FortiGate unit and then add the users to user groups on the Cerberian administration web site. When the end user tries to access a URL, the FortiGate unit will check to see if the user's IP address is in the IP address list on the FortiGate unit. If the user's IP address is in the list, the request will be sent to the Cerberian server. Otherwise, an error message will b
14. Key management
    There are three basic elements in any encryption system:
    - an algorithm, which changes information into code,
    - a cryptographic key, which serves as a secret starting point for the algorithm,
    - a management system to control the key.
    IPSec provides two ways to handle key exchange and management: manual keying, and IKE for automated key management.
    - Manual Keys
    - Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
    Manual Keys
    When manual keys are employed, matching security parameters must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.
    Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
    To facilitate deployment of multiple tunnels, an automated system of key management is required. IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.
    AutoIKE with pre-shared keys
    When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not actually send the key
15. You can also enable any pattern in the email exempt list by checking the box in the Enable column.
    Adding a subject tag
    When the FortiGate unit receives email from an unwanted address or email that contains an item in the email banned word list, the FortiGate unit adds a tag to the subject line and sends the message to the destination email address. Email users can use their mail client software to filter the messages based on the subject tag.
    To add a subject tag
    1. Go to Email Filter > Config.
    2. Type the Subject Tag that you want to display in the subject line of email received from unwanted addresses or that contains banned words. For example, type Unwanted Mail.
       Note: Do not use quotation marks in the subject tags.
    3. Select Apply. The FortiGate unit adds the tag to the subject line of all unwanted email.
    Logging and reporting
    You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
    This chapter describes:
    - Recording logs
    - Filtering log messages
    - Configuring traffic logging
    - Viewing logs saved to memory
    - Viewing and managing logs saved to the hard disk
    - Configuring alert email
    Recording logs
    You can configure logg
16. ... on page 201. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
    To select a language for the web-based manager
    1. From the Languages list, select a language that the web-based manager uses.
    2. Select Apply. You can choose from English, Simplified Chinese, Japanese, Korean, or Traditional Chinese.
    Note: When the web-based manager language is set to use Simplified Chinese, Japanese, Korean, or Traditional Chinese, you can change to English by selecting the English button on the upper right of the web-based manager.
    To set PIN protection for the LCD panel
    1. Select PIN Protection under LCD Panel.
    2. Type a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.
    3. Select Apply.
    To modify the Dead Gateway Detection settings
    Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration. To add a ping server to an interface, see Adding a ping server to an interface on page 136.
    1. For Detection Interval, type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target.
    2. For Fail-over Detection, type a number of times that the connection test fails before the FortiGate unit assumes that the gateway is no longer functioning.
    3. Select Apply.
    Adding and editing administrator accou
17. 2. If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP.
    3. Select Apply.
    To add alert email addresses
    1. Go to Log & Report > Alert Mail > Configuration.
    2. Select Authentication if your email server requires an SMTP password.
    3. In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit.
    4. In the SMTP User field, type a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
    5. In the Password field, type the password that the SMTP user needs to access the SMTP server. A password is required if you select Authentication.
    6. Type up to three destination email addresses in the Email To fields. These are the actual email addresses to which the FortiGate unit sends alert email.
    7. Select Apply.
    Testing alert email
    You can test the alert email settings by sending a test email.
    1. Go to Log & Report > Alert Mail > Configuration.
    2. Select Test to send test email messages from the FortiGate unit to the Email To addresses that you have configured.
    Enabling alert email
    You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall
18. If the FDN must connect to the FortiGate unit through a NAT device, see Push updates through a NAT device on page 120. Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See Scheduled updates through a proxy server on page 124 for more information.
    To enable push updates
    1. Go to System > Update.
    2. Select Allow Push Update.
    3. Select Apply.
    About push updates
    When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiGate units configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit attempts to request an update from the FDN.
    If available for your network configuration, configuring push updates is recommended in addition to configuring scheduled updates. Push updates mean that on average the FortiGate unit receives new updates sooner than if the FortiGate unit just receives scheduled updates. However, scheduled updates make sure that the FortiGate unit does eventually receive the latest updates. Enabling push updates is not recommended as the only method for obtaining upd
19. Select Upload.
    Type the path and filename of the text file for the user-defined signature list, or select Browse and locate the file.
    Select OK to upload the text file for the user-defined signature list.
    Select Return to display the uploaded user-defined signature list.
    Figure 35: Example user-defined signature list (General / Signature List / User Defined Signature List; User Defined Signature Detail: ID / Rule Name / Revision)
    298319873 / TFTP GET Admin.dll / [revision illegible]
    113770498 / Possible SYN FIN scan / 1
    113770499 / CGI PHF access / 1
    Downloading the user-defined signature list
    You can back up the user-defined signature list by downloading it to a text file on the management computer.
    1. Go to NIDS > Detection > User Defined Signature List.
    2. Select Download. The FortiGate unit downloads the user-defined signature list to a text file on the management computer. You can specify a location to which to download the text file, as well as a name for the text file.
    Preventing attacks
    NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable the NIDS attack prevention to prevent a set of default attacks with default threshold values. You can also enable and set the threshold values for individual attack signatures.
    Note: After the FortiGate unit reboots, the NIDS attac
20. The addresses in the IP pool range cannot conflict with other addresses on the same network as the interface for which you are adding the IP pool. You can add multiple IP pools to any interface, but only the first IP pool is used by the firewall.
    This section describes:
    - Adding an IP pool
    - IP pools for firewall policies that use fixed ports
    - IP pools and dynamic NAT
    Adding an IP pool
    To add an IP pool
    1. Go to Firewall > IP Pool.
    2. Select the interface to which to add the IP pool. You can select a firewall interface or a VLAN subinterface.
    3. Select New to add a new IP pool to the selected interface.
    4. Enter the Start IP and End IP addresses for the range of addresses in the IP pool. The Start IP and End IP must define the start and end of an address range. The Start IP must be lower than the End IP. The Start IP and End IP must be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    5. Select OK to save the IP pool.
    Figure 14: Adding an IP Pool (New Dynamic IP Pool: Interface: internal; Start IP: 192.168.1.10; End IP: 192.168.1.20)
    IP pools for firewall policies that use fixed ports
    Some network configurations will not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You c
21. (Figure residue: antivirus and email filter settings table with columns Web Exempt List, Email Block List, Email Exempt List, Email Content Block; Oversized File/Email: block or pass; Fragmented Emails)
    Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus that is so new that antivirus scanning cannot detect it. You would not normally run the FortiGate unit with blocking enabled. However, it is available for extremely high-risk situations in which there is no other way to prevent viruses from entering your network.
    On a FortiGate unit with a hard disk, if quarantining is enabled for blocked files for the matching traffic protocol, the FortiGate unit adds the file to the quarantine list.
    File blocking deletes all files that match a list of enabled file patterns. The FortiGate unit replaces the file with an alert message that is forwarded to the user. The FortiGate unit also writes a message to the virus log and sends an alert email if it is configured to do so.
    Note: If both blocking and scanning are enabled, the FortiGate unit blocks files that match enabled file patterns and does not scan these files for viruses.
    Blocking files
    By default, when blocking is enabled, the
22. (NIDS Prevention signature list, continued; Signature: Description (Protocol))
    synfin: syn with fin attack (TCP)
    noflag: tcp with no flag attack (TCP)
    finnoack: fin without ack attack (TCP)
    srcsession: source session limit (TCP)
    winnuke: winnuke attack (TCP)
    land: [description illegible] (TCP)
    ftpovfl: ftp buffer overflow attack (TCP)
    smtpovfl: smtp buffer overflow attack (TCP)
    pop3ovfl: pop3 buffer overflow attack (TCP)
    url: invalid url attack (TCP)
    udpflood: udp flood attack (UDP)
    udpland: udp land attack (UDP)
    udpsrcsession: udp source session limit (UDP)
    icmpflood: icmp flood attack (ICMP)
    icmpfrag: icmp fragment attack (ICMP)
    icmpdeath: ping of death attack (ICMP)
    icmplarge: large icmp packet attack (ICMP)
    Setting signature threshold values
    You can change the default threshold values for the NIDS Prevention signatures listed in Table 7. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.
    For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate unit will
23. Check the type of traffic on which to run Checksum Verifications.
    Select Apply.
    Figure 33: Example NIDS detection configuration (General / Attack List; Monitored Interface: none, port1, port2, port3, port4, ha; Checksum Verifications: IP, TCP, UDP, ICMP)
    Viewing the signature list
    To display the current list of NIDS signature groups and to view the members of a signature group
    1. Go to NIDS > Detection > Signature List.
    2. View the names and action status of the signature groups in the list. The NIDS detects attacks listed in all the signature groups that are checked in the Modify or Details column.
       Note: The user-defined signature group is the last item in the signature list. See Adding user-defined signatures on page 252.
    3. Select View Details to display the members of a signature group. The Signature Group Members list displays the attack ID, Rule Name, and Revision number for each group member.
    Viewing attack descriptions
    Fortinet provides online information for all NIDS attacks. To view the FortiResponse Attack Analysis web page for an attack listed on the signature list
    1. Go to NIDS > Detection > Signature List.
    2. Select View Details to display the members of a signature group.
    3. Select a signature and copy its attack ID.
    4. Open a web browser and enter this URL: http://www.fortinet.com/ids/ID
24. Configuring traffic logging ........ 286
Enabling remote logging ........ 286
Configuring traffic filter settings ........ 287
Adding traffic filter entries ........ 288
Viewing logs saved to memory ........ 289
Viewing logs ........ 289
Searching logs ........ 289
Viewing and managing logs saved to the hard disk ........ 290
Viewing logs ........ 290
Searching logs ........ 290
Downloading a log file to the management computer ........ 291
Deleting all messages in an active log ........ 291
Deleting a saved log file ........ 292
Configuring alert email ........ 292
Adding alert email addresses ........ 292
Testing alert email ........
25. (RIP interface settings, continued; the setting labels other than Metric did not survive extraction)
This interface can send RIP1 routing broadcasts to routers on its network. The routing broadcasts are UDP packets with a destination port of 520.
This interface can receive RIP1 routing broadcasts. The interface listens on port 520 for broadcast RIP1 messages.
This interface can send RIP2 routing broadcasts to its network. The routing broadcasts are UDP packets with a destination port of 520.
This interface can receive RIP2 routing broadcasts. The interface listens on port 520 for broadcast RIP2 messages.
Configure split horizon to prevent routing loops. By default split horizon is enabled. This option should only be disabled if you are sure that routing loops cannot be created from this interface.
Enable authentication for RIP2 packets sent and received by this interface. Authentication is only supported by RIP2. Do not select authentication if you are configuring the interface for RIP1.
Enter the password to be included in RIP2 requests. The password can be up to 16 characters long.
Defines how the FortiGate authenticates RIP2 packets. Select None, Clear or MD5. None means do not send the password. Clear means send the password in plain text. MD5 means use MD5 authentication.
Metric: Changes the metric for routes sent by this interface. All routes sent from this interface will have this metric added to their current metric value. You can change interface metrics to give higher priorities to some interfaces. For example, if you
26. Registering FortiGate units
Updating registration information
Registering a FortiGate unit after an RMA

Updating antivirus and attack definitions
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiGate unit supports the following antivirus and attack definition update features:
- User initiated manual updates from the FDN
- Hourly, daily or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN
- Push updates from the FDN
- View the update status, including version numbers, expiry dates and update dates and times
- Push updates through a NAT device
FortiGate 400 Installation and Configuration Guide
The System > Update page of the web based manager displays the following antivirus and attack definition update information:
Version: Displays the current antivirus engine, virus definition and attack definition version numbers.
Expiry date: Displays the expiry date of your license for antivirus engine, virus definition and attack definition updates.
Last update: Displays the date and time on which the FortiGate unit last attempted to download antivirus engine, virus definition and attack definition updates.
Last update: Displays the succe
27. Routes received from neighbors are filtered using the selected RIP filter or RIP filter list.

Adding a routes filter
You can select a single RIP filter or a RIP filter list to be the routes filter.
1 Go to System > RIP > Filter.
2 Add RIP filters and RIP filter lists as required.
3 For Routes Filter, select the name of the RIP filter or RIP filter list to become the routes filter.
4 Select Apply.
Routes sent by the FortiGate unit are filtered using the selected RIP filter or RIP filter list.

Figure 3 Example RIP Filter configuration (Neighbors Filter: Filter_1; Routes Filter: Filter_List_2; filter entries for Filter_1, Filter_List_1, Filter_2 and Filter_List_2 listed by IP, Mask, Action and Interface)

System configuration
Go to System > Config to make any of the following changes to the FortiGate system configuration:
- Setting system date and time
- Changing web based manager options
- Adding and editing administrator accounts
- Configuring SNMP
- Customizing replacement messages

Setting system date and time
For effective scheduling and logging th
28. (Figure: HA cluster connections showing the switches, the management computer, port 4 (HA), the router, port 1, port 2 and the Internet)
When you have connected the cluster, proceed to Starting the HA cluster.

Starting the HA cluster
After all of the FortiGate units in the cluster are configured for HA and once the cluster is connected, use the following procedure to start the HA cluster.
Power on all of the HA units in the cluster. As the units power on, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention. When negotiation is complete, the cluster is ready to begin processing network traffic. You can use the information in Managing the HA cluster on page 86 to log into and manage the cluster.

HA in Transparent mode
Use the following steps to configure a group of FortiGate units to operate as an HA cluster in Transparent mode:
- Installing and configuring the FortiGate units
- Configuring the HA interface and HA IP address
- Configuring the HA cluster
- Connecting the HA cluster to your network
- Starting the HA cluster

Installing and configuring the FortiGate units
Follow the instructions in Transparent mode installation on page 61 to install and configure the FortiGate units. All of the FortiGate units in the HA cluster should have the same configuration. Do not
29. available to traffic processed by the policy.
Authentication: Authentication is not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
Antivirus & Web Filter: Antivirus & Web Filter is not selected. This policy does not include a content profile that applies antivirus protection, web content filtering or email filtering to content traffic processed by this policy. You can select this option and select a content profile to apply different levels of content protection to traffic processed by this policy.
Log Traffic: Log Traffic is not selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.

Factory default content profiles
You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for:
- Antivirus protection of HTTP, FTP, IMAP, POP3 and SMTP network traffic
- Web content filtering for HTTP network traffic
- Email filtering for IMAP and POP3 network traffic
- Oversized file and email blocking for HTTP, FTP, POP3, SMTP
30. blocks the URLs of 12 categories. You can modify the default policy and apply it to any user groups.
To configure the Cerberian web filtering:
1 Add the user name, which is the alias you added on the FortiGate unit, to a user group on the Cerberian server, because the web policies can only be applied to the user groups. If you did not enter an alias for the user IP on the FortiGate unit, the user IP is automatically added to the default group.
2 Create your policies by selecting the web categories that you want to block.
3 Apply the policy to a user group which contains the user.
For detailed procedures, see the online help on the Cerberian Web Filter web page.

Enabling Cerberian URL filtering
After you add the Cerberian users and groups and configure the Cerberian web filter, you can enable Cerberian URL filtering. You must enable it in three places:
- The Cerberian URL Filtering page
- The content profile
- The policy that uses the content profile
1 Go to Web Filter > URL Block.
2 Select Cerberian URL Filtering.
3 Select the Cerberian URL Filtering option.
4 Go to Firewall > Content Profile.
5 Create a new or select an existing content profile and enable Web URL Block.
6 Go to Firewall > Policy.
7 Create a new or select an existing policy that will use the content profile.
8 Select Anti-Virus &
31. set the operating mode and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web based manager to customize advanced FortiGate features to meet your needs. You can also create a basic configuration using the FortiGate front panel control buttons and LCD.

Web based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
You can use the web based manager for most FortiGate configuration settings. You can also use the web based manager to monitor the status of the FortiGate unit. Configuration changes made with the web based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time.

Figure 1 The FortiGate web based manager and setup wizard (screenshot of the VPN > IPSEC > Phase 2 New VPN Tunnel page: Remote Gateway STATIC; P2 Proposal 1: Encryption 3DES, Authentication SHA1; 2: Encryption 3DES, Authentication MD5)
32. 1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168, execute:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears:
Press any key to enter configuration menu
6 Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
G: Get firmware image from TFTP server
F: Format boot device
B: Boot with backup firmware and set as default
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, B, Q, or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the
33. Configuration example: Multiple connections to the Internet (NAT/Route mode installation)

Using the CLI
Add a ping server to port2:
set system interface port2 config detectserver 1.1.1.1 gwdetect enable
Add a ping server to port3:
set system interface port3 config detectserver 2.2.2.1 gwdetect enable

Destination based routing examples
This section describes the following destination based routing examples:
- Primary and backup links to the Internet
- Load sharing
- Load sharing and primary and secondary connections

Primary and backup links to the Internet
Use the following procedure to add a default destination based route that directs all outgoing traffic to Gateway 1. If Gateway 1 fails, all connections are re-directed to Gateway 2. Gateway 1 is the primary link to the Internet and Gateway 2 is the backup link.
1 Go to System > Network > Routing Table.
2 Select New.
- Destination IP 0.0.0.0
- Mask 0.0.0.0
- Gateway 1 1.1.1.1
- Gateway 2 2.2.2.1
- Device 1 port2
- Device 2 port3
3 Select OK.

Using the CLI
Add the route to the routing table (Device 2 is port3, matching the web based manager steps and Table 11):
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3

Table 11 Route for primary and backup links
Destination IP  Mask     Gateway 1  Device 1  Gateway 2  Device 2
0.0.0.0         0.0.0.0  1.1.1.1    port2     2.2.2.1    port3
34. Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure Manually updating antivirus and attack definitions on page 119 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log in to the FortiGate CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file na
35. (Table of downloadable definition files, garbled in extraction: entries for FGT-300, FGT-400, FGT-500, FGT-1000, FGT-3000 and FGT-3600 with their OS and definition version numbers)
For information about how to install the downloaded files, see Manual virus definition updates on page 106 and Manual attack definition updates on page 107.

Registering a FortiGate unit after an RMA
The Return Material Authorization (RMA) process starts when a customer's registered FortiGate unit doesn't work properly due to a hardware failure. If this happens while the FortiGate unit is still protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit, you can use the following procedure to update your product registration information.
1 Go to System > Update > Support and select Support Login.
2 Enter your Fortinet support user name and password to log in.
3 Select Add Registration.
4 Select the link to replace a unit with a new unit from an RMA.
5 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the replacement FortiGate unit. All support levels are transferred to the replacement unit.
36. Table 2 Factory default NAT/Route mode network configuration (continued)
Interface 2 (continued)  Management Access: Ping
Interface 3              IP: 0.0.0.0   Netmask: 0.0.0.0   Management Access: HTTPS, Ping
Interface 4 (HA)         IP: 0.0.0.0   Netmask: 0.0.0.0   Management Access: Ping

Factory default Transparent mode network configuration
If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3.

Table 3 Factory default Transparent mode network configuration
Administrator account   User name: admin   Password: none
Management IP           IP: 10.10.10.1   Netmask: 255.255.255.0
DNS                     Primary DNS Server: 207.194.200.1   Secondary DNS Server: 207.194.200.129
Management access       Interface 1: HTTPS, Ping
                        Interface 2: Ping
                        Interface 3: Ping
                        Interface 4 (HA): Ping

Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.

Table 4 Factory default firewall configuration
Port 1 Address       Port1_All   IP: 0.0.0.0   Mask: 0.0.0.0   Represents all of the IP addresses on the network connected to port 1
Port 2 Address       Port2_All   IP: 0.0.0.0   Mask: 0.0.0.0   Represents all of the IP addresses on the network connected to port 2
Recurring Schedule   Always   The schedule is valid at all times. This
37. Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Note: Adding a Phase 2 configuration is the same for pre-shared key and certificate VPNs.
To add a phase 2 configuration:
1 Go to VPN > IPSEC > Phase 2.
2 Select New to add a new phase 2 configuration.
3 Enter a Tunnel Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters and _. Other special characters and spaces are not allowed.
4 Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see Adding a phase 1 configuration for an AutoIKE VPN on page 213. Choose either a single DIALUP remote gateway or up to three STATIC remote gateways. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy. For information about IPSec redundancy, see Redundant IPSec VPNs on page 231.
5 Configure the P2 Proposal. Select up to three encryption and authentication algorithm combinations to propose for phase 2. T
38. Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zone. Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones. Configuration is made simpler if all external interfaces are grouped within a single zone rather than multiple zones. However, this may not always be possible due to security considerations or other reasons.
After you have defined the Internet connections for both FortiGate units, you can proceed to configure the VPN tunnel.
To configure IPSec redundancy:
1 Add the phase 1 parameters for up to three VPN connections. Enter identical values for each VPN connection with the exception of the Gateway Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a static IP address. See Adding a phase 1 configuration for an AutoIKE VPN on page 213.
2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.
- If the Internet connections are in the same zone, add one VPN tunnel and add the remote gateways to it. You can add up to three remote gateways.
- If the Internet connections are in separate zones or assigned to unique interfaces, add a VPN tunnel for each remo
39. Connecting to the web based manager
Use the following procedure to connect to the web based manager for the first time. Configuration changes made with the web based manager are effective immediately without the need to reset the firewall or interrupt service.
To connect to the web based manager, you need:
- a computer with an ethernet connection
- Internet Explorer version 4.0 or higher
- a crossover cable or an ethernet hub and two ethernet cables
Note: You can use the web based manager with recent versions of most popular web browsers. The web based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
2 Using the crossover cable or the ethernet hub and cables, connect interface 1 of the FortiGate unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the "s" in https). The FortiGate login is displayed.
4 Type admin in the Name field and select Login. The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Fig
40. (End of the preceding content profile table; checkbox states not recoverable from the extraction: Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block rows; Oversized File/Email Block: pass for HTTP, FTP, IMAP, POP3 and SMTP; Pass Fragmented Emails row)

Unfiltered content profile
Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Table 8 Unfiltered content profile (checkbox states not recoverable from the extraction; only the text values survive)
Options: Antivirus Scan, File Block, Quarantine, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block, Pass Fragmented Emails
Columns: HTTP, FTP, IMAP, POP3, SMTP
Oversized File/Email Block: pass for HTTP, FTP, IMAP, POP3 and SMTP

Planning your FortiGate configuration
Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces. Your configuration plan is dependent upon the opera
41. Destination IP and Destination port of the packet.
Under Monitor on Interface, select the names of the interfaces to be monitored. Monitor FortiGate interfaces to make sure they are functioning properly and that they are connected to their networks. If a monitored interface fails or is disconnected from its network, the FortiGate unit stops processing traffic and is removed from the cluster. If you can re-establish traffic flow through the interface (for example, if you re-connect a disconnected network cable), the FortiGate unit rejoins the cluster. You should only monitor interfaces that are connected to networks.
Select Apply.
The FortiGate unit negotiates to establish an HA cluster. When you select Apply, you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates.

Figure 13 Example Active-Active HA configuration (Standalone Mode / Active-Active selector; Password; Retype Password; Group ID 7; Schedule Least Connection; Monitor on interface port1, port2, port3)

Repeat this procedure to add each FortiGate unit in the HA cluster. When you have configured all of the FortiGate units, proceed to Connecting the HA cluster to your network.

Connecting the HA cluster to your network
To connect the HA cluster to your network you must
42. (End of the preceding content profile table: Oversized File/Email Block: block for HTTP, FTP, IMAP, POP3 and SMTP; Pass Fragmented Emails row)

Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3 and SMTP content traffic. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If required, system administrators can recover quarantined files.

Table 6 Scan content profile (checkbox states only partly recoverable from the extraction; the text above describes Antivirus Scan and Quarantine as selected for all five services)
Options: Antivirus Scan, File Block, Quarantine, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block, Pass Fragmented Emails
Columns: HTTP, FTP, IMAP, POP3, SMTP
Oversized File/Email Block: pass for HTTP, FTP, IMAP, POP3 and SMTP

Web content profile
Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.

Table 7 Web content profile
Options: Antivirus Scan (selected for HTTP), File Block, Quarantine, Web URL Block (selected for HTTP), Web
43. Filter Log.
To delete all messages, select Empty Log.
Select OK to delete the messages.

Deleting a saved log file
Use the following procedure to delete a saved log file.
1 Go to Log & Report > Logging.
2 Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log or Email Filter Log.
The web based manager lists all saved logs of the selected type, with the active log at the top of the list. For each log, the list shows the date and time at which an entry was last added to the log, the size of the log file and its name.
3 To delete a saved log file, select Delete.
4 Select OK to delete the log file.

Configuring alert email
You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions and other firewall or VPN events or violations. After you set up the email addresses, you can test the settings by sending test email.
- Adding alert email addresses
- Testing alert email
- Enabling alert email

Adding alert email addresses
Because the FortiGate unit uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server. Therefore, before configuring alert email, ensure that you have configured at least one DNS server.
To add a DNS server:
1 Go to System > Network > DNS
44. FortiGate unit blocks the following file patterns in firewall traffic:
- executable files (.bat, .com and .exe)
- compressed or archive files (.gz, .rar, .tar, .tgz and .zip)
- dynamic link libraries (.dll)
- HTML application (.hta)
- Microsoft Office files (.doc, .ppt, .xls)
- Microsoft Works files (.wps)
- Visual Basic files (.vb)
- screen saver files (.scr)
Use content profiles to apply file blocking to HTTP, FTP, POP3, IMAP and SMTP traffic controlled by firewall policies. Select file blocking in a content profile. See Adding a content profile on page 197. Add this content profile to firewall policies to apply content blocking to the traffic controlled by the firewall policy. See Adding a content profile to a policy on page 199.

Adding file patterns to block
1 Go to Anti-Virus > File Block.
2 Select New.
3 Type the new pattern in the File Pattern field. You can use an asterisk (*) to represent any characters and a question mark (?) to represent any single character. For example, *.dot blocks Microsoft Word template files and *.do? blocks both Microsoft Word template files and document files.
4 Select the check box beside the traffic protocols for which you want to enable blocking of this file pattern.
5 Select OK.

Quarantine
FortiGate units with hard disks can be configured to quarantine blocked or infected files. The quarantin
45. FortiGate unit matches the traffic with the policy routes added to the RPDB, starting at the top of the list. The first policy route to match the traffic is used to set the route for the traffic. The route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic.
Packets are matched with policy routes before they are matched with destination routes. If a packet does not match a policy route, it is routed using destination routes.
The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet using the matched destination route. If a match is not found, the FortiGate routes the packet using normal routing.
To find a route with a matching gateway, the FortiGate unit starts at the top of the destination routing table and searches until it finds the first matching destination route. This matched route is used to route the packet.
For policy routing examples, see Policy routing examples on page 57.

Policy routing command syntax
Configure policy routing using the following CLI command:
set system route policy <route_int> src <source_ip> <source_mask> iifname <source_interface_name> dst <destination_ip> <destination_mask> oifname <des
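The lookup order described above (policy routes top-down, then the policy route's gateway checked against the destination routing table, then normal destination routing), modelled in Python as an added example that is not Fortinet code. The route entries are constructed from this section's syntax and the guide's primary/backup default routes, and "normal routing" is assumed to mean the first destination route, from the top of the table, whose destination contains the packet's destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _in_net(ip: str, net: str) -> bool:
    """net is '<ip> <mask>' with a dotted netmask, as written in the CLI syntax."""
    addr, mask = net.split()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class PolicyRoute:        # one RPDB entry (set system route policy ...)
    src: str              # '<source_ip> <source_mask>'
    iifname: str          # incoming interface
    dst: str              # '<destination_ip> <destination_mask>'
    oifname: str          # outgoing interface
    gateway: str          # next hop; must also exist as a destination route gateway


@dataclass(frozen=True)
class DestRoute:          # one destination routing table entry
    dst: str              # '<ip> <mask>'
    gateway: str
    device: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iifname: str


def match_policy_route(pkt: Packet, rpdb: List[PolicyRoute]) -> Optional[PolicyRoute]:
    """First policy route (top of the RPDB first) whose src, iifname and dst all match."""
    for pr in rpdb:
        if pr.iifname == pkt.iifname and _in_net(pkt.src, pr.src) and _in_net(pkt.dst, pr.dst):
            return pr
    return None


def route_packet(pkt: Packet, rpdb: List[PolicyRoute],
                 table: List[DestRoute]) -> Tuple[str, Optional[DestRoute]]:
    """Return (how, route): 'policy' when a policy route matched and its gateway was
    found in the destination table, 'destination' for normal routing (assumed to be
    the first matching destination route from the top), 'unroutable' when nothing fits."""
    pr = match_policy_route(pkt, rpdb)
    if pr is not None:
        # Search the destination table top-down for the first route with that gateway.
        for dr in table:
            if dr.gateway == pr.gateway:
                return "policy", dr
        # Gateway was never added as a destination route: the policy route is silently
        # ignored and the packet falls through to normal routing (the pitfall the text warns about).
    for dr in table:
        if _in_net(pkt.dst, dr.dst):
            return "destination", dr
    return "unroutable", None


# Constructed sample: the guide's primary/backup default routes, plus one policy route that
# steers an internal subnet out the backup link and one whose gateway was never added.
TABLE = [
    DestRoute("0.0.0.0 0.0.0.0", "1.1.1.1", "port2"),   # primary, top of the table
    DestRoute("0.0.0.0 0.0.0.0", "2.2.2.1", "port3"),   # backup
]
RPDB = [
    PolicyRoute("192.168.20.0 255.255.255.0", "port1", "0.0.0.0 0.0.0.0", "port3", "2.2.2.1"),
    PolicyRoute("192.168.30.0 255.255.255.0", "port1", "0.0.0.0 0.0.0.0", "port4", "3.3.3.1"),
]

if __name__ == "__main__":
    for p in (Packet("192.168.20.5", "203.0.113.10", "port1"),   # policy route, gateway found
              Packet("192.168.30.5", "203.0.113.10", "port1"),   # policy route, gateway missing
              Packet("192.168.20.5", "203.0.113.10", "port2")):  # wrong iifname, no policy match
        print(p, "->", route_packet(p, RPDB, TABLE))
```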
46. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow secure SSH connections to the CLI through this VLAN subinterface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this VLAN subinterface. See Configuring SNMP on page 162.
Telnet: To allow Telnet connections to the CLI through this VLAN subinterface. Telnet connections are not secure and can be intercepted by a third party.

Figure 10 Adding a VLAN subinterface (Name LAN_Internal1; Interface internal; VLAN ID 222; IP 12.24.33.46; Netmask 255.255.255.0; Access options HTTPS, PING, SSH, SNMP)

Select OK to save your changes. The FortiGate unit adds the new subinterface to the interface that you selected in step 4.

Configuring routing
This section describes how to configure FortiGate routing. You can configure routing to add static routes from the FortiGate unit to local routers. Using policy routing, you can increase the flexibility of FortiGate routing to support more advanced routing functions. You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections. For more information about configuring routing for multiple internet connections and for configuration examples, see Configuration example: Mul
47. IP/MAC binding for packets going through the firewall
Use the following procedure to use IP/MAC binding to filter packets that would normally be allowed through the firewall by a firewall policy.
1 Go to Firewall > IP/MAC Binding > Setting.
2 Select Enable IP/MAC binding going through the firewall.
3 Go to Firewall > IP/MAC Binding > Static IP/MAC.
4 Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
- A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
- A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
- A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
- A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
  - is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic
  - is blocked if IP/MAC binding is set to Block traffic
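The four outcomes listed above (bound pair passes to policy matching, a bound IP or a bound MAC seen with the wrong partner is dropped, and an unknown pair follows the Allow traffic / Block traffic setting), as an added Python model that is not Fortinet code. The binding table and packets are constructed; the MAC address is a made-up six-octet value rather than the guide's example string, and MAC normalisation is an assumption so that dashed and colon forms compare equal.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so '00-11-22-33-44-55' and '00:11:22:33:44:55' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:        # one Static IP/MAC entry
    ip: str
    mac: str


class IpMacBinding:
    """Decision logic for 'IP/MAC binding going through the firewall'."""

    def __init__(self, bindings: Iterable[Binding], unknown_traffic: str = "allow"):
        if unknown_traffic not in ("allow", "block"):        # the Allow traffic / Block traffic setting
            raise ValueError("unknown_traffic must be 'allow' or 'block'")
        self.pairs = {(b.ip, norm_mac(b.mac)) for b in bindings}
        self.known_ips = {ip for ip, _ in self.pairs}
        self.known_macs = {mac for _, mac in self.pairs}
        self.unknown_traffic = unknown_traffic

    def check(self, ip: str, mac: str) -> Tuple[str, str]:
        """Return (verdict, reason). 'policy' = go on to firewall policy matching,
        'drop' = dropped before any policy is consulted."""
        mac = norm_mac(mac)
        if (ip, mac) in self.pairs:
            return "policy", "ip/mac pair is bound"
        if ip in self.known_ips:
            return "drop", "bound ip seen with a different mac (ip spoofing prevention)"
        if mac in self.known_macs:
            return "drop", "bound mac seen with a different ip (ip spoofing prevention)"
        if self.unknown_traffic == "allow":
            return "policy", "no binding for ip or mac; Allow traffic setting"
        return "drop", "no binding for ip or mac; Block traffic setting"


def evaluate(table: IpMacBinding, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run a batch of (ip, mac) packets through the table; returns (ip, mac, verdict) per packet."""
    return [(ip, mac, table.check(ip, mac)[0]) for ip, mac in packets]


# Constructed sample: one static binding (the guide's IP with a made-up MAC) and the four packet kinds.
BINDINGS = [Binding("1.1.1.1", "00:11:22:33:44:55")]
PACKETS = [
    ("1.1.1.1", "00-11-22-33-44-55"),   # bound pair (dashed form still matches)
    ("1.1.1.1", "00:11:22:33:44:66"),   # bound ip, wrong mac
    ("1.1.1.2", "00:11:22:33:44:55"),   # bound mac, wrong ip
    ("1.1.1.2", "00:11:22:33:44:66"),   # neither bound: depends on the setting
]

if __name__ == "__main__":
    for setting in ("allow", "block"):
        print(f"unknown traffic = {setting}")
        for ip, mac, verdict in evaluate(IpMacBinding(BINDINGS, setting), PACKETS):
            print(f"  {ip:<10} {mac:<20} {verdict}")
```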
48. Installation and Configuration Guide 173 / Adding firewall policies / 174 Firewall configuration
Destination (continued): For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See Virtual IPs on page 188.
Schedule: Select a schedule that controls when the policy is available to be matched with connections. See Schedules on page 186.
Service: Select a service that matches the service port number of the packet. You can select from a wide range of predefined services or add custom services and service groups. See Services on page 182.
Action: Select how the firewall should respond when the policy matches a connection attempt.
  ACCEPT: Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.
  DENY: Deny the connection. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.
  ENCRYPT: Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy. ENCRYPT is not available in Transparent mode. See Configuring encrypt policies on page 224.
NAT: Configure the policy for NAT. NAT translates the sourc
49. ...Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
• control all incoming and outgoing network traffic
• control encrypted VPN traffic
• apply antivirus protection and web content filtering, block or allow access for all policy options
• control when individual policies are in effect
• accept or deny traffic to and from individual addresses
• control standard and user-defined network services individually or in groups
• require users to authenticate before gaining access
• include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy
• include logging to track connections for individual policies
• include Network Address Translation (NAT) mode and Route mode policies
• include mixed NAT and Route mode policies
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode: In NAT/Route mode you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.
• Route mode policies accept or deny connections between zones without performing address translation.
FortiGate 400 Installation and Configura
50. ...List
Select New to add an address pattern to the Email Block list.
Type a Block Pattern:
• To tag email from a specific email address, type the email address. For example, sender@abccompany.com.
• To tag email from a specific domain, type the domain name. For example, abccompany.com.
• To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
• To tag email from an entire organization category, type the top-level domain name. For example, type com to tag email sent from all organizations that use com as the top-level domain.
The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters hyphen (-), underscore (_) and period (.). Spaces and other special characters are not allowed.
Select Enable to tag the email if part or all of the email address matches the block pattern.
Select OK to add the address pattern to the Email Block list.
You can enter multiple address patterns and then select Check All to enable all patterns in the Email Block list. You can also enable any pattern in the Email Block list by checking the box in the Enable column.
Email exempt list
Add address patterns to the exempt list to allow legitimate IMAP and POP3 traffic that might otherwise be tagged by email or content blocking. For example, if the email banned word list is set to block email that contains pornography-related words and a reputable company sends email that cont
51. (contents, continued)
VLAN subinterfaces  170
Zones  171
Addresses  171
Services  172
Schedules  172
Content profiles  172
Adding firewall policies  172
Firewall policy options  173
Configuring policy lists  177
Policy matching in detail  177
Changing the order of policies in a policy list  178
Enabling and disabling policies  178
Addresses  179
Adding addresses  179
Editing addresses  180
Deleting addresses  180
Organi
52. (contents, continued)
Selecting the interfaces to monitor  250
Disabling the NIDS  250
Configuring checksum verification  250
Viewing the signature list  251
Viewing attack descriptions  251
Enabling and disabling NIDS attack signatures  252
Adding user-defined signatures  252
Preventing attacks  253
Enabling NIDS attack prevention  253
Enabling NIDS attack prevention signatures  254
Setting signature threshold values  254
Configuring synflood signature values  256
Logging attacks
53. Services
5 Specify a Source and Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
6 If the service has more than one port range, select Add to specify additional protocols and port ranges. If you mistakenly add too many port range rows, select Delete to remove each extra row.
7 Select OK to add the custom service.
You can now add this custom service to a policy.
Grouping services
To make it easier to add policies, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
1 Go to Firewall > Service > Group.
2 Select New.
3 Enter a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
5 To remove services from the service group, select a service from the Members list and select the left arrow to re
54. Set the time in seconds that the local VPN peer unit waits between retrying DPD probes.
Set the period of time in seconds that a link must remain unused before the local VPN peer pro-actively probes its state. After this period of time expires, the local peer sends a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
Select OK to save the phase 1 parameters.
Figure 21: Adding a phase 1 configuration (screenshot of the AutoIKE IPSec VPNs page; tabs Manual Key, Phase 2, Phase 1, Concentrator, Dialup Monitor. New VPN Gateway fields shown: Gateway Name Remote_Client_2; Remote Gateway Static IP Address; IP Address 2.2.2.2; Mode Aggressive or Main (ID protection); P1 Proposal 1: Encryption 3DES, Authentication SHA1; 2: Encryption 3DES, Authentication MD5; DH Group; Keylife 28800 seconds; Authentication Method Preshared Key; Pre-shared Key; Local ID (optional); Advanced Options: Dialup Group, Peer, XAUTH, Nat-traversal, DPD; Peer Options: Accept any peer ID, Accept this peer ID, Accept peer ID in dialup group; XAuth: Disable, Enable as Client, Enable as Server; Nat-traversal: Enable, Keepalive Frequency 5 seconds; Dead Peer Detection: Enable, Short Idle 10 seconds, Retry Count 3 times, Retry Interval 5 seconds, Long Idle 300 seconds)
55. The netmask should correspond to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0.
Note: To add an address to represent any address on a network, set the IP Address to 0.0.0.0 and the Netmask to 0.0.0.0.
To add an address: Select OK to add the address.
Figure 7: Adding an internal address (screenshot of the New Address form, Address tab: Interface internal; Address Name Internal_Server; IP Address 192.63.16.45; Netmask 255.255.255.255)
Editing addresses
Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name.
1 Go to Firewall > Address.
2 Select the interface list containing the address that you want to edit.
3 Choose an address to edit and select Edit Address.
4 Make the required changes and select OK to save your changes.
Deleting addresses
Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy.
Go to Firewall > Address. Select the interface list containing the address
56. (screenshot of the certificate request form, continued: Type E-Mail; e-mail; Optional Information: Organization Unit; Organization Fortinet; Locality (City) Vancouver; State/Province BC; Country Canada; e-mail; Key Type RSA; Key Size 1024 Bit)
Downloading the certificate request
With this procedure, you download the certificate request from the FortiGate unit to the management computer.
To download the certificate request:
1 Go to VPN > Local Certificates.
2 Select Download to download the local certificate to the management computer.
3 Select Save.
4 Name the file and save it in a directory on the management computer.
Requesting the signed local certificate
With this procedure, you copy and paste the certificate request from the management computer to the CA web server.
To request the signed local certificate:
1 On the management computer, open the local certificate request in a text editor.
2 Copy the certificate request.
3 Connect to the CA web server.
4 Request the signed local certificate. Follow the CA web server instructions to:
• add a base64-encoded PKCS#10 certificate request to the CA web server,
• paste the certificate request to the CA web server,
• submit the certificate request to the CA web server.
The certificate request is submitted to the CA for it to sign.
Figure 24: Opening a cer
57. Ping Server: Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select Enable. The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see To modify the Dead Gateway Detection settings on page 159.
5 Select OK to save your changes.
Controlling management access to an interface
1 Go to System > Network > Interface.
2 Select Modify for the interface for which to configure management access.
3 Select the management Access methods for the interface:
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 162.
TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Configu
58. ...address of the TFTP server and press Enter. The following message appears:
Enter Local Address 192.168.1.188
Type the address of the interface of the FortiGate unit that can connect to the TFTP server and press Enter. The following message appears:
Enter File Name image.out
Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear:
Save as Default firmware / Backup firmware / Run image without saving? [D/B/R]
Type B. The FortiGate unit saves the backup firmware image and restarts. When the FortiGate unit restarts, it is running the previously installed firmware version.
Switching to the backup firmware image
Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image. If you install a new backup image from a reboot, the configuration saved with this firmware image is the factory default configuration. If you use the procedure Switching back to the default firmware image on page 106 to switch to a backup firmware image that was previously running as the default firmware image, the configuration saved with this firmware image i
59. (contents, continued)
...and Reporting  24
About this document  25
Document conventions  26
Fortinet documentation  27
Comments on Fortinet technical documentation  27
Customer service and technical support  28
Getting Started  29
Package contents  30
Mounting  30
Powering on  31
Connecting to the web-based manager  32
Connecting to the command line interface (CLI)  33
Factory default FortiGate configuration settings  33
Factory default NAT/Route mode network configuration  34
Factory default Transparent mode network configuration  35
Factory default firewall configuration  35
Factory default content profiles  36
60. Configuring your network (NAT/Route mode installation)
Figure 7: FortiGate 400 NAT/Route mode connections (diagram; labels shown: Internal Network, DMZ Network, Web Server, Mail Server, Hub or Switch, Port 1, Port 3, Port 2, FortiGate 400, Public Switch or Router, Internet)
If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected.
Completing the configuration
Use the information in this section to complete the initial configuration of the FortiGate unit.
Configuring interface 3
Use the following procedure to configure interface 3 to connect to a network.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 Choose port3 and select Modify.
4 Change the IP address and Netmask as required.
5 Select Apply.
Configuring interface 4/HA
Use the following procedure to configure interface 4/HA to connect to a network.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 Choose port4/ha and select Modify.
4 Make sure that Work as HA is not selected.
5 Change the IP address and Netmask as required.
6 Select Apply.
Setting the date and time
61. ...and disabling NIDS attack signatures on page 252.
Antivirus protection
Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection, and the treatment of fragmented email and oversized files or email.
This chapter describes:
• General configuration steps
• Antivirus scanning
• File blocking
• Quarantine
• Blocking oversized files and emails
• Exempting fragmented email from blocking
• Viewing the virus list
General configuration steps
Configuring antivirus protection involves the following general steps:
1 Select antivirus protection options in a new or existing content profile. See Adding a content profile on page 197.
2 Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP, FTP) and email (IMAP, POP3, and SMTP) connections through the FortiGate unit. Select a content profile that provides the antivirus protection options that you want to apply to a policy. See Adding a content profile to a policy on page 199.
3 Configure antivirus protection settings to control how the FortiGate unit
62. Logging attacks (page 256)
Whenever the NIDS detects or prevents an attack, it generates an attack message. You can configure the system to add the message to the attack log.
• Logging attack messages to the attack log
• Reducing the number of NIDS attack log and email messages
Logging attack messages to the attack log
Use the following procedure to log attack messages to the attack log.
1 Go to Log & Report > Log Setting.
2 Select Config Policy for the log locations you have set.
3 Select Attack Log.
4 Select Attack Detection and Attack Prevention.
5 Select OK.
Note: For information about log message content and formats and about log locations, see the Logging Configuration and Reference Guide.
Reducing the number of NIDS attack log and email messages
Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, the FortiGate unit provides methods to reduce the number of unnecessary messages. Based on the frequency at which messages are generated, the FortiGate unit automatically deletes duplicates. If you determine that you are still receiving an excessive number of unnecessary messages, you can manually disable message generation for signature groups.
Automatic message reduction
The content of the attack log and alert email messages that the NIDS produces includes the ID number and name
64. ...can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager. The FortiGate agent sends the traps listed in Table 2.
Table 2: FortiGate traps
Trap message: The <interface_name> Interface IP is changed to <new_IP>, Fortigate Serial No <FortiGate_serial_no>
Description: The IP address of an interface of a FortiGate unit has changed. The trap message includes the name of the interface for which the IP address changed, the new IP address of the interface, and the serial number of the FortiGate unit. This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE.
Trap message: System Down
Description: The FortiGate unit is shutting down.
Trap message: Agent Down
Description: An administrator has disabled the SNMP agent. This trap is also sent when the agent stops before a system shutdown.
Trap message: Cold Start
Description: The FortiGate unit starts or restarts. An administrator enables the SNMP agent or changes FortiGate SNMP settings. This trap is sent when the agent starts during system startup.
Trap message: Authentication failure
Description: An SNMP manager community string does not match the FortiGate get community string.
Customizing replacement messages
Replacement messages are added to content passing through the firewa
65. ...cause unpredictable results. You can manage the cluster by connecting to any cluster interface configured for management access.
FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode. Active-active and active-passive HA are supported in both NAT/Route and Transparent modes.
This chapter provides an overview of HA functionality and describes how to configure and manage HA clusters in NAT/Route mode and in Transparent mode:
• Active-passive HA
• Active-active HA
• HA in NAT/Route mode
• HA in Transparent mode
• Managing the HA cluster
• Advanced HA options
Active-passive HA
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that is processing traffic and one or more subordinate FortiGate units connected to the network and to the primary FortiGate unit but not processing traffic.
1 HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
During startup, the members of an HA cluster negotiate to select the primary unit. The primary unit allows other FortiGate units to join the HA cluster as subordinate units and assigns each subordinate unit a priority. The primary FortiGate unit sends session messages to the subordinate units through the FortiGate HA interfaces. All FortiGate units in the cluster maintain all
66. ...connect all matching interfaces in the cluster to the same hub or switch. Then you must connect these interfaces to their networks using the same hub or switch. Also, you must connect all of the HA interfaces in the cluster to their own hub or switch. You can also connect a management computer to this hub or switch.
The units in the cluster are constantly communicating HA status information to make sure the cluster is functioning properly. For this reason, the connection between the HA ports of all of the FortiGate units in the cluster must be well maintained. An interruption of this communication can cause unpredictable results. Switches are recommended for performance reasons.
The network equipment to use and the procedure to follow are the same whether you are configuring the FortiGate units for active-active HA or active-passive HA.
To connect the FortiGate units to your network:
1 Connect port 1 of each FortiGate unit to a switch or hub connected to your internal network.
2 Connect port 2 of each FortiGate unit to a switch or hub connected to your external network.
3 Optionally, connect port 3 of each FortiGate unit to a switch or hub connected to another network.
4 Connect the 4/HA interfaces of the FortiGate units to another switch or hub.
Figure 14: HA network configuration (diagram; labels legible: Internal Network, Port 1, Port 2, Port 4/HA)
67. ...connect the FortiGate units to the network. Instead, proceed to Configuring the HA interface and HA IP address.
Configuring the HA interface and HA IP address
Configure the 4/HA interfaces of all of the FortiGate 400s in the HA cluster to operate in HA mode. When you switch the 4/HA interface to HA mode, the System > Config > HA options become active. When running in HA mode, the 4/HA interfaces cannot be connected to a network because they are dedicated to HA communication.
The 4/HA interface of each FortiGate 400 unit must be configured with a different IP address. The addresses of the 4/HA interfaces must be on the same subnet, and they must be configured for management access.
Repeat the following procedure for each FortiGate unit in the HA cluster.
1 Connect to the FortiGate unit and log into the web-based manager.
2 Go to System > Network > Management.
3 For the port4/ha interface, select HA to configure port4/ha for HA operation.
4 Select the management Access methods for the port4/ha interface:
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
68. ...duplicate policies for connections between the internal network and both interfaces connected to the Internet. As well, as you add redundant policies you must arrange them in both policy lists in the same order.
Restricting access to a single Internet connection
In some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 8 on page 53, the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1. To do this, you add a single port1 > port2 firewall policy for SMTP connections. Because redundant policies have not been added, SMTP traffic from the internal network is always connected to ISP1. If the connection to ISP1 fails, the SMTP connection is not available.
Transparent mode installation
This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see NAT/Route mode installation on page 45. If you want to install two or more FortiGate units in HA mode, see High availability on page 75.
This chapter describes:
• Preparing to configure Transparent mode
• Using the setup wizard
• Using the front control buttons and LCD
• Using the command line interface
69. (screenshot of the virtual IP form: Interface external; Type Static NAT / Port Forwarding; External IP Address 64.230.123.149; External Service Port 45001; Map to IP 192.168.1.99; Map to Port; Protocol TCP / UDP)
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device:
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source: External_All
Destination: The virtual IP added above
Schedule: Always
Service: ANY
Action: Accept
NAT: Selected
3 Select OK.
Configure the FortiGate unit with an override push IP and port
To configure the FortiGate unit on the internal network:
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Use override push.
4 Set IP to the External IP Address added to the virtual IP. For the example topology, enter 64.230.123.149.
5 Set Port to the External Service Port added to the virtual IP. For the example topology, enter 45001.
6 Select Apply.
The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP address and port for push updates to the FortiGate unit on the internal network. If the External IP Address or External Service Port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.
Figure 4: Example p
70. ...> Log Setting.
2 Select Config Policy for the type of logs that the FortiGate unit is configured to record. See Recording logs on page 281.
3 Select Update to record log messages when the FortiGate unit updates antivirus and attack definitions.
4 Select the following update log options:
Failed Update: The FortiGate unit records a log message whenever an update attempt fails.
Successful Update: The FortiGate unit records a log message whenever an update attempt is successful.
FDN error: The FortiGate unit records a log message whenever it cannot connect to the FDN or whenever it receives an error message from the FDN.
5 Select OK.
Adding an override server
If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
1 Go to System > Update.
2 Select Use override server address and add the IP address of a FortiResponse server.
3 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiResponse Distribution Network setting changes to Available, the FortiGate unit has successfully connected to the override server. If the FortiResponse Distribution Network stays set to Not Available, the FortiGate unit cannot
71. have two interfaces that can be used to route packets to the same destination, and you set the metric of one interface higher than the other, the routes to the interface with the lower metric will seem to have a lower cost, so more traffic will use routes to the interface with the lower metric. The metric can be from 1 to 16.

Note: MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit. With MD5 authentication, the password is added to the routing message and MD5 is applied to create the MD5 digest of the routing message. The password in the routing message is replaced with this MD5 digest and the message is broadcast. When a router receives the routing message, it replaces the MD5 digest with the password, computes the MD5 digest of this new message, and then compares the result with the MD5 digest sent with the original message. If the two MD5 digests are identical, the receiver accepts the message. If they are not, the receiver rejects the message.
4. Select OK to save the RIP configuration for the selected interface.

Figure 2: Example RIP configuration for an internal interface (Edit RIP on Interface form: Interface internal; RIP1 Send, RIP1 Receive, RIP2 Send, RIP2 Receive, Split Horizon; Authentication, Password, Mode Clear; Metric 1 to 16).

Adding RIP neighbors. Add RIP neighbors to define a neigh
72. hour. Select OK to run the search. The web-based manager displays the messages that match the search criteria. You can scroll through the messages or run another search.
Note: After running a search, to display all log messages again, run another search but leave all the search fields blank.

FortiGate 400 Installation and Configuration Guide

Viewing and managing logs saved to the hard disk. If your FortiGate unit contains a hard disk for recording logs, you can use the following procedures to view, search and maintain logs:
• Viewing logs
• Searching logs
• Downloading a log file to the management computer
• Deleting all messages in an active log
• Deleting a saved log file

Viewing logs. Log messages are listed with the most recent message at the top. You can view the active or saved logs using the following procedure. Go to Log & Report > Logging. Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log or Email Filter Log. The web-based manager lists all saved logs of the selected type, with the active log at the top of the list. For each log, the list shows the date and time at which an entry was last added to the log, the size of the log file and its name. To view a log file, select View. The web-based manager displays the messages in the selected log. You can set the number of log messages to view on a si
73. not allow L2TP traffic without IPSec encryption. You can disable this default behavior by editing the Windows 2000 Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.
7. Use the registry editor (regedit) to locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Add the following registry value to this key: Value Name ProhibitIpSec; Data Type REG_DWORD; Value 1.
Save your changes and restart the computer for the changes to take effect.
You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.

Connecting to the L2TP VPN. Start the dialup connection that you configured in the previous procedure. Enter your L2TP VPN User Name and Password. Select Connect. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN us
74. of the attack that generated the message. The attack ID number and name in the message are identical to the ID number and rule name that appear on the NIDS Signature Group Members list.

The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue. The FortiGate unit holds duplicate alert email messages for 60 seconds. If a duplicate message has been in the queue for more than 60 seconds, the FortiGate unit deletes the message and increases the copy number. If the copy number is greater than 1, the FortiGate unit sends a summary email that includes "Repeated x times" in the subject header, the statement "The following email has been repeated x times in the last y seconds", and the original message.

Manual message reduction. If you want to reduce the number of alerts that the NIDS generates, you can review the content of attack log messages and alert email. If a large number of the alerts are nuisance alerts (for example, web attacks when you are not running a web server), you can disable the signature group for that attack type. Use the ID number in the attack log or alert email to locate the attack in the signature group list. See Enabling
75. on the same subnet as a FortiGate interface or VLAN subinterface, the system sends the traffic to that interface.
• If the Gateway 1 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface, the system routes the traffic to interface 2 using the default route.
You can use Device 1 to send packets to an interface that is on a different subnet than the destination IP address of the packets, without routing them using the default route.

Set Device 2 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway 2. You can select the name of an interface, a VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface, the traffic is routed to that interface. If you select Auto, the system selects the interface according to the following rules:
• If the Gateway 2 IP address is on the same subnet as a FortiGate interface or VLAN subinterface, the system sends the traffic to that interface.
• If the Gateway 2 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface, the system routes the traffic to interface 2 using the default route.
You can use Device 2 to send packets to an interface that is on a different subnet than the destination IP address of the packets, without routing them using the default route.
Select OK to save the route.

Configuring rout
76. or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full. Use the following procedure to enable alert email.
1. Go to Log & Report > Alert Mail > Categories.
2. Select Enable alert email for virus incidents to have the FortiGate unit send an alert email when antivirus scanning detects a virus. Alert email is not sent when antivirus file blocking deletes a file.
3. Select Enable alert email for block incidents to have the FortiGate unit send an alert email when it blocks files affected by viruses.
4. Select Enable alert email for intrusions to have the FortiGate unit send an alert email to notify the system administrator of attacks detected by the NIDS.
5. Select Enable alert email for critical firewall/VPN events or violations to have the FortiGate unit send an alert email when a critical firewall or VPN event occurs. Critical firewall events include failed authentication attempts. Critical VPN events include when replay detection detects a replay packet. Replay detection can be configured for both manual key and AutoIKE Key VPN tunnels.
6. Select Send alert email when disk is full to have the FortiGate unit send an alert email when the hard disk is almost full.
7. Select Apply.

Glossary. Connection: A link between machi
77. phrase. Content filtering is not case sensitive. You cannot include special characters in banned words. Select the Language for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese or Korean. Your computer and web browser must be configured to enter characters in the language that you select. Select Enable. Select OK. The word or phrase is added to the banned word list. You can enter multiple banned words or phrases and then select Check All to activate all items in the banned word list.
Note: Email Content Block must be selected in the content profile for IMAP or POP3 email containing banned words to be tagged.

Email block list. You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag. You can tag email from a specific sender address, or from all address subdomains by adding the top level domain name. Alternatively, you can tag email sent from individual subdomains by including the subdomain to block.

Adding address patterns to the email block list
1. Go to Email Filter > Block
78. policy. The comment can be up to 63 characters long, including spaces.

Configuring policy lists. The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to this policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched. This section describes:
• Policy matching in detail
• Changing the order of policies in a policy list
• Enabling and disabling policies

Policy matching in detail. When the FortiGate unit receives a connection attempt at an interface, it must select a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt. The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service (port), and the time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped. The default policy accepts all connection att
79. policy list that you want to rearrange. Choose a policy to move and select Move To to change its order in the policy list. Type a number in the Move to field to specify where in the policy list to move the policy, and select OK.

Enabling and disabling policies. You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches enabled policies but does not match disabled policies.
Disabling a policy. Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communication sessions that have been allowed by the policy. To stop active communication sessions, see System status on page 110. Go to Firewall > Policy. Select the policy list containing the policy to disable. Clear the check box of the policy to disable.
Enabling a policy. Enable a policy that has been disabled so that the firewall can match connections with the policy. Go to Firewall > Policy. Select the policy list containing the policy to enable. Select the check box of the policy to enable.

Addresses. All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones or VLAN subinterfaces of the policy. You can add, edit and delete all firewall addresses as required. You can a
80. press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command. If you successfully interrupt the startup process, one of the following messages appears:
• FortiGate unit running v2.x BIOS: Enter TFTP Server Address 192.168.1.168: Go to step 9.
• FortiGate unit running v3.x BIOS:
G: Get firmware image from TFTP server
F: Format boot device
B: Boot with backup firmware and set as default
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, B, Q, or H:
Type G to get the new firmware image from the TFTP server.
9. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address 192.168.1.188:
10. Type the address of port1 and press Enter.
Note: The local IP address is only used to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears: Enter File Name image.out:
11. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear:
• FortiGate unit running v2.x BIOS: Do You Want To Save The Image? (Y/n) Type Y.
• FortiGate unit running v
81. remote VPN peer.
Password: Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.
XAuth: Enable as a Server.
Encryption method: Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server. PAP: Password Authentication Protocol. CHAP: Challenge Handshake Authentication Protocol. MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit and CHAP between the FortiGate unit and the authentication server. Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS. Use MIXED if the authentication server supports CHAP but the XAuth client does not. Use MIXED with the Fortinet Remote VPN Client.
Usergroup: Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here.

Optionally configure NAT Traversal (fields: Enable, Keepalive Frequency).
Enable: Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect. Both ends of the VPN (both VPN peers)
82. report traffic that connects to the firewall
• report network services used
• report traffic permitted by firewall policies
• report traffic that was denied by firewall policies
• report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks and web page blocking
• report attacks detected by the NIDS
• send alert email to system administrators to report virus incidents, intrusions and firewall or VPN events or violations
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.

What's new in Version 2.50. This section presents a brief summary of some of the new features in FortiOS v2.50.
System administration
• Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See System status on page 110.
• Revised antivirus and attack definition update functionality that connects to a new version of the FortiResponse Distr
83. see Using the Cerberian web filter on page 272, to HTTP traffic accepted by a policy.
Web Content Block: Block web pages that contain unwanted words or phrases. See Content blocking on page 268.
Web Script Filter: Remove scripts from web pages. See Script filtering on page 274.
Web Exempt List: Exempt URLs from web filtering and virus scanning. See Exempt URL list on page 275.
6. Enable Email filter protection options:
Email Block List: Add a subject tag to email from unwanted addresses. See Email block list on page 279.
Email Exempt List: Exempt sender address patterns from email filtering. See Email exempt list on page 279.
Email Content Block: Add a subject tag to email that contains unwanted words or phrases. See Email banned word list on page 278.
7. Enable fragmented email and oversized file and email options:
Oversized File/Email Block: Block or pass files and email that exceed thresholds configured as a percent of system memory. See Blocking oversized files and emails on page 266.
Pass Fragmented Email: Allow email messages that have been fragmented to bypass antivirus scanning. See Exempting fragmented email from blocking on page 266.
8. Select OK.

Figure 16: Example content profile (Content Profile form: Profile Name; Options with columns HTTP, FTP, IMAP, POP3, SMTP; rows Anti Virus Scan, File
84. specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN. The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers won't allow CONNECT to connect to just any port; they restrict the allowed ports to the well-known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server may have to be configured to allow connections on this port.

There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Push updates are not supported if the FortiGate must connect to the Internet through a proxy server.

Registering FortiGate units. After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to System > Update > Support, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact informatio
85. systems.
• L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGate unit.
• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

High availability. High Availability (HA) provides fail-over between two or more FortiGate units. Fortinet achieves HA through the use of redundant hardware: matching FortiGate models running in NAT/Route mode. You can configure the FortiGate units for either active-passive (A-P) or active-active (A-A) HA. Both A-P and A-A HA use similar redundant high availability hardware configurations. High availability software guarantees that if one of the FortiGate units in the HA group fails, all functions, established firewall connections and IPSec VPN sessions are maintained.

Secure installation, configuration and management. Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager
86. that you want to delete. You can delete any listed address that has a Delete Address icon.
3. Choose an address to delete and select Delete.
4. Select OK to delete the address.

Organizing addresses into address groups. You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses and then add them to an address group, you only have to add one policy using the address group rather than a separate policy for each address. You can add address groups to any interface, VLAN subinterface or zone. The address group can only contain addresses from that interface, VLAN subinterface or zone. Address groups are available in interface, VLAN subinterface or zone source or destination address lists. Address groups cannot have the same names as individual addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
1. Go to Firewall > Address > Group.
2. Select the interface, VLAN subinterface or zone to which to add the address group.
3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
4. To add addresses to the address group, select an address from the Available Addresses list and select the right arr
87. the FortiGate unit in Transparent mode, go to Transparent mode installation on page 61. If you are going to operate two or more FortiGate units in HA mode, go to High availability on page 75.

NAT/Route mode installation. This chapter describes how to install your FortiGate unit in NAT/Route mode. To install your FortiGate unit in Transparent mode, see Transparent mode installation on page 61. To install two or more FortiGate units in HA mode, see High availability on page 75. This chapter describes:
• Preparing to configure NAT/Route mode
• Using the setup wizard
• Using the front control buttons and LCD
• Using the command line interface
• Completing the configuration
• Connecting the FortiGate unit to your networks
• Configuring your network
• Completing the configuration
• Configuration example: Multiple connections to the Internet

Preparing to configure NAT/Route mode. Use Table 10 to gather the information that you need to customize NAT/Route mode settings.
Table 10: NAT/Route mode settings (worksheet)
Administrator Password
Interface 1: IP, Netmask
Interface 2: IP, Netmask, Default Gateway, Primary DNS Server, Secondary DNS Server
Interface 3: IP, Netmask

Using the setup w
88. the configuration saved with this firmware image is restored.
1. Connect to the CLI using the null modem cable and FortiGate console port.
2. Enter the following command to restart the FortiGate unit: execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed. When the following message appears: Press any key to enter configuration menu
3. Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
G: Get firmware image from TFTP server
F: Format boot device
B: Boot with backup firmware and set as default
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, B, Q, or H:
4. Type B to load the backup firmware image. The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts, it is running the backup firmware version with a restored configuration.

Manual virus definition updates. The System > Status page of the FortiGate web-based manager displays the currently installed versions of the FortiGate Antivirus Definitions. You can use the following procedure to update the antivirus definitions manually.
Note: To configure
89. the interface must be on the same subnet as the network the interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
4. Select OK to save your changes. If you changed the IP address of the interface that you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.

Adding a secondary IP address to an interface. You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be the same as the primary IP address, but it can be on the same subnet. To add a secondary IP address from the CLI, enter the command:
set system interface <intf_str> config secip <second_ip> <netmask_ip>
You can also configure management access and add a ping server to the secondary IP address:
set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
set system interface <intf_str> config secgwdetect enable

Adding a ping server to an interface. Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See Adding destination based routes to the routing table on page 143.
1. Go to System > Network > Interface.
2. Select Modify for the interface to which to add
90. the port forwarding virtual IP.
Action: Set action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access.
NAT: Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
Authentication: Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
Log Traffic, Anti-Virus & Web filter: Select these options to log port forwarded traffic and apply antivirus and web filter protection to this traffic.
Select OK to save the policy.

IP pools. An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface. You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool, rather than being limited to the IP address of the destination interface. The addresses in the IP pool must be on the same subnet as the IP address of the interface. For example, if the IP address of a FortiGate interface is 192.168.1.99, a valid IP pool could start at IP 192.168.1.10 and end at 192.168.1.20. This IP pool would give the firewall 11 addresses to select from when translating the source address
91. to and through the VLAN subinterface and recorded in the traffic log.
1. Go to System > Network > Interface.
2. Select Edit in the Modify column beside the VLAN subinterface for which you want to enable logging.
3. For Log, select Enable.
4. Select OK.
Repeat this procedure for each VLAN subinterface for which you want to enable logging.

Enabling traffic logging for a firewall policy. If you enable traffic logging for a firewall policy, all connections accepted by the firewall policy are recorded in the traffic log.
1. Go to Firewall > Policy.
2. Select a policy tab.
3. Select Log Traffic.
4. Select OK.

Configuring traffic filter settings. Use the following procedure to configure the information recorded in all traffic log messages. Go to Log & Report > Log Setting > Traffic Filter. Select the settings that you want to apply to all Traffic Log messages:
Resolve IP: Select Resolve IP if you want traffic log messages to list the IP address and the domain name stored on the DNS server. If the primary and secondary DNS server addresses provided to you by your ISP have not already been added, go to System > Network > DNS and add the addresses.
Type: Select Session or Packet. If you select Session, the FortiGate unit records the number of packets sent and received for each session. If you select Packet, the FortiGate unit records the average pa
92. to apply more control to which traffic is sent to which destination route. This section describes the following policy routing examples, based on a topology similar to that shown in Figure 8 on page 53. Differences are noted in each example. The policy routes described in these examples only work if you have already defined destination routes similar to those described in the previous section.
• Routing traffic from internal subnets to different external networks
• Routing a service to an external network
For more information about policy routing, see Policy routing on page 146.

Routing traffic from internal subnets to different external networks. If the FortiGate provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0, you can enter the following policy routes.
1. Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 external network:
set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.1
2. Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 external network:
set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1

Routing a service to an external network. You can use the follo
93. to forward the connection to the network connected to port2.
Figure 4: Default firewall policy (policy list columns: ID, Source, Destination, Schedule, Service, Action, Enable, Config; row 1: Port1_All, Port2_All, Always, ANY, ACCEPT, enabled).

• Interfaces
• VLAN subinterfaces
• Zones
• Addresses
• Services
• Schedules
• Content profiles

Add policies to control connections between FortiGate interfaces and between the networks connected to these interfaces. By default, you can add policies for connections between the port1 and port2 interfaces. To add policies that include the port3 and port4/ha interfaces, you must use the following steps to add these interfaces to the firewall policy grid:
1. If they are down, bring the port3 and port4/ha interfaces up. See Bringing up an interface on page 135.
2. Add IP addresses to port3 and port4/ha. See Changing an interface static IP address on page 136.
3. Add firewall addresses for these interfaces. See Adding addresses on page 179.

VLAN subinterfaces. You can also add VLAN subinterfaces to the FortiGate configuration to control connections between VLANs. For more information about VLANs, see Configuring VLANs on page 139. To add policies that include VLAN subinterfaces, you must use the following steps to add the VLAN subinterfaces to the firewall policy grid:
1. Add VLAN subinterfaces to the FortiGate configuration. See Adding VLAN subinterfaces on page 141.
2. Add firewall addresses for the VLAN
94. tunnel is active. If Status is Down, the tunnel is not active. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Figure 27: AutoIKE key tunnel status (columns Remote Gateway, Lifetime (sec/kb), Timeout, Status; AutoIKE_tunnel_1: 66.34.23.78, 300/10240, Up; AutoIKE_tunnel_2: 55.66.77.88, 300/NA, Down)
Viewing dialup VPN connection status
You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.
FortiGate 400 Installation and Configuration Guide, page 233 (Monitoring and Troubleshooting VPNs)
To view dialup connection status
Go to VPN > IPSec > Dialup. The Lifetime column displays how long the connection has been up. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. The Proxy ID Source column displays the actual IP address or subnet address of the remote peer. The Proxy ID Destination column displays the actual IP address or subnet address of the local peer.
Figure 28: Dialup Monitor
95. unit. Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway). If Outbound NAT is implemented, it is subject to these limitations:
• Configure Outbound NAT only at one end of the tunnel.
• The end which does not implement Outbound NAT requires an Int > Ext policy which specifies the other end's external interface as the Destination. This will be a public IP address.
• The tunnel and the traffic within the tunnel can only be initiated at the end which implements Outbound NAT.
Refer to the FortiGate Installation and Configuration Guide to configure the remaining policy settings.
9. Select OK to save the encrypt policy.
To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.
Figure 25: Adding an encrypt policy (policy list tabs Int > Ext, Int > DMZ, DMZ > Int, DMZ > Ext, Ext > Int, Ext > DMZ; edit policy form with Source, Destination, Schedule always, Service ANY, Action ENCRYPT, VPN Tunnel, Allow inbound, Inbound NAT, Allow outbound, Outbound NAT, Traffic Shaping with Guaranteed Bandwidth, Maximum Bandwidth and Traffic Priority, and Anti-Virus & Web filter with Content Profile Strict)
96. user-defined signatures, web content lists, email filtering lists, and changes to replacement messages. Before running this procedure you can:
• Back up the FortiGate unit configuration (use the procedure Backing up system settings on page 108).
• Back up the NIDS user-defined signatures (see the FortiGate NIDS Guide).
• Back up web content and email filtering lists (see the FortiGate Content Protection Guide).
If you are reverting to a previous FortiOS version, for example reverting from FortiOS v2.50 to FortiOS v2.36, you may not be able to restore your previous configuration from the backup configuration file.
Changing the FortiGate firmware
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure Manually updating antivirus and attack definitions on page 119 to make sure that antivirus and attack definitions are up to date.
1. Copy the firmware image file to your management computer.
2. Login to the FortiGate web-based manager as the admin administrative user.
3. Go to System > Status.
4. Select Firmware Upgrade.
5. Enter the path and filename of the previous firmware image file, or select Browse and locate the file.
6. Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware versio
97. uses the hard disk to store log messages and to quarantine files infected with a virus or blocked by antivirus file blocking.
Backing up system settings
You can back up system settings by downloading them to a text file on the management computer.
1. Go to System > Status.
2. Select System Settings Backup.
3. Select Backup System Settings.
4. Type a name and location for the file. The system settings file is backed up to the management computer.
5. Select Return to go back to the Status page.
Restoring system settings
You can restore system settings by uploading a previously downloaded system settings text file.
1. Go to System > Status.
2. Select System Settings Restore.
3. Enter the path and filename of the system settings file, or select Browse and locate the file.
4. Select OK to restore the system settings file to the FortiGate unit. The FortiGate unit restarts, loading the new system settings.
5. Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.
Restoring system settings to factory defaults
Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.
Caution: This procedure deletes all changes that you have made to the For
98. week. You can specify the day of the week and the time of day to check for updates.
4. Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever a scheduled update is run, the event is recorded in the FortiGate event log.
Figure 1: Configuring automatic antivirus and attack definitions updates (Update page: FortiResponse Distribution Network available, Push Update not available, Use override server address; version table listing Anti-Virus Engine 1.00, Anti-Virus Definition 4.115 and Attack Definition 2.56 with Expiry date, Last update attempt and Status "No updates"; Allow Push Update with Use override push IP and Port; Scheduled Update: Every N hours at M minutes after the hour, Daily at a given hour and minute, or Weekly on a given day, hour and minute)
Configuring update logging
Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. Update log messages are recorded on the FortiGate Event log.
1. Go to Log & Report
99. what actions Web servers and browsers should take in response to various commands.
HTTPS: The SSL protocol for transmitting private documents over the Internet using a Web browser.
Internal interface: The FortiGate interface that is connected to an internal (private) network.
Internet: A collection of networks connected together that span the entire globe using the NFSNET as their backbone. As a generic term, it refers to any collection of interdependent networks.
ICMP: Internet Control Message Protocol. Part of the Internet Protocol (IP) that allows for the generation of error messages, test packets, and information messages relating to IP. This is the protocol used by the ping function when sending ICMP Echo Requests to a network host.
IKE: Internet Key Exchange. A method of automatically exchanging authentication and encryption keys between two secure servers.
IMAP: Internet Message Access Protocol. An Internet email protocol that allows access to your email from any IMAP-compatible browser. With IMAP, your mail resides on the server.
IP: Internet Protocol. The component of TCP/IP that handles routing.
IP Address: An identifier for a computer or device on a TCP/IP network. An IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255.
L2TP: Layer Two (2) Tunneling Protocol. An extension to the PPTP prot
100. your PPTP VPN User Name and Password. Select Connect. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
Configuring a Windows XP client for PPTP
Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate PPTP VPN.
Configuring a PPTP dialup connection
1. Go to Start > Control Panel.
2. Select Network and Internet Connections.
3. Select Create a Connection to the network of your workplace and select Next.
4. Select Virtual Private Network Connection and select Next.
5. Name the connection and select Next.
6. If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7. In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8. Select Finish.
Configuring the VPN connection
1. Right-click the Connection icon that you created in the previous procedure.
2. Select Properties > Security.
3. Select Typical to configure typical settings.
4. Select Require data encryption.
Note: If a RADIUS server is used for authentication, do not select Require data encryption. PPTP encryption is not supported for RADIUS server authentication.
5. Select Advanc
101. 1, v2c.
2. Select Enable SNMP.
3. Configure SNMP settings:
System Name: Automatically set to the FortiGate host name. To change the System Name, see Changing the FortiGate host name on page 94.
System Location: Describe the physical location of the FortiGate unit. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The <, > and & characters are not allowed.
Contact Information: Add the contact information for the person responsible for this FortiGate unit. The contact information can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The <, > and & characters are not allowed.
Get Community: Also called read community, get community is a password to identify SNMP get requests sent to the FortiGate unit. When an SNMP manager sends a get request to the FortiGate unit, it must include the correct get community string. The default get community string is public. Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. The get community string must be used in your SNMP manager to enable it to access FortiGate SNMP information. The get community string can be up to 31 characters long and can contain numbers (0-9), upper
102. 3.x BIOS:
Save as Default firmware / Run image without saving: [D/R]
Save as Default firmware / Backup firmware / Run image without saving: [D/B/R]
Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring your previous configuration
You can then restore your previous configuration. Begin by changing the interface addresses, if required. You can do this from the CLI using the command set system interface. After changing the interface addresses, you can access the FortiGate unit from the web-based manager and restore your configuration.
To restore your FortiGate unit configuration, see Restoring system settings on page 108.
To restore NIDS user-defined signatures, see the FortiGate NIDS Guide.
To restore web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous firmware version, for example reverting from FortiOS v2.50 to FortiOS v2.36, you may not be able to restore your previous configuration from the backup configuration file.
12. Update the virus and attack definitions to the most recent version (see Manually updating antivirus and attack definitions on page 119).
Test a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit op
103. (Figure residue: active session list with columns for protocol, source address and port, destination address and port, and expiry.)
Virus and attack definitions updates and registration
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine. You have the following update options:
• Request updates from the FDN manually.
• Schedule updates to automatically request the latest versions hourly, daily, or weekly.
• Push updates, so that the FDN contacts your FortiGate unit when a new update is available.
To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page.
This chapter describes:
Updating antivirus and attack definitions
104. A-Z, a-z, and the special characters - and _. Other special characters and spaces are not allowed.
4. Select one of the following authentication configurations:
Disable: Prevent this user from authenticating.
Password: Enter the password that this user must use to authenticate. The password should be at least six characters long. The password can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
LDAP: Require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See Configuring LDAP support on page 205.
Radius: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See Configuring RADIUS support on page 204.
5. Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration.
6. Select OK.
Figure 17: Adding a user name (Local user form: User Name "User 2"; Disable; Passw
105. Add a single RIP filter to filter a single route. You can apply a single RIP filter to the neighbors or routes filter. You can add a total of four RIP filters or RIP filter lists. If you want to filter multiple routes, use a RIP filter list. See Adding a RIP filter list on page 155.
1. Go to System > RIP > Filter.
2. Select New to add a RIP filter.
3. Configure the RIP filter:
Filter Name: Enter a name for the RIP filter. Each RIP filter and RIP filter list must have a unique name. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
Blank Filter: Used for filter lists. See Adding a RIP filter list on page 155.
IP: Add the IP address of the route.
Mask: Add the netmask of the route.
Action: Select Allow so that the filter permits this route to be communicated. Select Deny to stop this route from being communicated.
Interface: Select the interface on which to apply this RIP filter.
4. Select OK to save the RIP filter.
Adding a RIP filter list
Add a RIP filter list to filter multiple routes. A RIP filter list consists of a RIP filter name and a series of route prefixes. You can add a total of four RIP filters or RIP filter lists. When a RIP filter list is added to the neighbors or routes filter, all of the routes in the RIP filter list are filtered.
1. Go to System > RIP > Fi
106. (Figure residue: content profile options table with one column per service and rows Block, Quarantine, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email, Pass Fragmented Emails.)
Adding a content profile to a policy
You can add content profiles to policies with Action set to allow or encrypt and with Service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
1. Go to Firewall > Policy.
2. Select a policy list that contains policies to which to add a content profile. For example, to enable network protection for files downloaded by internal network users from the web, select an internal to external policy list.
3. Select New to add a new policy, or choose a policy and select Edit.
4. Select Anti-Virus & Web filter.
5. Select a content profile.
6. Configure the remaining policy settings, if required.
7. Select OK.
8. Repeat this procedure for any policies for which to enable network protection.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal da
107. Completing the configuration
Connecting the FortiGate unit to your networks
Transparent mode configuration examples
Preparing to configure Transparent mode
Use Table 14 to gather the information that you need to customize Transparent mode settings.
Table 14: Transparent mode settings
Administrator Password: ____
Management IP: IP ____, Netmask ____, Default Gateway ____. The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
DNS Settings: Primary DNS Server ____, Secondary DNS Server ____
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see Connecting to the web-based manager on page 32.
Changing to Transparent mode
The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
1. Go to System > Status.
2. Select Change to Transparent Mode.
3. Select Transparent in the Operation Mode list.
4. Select OK. The FortiGate unit changes to Transparent mode.
To reconnect to the web-based manager
109. Configuration and Reference Guide. For information about email filter log message categories and formats, see Log messages in the FortiGate Logging Configuration and Reference Guide.
Email banned word list
When the FortiGate unit detects email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.
Adding words and phrases to the banned word list
1. Go to Email Filter > Content Block.
2. Select New to add a word or phrase to the banned word list.
3. Type a banned word or phrase.
• If you type a single word, for example banned, the FortiGate unit tags all IMAP and POP3 email that contains that word.
• If you type a phrase, for example banned phrase, the FortiGate unit tags email that contains both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs in place of spaces, for example banned+phrase.
• If you type a phrase in quotes, for example "banned word", the FortiGate unit tags all email in which the words are found together as a
111. File caught by heuristics
• Green: File blocked by block pattern
• Blue: File is over size limit
Fortinet recommends that you send yellow status files to the FortiResponse Center, as these files could contain a new virus or a variant of a known virus.
Status Description: Specific information related to the status, for example "File is infected with W32/Klez.h" or "File was stopped by file block pattern".
DC: Duplicate count. A count of how many duplicate files were discovered during quarantine. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit automatically deletes the file. In the case of duplicate files, each duplicate found refreshes the TTL.
Modify: You can delete or download the file. When you download a file, it is downloaded in its original format.
Note: In the case of duplicate files, all fields relate to the originally quarantined file except TTL, which is refreshed with every new instance of a given file. Duplicate files (based on checksum) are never stored, but an internal counter for each file records the number of duplicates encountered.
Sorting the quarantine list
You can sort the quarantine list according to status (infected or blocked), service (IMAP, POP3, SMTP, FTP, or HTTP), alphabetically by file name, by date quarantined, by time to live (TTL), or by duplicate count.
1. Go to Anti-Virus > Quarantine.
2. To s
112. For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time, or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. To set the FortiGate system date and time, see Setting system date and time on page 157.
Enabling antivirus protection
To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1. Go to Firewall > Policy > port1 > port2.
2. Select Edit to edit this policy.
3. Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4. Select the Scan Content Profile.
5. Select OK to save your changes.
Registering your FortiGate unit
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information. For more information about registration, see Registering FortiGate units on page 125.
113. (Figure residue: L2TP network diagram showing the FortiGate gateway with Interface 2 IP 1.1.1.1, the Internet, and an L2TP Windows client.)
Configuring the FortiGate unit as an L2TP gateway
Use the following procedures to configure the FortiGate unit as an L2TP gateway.
Adding users and user groups
To add a user for each L2TP client:
1. Go to User > Local.
2. Add and configure L2TP users. See Adding user names and configuring authentication on page 202.
3. Go to User > User Group.
4. Add and configure L2TP user groups. See Configuring user groups on page 207.
Enabling L2TP and specifying an address range
1. Go to VPN > L2TP > L2TP Range.
2. Select Enable L2TP.
3. Enter the Starting IP and the Ending IP for the L2TP address range.
4. Select the User Group that you added in Adding users and user groups on page 242.
5. Select Apply to enable L2TP through the FortiGate unit.
Figure 32: Sample L2TP address range configuration (L2TP Range: Enable L2TP selected; Starting IP 192.168.1.200; Ending IP 192.168.1.201; User Group L2TP_users; Disable L2TP not selected)
6. Add the addresses from the L2TP address range to the External zone address list. The addresses can be grouped into an External address group.
7. Add addresses to the destination zone address list to control the addresses to which L2TP clients can connect. The addresses can be grouped into an address group. For example, if you want L2TP users to connect to the Int
114. Configuring virus and attack definition updates
You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions. The FortiGate unit uses HTTPS on port 8890 to check for updates. FortiGate interface 2 must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see Updating antivirus and attack definitions on page 115.
Configuration example: Multiple connections to the Internet
This section describes some basic routing and firewall policy configuration examples for a FortiGate unit with multiple connections to the Internet (see Figure 8). In this topology, the organization operating the FortiGate unit uses two Internet service providers to connect to the Internet. The FortiGate unit is connected to the Internet using port 2 and port 3. Port 1 connects to gateway 1 operated by ISP1, and port 2 connects to gateway 2 operated by ISP2. By adding ping servers to interfaces and by configuring routing, you can control how traffic uses each Internet connection. With this routing configuration in place, you can proceed to create firewall policies to support multiple in
115. Installing and configuring the FortiGate units
Follow the instructions in NAT/Route mode installation on page 45 to install and configure the FortiGate units. All of the FortiGate units in the HA cluster should have the same configuration. Do not connect the FortiGate units to the network. Instead, proceed to Configuring the HA interfaces.
Configuring the HA interfaces
Configure the 4/HA interfaces of all of the FortiGate 400s in the HA cluster to operate in HA mode. When you switch the 4/HA interface to HA mode, the System > Config > HA options become active. When running in HA mode, the 4/HA interfaces cannot be connected to a network because they are dedicated to HA communication.
The 4/HA interface of each FortiGate 400 unit must be configured with a different IP address. The addresses of the 4/HA interfaces must be on the same subnet, and they must be configured for management access. Repeat the following procedure for each FortiGate unit in the HA cluster.
1. Connect to the FortiGate unit and log into the web-based manager.
2. Go to System > Network > Interface.
3. For the port4/ha interface, select Modify.
4. Select Work as HA to configure port4/ha for HA operation. When the FortiGate unit is configured for HA operation, you cannot connect a network to the 4/HA interface.
5. Change the IP address and Netm
116. Log Traffic; Comments (maximum 63 chars); OK; Cancel.
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules. Also, a hub-and-spoke network provides some processing efficiencies, particularly on the spokes. The disadvantage of a hub-and-spoke network is its reliance on a single peer to handle management of all VPNs. If this peer goes down, all encrypted communication in the network is impossible.
A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role that the VPN peer is serving. If the VPN peer is a FortiGate unit functioning as the hub or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network. If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub but not to the other spokes. It also re
117. and editing replacement messages. Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic. Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users. IPSec VPN describes how to configure FortiGate IPSec VPN. PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a Windows client. Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks. Antivirus protection describes how to use the FortiGate to protect your network from viruses and worms. Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate. Email filter describes how to configure email filtering to screen unwanted email content. Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate. The Glossary defines many of the terms used in this document. Document conventions: This guide uses the following conventions to describe CLI command syntax: • angle brackets < > to indicate variable keywords. For example: xecute resto
118. IP, QoS Packet Scheduler. Make sure that the following options are not selected: • File and Printer Sharing for Microsoft Networks • Client for Microsoft Networks. Disabling IPSec: Select the Networking tab. Select Internet Protocol (TCP/IP) properties. Double-click the Advanced tab. Go to the Options tab and select IP security properties. Make sure that "Do not use IPSEC" is selected. Select OK and close the connection properties window. Note: The default Windows XP L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable the default behavior by editing the Windows XP Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry. Use the registry editor (regedit) to locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters. Add the following registry value to this key: Value Name: ProhibitIpSec; Data Type: REG_DWORD; Value: 1. Save your changes and restart the computer for the changes to take effect. You must add the ProhibitIpSec registry value to each Windows XP-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows XP-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or active director
119. P_address> <netmask>. Example: set system interface port2 mode static ip 204.23.1.5 255.255.255.0. 4. Set the IP address and netmask of interface 3 or 4 to the IP addresses and netmasks that you recorded in Table 10 on page 45: set system interface <interface_name> mode static ip <IP_address> <netmask>. Example: To set the IP address of interface 3 to 192.45.56.73 and the netmask to 255.255.255.0, enter: set system interface port3 mode static ip 192.45.56.73 255.255.255.0. 5. Confirm that the addresses are correct. Enter: get system interface. The CLI lists the IP address, netmask, and other settings for each of the FortiGate interfaces. 6. Set the primary DNS server IP address. Enter: set system dns primary <IP_address>. Example: set system dns primary 293.44.75.21. 7. Optionally, set the secondary DNS server IP address. Enter: set system dns secondary <IP_address>. Example: set system dns secondary 293.44.75.22. 8. Set the default route to the Default Gateway IP address: set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>. Example: set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2. Connecting the FortiGate unit to your networks: When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. The Fo
120. RL block list, add more items to it using a text editor, and then upload the edited list to the FortiGate unit. 1. In a text editor, create the list of URLs and patterns to block. 2. Using the web-based manager, go to Web Filter > URL Block. 3. Select Upload URL Block List. 4. Type the path and filename of your URL block list text file, or select Browse and locate the file. 5. Select OK to upload the file to the FortiGate unit. 6. Select Return to display the updated URL block list. Each page of the URL block list displays 100 URLs. Use Page Down and Page Up to navigate through the URL block list. You can continue to maintain the URL block list by making changes to the text file and uploading it again. Using the Cerberian web filter: The FortiGate unit supports Cerberian web filtering. For information about the Cerberian web filter, see www.cerberian.com. Note: If you are operating FortiGate units in active-passive HA mode, each FortiGate unit in the cluster must have its own Cerberian license. Cerberian web filtering is not supported for active-active HA. For information about HA, see "High availability" on page 75. If you have purchased the Cerberian web filtering functionality with your FortiGate unit, use the following configuration procedures to configure FortiGate support for Cerberian web filtering.
121. S 253; protocol service 182; system status 113; proxy server 124; push updates 124; push updates: configuring 119, through a NAT device 120, through a proxy server 124, 304. Q: quarantine list: filtering 265, sorting 264, viewing 264; quarantining: blocked files 263, file 263, infected files 263. R: RADIUS: definition 296, example configuration 204; RADIUS server: adding server address 204, deleting 204; read & write access level, administrator account 160; read only access level, administrator account 160; recording logs 281; recording logs in system memory 284; recording logs on FortiGate hard disk 283; recording logs on NetIQ WebTrends server 282; recovering a lost Fortinet support password 128; recurring schedule 187, creating 187; registered FortiGate units, viewing the list of 128; registering: FortiGate unit 125, 126, 127, 129, FortiGate unit after an RMA 131, list of registered FortiGate units 129; registration: contact information 130, security question 130, updating information 128; renaming zones 134; replacement messages, customizing 163; reporting 21, 281; resolve IP 287, traffic filter 287; restarting 109; restoring system settings 108; restoring system settings to factory default 108; reverting firmware to an older version 99; RIP: configuring 149, filters 154, interface configuration 152, neighbors 153, settings 150; RMA, registering a FortiGate unit 131; route: adding default 143, adding to routing table 143, adding to rou
122. S through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name. Anti-Virus & Web filter: Enable antivirus protection and web filter content filtering for traffic controlled by this policy. You can select Anti-Virus & Web filter if Service is set to ANY, HTTP, SMTP, POP3, IMAP, or FTP, or to a service group that includes the HTTP, SMTP, POP3, IMAP, or FTP services. Select a content profile to configure how antivirus protection and content filtering is applied to the policy. See "Content profiles" on page 197. Figure 6: Adding a Transparent mode policy (screenshot of the New Policy form, port1 > port2: Source, Destination, Schedule Always, Service ANY, Action ACCEPT, Traffic Shaping with guaranteed and maximum bandwidth of 100 KBytes/s and Traffic Priority Medium, Authentication User_Group_1, Anti-Virus & Web filter with Content Profile Scan, Log Traffic, Comments maximum 63 characters). Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see "Logging and reporting" on page 281. Comments: Optionally add a description or other information about the
123. SSH: To allow secure SSH connections to the CLI through this interface. SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party. Change the HA IP address and Netmask as required. Optionally configure management access for other interfaces. Select Apply. Now that you have configured the HA interfaces, proceed to "Configuring the HA cluster". Configuring the HA cluster: Use the following procedure to configure each FortiGate unit for HA before connecting the HA cluster to your network. Note: These instructions describe configuring each of the FortiGate units in the HA cluster before connecting the HA cluster to your network. You can also use the procedure "Connecting the HA cluster to your network" on page 85 to connect the HA cluster to your network first. Connect to the FortiGate unit and log into the web-based manager. Go to System > Config > HA. Select HA. You can only select HA if the 4/HA interface is configured for HA operation. See "Configuring the HA interface and HA IP address" on page 82. Select the HA mode. Select Active-Passive mode to create an Active-Passive HA cluster, in which one FortiGate unit in the HA cluster is actively processing all connections and the others are passively monitoring the status and remaining syn
124. Service Contract 125; Registering the FortiGate unit 126; Updating registration information 128; Recovering a lost Fortinet support password 128; Viewing the list of registered FortiGate units 128; Registering a new FortiGate unit 129; Adding or changing a FortiCare Support Contract number 129; Changing your Fortinet support password 130; Changing your contact information or security question 130; Downloading virus and attack definitions updates 130; Registering a FortiGate unit after an RMA 131; Network configuration 133; Configuring zones 133; Adding zones 133; Adding interfaces to a zone 134; Adding VLAN subinterfaces to a zone
125. The remote computer must be configured with a syslog server. Go to Log & Report > Log Setting. Select Log to Remote Host to send the logs to a syslog server. Type the IP address of the remote computer running the syslog server software. Type the port number of the syslog server. Select the severity level for which you want to record log messages. The FortiGate will log all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error. Select Config Policy. Select the Log type for which you want the FortiGate unit to record logs. • For each Log type, select the activities for which you want the FortiGate unit to record log messages. Select OK. For more information on log types and activities, see "Filtering log messages" on page 284 and "Configuring traffic logging" on page 286. Select Apply. Recording logs on a NetIQ WebTrends server: Use the following procedure to configure the FortiGate unit to record logs on a remote NetIQ WebTrends firewall reporting server for storage and analysis. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with WebTrends NetIQ Security Reporting Center 2.0 and Firewall Suite 4.1. See the Security Reporting Center and Firewall Suite documentation for more information. Note: FortiGate traffic log messages include sent and received fields wh
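The severity threshold described above is easy to get backwards on the receiving side, because syslog numbers severities so that 0 (emergency) is the most severe and 7 (debug) the least. The following Python is an added example, not code from the guide or from Fortinet: it parses the `<PRI>` header of constructed syslog lines (PRI = facility * 8 + severity, as in RFC 3164) and keeps only the lines a receiver set to the Error threshold would record. The sample lines and their `level=` fields are constructed for this example.

```python
"""Severity-threshold filtering of syslog messages (added example).

A receiver configured at the "Error" level records emergency, alert,
critical and error messages, i.e. every severity number <= 3.
The line format and sample messages below are constructed for this example.
"""
import re

SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# RFC 3164 style header: <PRI>, where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Return (facility, severity, rest) for a '<PRI>...' syslog line."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def should_record(severity, threshold_name):
    """True when `severity` is at least as severe as the named threshold.

    Lower numbers are MORE severe, so the comparison is <=, not >=.
    """
    return severity <= SEVERITIES[threshold_name]


def filter_lines(lines, threshold_name):
    """Keep only the lines a receiver at this threshold would record."""
    kept = []
    for line in lines:
        _facility, sev, _rest = parse_pri(line)
        if should_record(sev, threshold_name):
            kept.append(line)
    return kept


# Constructed sample: facility local0 (16), so PRI = 128 + severity.
SAMPLE = [
    '<128>date=2024-01-01 level=emergency msg="power supply failure"',
    '<130>date=2024-01-01 level=critical msg="HA peer lost"',
    '<131>date=2024-01-01 level=error msg="admin login failed"',
    '<132>date=2024-01-01 level=warning msg="certificate expiring"',
    '<134>date=2024-01-01 level=information msg="admin login ok"',
]

if __name__ == "__main__":
    # With the threshold at Error, the warning and information lines drop out.
    for line in filter_lines(SAMPLE, "error"):
        print(line)
```

Setting the threshold to `"debug"` keeps everything; setting it to `"emergency"` keeps only the first constructed line, which is the behaviour the guide describes for the Severity setting.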
126. upport 204; Adding RADIUS servers 204; Deleting RADIUS servers 204; Configuring LDAP support 205; Adding LDAP servers 205; Deleting LDAP servers 206; Configuring user groups 207; Adding user groups 207; Deleting user groups 208; IPSec VPN 209; Key management 210; Manual keys 210; Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates 210; Manual key IPSec VPNs 211; General configuration steps for a manual key VPN 211; Adding a manual key VPN tunnel 211; AutoIKE IPSec VPNs 213; General configuration steps for an AutoIKE VPN
127. Web filter: Select the content profile from the Content Profile list. Click OK. You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages. Note: Blocking any of these items might prevent some web pages from working properly. • Enabling the script filter • Selecting script filter options. Enabling the script filter: 1. Go to Firewall > Content Profile. 2. Select the content profile for which you want to enable script filtering. 3. Select Script Filter. 4. Select OK. Selecting script filter options: 1. Go to Web Filter > Script Filter. 2. Select the script filter options that you want to enable. You can block Java applets, cookies, and ActiveX. 3. Select Apply. Figure 41: Example script filter settings to block Java applets and ActiveX (Filtering Options: Java Applet checked, Cookie unchecked, ActiveX checked). Exempt URL list: Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking. Note: Content downloaded from exempt web
128. a VLAN subinterface. Use the following procedure to add VLAN subinterfaces: 1. Go to System > Network > Interface. 2. Select New VLAN to add a VLAN subinterface. 3. Enter a Name to identify the VLAN subinterface. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters and _. Other special characters and spaces are not allowed. 4. Select the interface that receives the VLAN packets intended for this VLAN subinterface. 5. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4096, but must match the VLAN ID added by the IEEE 802.1Q-compliant router. 6. Enter the IP address and Netmask for the VLAN subinterface. 7. Optionally, select a zone to add the VLAN subinterface to a zone. 8. Select the management Access for the VLAN subinterface to control how administrators on the network that connects to this subinterface can connect to and manage the FortiGate unit: HTTPS: To allow secure HTTPS connections to the web-based manager through this VLAN subinterface. PING: If you want this VLAN subinterface to respond to pings. Use this setting to verify your installation and for testing. HTTP: To allow HTTP connections to the web-based manager through this VLAN subinterface.
129. ains these words, the FortiGate unit would normally add a subject tag to the email. Adding the domain name of the reputable company to the exempt list allows IMAP and POP3 traffic from the company to bypass email and content blocking. Adding address patterns to the email exempt list: 1. Go to Email Filter > Exempt List. 2. Select New to add an address pattern to the email exempt list. 3. Type the address pattern to exempt. To exempt email sent from a specific email address, type the email address. For example: sender@abccompany.com. To exempt email sent from a specific domain, type the domain name. For example: abccompany.com. To exempt email sent from a specific subdomain, type the subdomain name. For example: mail.abccompany.com. To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use net as the top-level domain. The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters hyphen, underscore, and. Spaces and other special characters are not allowed. 4. Select Enable to exempt the address pattern. 5. Select OK to add the address pattern to the email exempt list. You can enter multiple patterns and then select Check All to activate all patterns in the email exempt list.
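The four pattern kinds above (full address, domain, subdomain, top-level domain) all reduce to one rule on the sender's domain labels. The Python below is an added example and not Fortinet's implementation: it validates patterns against an assumed character set (letters, digits, hyphen, underscore, dot and @), matches a sender against an exempt list, and honours the Enable flag. The exempt list, the sender addresses and the suffix-match rule are assumptions made for this example; the matcher deliberately does not let `abccompany.com` cover `notabccompany.com`, which a naive `endswith` check would.

```python
"""Matching sender addresses against an email exempt list (added example).

Pattern kinds, as described in the guide: a full address, a domain, a
subdomain, or a bare top-level domain.  The suffix-match rule on dot-separated
labels and the sample data are assumptions for this example.
"""
import re

# Assumed allowed character set for a pattern (the guide lists digits, letters,
# hyphen and underscore; dot and @ are assumed here so addresses can be typed).
_PATTERN_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def validate_pattern(pattern):
    """Reject spaces and characters outside the assumed allowed set."""
    if not _PATTERN_RE.match(pattern) or pattern.count("@") > 1:
        raise ValueError("invalid exempt pattern: %r" % pattern)
    return pattern.lower()


def _labels(domain):
    return domain.lower().strip(".").split(".")


def matches(sender, pattern):
    """True when the sender address is covered by the exempt pattern."""
    sender = sender.lower()
    pattern = pattern.lower()
    if "@" in pattern:                      # full address: exact match only
        return sender == pattern
    if "@" not in sender:
        return False
    domain = sender.split("@", 1)[1]
    d, p = _labels(domain), _labels(pattern)
    # Domain, subdomain or TLD pattern: it must equal the trailing labels of
    # the sender's domain, so "abccompany.com" covers mail.abccompany.com
    # but not notabccompany.com, and "net" covers every .net sender.
    return len(p) <= len(d) and d[-len(p):] == p


def is_exempt(sender, exempt_list):
    """Return the first enabled pattern that exempts the sender, or None."""
    for pattern, enabled in exempt_list:
        if enabled and matches(sender, pattern):
            return pattern
    return None


# Constructed exempt list in (pattern, enabled) form.
EXEMPT_LIST = [
    (validate_pattern("sender@abccompany.com"), True),
    (validate_pattern("abccompany.com"), True),
    (validate_pattern("mail.example.org"), True),
    (validate_pattern("net"), True),
    (validate_pattern("example.com"), False),   # entered but not enabled
]

if __name__ == "__main__":
    for s in ["news@mail.abccompany.com", "x@notabccompany.com",
              "a@b.net", "a@example.com", "a@example.org"]:
        print(s, "->", is_exempt(s, EXEMPT_LIST))
```

Because an exempt entry bypasses both email and content blocking, the match must be as narrow as the administrator intended; the label-based comparison is what keeps a domain entry from silently covering look-alike domains.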
130. air. Enter the IP address and the MAC address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list. Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are matched with the IP/MAC binding list. Enter a Name for the new IP/MAC address pair. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters and _. Other special characters and spaces are not allowed. Select Enable to enable IP/MAC binding for the IP/MAC pair. Select OK to save the IP/MAC binding pair. Viewing the dynamic IP/MAC list: 1. Go to Firewall > IP/MAC Binding > Dynamic IP/MAC. Enabling IP/MAC binding. Caution: Make sure that you have added the IP/MAC address pair of your management computer before enabling IP/MAC binding. 1. Go to Firewall > IP/MAC Binding > Setting. 2. Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be matched by policies. 3. Select Enable IP/MAC binding going to the firewall to turn on IP/MAC binding for packets conne
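The binding rules above (many IPs per MAC allowed, one IP never bound to two MACs, 0.0.0.0 and 00:00:00:00:00:00 as wildcards) are easiest to reason about as a small table and a lookup. The Python below is an added example and not Fortinet's code: it enforces the add-time rule, evaluates constructed packets against the list, and includes the management computer first, as the Caution above requires. The lookup order, the `BindingList` class and the sample entries are assumptions for this example.

```python
"""Evaluating an IP/MAC binding list against packets (added example).

Models the rules in the guide: many IPs may bind to one MAC, one IP may not
bind to more than one MAC, the IP 0.0.0.0 accepts the MAC with any IP, and
the MAC 00:00:00:00:00:00 accepts the IP with any MAC.  The class, lookup
order and sample entries are assumptions for this example.
"""
import ipaddress

WILDCARD_IP = "0.0.0.0"
WILDCARD_MAC = "00:00:00:00:00:00"


def norm_mac(mac):
    """Canonical lower-case colon form; accepts '-', ':' or no separators."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class BindingList:
    def __init__(self):
        self.pairs = []          # entries of (ip, mac, name, enabled)

    def add(self, ip, mac, name, enabled=True):
        ip = str(ipaddress.IPv4Address(ip))
        mac = norm_mac(mac)
        # One IP may not be bound to two different MACs (the wildcard IP
        # is exempt, since it is not a real address).
        if ip != WILDCARD_IP:
            for other_ip, other_mac, _n, _e in self.pairs:
                if other_ip == ip and other_mac != mac:
                    raise ValueError("%s already bound to %s" % (ip, other_mac))
        self.pairs.append((ip, mac, name, enabled))

    def allows(self, ip, mac):
        """True when a packet's (ip, mac) matches an enabled binding."""
        ip = str(ipaddress.IPv4Address(ip))
        mac = norm_mac(mac)
        for b_ip, b_mac, _name, enabled in self.pairs:
            if not enabled:
                continue
            ip_ok = b_ip in (WILDCARD_IP, ip)
            mac_ok = b_mac in (WILDCARD_MAC, mac)
            if ip_ok and mac_ok:
                return True
        return False


def build_sample_list():
    """Constructed list: management PC first, a printer with two IPs, wildcards."""
    bl = BindingList()
    bl.add("10.0.0.10", "00:11:22:33:44:55", "mgmt_pc")          # add first
    bl.add("10.0.0.20", "00:11:22:33:44:66", "printer")
    bl.add("10.0.0.21", "00:11:22:33:44:66", "printer_alt")      # same MAC: ok
    bl.add("0.0.0.0", "00:11:22:33:44:77", "scanner_any_ip")     # wildcard IP
    bl.add("10.0.0.99", "00:00:00:00:00:00", "server_any_mac")   # wildcard MAC
    return bl


def check_packets(bl, packets):
    """Return (ip, mac, allowed) decisions for constructed packets."""
    return [(ip, mac, bl.allows(ip, mac)) for ip, mac in packets]


if __name__ == "__main__":
    sample = build_sample_list()
    # Constructed packets: a valid host, a host whose MAC does not match its
    # IP, the wildcard-IP scanner on a foreign address, and the wildcard-MAC IP.
    for row in check_packets(sample, [
        ("10.0.0.10", "00:11:22:33:44:55"),
        ("10.0.0.10", "00:11:22:33:44:66"),
        ("192.168.5.5", "00:11:22:33:44:77"),
        ("10.0.0.99", "aa:bb:cc:dd:ee:ff"),
    ]):
        print(row)
```

The second constructed packet is the case the feature exists for: a host presenting the management computer's IP from a different MAC is not matched by the list, so once "going to the firewall" binding is enabled it cannot reach the management interface.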
131. ameters. See "Adding a phase 2 configuration for an AutoIKE VPN" on page 217. Configure an encrypt policy that includes the tunnel source address and destination address for both ends of the tunnel. See "Configuring encrypt policies" on page 224. Adding a phase 1 configuration for an AutoIKE VPN: When you add a phase 1 configuration, you define the terms by which the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to the establishment of an IPSec VPN tunnel. The phase 1 configuration is related to the phase 2 configuration: in phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiGate unit). When the FortiGate unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destination addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy. To add a phase 1 configuration: Go to VPN > IPSEC > Phase 1. Select New to add a new phase 1 configuration. Enter a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gate
132. an select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, you can add an IP pool to the destination interface and then select Dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case, the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool. IP pools and dynamic NAT: You can use IP pools for dynamic NAT. For example, your organization may have purchased a range of Internet addresses, but you may have only one Internet connection (the external interface of your FortiGate unit). You can assign one of your organization's Internet IP addresses to the external interface of your FortiGate unit. If your FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address. If you want connections to originate from all of your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet wi
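The capacity limit described above follows from the NAT table: a translation is unique per (translated IP, translated port, destination), so with fixed port and a single address a second client using the same source port to the same server has nowhere to go, while each address in an IP pool adds one more slot. The Python below is an added example, not Fortinet's NAT code: a toy source-NAT allocator that can run in fixed-port or port-translating mode over a single address or a pool, with constructed clients that all use the same source port (as, for example, several SIP phones would). The allocator, its seeded random pool selection and the sample addresses are assumptions for this example.

```python
"""Source-NAT allocation with fixed port vs an IP pool (added example).

Demonstrates the guide's statement that "fixed port" on a single-address
interface supports only one connection per source port and destination,
and that a dynamic IP pool raises the limit to the number of pool addresses.
The allocator and sample connections are constructed for this example.
"""
import random


class SourceNat:
    def __init__(self, addresses, fixed_port, seed=0):
        self.addresses = list(addresses)      # the interface IP, or an IP pool
        self.fixed_port = fixed_port
        self.in_use = set()                    # (nat_ip, nat_port, dst_ip, dst_port)
        self.rng = random.Random(seed)         # deterministic for the example
        self.sessions = {}                     # (src, dst) -> (nat_ip, nat_port)

    def _free(self, nat_ip, port, dst):
        return (nat_ip, port, dst[0], dst[1]) not in self.in_use

    def open(self, src, dst):
        """Allocate a translated (ip, port) for a new connection src -> dst.

        Returns None when no translation is available (connection dropped).
        """
        _src_ip, src_port = src
        candidates = self.addresses[:]
        self.rng.shuffle(candidates)           # "randomly selects an IP address"
        for nat_ip in candidates:
            if self.fixed_port:
                ports = [src_port]             # source port must be preserved
            else:
                ports = range(1024, 65536)     # port translation allowed
            for port in ports:
                if self._free(nat_ip, port, dst):
                    self.in_use.add((nat_ip, port, dst[0], dst[1]))
                    self.sessions[(src, dst)] = (nat_ip, port)
                    return nat_ip, port
        return None


def count_supported(nat, n_clients, dst, src_port=5060):
    """How many of n constructed clients sharing one source port get a slot."""
    ok = 0
    for i in range(n_clients):
        src = ("192.168.1.%d" % (10 + i), src_port)
        if nat.open(src, dst) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    server = ("203.0.113.10", 5060)                      # constructed
    single = ["198.51.100.1"]                            # constructed
    pool = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    print("fixed port, one address :", count_supported(SourceNat(single, True), 4, server))
    print("fixed port, 3-address pool:", count_supported(SourceNat(pool, True), 4, server))
    print("port translation          :", count_supported(SourceNat(single, False), 4, server))
```

The three printed counts (1, 3 and 4 for four clients) are the trade-off the guide is pointing at: fixed port keeps the source port intact for protocols that need it, at the cost of capacity that only a larger pool restores.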
133. anagement computer to the FortiGate unit. To import the CA certificate: Go to VPN > CA Certificates. Select Import. Enter the path, or browse to locate the CA certificate on the management computer. Select OK. The CA will be displayed on the CA Certificates list. Configuring encrypt policies: A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define and limit which addresses on these networks can use the VPN. A VPN requires only one encrypt policy to control both inbound and outbound connections. Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection) and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows a single encrypt policy to do the job of two regular firewall policies. Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal network and a destination address on an external network. The source address identifies which addresses on the internal network are part of the VPN. The destination address identifies which addresses on the rem
134. and IMAP network traffic. Passing fragmented emails in IMAP, POP3, and SMTP email traffic. Using content profiles, you can build up protection configurations that can be easily applied to different types of firewall policies. This allows you to customize different types and different levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles. Content profiles can be added to NAT/Route mode and Transparent mode policies. Factory default FortiGate configuration settings. Strict content profile: Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection. Table 5: Strict content profile (columns: Options, HTTP, FTP, IMAP, POP3, SMTP; rows: Antivirus Scan, File Block, Quarantine, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized; the check marks in the table are not recoverable from the scan).
135. anding installation, make sure that the appliance has at least 1.5 in (3.75 cm) of clearance on each side to allow for adequate air flow and cooling. Dimensions: 16.75 x 12 x 1.75 in (42.7 x 30.5 x 4.5 cm). Weight: 11 lb (5 kg). Powering on. Power requirements: • Power dissipation 180 W (max) • AC input voltage 100 to 240 VAC • AC input current 4 A • Frequency 47 to 63 Hz. Environmental specifications: • Operating temperature 32 to 104 °F (0 to 40 °C) • Storage temperature -13 to 158 °F (-25 to 70 °C) • Humidity 5 to 95% non-condensing. Powering on: To power on the FortiGate-400 unit: Make sure that the power switch on the back is turned off. Connect the power cable to the power connection on the back of the FortiGate unit. Connect the power cable to a power outlet. Turn on the power switch. After a few seconds, SYSTEM STARTING appears on the LCD. MAIN MENU appears on the LCD when the system. Table 1: FortiGate-400 LED indicators. Power: Green = the FortiGate unit is powered on; Off = the FortiGate unit is powered off. 1, 2, 3, 4/HA: Amber = the correct cable is in use and the connected equipment has power; Flashing amber = network activity at this interface; Green = the interface is connected at 100 Mbps; Off = no link established.
136. ansparent mode: set system opmode transparent. 2. Add the Management IP address and Netmask: set system management ip 192.168.1.1 255.255.255.0. 3. Add the static route to the primary FortiResponse server: set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 192.168.1.2. 4. Add the default route to the external network: set system route number 2 gw1 192.168.1.2. Example static route to an internal destination: Figure 12 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next-hop default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit. Figure 12: Static route to an internal destination (diagram: the FortiResponse Distribution Network (FDN) on the Internet; upstream router with gateway IP 192.168.1.2; DNS; DMZ; the FortiGate-400 with management IP 192.168.1.1 in Internal Network A; internal router with gateway IP 192.168.1.3; management computer 172.16.1.11 in Internal Network B). General con
137. applies antivirus protection to the web, FTP, and email traffic allowed by policies. See: • "Antivirus scanning" on page 260 • "File blocking" on page 261 • "Blocking oversized files and emails" on page 266 • "Exempting fragmented email from blocking" on page 266. 4. Configure file quarantine settings to control the quarantining of infected or blocked files by traffic type, age, and file size. See "Configuring quarantine options" on page 265. 5. Configure the messages that users receive when the FortiGate unit blocks or deletes an infected file. See "Customizing replacement messages" on page 164. Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See "Configuring alert email" in the Logging and Message Reference Guide. Note: To receive virus log messages, see "Configuring logging", and for information about log message content and format, see "Virus log messages" in the Logging Configuration and Reference Guide. Antivirus scanning: Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which antivirus protection has been enabled. Each file is tested to determine the file type and to determine the most effective method of scanning the file for vi
138. arameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See "AutoIKE IPSec VPNs" on page 213. Add a destination address for each spoke. The destination address is the address of the spoke, either a client on the Internet or a network located behind a gateway. See "Adding a source address" on page 225. Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See "Adding a VPN concentrator" on page 229. Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes. Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. Use the following configuration for the encrypt policies: Source: Internal_All. Destination: the VPN spoke address. Action: ENCRYPT. VPN Tunnel: the VPN spoke tunnel name. Allow inbound: select allow inbound. Allow outbound: select allow outbound. Inbound NAT: select inbound NAT if required. Outbound NAT: selec
139. are image works correctly, you can use one of the other procedures listed in this table to install it permanently. Installing and using a backup firmware image: If your FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed, you can switch to this backup image when required. Upgrade to a new firmware version: Use the following procedures to upgrade your FortiGate to a newer firmware version. Upgrading the firmware using the web-based manager. Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure "Manually updating antivirus and attack definitions" on page 119 to make sure that antivirus and attack definitions are up to date. 1. Copy the firmware image file to your management computer. 2. Log in to the FortiGate web-based manager as the admin administrative user. 3. Go to System > Status. 4. Select Firmware Upgrade. 5. Enter the path and filename of the firmware image file, or select Browse and locate the file. 6. Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes. Log in to the web-based ma
140. as 265 Configuring quarantine Options 265 Blocking oversized files and emails 266 Configuring limits for oversized files and email 266 Exempting fragmented email from blocking 266 Viewing the virus list 266 (heading illegible) 267 General configuration steps 267 Content blocking 268 Adding words and phrases to the banned word list 268 URL blocking 269 Using the FortiGate web filter 269 Using the Cerberian web filter 272 Script filtering 274 Enabling the script filter 274 Selecting script filter op
141. ask as required Select the management access methods for the HA interface HTTPS To allow secure HTTPS connections to the web based manager through this interface PING If you want this interface to respond to pings Use this setting to verify your installation and for testing HTTP To allow HTTP connections to the web based manager through this interface HTTP connections are not secure and can be intercepted by a third party SSH To allow secure SSH connections to the CLI through this interface SNMP To allow a remote SNMP manager to request SNMP information by connecting to this interface TELNET To allow Telnet connections to the CLI through this interface Telnet connections are not secure and can be intercepted by a third party Select Apply Now that you have configured the HA interfaces proceed to Configuring the HA cluster Configuring the HA cluster Use the following procedure to configure each FortiGate unit for HA before connecting the HA cluster to your network Note These instructions describe configuring each of the FortiGate units in the HA cluster before connecting the HA cluster to your network You can also use the procedure Connecting the HA cluster to your network on page 80 to connect the HA cluster to your network first Connect to the FortiGate unit and log into the web based manager Go to System gt Config gt HA Select HA You can only select HA if the HA interface is confi
142. (heading illegible) 17 NAT Route mode 17 Transparent mode 18 (heading illegible) 18 Network intrusion detection 18 VPN 19 (heading illegible) 19 Secure installation configuration and management 20 Web based manager 20 Command line interface 21 Logging and reporting 21 What s new in Version 2 50 22 System administration 22 Firewalls 23 Users and authentication 23 VPN 23 NIDS 24 Antivirus 24 Web Filter 24 Email filter 24 Logging
143. ate CLI The following prompt appears FortiGate 400 login Type admin and press Enter twice The following prompt appears Type for a list of commands For information on how to use the CLI see the FortiGate CLI Reference Guide Factory default FortiGate configuration settings The FortiGate unit is shipped with a factory default configuration This default configuration allows you to connect to and use the FortiGate web based manager to configure the FortiGate unit onto your network To configure the FortiGate unit onto your network you add an administrator password change network interface IP addresses add DNS server IP addresses and configure routing if required If you are planning on operating the FortiGate unit in Transparent mode you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode Once the network configuration is complete you can perform additional configuration tasks such as setting system time configuring virus and attack definition updates and registering the FortiGate unit The factory default firewall configuration includes a single network address translation NAT policy that allows users on your internal network to connect to the external network and stops users on the external network f
144. ate the number into two segments of 16 characters SHA1 Enter a 40 character 20 byte hexadecimal number 0 9 A F Separate the number into two segments the first of 16 characters the second of 24 characters Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration See Adding a VPN concentrator on page 229 Select OK to save the manual key VPN tunnel AutoIKE IPSec VPNs FortiGate supports two methods of Automatic Internet Key Exchange AutoIKE for the purpose of establishing IPSec VPN tunnels AutoIKE with pre shared keys and AutoIKE with digital certificates General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Adding a phase 2 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPN An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters the source and destination addresses for both ends of the tunnel and an encrypt policy to control access to the VPN tunnel To create an AutoIKE VPN configuration Note Prior to configuring an AutoIKE VPN that uses digital certificates you must add the CA and local certificates to the FortiGate unit For details see Managing digital certificates on page 219 Add the phase 1 parameters See Adding a phase 1 configuration for an AutoIKE VPN on page 213 Add the phase 2 par
145. ate unit assigns routes by searching for a match starting at the top of the routing table and moving down until it finds the first match You must arrange routes in the routing table from more specific to more general The default route is the most general route If you add a default route it should be at the bottom of the routing table Go to System gt Network gt Routing Table Choose a route to move and select Move to to change its order in the routing table Type a number in the Move to field to specify where in the routing table to move the route and select OK Select Delete to remove a route from the routing table Figure 11 Routing table (example entries 10 10 10 0 mask 255 255 255 0 gateway 120 45 67 19 device external and 0 0 0 0 mask 0 0 0 0 gateway 1 64 230 129 22 gateway 2 120 45 67 19 device external) Policy routing Policy routing extends the functions of destination routing Using policy routing you can route traffic based not only on the destination address but also on Source address Protocol service type or port range Incoming or source interface Using policy routing you can build a routing policy database RPDB that selects the appropriate route for traffic by executing a set of routing rules To select a route for traffic the
146. ate unit contains a hard disk the system status monitor also displays the capacity of the hard disk as well as the amount of used and free space on the hard disk You can also view current virus and intrusion status The web based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds You can also refresh the display manually Viewing CPU and memory status Viewing sessions and network status Viewing virus and intrusions status Viewing CPU and memory status Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity The web based manager displays CPU and memory usage for core processes only CPU and memory use for management processes for example for HTTPS connections to the web based manager is excluded If CPU and memory use is low the FortiGate unit is able to process much more network traffic than is currently running If CPU and memory use is high the FortiGate unit is performing near its full capacity Placing additional demands on the system could lead to traffic processing delays Figure 1 CPU and memory status monitor
147. ate unit has changed to NAT Route mode its configuration resets to NAT Route mode factory defaults Go to System gt Status Select Change to NAT Mode Select NAT Route in the operation mode list Select OK The FortiGate unit changes operation mode To reconnect to the web based manager you must connect to the interface configured by default for management access By default in NAT Route mode you can connect to port1 The default Transparent mode management IP address is 192 168 1 99 See Connecting to the web based manager on page 32 or Connecting to the command line interface CLI on page 33 Restarting the FortiGate unit 1 Go to System gt Status 2 Select Restart The FortiGate unit restarts Shutting down the FortiGate unit 1 Go to System gt Status 2 Select Shutdown The FortiGate unit shuts down and all traffic flow stops The FortiGate unit can only be restarted after shutdown by turning the power off then on System status You can use the system status monitor to display FortiGate system health information The system health information includes memory usage the number of active communication sessions and the amount of network bandwidth currently in use The web based manager displays current statistics as well as statistics for the previous minute If the FortiG
148. ate unit to synchronize its time once a day 9 Select Apply Figure 1 Example date and time setting Changing web based manager options On the System gt Config gt Options page you can Set the system idle timeout Set the authentication timeout Select the language for the web based manager Modify the dead gateway detection settings You can also restrict access to the control buttons and LCD by requiring a PIN Personal Identification Number To set the system idle timeout 1 For Idle Timeout type a number in minutes 2 Select Apply Idle Timeout controls the amount of inactive time that the web based manager waits before requiring the administrator to log in again The default idle timeout is 5 minutes The maximum idle timeout is 480 minutes 8 hours To set the Auth timeout 1 For Auth Timeout type a number in minutes 2 Select Apply Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again For more information see Users and authentication
149. ates The push notification may not be received by the FortiGate unit Also when the FortiGate unit receives a push notification it will only make one attempt to connect to the FDN and download updates Push updates through a NAT device If the FDN can only connect to the FortiGate unit through a NAT device you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration Using port forwarding the FDN connects to the FortiGate unit using either port 9443 or an override push port that you assign Note You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic for example set using PPPoE or DHCP Example push updates through a NAT device This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network For the FortiGate unit on the internal network to receive push updates the FortiGate NAT device must be configured with a port forwarding virtual IP This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network This IP address can either be the external IP address of the FortiGate unit if it is operating in NAT Route mode or the Management IP address of the FortiGate unit if it is operating in Transparent mode Note This example describ
150. atic route to an external destination Example static route to an internal destination Default routes and static routes To create a route to a destination you need to define an IP prefix which consists of an IP network address and a corresponding netmask value A default route matches any prefix and forwards traffic to the next hop router otherwise known as the default gateway A static route matches a more specific prefix and forwards traffic to the next hop router Default route example IP Prefix IP address 0 0 0 0 Netmask 0 0 0 0 Next Hop 192 168 1 2 Static Route example IP Prefix IP address 172 100 100 0 Netmask 255 255 255 0 Next Hop 192 168 1 2 Note When adding routes to the FortiGate unit add the default route last so that it appears on the bottom of the route list This ensures that the unit will attempt to match more specific routes before selecting the default route Example default route to an external network Figure 10 shows a FortiGate unit where all destinations including the management computer are located on the external network To reach these destinations the FortiGate unit must connect to the upstream router leading to the external network To facilitate this connection you must enter a single default route that points to the upstream router as the next hop default gateway Transparent mode configuration examples Transparent m
151. ation in this section to complete the initial configuration of the FortiGate unit Setting the date and time For effective scheduling and logging the FortiGate system date and time should be accurate You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol NTP server To set the FortiGate system date and time see Setting system date and time on page 157 Enabling antivirus protection To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet Go to Firewall gt Policy gt port1 gt port2 Select Edit to edit this policy Select Anti Virus & Web filter to enable antivirus protection for this policy Select the Scan Content Profile Select OK to save your changes Registering your FortiGate After purchasing and installing a new FortiGate unit you can register the unit by going to System gt Update gt Support or using a web browser to connect to http support fortinet com and selecting Product Registration Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased Registration is quick and easy You can register multiple FortiGat
152. atterns 262 file 261 oversized files and email 266 web pages 268 278 Cc certificates introduction 210 checksum verification configuring 250 clearing communication sessions 113 URL block list 270 CLI 21 configuring IP addresses 63 configuring NAT Route mode 47 connecting to 33 upgrading the firmware 95 97 command line interface 21 Comments firewall policy 177 policy 177 connecting to network 49 65 to the FDN 116 to the FortiResponse Distribution Network 116 web based manager 32 contact information registration 130 SNMP 162 content blocking exempting URLs 275 279 web page 268 278 300 content filter 267 277 content profiles default 197 cookies blocking 274 critical firewall events alert email 293 critical VPN events alert email 293 custom service 184 customer service 28 D date and time setting example 158 165 date setting 157 default gateway configuring Transparent mode 64 deleting log files 292 deny firewall policy 174 policy 174 destination policy option 173 174 destination route adding 143 adding a default route 143 detection NIDS 249 device auto 144 DHCP internal network 147 dialup L2TP configuring Windows 2000 client 245 configuring Windows XP client 246 dialup PPTP configuring Windows 2000 client 239 configuring Windows 98 client 238 configuring Windows XP client 240 dialup VPN viewing connection status 233 disabling NIDS 250 DMZ interface configuring 50 51 definition 295 d
153. ave the AutoIKE key VPN tunnel Figure 22 Adding a phase 2 configuration Managing digital certificates Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy prior to an encrypted VPN tunnel being set up between the participants Fortinet uses a manual procedure to obtain certificates This involves copying and pasting text files from your local computer to the certificate authority and from the certificate authority to your local computer Obtaining a signed local certificate Obtaining a CA certificate Note Digital certificates are not required for configuring FortiGate VPNs Digital certificates are an advanced feature provided for the convenience of system administrators This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation Obtaining a signed local certificate The signed local certificat
154. ayed When one of the following messages appears FortiGate unit running v2 x BIOS Press Any Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to enter configuration menu Immediately press any key to interrupt the system startup Note You only have 3 seconds to press any key If you do not press any key soon enough the FortiGate unit reboots and you must log in and repeat the execute reboot command If you successfully interrupt the startup process one of the following messages appears FortiGate unit running v2 x BIOS Enter TFTP Server Address 192 168 1 168 Go to step 9 FortiGate unit running v3 x BIOS G Get firmware image from TFTP server F Format boot device Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F Q or H Type G to get the new firmware image from the TFTP server Type the address of the TFTP server and press Enter The following message appears Enter Local Address 192 168 1 188 Type the address of port1 and press Enter Note The local IP address is only used to download the firmware image After the firmware is installed the address of this interface is changed back to the default IP address for this interface The following message appears Enter File Name image out 11 Enter the firmware image
155. be assigned a high traffic priority Less important services should be assigned a low priority The firewall provides bandwidth to low priority connections only when bandwidth is not needed for high priority connections Authentication Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection Select the user group to control the users that can authenticate with this policy To add and configure user groups see Configuring user groups on page 207 You must add user groups before you can select Authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet or FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password If you want users to authenticate to use other services for example POP3 or IMAP you can create a service group that includes the services for which you want to require authentication as well as HTTP Telnet and FTP Then users could authenticate with the policy using HTTP Telnet or FTP before using the other service In most cases you should make sure that users can use DN
156. be on the same subnet as the internal interface Enable or disable the FortiGate DHCP server for your internal network reserve <reserve_ip> <reserve_mac> <name_str> none status enable disable winsserver <server1_ip> none <server2_ip> none Enter one or two WINS server IP addresses that are assigned to DHCP clients RIP configuration The FortiGate implementation of the Routing Information Protocol RIP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 also called RIP2 and defined by RFC 2453 RIP2 enables RIP messages to carry more information and support simple authentication RIP2 also supports subnet masks a feature not available in RIP RIP sends routing update messages at regular intervals and when network topology changes When the FortiGate unit receives a routing update that includes changes to an entry it updates its routing table to reflect the new route The FortiGate RIP table maintains the best route to a destination After updating its routing table the FortiGate unit begins transmitting routing updates to inform other network routers of the change You can configure FortiGate RIP to control the timing of these updates RIP uses hop count as the routing metric t
157. block the attacker to eliminate disruption of system operations If you enter a threshold value of 0 or a number out of the allowable range the FortiGate unit uses the default value
Table 7 NIDS Prevention signatures with threshold values (columns Signature abbreviation, Threshold value units, Default threshold value, Minimum threshold value, Maximum threshold value)
synflood Maximum number of SYN segments received per second 200 30 3000
portscan Maximum number of SYN segments received per second 128 10 256
srcsession Total number of TCP sessions initiated from the same source 2048 128 10240
ftpovfl Maximum buffer size for an FTP command bytes 256 128 1024
smtpovfl Maximum buffer size for an SMTP command bytes 512 128 1024
pop3ovfl Maximum buffer size for a POP3 command bytes 512 128 1024
udpflood Maximum number of UDP packets received from the same source or sent to the same destination per second 2048 512 102400
udpsrcsession Total number of UDP sessions initiated from the same source 1024 512 102400
icmpflood Maximum number of UDP packets received from the same source or sent to the same destination per second 256 128 102400
icmpsrcsession Total number of ICMP sessions initiated from the same source 128 64 2048
icmpsweep Maximum number of ICMP packets received from the same source per second 32 16 2048
icmplarge Maximum ICMP packet size bytes 32000 1024 64000
158. boring router with which to exchange routing information Add neighbors on non broadcast networks When you add neighbors the FortiGate unit exchanges routing information with the neighbor router directly instead of relying on broadcasting routes This point to point exchange of routing information between the FortiGate unit and the routers added to the neighbor list is more secure and reduces network traffic Adding neighbors is required to be able to exchange routes over non broadcast networks When used in combination with the RIP filters the FortiGate unit can be configured to exchange routing information with a subset of routers and access servers on a LAN Adding RIP neighbors 1 Go to System gt RIP gt Neighbor 2 Select New to add a RIP neighbor Add the IP address of a neighbor router that you want the FortiGate unit to exchange routing information with Select Enable Send RIP1 to send RIP1 messages to the neighbor Select Enable Send RIP2 to send RIP2 messages to the neighbor Select OK to add the RIP neighbor to the list Adding RIP filters Use RIP filters to control the routing information received by the FortiGate unit and sent by the FortiGate unit You can create filters for two purposes Neighbors filter For filtering routes received from neighboring routers When the FortiGate unit receives routes from a neighboring
159. case and lowercase letters A Z a z and the special characters and _ Spaces and the < > & characters are not allowed Trap Community The trap community string functions like a password that is sent with SNMP traps The default trap community string is public Change the trap community string to the one accepted by your trap receivers The trap community string can be up to 31 characters long and can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Spaces and the < > & characters are not allowed Trap Receiver IP Addresses Type the IP addresses of up to three trap receivers on your network that are configured to receive traps from your FortiGate unit Traps are only sent to the configured addresses 4 Select Apply Figure 2 Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs The FortiGate MIBs are listed in Table 1 You can ob
160. (heading illegible) 110 Viewing CPU and memory status 110 Viewing sessions and network status 111 Viewing virus and intrusions status 112 Session list 113 Virus and attack definitions updates and registration 115 Updating antivirus and attack definitions 115 Connecting to the FortiResponse Distribution Network 116 Configuring scheduled updates 117 Configuring update logging 118 Adding an override server 119 Manually updating antivirus and attack definitions 119 Configuring push updates 119 Push updates through a NAT device 120 Scheduled updates through a proxy server 124 Registering FortiGate units 125 FortiCare
161. certified Organization Unit Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit such as Manufacturing or MF Organization Enter the legal name of the organization that is requesting the certificate for the FortiGate unit such as Fortinet Locality Enter the name of the city or town where the FortiGate unit is located such as Vancouver State Province Enter the name of the state or province where the FortiGate unit is located such as California or CA Country Select the country where the FortiGate unit is located e mail Enter a contact e mail address for the FortiGate unit Typically e mail addresses are entered only for clients not gateways Configure the key Key Type Select RSA as the key encryption type No other key type is supported Key Size Select 1024 Bit 1536 Bit or 2048 Bit Larger keys are slower to generate but more secure Not all products support all three key sizes Select OK to generate the private and public key pair and the certificate request The private public key pair will be generated and the certificate request will be displayed on the Local Certificates list with a status of Pending Figure 23 Adding a Local Certificate
162. ch slows down transmission speeds Netmask Also called subnet mask A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message It can indicate a subnetwork portion of a larger network in TCP IP Sometimes referred to as an Address Mask NTP Network Time Protocol Used to synchronize the time of a computer to an NTP server NTP provides accuracies to within tens of milliseconds across the Internet relative to Coordinated Universal Time UTC Packet A piece of a message transmitted over a packet switching network One of the key features of a packet is that it contains the destination address in addition to the data In IP networks packets are often called datagrams Ping Packet Internet Grouper A utility used to determine whether a specific IP address is accessible It works by sending a packet to the specified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point Protocol A TCP IP protocol that provides host to network and router to router connections PPTP Point to Point Tunneling Protocol A Windows based technology for creating VPNs PPTP is supported by Windows 98 2000 and XP To create a PPTP VPN your ISP s routers must support PPTP Port In TCP IP and UDP networks a port is an endpoint to a log
163. ch to add the policy. For example, port1 > port2 or port3 > port2.
Select New to add a new policy.
Set Source to the source address.
Set Destination to the destination address.
Set Service to control the services allowed over the VPN connection. You can select ANY to allow all supported services over the VPN connection, or select a specific service or service group to limit the services allowed over the VPN connection.
Set Action to ENCRYPT.
Configure the ENCRYPT parameters:
VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.
Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.
Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.
FortiGate 400 Installation and Configuration Guide
Inbound NAT: The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).
Outbound NAT: The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network. Typically this is an external interface of the FortiGate
164. change the IP address of your management computer to 10.10.10.2. Connect to interface 1, 2, or 3 and browse to https:// followed by the Transparent mode management IP address. The default FortiGate Transparent mode Management IP address is 10.10.10.1.
Starting the setup wizard
To start the setup wizard:
1. Select Easy Setup Wizard (the middle button in the upper right corner of the web-based manager).
2. Use the information that you gathered in Table 14 on page 61 to fill in the wizard fields.
3. Select the Next button to step through the wizard pages.
4. Confirm your configuration settings and then select Finish and Close.
Reconnecting to the web-based manager
If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1.
If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
Using the front control buttons and LCD
This procedure describes how to use the control buttons and LCD to configure Transparent mode IP addresses. Use the information that you recorded in Table 14
165. chronized with the active FortiGate unit.
Select Active-Active mode to create an Active-Active HA cluster in which each FortiGate unit in the HA cluster is actively processing connections and monitoring the status of the other FortiGate units.
The HA mode must be the same for all FortiGate units in the HA cluster.
Enter and confirm a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster.
Select a Group ID for the HA cluster. The Group ID must be the same for all FortiGate units in the HA cluster.
If you are configuring Active-Active HA, select a schedule. The schedule controls load balancing among the FortiGate units in the active-active HA cluster. The schedule must be the same for all FortiGate units in the HA cluster.
None: No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
Hub: Load balancing for hubs. Select Hub if the cluster interfaces are connected to a hub. Traffic is distributed to units in a cluster based on the Source IP and Destination IP of the packet.
Least Connection: Least connection load balancing. If the FortiGate units are connected using switches, select Least Connection to distribute traffic to the cluster unit with the fewest concurrent connections.
Round Robin: Round robin load balancing. If the FortiGate units a
166. cket length for each session in bytes.
Display: Select Port Number if you want traffic log messages to list the port number (for example, 80/tcp). Select Service Name if you want traffic log messages to list the name of the service (for example, TCP).
Select Apply.
Figure 44: Example traffic filter list (screenshot; options shown: Resolve IP; Type: Session or Packet; Display: Port Number or Service Name; Apply). Entries listed, as Name / Source Address / Destination Address / Protocol:
FTP_Main_Office / 10.10.10.1 255.255.255.0 / 10.10.10.2 255.255.255.0 / FTP
All_traffic / 192.168.123.111 255.255.255.0 / 192.168.124.0 255.255.255.0 / ANY
Email_Branch_to_Main / 10.10.11.0 255.255.255.0 / 10.10.10.0 255.255.255.0 / POP3
Adding traffic filter entries
Add entries to the traffic filter list to filter the messages that are recorded in the traffic log. If you do not add any entries to the traffic filter list, the FortiGate records all traffic log messages. You can add entries to the traffic filter list to limit the traffic logs that are recorded. You can log traffic with a specified source IP address and netmask to a destination IP address and netmask, and for a specified service. A traffic filter entry can include any combination of source and destination addresses and services.
Use the following procedure to add an entry to the traffic filter
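The following is an added example, not code from the manual: it applies traffic filter entries shaped like the Figure 44 list (source address and netmask, destination address and netmask, service or ANY) to constructed traffic records, including the stated rule that an empty filter list logs everything. The entry and record field names are assumptions made for this example.

```python
import ipaddress

# Constructed filter list mirroring the Figure 44 example entries
# (the dict layout is an assumption for this example, not a FortiGate format).
FILTER_LIST = [
    {"name": "FTP_Main_Office",
     "src": ("10.10.10.1", "255.255.255.0"), "dst": ("10.10.10.2", "255.255.255.0"),
     "service": "FTP"},
    {"name": "All_traffic",
     "src": ("192.168.123.111", "255.255.255.0"), "dst": ("192.168.124.0", "255.255.255.0"),
     "service": "ANY"},
    {"name": "Email_Branch_to_Main",
     "src": ("10.10.11.0", "255.255.255.0"), "dst": ("10.10.10.0", "255.255.255.0"),
     "service": "POP3"},
]


def network(addr_mask):
    """Turn an (address, netmask) pair into the subnet it selects."""
    address, mask = addr_mask
    return ipaddress.ip_network((address, mask), strict=False)


def entry_matches(entry, record):
    """True when the record's source, destination and service all fit the entry."""
    if ipaddress.ip_address(record["src_ip"]) not in network(entry["src"]):
        return False
    if ipaddress.ip_address(record["dst_ip"]) not in network(entry["dst"]):
        return False
    # ANY accepts every service; otherwise the service names must agree.
    return entry["service"] == "ANY" or entry["service"].upper() == record["service"].upper()


def matching_entry(record, filter_list=FILTER_LIST):
    """Name of the first entry that selects this record, or None."""
    for entry in filter_list:
        if entry_matches(entry, record):
            return entry["name"]
    return None


def filter_traffic(records, filter_list=FILTER_LIST):
    """Return the records that would be written to the traffic log.

    With an empty filter list every record is logged, as the text states;
    otherwise only records selected by at least one entry are kept.
    """
    if not filter_list:
        return list(records)
    return [r for r in records if matching_entry(r, filter_list) is not None]


# Constructed traffic records (not captured logs).
SAMPLE_RECORDS = [
    {"src_ip": "10.10.10.50", "dst_ip": "10.10.10.7", "service": "FTP", "port": "21/tcp"},
    {"src_ip": "10.10.11.5", "dst_ip": "10.10.10.9", "service": "POP3", "port": "110/tcp"},
    {"src_ip": "10.10.11.5", "dst_ip": "10.10.10.9", "service": "SMTP", "port": "25/tcp"},
    {"src_ip": "192.168.123.5", "dst_ip": "192.168.124.77", "service": "HTTP", "port": "80/tcp"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["src_ip"], "->", rec["dst_ip"], rec["service"], "=>", matching_entry(rec))
```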
167. connect to the override server. Check the FortiGate configuration and the network configuration to make sure you can connect to the override FortiResponse server from the FortiGate unit.
Manually updating antivirus and attack definitions
You can use the following procedure to update the antivirus and attack definitions at any time. To run this procedure, the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server.
1. Go to System > Update.
2. Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine, or for attack definitions. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.
Configuring push updates
The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See Registering the FortiGate unit on page 126.
168. cters and _. Other special characters and spaces are not allowed.
Set the Start date and time for the schedule. Set Start and Stop times to 00 for the schedule to be active for the entire day.
Set the Stop date and time for the schedule. One-time schedules use the 24-hour clock.
Select OK to add the one-time schedule.
Figure 10: Adding a one-time schedule (screenshot of the New One-time Schedule form; note shown: start time should be earlier than stop time).
Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside of working hours by creating a recurring schedule.
If you create a recurring schedule with a stop time that occurs before the start time, the schedule will start at the start time and finish at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.
1. Go to Firewall > Schedule > Recurring.
2. Select New to create a new schedule.
3. Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special c
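An added example, not FortiGate code, that models the three recurring-schedule cases described above: an ordinary same-day window, a stop time before the start time (running into the next day), and equal start and stop times (24 hours). It assumes a schedule is active from its start time up to but not including its stop time, and that a wrap-around window belongs to the weekday on which it starts.

```python
from datetime import datetime, time

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


class RecurringSchedule:
    """A weekly schedule: selected weekdays plus a start and stop time."""

    def __init__(self, name, days, start, stop):
        self.name = name
        self.days = frozenset(d.lower() for d in days)
        unknown = self.days - set(DAYS)
        if unknown:
            raise ValueError("unknown day(s): %s" % ", ".join(sorted(unknown)))
        self.start = start
        self.stop = stop

    def wraps_to_next_day(self):
        """True when the stop time is earlier than the start time."""
        return self.stop < self.start

    def is_24_hours(self):
        """Start and stop set to the same time: active for the whole day."""
        return self.start == self.stop

    def is_active(self, when):
        today = DAYS[when.weekday()]
        yesterday = DAYS[(when.weekday() - 1) % 7]
        now = when.time()
        if self.is_24_hours():
            return today in self.days
        if not self.wraps_to_next_day():
            # Ordinary same-day window [start, stop) on a selected day.
            return today in self.days and self.start <= now < self.stop
        # Stop before start: the window opened today after the start time, or it
        # opened yesterday and has not yet reached today's stop time (assumption:
        # the window counts as belonging to the day on which it starts).
        return (today in self.days and now >= self.start) or (
            yesterday in self.days and now < self.stop
        )


def is_active_at(schedule, timestamp):
    """Convenience wrapper taking 'YYYY-MM-DD HH:MM' text."""
    return schedule.is_active(datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))


# Constructed schedules illustrating the three cases in the text.
WORK_HOURS = RecurringSchedule("work_hours", ["mon", "tue", "wed", "thu", "fri"],
                               time(8, 0), time(17, 0))
NIGHT_BACKUP = RecurringSchedule("night_backup", ["fri"], time(22, 0), time(6, 0))
ALL_SUNDAY = RecurringSchedule("all_sunday", ["sun"], time(0, 0), time(0, 0))

if __name__ == "__main__":
    for sched, stamp in [(WORK_HOURS, "2003-05-12 09:00"),    # a Monday
                         (NIGHT_BACKUP, "2003-05-17 03:00"),  # Saturday, window opened Friday
                         (ALL_SUNDAY, "2003-05-18 23:59")]:   # a Sunday
        print(sched.name, stamp, is_active_at(sched, stamp))
```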
169. cting to the firewall.
4. Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list. Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
5. Select Apply to save your changes.
Figure 15: IP/MAC settings (screenshot; options shown: Static IP/MAC; Dynamic IP/MAC; Enable IP/MAC binding going through the firewall; Enable IP/MAC binding going to the firewall; For hosts not defined in table: Allow traffic or Block traffic).
Content profiles
Use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles to:
- Configure antivirus protection for HTTP, FTP, POP3, SMTP, and IMAP policies
- Configure web filtering for HTTP policies
- Configure email filtering for IMAP and POP3 policies
- Configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP policies
- Pass fragmented email for POP3, SMTP, and IMAP policies
Using content profiles, you can build up protection configurations that can be easily applied to different types of firewall policies. This allows you to customize different types and different levels of protection for different fir
170. What's new in Version 2.50
HA
- Active-active HA using switches and with the ability to select the schedule
- Transparent mode HA
- A/V update for HA clusters
- Configuration synchronizing for HA
See High availability on page 75.
Replacement messages
You can customize messages sent by the FortiGate unit:
- When a virus is detected
- When a file is blocked
- When a fragmented email is blocked
- When an alert email is sent
See Customizing replacement messages on page 164.
Firewall
- The firewall default configuration has changed. See Default firewall configuration on page 170.
- Add virtual IPs to all interfaces. See Virtual IPs on page 188.
- Add content profiles to firewall policies to configure blocking, scanning, quarantine, web content blocking, and email filtering. See Content profiles on page 197.
Users and authentication
- LDAP authentication. See Configuring LDAP support on page 205.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN functionality. New features include:
- Phase 1: AES encryption; certificates; advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
- Phase 2: AES encryption
- Encryption policies: select service
- Generate and import local certificates
- Import CA certificates
NIDS
See th
171. d and configure PPTP user groups. See Configuring user groups on page 207.
Enabling PPTP and specifying an address range
1. Go to VPN > PPTP > PPTP Range.
2. Select Enable PPTP.
3. Enter the Starting IP and the Ending IP for the PPTP address range.
4. Select the User Group that you added in Adding users and user groups on page 236.
5. Select Apply to enable PPTP through the FortiGate unit.
Figure 30: Example PPTP Range configuration (screenshot: Enable PPTP selected; Starting IP 192.168.1.100; Ending IP 192.168.1.110; User Group PPTP_users; Disable PPTP not selected).
Adding a source address
Add a source address for every address in the PPTP address range.
1. Go to Firewall > Address.
2. Select the interface to which PPTP clients connect. This can be an interface, VLAN subinterface, or zone.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
5. Select OK to save the source address.
6. Repeat for all addresses in the PPTP address range.
Note: If the PPTP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group.
Adding an address group
Organize the source addresses into an address group.
1. Go to Firewall > Address > Group.
2. Add a new address group to the interface to which PPTP clients connect. This can be an interface, VLAN subinterface, or zone.
172. d configuration information among the members of the HA group.
To configure port4/ha for HA mode:
1. Go to System > Network > Interface.
2. For port4/ha, select Modify.
3. Select Work as HA to configure the interface for HA operation. When port4/ha is configured for HA operation, you cannot connect this interface to a network.
4. Select OK to save your changes.
Configuring port4/ha as a firewall interface
To configure port4/ha to operate as a firewall interface, disable HA functionality and add port4/ha to a zone.
1. Go to System > Network > Interface.
2. For port4/ha, select Modify.
3. Make sure that Work as HA is not selected.
4. Select OK to save your changes.
Configuring the management interface (Transparent mode)
In Transparent mode, you configure the management interface for management access.
1. Go to System > Network > Management.
2. Change the Management IP and Netmask as required. This must be a valid address for the network from which you will manage the FortiGate unit.
3. Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.
4. Select the management Access methods for each interface:
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing
173. d in.
2. Switch to Transparent mode. Enter: set system opmode transparent
After a few seconds, the login prompt appears.
3. Type admin and press Enter. The following prompt appears: Type ? for a list of commands
4. Confirm that the FortiGate unit has switched to Transparent mode. Enter: get system status
The CLI displays the status of the FortiGate unit. The last line shows the current operation mode: Operation mode: Transparent
Configuring the Transparent mode management IP address
1. Log into the CLI if you are not already logged in.
2. Set the management IP address and netmask to the IP address and netmask that you recorded in Table 14 on page 61. Enter: set system management ip <IP address> <netmask>
Example: set system management ip 10.10.10.2 255.255.255.0
3. Confirm that the address is correct. Enter: get system management
The CLI lists the management IP address and netmask.
Configure the Transparent mode default gateway
1. Log into the CLI if you are not already logged in.
2. Set the default route to the default gateway that you recorded in Table 14 on page 61. Enter: set system route number <number> gw1 <IP address>
Example: set system route number 0 gw1 204.23.1.2
You have now completed the initial configuration of the FortiGate unit.
Completing the configuration
Use the inform
174. der a
6. Right-click the new icon and select Properties.
7. Go to Server Types.
8. Uncheck IPX/SPX Compatible.
9. Select TCP/IP Settings.
10. Uncheck Use IP header compression.
11. Uncheck Use default gateway on remote network.
12. Select OK twice.
Connecting to the PPTP VPN
1. Start the dialup connection that you configured in the previous procedure.
2. Enter your PPTP VPN User Name and Password.
3. Select Connect.
Configuring a Windows 2000 client for PPTP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.
Configuring a PPTP dialup connection
1. Go to Start > Settings > Network and Dial-up Connections.
2. Double-click Make New Connection to start the Network Connection Wizard and select Next.
3. For Network Connection Type, select Connect to a private network through the Internet and select Next.
4. For Destination Address, enter the IP address or host name of the FortiGate unit to connect to and select Next.
5. Set Connection Availability to Only for myself and select Next.
6. Select Finish.
7. In the Connect window, select Properties.
8. Select the Security tab.
9. Uncheck Require data encryption.
10. Select OK.
Connecting to the PPTP VPN
1. Start the dialup connection that you configured in the previous procedure.
2. Enter
175. e
Viewing the list of registered FortiGate units
1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select View Products.
The list of FortiGate products that you have registered is displayed. For each FortiGate unit, the list includes the serial number and current support options for that unit.
Figure 7: Sample list of registered FortiGate units (screenshot of View Product Support; columns: Support Type, Hours, Activation Date, Expiration Date). Sample entries shown:
Serial Number FGT 602803030020: Hardware Coverage 5/12/2003 to 5/11/2004; Firmware Updates 5/12/2003 to 8/10/2003; Telephone Support 5/12/2003 to 8/10/2003; Virus Definitions Updates 5/12/2003 to 8/10/2003; Attack Definitions Updates 5/12/2003 to 8/10/2003.
Serial Number FGT1002801021024: Hardware Coverage 5/7/2003 to 5/6/2004; Firmware Updates 5/7/2003 to 8/5/2003; Telephone Support 5/7/2003 to 8/5/2003; Virus Definitions Updates 5/7/2003 to 8/5/2003; Attack Definitions Updates 5/7/2003 to 8/5/2003.
Registering a new FortiGate unit
1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select Add Registration.
5. Select the model number of the Product Model to register.
6. Ente
176. e FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:
- Attack detection signature groups
- User configuration attack prevention
- Monitor multiple interfaces for attacks
- Monitor VLAN subinterfaces for attacks
- User-defined attack detection signatures
Antivirus
See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include:
- Content profiles
- Quarantine for files containing viruses or files that are blocked
- Blocking oversized files
Web Filter
See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality. New features include:
- Cerberian URL Filtering
Email filter
See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality.
Logging and Reporting
See the FortiGate Logging and Message Reference Guide for a complete description of FortiGate logging.
- Log to remote host (CSV format)
- Log message levels: Emergency, Alert, Critical, Error, Warning, Notification, Information
- Log level policies
- Traffic log filter
- New antivirus, web filter, and email filter logs
- Alert email supports authentication
- Suppress email flooding
- Extended WebTrends support for graphing activity
About this document
This installation and configuration guide desc
177. e FortiGate system time should be accurate. You can either manually set the FortiGate system time, or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. For more information on NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
To set the date and time:
1. Go to System > Config > Time.
2. Select Refresh to display the current FortiGate system date and time.
3. Select your Time Zone from the list.
4. Select Automatically adjust clock for daylight saving changes if you want the FortiGate system clock to be adjusted automatically when your time zone changes to daylight saving time.
5. Select Set Time and set the FortiGate system date and time to the correct date and time, if required.
6. Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date. You can go to www.ntp.org for information about the network time protocol (NTP) and to select a public NTP server in your region.
7. Enter the IP address or domain name of the NTP server that the FortiGate unit uses to set its time and date.
8. Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiG
178. e address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see IP pools on page 192.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
VPN Tunnel: Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode.
Allow inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
Outbound NAT: Select Outbound NAT to translate th
179. e and is added to the SNMP System Name.
Changing the FortiGate firmware
After you download a FortiGate firmware image from Fortinet, you can use the procedures in Table 1 to install the firmware image on your FortiGate unit.
Table 1: Firmware upgrade procedures
Procedure: Upgrade to a new firmware version. Description: Commonly used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Procedure: Revert to a previous firmware version. Description: Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts your FortiGate unit to its factory default configuration.
Procedure: Install a firmware image from a system reboot using the CLI. Description: Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiGate console port and a null modem cable. This procedure reverts your FortiGate unit to its factory default configuration.
Procedure: Test a new firmware image before installing it. Description: Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiGate console port and a null modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmw
180. e control buttons and LCD, or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Setup Wizard: If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the Setup Wizard prompts you to add the administration password and the internal and external interface addresses. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface. In NAT/Route mode you can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers. If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the Setup Wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI: If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface. If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.
Front keypad and LCD: If
181. e provides the FortiGate unit with a means to authenticate itself to other devices.
Note: The VPN peers must use digital certificates that adhere to the X.509 standard.
Generating the certificate request
With this procedure you generate a private and public key pair. The public key is the base component of the certificate request.
To generate the certificate request:
1. Go to VPN > Local Certificates.
2. Select Generate.
3. Enter a Certificate Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Configure the Subject Information that identifies the object being certified. Preferably, use an IP address or domain name. If this is impossible (such as with a dialup client), use an e-mail address.
Host IP: For Host IP, enter the IP address of the FortiGate unit being certified.
Domain Name: For Domain Name, enter the fully qualified domain name of the FortiGate unit being certified. Do not include the protocol specification (http://) or any port number or path names.
E-Mail: For E-Mail, enter the email address of the owner of the FortiGate unit being certified. Typically, e-mail addresses are entered only for clients, not gateways.
5. Configure the Optional Information to further identify the object being
182. e routing table, or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiResponse server to receive updates. See Configuring update logging on page 118.
Push Update:
Available: The FDN can connect to the FortiGate unit to send push updates. You can configure the FortiGate unit to receive push updates. See Configuring push updates on page 119.
Not available: The FDN cannot connect to the FortiGate unit to send push updates. Push updates may not be available if you have not registered the FortiGate unit (see Registering the FortiGate unit on page 126), if there is a NAT device installed between the FortiGate unit and the FDN (see Push updates through a NAT device on page 120), or if your FortiGate unit connects to the Internet using a proxy server (see Scheduled updates through a proxy server on page 124).
Configuring scheduled updates
You can configure the FortiGate unit to check for and download updated definitions hourly, daily, or weekly, according to the schedule you specify.
1. Go to System > Update.
2. Select Scheduled Update.
3. Select whether to check for and download updates hourly, daily, or weekly.
Hourly: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a
183. e sent to the user saying that the user doesn't have authorized access to the Cerberian web filter.
1. Go to Web Filter > URL Block.
2. Select Cerberian URL Filtering.
3. Select New.
4. Enter the IP address and netmask of the user computers. You can enter the IP address of a single user, for example 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users, for example 192.168.100.0 255.255.255.0.
5. Enter an alias for the user. This alias will be used as the user name when you add the user to a user group on the Cerberian server. If you do not enter an alias, the user's IP will be used and added to the default group on the Cerberian server.
6. Select OK.
Configuring Cerberian web filter
After you add the Cerberian web filter users on the FortiGate unit, you can add the users to the user groups on the Cerberian web filter server. Then you can create policies and apply the policies to the user groups.
About the default group and policy
There is a default user group which is associated with a default policy existing on the Cerberian web filter. You can add users to the default group and apply any policies to the group. The default group is a place for:
- All the users who are not assigned alias names on the FortiGate unit
- All the users who are not assigned to any other user groups
The Cerberian web filter groups the web pages into 53 categories. The default policy
184. e source address of outgoing packets to the FortiGate external IP address.
Traffic Shaping: Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth. If you set both guaranteed bandwidth and maximum bandwidth to 0, the policy does not allow any traffic.
Guaranteed Bandwidth: You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high priority service.
Maximum Bandwidth: You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should
185. e unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Adding a content profile
If the default content profiles do not provide the protection that you require, you can create new content profiles customized to your requirements.
1. Go to Firewall > Content Profile.
2. Select New.
3. Type a Profile Name.
4. Enable antivirus protection options:
Anti Virus Scan: Scan web, FTP, and email traffic for viruses and worms. See Antivirus scanning on page 260.
File Block: Delete files with blocked file patterns even if they do not contain viruses. You should only enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See File blocking on page 261.
Quarantine: Quarantine blocked and infected files according to the quarantine configuration.
Note: If both virus Scan and File Block are enabled, the FortiGate unit blocks files that match enabled file patterns before they are scanned for viruses.
5. Enable Web filtering options:
Web URL Block: Block unwanted web pages and web sites. This option adds Fortinet URL blocking (see URL blocking on page 269) and Cerberian URL filtering
186. e units in a single session without re-entering your contact information. For more information about registration, see Registering FortiGate units on page 125. Configuring virus and attack definition updates: You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions. The FortiGate unit uses HTTPS on port 8890 to check for updates. FortiGate interface 2 must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see Updating antivirus and attack definitions on page 115. Connecting the FortiGate unit to your networks: When you have completed the initial configuration, you can connect the FortiGate 400 unit to your networks. The FortiGate 400 has four 10/100Base-TX connectors that can be connected to up to four different networks. You can connect them in any configuration. For example, you can connect the FortiGate 400 interfaces using the following steps: 1. Connect interface 1 to the hub or switch connected to your internal network. 2. Connect interface 2 to the public switch or router provided by your Internet Service Provider. 3. Optionally, connect interfaces 3 and 4 (HA) to hubs or switches connected to your other networks. The example s
187. e updates. The default is 30 seconds. Invalid: The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update. A route becomes invalid when there is an absence of updates that refresh the route. The route then enters holddown. The route is marked inaccessible and advertised as unreachable. However, the route is still used for forwarding packets. The default is 180 seconds. Holddown: The time interval in seconds during which routing information regarding better paths is suppressed. Holddown should be at least three times the value of Update. A route enters into a holddown state when an update packet is received that indicates the route is unreachable. The route is marked inaccessible and advertised as unreachable and is no longer used for forwarding packets. When holddown expires, the route can be flushed from the routing table. The default is 180 seconds. Flush: The amount of time in seconds that must pass before a route is removed from the routing table. The value for Flush should be greater than the value for Invalid. If the value for Flush is less than the value for Invalid, the proper holddown interval cannot elapse, which results in a new route being accepted before the holddown interval expires. The default is 240 seconds. 7. Select Apply to save your changes. Figure 1: Configuring RIP settings (Enable RIP Server; Enable Advertise Default; Enable Auto Summary; Default Metric 2). Inp
188. … 88
Managing individual cluster units 89
Synchronizing the cluster configuration 89
Returning to standalone configuration 90
Replacing a FortiGate unit after fail over 90
Advanced HA options 91
Selecting a FortiGate unit to a permanent primary unit 91
Configuring weighted round robin weights 92
… 93
Changing the FortiGate host name 94
Changing the FortiGate firmware 94
Upgrade to a new firmware version 95
Revert to a previous firmware version 96
Install a firmware image from a system reboot using the CLI 99
Test a new firmware image before installing it
189. ed files are removed from the content stream and stored on the FortiGate hard disk. Users receive a message informing them that the removed file has been quarantined. On the FortiGate, the names of quarantined files are displayed on the quarantine list. The list displays status, duplication, and age information for each quarantined file. You can sort and filter this list based on these criteria. From the list you can also delete or download files. Quarantining infected files; Quarantining blocked files; Viewing the quarantine list; Sorting the quarantine list; Filtering the quarantine list; Deleting files from quarantine; Downloading quarantined files; Configuring quarantine options. Quarantining infected files: Use content profiles to quarantine infected files found in HTTP, FTP, POP3, IMAP, and SMTP traffic controlled by firewall policies. 1. Go to Anti-Virus > Quarantine > Quarantine Config. 2. Select the Content protocols for which to quarantine infected files. 3. Select antivirus scanning in a content profile. See Adding a content profile on page 197. 4. Select Quarantine to save to the quarantine any files that are found to be infected with a virus. 5. Add this content profile to firewall policies to quarantine infected files found in the traffic controlled by the firewall policy. See Adding a content profile to a policy on page 199. Quarantining blocked files: Use content profiles to quaranti
190. ed to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected. Select the Networking tab. Make sure that the following options are selected: TCP/IP; QoS Packet Scheduler. Make sure that the following options are not selected: File and Printer Sharing for Microsoft Networks; Client for Microsoft Networks. Select OK. Connecting to the PPTP VPN: Connect to your ISP. Start the VPN connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password. Select Connect. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password. Configuring L2TP: Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with FortiGate units. Note: L2TP VPNs are only supported in NAT/Route mode. This section describes: Configuring the FortiGate unit as an L2TP gateway; Configuring a Windows 2000 client for L2TP; Configuring a Windows XP client for L2TP. Figure 31: L2TP VPN between a Windows client and the FortiGate unit (Internal Network 192.168.1.0; Main Office; FortiGate 400; L2TP
191. … 77
Configuring the HA cluster 78
Connecting the HA cluster to your network 80
Starting the HA cluster 82
HA in Transparent mode 82
Installing and configuring the FortiGate units 82
Configuring the HA interface and HA IP address 82
Configuring the HA cluster 83
Connecting the HA cluster to your network 85
Starting the HA cluster 86
Managing the HA cluster 86
Viewing the status of cluster members 86
Monitoring cluster members 87
Monitoring cluster sessions 88
Viewing and managing cluster log messages
192. … 141
Configuring routing 143
Adding a default route 143
Adding destination based routes to the routing table 143
Adding routes in Transparent mode 145
Configuring the routing table 145
Policy routing 146
Providing DHCP services to your internal network 147
RIP configuration 149
RIP settings 150
Configuring RIP for FortiGate interfaces 152
Adding RIP neighbors 153
Adding RIP filters 154
Adding a single RIP filter 154
Adding a RIP filter list 155
Adding a neighbors filter 156
Adding a routes filter 156
System configuration
193. empts from the network connected to port1 to the network connected to port2. From the network connected to port1, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the port1 > port2 policy list, the firewall allows all connections from the network connected to port1 to the Internet, because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched. A policy that is an exception to the default policy, for example a policy to block FTP connections, must be placed above the default policy in the port1 > port2 policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match the FTP policy, but they would match the default policy. Therefore, the firewall would still accept all other connections from the internal network. Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. Changing the order of policies in a policy list: 1. Go to Firewall > Policy. 2. Select the
194. ention. When negotiation is complete, the cluster is ready to begin processing network traffic. You can use the information in Managing the HA cluster on page 86 to log into and manage the cluster. Managing the HA cluster: When a FortiGate cluster is up and running, you manage it as a cluster instead of as a group of individual FortiGate units. You manage the cluster by connecting to the web-based manager or CLI using any interface configured for management access. Since all units in the cluster are configured with the same interface IP addresses (except for the HA interface), connecting to any interface IP address configured for management access connects to that cluster interface, which automatically connects you to the primary FortiGate unit. You can also connect to and manage individual units in the cluster by connecting to their HA interfaces, all of which are configured with a different IP address. You can also manage individual cluster units by connecting to the primary unit CLI. From here you can use the execute ha manage command to connect to the CLI of each unit in the cluster. This section describes: Viewing the status of cluster members; Monitoring cluster members; Monitoring cluster sessions; Viewing and managing cluster log messages; Managing individual cluster units; Synchronizing the cluster configuration; Returning to standalone configuration; Replacing a FortiGate unit after fail over. Viewing the status
195. er name and password. Configuring a Windows XP client for L2TP: Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN. Configuring an L2TP VPN dialup connection: Go to Start > Settings. Select Network and Internet Connections. Select Create a connection to the network of your workplace and select Next. Select Virtual Private Network Connection and select Next. Name the connection and select Next. If the Public Network dialog box appears, choose the appropriate initial connection and select Next. In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish. Configuring the VPN connection: Right-click the icon that you have created. Select Properties > Security. Select Typical to configure typical settings. Select Require data encryption. Fortinet Inc. Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication. Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected. Select the Networking tab. Make sure that the following options are selected: TC
196. erates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it will be operating with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure Upgrade to a new firmware version on page 95. To run this procedure you: access the CLI by connecting to the FortiGate console port using a null modem cable; install a TFTP server that you can connect to from port1. The TFTP server should be on the same subnet as port1. To test a new firmware image: Connect to the CLI using a null modem cable and the FortiGate console port. Make sure the TFTP server is running. Copy the new firmware image file to the root directory of the TFTP server. Make sure that port1 is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168: execute ping 192.168.1.168. Enter the following command to restart the FortiGate unit: execute reboot. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages are displ
197. eries complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance. The FortiGate 400 model meets enterprise-class requirements for performance, availability, and reliability. With throughput up to 500 Mbps and high availability features, including automatic failover with no session loss, the FortiGate 400 is the choice for mission-critical applications. Antivirus protection: FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient. For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use this feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined file
198. ernal zone, add addresses to the Internal zone address list. 8. Add a policy to allow L2TP clients to connect through the FortiGate unit. Adding a source address: Add a source address for every address in the L2TP address range. 1. Go to Firewall > Address. 2. Select the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone. 3. Select New to add an address. 4. Enter the Address Name, IP Address, and NetMask for an address in the L2TP address range. Select OK to save the source address. Repeat for all addresses in the L2TP address range. Note: If the L2TP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group. Adding an address group: Organize the source addresses into an address group. 1. Go to Firewall > Address > Group. 2. Add a new address group to the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone. 3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list. 5. To remove addresses f
199. es the configuration for a FortiGate NAT device. However, any NAT device with a static external IP address that can be configured for port forwarding can be used. Figure 2: Example network topology: push updates through a NAT device (FortiResponse Distribution Network (FDN); Internet; push update to IP address 64.230.123.149 and port 45001; NAT Device (FortiGate 300), External IP 64.230.123.149; Virtual IP maps 64.230.123.149:45001 to 192.168.1.99:9443; FortiGate 400, External IP or Management IP 192.168.1.99; Internal Network). General procedure: Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates. 1. Add a port forwarding virtual IP to the FortiGate NAT device. 2. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP. 3. Configure the FortiGate unit on the internal network with an override push IP and port. Note: Before completing the following procedure, you should register the FortiGate unit on the internal network so that it can receive push updates. Vir
200. esessseesrisseserrsserrrrrsserrrrssererns 213 Adding a phase 1 configuration for an AutolKE VPN ssessessssesrrisseerrrssesrrrrsseerrrssees 213 Adding a phase 2 configuration for an AutolKE VPN sssssesessssssrrsseerrrsseserrrssrerressens 217 Managing digital Certificates senca aae E EOE EENET ENAS 219 Obtaining a signed local certificate 0 0 eee eeeeeeenee eee eeeaaeeeeeeeaeeeeeeeiaeeeeeeeaaes 219 Obtaining a CA Certificate c2 cccctecccccccneeceeedeedeceeecedenbeceeceddheneeeeedenbeeeeecevebeeeededebieneds 223 Configuring encrypt PolicieS cccceccceeeeeseccceceeeseecceeeeeeccceeeeeaceeeeeeseeceeeeeseeaaeeeeeneaeees 224 Adding a source address 00 eeecceee cette eee ee ettte ee eee eaaeee ee etaeeeeeeetaeeeeseeaaeeeeseenaeeeeeeeaaas 225 Adding a destination AddreSS ccccceeceeeeeeeeee eee eeineeeeeeetneeeeeeeeieeeeeetiieeeeeeetiieeeeenenaa 225 Adding an encry pt Polley esesta raia vamsdeadevvasaacdeerssancendvtves dd ctezeveende 225 IPSec VPN concentrators ssrin pecetiee abies dione enass 227 VPN concentrator hub general configuration steps 0 0 0 0 cee eeeeeeeeeeeteeeeeeeentaeeeeeeeaas 227 Adding a VPN concentrator ceceeceeee ence eect eeecneee eee eaeeeeeetaeeeeeeeeiaeeeeseeeiaeeeeesenaas 229 VPN spoke general configuration stepS 0 ecccceeeeeeeeeeeeeeetteeeeeeetaeeeeeeenaeeeeeeeaas 230 Redundant IPSec VPNS cece eeeeee tere eeeee eee eeeeeaeeeeeeeeaaeeeeeeeeaeeeeeeeaaeeeeseeiaeeeeesenaae
201. etects a virus, blocks a file type, or blocks an oversized file or email. Web Filtering Log: Record activity events such as URL and content blocking and exemption of URLs from blocking. Attack Log: Record attacks detected by the NIDS and prevented by the NIDS Prevention module. Email Filter Log: Record activity events such as detection of email that contains unwanted content and email from unwanted senders. Update: Record log messages when the FortiGate connects to the FDN to download antivirus and attack updates. 4. Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3. 5. Select OK. Figure 43: Example log filter configuration (Log Setting: Traffic Log; Event Log: When configuration has changed, IPSec negotiation event, DHCP service event, PPP service event, Admin login/logout event, IP/MAC binding event, System activity event, HA activity event, Firewall authentication event, Route gateway event; Virus Log: Virus infected, Filename blocked, File oversized; Web Filtering Log: Content block, URL block, URL exempt; Attack Log: Attack Detection, Attack Prevention; Email Filter Log: Blocklist email detected, Banned word detected; Update: Failed update, Successful update, FDN error).
202. etects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters. To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails. Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates. VPN: Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network. FortiGate VPN features include the following: Industry standard and ICSA-certified IPSec VPN, including IPSec ESP security in tunnel mode; DES, 3DES (triple DES), and AES hardware-accelerated encryption; HMAC MD5 and HMAC SHA1 authentication and data integrity; AutoIKE key based on pre-shared key tunnels; IPSec VPN using local or CA certificates; Manual Keys tunnels; Diffie-Hellman groups 1, 2, and 5; Aggressive and Main Mode; Replay Detection; Perfect Forward Secrecy; XAuth authentication; Dead peer detection; PPTP for easy connectivity with the VPN standard supported by the most popular operating
203. ewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles. Content profiles can be added to NAT/Route mode and Transparent mode policies. Default content profiles; Adding a content profile; Adding a content profile to a policy. Default content profiles: The FortiGate unit has the following four default content profiles under Firewall > Content Profile. You can use these existing content profiles or create your own. Strict: To apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection. Scan: Apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If required, system administrators can recover quarantined files. Web: Apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic. Unfiltered: Use th
204. examples 54
Policy routing examples 57
Firewall policy examples 58
Transparent mode installation 61
Preparing to configure Transparent mode 61
Using the setup wizard 62
Changing to Transparent mode 62
Starting the setup wizard 62
Reconnecting to the web-based manager 62
Using the front control buttons and LCD 63
Using the command line interface 63
Changing to Transparent mode 63
Configuring the Transparent mode management IP address 64
Configure the Transparent mode default gateway 64
Completing the configuration 64
Setting the date and time
205. fails or is disconnected from its network, the FortiGate unit stops processing traffic and is removed from the cluster. If you can re-establish traffic flow through the interface (for example, if you re-connect a disconnected network cable), the FortiGate unit rejoins the cluster. You should only monitor interfaces that are connected to networks. Select Apply. The FortiGate unit negotiates to establish an HA cluster. When you select Apply, you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates. Figure 15: Sample active-passive HA configuration (Standalone Mode / Active-Passive; Password; Retype Password; Group ID; Monitor on interface: port1, port2, and further ports). Repeat this procedure to add each FortiGate unit in the HA cluster. When you have configured all of the FortiGate units, proceed to Connecting the HA cluster to your network. Connecting the HA cluster to your network: To connect the HA cluster to your network, you must connect all matching interfaces in the cluster to the same hub or switch. Then you must connect these interfaces to their networks using the same hub or switch. Also, you must connect all of the HA interfaces in the cluster to their own hub or switch. You can also connect a management computer to this hub or switch. The units in the cluster are cons
206. figuration steps: Set the unit to operate in Transparent mode. Configure the Management IP address and Netmask of the FortiGate unit. Configure the static route to the management computer on the internal network. Configure the default route to the external network. Web-based manager example configuration steps: To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1. Go to System > Status. Select Change to Transparent Mode. Select Transparent in the Operation Mode list. Select OK. The FortiGate unit changes to Transparent mode. 2. Go to System > Network > Management. Change the Management IP and Netmask: IP 192.168.1.1, Mask 255.255.255.0. Select Apply. 3. Go to System > Network > Routing. Select New to add the static route to the management computer: Destination IP 172.16.1.11, Mask 255.255.255.0, Gateway 192.168.1.3. Select OK. Select New to add the default route to the external network: Destination IP 0.0.0.0, Mask 0.0.0.0, Gateway 192.168.1.2. Select OK. CLI configuration steps: To configure the FortiGate basic settings, a static route, and a default route using the CLI: 1. Set the system to operate in Transparent Mode: set system opmode transparent. 2. Add the Management IP address and Netmask: set system management ip 192.168.1.1 255.255.255.0. 3. Add t
207. file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear: FortiGate unit running v2.x BIOS: Do You Want To Save The Image (Y/n). Type N. FortiGate unit running v3.x BIOS: Save as Default firmware / Run image without saving (D/R). Type R. The FortiGate image is installed to system memory and the FortiGate starts running the new firmware image, but with its current configuration. 12. You can log in to the CLI or the web-based manager using any administrative account. 13. To confirm that the new firmware image has been loaded, from the CLI enter: get system status. You can test the new firmware image as required. Installing and using a backup firmware image: If your FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed, you can switch to this backup image when required. This section describes: Installing a backup firmware image; Switching to the backup firmware image; Switching back to the default firmware image. Installing a backup firmware image: To run this procedure you: access the CLI by connecting to the FortiGate console port using a null modem cable; install a TFTP server that you can connect to from the FortiGate, as described in the procedure Install a firmware image from a system reboot using the CLI on page 99. To install a backup firmware image
208. g firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure Manually updating antivirus and attack definitions on page 119 to make sure that antivirus and attack definitions are up to date. To install firmware from a system reboot: 1. Connect to the CLI using the null modem cable and FortiGate console port. 2. Make sure that the TFTP server is running. 3. Copy the new firmware image file to the root directory of your TFTP server. 4. Make sure that port1 is connected to the same network as the TFTP server. 5. To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168: execute ping 192.168.1.168. 6. Enter the following command to restart the FortiGate unit: execute reboot. As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears (FortiGate unit running v2.x BIOS: Press Any Key To Download Boot Image; FortiGate unit running v3.x BIOS: Press any key to enter configuration menu), 7. Immediately press any key to interrupt the system startup. Note: You only have 3 seconds to
209. ges 284; log to local 283; log to memory 284; log to remote host 282; log to WebTrends 282; recording 281; searching logs 289, 290; selecting what to log 284; traffic log 284; traffic sessions 286; update log 285; viewing logs 290; virus log 284; web filtering log 284
logs: maintaining 290; recording on FortiGate hard disk 283; recording on NetIQ WebTrends server 282; searching 290; viewing 290
MAC address 296
IP/MAC binding 193
maintaining logs 290
malicious scripts: removing from web pages 274, 280
management interface 138
management IP address: transparent mode 64
manual keys: introduction 210
matching policy 177
maximum bandwidth 175
messages: replacement 163
MIB: FortiGate 163
mode: Transparent 18
monitor: system status 110, 111, 112, 113
monitored interfaces 250
MTU size 137: changing 137; definition 296; improving network performance 137
N
NAT: introduction 17; policy option 174; push updates 120
NAT mode: adding policy 172; IP addresses 47
NAT/Route mode: configuration from the CLI 47; HA 77; introduction 17
neighbor: RIP 153
netmask: administrator account 160, 161
network address translation: introduction 17
network connection: HA 80, 85
network intrusion detection 18
Network Intrusion Detection System 249
next hop router 136
NIDS 18, 249: attack prevention 253; detection 249; prevention 253; reducing alert email 257; reducing attack log messages 257; user defined signat
210. gs saved to the hard disk on page 290.
• If the cluster unit contains a hard disk, you can manage log messages. See Downloading a log file to the management computer on page 291, Deleting all messages in an active log on page 291, and Deleting a saved log file on page 292.
Fortinet Inc.
Note: You can view and manage log messages for all cluster members. However, from the primary unit you can only configure logging for the primary unit. To configure logging for other units in the cluster, you must manage individual cluster units.
Managing individual cluster units
You can manage individual cluster units by connecting to each unit's HA interface using either the web-based manager or the CLI. To do this, the HA interfaces of each unit have to be configured for HTTPS and SSH management access. You can also use the following procedure to connect to the CLI of each unit in the cluster.
Managing individual units from the web-based manager
1. Use SSH to connect to the cluster and log into the web-based manager. Connect to any cluster interface configured for SSH management to automatically log into the primary unit. You can also use a direct cable connection to log into the primary unit CLI; to do this you must know which unit is the primary unit. See Selecting a FortiGate unit to a permanent primary unit on page 91 to control which FortiGate unit becomes the primary u
211. gured for HA operation. See Configuring the HA interfaces on page 77.
4. Select the HA mode. Select Active-Passive mode to create an Active-Passive HA cluster, in which one FortiGate unit in the HA cluster is actively processing all connections and the others are passively monitoring the status and remaining synchronized with the active FortiGate unit. Select Active-Active mode to create an Active-Active HA cluster, in which each FortiGate unit in the HA cluster is actively processing connections and monitoring the status of the other FortiGate units. The HA mode must be the same for all FortiGate units in the HA cluster.
5. Enter and confirm a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster.
6. Select a Group ID for the HA cluster. The Group ID must be the same for all FortiGate units in the HA cluster.
7. If you are configuring Active-Active HA, select a schedule. The schedule controls load balancing among the FortiGate units in the Active-Active HA cluster. The schedule must be the same for all FortiGate units in the HA cluster.
None: No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
Hub: Load balancing for hubs. Select Hub if the cluster interfaces are connected to a hub. Traffic is distributed to units in a cluster based on the Source IP and Destination IP of the packet
212. guring L2TP
Configuring a Windows 2000 client for L2TP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN.
Configuring an L2TP dialup connection
1. Go to Start > Settings > Network and Dial-up Connections.
2. Double-click Make New Connection to start the Network Connection Wizard and select Next.
3. For Network Connection Type, select Connect to a private network through the Internet and select Next.
4. For Destination Address, enter the address of the FortiGate unit to connect to and select Next.
5. Set Connection Availability to Only for myself and select Next.
6. Select Finish.
7. In the Connect window, select Properties.
8. Select the Security tab.
9. Make sure that Require data encryption is selected.
Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication.
10. Select the Networking tab.
11. Set VPN server type to Layer 2 Tunneling Protocol (L2TP).
12. Save your changes and continue with the following procedure.
Disabling IPSec
Select the Networking tab.
Select Internet Protocol (TCP/IP) properties.
Double-click the Advanced tab.
Go to the Options tab and select IP security properties.
Make sure that Do not use IPSEC is selected.
Select OK and close the connection properties window.
Note: The default Windows 2000 L2TP traffic policy does
213. haracters and spaces are not allowed.
4. Select the days of the week on which the schedule should be active.
5. Set the Start and Stop hours in between which the schedule should be active. Recurring schedules use the 24-hour clock.
6. Select OK to save the recurring schedule.
Figure 11: Adding a recurring schedule (screenshot: One-time / Recurring, New Recurring Schedule, Week, Minute)
Notes: If the stop time is set earlier than the start time, the stop time will be during the next day. If the start time is equal to the stop time, the schedule will run for 24 hours.
Adding a schedule to a policy
After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
1. Go to Firewall > Policy.
2. Select the tab corresponding to the type of policy to add.
3. Select New to add a policy, or select Edit to edit a policy to change its schedule.
4. Configure the policy as required.
5. Add a schedule by selecting it from the Schedule list.
6. Select OK to save the policy.
7. Arrange the policy in the policy list to have the effect that you expect. For example, to use a one-time schedule to deny access
214. have received the virus. For POP3, this is the IP address of the user's computer that attempted to download the email containing the virus.
Table 4: Alert email message sections
EMAIL_FROM: The email address of the sender of the message in which the virus was found.
EMAIL_TO: The email address of the intended receiver of the message in which the virus was found.
Block alert: Used for file block alert email messages. Section Start: <BLOCK_ALERT>. Allowed Tags:
FILE: The name of the file that was blocked.
PROTOCOL: The service for which the file was blocked.
SOURCE_IP: The IP address from which the blocked file was received. For email, this is the IP address of the email server that sent the email containing the blocked file. For HTTP, this is the IP address of the web page that sent the blocked file.
DEST_IP: The IP address of the computer that would have received the blocked file. For email, this is the IP address of the user's computer that attempted to download the message from which the file was removed.
EMAIL_FROM: The email address of the sender of the message from which the file was removed.
EMAIL_TO: The email address of the intended receiver of the message from which the file was removed.
Critical event: Used for critical firewall event alert emails. Sec
215. he RIP port. Update messages sent in response to a request are sent to the port from which the request came. Specific queries may be sent from ports other than the RIP port, but they must be directed to the RIP port on the target machine.
RIP configuration
This chapter describes how to configure FortiGate RIP:
• RIP settings
• Configuring RIP for FortiGate interfaces
• Adding RIP neighbors
• Adding RIP filters
RIP settings
Configure RIP settings to enable basic RIP functionality and metrics and to configure RIP timers.
Go to System > RIP > Settings.
Select Enable RIP Server to configure the FortiGate unit to be a RIP server.
Select Enable Advertise Default so that the FortiGate unit includes its default route in RIP routing table updates.
Select Enable Auto Summary to automatically summarize subnet routes into network-level routes. If Enable Auto Summary is not selected, the FortiGate unit transmits sub-prefix routing information across classful network boundaries.
Change the following RIP default settings to fine-tune RIP performance. RIP defaults are effective in most configurations; you should only have to change these settings to troubleshoot problems with your RIP configuration.
Default Metric: Change the default metric that is applied to routes with incompatible metrics. The default metric assists in resolving how routes with incompatib
216. he VPN peers must use the same P2 proposal settings.
Optionally enable Replay Detection. Replay detection protects the VPN tunnel from replay attacks.
Note: Do not select replay detection if you have also selected Null Authentication for the P2 Proposal.
Optionally enable Perfect Forward Secrecy (PFS). PFS improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
Select the DH Group(s). The VPN peers must use the same DH Group settings.
Enter the Keylife. The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.
Optionally enable Autokey Keep Alive. Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed.
Optionally select a concentrator. Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure Adding a VPN concentrator on page 229 to add the tunnel to a concentrator, the next time you open the tunnel the Concentrator field displays the name of the concentrator to which you have added the tunnel.
Select OK to s
217. he management computer. You can specify a location to which to download the text file as well as a name for the text file.
Uploading a URL block list
You can create a URL block list in a text editor and then upload the text file to the FortiGate unit. Add one URL or pattern to each line of the text file. You can follow the item with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, the FortiGate unit automatically enables all URLs and patterns that are followed with a 1 or no number when you upload the text file.
Figure 40: Example URL block list text file
www.badsite.com/index 1
www.badsite.com/products 1
182.63.44.67/index 1
You can either create the URL block list yourself or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blacklist as a starting point for creating your own URL block list. Three times per week, the squidGuard robot searches the web for new URLs to add to the blacklists. You can upload the squidGuard blacklists to the FortiGate unit as a text file with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a single file.
Note: All changes made to the URL block list using the web-based manager are lost when you upload a new list. However, you can download your current U
218. he same number as the External Service Port. If you want to translate the port, enter the port number to which to translate the destination port of the packets when they are forwarded by the firewall.
Select the protocol to be used by the forwarded packets.
Select OK to save the port forwarding virtual IP.
Figure 13: Adding a port forwarding virtual IP (screenshot, Add New Virtual IP Mapping: Name web_Server; External Interface port2; Type Static NAT / Port Forwarding; External IP Address 173.87.39.21; External Service Port; Map to IP 10.10.10.5; Map to Port; Protocol TCP / UDP)
Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets.
1. Go to Firewall > Policy.
2. Select the type of policy to add.
• The source interface must match the interface selected in the External Interface list.
• The destination interface must match the interface connected to the network with the Map to IP address.
3. Use the following information to configure the policy:
Source: Select the source address from which users can access the server.
Destination: Select the virtual IP.
Schedule: Select a schedule as required.
Service: Select the service that matches the Map to Service that you selected for
219. he static route to the management computer: set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
4. Add the default route to the external network: set system route number 2 gw1 192.168.1.2
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). The FortiGate units in the HA cluster enforce the same overall security policy and share the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and be running the same FortiOS firmware image.
FortiGate HA is device redundant. If one of the FortiGate units in an HA cluster fails, all functions, all established firewall connections, and all IPSec VPN sessions are maintained by the other FortiGate units in the HA cluster.
The FortiGate units in the cluster use dedicated HA ethernet interfaces to communicate cluster session information and report individual system status. The units in the cluster are constantly communicating HA status information to make sure the cluster is functioning properly. For this reason, the connection between the HA ports of all of the FortiGate units in the cluster must be well maintained. An interruption of this communication can
220. hecks its own policy, gateway, and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.
• Adding a source address
• Adding a destination address
• Adding an encrypt policy
Adding a source address
The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.
1. Go to Firewall > Address.
2. Select an internal interface. Methods will differ slightly between FortiGate models.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5. Select OK to save the source address.
Adding a destination address
The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
1. Go to Firewall > Address.
2. Select an external interface. Methods will differ slightly between FortiGate models.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.
5. Select OK to save the destination address.
Adding an encrypt policy
1. Go to Firewall > Policy.
2. Use the policy grid to choose the policy list to whi
221. her search.
Note: After running a search, to display all log messages again, run another search but leave all the search fields blank.
Downloading a log file to the management computer
You can download log files to the management computer as plain text files or comma-separated value (CSV) files. After downloading, you can view the text file with any text editor or the CSV file using a spreadsheet program. Use the following procedure to download log files.
1. Go to Log & Report > Logging.
2. Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
3. To download a log file to the management computer, select Download.
4. Select a format for the log file:
• Select Download file in the normal format to download the log messages to a text file. Each line of the text file consists of a log message; the messages are formatted the same way as they appear on the web-based manager.
• Select Download file in CSV format to download the log messages to a text file in comma-separated value (CSV) format. In this format, a comma is added between each field in each message. If you open this file in a spreadsheet program, each message field appears in a separate column.
5. Select Save.
Deleting all messages in an active log
Use the following procedure to delete all messages from the active log.
1. Go to Log & Report > Logging.
2. Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email
222. hes the PPTP address range.
Set Destination to the address to which PPTP users can connect.
Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP.
Set Action to ACCEPT.
Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for PPTP policies.
Select OK to save the firewall policy.
Configuring a Windows 98 client for PPTP
Use the following procedure to configure a client computer running Windows 98 so that it can connect to a FortiGate PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking support.
Installing PPTP support
1. Go to Start > Settings > Control Panel > Network.
2. Select Add.
3. Select Adapter.
4. Select Add.
5. Select Microsoft as the manufacturer.
6. Select Microsoft Virtual Private Networking Adapter.
7. Select OK twice.
8. Insert diskettes or CDs as required.
9. Restart the computer.
Configuring a PPTP dialup connection
Go to My Computer > Dial-Up Networking > Configuration.
Double-click Make New Connection.
Name the connection and select Next.
Enter the IP address or host name of the FortiGate unit to connect to and select Next.
Select Finish. An icon for the new connection appears in the Dial-Up Networking fol
223. hows a connection to interface 3.
Figure 9: FortiGate 400 Transparent mode connections (diagram: Internal Network and Other Network via Hub or Switch to Port 1 and Port 3; Port 2 to Public Switch or Router and the Internet)
Transparent mode configuration examples
A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and definitions updates. Also, the unit must have sufficient route information to reach:
• the management computer
• the FortiResponse Distribution Network (FDN)
• a DNS server
A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
This section describes:
• Default routes and static routes
• Example default route to an external network
• Example st
224. ibution network. Updates can now be scheduled hourly, and the System > Update page displays more information about the current update status. See Updating antivirus and attack definitions on page 115.
• Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See Registering FortiGate units on page 125.
Network configuration
• Changes have been made to how zones are added and used. See Configuring zones on page 133.
• Changes have been made to how VLANs are added and used. See Configuring VLANs on page 139.
• New interface configuration options. See Configuring interfaces on page 135.
• Ping server and dead gateway detection for all interfaces.
• HTTP and Telnet administrative access to any interface.
• Secondary IP addresses for all FortiGate interfaces.
Routing
• Simplified direction-based routing configuration.
• Advanced policy routing (CLI only).
DHCP server
• DHCP server for the internal network (CLI only).
• Reserve IP/MAC pair combinations for DHCP servers (CLI only).
Routing Information Protocol (RIP)
• New RIP v1 and v2 functionality. See RIP configuration on page 149.
SNMP
• SNMP v1 and v2 support.
• Support for RFC 1213 and RFC 2665.
• Monitoring of all FortiGate configuration and functionality.
• See Configuring SNMP on page 162.
225. ical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic.
Protocol: An agreed-upon format for transmitting data between two devices. The protocol determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message.
RADIUS: Remote Authentication Dial-In User Service. An authentication and accounting system used by many Internet Service Providers (ISPs). When users dial into an ISP, they enter a user name and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system.
Router: A device that connects LANs into an internal network and routes traffic between them.
Routing: The process of determining a path to use to send data to its destination.
Routing table: A list of valid paths through which data can be transmitted.
Server: An application that answers requests from other devices (clients). Used as a generic term for any device that provides services to the rest of the network, such as printing, high-capacity storage, and network access.
SMTP: Simple Mail Transfer Protocol. In TCP/IP networks, this is an application for providing mail delivery services.
SNMP: Simple Network Management Protocol. A set of protocols for managing net
226. … 64
Enabling antivirus protection … 64
Registering your FortiGate … 65
Configuring virus and attack definition updates … 65
Connecting the FortiGate unit to your networks … 65
Transparent mode configuration examples … 66
Default routes and static routes … 67
Example default route to an external network … 67
Example static route to an external destination … 69
Example static route to an internal destination … 72
High availability … 75
Active-passive HA … 75
Active-active HA … 76
HA in NAT/Route mode … 77
Installing and configuring the FortiGate units … 77
Configuring the HA interfaces …
227. ich are optional but required for drawing a WebTrends graph.
To record logs on a NetIQ WebTrends server
1. Go to Log & Report > Log Setting.
2. Select Log in WebTrends Enhanced Log Format.
3. Type the IP address of the NetIQ WebTrends firewall reporting server.
4. Select the severity level for which you want to record log messages. The FortiGate will log all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error.
5. Select Config Policy. To configure the FortiGate to filter the types of logs and events to record, use the procedures in Filtering log messages on page 284 and Configuring traffic logging on page 286.
6. Select Apply.
Recording logs on the FortiGate hard disk
You can record log files on the FortiGate hard disk if one is installed in your FortiGate unit.
To record logs on the FortiGate hard disk
1. Go to Log & Report > Log Setting.
2. Select Log to Local.
3. Type a maximum log file size in Mbytes. When the log file reaches this size, the current log file is closed and saved and a new active log file is started. The default maximum log file size is 10 Mbytes and the maximum allowed is 2 GBytes.
4. Type a log time interval in days. After the specified time interval, the current log file is closed and saved and a new one is started. The default log ti
228. icy accepts connections at any time. The firewall is configured with one schedule that accepts connections at any time. You can add more schedules to control when policies are active. For more information about schedules, see Schedules on page 186.
Content profiles
Content profiles can be added to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. The FortiGate unit includes the following default content profiles:
• Strict: to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
• Scan: to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
• Web: to apply antivirus scanning and Web content blocking to HTTP content traffic.
• Unfiltered: to allow oversized files to pass through the FortiGate unit without being scanned for viruses.
For more information about content profiles, see Content profiles on page 197.
Adding firewall policies
Add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
Go to Firewall > Policy.
Select the policy list to which you want to add the policy.
Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.
Configure the policy. See Firewall policy options on page 173 for information about policy options.
Selec
229. idually and recombined when they are received. By default, when antivirus protection is enabled, the FortiGate unit blocks fragmented emails and replaces them with an email block message that is forwarded to the receiver. It is recommended that you disable the fragmenting of email messages in the client email software.
To exempt fragmented emails from automatic antivirus blocking, you can enable Pass Fragmented Email for the email content protocols IMAP, POP3, and SMTP.
Caution: The FortiGate unit cannot scan fragmented emails for viruses or use file pattern blocking to remove files from these email messages.
Configure the FortiGate unit to pass fragmented emails by doing the following:
Enable Pass Fragmented Emails for IMAP, POP3, and SMTP traffic in a content profile.
Select Anti-Virus & Web filter in a firewall policy. For example, to pass fragmented emails that internal users send to the external network, select an internal to external policy.
Select a content profile that has Pass Fragmented Emails enabled for the traffic that you want the FortiGate unit to scan.
Viewing the virus list
Use the following procedure to view the names of the viruses and worms in the current virus definition list.
To display the virus list, go to Anti-Virus > Config > Virus List.
Scroll through the virus and worm list to view the names of all viruses and worms in the list.
Web filtering
Web filtering i
230. iew current sessions. FortiGate administrators with read and write permission and the FortiGate admin user can also stop active communication sessions.
Viewing the session list
1. Go to System > Status > Session. The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2. To page through the list of sessions, select Page Up or Page Down.
3. Select Refresh to update the session list.
4. If you have logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop any active session.
Each line of the session list displays the following information:
Protocol: The service protocol of the connection, for example udp, tcp, or icmp.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time in seconds before the connection expires.
Clear: Stop an active communication session.
Figure 4: Example session list (screenshot: Total Number of Sessions 659; columns Protocol, From IP, From Port, To IP, To Port, Expire (secs), Clear; first rows: udp 192.168.110.200 1242 206.191.0.210 53 76; tcp 192.168.110.121 …)
231. ig > Admin.
Select New to add an administrator account.
Type a login name for the administrator account. The login name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Type and confirm a password for the administrator account. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces.
Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. To limit the administrator to only be able to access the FortiGate unit from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiGate unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0.
Set the Permission level for the administrator.
Select OK to add the administrator account.
Editing administrator accounts
The admin account user can change individual administrator account passwo
232. il 293
IP, configuring checksum verification 250
IP address, IP/MAC binding 193
IP addresses: configuring from the CLI 63; configuring with front keypad and LCD 47, 63
IP pool, adding 192
IP spoofing 193
IP/MAC binding 193: adding 195; allow traffic 194, 195; block traffic 194, 195; enabling 196; static IP/MAC list 194
IPSec 295
IPSec VPN: authentication for user group 207; AutoIKE 210; certificates 210; disabling 245, 247; manual keys 210; pre-shared keys 210; remote gateway 207; status 233; timeout 233, 234, 302
IPSec VPN tunnel, testing 234
J
Java applets 274, 275: removing from web pages 274
K
keyword, log search 289, 291
L
L2TP 207, 295: configuring Windows XP client 246; network configuration 242
L2TP gateway, configuring 242
language, web-based manager 159
LCD and keypad, configuring IP address 47
LDAP, example configuration 206
LDAP server: adding server address 205; deleting 206
log file, downloading 291
log hard disk, status 107
log options: block traffic 283; do not log 283; overwrite 283
log setting: filtering log entries 118, 284; traffic filter 287
log to local, logging 283
log to memory: configuring 284; viewing saved logs 289
Log Traffic: firewall policy 177; policy 177
logging 21, 281: attack log 284; configuring traffic settings 286, 287; deleting all messages 291; deleting log files 292; downloading log files 291; email filter log 285; enabling alert email 293; event log 284; filtering log messa
233. iltering on page 274
• Exempt URL list on page 275
4. Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See Customizing replacement messages on page 164.
5. Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See Configuring alert email in the Logging Configuration and Reference Guide.
Note: To receive web filtering log messages, see Configuring logging, and for information about log message content and format, see Web filtering log messages in the Logging Configuration and Reference Guide.
Content blocking
When the FortiGate unit blocks a web page, the user who requested the blocked page receives a block message and the FortiGate unit writes a message to the web filtering log. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.
Adding words and phrases to the banned word list
1. Go to Web Filter > Content Block.
2. Select New to add a word or phrase to the banned word list.
3. Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean. Your computer and web browser must be configured to enter characters in the cha
234. in quarantine. The maximum number of hours is 480. The FortiGate unit automatically deletes a file when the TTL reaches 00:00.
4. Type the maximum file size in MB to quarantine. The FortiGate unit keeps any existing quarantined files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The file size range is 1-499 MBytes. Enter 0 for unlimited file size.
5. Select a Low Disk Space option to specify the method for handling additional files when free space on the FortiGate hard disk is too low. You can select overwrite oldest file or drop new quarantine files.
6. Select Apply.
Blocking oversized files and emails
You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver. The FortiGate unit sends a replacement message for an oversized file or email attachment to the HTTP or email proxy client.
Configuring limits for oversized files and email
1. Go to Anti-Virus > Config > Config.
2. Type the size limit in MB.
3. Select Apply.
Exempting fragmented email from blocking
A fragmented email is a large email message that has been split into smaller messages that are sent indiv
235. inding
Configuring IP/MAC binding for packets going to the firewall
Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall, for example when an administrator is connecting to the FortiGate unit for management.
1. Go to Firewall > IP/MAC Binding > Setting.
2. Select Enable IP/MAC binding going to the firewall.
3. Go to Firewall > IP/MAC Binding > Static IP/MAC.
4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets that would normally connect to the firewall are first compared with the entries in the IP/MAC binding table. For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to connect to the firewall.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
  • is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic;
  • is blocked if IP/MAC binding is set to Block traffic.
Adding IP/MAC addresses
1. Go to Firewall > IP/MAC Binding > Static IP/MAC.
2. Select New to add an IP address/MAC address p
236. ing
Note: Any 2 routes in the routing table must differ by something other than just the gateway to be simultaneously active. If two routes added to the routing table are identical except for their gateway IP addresses, only the route closer to the top of the routing table can be active.
Note: Arrange routes in the routing table from more specific to more general. To arrange routes in the routing table, see Configuring the routing table.
Adding routes in Transparent mode
Use the following procedure to add routes when operating the FortiGate unit in Transparent mode.
1. Go to System > Network > Routing.
2. Select New to add a new route.
3. Enter the Destination IP address and Netmask for the route.
4. Enter the Gateway IP address for the route.
5. Select OK to save the new route.
6. Repeat these steps to add more routes as required.
Configuring the routing table
The routing table shows the destination IP address and mask of each route you add, as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the FortiGate unit has used the ping server and dead gateway detection to determine that it can connect to the gateway; a red X means that a connection cannot be established. A blue question mark means that the connection status is unknown. For more information, see Adding a ping server to an interface on page 136 and The FortiG
237. ing a FortiGate unit after an RMA
Network configuration
Go to System > Network to make any of the following changes to the FortiGate network settings:
• Configuring zones
• Configuring interfaces
• Configuring VLANs
• Configuring routing
• Providing DHCP services to your internal network
Configuring zones
In NAT/Route mode, you can use zones to group related interfaces or VLAN subinterfaces. Grouping interfaces and subinterfaces into zones simplifies policy creation. For example, if you have two interfaces connected to the Internet, you can add both of these interfaces to the same zone. Then you can configure policies for connections to and from this zone, rather than to and from each interface. You can add new zones. You can also rename and edit any zone. Finally, you can delete zones when they appear in the zone list with a Delete icon. A new zone will not appear in the policy grid until you add a firewall address for it. See Adding addresses on page 179.
This section describes:
• Adding zones
• Adding interfaces to a zone
• Adding VLAN subinterfaces to a zone
• Renaming zones
• Deleting zones
Adding zones
Using the web-based manager
1. Go to System > Network > Zone.
2. Select New to add a zone.
3. Type a Name f
238. ing to record logs to one or more of:
• a computer running a syslog server
• a computer running a WebTrends firewall reporting server
• the FortiGate hard disk, if your FortiGate unit contains a hard disk
• the console
You can also configure logging to record event, attack, antivirus, web filter, and email filter logs to the FortiGate system memory if your FortiGate unit does not contain a hard disk. Logging to memory allows quick access to only the most recent log entries. If the FortiGate unit restarts, the log entries are lost.
You can select the same or different severity levels for each log location. For example, you might want to record only emergency and alert level messages to the FortiGate memory and record all levels of messages on a remote computer.
For information about filtering the log types and activities that the FortiGate unit records, see Filtering log messages on page 284. For information about traffic logs, see Configuring traffic logging on page 286.
This section describes:
• Recording logs on a remote computer
• Recording logs on a NetIQ WebTrends server
• Recording logs on the FortiGate hard disk
• Recording logs in system memory
Recording logs on a remote computer
Use the following procedure to configure the FortiGate unit to record log messages on a remote computer
239. ion 139
VLAN network, typical configuration 140
VPN: configuring L2TP gateway 242; configuring PPTP gateway 236, 242; introduction 19; L2TP configuration 242; PPTP configuration 236; Tunnel 174; viewing dialup connection status 233
VPN events, enabling alert email 293
VPN tunnel, viewing status 233
W
web content filtering, introduction 16
web filtering: ActiveX 274; cookies 274; Java applets 274; overview 267, 277
web filtering log 284
web page content blocking 268, 278
web-based manager 20: changing options 158; connecting to 32; introduction 20; language 159; timeout 158
WebTrends, recording logs on NetIQ WebTrends server 282
Windows 2000: configuring for L2TP 245; configuring for PPTP 239; connecting to L2TP VPN 246; connecting to PPTP VPN 240
Windows 98: configuring for PPTP 238; connecting to PPTP VPN 239
Windows XP: configuring for L2TP 246; configuring for PPTP 240; connecting to L2TP VPN 248; connecting to PPTP VPN 241
wizard: setting up firewall 46, 62; starting 46, 62
worm list, displaying 266
worm protection 266
Z
zone: adding 133; configuring 133; renaming 134
240. ion tests the integrity of packets received at the monitored interface(s).
This section describes:
• Selecting the interfaces to monitor
• Disabling the NIDS
• Configuring checksum verification
• Viewing the signature list
• Viewing attack descriptions
• Enabling and disabling NIDS attack signatures
• Adding user-defined signatures
Selecting the interfaces to monitor
1. Go to NIDS > Detection > General.
2. Select the interfaces to monitor for network attacks. You can select up to 4 interfaces and VLAN subinterfaces.
3. Select Apply.
Disabling the NIDS
1. Go to NIDS > Detection > General.
2. Deselect all monitored interfaces.
3. Select Apply.
Configuring checksum verification
Checksum verification tests files passing through the FortiGate unit to make sure that they have not been changed in transit. The NIDS can run checksum verification on IP, TCP, UDP, and ICMP traffic. For maximum detection, you can turn on checksum verification for all types of traffic. However, if the FortiGate unit does not need to run checksum verification, you can turn it off for some or all types of traffic to improve system performance. For example, you might not need to run checksum verification if your FortiGate unit is installed behind a router that also does checksum verification.
1. Go to NIDS > Detection > General
241. is a world-wide network of FortiResponse Distribution Servers (FDSs). When your FortiGate unit connects to the FDN, it actually connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit. To make sure the FortiGate unit receives updates from the nearest FDS, go to System > Config > Time and make sure you have selected the correct time zone for your area.
Updating antivirus and attack definitions
To make sure the FortiGate unit can connect to the FDN:
1. Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area.
2. Go to System > Update.
3. Select Refresh. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Table 1: Connections to the FDN
Connections | Status | Comments
FortiResponse Distribution Network | Available | The FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See Configuring scheduled updates on page 117.
FortiResponse Distribution Network | Not available | The FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiGat
242. ithm combinations to propose for phase 1. The VPN peers must use the same P1 proposal settings.
7. Select the DH Group(s). Select one or more Diffie-Hellman groups to propose for phase 1. As a general rule, the VPN peers should use the same DH Group settings.
8. Enter the Keylife. The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.
9. For Authentication Method, select Preshared Key or RSA Signature.
• If you select Preshared Key, enter a key that is shared by the VPN peers. The key must contain at least 6 printable characters and should only be known by network administrators. To protect against the best known attacks, a good pre-shared key should consist of a minimum of 16 randomly chosen alphanumeric characters.
• If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see Obtaining a signed local certificate on page 219.
10. Optionally, enter the Local ID of the FortiGate unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. If you do not add a local ID, the FortiGate unit will transmit its IP address. Configure the local ID
243. its port2 and port3 interfaces. The default policy allows all traffic from the port1 network to connect to the Internet through the port2 interface. If you add a similar policy to the port1 to port3 policy list, this policy will allow all traffic from the port1 network to connect to the Internet through the port3 interface. With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see Default firewall configuration on page 170.
To add a redundant default policy
1. Go to Firewall > Address > port3.
2. Add the following address to port3:
   Address Name: Port3_All
   IP Address: 0.0.0.0
   Netmask: 0.0.0.0
3. Go to Firewall > Policy > port1 > port3.
4. Select New.
5. Configure the policy to match the default policy:
   Source: Port1_All
   Destination: Port3_All
   Schedule: Always
   Service: ANY
   Action: Accept
   NAT: Select NAT
6. Select OK to save your changes.
Adding more firewall policies
In most cases, your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex. To configure the FortiGate unit to use multiple Internet connections, you must add
244. izard
Table 10: NAT/Route mode settings (Continued)
Interface 4 (HA): IP ____ ; Netmask ____
Internal servers (Web Server, SMTP Server, POP3 Server, IMAP Server, FTP Server): If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see Connecting to the web-based manager on page 32.
Starting the setup wizard
To start the setup wizard:
1. Select Easy Setup Wizard (the middle button in the upper right corner of the web-based manager).
2. Use the information that you gathered in Table 10 on page 45 to fill in the wizard fields. Select the Next button to step through the wizard pages.
3. Confirm your configuration settings and then select Finish and Close.
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds port forwarding virtual IPs and firewall policies for each server. For each server located in your Internal zone, the FortiGate unit adds an External > Internal policy. For each server located in your DMZ zone, the FortiGate unit adds an External > DMZ policy.
Reconnecting to the web-based manager
If y
245. k prevention and synflood prevention are always disabled.
• Enabling NIDS attack prevention
• Enabling NIDS attack prevention signatures
• Setting signature threshold values
• Configuring synflood signature values
Enabling NIDS attack prevention
1. Go to NIDS > Prevention.
2. Select Enable in the top left corner.
Enabling NIDS attack prevention signatures
The NIDS Prevention module contains signatures that are designed to protect your network against attacks. Some signatures are enabled by default; others must be enabled. For a complete list of NIDS Prevention signatures and descriptions, see the FortiGate NIDS Guide.
1. Go to NIDS > Prevention.
2. Check the box in the Enable column beside each signature that you want to enable.
3. Select Check All to enable all signatures in the NIDS attack prevention signature list.
4. Select Uncheck All to disable all signatures in the NIDS attack prevention signature list.
5. Select Reset to Default Values to enable only the default NIDS attack prevention signatures and return to the default threshold values.
Figure 36: Example NIDS attack prevention signature list entries (Enable Prevention; columns Signature, Summary, Protocol, Enable, Modify; rows: synflood, syn flood attack, TCP; portscan, port scan attack, TCP; synfrag, syn fragment attack
246. l to register.
5. Enter the Serial Number of the FortiGate unit.
6. If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Figure 6: Registering a FortiGate unit, product information (Product Model: FGT-60; Serial Number: FGT-60280303002, located on bottom of unit and also on System screen on the web user interface; Support Contract No.: 224278334744; * indicates Required Fields)
7. Select Finish. If you have not entered a FortiCare Support Contract number (SCN), you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Continue to complete the registration. If you have entered a support contract number, a real-time validation is performed to verify that the SCN information matches the FortiGate unit. If the information doesn't match, you can try entering it again.
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your Contact information.
Updating registration information
You can use your Fortinet support user name and password to log o
247. le metrics are redistributed. Whenever metrics do not convert, RIP uses the default metric to provide a reasonable substitute and allows the redistribution to proceed. The default setting of the default metric is 2.
Input Queue: Change the depth of the RIP input queue. The larger the numerical value, the larger the depth of the queue. Consider changing the input queue depth if you have a FortiGate unit sending at high speed to a low-speed router that might not be able to receive at the high speed. Configuring this command will help prevent the routing table from losing information. The range is 0 to 1024. The default input queue depth is 50. A queue size of 0 means there is no input queue.
Output Delay: Change the output delay to add a delay in milliseconds between packets in a multiple-packet RIP update. A typical output delay is 8 to 50 milliseconds. Add an output delay if you are configuring RIP on a FortiGate unit that could be sending packets to a router that cannot receive the packets at the rate the FortiGate unit is sending them. The default output delay is 0 milliseconds.
RIP settings (Update, Invalid, Holddown, Flush): Change the following RIP timer settings to fine-tune RIP performance. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot problems with your RIP configuration.
Update: The time interval in seconds between sending routing tabl
248. le organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
Select OK.
Figure 19: Example LDAP configuration (New LDAP Server: Name LDAP_1; Server Name/IP; Server Port 389; Common Name Identifier; Distinguished Name ou=marketing,dc=fortinet,dc=com)
Deleting LDAP servers
You cannot delete LDAP servers that have been added to user groups.
1. Go to User > LDAP.
2. Select Delete beside the LDAP server name that you want to delete.
3. Select OK.
Configuring user groups
To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
• Policies that require authentication. Only users in the selected user group, or that can authenticate with the RADIUS servers added to the user group, can authenticate with these policies.
• IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated using XAuth.
• The FortiGate PPTP configuration. Only users in the selected user group can use PPTP.
• The FortiGate L2TP configuration. Only users in the selected user group ca
249. list.
1. Go to Log & Report > Log Setting > Traffic Filter.
2. Select New.
3. Configure the traffic filter for the type of traffic that you want to record on the traffic log.
Name: Type a name to identify the traffic filter entry. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
Source IP Address, Source Netmask: Type the source IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Destination IP Address, Destination Netmask: Type the destination IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Service: Select the service group or individual service for which you want the FortiGate unit to log traffic messages.
4. Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected in Enabling traffic logging on page 286.
Figure 45: Example new traffic address entry (Log Setting > Traffic Filter: Name FTP_Main_Office; Source IP Address 10.10.10.1; Source Netmask 255.255.255.0; Destination IP Address 10.10.10.2; Destination Netmask 255.255.255.0; Service FTP)
Viewing logs saved to memory
250. ll appear to be originating from all of the IP addresses in the IP pool.
IP/MAC binding
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to Ethernet cards at the factory and cannot easily be changed.
You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the Static IP/MAC table. IP/MAC binding can be enabled for packets connecting to the firewall or passing through the firewall.
Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer will not have access to or through the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network, or this computer will not have access to or through the FortiGate unit.
This section describes:
• Configuring IP/MAC binding for packets going through the firewall
• Configuring IP/MAC binding for packets going to the firewall
• Adding IP/MAC addresses
• Viewing the dynamic IP/MAC list
• Enabling IP/MAC binding
Configuring
251. ll to replace:
• Files or other content removed from email messages by the antivirus system
• Files or other content removed from HTTP downloads by the antivirus system or web filtering
• Files removed from FTP downloads by the antivirus system
You can edit replacement messages to control the content of these messages when they are received by a user. You can also edit the content added to alert email messages to control the information that appears in alert emails for virus incidents, NIDS events, critical system events, and disk full events.
This section describes:
• Customizing replacement messages
• Customizing alert emails
Figure 3: Sample replacement message (Message setup, Email virus message; Allowed Formats: Text, HTML; Size: 4095 characters; message body: "Sorry, Dangerous Attachment has been Removed. <INFECTED> The file %%FILE%% has been removed because of a virus. It was infected with the %%VIRUS%% virus. </INFECTED> <QUARANTINE> File quarantined as %%QUARFILENAME%% </QUARANTINE>")
Customizing replacement messages
Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message li
252. lso organize related addresses into address groups to simplify policy creation.
A firewall address consists of an IP address and a netmask. This information can represent:
• The address of a subnet (for example, for a class C subnet, IP address 192.168.20.0 and Netmask 255.255.255.0)
• A single IP address (for example, IP Address 192.168.20.1 and Netmask 255.255.255.255)
• All possible IP addresses (represented by IP Address 0.0.0.0 and Netmask 0.0.0.0)
Note: IP address 0.0.0.0 and Netmask 255.255.255.255 is not a valid firewall address.
This section describes:
• Adding addresses
• Editing addresses
• Deleting addresses
• Organizing addresses into address groups
Adding addresses
1. Go to Firewall > Address.
2. Select the interface, VLAN subinterface, or zone to which to add the address.
3. Select New to add a new address.
4. Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
5. Enter the IP Address. The IP address can be:
   • The IP address of a single computer (for example, 192.45.46.45)
   • The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet)
   • 0.0.0.0 to represent all possible IP addresses
6. Enter the NetMask
253. <attack ID>. Remember to include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL: http://www.fortinet.com/ids/ID101646338
Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack. This URL is available from the Attack Log messages and Alert email messages. For information about log message content and formats, and about log locations, see the Logging Configuration and Reference Guide. To log attack messages, see Logging attacks on page 256.
Figure 34: Example signature group members list (columns ID, Rule Name, Revision)
101646337  gobbles SSH exploit attempt  16
101646338  ssh CRC32 overflow /bin/sh  16
101646339  ssh CRC32 overflow NOOP  16
101646340  ssh CRC32 overflow  16
101646341  x86 linux samba overflow  16
101646342  Solaris x86 nlps overflow attempt  16
101646343  nlps x86 solaris overflow  16
101646344  LPRng overflow  16
101646345  redhat 7.0 lprd overflow  16
Enabling and disabling NIDS attack signatures
By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number
254. lter.
2. Select New to add a RIP filter.
3. Configure the RIP filter list name.
Filter Name: Enter a name for the RIP filter list. Each RIP filter and RIP filter list must have a unique name. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
Blank Filter: Optionally, select blank filter to start the RIP filter list with a blank filter. After adding the blank filter, you can add routes to the RIP filter list.
4. Select OK to save the RIP filter list.
5. For the RIP filter list name, select Add Prefix to add a route prefix to the filter list.
6. Configure the route prefix.
IP: Add the IP address of the route.
Mask: Add the netmask of the route.
Action: Select Allow so that the filter permits this route to be communicated. Select Deny to stop this route from being communicated.
Interface: Select the interface on which to apply this RIP filter.
7. Select OK to add the route prefix to the filter list.
8. Repeat steps 5 to 7 to add route prefixes to the filter list.
Adding a neighbors filter
You can select a single RIP filter or a RIP filter list to be the neighbors filter.
1. Go to System > RIP > Filter.
2. Add RIP filters and RIP filter lists as required.
3. For Neighbors Filter, select the name of the RIP filter or RIP filter list to become the neighbors filter.
4. Select Apply.
255. luster

CPU Usage History and Memory Usage History graphs.

3. Select Sessions & Network.

Sessions and network status is displayed for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the current number of sessions and current network utilization, as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph. For more information, see "Viewing sessions and network status" on page 111.

4. Select Virus & Intrusions.

Virus and intrusions status is displayed for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the number of viruses and intrusions detected per hour, as well as line graphs of the number of viruses and intrusions detected for the last 20 hours. For more information, see "Viewing virus and intrusions status" on page 112.

5. Select Packets & Bytes.

The number of packets and bytes processed by each cluster member is displayed.

For each of these displays, you can set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates
256. ly simple configuration changes to the client computer and the FortiGate unit.

This chapter provides an overview of how to configure FortiGate PPTP and L2TP VPN. For a complete description of FortiGate PPTP and L2TP, see the FortiGate VPN Guide.

This chapter describes:
- Configuring PPTP
- Configuring L2TP

Configuring PPTP

As its name suggests, PPTP involves the Point-to-Point protocol. PPTP packages data within PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel.

Note: PPTP VPNs are only supported in NAT/Route mode.

This section describes:
- Configuring the FortiGate unit as a PPTP gateway
- Configuring a Windows 98 client for PPTP
- Configuring a Windows 2000 client for PPTP
- Configuring a Windows XP client for PPTP

Figure 29: PPTP VPN between a Windows client and the FortiGate unit (internal network 192.168.1.0, FortiGate unit, PPTP Windows client)

Configuring the FortiGate unit as a PPTP gateway

Use the following procedures to configure the FortiGate unit as a PPTP gateway.

Adding users and user groups

To add a user for each PPTP client:
1. Go to User > Local.
2. Add and configure PPTP users. See "Adding user names and configuring authentication" on page 202.
3. Go to User > User Group. Ad
257. mage from the TFTP server to the FortiGate:

execute restore image <name_str> <tftp_ip>

Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server.

For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

Reconnect to the CLI.

To confirm that the new firmware image has been loaded, enter:

get system status

Use the procedure "Manually updating antivirus and attack definitions" on page 119 to update antivirus and attack definitions, or from the CLI enter:

execute updatecenter updatenow

To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:

get system objver

Revert to a previous firmware version

Use the following procedures to revert your FortiGate unit to a previous firmware version.

Reverting to a previous firmware version using the web-based manager

The following procedures return your FortiGate unit to its factory default configuration and delete NIDS
258. me interval is 10 days.

5. Select the severity level for which you want to record log messages. The FortiGate will log all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error.

6. Select Config Policy. To configure the FortiGate to filter the types of logs and events to record, use the procedures in "Filtering log messages" on page 284 and "Configuring traffic logging" on page 286.

7. Set Log options when disk is full to one of the following:
   Overwrite: Delete the oldest log file when the hard disk is full. Overwrite is the default option.
   Block traffic: Block all network traffic when the hard disk is full.
   Do not log: Stop logging messages when the hard disk is full.

8. Select Apply.

Recording logs in system memory

If your FortiGate unit does not contain a hard disk, you can use the following procedure to configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter, and email filter log messages. Logging to memory allows quick access to only the most recent log entries. The FortiGate unit can store a limited number of messages in system memory. After all available memory is used, the FortiGate unit deletes the oldest messages. If the FortiGate unit restarts, the log entries are lost. No
259. me is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168

The FortiGate unit uploads the firmware image file. Once the file has been uploaded, a message similar to the following is displayed:

Get image from tftp server OK.
This operation will downgarde the current firmware version.
Do you want to continue? (y/n)

Type Y.

The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.

Reconnect to the CLI. For information about logging into the web-based manager when the FortiGate unit is set to factory defaults, see "Connecting to the command line interface (CLI)" on page 33.

To confirm that the new firmware image has been loaded, enter:

get system status

Restore your previous configuration. Use the following command:

execute restore config

Use the procedure "Manually updating antivirus and attack definitions" on page 119 to update antivirus and attack definitions, or from the CLI enter:

execute updatecenter updatenow

12. To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information: ge
260. means that the firewall policy is valid at all times.

Firewall Policy: Port1 -> Port2. Firewall policy for connections from the internal network to the external network.

Source: Port1_All. The policy source address Internal_All means that the policy accepts connections from any internal IP address.

Destination: Port2_All. The policy destination address External_All means that the policy accepts connections with a destination address to any IP address on the external network.

Schedule: Always. The policy schedule Always means that the policy is valid at any time.

Service: ANY. The policy service ANY means that this policy processes connections for all services.

Table 4: Factory default firewall configuration (continued)

Action: ACCEPT. The policy action ACCEPT means that the policy allows connections.

NAT: Selected. NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.

Traffic Shaping: Not selected. Traffic shaping is not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth
261. mode installation

Configuration example: Multiple connections to the Internet

Load sharing

You can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.

Table 12: Load sharing routes

Destination IP   Mask             Gateway 1   Device 1   Gateway 2   Device 2
100.100.100.0    255.255.255.0    1.1.1.1     port2      2.2.2.1     port3
200.200.200.0    255.255.255.0    2.2.2.1     port3      1.1.1.1     port2

The first route directs all traffic destined for the 100.100.100.0 network out port2 to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is redirected out port3 to gateway 2 with the IP address 2.2.2.1.

Load sharing and primary and secondary connections

You can combine these routes into a more complete multiple Internet connection configuration. In the topology shown in Figure 8 on page 53, users on the internal network would connect to the Internet to access web pages and other Internet resources. However, they may also connect to services such as email provided by their ISPs. You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet, while at the same time routing
262. move it from the group.

6. Select OK to add the service group.

Figure 9: Adding a service group (New Service Group, Group Name web_Services, Available Services / Members)

Schedules

Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules.

You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.

This section describes:
- Creating one-time schedules
- Creating recurring schedules
- Adding a schedule to a policy

Creating one-time schedules

You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.

1. Go to Firewall > Schedule > One-time.
2. Select New.
3. Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special chara
263. must have the same NAT traversal setting.

If you enable NAT traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors. The DPD settings are Enable, Short Idle, Retry Count, Retry Interval, and Long Idle.

Enable: Select Enable to enable DPD between the local and remote peers.

Short Idle: Set the time in seconds that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval.

Retry Count: Set the number of times that the local VPN peer will retry the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network
264. n

Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to:
- View your list of registered FortiGate units
- Register additional FortiGate units
- Add or change FortiCare Support Contract numbers for each FortiGate unit
- View and change registration information
- Download virus and attack definitions updates
- Download firmware upgrades
- Modify registration information after an RMA

Soon you will also be able to:
- Access Fortinet user documentation
- Access the Fortinet knowledge base

All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third party organizations for any reason.

This section describes:
- FortiCare Service Contracts
- Registering the FortiGate unit

FortiCare Service Contracts

Owners of a new FortiGate unit are entitled to 90 days of technical support services. To continue receiving support services after the 90-day expiry date, you must purchase a FortiCare Support Contract from an authorized Fortinet reseller or distributor. Different levels of service are available, so you can purchase the support that you need. For maximum network protection, Fortine
265. n resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

Login to the web-based manager. For information about logging into the web-based manager when the FortiGate unit is set to factory defaults, see "Connecting to the web-based manager" on page 32.

Go to System > Status and check the Firmware Version to confirm that the firmware has been installed successfully.

Restore your configuration. See "Restoring system settings" on page 108 to restore your previous configuration.

Use the procedure "Manually updating antivirus and attack definitions" on page 119 to update antivirus and attack definitions.

Reverting to a previous firmware version using the CLI

This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.

Before running this procedure, you can:
- Back up the FortiGate unit configuration using the command execute backup config
- Back up the NIDS user-defined signatures using the command execute backup nidsuserdefsig
- Back up web content and email filtering lists (see the FortiGate Content Protection Guide)

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36), you may not be able to restore your previous configuration from the backup configuration file. FortiGate
266. n the ethernet frame header that indicates membership in a particular VLAN. The FortiGate unit does not add or change VLAN tags. However, you can configure it to separate VLAN-tagged packets and apply policies to control how they connect through the firewall.

Figure 9: Typical VLAN network configuration (802.1q tagged traffic passing between IEEE 802.1Q compliant routers, the internal network, the FortiGate 400, and the external network)

In a typical VLAN configuration, a number of physical networks could be connected to a single IEEE 802.1Q compliant router. The router is configured to add VLAN IDs to the packets that it receives from each network and then route the packets out a single interface that is connected to the FortiGate interface. This FortiGate unit is configured with subinterfaces that include VLAN IDs that match the VLAN IDs added by the router. When the FortiGate unit receives packets with VLAN IDs, it directs them to the correct subinterface.

Adding VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and ne
267. n the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.

You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewalling as well as antivirus and content scanning, but not VPN.

Figure 6: Example Transparent mode network configuration (FortiGate 400 unit in Transparent mode between the internal network and the firewall/router gateway to the public network and Internet; addresses shown in the figure: 204.23.1.5, 192.168.1.1, 192.168.1.2, 192.168.1.3; Port 1, Port 2, Management IP)

Transparent mode policies controlling traffic between internal and external networks

You can connect up to four network segments to the FortiGate unit to control traffic between these network segments:
- Interface 1 can connect to the internal firewall or router.
- Interface 2 can connect to the external network.
- Interface 3 can connect to another network.
- Interface 4/HA can connect to another network. Interface 4/HA can also connect to other FortiGate 400s if you are installing an HA cluster.

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan and begin configuring the FortiGate unit. You can use the web-based manager setup wizard, th
268. n to the Fortinet Support web site at any time to view or update your Fortinet support information.

This section describes:
- Recovering a lost Fortinet support password
- Viewing the list of registered FortiGate units
- Registering a new FortiGate unit
- Adding or changing a FortiCare Support Contract number
- Changing your Fortinet support password
- Changing your contact information or security question
- Downloading virus and attack definitions updates

Recovering a lost Fortinet support password

If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password. If you did not provide a security question and answer, contact Fortinet tech support.

1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name.
4. Select Forgot your password.
5. Enter your email address and select Submit. The security question that you entered when you registered is displayed.
6. Enter the answer to your security question and select Get Password. If you entered the correct answer to the security question, an email containing a new password is sent to your email address. You can use your current user name and this password to log into the Fortinet support web site.
7. Select Support Login.
8. When your new password arrives, enter your user name and new password to log into the Fortinet support web sit
269. n use L2TP.

When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added affects the order in which the FortiGate unit checks for authentication. If user names are first, then the FortiGate unit checks for a match with these local users. If a match is not found, the FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server and then the local users. If the user group contains users, RADIUS servers, and LDAP servers, the FortiGate unit checks them in the order in which they have been added to the user group.

This section describes:
- Adding user groups
- Deleting user groups

Adding user groups

Use the following procedure to add user groups to the FortiGate configuration. You can add user names, RADIUS servers, and LDAP servers to user groups.

To add a user group:
1. Go to User > User Group.
2. Select New to add a new user group.

Figure 20: Adding a user group (New User Group, Group Name PPTP_User_Group, Available Users / Members)

3. Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
To add
270. nager.

Go to System > Status and check the Firmware Version to confirm that the firmware upgrade has been installed successfully.

9. Use the procedure "Manually updating antivirus and attack definitions" on page 119 to update antivirus and attack definitions.

Upgrading the firmware using the CLI

To use the following procedure, you must have a TFTP server that you can connect to from the FortiGate unit.

Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure "Manually updating antivirus and attack definitions" on page 119 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.

1. Make sure that the TFTP server is running.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI as the admin administrative user.
4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:

execute ping 192.168.1.168

5. Enter the following command to copy the firmware i
271. namic NAT when the firewall translates source addresses. You can use policies to configure port address translation (PAT) through the FortiGate.

Content profiles can be added to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. You can create content profiles that perform one or any combination of the following actions:
- Apply antivirus protection to HTTP, FTP, SMTP, IMAP, or POP3 services
- Quarantine files that are infected or that may be infected by a virus
- Apply web filtering to HTTP services
- Apply email filtering to IMAP and POP3 services

You can also add logging to a firewall policy so that the FortiGate unit logs all connections that use this policy.

This chapter describes:
- Default firewall configuration
- Adding firewall policies
- Configuring policy lists
- Addresses
- Services
- Schedules
- Virtual IPs
- IP pools
- IP/MAC binding
- Content profiles

Default firewall configuration

Interfaces

By default, the users on the network connected to port1 can connect through the FortiGate unit to the network connected to port2. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the network connected to port1 and instructs the firewall
272. nds are larger, they are broken up or fragmented, which slows down transmission speeds.

To change the MTU size:
1. Go to System > Network > Interface.
2. Choose an interface and select Modify.
3. Select Fragment outgoing packets greater than MTU.
4. Set the MTU size. Set the maximum packet size in the range of 68 to 1500 bytes. The default MTU size is 1500. Experiment by lowering the MTU to find an MTU size for best network performance.

Configuring port4/ha

You can use port4/ha as a firewall interface or for communication between FortiGate 400 units in an HA group. To configure port4/ha as a firewall interface, you must disable its HA functionality. You can then add the interface to a zone and configure its IP address and netmask. The zone should match the type of network connected to the interface. For example, if you are connecting port4/ha to an internal network, add it to the Internal zone.

Configuring port4/ha for HA mode

To connect two or more FortiGate 400 units in high availability mode, you must set their port4/ha interfaces to HA mode. In HA mode, you cannot connect port4/ha to a network and you cannot add VLAN subinterfaces to it. It can only be connected to the port4/ha of the other FortiGate 400 units in the HA group. The FortiGate 400 units in the HA group use this connection to communicate status an
273. ne blocked files found in POP3, IMAP, and SMTP traffic controlled by firewall policies.

1. Go to Anti-Virus > Quarantine > Quarantine Config.
2. Select the Content protocols for which to quarantine blocked files.
3. To quarantine blocked files, select file block in a content profile. See "Adding a content profile" on page 197.
4. Select Quarantine to save to the quarantine any files that are blocked.
5. Add this content profile to firewall policies. See "Adding a content profile to a policy" on page 199.

Viewing the quarantine list

1. Go to Anti-Virus > Quarantine.

The quarantine list provides the following information:

File Name: The processed filename of the file that was quarantined. The processed filename has all white space removed. As a file is quarantined, it is 32-bit checksummed and stored on the FortiGate hard disk with the following naming convention: <32bit CRC>.<processed filename>. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.

Date Quarantined: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.

Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP).

Status: A color-coded status indicator.
- Red: File is infected.
- Yellow:
274. nected to load balancing switches.

Hub: Used when the cluster interfaces are connected to a hub. Distributes traffic to units in the cluster based on the Source IP and Destination IP of the packet.

Least Connection: Distributes traffic to the cluster unit with the fewest concurrent connections.

Round Robin: Distributes traffic to the next available cluster unit.

Weighted Round Robin: Similar to Round Robin, but weighted values are assigned to each of the units in a cluster based on their capacity. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic.

Random: Randomly distributes traffic to cluster units.

IP: Distributes traffic to units in a cluster based on the Source IP and Destination IP of the packet.

IP Port: Distributes traffic to units in a cluster based on the Source IP, Source Port, Destination IP, and Destination Port of the packet.

HA in NAT/Route mode

During startup, the members of the HA cluster negotiate to select the primary unit. The primary unit allows other FortiGate units to join the HA cluster as subordinate units and assigns each subordinate unit a priority. The FortiGate units in the HA cluster communicate status and session information using their HA interfaces. All FortiGate units in the cluster maintain all session information. For load balancing, when the primary FortiGate unit forward
275. nes, applications, processes, and so on that can be logical, physical, or both.

DMZ: Demilitarized Zone. Used to host Internet services without allowing unauthorized access to an internal private network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.

DMZ interface: The FortiGate interface that is connected to a DMZ network.

DNS: Domain Name Service. A service that converts symbolic node names to IP addresses.

Ethernet: A local area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100Base-T or Fast Ethernet, supports data transfer rates of 100 Mbps. And the newest version, Gigabit Ethernet, supports data rates of 1 gigabit (1,000 megabits) per second.

External interface: The FortiGate interface that is connected to the Internet. For the FortiGate 60, the external interface is WAN1 or WAN2.

FTP: File Transfer Protocol. An application and TCP/IP protocol used to upload or download files.

Gateway: A combination of hardware and software that links different networks. Gateways between TCP/IP networks, for example, can link different subnetworks.

HTTP: Hyper Text Transfer Protocol. The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and
276. net tech support web site.

Changing your contact information or security question

1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select My Profile.
5. Select Edit Profile.
6. Make the required changes to your contact information.
7. Make the required changes to your security question and answer.
8. Select Update Profile. Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.

Downloading virus and attack definitions updates

Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the definitions updates on your FortiGate unit.

1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select Download Virus/Attack Update.
5. If required, select the FortiOS version.
6. Select the virus and attack definitions to download.

Figure 8: Downloading virus and attack definition updates (Download Virus/Attack Updates; columns: Version, FGT Unit, Virus Definition, Attack Definition)
277. nformation for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

Volume 3: FortiGate Content Protection Guide. Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.

Volume 4: FortiGate NIDS Guide. Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.

Volume 5: FortiGate Logging and Message Reference Guide. Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.

Volume 6: FortiGate CLI Reference Guide. Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.

The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at ht
• Using the FortiGate web filter
• Using the Cerberian web filter

Using the FortiGate web filter
You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.
This section describes:
• Adding URLs or URL patterns to the block list
• Clearing the URL block list
• Downloading the URL block list
• Uploading a URL block list

Adding URLs or URL patterns to the block list
1 Go to Web Filter > URL Block.
2 Select New to add an item to the URL block list.
3 Type the URL pattern to block.
Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website.
Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website.
To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on.
Note: Do not include http:// in the URL to block. Do not use an asterisk to represent any characters.
You can type a
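The block-list semantics described above (a host entry covers every page on that host, a host/path entry covers one page, a bare domain covers every host under it, no scheme and no wildcards) can be applied by a small matcher. The following is an added example, not code from the Fortinet guide or from FortiOS; the block list and request URLs are constructed, and the name is_blocked is hypothetical. The matcher checks the domain suffix on a label boundary so that notbadsite.com is not caught by an entry for badsite.com.

```python
from urllib.parse import urlsplit

# Constructed block list, written as the guide says: no scheme, no wildcards.
BLOCK_LIST = [
    "www.badsite.com",            # every page on this host
    "122.133.144.155",            # every page at this IP address
    "badsite.com",                # the domain and every host under it
]

def _parse_entry(entry):
    """Split a block-list entry into (host, path); path is None for host-only entries."""
    entry = entry.strip()
    for scheme in ("http://", "https://"):
        if entry.lower().startswith(scheme):      # guide says not to include it; tolerate it
            entry = entry[len(scheme):]
    host, sep, path = entry.partition("/")
    return host.lower(), ("/" + path) if sep else None

def _host_matches(req_host, entry_host):
    """Exact host, or a host under the entry's domain (label boundary respected)."""
    return req_host == entry_host or req_host.endswith("." + entry_host)

def is_blocked(url, block_list=BLOCK_LIST):
    """Return the first block-list entry that covers url, or None if it is allowed."""
    if "://" not in url:
        url = "http://" + url         # urlsplit needs a scheme to locate the host
    parts = urlsplit(url)
    req_host = (parts.hostname or "").lower()
    req_path = parts.path or "/"
    for entry in block_list:
        entry_host, entry_path = _parse_entry(entry)
        if not _host_matches(req_host, entry_host):
            continue
        if entry_path is None:        # host-level entry: every page on the site
            return entry
        if req_host == entry_host and req_path == entry_path:
            return entry              # single-page entry: exact host and path
    return None
```

A single-page entry such as www.badsite.com/news.html only matches that exact path; the guide's rule that the entry is matched literally (no asterisk) is what makes the label-boundary check necessary, since a plain "ends with" test on the string would also block notbadsite.com.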
• Backing up system settings
• Restoring system settings
• Restoring system settings to factory defaults
• Changing to Transparent mode
• Changing to NAT/Route mode
• Restarting the FortiGate unit
• Shutting down the FortiGate unit
If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings, including:
• Displaying the FortiGate serial number
• Displaying the FortiGate up time
• Displaying log hard disk status
All administrative users can also go to System > Status > Monitor and view FortiGate system status. System status displays FortiGate health monitoring information, including CPU and memory status, and session and network status.
All administrative users can also go to System > Status > Session and view the active communication sessions to and through the FortiGate unit.

Changing the FortiGate host name
The FortiGate host name appears on the System > Status page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see Configuring SNMP on page 162). The default host name is FortiGate 400.
To change the FortiGate host name:
1 Go to System > Status.
2 Select Edit Host Name.
3 Enter a new host name.
4 Select OK.
The new host name appears on the System Status pag
... single page to 30, 50, or 1000. You can scroll through the log entries. To view a specific line in the log file, type a line number in the Go to line field and select the icon beside it. To navigate through the log message pages, select Go to next page or Go to previous page. To search the messages in the log file that you are viewing, select the search icon.

Searching logs
Use the following procedure to search the active log or any of the saved log files.
1 Go to Log & Report > Logging.
2 Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
3 To view a log file, select View.
4 Select the search icon to search the messages in the log file that you are viewing.
5 Select AND to search for messages that match all the specified search criteria. Select OR to search for messages that match one or more of the specified search criteria.
6 Select one or more of the following search criteria:
Keyword: search for any text in a log message. Keyword searching is case sensitive.
Source: search for any source IP address.
Destination: search for any destination IP address.
Time: search log messages created during the selected year, month, day, and hour.
7 Select OK to run the search.
The web-based manager displays the messages that match the search criteria. You can scroll through the messages or run anot
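The search semantics above (AND requires every supplied criterion to hold, OR requires at least one, keyword matching is case sensitive, and the time criterion selects a year, month, day and hour) are worth seeing applied to real records. The following is an added example, not code from the Fortinet guide: the log entries are constructed and the (time, source, destination, message) layout is hypothetical, not the FortiGate log format.

```python
# Constructed sample entries in a hypothetical (time, source, destination, message) layout.
SAMPLE_LOG = [
    ("2003-06-12 10:15:02", "192.168.1.10", "10.0.0.5",  "HTTP allowed by policy 3"),
    ("2003-06-12 10:15:09", "192.168.1.22", "10.0.0.5",  "SMTP denied by policy 7"),
    ("2003-06-13 08:01:44", "192.168.1.10", "10.0.0.80", "attack detected: port scan"),
    ("2003-06-13 08:02:01", "192.168.1.31", "10.0.0.5",  "http allowed by policy 3"),
]

def _criteria_results(entry, keyword=None, source=None, destination=None, hour=None):
    """Evaluate only the criteria that were supplied; returns one bool per criterion."""
    time_s, src, dst, msg = entry
    results = []
    if keyword is not None:
        results.append(keyword in msg)          # substring match, case sensitive as the guide states
    if source is not None:
        results.append(src == source)
    if destination is not None:
        results.append(dst == destination)
    if hour is not None:                        # "YYYY-MM-DD HH": year, month, day and hour
        results.append(time_s[:13] == hour)
    return results

def search_log(entries, mode="AND", **criteria):
    """Return entries matching all (AND) or at least one (OR) of the given criteria."""
    if mode not in ("AND", "OR"):
        raise ValueError("mode must be AND or OR")
    combine = all if mode == "AND" else any
    matches = []
    for entry in entries:
        results = _criteria_results(entry, **criteria)
        if results and combine(results):        # no criteria supplied -> nothing matches
            matches.append(entry)
    return matches
```

Because the keyword test is case sensitive, a search for HTTP does not return the entry whose message reads "http allowed by policy 3"; when hunting across logs written by different components, search for each spelling or use the other criteria.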
... unit.
2 Enter the following command, followed by a space, and type a question mark:
execute ha manage ?
A list of all of the subordinate units in the cluster is displayed. Each cluster unit in the list is numbered, starting at 1. The information displayed for each cluster unit includes the serial number and host name of the unit.
3 Complete the command with the number of the subordinate unit to log into. For example, to log into subordinate unit 1, enter the following command:
execute ha manage 1
You are connected to and logged into the CLI of the selected subordinate unit. If this subordinate unit has a different host name, the CLI prompt changes to this host name. You can use CLI commands to manage this subordinate unit.
4 Enter the following command to return to the primary unit CLI:
exit
You can use the execute ha manage command to log into the CLI of any of the other subordinate units in the cluster.

Synchronizing the cluster configuration
For best results when operating a cluster, you should make sure that the configurations of all of the units in the cluster remain synchronized. You can do this by making configuration changes to the primary unit and then using the execute ha synchronize command from each subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit. Using this command, you can synchronize the following
... definitions updates, see Virus and attack definitions updates and registration on page 115. You can also manually initiate an attack definitions update by going to System > Update and selecting Update Now.
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 To the right of the Attack Definitions Version, select Definitions Update.
4 Enter the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Attack Definitions Version information has been updated.

FortiGate serial number
Go to System > Status. The serial number is displayed in the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.

FortiGate up time
Go to System > Status. The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.

Log hard disk status
Go to System > Status. Log Hard Disk displays Available if the FortiGate unit contains a hard disk and Not Available if no hard disk is installed. The FortiGate unit
... connection fails, the FortiGate unit will establish a tunnel using the other connection.
Configuration depends on the number of connections that each VPN peer has to the Internet. For example, if the local VPN peer has two connections to the Internet, then it can provide two redundant connections to the remote VPN peer. A single VPN peer can be configured with up to three redundant connections.
The VPN peers are not required to have a matching number of Internet connections. For example, between two VPN peers, one can have multiple Internet connections while the other has only one Internet connection. Of course, with an asymmetrical configuration, the level of redundancy will vary from one end of the VPN to the other.
Note: IPSec redundancy is only available to VPN peers that have static IP addresses and that authenticate themselves to each other with pre-shared keys or digital certificates. It is not available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it available to VPN peers that use manual keys.

Configuring redundant IPSec VPN
Prior to configuring the VPN, make sure that both FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces. Then assign each interface to an external zone. Finally, add a route to the Internet through each interface.
... not add spaces. Use a space to separate ranges. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all be on the same subnet as the internal interface. To change an exclusion range, you must redefine all of the exclusion ranges. To remove all exclusion ranges, replace the first exclusion range with none.
exclusionrange <start1_ip-end1_ip> | none [<start2_ip-end2_ip> | none] [<start3_ip-end3_ip> | none] [<start4_ip-end4_ip> | none]

iprange <start_ip-end_ip>
The starting IP and the ending IP for the range of IP addresses that the FortiGate unit can assign to DHCP clients. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all be on the same subnet as the internal interface.

leaseduration <lease_int>
The interval, in seconds, after which a DHCP client must ask the DHCP server for a new address. The lease duration must be between 300 and 8000000 seconds.

netmask <netmask_ip>
The netmask that the FortiGate DHCP server assigns to the DHCP clients.

reserve
Reserve an IP address so that the FortiGate DHCP server always assigns this IP address to the device with the specified MAC address. Optionally, specify a name for the IP and MAC address pair. The reserved IP cannot be assigned to any other device. You can only add a given IP address or MAC address once. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all
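The parameter table above states several constraints that the CLI enforces only when the command is entered: every address must sit on the internal interface's subnet, each exclusion range and the iprange must run from low to high, there are four exclusion-range slots, a given IP or MAC may be reserved once, and the lease must be between 300 and 8000000 seconds. The following is an added example, not FortiGate code: a pre-flight check that applies those rules to a configuration before it is pushed. The dictionary layout, the validate_dhcp name and the sample values are constructed; the keys mirror the CLI keywords.

```python
import ipaddress

# Constructed configuration for an internal interface at 192.168.1.1/24.
DHCP_CONFIG = {
    "interface_ip": "192.168.1.1",
    "netmask": "255.255.255.0",
    "defaultroute": "192.168.1.1",
    "iprange": ("192.168.1.100", "192.168.1.200"),
    "exclusionrange": [("192.168.1.150", "192.168.1.160")],
    "reserve": [("192.168.1.120", "00:09:0f:12:34:56", "printer")],
    "leaseduration": 86400,
}

LEASE_MIN, LEASE_MAX = 300, 8000000   # bounds stated in the parameter table
MAX_EXCLUSION_RANGES = 4              # four slots in the exclusionrange syntax

def validate_dhcp(cfg):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    net = ipaddress.ip_network(f"{cfg['interface_ip']}/{cfg['netmask']}", strict=False)

    # Every address must be on the internal interface's subnet.
    checks = [("defaultroute", cfg["defaultroute"])]
    checks += [("iprange", ip) for ip in cfg["iprange"]]
    checks += [("exclusionrange", ip) for rng in cfg["exclusionrange"] for ip in rng]
    checks += [("reserve", r[0]) for r in cfg["reserve"]]
    for label, ip in checks:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{label} {ip} is not on subnet {net}")

    # Ranges must run from low to high, and there are at most four exclusion ranges.
    ranges = [("iprange", cfg["iprange"])] + [("exclusionrange", r) for r in cfg["exclusionrange"]]
    for label, (start, end) in ranges:
        if ipaddress.ip_address(start) > ipaddress.ip_address(end):
            problems.append(f"{label} {start}-{end} starts above its end")
    if len(cfg["exclusionrange"]) > MAX_EXCLUSION_RANGES:
        problems.append("more than four exclusion ranges")

    # A given IP address or MAC address may be reserved only once.
    ips = [r[0] for r in cfg["reserve"]]
    macs = [r[1].lower() for r in cfg["reserve"]]
    if len(set(ips)) != len(ips):
        problems.append("an IP address is reserved more than once")
    if len(set(macs)) != len(macs):
        problems.append("a MAC address is reserved more than once")

    # Lease duration bounds.
    lease = cfg["leaseduration"]
    if not LEASE_MIN <= lease <= LEASE_MAX:
        problems.append(f"leaseduration {lease} is outside {LEASE_MIN}-{LEASE_MAX} seconds")

    return problems
```

MAC addresses are compared case-insensitively so that 00:09:0F:... and 00:09:0f:... are recognised as the same device; an off-subnet defaultroute is the mistake clients feel first, since they receive a gateway they cannot reach.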
Introduction
The FortiGate Antivirus Firewall supports network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA certified for firewall, IPSec, and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping
Your FortiGate Antivirus Firewall employs Fortinet's Accelerated Behavior and Content Analysis System (ABACAS) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiGate s
Configuring traffic logging
You can configure the FortiGate unit to record traffic log messages for connections to:
• any interface
• any VLAN subinterface
• any firewall policy
The FortiGate unit can filter traffic logs for any source and destination address and service. You can also enable the following global settings:
• resolve IP addresses to host names
• record session or packet information
• display the port number or service
The traffic filter list shows the name, source address, destination address, and protocol type of the traffic to be filtered.
This section describes:
• Enabling traffic logging
• Configuring traffic filter settings
• Adding traffic filter entries

Enabling traffic logging
You can enable logging on any interface, VLAN subinterface, and firewall policy.
Enabling traffic logging for an interface
If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log.
1 Go to System > Network > Interface.
2 Select Edit in the Modify column beside the interface for which you want to enable logging.
3 For Log, select Enable.
4 Select OK.
5 Repeat this procedure for each interface for which you want to enable logging.
Enabling traffic logging for a VLAN subinterface
If you enable traffic logging for a VLAN subinterface, all connections
Figure: setup wizard step 3, Configure External Interface (screenshot; the wizard explains that because Manual was chosen as the external addressing mode, the external interface information must be entered by hand; fields shown: External Interface IP 192.168.100.99, External Interface Netmask 255.255.255.0, Default gateway 192.168.110.3, Primary DNS Server 207.194.200.1, Secondary DNS Server 207.194.200.129; Back and Next buttons).

Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet. Telnet carries the administrator password in cleartext, so SSH is the appropriate choice for any CLI session that crosses a network you do not control. The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.

Logging and reporting
The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to
Viewing the interface list
Use the following procedure to view the interface list.
1 Go to System > Interface.
The interface list is displayed. The interface list shows the following status information for all of the FortiGate interfaces and VLAN subinterfaces:
• the IP address of the interface
• the netmask of the interface
• the zone that the interface has been added to
• the administrative access configuration for the interface
• the link status for the interface (link status does not apply to VLAN subinterfaces). If the link status is a green arrow, the interface is up and can accept network traffic. If the link status is a red arrow, the interface is down and cannot accept traffic. To bring an interface up, see the procedure Bringing up an interface.

Bringing up an interface
If the link status of an interface on the interface list shows that it is down, you can use the following procedure to bring the interface up.
1 Go to System > Interface.
The interface list is displayed.
2 Select Bring Up for the interface that you want to bring up.

Changing an interface static IP address
Use the following procedure to change the static IP address of any FortiGate interface.
1 Go to System > Network > Interface.
2 Select Modify for the interface to change.
3 Change the IP address and Netmask as required.
The IP address of
Adding and editing administrator accounts
When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and, optionally, control the IP address from which the administrator can connect to the FortiGate unit.
There are three administration account access levels:
admin: Has all permissions. Can view, add, edit, and delete administrator accounts. Can view and change the FortiGate configuration. The admin user is the only user who can go to System > Status and manually update firmware, update the antivirus definitions, update the attack definitions, download or upload system settings, restore the FortiGate unit to factory defaults, restart the FortiGate unit, and shut down the FortiGate unit. There is only one admin user.
Read & Write: Can view and change the FortiGate configuration. Can view but cannot add, edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System > Status page.
Read Only: Can view the FortiGate configuration.

Adding new administrator accounts
From the admin account, use the following procedure to add new administrator accounts and control their permission levels.
1 Go to System > Conf
... to reduce the number of connections processed by the primary cluster unit by increasing the weight assigned to the subordinate cluster units. Weight values are entered in order according to the priority of the units in the cluster. For example, if you have a cluster of 3 FortiGate units, you can enter the following command to configure the weight values for each unit:
set system ha weight 1 3 3
This command has the following results:
• The first connection is processed by the primary unit.
• The next three connections are processed by the first subordinate unit.
• The next three connections are processed by the second subordinate unit.
The subordinate units will process more connections than the primary unit, and both subordinate units will, on average, process the same number of connections.

System status
You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
If you have logged into the web-based manager using the admin administrator account, you can use System Status to make any of the following changes to the FortiGate system settings:
• Changing the FortiGate host name
• Changing the FortiGate firmware
• Manual virus definition updates
• Manual attack definition updates
• Backi
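The distribution the guide gives for set system ha weight 1 3 3 (one connection to the primary, then three to each subordinate in priority order, repeating) is a weighted round-robin. The following is an added example, not FortiGate code: a model of that schedule that lets you check what share of connections each unit ends up with before changing the weights on a production cluster. How the cluster actually assigns sessions beyond the pattern the guide states is not described here, so treat the order as a model; the function names are hypothetical.

```python
from collections import Counter

def schedule(weights, n_connections):
    """Assign n_connections to units 0..k-1 (0 = primary) in the guide's order.

    Unit i takes weights[i] consecutive connections, then the next unit takes
    its share, cycling back to the primary: with weights (1, 3, 3) the
    sequence is P, S1, S1, S1, S2, S2, S2, P, ...
    """
    if not weights or any(w < 1 for w in weights):
        raise ValueError("every cluster unit needs a weight of at least 1")
    cycle = [unit for unit, w in enumerate(weights) for _ in range(w)]
    return [cycle[i % len(cycle)] for i in range(n_connections)]

def share(weights, n_connections):
    """Fraction of n_connections handled by each unit under that schedule."""
    counts = Counter(schedule(weights, n_connections))
    return {unit: counts[unit] / n_connections for unit in range(len(weights))}
```

With weights 1, 3, 3 the primary handles one connection in seven; equal weights (1, 1, 1) give each unit a third, which is the shape to start from if the primary is not in fact the bottleneck.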
... also includes a script filter feature that can be configured to block unsecure web content such as Java applets, cookies, and ActiveX. You can also use the Cerberian URL blocking to block unwanted URLs.
FortiGate email filtering can be configured to scan all IMAP and POP3 email content for unwanted senders or for unwanted content. If a match is found between a sender address and a pattern on the email block list, or if an email is found to contain a word or phrase in the banned word list, the FortiGate adds an email tag to the subject line of the email. Receivers can then use their mail client software to filter messages based on the email tag.
You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.

Firewall
The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen for and secure corporate networks against a wide range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the
... to measure the distance between the source and destination network of a route. Each hop in the path of the route is added to the metric for the route. RIP prevents routing loops by limiting the number of hops allowed in a path to 15. This limits the maximum diameter of a RIP network to 15 hops.
RIP uses a split horizon to prevent temporary routing loops caused by network topology changes. The premise of a split horizon is that it is never useful to send information about a route back in the direction from which it came. For example, Router 1 could tell Router 2 that it has a route for network A. Router 2 knows that it got this information from Router 1, so when Router 2 sends its updates to Router 1, Router 2 will not include the route to network A in its update. Without split horizon, if Router 1 received Router 2's information about the route to network A, Router 1 might try to use this route to get to network A rather than using its own.
RIP uses timers to regulate its performance. A routing update timer controls the time interval between routing updates. Usually this timer is set to 30 seconds. Each routing table entry has a route timeout. When the route timeout expires, the route is marked as invalid. The invalid routes remain in the route table until the route flush timer expires.
RIP is a UDP-based protocol that sends and receives datagrams on UDP port 520. Unsolicited routing update messages have both the source and destination port equal to t
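The two loop-prevention rules described above, split horizon and the 15-hop limit, can be made concrete with the Router 1 / Router 2 scenario from the text. The following is an added example, not FortiGate code and not a RIP implementation: a constructed routing table for Router 2, the update it would send on each interface, and the receiver-side acceptance rule. Interface names, network labels and the function names are hypothetical. The receiver adds one hop for the link it heard the route on, so a route advertised at metric 15 becomes 16, which RIP treats as unreachable.

```python
RIP_INFINITY = 16   # metric 16 means unreachable; a valid path has at most 15 hops

# Constructed routing table for "Router 2": network -> (metric, interface the route was learned on).
# A learned-on value of None marks a directly connected network.
ROUTING_TABLE = {
    "10.1.0.0/24": (1, None),      # directly attached, reached via eth0
    "10.2.0.0/24": (1, None),      # directly attached, reached via eth1
    "net_A":       (2, "eth0"),    # learned from Router 1 on eth0
    "net_B":       (15, "eth1"),   # learned on eth1, already at the 15-hop limit
}

def build_update(table, out_interface):
    """Routes this router advertises on out_interface, honouring split horizon.

    A route learned on out_interface is never sent back out that interface, so
    the neighbour that told us about it cannot mistake our copy for a new path.
    """
    return {network: metric
            for network, (metric, learned_on) in table.items()
            if learned_on != out_interface}

def accept_route(table, network, metric, from_interface):
    """Receiver side: install a neighbour's route if it is reachable and better than ours.

    One hop is added for the link the route arrived on; a result of 16 or more
    is unreachable and is not installed.
    """
    new_metric = metric + 1
    if new_metric >= RIP_INFINITY:
        return False
    current = table.get(network)
    if current is None or new_metric < current[0]:
        table[network] = (new_metric, from_interface)
        return True
    return False
```

The test below also plays out the failure the text warns about: once Router 1 loses its own route to network A, it would accept Router 2's stale advertisement of that route if Router 2 had sent it back over eth0, which is exactly what split horizon stops.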
Allow inbound: Do not enable.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See Adding an encrypt policy on page 225.
5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:
Source: The local VPN spoke address.
Destination: External_All.
Action: ENCRYPT.
VPN Tunnel: The VPN tunnel name added in step 1. Use the same tunnel for all encrypt policies.
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See Adding an encrypt policy on page 225.
Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks such as the Internet.

Redundant IPSec VPNs
To ensure the continuous availability of an IPSec VPN tunnel, you can configure multiple connections between the local FortiGate unit and the remote VPN peer (remote gateway). With a redundant configuration, if one co
... to operate two or more FortiGate units in HA mode, go to High availability on page 75.
This chapter describes:
• Package contents
• Mounting
• Powering on
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
• Factory default FortiGate configuration settings
• Planning your FortiGate configuration
• FortiGate model maximum values matrix
• Next steps

Package contents
The FortiGate 400 package contains the following items:
• FortiGate 400 Antivirus Firewall
• one orange crossover ethernet cable
• one gray regular ethernet cable
• one null modem cable
• FortiGate 400 QuickStart Guide
• one power cable
• CD containing the FortiGate user documentation
• two 19-inch rack mount brackets
Figure 2: FortiGate 400 package contents (front and back views of the unit showing the LCD and control buttons, RS-232 serial interface, ethernet connections 1 to 4, HA light, power switch and power connection, and removable hard drive; also the orange crossover and grey straight-through ethernet cables, null modem cable, power cable, rack mount brackets, and documentation).

Mounting
The FortiGate 400 unit can be mounted in a standard 19-inch rack. It requires 1U of vertical space in the rack. The FortiGate 400 unit can also be installed as a free-standing appliance on any stable surface. For free-st
... protocol that enables ISPs to operate Virtual Private Networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP's routers must support L2TP.
IPSec: Internet Protocol Security. A set of protocols that support secure exchange of packets at the IP layer. IPSec is most often used to support VPNs.
LAN: Local Area Network. A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC address: Media Access Control address. A hardware address that uniquely identifies each node of a network.
MIB: Management Information Base. A database of objects that can be monitored by an SNMP network manager.
Modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.
MTU: Maximum Transmission Unit. The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent. Ideally, you want the MTU your network produces to be the same as the smallest MTU of all the networks between your machine and a message's final destination. If your messages are larger than one of the intervening MTUs, they get broken up (fragmented), whi
Figure 10: Default route to an external network (diagram: the FortiGate 400 in Transparent mode, management IP 192.168.1.1, sits between the internal network and an upstream router whose gateway IP is 192.168.1.2; the router connects to the Internet, the FortiResponse Distribution Network (FDN), and a DNS server; a management computer is attached).
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the default route to the external network.

Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK.
The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP 192.168.1.1, Mask 255.255.255.0.
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the default route to the external network: Destination IP 0.0.0.0, Mask 0.0.0.0, Gateway 192.168.1.2.
• Select OK.

CLI configuration steps
To configure the basic settings and a default route using the CLI:
1 Change the
... of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks. If you do not provide access to a web server behind your firewall, you might want to disable all web server attack signatures.
Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.
To disable NIDS attack signatures:
1 Go to NIDS > Detection > Signature List.
2 Scroll down the signature list to find the signature group to disable.
Attack ID numbers and rule names in attack log messages and alert email match those in the signature group members list. You can scroll through a signature group members list to locate specific attack signatures by ID number and name.
3 Uncheck the Enable check box.
4 Select OK.
5 Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable.
Select Check All to enable all NIDS attack signature groups in the signature list. Select Uncheck All to disable all NIDS attack signature groups in the signature list.

Adding user-defined signatures
You can create a user-defined signature list in a text file and upload it from the management computer to the FortiGate unit. For information about how to write user-defined signatures, see the FortiGate NIDS Guide.
1 Go to NIDS > Detection > User Defined Signature List
... of cluster members.
To view the status of each cluster member:
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Status > Cluster Members.
The web-based manager lists the serial numbers of all of the FortiGate units in the cluster. The primary unit is identified as Local. For each cluster member, the list includes the up time and status for that cluster member.
Figure 16: Example cluster members list
Cluster Members | Priority | Up Time
Local | 16 days 0 hours 27 minutes 0 seconds
FGT4012803021709 | 12 days 0 hours 16 minutes 12 seconds

Monitoring cluster members
To monitor health information for each cluster member:
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Status > Monitor.
CPU status, memory status, and hard disk status are displayed for each cluster member. The primary unit is identified as Local, and the other units in the cluster are listed by serial number. The display includes bar graphs of current CPU and memory usage, as well as line graphs of CPU and memory usage for the last minute. For more information, see Viewing CPU and memory status on page 110.
Figure 17: Example cluster Sessions & Network display (screenshot of the Monitor page, with an Automatic Refresh Interval setting in seconds and tabs for CPU & Memory, Sessions & Network, and Virus & Intrusions; the Sessions & Network view graphs packets and bytes).
... policy to control access to the VPN tunnel.
To create a manual key VPN configuration:
1 Add a manual key VPN tunnel. See Adding a manual key VPN tunnel on page 211.
2 Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See Configuring encrypt policies on page 224.

Adding a manual key VPN tunnel
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key.
To add a manual key VPN tunnel:
1 Go to VPN > IPSec > Manual Key.
2 Select New to add a new manual key VPN tunnel.
3 Enter a VPN Tunnel Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), the underscore (_), and one other permitted special character. Other special characters and spaces are not allowed.
4 Enter the Local SPI. The Local Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.
5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposi
301. Email filter
Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email:
- filtering of unwanted sender address patterns
- filtering of unwanted content
- exempting sender address patterns from blocking

This chapter describes:
- General configuration steps
- Email banned word list
- Email block list
- Email exempt list
- Adding a subject tag

General configuration steps
Configuring email filtering involves the following general steps:
1. Select email filter options in a new or existing content profile. See Adding a content profile on page 197.
2. Select the Anti-Virus & Web filter option in firewall policies that allow IMAP and POP3 connections through the FortiGate unit. Select a content profile that provides the email filtering options that you want to apply to a policy. See Adding a content profile to a policy on page 199.
3. Add a subject tag to the unwanted email so that receivers can use their mail client software to filter messages based on the tag. See Adding a subject tag on page 280.

Note: To receive email filter log messages, see Configuring logging in the Logging...
302. ...on page 61 to complete this procedure. Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:
1. Press Enter three times to configure the management interface IP address.
2. Set the management interface IP address (the LCD shows IP Address 192.168.100.001). Use the up and down arrow keys to increase or decrease the value of each IP address digit. Press Enter to move to the next digit. Press Esc to move to the previous digit.
Note: When you enter an IP address, the LCD display always shows three digits for each part of the address. For example, the IP address 192.168.100.1 appears on the LCD display as 192.168.100.001. The IP address 192.168.23.45 appears as 192.168.023.045.
3. When you have set the last digit of the IP address, press Enter.
4. Use the down arrow to highlight Netmask.
5. Press Enter and set the management IP Netmask.
6. When you have set the last digit of the Netmask, press Enter.
7. Press Esc to return to the Main Menu.
8. Repeat these steps to configure the default gateway, if required.

Using the command line interface
As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) on page 33. Use the information that you gathered in Table 14 on page 61 to complete the following procedures.

Changing to Transparent mode
1. Log into the CLI if you are not already logge...
303. ...only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode.

Configuring advanced options
1. Select Advanced Options.
2. Optionally select a Peer Option. Use the Peer Options to authenticate remote VPN peers by the ID that they transmit during phase 1.
Accept any peer ID: Select to accept any peer ID and therefore not authenticate remote VPN peers by peer ID.
Accept this peer ID: Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-shared key). Also add the peer ID.
Accept peer ID in dialup group: Select to authenticate each remote VPN peer with a unique user group name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group prior to configuring this peer option.
3. Optionally configure XAuth. XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it authenticates remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it provides a user name and password when it is challenged.
XAuth: Enable as a Client.
Name: Enter the user name the local VPN peer uses to authenticate itself to the...
304. ...for example 192.168.1.0, and set the netmask to 255.255.255.0.
Change the administrator's permission level as required, then select OK.
To delete an administrator account, choose the account to delete and select Delete.

Configuring SNMP
Configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. The FortiGate SNMP agent supports SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665. The FortiGate SNMP implementation is read-only: SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, you must compile the Fortinet proprietary MIBs and the standard MIBs into the SNMP manager.

This section describes:
- Configuring the FortiGate unit for SNMP monitoring
- Configuring FortiGate SNMP support
- FortiGate MIBs
- FortiGate traps

Configuring the FortiGate unit for SNMP monitoring
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. For information about how to do this, see Controlling management access to an interface on page 137 and related interface configuration sections.

Configuring FortiGate SNMP support
1. Go to System > Config > SNMP v...
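The agent described above speaks SNMP v1 and v2c only. In both versions the community string is the sole credential, and it is carried as a plaintext OCTET STRING in every message. The Python below is an added example, not code from the manual or from Fortinet: it builds a v2c GetRequest for sysDescr.0 (RFC 1213, which the manual lists as supported) and then recovers the community from the resulting bytes the way a sniffer on the management path would. The community "public" and the request id are constructed values; nothing is sent on the network.

```python
"""SNMP v1/v2c GetRequest encoder and community-string extractor.

Added example, not FortiGate code. Demonstrates that the community string
the manual's read-only agent relies on is visible in clear text in every
request. Standard library only; builds bytes, sends nothing.
"""

SYSDESCR_0 = "1.3.6.1.2.1.1.1.0"  # RFC 1213 (MIB-II) sysDescr.0


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(v: int) -> bytes:
    """INTEGER with minimal two's-complement content octets."""
    n = (v.bit_length() + 8) // 8  # +8 keeps room for the sign bit
    return b"\x02" + ber_len(n) + v.to_bytes(n, "big", signed=True)


def ber_octets(data: bytes) -> bytes:
    return b"\x04" + ber_len(len(data)) + data


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return b"\x06" + ber_len(len(out)) + bytes(out)


def ber_seq(tag: int, *parts: bytes) -> bytes:
    body = b"".join(parts)
    return bytes([tag]) + ber_len(len(body)) + body


def build_getrequest(community: str, oid: str, request_id: int = 1,
                     version: int = 1) -> bytes:
    """One-OID GetRequest-PDU (tag 0xA0). version 1 = SNMPv2c, 0 = SNMPv1;
    both wrap the community as a plaintext OCTET STRING."""
    varbind = ber_seq(0x30, ber_oid(oid), b"\x05\x00")  # value is NULL in a request
    pdu = ber_seq(0xA0, ber_int(request_id), ber_int(0), ber_int(0),
                  ber_seq(0x30, varbind))
    return ber_seq(0x30, ber_int(version), ber_octets(community.encode()), pdu)


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        length, pos = first, pos + 2
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes):
    """Recover (version, community) from a captured v1/v2c message,
    which is all an on-path observer needs to do."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _tlv(msg, 0)
    tag2, comm, _ = _tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected SNMP header")
    return int.from_bytes(ver, "big", signed=True), comm.decode()


if __name__ == "__main__":
    # Constructed request from a hypothetical manager polling a FortiGate.
    pkt = build_getrequest("public", SYSDESCR_0)
    print(pkt.hex())
    print(extract_community(pkt))
```

Because the credential is recoverable from a single captured datagram, the interface-level management access control the manual points to (Controlling management access to an interface) is the real protection for this agent, not the community string: allow SNMP only on the management interface and only from the manager's address, and treat the community as public information.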
305. ...for the zone. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
3. Optionally select Block intra-zone traffic to block traffic between interfaces in the same zone.
4. Select OK to add the zone. The zone now appears on the firewall policy grid.

Adding interfaces to a zone
You can add one or more interfaces to a zone. If you have added firewall addresses to an interface, you must delete these firewall addresses before you can add the interface to a zone. See Deleting addresses on page 180. When you add an interface to a zone, you cannot add firewall addresses to the interface, and the interface does not appear on the policy grid.
1. Go to System > Network > Interface.
2. For the interface to add to a zone, select Modify.
3. Use the Zone list to select the zone to add the interface to.
4. Select OK to save your changes.
5. Repeat these steps to add more interfaces to zones.

Adding VLAN subinterfaces to a zone
You can add one or more VLAN subinterfaces to a zone. If you have added firewall addresses to a VLAN subinterface, you must delete these firewall addresses before you can add the VLAN subinterface to a zone. See Deleting addresses on page 180. When you add a VLAN subinterface to a zone, you cannot add firewall addresses to the VLAN subinterface, and the VLAN subinterface does not appear on...
306. ...word match a user name and password on the LDAP server, the connection is allowed. If the user name and password do not match a user name and password on the LDAP server, the connection is dropped. If the user group contains user names, RADIUS servers and LDAP servers, the FortiGate unit checks them in the order in which they have been added to the user group.

Users and authentication
This chapter describes:
- Setting authentication timeout
- Adding user names and configuring authentication
- Configuring RADIUS support
- Configuring LDAP support
- Configuring user groups

Setting authentication timeout
To set authentication timeout:
1. Go to System > Config > Options.
2. Set Auth Timeout to control how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall. The default authentication timeout is 15 minutes.

Adding user names and configuring authentication
Use the following procedures to add user names and configure authentication. This section describes:
- Adding user names and configuring authentication
- Deleting user names from the internal database

Adding user names and configuring authentication
1. Go to User > Local.
2. Select New to add a new user name.
3. Enter the user name. The user name can contain numbers (0-9), uppercase and lowercase letters...
307. ...word
[Figure: Add user dialog with the options LDAP (LDAP_1), Radius (Radius1) and "Try other servers if connect to selected server fails"]

Deleting user names from the internal database
You cannot delete user names that have been added to user groups. Remove user names from user groups before deleting them.
1. Go to User > Local.
2. Select Delete User for the user name to delete.
3. Select OK.
Note: Deleting the user name deletes the authentication configured for the user.

Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.
This section describes:
- Adding RADIUS servers
- Deleting RADIUS servers

Adding RADIUS servers
To configure the FortiGate unit for RADIUS authentication:
1. Go to User > RADIUS.
2. Select New to add a new RADIUS server.
3. Enter the name of the RADIUS server. You can enter any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
4. Enter the domain name or IP address of the RADIUS server.
5. Enter the RADIUS server secret.
6. Select OK.

Figure 18: Example RADIUS configuration (Name: Radius_1; Server Name/IP: 23.64.67.47; Server Secret: Secret 1)
308. ...ordinate unit.
5. Repeat steps 3 and 4 for all of the subordinate units in the HA cluster.

Returning to standalone configuration
Repeat this procedure for each FortiGate unit in the HA cluster.
To return to standalone configuration:
1. Connect to the web-based manager.
2. Go to System > Config > HA.
3. Select Standalone Mode and select Apply.
The FortiGate unit exits from HA mode and returns to standalone mode.

Replacing a FortiGate unit after fail-over
A failover can occur due to a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power. If the FortiGate unit starts up correctly, it rejoins the HA cluster, which then continues to function normally. If the FortiGate unit does not restart normally or does not rejoin the HA cluster, you must take it out of the network and either reconfigure or replace it. Once the FortiGate unit is reconfigured or replaced, change its HA configuration to match that of the FortiGate unit that failed and connect it back into the network. The reconnected FortiGate unit then automatically joins the HA cluster.

High availability: Advanced HA options

Advanced HA options
The following advanced HA options are available from the FortiGate CLI:
- Selecting a FortiGate unit as a permanent primary unit
- Configuring weighted round robin weights

Selecting a FortiGate unit as a permanent primary unit
In a typical FortiGa...
309. ...priorities of all of the other units in the cluster are higher than the priority of the permanent primary unit. The command get system ha mode displays the current priority of the FortiGate unit that you are connected to.
4. Configure the permanent primary unit to override an existing primary unit when it joins the cluster. Use the following command to configure primary unit override:
set system ha override enable
Enable override so that the permanent primary unit will always override any other primary unit. For example, if the permanent primary unit shuts down, one of the other units in the cluster replaces it as the primary unit. When the permanent primary unit is restarted, it can become the primary unit again only if override is enabled.

Advanced HA options: High availability

Configuring weighted round robin weights
By default, in active-active HA mode, the weighted round robin schedule assigns the same weight to each FortiGate unit in the cluster. Once the cluster is configured to use the weighted round robin schedule, you can use the set system ha weight command to configure a weight value for each cluster unit. The weight value sets the maximum number of connections that are sent to a cluster unit before a connection can be sent to the next cluster unit. You can set weight values to control the number of connections processed by each cluster unit. One use for this technique would be t...
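The weight rule stated above (a unit's weight is the maximum number of new connections it receives before the scheduler moves to the next unit) is simple enough to model exactly. The Python below is an added example, not FortiGate code: it implements that scheduler, shows the resulting distribution, and drops a unit from the rotation the way the cluster does when a member fails and leaves. Unit names and weights are made up; giving the primary unit the lowest weight follows the manual's advice that the primary also handles scheduling and forwarding.

```python
"""Weighted round robin connection scheduler as described in the manual.

Added example, not FortiGate code. A unit with weight w receives up to w
consecutive new connections before the next unit in the list is used.
Equal weights reduce to plain round robin.
"""


class WeightedRoundRobin:
    def __init__(self, weights):
        # weights: ordered list of (unit_name, weight); each weight >= 1
        if not weights or any(w < 1 for _, w in weights):
            raise ValueError("every cluster unit needs a weight of at least 1")
        self.units = list(weights)
        self._idx = 0   # unit currently receiving connections
        self._sent = 0  # connections sent to that unit in the current turn

    def next_unit(self) -> str:
        """Assign one new connection and return the unit that gets it."""
        name, weight = self.units[self._idx]
        self._sent += 1
        if self._sent >= weight:          # turn exhausted: move to next unit
            self._idx = (self._idx + 1) % len(self.units)
            self._sent = 0
        return name

    def schedule(self, n: int):
        return [self.next_unit() for _ in range(n)]

    def remove_unit(self, name: str):
        """Drop a failed unit from the rotation (what happens on failover);
        the rotation continues from the unit that was current."""
        current = self.units[self._idx][0]
        self.units = [(u, w) for u, w in self.units if u != name]
        if not self.units:
            raise ValueError("no cluster units left")
        names = [u for u, _ in self.units]
        self._idx = names.index(current) if current in names else self._idx % len(self.units)
        self._sent = 0


def distribution(weights, n: int) -> dict:
    """How n new connections are shared between units under these weights."""
    counts = {name: 0 for name, _ in weights}
    for unit in WeightedRoundRobin(weights).schedule(n):
        counts[unit] += 1
    return counts


if __name__ == "__main__":
    # Constructed cluster: primary weighted low, two subordinates equal.
    print(distribution([("primary", 1), ("sub1", 2), ("sub2", 2)], 100))
```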
310. ...sort the quarantine list, select a column heading in the Sort by list. Select Apply.

Antivirus protection: Quarantine

Filtering the quarantine list
You can filter the quarantine list to:
- Display only blocked files
- Display only infected files
- Display blocked and infected files found only in IMAP, POP3, SMTP, FTP or HTTP traffic

Deleting files from quarantine
1. Go to Anti-Virus > Quarantine.
2. Select Delete to remove a quarantined file from the list.

Downloading quarantined files
1. Go to Anti-Virus > Quarantine.
2. Select Download to download a quarantined file in its original format.
A downloaded quarantined file is the original, possibly infected, content; open it only on an isolated analysis host.

Configuring quarantine options
You can specify whether the FortiGate unit quarantines infected files, blocked files or both in web, FTP and email traffic. You can also set the file age limit, the maximum file size and the method for handling additional files when the FortiGate hard disk is too low on space.
1. Go to Anti-Virus > Quarantine > Quarantine Config.
2. For each traffic protocol, select the applicable Quarantine Infected Files and Quarantine Blocked Files check boxes. The FortiGate unit quarantines infected and blocked files for the selected traffic.
Note: The Quarantine Blocked Files option is not available for HTTP or FTP because a filename is blocked at request time and the file is not downloaded to the FortiGate unit.
3. Type the Age Limit (TTL) in hours to specify how long files are left...
311. ...remote network are part of the VPN. Typical outgoing policies include Internal to External and DMZ to External.
Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP and POP3, and to allow connections according to a predefined schedule, by the time of the day or the day of the week, month or year. You can also configure the encrypt policy for:
- Inbound NAT to translate the source of incoming packets
- Outbound NAT to translate the source address of outgoing packets
- Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN
- Content profiles to apply antivirus protection, web filtering and email filtering to web, file transfer and email services in the VPN
- Logging, so that the FortiGate unit logs all connections that use the VPN
The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway. When the remote VPN gateway receives the connection attempt, it c...
312. ...you changed the IP address of interface 1 while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of interface 1. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your FortiGate unit and can proceed to Completing the configuration on page 50.

NAT/Route mode installation: Using the front control buttons and LCD

Using the front control buttons and LCD
As an alternative to the setup wizard, use the information that you recorded in Table 10 on page 45 to complete the following procedure. Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:
1. Press Enter three times to configure the PORT1 IP address.
2. Set the PORT1 IP address (the LCD shows IP Address 192.168.100.001). Use the up and down arrow keys to increase or decrease the value of each IP address digit. Press Enter to move to the next digit. Press Esc to move to the previous digit.
Note: When you enter an IP address, the LCD display always shows three digits for each part of the address. For example, the IP address 192.168.100.1 appears on the LCD display as 192.168.100.001. The IP address 192.168.23.45 appears as 192.168.023.045.
3. When you have set the last digit of the IP address, press Enter.
4. Use the down arrow to highlight Netmask.
5. Press Ente...
313. ...arrow to add it to the Members list.
5. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
6. Select OK to add the address group.

Figure 8: Adding an internal address group (New Address Group dialog: Interface internal; Group Name Internal_Group_1; Available Addresses: User_Network, Internal_Subnet1, Internal_Subnet2, Internal_Address, Internal_Address2; Members: User_Network, Internal_Subnet1)

Firewall configuration: Services

Services
Use services to control the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create your own custom services and add services to service groups.
This section describes:
- Predefined services
- Providing access to custom services
- Grouping services

Predefined services
The FortiGate predefined firewall services are listed in Table 6. You can add these services to any policy.

Table 6: FortiGate predefined services
Service name | Description | Protocol | Port
ANY | Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. | all | all
GRE | Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmi...
314. ...pages is not blocked or scanned by antivirus protection. Because an exempt entry bypasses antivirus scanning as well as URL and content filtering, keep entries as specific as the task allows.

Adding URLs to the exempt URL list
1. Go to Web Filter > Exempt URL.
2. Select New to add an item to the exempt URL list.
3. Type the URL to exempt. Type a complete URL including path and filename to exempt access to a page on a website. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt. Exempting a top-level URL such as www.goodsite.com exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules.
Note: Exempting a top-level URL does not exempt pages such as mail.goodsite.com from all content and URL filtering rules unless goodsite.com (without the www) is added to the exempt URL list.
4. Select Enable to exempt the URL.
5. Select OK to add the URL to the exempt URL list.
You can enter multiple URLs and then select Check All to activate all items in the exempt URL list. Each page of the exempt URL list displays 100 URLs. Use Page Down and Page Up to navigate through the exempt URL list.

Figure 42: Example exempt URL list (entries beginning www.goodsite.com, www.goodsite.c...)
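The matching rules spelled out above (no scheme in entries, a bare host exempts every page under it, a host entered without www also covers other subdomains such as mail.goodsite.com, a host/path entry exempts that page, and disabled entries do not count) determine exactly which requests skip filtering and antivirus scanning. The Python below is an added example, not FortiGate code, that implements those rules so an administrator can check what a proposed list would exempt. The manual does not say whether a path entry also covers deeper paths, so this code takes an exact path match as an assumption; dropping the query string and lower-casing the host before matching are also assumptions. The entries and URLs in the test are constructed.

```python
"""Exempt URL list matcher following the manual's stated rules.

Added example, not FortiGate code. Assumptions beyond the manual: a path
entry matches only that exact path, the query string is ignored, and host
comparison is case-insensitive.
"""
from urllib.parse import urlsplit


def _split(entry: str):
    """'host/path' or full URL -> (lower-cased host, path or None)."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry  # urlsplit needs a scheme to locate the host
    parts = urlsplit(entry)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path if parts.path not in ("", "/") else None
    return host.lower(), path


def host_covered(req_host: str, entry_host: str) -> bool:
    """An entry host covers itself and any subdomain of it (label boundary,
    so goodsite.com does not cover evilgoodsite.com)."""
    return req_host == entry_host or req_host.endswith("." + entry_host)


def is_exempt(url: str, exempt_list) -> bool:
    """exempt_list: iterable of (entry, enabled). True if an enabled entry
    exempts the URL from URL/content filtering and antivirus scanning."""
    req_host, req_path = _split(url)
    if not req_host:
        return False
    for entry, enabled in exempt_list:
        if not enabled:
            continue
        host, path = _split(entry)
        if not host or not host_covered(req_host, host):
            continue
        if path is None or path == (req_path or "/"):
            return True
    return False


def exempt_report(urls, exempt_list):
    """Map each candidate URL to whether the list would exempt it."""
    return {u: is_exempt(u, exempt_list) for u in urls}


if __name__ == "__main__":
    # Constructed list: one host entry, one host/path entry, one disabled entry.
    EXEMPT = [("www.goodsite.com", True), ("122.63.44.67/index.html", True),
              ("goodsite.org", False)]
    for u, ok in exempt_report(["http://www.goodsite.com/badpage",
                                "http://mail.goodsite.com/",
                                "http://122.63.44.67/index.html?id=1"],
                               EXEMPT).items():
        print(ok, u)
```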
315. ...supported and CHAP (Challenge Handshake Authentication Protocol) is not.
This section describes:
- Adding LDAP servers
- Deleting LDAP servers

Adding LDAP servers
To configure the FortiGate unit for LDAP authentication:
1. Go to User > LDAP.
2. Select New to add a new LDAP server.
3. Enter the name of the LDAP server. You can enter any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
4. Enter the domain name or IP address of the LDAP server.
5. Enter the port used to communicate with the LDAP server. By default, LDAP uses port 389.
6. Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.

Users and authentication: Configuring LDAP support

7. Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com, where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example to specify multip...
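The two fields above, the common name identifier (cn or uid) and the base distinguished name that is passed to the server unchanged, are the pieces from which a per-user DN is formed. The Python below is an added example, not FortiGate code. It assumes the bind DN is composed as <cnid>=<user>,<base dn>; that composition is an assumption about how the two fields fit together, not something the manual states. Since the user name comes from whoever is logging in, the value is escaped per RFC 4514 before it is placed in the DN, so a name like alice,ou=admins cannot splice an extra RDN into the DN. No LDAP connection is made; the names and DNs in the test are constructed.

```python
"""Bind DN construction for cnid + base DN LDAP authentication.

Added example, not FortiGate code. Assumes bind DN = <cnid>=<user>,<base dn>.
The user name is escaped per RFC 4514 section 2.4 so that user-supplied
characters cannot change the DN's structure.
"""

_RFC4514_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex form
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username: str, cnid: str, base_dn: str) -> str:
    """Compose the DN the unit would bind with for this user (assumed form)."""
    if not username or not cnid or not base_dn:
        raise ValueError("username, cnid and base DN are all required")
    if not cnid.replace("-", "").isalnum():
        raise ValueError("cnid must be an attribute type such as cn or uid")
    return f"{cnid}={escape_rdn_value(username)},{base_dn}"


def rdn_count(dn: str) -> int:
    """Number of RDNs in a DN, honouring escaped commas; used to show that a
    hostile user name does not add RDNs."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    BASE = "ou=marketing,dc=fortinet,dc=com"  # the manual's example base DN
    print(build_bind_dn("alice", "cn", BASE))
    print(build_bind_dn("alice,ou=admins", "cn", BASE))  # comma is escaped
```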
316. ...primarily for broadcasting messages over a network.
VPN: Virtual Private Network. A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.
Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent.
Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions such as using up the computer's resources and possibly shutting the system down.

Index
Numerics
4/HA: configuring for HA, 77, 82
A
accept policy, 174
action, policy option, 174
active log: deleting all messages, 291; searching, 289, 290; viewing and maintaining saved logs, 290
ActiveX, 275; removing from web pages, 274
address, 179: adding, 179; editing, 180; group, 181; IP/MAC binding, 195; virtual IP, 188
address group, 181; example, 181
address name, 179
admin access level, administrator account, 160
administrator account: adding, 160; admin, 160; changing password, 161; editing, 160, 161; netmask, 160, 161; permission, 161; trusted host, 160, 161
alert email: configuring, 292; configuring SMTP server, 292; content of messages, 257; critical firewall or VPN events, 293; enabling, 293; hard disk full, 293; intrusion attempts, 293; reducing messages, 252
317. ...requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks such as the Internet.
- VPN concentrator (hub) general configuration steps
- Adding a VPN concentrator
- VPN spoke general configuration steps

VPN concentrator (hub) general configuration steps
A central FortiGate that is functioning as a hub requires the following configuration:
- A tunnel (AutoIKE phase 1 and phase 2 configuration, or manual key configuration) for each spoke
- Destination addresses for each spoke
- A concentrator configuration
- An encrypt policy for each spoke

IPSec VPN: IPSec VPN concentrators

To create a VPN concentrator configuration:
1. Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel.
- A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See Manual key IPSec VPNs on page 211.
- An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method (either pre-shared keys or PKI certificates). The phase 2 p...
318. ...Enter and set the internal Netmask.
6. When you have set the last digit of the Netmask, press Enter.
7. Press Esc to return to the Main Menu.
8. Repeat these steps to configure PORT2, the PORT2 default gateway, PORT3 and PORT4/HA, if required.
You have now completed the basic configuration of your FortiGate unit and you can proceed to Completing the configuration on page 50.

Using the command line interface
As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) on page 33.

Configuring the FortiGate unit to operate in NAT/Route mode
Use the information that you gathered in Table 10 on page 45 to complete the following procedures.

Configuring NAT/Route mode IP addresses
1. Log into the CLI if you are not already logged in.
2. Set the IP address and netmask of interface 1 to the internal IP address and netmask that you recorded in Table 10 on page 45. Enter:
set system interface port1 mode static ip <IP_address> <netmask>
Example:
set system interface port1 mode static ip 192.168.1.1 255.255.255.0

NAT/Route mode installation: Using the command line interface

3. Set the IP address and netmask of interface 2 to the external IP address and netmask that you recorded in Table 10 on page 45:
set system interface port2 mode static ip <I...
319. ...Enter the Serial Number of the FortiGate unit. If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Select Finish. The list of FortiGate products that you have registered is displayed. The list now includes the new FortiGate unit.

Adding or changing a FortiCare Support Contract number
1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select Add/Change Contract number.
5. Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number.
6. Add the new Support Contract number.

Virus and attack definitions updates and registration: Updating registration information

7. Select Finish. The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.

Changing your Fortinet support password
1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select My Profile.
5. Select Change Password.
6. Enter your current password.
7. Enter and confirm a new password. An email is sent to your email address confirming that your password has been changed. Use your current user name and new password the next time you log into the Forti...
320. ...character set that you choose.
3. Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, "banned word"), the FortiGate unit blocks all web pages in which the words are found together as a phrase. Content filtering is not case sensitive. You cannot include special characters in banned words.
4. Select OK. The word or phrase is added to the banned word list.
5. In the Modify column, check the box beside the new item in the banned word list so that the FortiGate unit blocks web pages containing this word or phrase. You can enter multiple banned words or phrases and then select Check All to activate all items in the banned word list.
Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

Web filtering: URL blocking

Figure 38: Example banned word list (Content Block page, Banned word and Modify columns; entries: banned, banned phrase 1, banned phrase 2)

URL blocking
You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter.
- Usi...
321. ...raps, 164
source: log search, 291; policy option, 173
squidGuard, 271
SSH, 139, 184, 297
SSL, 295; service definition, 183
starting IP, PPTP, 236, 242
static IP/MAC list, 194
static NAT virtual IP, 188; adding, 189
static route, adding, 143
status: IPSec VPN tunnel, 233; viewing dialup connection status, 233; viewing VPN tunnel status, 233
subnet, definition, 297
subnet address, definition, 297
support contract number: adding, 129; changing, 129
support password, changing, 130
syn interval, 158
synchronize with NTP server, 157
system configuration, 157
system date and time, setting, 157
system location, SNMP, 162
system name, SNMP, 162
system settings: backing up, 108; restoring, 108; restoring to factory default, 108
system status, 93, 149
system status monitor, 110, 111, 112, 113
T
TCP, configuring checksum verification, 250
technical support, 28
testing alert email, 293
time: log search, 289, 291; setting, 157
time zone, 157
timeout: firewall authentication, 159; idle, 158; IPSec VPN, 233, 234; web-based manager, 158
to IP, system status, 114
to port, system status, 114
traffic: configuring global settings, 286, 287; filtering, 286; logging, 286
traffic filter: adding entries, 288; display, 287; log setting, 287; packet, 287; port number, 287; resolve IP, 287; service name, 287; session, 287; type, 287
traffic log, 284; deleting all messages, 291, 292
Traffic Priority, 175
Traffic Shaping, 175
Transparent mode, 18; adding routes, 145; changing to, 63; configuring the defa...
322. ...passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.

To edit an administrator account:
1. Go to System > Config > Admin.
2. To change an administrator account password, select Change Password.
3. Type the Old Password.
4. Type a New Password and Confirm the new password. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces. If you enter a password that is less than 6 characters long, the system displays a warning message but still accepts the password. Treat 6 characters as a floor rather than a target; a longer password together with a trusted host restriction is what protects this account.
5. Select OK.
6. To edit the settings of an administrator account, select Edit.
7. Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted host to 0.0.0.0 and the netmask to 255.255.255.255. To limit the administrator to only be able to access the FortiGate unit from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiGate unit from your internal network, set the trusted host to the address of your internal network, f...
323. ...restore config <filename_str>, you enter restore config myfile.bak.
<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.
- A vertical bar and curly brackets separate alternative, mutually exclusive required keywords. For example: set system opmode {nat | transparent}. You can enter set system opmode nat or set system opmode transparent.
- Square brackets indicate that a keyword is optional. For example: get firewall ipmacbinding [dhcpipmac]. You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac.

Introduction: Fortinet documentation

Fortinet documentation
Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide. Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide. Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration i...
324. re connected using switches, select round robin to distribute traffic to the next available cluster unit.
Weighted Round Robin: Weighted round robin load balancing. Similar to round robin, but weighted values are assigned to each of the units in a cluster based on their capacity and on how many connections they are currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic will be more likely to receive new connections than units that are very busy.
Random: Random load balancing. If the FortiGate units are connected using switches, select random to randomly distribute traffic to cluster units.
IP: Load balancing according to IP address. If the FortiGate units are connected using switches, select IP to distribute traffic to units in a cluster based on the Source IP and Destination IP of the packet.
IP Port: Load balancing according to IP address and port. If the FortiGate units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the Source IP, Source Port, Destination IP, and Destination Port of the packet.
Under Monitor on Interface, select the names of the interfaces to be monitored. Monitor FortiGate interfaces to make sure they are functioning properly and that they are connected to their networks. If a monitored interface
325. ream Gateway IP 192.168.1.2 (Router); Management IP 192.168.1.1 (FortiGate 400); Internal Network; Management Computer
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the FortiResponse server.
4 Configure the default route to the external network.
70 Fortinet Inc.
Web-based manager example configuration steps
To configure the basic FortiGate settings and a static route using the web-based manager
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP 192.168.1.1, Mask 255.255.255.0.
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the static route to the FortiResponse server: Destination IP 24.102.233.5, Mask 255.255.255.0, Gateway 192.168.1.2.
• Select OK.
• Select New to add the default route to the external network: Destination IP 0.0.0.0, Mask 0.0.0.0, Gateway 192.168.1.2.
• Select OK.
CLI configuration steps
To configure the Fortinet basic settings and a static route using the CLI
1 Set the system to operate in Tr
326. red more security policies. You would typically use NAT/Route mode when the FortiGate unit is used as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal private network and the external public network (usually the Internet). If you have multiple internal networks, such as a DMZ network in addition to the internal private network, you could create route mode policies for traffic flowing between them.
FortiGate 400 Installation and Configuration Guide 39
Figure 4: Example NAT/Route mode network configuration (FortiGate 400 unit in NAT/Route mode; internal network with addresses 192.168.1.1 and 192.168.1.3; Port 2 with address 204.23.1.5 connected to the Internet; Port 3 connected to the DMZ network with addresses 10.10.10.2 and 10.10.10.23; route mode policies controlling traffic between internal networks; NAT mode policies controlling traffic between internal and external networks)
NAT/Route mode with multiple external network connections
In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration:
• Interface 1 is the interface to the internal network.
• Interface 2 is the default interface to the external network
327. rfaces. Sessions also displays the sessions as a percentage of the maximum number of sessions that the FortiGate unit is designed to support.
FortiGate 400 Installation and Configuration Guide 111
Network utilization displays the total network bandwidth being used through all FortiGate interfaces. Network utilization also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
Go to System > Status > Monitor.
Select Sessions & Network. Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization, as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph.
Figure 2: Sessions and network status monitor (Automatic Refresh Interval in seconds; tabs CPU & Memory, Sessions & Network, Virus & Intrusions; Sessions and Session History for the last 1 min; Network Utilization and Network Utilization History for the last 1 min)
Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
328. ribes how to install and configure the FortiGate 400. This document contains the following information:
Getting started describes unpacking, mounting, and powering on the FortiGate.
NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.
High availability describes how to install and configure the FortiGate in a high availability configuration.
System status describes how to view the current status of your FortiGate unit and related status procedures, including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.
Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support web site and for registering your FortiGate unit.
Network configuration describes configuring interfaces, zones, and VLANs, and configuring routing.
RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings.
System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changing administrative users, configuring SNM
329. ring management access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. Allowing management access from the Internet could compromise the security of your FortiGate unit. You should avoid allowing management access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote management from the Internet, add secure administrative user passwords, change these passwords regularly, and only enable secure management access using HTTPS or SSH.
Select OK to save your changes.
Configuring traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Select Modify for the interface for which to configure logging.
3 Select Log to record log messages whenever a firewall policy accepts a connection to this interface.
4 Select OK to save your changes.
Changing the MTU size to improve network performance
You can change the maximum transmission unit (MTU) size for port1, port2, port3, and port4/ha (if it is not configured for HA). To improve the performance of your network connection, you can adjust the MTU of the packets that the FortiGate unit transmits from its interfaces. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate se
330. rom connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit. The factory default content profiles can be used to quickly apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic controlled by firewall policies.
• Factory default NAT/Route mode network configuration
• Factory default Transparent mode network configuration
• Factory default firewall configuration
• Factory default content profiles
Factory default NAT/Route mode network configuration
When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 2. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network. In Table 2, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 2: Factory default NAT/Route mode network configuration
Administrator account: User name admin; Password none
Interface 1: IP 192.168.1.99; Netmask 255.255.255.0; Management Access HTTPS, Ping
Interface 2: IP 192.168.100.99; Netmask 255.255.255.0; Default Gateway 192.168.100.1; Primary DNS Server 207.194.200.1; Secondary DNS Server 207.194.200.129; Management
331. rom the address group, select an address from the Members list and select the left arrow to remove it from the group. Select OK to add the address group.
Adding a destination address
Add an address to which L2TP users can connect.
1 Go to Firewall > Address.
2 Select the internal interface or the DMZ interface. Methods will differ slightly between FortiGate models.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5 Select OK to save the source address.
Adding a firewall policy
Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel.
1 Go to Firewall > Policy.
2 Use the policy grid to choose the policy list to which to add the policy.
3 Select New to add a new policy.
4 Set Source to the group that matches the L2TP address range.
5 Set Destination to the address to which L2TP users can connect.
6 Set Service to match the traffic type inside the L2TP VPN tunnel. For example, if L2TP users can access a web server, select HTTP.
7 Set Action to ACCEPT.
8 Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for L2TP policies.
9 Select OK to save the firewall policy.
244 Fortinet Inc.
PPTP and L2TP VPN Confi
332. router, the neighbors filter defines what routes received from the neighbor will be stored in the FortiGate routing table and what routes will be discarded.
Routes filter: For filtering routes before a routing table update is sent to neighboring routers. Before the FortiGate unit sends routes to neighboring routers, the routes filter defines what routes can be sent and what routes cannot be sent.
A RIP filter consists of the IP address and netmask of a route, the action the filter should perform for this route (allow or deny), and the interface on which this filter entry should be applied. Routes that do not match a route added to a RIP filter are allowed. A single RIP filter contains instructions for allowing or denying a single route. You can add multiple RIP filter entries under the same RIP filter name to create a RIP filter list. Using a RIP filter list, you can filter multiple routes.
After creating RIP filters and filter lists, you can configure the neighbors filter or routes filter by selecting a filter or filter list for each of these filter types. If you do not select a RIP filter for neighbors or routes, no filtering is applied. You can add a total of four RIP filters or RIP filter lists, but you can only have one active neighbors filter and one active routes filter.
This section describes:
• Adding a single RIP filter
• Adding a RIP filter list
• Adding a neighbors filter
• Adding a routes filter
Adding a single RIP filter
333. rt <QUARANTINE>. Allowed Tag: QUARFILENAME (the name of the file that was quarantined). Section End: <QUARANTINE>.
Customizing alert emails
Customize alert emails to control the content displayed in alert email messages sent to system administrators.
1 Go to System > Config > Replacement Messages.
2 For the alert email message you want to customize, select Modify.
3 In the Message setup dialog box, edit the text of the message. Table 4 lists the replacement message sections that can be added to alert email messages and describes the tags that can appear in each section. In addition to the allowed tags, you can add any text and HTML code.
4 Select OK to save the changes.
Table 4: Alert email message sections
NIDS event: Used for NIDS event alert email messages. Section Start: <NIDS_EVENT>. Allowed Tags: NIDS_EVENT (the NIDS attack message). Section End: <NIDS_EVENT>.
Virus alert: Used for virus alert email messages. Section Start: <VIRUS_ALERT>. Allowed Tags: VIRUS (the name of the virus); PROTOCOL (the service for which the virus was detected); SOURCE_IP (the IP address from which the virus was received; for email, this is the IP address of the email server that sent the email containing the virus; for HTTP, this is the IP address of the web page that sent the virus); DEST_IP (the IP address of the computer that would
334. rtiGate 400 has four 10/100Base-TX connectors that can be connected to up to four different networks. You can connect them in any configuration. When you first power on the FortiGate 400, the interfaces and zones are configured for the following connections:
• interface 1 to connect to your internal network
• interface 2 to connect to your public switch or router and the Internet
• interface 3 to connect to a DMZ network
• interface 4/HA to connect to another FortiGate 400 for high availability (see High availability on page 75), or to connect to a fourth network
Note: You can also create redundant connections to the Internet by connecting two interfaces to separate Internet connections. For example, you could connect interface 2 and 3 to different Internet connections, each provided by a different service provider. See Configuration example: Multiple connections to the Internet on page 52.
To connect the FortiGate unit running in NAT/Route mode
Connect interface 1 to the hub or switch connected to your internal network.
Connect interface 2 to the public switch or router provided by your Internet Service Provider.
Optionally, connect interface 3 to your DMZ network. You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.
Optionally, connect the 4/HA interface to a fourth network (not shown in Figure 7).
FortiGate 400 Installation
335. rtual IP.
External Interface: The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network. You can select a firewall interface or a VLAN subinterface.
Change Type to Port Forwarding.
In the External IP Address field, enter the external IP address to be mapped to an address on the destination zone. You can set the External IP Address to the IP address of the external interface selected in step 4, or to any other address. For example, if the virtual IP provides access from the Internet to a server on your internal network, the External IP Address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the External Interface selected in step 4.
Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a web server, the external service port number would be 80 (the HTTP port).
In Map to IP, enter the real IP address on the destination network. For example, the real IP address could be the IP address of a web server on an internal network.
Set Map to Port to the port number to be added to packets when they are forwarded. If you do not want to translate the port, enter t
336. ruses. For example, binary files are scanned using binary virus scanning, and Microsoft Office files containing macros are scanned for macro viruses. FortiGate virus scanning does not scan the following file types:
• cdimage (floppy image)
• ace
• bzip2
• Tar Gzip Bzip2
If a file is found to contain a virus, it is removed from the content stream and replaced with a replacement message. If your FortiGate unit includes a hard disk, and if quarantine is enabled for infected files for the matching traffic protocol, the FortiGate unit adds the file to the quarantine list.
To scan FortiGate firewall traffic for viruses
Select antivirus scanning in a content profile. See Adding a content profile on page 197.
Optionally, select Quarantine in this content profile.
Add this content profile to firewall policies to apply virus scanning to the traffic controlled by the firewall policy. See Adding a content profile to a policy on page 199.
Configure file quarantine settings to control the quarantining of infected files. See Configuring quarantine options on page 265.
Fortinet Inc.
Figure 37: Example content profile for virus scanning (New Content Profile dialog; Profile Name: virus scanning; Options columns HTTP, FTP, IMAP, POP3, SMTP; Anti-Virus Scan selected for all five; File Block, Web URL Block, Web Content Block, and Web Script Filter not selected)
337. ry.
Viewing logs
If the FortiGate is configured to save log messages in system memory, you can use the web-based manager to view, search, and clear the log messages. This section describes:
• Viewing logs
• Searching logs
Log messages are listed with the most recent message at the top. Use the following procedure to view log messages saved in system memory.
1 Go to Log & Report > Logging.
2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log. The web-based manager lists the log messages saved in system memory.
3 Scroll through the log messages to view them.
4 To view a specific line in the log, type a line number in the Go to line field and select Go.
5 To navigate through the log message pages, select Go to next page or Go to previous page.
Searching logs
Use the following procedure to search log messages saved in system memory.
1 Go to Log & Report > Logging.
2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
3 Select the search icon to search the messages in the selected log.
4 Select AND to search for messages that match all the specified search criteria. Select OR to search for messages that match one or more of the specified search criteria.
5 Select one or more of the following search criteria:
Keyword: To search for any text in a log message. Keyword searching is case sensitive.
Time: To search log messages created during the selected year, month, day, and
338. s, the secure connection appears to the user as a private network communication, even though the communication is carried over a public network.
Secure VPN connections are enabled by a combination of tunneling, data encryption, and authentication.
Tunneling encapsulates data so that it can be transferred over the public network. Instead of being sent in its original format, the data frames are encapsulated within an additional header and then routed between tunnel endpoints. Upon arrival at the destination endpoint, the data is decapsulated and forwarded to its destination within the private network.
Encryption transforms the data stream from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). The information is encrypted and decrypted using mathematical algorithms known as keys.
Authentication provides a means to verify the origin of a packet and the integrity of its contents. Authentication is completed using checksums calculated with keyed hash function algorithms.
This chapter provides an overview of how to configure FortiGate IPSec VPN. For a complete description of FortiGate VPN, see the FortiGate VPN Guide.
• Key management
• Manual key IPSec VPNs
• AutoIKE IPSec VPNs
• Managing digital certificates
• Configuring encrypt policies
• IPSec VPN concentrators
• Redundant IPSec VPNs
• Monitoring and Troubleshooting VPNs
FortiGate 400 Installation and Configuration Guide 209
339. s 231
Configuring redundant IPSec VPN 231
Monitoring and Troubleshooting VPNs 233
Viewing VPN tunnel status 233
Viewing dialup VPN connection status 233
Testing a VPN 234
PPTP and L2TP VPN 235
Configuring PPTP 235
Configuring the FortiGate unit as a PPTP gateway 236
Configuring a Windows 98 client for PPTP 238
Configuring a Windows 2000 client for PPTP 239
Configuring a Windows XP client for PPTP 240
Configuring L2TP 241
Configuring the FortiGate unit as a L2TP gateway 242
Configuring a Windows 2000 client for L2TP 245
Configuring a Windows XP client for L2TP 246
10 Fortinet Inc.
Network Intrusion Detection System (NIDS) 249
Detecting attacks 249
340. s a packet to a subordinate unit, it sends the packet back out the interface on which it received the packet, to the corresponding interface on the subordinate FortiGate unit.
If the primary FortiGate unit fails, the first subordinate unit to register that the primary unit has failed becomes the new primary unit. The new primary unit notifies the other FortiGate units that it is the new primary unit and resets the priority of each of the remaining subordinate units. The new primary unit also redistributes communication sessions among the units in the HA cluster.
During a fail-over, the new primary FortiGate unit notifies the adjacent networking devices so that the entire network can quickly converge to the new data path. The new primary unit also alerts administrators of the changes to the HA cluster by writing a message to the event log, sending an SNMP trap if SNMP is enabled, and sending an alert email.
If a subordinate FortiGate unit fails, the primary unit writes a message to the event log and sends an SNMP trap and an alert email. The primary unit also adjusts the priority of each of the remaining units in the HA cluster.
HA in NAT/Route mode
Use the following steps to configure a group of FortiGate units to operate as an HA cluster in NAT/Route mode:
• Installing and configuring the FortiGate units
• Configuring the HA interfaces
• Configuring the HA cluster
• Connecting the HA cluster to your network
Starting the HA cluster
341. s after a specified time period. The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org)
• detect viruses in compressed files using the PKZip format
• detect viruses in e-mail that has been encoded using uuencode format
• detect viruses in e-mail that has been encoded using MIME encoding
• log all actions taken while scanning
Web content filtering
FortiGate web content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. If a match is found between a URL on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the FortiGate blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering als
342. s enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:
• blocking unwanted URLs
• blocking unwanted content
• removing scripts from web pages
• exempting URLs from blocking
You can also use the Cerberian URL blocking to block unwanted URLs. For more information, see Using the Cerberian web filter on page 272.
This chapter describes:
• General configuration steps
• Content blocking
• URL blocking
• Using the Cerberian web filter
• Script filtering
• Exempt URL list
General configuration steps
Configuring web filtering involves the following general steps:
1 Select web filtering options in a new or existing content profile. See Adding a content profile on page 197.
2 Select the Anti-Virus & Web filter option in firewall policies that allow HTTP connections through the FortiGate unit.
• Select a content profile that provides the web filtering options that you want to apply to a policy. See Adding a content profile to a policy on page 199.
3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies. See:
• URL blocking on page 269
• Using the Cerberian web filter on page 272
• Content blocking on page 268
• Script f
343. s restored.
Connect to the CLI using the null modem cable and FortiGate console port.
Enter the following command to restart the FortiGate unit: execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears: Press any key to enter configuration menu
Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
G: Get firmware image from TFTP server
F: Format boot device
B: Boot with backup firmware and set as default
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, B, Q, or H:
Type B to load the backup firmware image. The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts, it is running the backup firmware version and the configuration is set to factory default.
FortiGate 400 Installation and Configuration Guide 105
Switching back to the default firmware image
Use this procedure to switch your FortiGate unit to operating with the backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image
344. sage; CPU Usage History (last 1 min); Memory Usage; Memory Usage History (last 1 min)
CPU and memory intensive processes, such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets, will increase CPU and memory usage.
Go to System > Status > Monitor. CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage, as well as line graphs of CPU and memory usage for the last minute. If your FortiGate unit contains a hard disk, CPU, memory, and hard disk status is displayed.
Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
Select Refresh to manually update the information displayed.
Viewing sessions and network status
Use the session and network status display to track how many network sessions the FortiGate unit is processing, and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status, you can see how much demand network traffic is placing on system resources.
Sessions displays the total number of sessions being processed by the FortiGate unit on all inte
345. secure connections to computers for remote management (tcp 22, udp 22)
SYSLOG: Syslog service for remote logging (udp 514)
TALK: A protocol supporting conversations between two or more users (udp 517-518)
TCP: All TCP ports (tcp 0-65535)
TELNET: Telnet service for connecting to a remote computer to run commands (tcp 23)
TFTP: Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features (udp 69)
UDP: All UDP ports (udp 0-65535)
UUCP: Unix to Unix copy utility, a simple file copying protocol (udp 540)
VDOLIVE: For VDO Live streaming multimedia traffic (tcp 7000-7010)
WAIS: Wide Area Information Server, an Internet search protocol (tcp 210)
WINFRAME: For WinFrame communications between computers running Windows NT (tcp 1494)
X WINDOWS: For remote communications between an X Window server and X Window clients (tcp 6000-6063)
Select New.
Providing access to custom services
Go to Firewall > Service > Custom.
Add a custom service if you need to create a policy for a service that is not in the predefined service list.
Enter a Name for the service. This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Select the Protocol (either TCP or UDP) used by the service.
Fortinet Inc.
346. session information. If the primary FortiGate unit fails, the subordinate units negotiate to select a new primary unit. All connections are resumed by the new primary unit.
During a fail-over, the new primary unit notifies the adjacent networking devices so that the entire network can quickly converge to the new data path. The new primary unit also alerts administrators of the changes to the HA cluster by writing a message to its event log, sending an SNMP trap if SNMP is enabled, and sending an alert email.
If a subordinate FortiGate unit fails, the primary FortiGate unit writes a message to its event log and sends an SNMP trap and an alert email. The primary FortiGate unit also adjusts the priority of each of the remaining units in the HA cluster.
Active-active HA
Active-active (A-A) HA provides load balancing between all of the FortiGate units in an HA cluster. An active-active HA cluster consists of a primary FortiGate unit and one or more subordinate FortiGate units, all processing traffic. The primary FortiGate unit uses a load balancing algorithm to distribute sessions to all of the FortiGate units in the HA cluster.
In active-active HA mode, the primary unit uses one of the following scheduling algorithms to distribute network sessions among the members of the HA cluster.
Table 15: Active-Active HA load balancing scheduling algorithms
None: No load balancing. Used when the cluster interfaces are con
347. ss or failure of the last update attempt. A No updates status means the last update attempt was successful but no new updates are available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiGate was not able to connect to the FDN, and other error conditions. This section describes: Connecting to the FortiResponse Distribution Network; Configuring scheduled updates; Configuring update logging; Adding an override server; Manually updating antivirus and attack definitions; Configuring push updates; Push updates through a NAT device; Scheduled updates through a proxy server. Connecting to the FortiResponse Distribution Network. Before the FortiGate unit can receive antivirus and attack updates, it must be able to connect to the FortiResponse Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN. The FortiGate interface 1 must have a path to the Internet using port 8890. To configure scheduled updates, see Configuring scheduled updates on page 117. You can also configure the FortiGate unit to allow push updates. Push updates are provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must have a path to the FortiGate interface 1 using UDP port 9443. To configure push updates, see Configuring push updates on page 119. The FDN
348. st and add and edit the replacement message sections as required. 1. Go to System > Config > Replacement Messages. 2. For the replacement message you want to customize, select Modify. 3. In the Message setup dialog box, edit the content of the message. Table 3 lists the replacement message sections that can be added to replacement messages and describes the tags that can appear in each section. In addition to the allowed tags, you can add any text. Also, for mail and HTTP messages you can add HTML code. 4. Select OK to save the changes. Table 3 Replacement message sections. File blocking: Used for file blocking (all services). Section Start: <BLOCKED>. Allowed Tags: FILE, the name of the file that was blocked; URL, the URL of the blocked web page. Section End: </BLOCKED>. (FortiGate 400 Installation and Configuration Guide, pages 165-166, Customizing replacement messages.) Scanning: Used for virus scanning (all services). Section Start: <INFECTED>. Allowed Tags: FILE, the name of the file that was infected; VIRUS, the name of the virus infecting the file; URL, the URL of the blocked web page or file. Section End: </BLOCKED>. Quarantine: Used when quarantine is enabled; permitted for all scan services, and for block services for email only. Section Sta
349. Table 16 execute ha synchronize keywords (Keyword: Description). config: Synchronize the FortiGate configuration. This includes normal system configuration, firewall configuration, VPN configuration, and so on, stored in the FortiGate configuration file. avupd: Synchronize the antivirus engine and antivirus definitions received by the primary unit from the FortiResponse Distribution Network (FDN). attackdef: Synchronize NIDS attack definition updates received by the primary unit from the FDN. weblists: Synchronize web filter lists added to or changed on the primary unit. emaillists: Synchronize email filter lists added to or changed on the primary unit. resmsg: Synchronize replacement messages changed on the primary unit. ca: Synchronize CA certificates added to the primary unit. localcert: Synchronize local certificates added to the primary unit. all: Synchronize all of the above. Use the following procedure to make configuration changes to the primary FortiGate unit and then synchronize the configuration of the subordinate units. 1. Connect to the cluster and log into the web-based manager or CLI. 2. Make configuration changes as required. 3. Connect to the CLI of each of the subordinate units in the cluster. To connect to subordinate units, see Managing individual cluster units on page 89. 4. Use the execute ha synchronize command to synchronize the configuration of the sub
350. subinterfaces. See Adding addresses on page 179. Zones. You can add zones to the FortiGate configuration to group together related interfaces and VLAN subinterfaces to simplify firewall policy creation. For more information about zones, see Configuring zones on page 133. To add policies for zones, you must use the following steps to add the zones to the firewall policy grid: 1. Add zones to the FortiGate configuration. See Adding zones on page 133. 2. Add interfaces and VLAN subinterfaces to the zone. See Adding interfaces to a zone on page 134 and Adding VLAN subinterfaces to a zone on page 134. 3. Add firewall addresses for the zone. See Adding addresses on page 179. Addresses. To add policies between interfaces, VLAN subinterfaces, and zones, the firewall configuration must contain addresses for each interface, VLAN subinterface, or zone. By default, the firewall configuration includes the addresses listed in Table 5. Table 5 Default addresses (Interface: Address, Description). Port1: Port1_All, this address matches all addresses on the network connected to port1. Port2: Port2_All, this address matches all addresses on the network connected to port2. The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default policy matches all connec
351. system to operate in Transparent mode: set system opmode transparent. 2. Add the management IP address and netmask: set system management ip 192.168.1.1 255.255.255.0. 3. Add the default route to the external network: set system route number 1 gw1 192.168.1.2. Example: static route to an external destination. Figure 11 shows a FortiGate unit that requires routes to the FDN located on the external network. The FortiGate unit does not require routes to the DNS servers or management computer because they are located on the internal network. To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network. If the static route becomes unavailable, perhaps because the IP address of the FortiResponse server changes, the FortiGate unit will still be able to receive antivirus and NIDS updates from the FDN using the default route. Note: This is an example configuration only. To configure a static route you require a destination IP address. Figure 11 Static route to an external destination (figure labels: 24.102.233.5; FortiResponse Distribution Network (FDN); Internet; Upst
352. t. To import the signed local certificate: 1. Go to VPN > Local Certificates. 2. Select Import. 3. Enter the path or browse to locate the signed local certificate on the management computer. 4. Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK. Obtaining a CA certificate. For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices. The FortiGate unit obtains the CA certificate in order to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit. Note: The CA certificate must adhere to the X.509 standard. Retrieving a CA certificate. Connect to the CA web server and download the CA certificate to the management computer. To retrieve the CA certificate: 1. Connect to the CA web server. 2. Follow the CA web server instructions to download the CA certificate. The File Download dialog will display. 3. Select Save. 4. Save the CA certificate in a directory on the management computer. Importing a CA certificate. Import the signed local certificate from the m
353. t OK to add the policy. Arrange policies in the policy list so that they have the results that you expect. Arranging policies in a policy list is described in Configuring policy lists on page 177. Figure 5 Adding a NAT/Route policy (screenshot of the Edit Policy dialog for port1 > port2: Source Port1_All; Destination Port2_All; Schedule Always; Service ANY; Action ACCEPT; NAT with Dynamic IP Pool and Fixed Port; Traffic Shaping with Guaranteed Bandwidth 100 KBytes/s, Maximum Bandwidth, Traffic Priority High; Authentication User_Group_1; Anti-Virus & Web filter Content Profile Scan; Log Traffic; Comments, maximum 63 characters). Policy: Traffic Shaping, Authentication, and Virus Scanning. Firewall policy options. This section describes the options that you can add to firewall policies. Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses on page 179. Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface, VLAN subinterface, or zone. To add an address, see Addresses on page 179.
354. t outbound NAT if required. See Adding an encrypt policy on page 225. Arrange the policies in the following order: encrypt policies; the default non-encrypt policy (Internal_All > External_All). IPSec VPN concentrators. Adding a VPN concentrator. To add a VPN concentrator configuration: 1. Go to VPN > IPSec > Concentrator. 2. Select New to add a VPN concentrator. 3. Enter the name of the new concentrator in the Concentrator Name field. 4. To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow. 5. To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow. 6. Select OK to add the VPN concentrator. Figure 26 Adding a VPN concentrator (screenshot of the New VPN Concentrator dialog: Concentrator Name Concentrator_1; Available Tunnels and Members lists showing Certificate_1_tunnel, Certificate_2_tunnel, Preshared_key_1_tuni, Preshared_key_2_tun, Manual_key_1_tunnel). VPN spoke general configuration steps. A remote VPN peer that is functioning as a spoke requires the following configuration: a tunnel (AutoIKE phase 1 and phase 2 configuration, or manual key configuration) for the hub; the source address of the local VPN spoke
355. t strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. Registering FortiGate units. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In this case, when you do purchase a FortiCare Support Contract, you can update the registration information to add the support contract number. A single FortiCare Support Contract can cover multiple FortiGate units. You must enter the same service contract number for each of the FortiGate models covered by the service contract. Registering the FortiGate unit. Before registering a FortiGate unit, you require the following information: your contact information, including first and last name, company name, email address (your Fortinet support login user name and password will be sent to this email address), address, and contact phone number; a security question and an answer to the security question. This information is used for password recovery. The security question should be a simple question that only you know the answer to. The answer should not be eas
356. t system objver. Install a firmware image from a system reboot using the CLI. This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware. Note: There are a few variations on this procedure for different FortiGate BIOS versions. These variations are explained in the procedure steps that are affected. The version of the BIOS running on your FortiGate unit is displayed when you restart the FortiGate unit while accessing the CLI by connecting to the FortiGate console port using a null modem cable. To run this procedure you: access the CLI by connecting to the FortiGate console port using a null modem cable; install a TFTP server that you can connect to from port1. The TFTP server should be on the same subnet as port1. Before running this procedure you can: back up the FortiGate unit configuration (use the procedure Backing up system settings on page 108); back up the NIDS user-defined signatures (see the FortiGate NIDS Guide); back up web content and email filtering lists (see the FortiGate Content Protection Guide). If you are reverting to a previous FortiOS version, for example reverting from FortiOS v2.50 to FortiOS v2.36, you may not be able to restore your previous configuration from the backup configuration file. Note: Installin
357. tabase. You can also add the names of RADIUS and LDAP servers. You can select RADIUS to allow the user to authenticate using the selected RADIUS server, or LDAP to allow the user to authenticate using the selected LDAP server. You can disable a user name so that the user cannot authenticate. To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication. You can select user groups to require authentication for: any firewall policy with Action set to ACCEPT; IPSec dialup user phase 1 configurations; XAuth functionality for phase 1 IPSec VPN configurations; PPTP; L2TP. When a user enters a user name and password, the FortiGate unit searches the internal user database for a matching user name. If Disable is selected for that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the password matches, the connection is allowed. If the password does not match, the connection is dropped. If RADIUS is selected and RADIUS support is configured and the user name and password match a user name and password on the RADIUS server, the connection is allowed. If the user name and password do not match a user name and password on the RADIUS server, the connection is dropped. If LDAP is selected and LDAP support is configured and the user name and passw
358. tain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, all of these MIBs must be compiled into your SNMP manager. Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager, you will not have to re-compile them. Table 1 FortiGate MIBs (MIB file name: Description). EtherLike.mib: The Ethernet-like MIB is a standard MIB based on RFC 2665. This MIB includes information used for managing Ethernet interfaces. FN-TRAP.mib: The Fortinet trap MIB is a proprietary MIB that is required for your SNMP manager to receive traps from the FortiGate SNMP agent. For more information on FortiGate traps, see FortiGate traps on page 164. FORTINET.mib: The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information. Add this MIB to your SNMP manager to monitor all FortiGate configuration settings. RFC1213.mib: The RFC 1213 MIB is the standard MIB-II MIB that describes network management protocols for TCP/IP networks. FortiGate traps. The FortiGate agent
359. tantly communicating HA status information to make sure the cluster is functioning properly. For this reason, the connection between the HA ports of all of the FortiGate units in the cluster must be well maintained. An interruption of this communication can cause unpredictable results. Switches are recommended for better performance. The network equipment to use and the procedure to follow are the same whether you are configuring the FortiGate units for active-active HA or active-passive HA. To connect the FortiGate units to your network: 1. Connect port 1 of each FortiGate unit to a switch or hub connected to your internal network. 2. Connect port 2 of each FortiGate unit to a switch or hub connected to your external network. 3. Optionally, connect port 3 of each FortiGate unit to a switch or hub connected to another network. 4. Connect the 4/HA interfaces of the FortiGate units to another switch or hub. When you have connected the cluster, proceed to Starting the HA cluster. Starting the HA cluster. After all of the FortiGate units in the cluster are configured for HA and once the cluster is connected, use the following procedure to start the HA cluster. 1. Power on all of the HA units in the cluster. As the units power on, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user interv
360. te. The FortiGate unit can only record the event and attack log messages in system memory. To record logs in system memory: 1. Go to Log & Report > Log Setting. 2. Select Log to memory. 3. Select the severity level for which you want to record log messages. The FortiGate will log all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error. 4. Select Config Policy. To configure the FortiGate to filter the types of logs and events to record, use the procedures in Filtering log messages on page 284. 5. Select Apply. Filtering log messages (page 284). You can configure which logs to record and which message categories to record in each log. 1. Go to Log & Report > Log Setting. 2. Select Config Policy for the log location that you selected in Recording logs on page 281. 3. Select the log types that you want the FortiGate unit to record. Traffic Log: Record all connections to and through the interface. To configure traffic filtering, see Adding traffic filter entries on page 288. Event Log: Record management and activity events in the event log. Management events include changes to the system configuration as well as administrator and user logins and logouts. Activity events include system activities such as VPN tunnel establishment and HA failover events. Virus Log: Record virus intrusion events, such as when the FortiGate unit d
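The severity rule above (select Error and you keep emergency, alert, critical and error, nothing less severe) and the per-type Config Policy selection together decide what ends up in memory. The following is an added example, not Fortinet code: it applies both rules to a handful of constructed log lines. The key=value line layout, the sample messages and the addresses in them are constructed for the illustration and are not the FortiGate log format.

```python
"""Severity and log-type filter, as described for FortiGate logging.

Added example, not Fortinet code. The log line format below is constructed
for this illustration and is not the FortiGate log format.
"""
import re
from typing import Iterable, List, Set

# Severity levels named in the manual, ranked syslog-style: a lower number is
# more severe. Selecting a level records that level and every level above it.
SEVERITY_RANK = {
    "emergency": 0,
    "alert": 1,
    "critical": 2,
    "error": 3,
    "warning": 4,
    "notification": 5,
    "information": 6,
}

# Log types the manual lets you enable individually under Config Policy.
LOG_TYPES = {"traffic", "event", "virus", "attack"}

# Constructed key=value layout; only these two fields matter to the filter.
FIELD_RE = re.compile(r"\blevel=(?P<level>\w+)\b.*?\btype=(?P<type>\w+)\b")


def should_record(level: str, threshold: str) -> bool:
    """True when `level` is as severe as, or more severe than, `threshold`.

    With threshold "error" this keeps emergency, alert, critical and error,
    which is exactly the example the manual gives.
    """
    try:
        return SEVERITY_RANK[level.lower()] <= SEVERITY_RANK[threshold.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown severity level: {exc}") from None


def filter_log(lines: Iterable[str], threshold: str, enabled_types: Set[str]) -> List[str]:
    """Return the lines that would be recorded under the given settings.

    A line whose type is not enabled is dropped before severity is checked;
    a line that does not parse is dropped rather than guessed at.
    """
    unknown = set(enabled_types) - LOG_TYPES
    if unknown:
        raise ValueError(f"unknown log type(s): {sorted(unknown)}")
    kept = []
    for line in lines:
        m = FIELD_RE.search(line)
        if m is None:
            continue
        if m.group("type").lower() not in enabled_types:
            continue
        if should_record(m.group("level"), threshold):
            kept.append(line)
    return kept


# Constructed sample lines (not real FortiGate output).
SAMPLE_LINES = [
    'date=2003-06-01 time=10:00:01 level=critical type=event msg="HA failover: new primary unit elected"',
    'date=2003-06-01 time=10:00:05 level=information type=event msg="admin login from 192.168.1.10"',
    'date=2003-06-01 time=10:00:09 level=alert type=attack msg="NIDS signature matched on port2"',
    'date=2003-06-01 time=10:00:12 level=warning type=virus msg="infected file quarantined"',
    'date=2003-06-01 time=10:00:15 level=emergency type=traffic msg="interface port2 down"',
    'date=2003-06-01 time=10:00:20 level=error type=event msg="IPSec phase 1 negotiation failed"',
    "this line is malformed and carries no level or type",
]


def recorded_with_manual_example() -> List[str]:
    """Threshold Error with only the event and attack logs enabled."""
    return filter_log(SAMPLE_LINES, "error", {"event", "attack"})


if __name__ == "__main__":
    for line in recorded_with_manual_example():
        print(line)
```

Note what the two rules do independently: the emergency-level traffic line is dropped because the Traffic Log is not enabled, not because of its severity, while the information-level event line is dropped by the threshold even though the Event Log is enabled. Malformed lines are dropped silently here; in a real collector you would count them, since a stream of unparseable lines is itself worth an alert.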
361. te cluster configuration, the primary unit selection process is automatic. The primary unit can be different each time the cluster starts up. In addition, the unit functioning as the primary unit can change from time to time; for example, if the current primary unit restarts, one of the other units in the cluster replaces it as the primary unit. In some situations you may want to control which unit becomes the primary unit. You can configure a FortiGate unit to become the permanent primary unit by changing the priority of this unit and configuring it to override any other primary unit. When FortiGate units in a cluster are negotiating to be the primary unit, the one with the lowest priority always becomes the primary unit. If two units have the same priority, the standard negotiation process is used to select the primary unit. To configure a FortiGate unit to be the permanent primary unit in an HA cluster: 1. Connect to the CLI of the permanent primary FortiGate unit. 2. Set the priority of the permanent primary unit. Enter set system ha priority <priority_int>, where <priority_int> is the priority to set for the permanent primary unit. The unit with the lowest priority becomes the primary unit. The default priority is 128. Set the priority of the permanent primary unit to a number lower than 128. For example, to set the priority of the permanent primary unit to 10, enter the command set system ha priority 10. 3. Make sure the pri
362. te end of the tunnel. Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel. Enter the Encryption Key. Each two-character combination entered in hexadecimal format represents one byte. Depending on the encryption algorithm you have selected, you may be required to enter the key in multiple segments. Use the same encryption key at both ends of the tunnel. DES: Enter a 16-character (8-byte) hexadecimal number (0-9, A-F). 3DES: Enter a 48-character (24-byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters. AES128: Enter a 32-character (16-byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters. AES192: Enter a 48-character (24-byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters. AES256: Enter a 64-character (32-byte) hexadecimal number (0-9, A-F). Separate the number into four segments of 16 characters. Select an Authentication Algorithm from the list. Use the same algorithm at both ends of the tunnel. Enter the Authentication Key. Each two-character combination entered in hexadecimal format represents one byte. Use the same authentication key at both ends of the tunnel. MD5: Enter a 32-character (16-byte) hexadecimal number (0-9, A-F). Separ
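A manual-key tunnel only comes up if both gateways were given byte-identical keys, and the segmented hex entry above is where typing mistakes creep in (a 15-character segment, a stray letter outside 0-9 A-F, the wrong number of segments for the algorithm). The following is an added example, not Fortinet code: a small validator that applies the lengths the manual gives, joins the segments into key bytes, and compares the two ends in constant time. The two-segment rule for the MD5 authentication key is an assumption, since the manual's text is cut off after "Separ"; the key values used are constructed placeholders.

```python
"""Validator for manual-key IPSec keys entered as 16-character hex segments.

Added example, not Fortinet code. The segment rule for the MD5 authentication
key is an assumption (the manual's text is cut off after "Separ"); the
encryption-key lengths follow the manual.
"""
import hmac
from typing import Dict, Sequence

SEGMENT_CHARS = 16  # each segment the manual asks for is 16 hex characters
HEX_DIGITS = frozenset("0123456789abcdefABCDEF")

# Total hexadecimal characters required per algorithm (2 characters per byte).
ENCRYPTION_KEY_CHARS: Dict[str, int] = {
    "DES": 16,      # 8 bytes, one segment
    "3DES": 48,     # 24 bytes, three segments
    "AES128": 32,   # 16 bytes, two segments
    "AES192": 48,   # 24 bytes, three segments
    "AES256": 64,   # 32 bytes, four segments
}
AUTHENTICATION_KEY_CHARS: Dict[str, int] = {
    "MD5": 32,      # 16 bytes; assumed to be entered as two segments
}


def _parse_segments(algorithm: str, segments: Sequence[str], table: Dict[str, int]) -> bytes:
    """Check every segment, then the total length, and return the key bytes."""
    if algorithm not in table:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    for i, seg in enumerate(segments, start=1):
        if len(seg) != SEGMENT_CHARS:
            raise ValueError(f"segment {i} has {len(seg)} characters, expected {SEGMENT_CHARS}")
        if not set(seg) <= HEX_DIGITS:
            raise ValueError(f"segment {i} contains non-hexadecimal characters")
    joined = "".join(segments)
    if len(joined) != table[algorithm]:
        raise ValueError(
            f"{algorithm} needs {table[algorithm]} hex characters "
            f"({table[algorithm] // SEGMENT_CHARS} segments), got {len(joined)}"
        )
    return bytes.fromhex(joined)


def parse_encryption_key(algorithm: str, *segments: str) -> bytes:
    """Join and validate the segments of a manual-key encryption key."""
    return _parse_segments(algorithm, segments, ENCRYPTION_KEY_CHARS)


def parse_authentication_key(algorithm: str, *segments: str) -> bytes:
    """Join and validate the segments of a manual-key authentication key."""
    return _parse_segments(algorithm, segments, AUTHENTICATION_KEY_CHARS)


def ends_agree(local_key: bytes, remote_key: bytes) -> bool:
    """Both ends of the tunnel must hold the same key; compare in constant time."""
    return hmac.compare_digest(local_key, remote_key)


if __name__ == "__main__":
    # Constructed placeholder key, not a key to use anywhere.
    key = parse_encryption_key("AES128", "0011223344556677", "8899aabbccddeeff")
    print(len(key), "bytes")
```

Rejecting a bad segment before joining gives the operator the segment number to re-check, which is more useful than a single "wrong length" error on the whole key; the constant-time comparison is habit for anything key-shaped, even in a configuration check.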
363. te gateway entered. See Adding a phase 2 configuration for an AutoIKE VPN on page 217. Add the source and destination addresses. See Adding a source address on page 225 and Adding a destination address on page 225. Add encrypt policies for up to three VPN connections. If the VPN connections are in the same zone, add one outgoing encrypt policy, for example an Internal > External policy. Add the AutoIKE key tunnel to this policy. If the VPN connections are in different zones, add a separate outgoing encrypt policy for each connection, for example an Internal > External and an Internal > DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See Adding an encrypt policy on page 225. Monitoring and Troubleshooting VPNs. This section provides a number of general maintenance and monitoring procedures for VPNs. This section describes: Viewing VPN tunnel status; Viewing dialup VPN connection status; Testing a VPN. Viewing VPN tunnel status. You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status of each tunnel as well as the tunnel time out. To view VPN tunnel status: 1. Go to VPN > IPSEC > AutoIKE Key. The Status column displays the status of each tunnel. If Status is Up, the
364. 256; Logging attack messages to the attack log 256; Reducing the number of NIDS attack log and email messages 257; Antivirus protection 259; General configuration steps 259; Antivirus scanning 260; File blocking 261; Blocking files in firewall traffic 262; Adding file patterns to block 262; Quarantine 263; Quarantining infected files 263; Quarantining blocked files 263; Viewing the quarantine list 264; Sorting the quarantine list 264; Filtering the quarantine list 265; Deleting files from quarantine 265; Downloading quarantined files
365. 134; Renaming zones 134; Deleting zones 135; Configuring interfaces 135; Viewing the interface list 135; Bringing up an interface 135; Changing an interface static IP address 136; Adding a secondary IP address to an interface 136; Adding a ping server to an interface 136; Controlling management access to an interface 137; Configuring traffic logging for connections to an interface 137; Changing the MTU size to improve network performance 137; Configuring port4/ha 138; Configuring the management interface (Transparent mode) 138; Configuring VLANs 139; VLAN network configuration 139; Adding VLAN subinterfaces
366. ternet connections. This section provides some examples of routing and firewall configurations to configure the FortiGate unit for multiple Internet connections. To use the information in this section, you should be familiar with FortiGate routing (see Configuring routing on page 138) and FortiGate firewall configuration (see Firewall configuration on page 169). The examples below show how to configure destination-based routing and policy routing to control different traffic patterns: Configuring ping servers; Destination-based routing examples; Policy routing examples; Firewall policy example. Configuration example: Multiple connections to the Internet. Figure 8 Example multiple Internet connection configuration (figure labels: Internal Network 192.168.1.0; Port1 192.168.1.99; FortiGate 400; Port2 1.1.1.2; Port3 2.2.2.2; Gateway 1 1.1.1.1; Gateway 2 2.2.2.1; ISP1; ISP2; External Network 1 100.100.100.0; External Network 2 200.200.200.0; Internet). Use the following procedure to make Gateway 1 the ping server for port2 and Gateway 2 the ping server for port3. Configuring ping servers: 1. Go to System > Network > Interface. 2. For port2, select Modify: set Ping Server to 1.1.1.1, select Enable Ping Server, and select OK. 3. For port3, select Modify: set Ping Server to 2.2.2.1, select Enable Ping Server, and select OK.
367. testing 293; virus incidents 293. A. allow inbound (encrypt policy) 175; allow outbound (encrypt policy) 175; allow traffic (IP/MAC binding) 194, 195; Anti-Virus & Web filter (policy) 176; antivirus definition updates, manual 106; antivirus definitions, updating 115; antivirus updates 117: configuring 118, through a proxy server 124; attack definition updates: downloading 130, 131, manual 107; attack definitions, updating 115, 119; attack detection: checksum verification 250, disabling the NIDS 250, enabling and disabling signatures 252, selecting interfaces to monitor 250, viewing the signature list 251; attack log 284: content of messages 257, reducing messages 252; attack prevention: configuring signature threshold values 254, enabling prevention signatures 253, NIDS 253; attack updates: configuring 118, scheduling 117, through a proxy server 124; authentication 175, 201: configuring 202, enabling 207, LDAP server 205, RADIUS server 204, timeout 159; auto device in route 144; AutoIKE 210: certificates 210, introduction 210, pre-shared keys 210; automatic antivirus and attack definition updates, configuring 118. B. backing up system settings 108; bandwidth: guaranteed 175, maximum 175; banned word list, adding words 268, 278; blacklist URL 271; block traffic: IP/MAC binding 194, 195, log option 283; blocking: access to Internet sites 269, 279, access to URLs 269, 279, adding filename p
368. the FortiGate unit for automatic antivirus definitions updates, see Virus and attack definitions updates and registration on page 115. You can also manually initiate an antivirus definitions update by going to System > Update and selecting Update Now. 1. Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. 2. Start the web-based manager and go to System > Status. 3. To the right of the Antivirus Definitions Version, select Definitions Update. 4. Enter the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file. 5. Select OK to copy the antivirus definitions update file to the FortiGate unit. The FortiGate unit updates the antivirus definitions. This takes about 1 minute. 6. Go to System > Status to confirm that the Antivirus Definitions Version information has been updated. Manual attack definition updates. The System > Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS). You can use the following procedure to update the attack definitions manually. Note: To configure the FortiGate unit for automatic attack defi
369. the policy grid. 1. Go to System > Network > Interface. 2. For the VLAN subinterface to add to a zone, select Modify. 3. Use the Zone list to select the zone to add the VLAN subinterface to. 4. Select OK to save your changes. 5. Repeat these steps to add more VLAN subinterfaces to zones. Renaming zones. You can change the name of any zone in the zone list. 1. Go to System > Network > Zone. 2. Choose a zone to rename and select Edit zone. 3. Enter a new name for the zone. 4. Select OK to save your changes. Deleting zones. You must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. You can only delete zones that have the Delete icon beside them in the zone list. 1. Go to System > Network > Zone. 2. Select Delete to remove a zone from the list. 3. Select OK to delete the zone. Configuring interfaces. Use the following procedures to configure the FortiGate interfaces: Viewing the interface list; Bringing up an interface; Changing an interface static IP address; Adding a secondary IP address to an interface; Adding a ping server to an interface; Controlling management access to an interface; Configuring traffic logging for connections to an interface; Changing the MTU size to improve network performance; Configuring port4/ha; Configuring the management interface (Transparent mode). Viewing the i
370. tiGate configuration and reverts the system to its original configuration, including resetting interface addresses. 1 Go to System > Status. Select Restore Factory Defaults. Select OK to confirm. The FortiGate unit restarts with the configuration that it had when it was first powered on. 4 Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. To restore your system settings, see Restoring system settings on page 108. 108 Fortinet Inc. System status Changing to Transparent mode Changing to Transparent mode Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode, its configuration resets to Transparent mode factory defaults. Go to System > Status. Select Change to Transparent Mode. Select Transparent in the operation mode list. Select OK. The FortiGate unit changes operation mode. 5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address. By default in Transparent mode you can connect to port1. The default Transparent mode management IP address is 10.10.10.1. Changing to NAT/Route mode Use the following procedure to switch the FortiGate unit from Transparent mode to NAT/Route mode. When the FortiG
371. tificate request in a text editor. (Figure: the certificate request file opened in WordPad, showing its Base64-encoded text.) 4 Retrieving the signed local certificate With this procedure you connect to the CA web server and download the signed local certificate to the management computer. Do this after receiving notification from the CA that it has signed the certificate request. To retrieve the signed local certificate: Connect to the CA web server. Follow the CA web server instructions to download the signed local certificate. The File Download dialog will display. Select Save. Save the file in a directory on the management computer. Importing the signed local certificate With this procedure you import the signed local certificate from the management computer to the FortiGate uni
372. tination interface_name> protocol <protocol_int> port <low port_int> <high port_int> gw <gateway_ip>. Complete policy routing command syntax is described in Volume 6, FortiGate CLI Reference Guide. 146 Fortinet Inc. Network configuration Providing DHCP services to your internal network Providing DHCP services to your internal network If the FortiGate unit is operating in NAT/Route mode, you can use the CLI command set system dhcpserver to configure the FortiGate unit to be the DHCP server for your internal network. Table 2 describes the syntax for the set system dhcpserver command. Table 2: set system dhcpserver command syntax (Keywords / Description) defaultroute <gateway_ip>: The default route to be assigned to DHCP clients. The defaultroute, exclusionrange, iprange and reserve IP addresses must all be on the same subnet as the internal interface. dns <dns_ip> <dns_ip> <dns_ip>: The IP addresses of up to 3 DNS servers that the DHCP clients can use for looking up domain names. Use a space to separate the IP addresses. To remove a DNS IP, set the IP to 0.0.0.0. domain <domain_str>: The domain name that the DHCP server assigns to the DHCP clients. Enter up to 4 exclusion ranges of IP addresses within the starting IP and ending IP addresses that cannot be assigned to DHCP clients. Separate the IP addresses in the range with a dash. Do
373. ting mode that you select The FortiGate unit can be configured in either of two modes NAT Route mode the default or Transparent mode NAT Route mode In NAT Route mode the unit is visible to the network Like a router all of its interfaces are on different subnets The following interfaces are available in NAT Route mode e Interfaces 1 2 3 and 4 HA can be connected to any networks By default the FortiGate 400 interfaces have the following configuration e Interface 1 is the default interface to the internal network usually the Internet e Interface 2 is the default interface to the external network e Interface 3 can be connected to another network such as a DMZ network e Interface 4 HA can be connected to another network Interface 4 HA can also be connected to other FortiGate 400s if you are installing an HA cluster You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode Security policies control the flow of traffic based on each packet s source address destination address and service In NAT mode the FortiGate performs network address translation before the packet is sent to the destination network In route mode no translation takes place By default the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network No other traffic is possible until you have configu
374. ting table Transparent mode 145 destination 143 device 144 router next hop 136 routing 296 adding static routes 143 configuring 143 configuring routing table 145 policy 146 routing table 296 adding default route 143 adding routes 143 adding routes Transparent mode 145 configuring 145 S scanning antivirus 260 schedule 186 applying to policy 188 automatic antivirus and attack definition updates 117 creating one time 186 creating recurring 187 one time 186 policy option 174 recurring 187 scheduled antivirus and attack updates 124 scheduled updates through a proxy server 124 scheduling 117 script filter 275 example settings 274 scripts removing from web pages 274 280 searching logs 289 290 logs saved to FortiGate hard disk 290 logs saved to memory 289 security question registration 130 serial number displaying 107 service 182 custom 184 group 185 policy option 174 predefined 182 service name 182 user defined 184 service contracts Forticare 125 service group adding 185 FortiGate 400 Installation and Configuration Guide Index service name traffic filter display 287 session clearing 113 set time 157 setup wizard 46 62 starting 46 62 shutting down 110 signature threshold values 254 SMTP 184 configuring alert email 292 definition 296 SNMP configuring 162 contact information 162 definition 296 first trap receiver IP address 163 get community 162 MIBs 163 system location 162 trap community 163 t
375. tion Guide 17 VLAN Introduction Transparent mode VLAN Transparent mode provides the same basic firewall protection as NAT mode Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components However VPN VLAN multi zone functionality and some advanced firewall features are only available in NAT Route mode Fortigate Antivirus Firewalls support IEEE 802 1Q compliant virtual LAN VLAN tags Using VLAN technology a single FortiGate unit can provide security services to and control connections between multiple security domains according to the VLAN IDs added to VLAN packets The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain It can also apply authentication content filtering and antivirus protection to VLAN tagged network and VPN traffic Network intrusion detection 18 The FortiGate Network Intrusion Detection System NIDS is a real time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity NIDS detection uses attack signatures to identify over 1000 attacks You can enable and disable the attacks that the NIDS detects You can also write your own user defined detection attack signatures NIDS prevention d
376. tion Start <CRITICAL_EVENT> Allowed Tags: CRITICAL_EVENT The firewall critical event message. Section End <CRITICAL_EVENT> FortiGate 400 Installation and Configuration Guide 167 Customizing replacement messages System configuration 168 Fortinet Inc. Firewall configuration Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number). For the packet to be connected through the FortiGate unit, a firewall policy must have been added that matches the packet's source address, destination address, and service. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet. You can also add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year. Each policy can be individually configured to route connections or to apply network address translation (NAT) to translate source and destination IP addresses and ports. You can add IP pools to use dy
377. tions 274; Exempt URL list 275; Adding URLs to the exempt URL list 275; Email filter 277; General configuration steps 277; Email banned word list 278; Adding words and phrases to the banned word list 278; Email block list 279; Adding address patterns to the email block list 279; Email exempt list 279; Adding address patterns to the email exempt list 280; Adding a subject tag 280; Logging and reporting 281; Recording logs 281; Recording logs on a remote computer 282; Recording logs on a NetIQ WebTrends server 282; Recording logs on the FortiGate hard disk 283; Recording logs in system memory 284; Filtering log messages 284
378. tions from the network connected to port1 because it includes the Port1_All address The default policy also matches all connections to the network connected to port2 because it includes the Port2_All address You can add more addresses to each interface to improve the control you have over connections through the firewall For more information about addresses see Addresses on page 179 You can also add firewall policies that perform network address translation NAT To use NAT to translate destination addresses you must add virtual IPs Virtual IPs map addresses on one network to a translated address on another network For more information about Virtual IPs see Virtual IPs on page 188 FortiGate 400 Installation and Configuration Guide 171 Adding firewall policies Services Schedules Firewall configuration Policies can also control connections based on the service or destination port number of packets The default policy accepts connections to using any service or destination port number The firewall is configured with over 40 predefined services You can add these services to a policy for more control over the services that can be used by connections through the firewall You can also add user defined services For more information about services see Services on page 182 Policies can also control connections based on the time of day or day of the week when the firewall receives the connection The default pol
379. tiple connections to the Internet on page 52. This section describes: Adding a default route; Adding destination-based routes to the routing table; Adding routes in Transparent mode; Configuring the routing table; Policy routing. Adding a default route Use the following procedure to add a default route for network traffic leaving the external interface. Go to System > Network > Routing Table. Select New to add a new route. Set the Source IP and Netmask to 0.0.0.0. Set the Destination IP and Netmask to 0.0.0.0. Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet. Select OK to save the default route. Note: Only 1 default route can be active at any 1 time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active. Adding destination-based routes to the routing table Use the following procedure to add destination-based routes to the FortiGate routing table. Add destination-based routes to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next-hop routers to which to route traffic that matches the destination addresses in the route. You can add one or two gateways to a route. If you add one gateway, the FortiGate unit routes the
380. tmask You add VLAN subinterfaces to physical interfaces You can add over 1000 VLAN subinterfaces to a FortiGate unit Rules for VLAN IDs Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID However you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces There is no internal connection or link between two VLAN subinterfaces with same VLAN ID Their relationship is the same as the relationship between two main interfaces Rules for VLAN IP addresses Normally the IP addresses of all FortiGate interfaces cannot overlap That is the IP addresses of all interfaces must be different on different subnets However some overlap of VLAN subinterfaces is allowed The rules for overlapping VLAN subinterface IP addresses are e Two or more VLAN subinterfaces can have the same IP address as long as they have different VLAN IDs The IP addresses of two or more VLAN subinterfaces can be on the same subnet as long as they have different VLAN IDs The IP address of a VLAN subinterface must different from IP address of the interface that it is added to The IP address of a VLAN subinterface can be on the same subnet as the IP address of the interface that it is added to e You cannot add firewall policies between 2 VLAN subinterfaces that have the same IP address or that have IP addresses in the same subnet even if their VLAN IDs are different Adding
381. to a policy add a policy that matches the policy to be denied in every way Choose the one time schedule that you added and set Action to DENY Then place the policy containing the one time schedule in the policy list above the policy to be denied Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies To allow connections between these networks you must create a mapping between an address on the source network and the real address on the destination network This mapping is called a virtual IP For example if the computer hosting your web server is located on the network connected to port3 it could have a private IP address such as 10 10 10 3 If port2 connects to the Internet to get packets from the Internet to the web server you must have an external address for the web server on the Internet You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on the port3 network To allow connections from the Internet to the web server you must then add a port2 gt port3 firewall policy and set Destination to the virtual IP You can create two types of virtual IPs Static NAT Used in to translate an address on a source network to a hidden address on a destination network Static NAT translates the source address of return packets to the address on the source network Port Forwarding Used to
382. to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication purposes and is automatically regenerated during the communication session by IKE. Pre-shared keys are similar to the manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites. Whenever a pre-shared key changes, the administrator must update both sites. AutoIKE with certificates This method of key management involves the participation of a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. The peer then contacts the CA to retrieve their own certificates plus that of the CA itself. Once the certificates have been uploaded to the FortiGate units and appropriate IPSec tunnels and policies have been configured, the peers are ready to start communicating. As they do, IKE manages the exchange of certificates, transmitting signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established. In some respects, certificates are simpler to manage than manual ke
383. top-level domain suffix (for example, com, without the leading period) to block access to all URLs with this suffix. Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. Select Enable to block the URL Pattern. Select OK to add the URL Pattern to the URL block list. You can enter multiple URLs and patterns and then select Check All to enable all items in the URL block list. Each page of the URL block list displays 100 URLs. Use Page Up and Page Down to navigate through the URL block list. Note: You must select the Web URL Block option in the content profile to enable the URL blocking. Figure 39: Example URL block list (entries shown: www.badsite.com; 123.78.41.22/news.html; www.timewaste.com/products.html) Clearing the URL block list Go to Web Filter > URL Block. Select Clear URL Block List to remove all URLs and patterns from the URL block list. Fortinet Inc. Web filtering URL blocking Downloading the URL block list You can back up the URL block list by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Block. 2 Select Download URL Block List. The FortiGate unit downloads the list to a text file on t
384. tp://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com for customers in the United States, Canada, Mexico, Latin America and South America; apac_support@fortinet.com for customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia; eu_support@fortinet.com for customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East. For information on Fortinet telephone support, see http://support.fortinet.com. When requesting technical support, please provide the following information: Your name; Company name; Location; Email address; Telephone number; FortiGate unit serial number; FortiGate model; FortiGate FortiOS firmware version; Detailed description of the problem. Fortinet Inc. Getting started This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following: If you are going to operate the FortiGate unit in NAT/Route mode, go to NAT/Route mode installation on page 45. If you are going to operate the FortiGate unit in Transparent mode, go to Transparent mode installation on page 61. If you are going t
385. traffic to each ISP network as required. The routing described below allows a user on the internal network to connect to the Internet through gateway 1 and ISP1. At the same time, this user can also connect through gateway 2 to access a mail server maintained by ISP2. Adding the routes using the web-based manager Go to System > Network > Routing Table. Select New to add the default route for primary and backup links to the Internet: Destination IP 0.0.0.0; Mask 0.0.0.0; Gateway 1 1.1.1.1; Gateway 2 2.2.2.1; Device 1 port2; Device 2 port3; Select OK. FortiGate 400 Installation and Configuration Guide 55 Configuration example: Multiple connections to the Internet NAT/Route mode installation 3 Select New to add a route for connections to the network of ISP1: Destination IP 100.100.100.0; Mask 255.255.255.0; Gateway 1 1.1.1.1; Gateway 2 2.2.2.1; Device 1 port2; Device 2 port3. 4 Select New to add a route for connections to the network of ISP2: Destination IP 200.200.200.0; Mask 255.255.255.0; Gateway 1 2.2.2.1; Gateway 2 1.1.1.1; Device 1 port3; Device 2 port2; Select OK. 5 Change the order of the routes in the routing table to move the default route below the other two routes: For the default route, select Move to. Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3. Select OK. Adding the ro
386. traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first gateway fails. FortiGate 400 Installation and Configuration Guide 143 Configuring routing 144 Network configuration To support routing failover, the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway. See Adding a ping server to an interface on page 136. Adding destination-based routes to the routing table Go to System > Network > Routing Table. Select New to add a new route. Type the Destination IP address and netmask for the route. Add the IP address of Gateway 1. Gateway 1 is the IP address of the primary destination for the route. Gateway 1 must be on the same subnet as a FortiGate interface. If you are adding a static route from the FortiGate unit to a single destination router, you only need to specify one gateway. Optionally, add the IP address of Gateway 2 if you want to route traffic to multiple gateways. Set Device 1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway 1. You can select the name of an interface, a VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface, the traffic is routed to that interface. If you select Auto, the system selects the interface according to the following rules: If the Gateway 1 IP address is
387. translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets. Fortinet Inc. Firewall configuration Virtual IPs This section describes: Adding static NAT virtual IPs; Adding port forwarding virtual IPs; Adding policies with virtual IPs. Adding static NAT virtual IPs 1 Go to Firewall > Virtual IP. 2 Select New to add a virtual IP. 3 Enter a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters and _. Other special characters and spaces are not allowed. Select the virtual IP External Interface. The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network. You can select a firewall interface or a VLAN subinterface. Make sure Type is set to Static NAT. In the External IP Address field, enter the external IP address to be mapped to an address on the destination network. For example, if the virtual IP provides access from the Internet to a
388. tted over any other arbitrary network protocol by encapsulating the packets of the protocol within GRE packets. Protocol 47. AH: Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode. Protocol 51. ESP: Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE. Protocol 50. AOL: AOL instant messenger protocol. tcp 5190-5194. BGP: Border Gateway Protocol routing protocol. BGP is an interior/exterior routing protocol. tcp 179. DHCP Relay: Dynamic Host Configuration Protocol (DHCP) allocates network addresses and delivers configuration parameters from DHCP servers to hosts. udp 67. DNS: Domain name service for translating domain names into IP addresses. tcp 53, udp 53. FINGER: A network service that provides information about users. tcp 79. FTP: FTP service for transferring files. tcp 21. GOPHER: Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files. tcp 70. Fortinet Inc. Firewall configuration Table 6: FortiGate predefined services (Continued) Services
389. ult gateway 64 HA 82 management interface 138 management IP address 64 trap community SNMP 163 traps SNMP 164 troubleshooting 233 trusted host administrator account 160 161 306 U UDP configuring checksum verification 250 unwanted content blocking 268 278 update 285 attack 118 push 119 updated antivirus 118 updating attack definitions 115 119 virus definitions 115 119 upgrade firmware 95 upgrading firmware 94 firmware using the CLI 95 97 firmware using the web based manager 95 96 URL adding to exempt URL list 275 280 adding to URL block list 269 279 blocking access 269 279 URL block list adding URL 269 279 clearing 270 downloading 271 uploading 271 URL block message 268 URL blocking exempt URL list 275 279 URL exempt list see also exempt URL list 275 279 user authentication 201 user groups configuring 207 deleting 208 user name and password adding 203 adding user name 202 user defined services 184 user defined signature NIDS 252 V Viewing 264 viewing dialup connection status 233 logs 290 logs saved to memory 289 VPN tunnel status 233 virtual IP 188 adding 189 port forwarding 188 190 static NAT 188 virus definition updates downloading 130 131 Fortinet Inc virus definitions updating 115 119 virus incidents enabling alert email 293 virus list displaying 266 viewing 266 virus log 284 virus protection overview 259 worm protection 15 VLAN configuring 139 network configurat
390. ure 3: FortiGate login (figure: the FortiGate 400 login dialog with Name and Password fields). 32 Fortinet Inc. Getting started Connecting to the command line interface (CLI) Connecting to the command line interface (CLI) As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service. To connect to the FortiGate CLI you need: a computer with an available communications port; the null modem cable included in your FortiGate package; terminal emulation software such as HyperTerminal for Windows. Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program. To connect to the CLI: Connect the null modem cable to the communications port of your computer and to the FortiGate Console port. Make sure that the FortiGate unit is powered on. Start HyperTerminal, enter a name for the connection, and select OK. Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK. Select the following port settings and select OK: Bits per second 9600; Data bits 8; Parity None; Stop bits 1; Flow control None. Press Enter to connect to the FortiG
391. ures 252 NTP 51 64 183 296 NTP server 157 setting system date and time 157 O one time schedule 186 creating 186 operating mode changing 109 Outbound NAT encrypt policy 175 override serve adding 118 119 oversized files and email blocking 266 overwrite log option 283 P password adding 202 changing administrator account 161 Fortinet support 130 recovering a lost Fortinet support 128 PAT 190 permission administrator account 161 303 Index ping management access 139 policy accept 174 Anti Virus amp Web filter 176 arranging in policy list 177 Comments 177 deny 174 disabling 178 enabling 178 enabling authentication 207 fixed port 174 guaranteed bandwidth 175 Log Traffic 177 matching 177 maximum bandwidth 175 policy list configuring 177 policy routing 146 POP3 183 296 port address translation 190 port forwarding 190 adding virtual IP 190 virtual IP 188 port number traffic filter display 287 power requirements 31 powering on 31 PPTP 207 296 configuring gateway 236 242 configuring Windows 2000 client 239 configuring Windows 98 client 238 configuring Windows XP client 240 enabling 236 242 ending IP address 236 242 network configuration 236 starting IP 236 242 PPTP dialup connection configuring Windows 2000 client 239 configuring Windows 98 client 239 configuring Windows XP client 240 PPTP gateway configuring 236 predefined services 182 pre shared keys introduction 210 prevention NID
392. us and attack definitions updates and registration Adding a port forwarding virtual IP to the FortiGate NAT device Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network. To configure the FortiGate NAT device: Go to Firewall > Virtual IP. Select New. Add a name for the virtual IP. Select the External interface that the FDN connects to. For the example topology, select the external interface. Select Port Forwarding. Enter the External IP address that the FDN connects to. For the example topology, enter 64.230.123.149. Enter the External Service Port that the FDN connects to. For the example topology, enter 45001. Set Map to IP to the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99. Set the Map to Port to 9443. Set Protocol to UDP. Select OK. Fortinet Inc. Virus and attack definitions updates and registration FortiGate 400 Installation and Configuration Guide Updating antivirus and attack definitions Figure 3: Push update port forwarding virtual IP (Add New Virtual IP Mapping: Name Push_VIP, External Interface
...use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown in the upper right corner of the graph.

Monitoring cluster sessions

To view the current primary unit communication sessions:
1. Connect to the cluster and log into the web-based manager.
2. Go to System > Status > Session.
The session table displays the sessions processed by the primary unit in the cluster. The sessions include HA communications between the primary unit and the subordinate units.

Viewing and managing cluster log messages

To view log messages for each cluster member:
1. Connect to the cluster and log into the web-based manager.
2. Go to Log & Report > Logging.
The primary unit Traffic log, Event log, Attack log, Antivirus log, Web Filter log and Email Filter log are displayed. The pull-down list at the upper right of the display identifies the unit for which logs are displayed. The primary unit is identified as Local and the other units in the cluster are listed by serial number.
3. Select the serial number of one of the units in the cluster to display the logs for this cluster unit. You can view logs saved to memory or logs saved to the hard disk, depending on the configuration of the cluster unit.
For each cluster unit:
- You can view and search log messages; see Viewing logs saved to memory on page 289 and Viewing and managing lo...
...users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.
To remove users, RADIUS servers or LDAP servers from the user group, select a user, RADIUS server or LDAP server from the Members list and select the left arrow to remove it from the group.
Select OK.

Deleting user groups

You cannot delete user groups that have been selected in a policy, in a dialup user phase 1 configuration, or in a PPTP or L2TP configuration.

To delete a user group:
1. Go to User > User Group.
2. Select Delete beside the user group that you want to delete.
3. Select OK.

IPSec VPN

A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client to gain remote access to his private office network. In both case...
...ush update configuration (Allow Push Update: enabled; Use override push IP: 64.230.123.149; Port: 45001)
Select Apply.
You can select Refresh to make sure that push updates work. Push Update should change to Available.

Scheduled updates through a proxy server

If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (tunnel) to the FDN through the proxy server. Using the command you can specify the IP address and port of the proxy server. If the proxy server requires authentication, you can also add the user name and password required by the proxy server to the autoupdate configuration.

The full syntax for enabling updates through a proxy server is:

set system autoupdate tunneling enable address <proxy-address_ip> port <proxy-port> [username <username_str> password <password_str>]

For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:

set system autoupdate tunneling enable address 64.23.6.89 port 8080

For more information about the set system autoupdate command, see Volume 6: FortiGate CLI Reference Guide.

The FortiGate unit connects to the proxy server using the HTTP CONNECT method, which RFC 2616 reserves for tunnelling through proxies (the method itself is specified in RFC 2817). The FortiGate unit sends an HTTP CONNECT request to the proxy server, optionally with authentication information...
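The CONNECT exchange described above, as an added example that is not FortiGate code and not from the manual. It builds the client's CONNECT request, answers it with a toy proxy, and parses the proxy's status line. The FDN host name, the proxy credentials and the use of Basic authentication (Proxy-Authorization, RFC 7617) are assumptions for the example; the manual only says authentication information is sent optionally. The point worth seeing in code: a Basic token is only base64, so the autoupdate proxy password is readable by anyone between the unit and the proxy.

```python
import base64

# Constructed values for the example: the FDN host/port the unit tunnels to
# and the proxy credentials from the autoupdate configuration. None of these
# come from the manual.
FDN_HOST = "fdn.example.invalid"
FDN_PORT = 443
PROXY_USER, PROXY_PASS = "fgt", "s3cret"


def basic_token(username, password):
    """Proxy-Authorization credential as a Basic token (RFC 7617): base64 only,
    so it is readable by anyone who can see the unit-to-proxy traffic."""
    return base64.b64encode(f"{username}:{password}".encode()).decode("ascii")


def build_connect_request(host, port, username=None, password=None):
    """Client side: the CONNECT request sent to the proxy.
    Assumption: the proxy authenticates with Basic (the manual does not say)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        lines.append(f"Proxy-Authorization: Basic {basic_token(username, password)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def proxy_handle_connect(raw_request, required_token=None):
    """Proxy side (a toy, not any real proxy): 407 when the Basic token is
    missing or wrong, 200 when the TCP tunnel is opened."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    request_line, *header_lines = head.split("\r\n")
    method, _target, _version = request_line.split(" ", 2)
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if required_token is not None and headers.get("proxy-authorization") != f"Basic {required_token}":
        return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(raw):
    """Client side again: read the proxy's status line. Returns (code, tunnel_open).
    Any 2xx means the tunnel is up and the client may start TLS to the FDN
    through it; 407 means the proxy wants (different) credentials."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    return code, 200 <= code < 300


def tunnel_exchange(username=None, password=None, proxy_requires_auth=True):
    """Run both sides offline and return the (code, tunnel_open) the client sees."""
    required = basic_token(PROXY_USER, PROXY_PASS) if proxy_requires_auth else None
    request = build_connect_request(FDN_HOST, FDN_PORT, username, password)
    response = proxy_handle_connect(request, required)
    return parse_connect_response(response)


if __name__ == "__main__":
    print(build_connect_request(FDN_HOST, FDN_PORT, PROXY_USER, PROXY_PASS).decode())
    print(tunnel_exchange(PROXY_USER, PROXY_PASS))   # (200, True)
    print(tunnel_exchange())                          # (407, False): no credentials sent
```

Run it to see the request bytes; the Proxy-Authorization header decodes back to the user name and password with one base64 call, which is why the proxy account used for autoupdate should have no other privileges.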
...usually the Internet.
- Interface 3 is the interface to the DMZ network.
- Interface 4 (HA) is the redundant interface to the external network.

You must configure routing to support redundant Internet connections. Routing can be used to automatically redirect connections from an interface if its connection to the external network fails. Otherwise, security policy configuration is similar to a NAT/Route mode configuration with a single Internet connection. You would create NAT mode policies to control traffic flowing between the internal private network and the external public network, usually the Internet. If you have multiple internal networks, such as a DMZ network in addition to the internal private network, you could create Route mode policies for traffic flowing between them.

Figure 5: Example NAT/Route multiple Internet connection configuration. FortiGate 400 unit in NAT/Route mode: Port 1 192.168.1.1 to the internal network (host 192.168.1.3); Port 2 204.23.1.5 to the Internet; Port 4 (HA) 64.83.32.45, redundant connection to the Internet; Port 3 10.10.10.2 to the DMZ network (host 10.10.10.23). Route mode policies control traffic between internal networks; NAT mode policies control traffic between internal and external networks.

Getting started: Planning your FortiGate configuration

Transparent mode

In Transparent mode the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be o...
...ut Queue, Output Delay

RIP Timer: Update 30 secs; Invalid 180 secs; Holddown 180 secs; Flush 240 secs

Configuring RIP for FortiGate interfaces

You can create a unique RIP configuration for each FortiGate interface and VLAN subinterface. This allows you to customize RIP for the network to which each interface or VLAN subinterface is connected. For example:
- If you have a complex network connected to port1 that contains devices that use the RIP2 protocol, you might want to configure RIP2 send and receive for this interface.
- If port2 is connected to the Internet, you may not want to enable RIP send for this interface, so that the internal routes are not exposed to the Internet. However, you may want to configure RIP receive so that the FortiGate unit receives routes from your ISP. Accepting RIP updates on an interface lets any host on that segment inject routes unless RIP2 authentication is enabled (RIP1 has no authentication), so configure Authentication and a Password on any interface that receives RIP from a network you do not control.
- If port3 is connected to a small DMZ network, you may not need to configure RIP for this interface.

To configure RIP for FortiGate interfaces:
1. Go to System > RIP > Interface. On this page you can view a summary of the RIP settings for each FortiGate interface.
2. Select Modify for the interface for which to configure RIP settings.
3. Configure the following RIP settings: RIP1 Send, RIP1 Receive, RIP2 Send, RIP2 Receive, Split Horizon, Authentication, Password, Mode...
...utes using the CLI

1. Add the route for connections to the network of ISP2:
set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3
2. Add the route for connections to the network of ISP1:
set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 port3 gw2 1.1.1.1 dev2 port2
3. Add the default route for primary and backup links to the Internet:
set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3

The routing table should have routes arranged as shown in Table 13.

Table 13: Example combined routing table
Destination IP | Mask | Gateway 1 | Device 1 | Gateway 2 | Device 2
100.100.100.0 | 255.255.255.0 | 1.1.1.1 | port2 | 2.2.2.1 | port3
200.200.200.0 | 255.255.255.0 | 2.2.2.1 | port3 | 1.1.1.1 | port2
0.0.0.0 | 0.0.0.0 | 1.1.1.1 | port2 | 2.2.2.1 | port3

NAT/Route mode installation: Configuration example, multiple connections to the Internet

Policy routing examples

Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top of it to increase the control provided by destination-based routing. For example, if you have used destination-based routing to configure routing for dual Internet connections, you can use policy routing...
... 157
Setting system date and time 157
Changing web-based manager options 158
Adding and editing administrator accounts 160
Adding new administrator accounts 160
Editing administrator accounts 161
Configuring SNMP 162
Configuring the FortiGate unit for SNMP monitoring 162
Configuring FortiGate SNMP support 162
FortiGate MIBs 163
FortiGate traps 164
Customizing replacement messages 164
Customizing replacement messages 165
Customizing alert emails 166
Firewall configuration 169
Default firewall configuration 170
...
Table 9 (continued): FortiGate maximum values matrix. Columns: FortiGate model 50, 60, 100, 200, 300, 400, 500, 1000, 2000, 3000, 3600
...way: 500 for all models
Admin user: 500 for all models
IPsec Phase 1: 20, 50, 80, 200, 1500, 1500, 3000, 5000, 5000, 5000, 5000
VPN concentrator: 500 for all models
VLAN subinterface: N/A, N/A, N/A, N/A, N/A, 1024, 1024, 2048, 2048, 8192, 8192
Zone: N/A, N/A, N/A, N/A, N/A, 100, 100, 200, 200, 300, 500
IP pool: 50 for all models
RADIUS server: 6 for all models
File pattern: 56 for all models
PPTP user: 500 for all models
L2TP user: 500 for all models
URL block: no limit
Content block: no limit
Exempt URL: no limit

Next steps

Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks. If you are going to operate the FortiGate unit in NAT/Route mode, go to NAT/Route mode installation on page 45. If you are going to operate...
...way to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Select a Remote Gateway address type. If the remote VPN peer has a static IP address, select Static IP Address. If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User. Depending upon the Remote Gateway address type you have selected, other fields become available.

Remote Gateway, Static IP Address: if you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiGate unit. This is a mandatory entry.

Remote Gateway, Dialup User: if you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers with peer IDs during phase 1 negotiations. For details see step 2.

Select Aggressive or Main (ID Protection) mode. When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden. The VPN peers must use the same mode. With a pre-shared key, aggressive mode also lets a passive listener capture the authentication hash and guess the key offline, so use main mode unless the remote peer requires aggressive mode.

Configure the P1 Proposal. Select up to three encryption and authentication algor...
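To make the aggressive-mode exposure concrete, here is an added example (not from the manual and not FortiGate code) that parses the unencrypted part of an ISAKMP message as laid out in RFC 2408 and reports whether a peer identity is readable. The exchange-type and payload-type numbers are the RFC's; the two messages are constructed in the block, including the FQDN branch.example.invalid, and the main-mode message 5 uses a stand-in body for what would be ciphertext. The same parser would run over a packet capture of UDP port 500 taken on the external interface.

```python
import struct

# ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length.
PAYLOAD_HDR = struct.Struct("!BBH")
FLAG_ENCRYPTION = 0x01

EXCHANGE_IDENTITY_PROTECTION = 2     # main mode
EXCHANGE_AGGRESSIVE = 4
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_FQDN = 2                           # identification type (RFC 2407)


def build_isakmp(exchange_type, payloads, flags=0):
    """Assemble a message from (payload_type, body) pairs. Cookies are constructed."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange_type,
                          flags, 0, ISAKMP_HDR.size + len(chain))
    return hdr + chain


def parse_isakmp(data):
    """Return (exchange_type, flags, [(payload_type, body), ...]).
    When the encryption flag is set the payload chain is ciphertext and is not walked."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, _ver, etype, flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram")
    payloads = []
    if flags & FLAG_ENCRYPTION:
        return etype, flags, payloads
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload header")
        following, _res, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((nxt, data[off + PAYLOAD_HDR.size:off + plen]))
        off += plen
        nxt = following
    return etype, flags, payloads


def exposed_identity(data):
    """Identity carried in the clear, or None. In main mode the ID payload
    travels in encrypted messages 5 and 6, so this returns None for them."""
    _etype, _flags, payloads = parse_isakmp(data)
    for ptype, body in payloads:
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type = body[0]                 # then protocol id (1 byte), port (2), data
            if id_type == ID_FQDN:
                return body[4:].decode("ascii", "replace")
            return body[4:].hex()
    return None


def is_aggressive_mode(data):
    return parse_isakmp(data)[0] == EXCHANGE_AGGRESSIVE


# Constructed aggressive-mode message 1: SA, KE, NONCE and ID, all in the clear.
AGGRESSIVE_MSG1 = build_isakmp(EXCHANGE_AGGRESSIVE, [
    (PAYLOAD_SA, b"\x00\x00\x00\x01" + b"\x00" * 8),
    (PAYLOAD_KE, b"\xaa" * 16),
    (PAYLOAD_NONCE, b"\xbb" * 16),
    (PAYLOAD_ID, bytes([ID_FQDN, 17]) + (500).to_bytes(2, "big") + b"branch.example.invalid"),
])
# Constructed main-mode message 1 carries only the SA; the ID comes later, encrypted.
MAIN_MSG1 = build_isakmp(EXCHANGE_IDENTITY_PROTECTION,
                         [(PAYLOAD_SA, b"\x00\x00\x00\x01" + b"\x00" * 8)])
# Constructed main-mode message 5: the body stands in for ciphertext.
MAIN_MSG5 = build_isakmp(EXCHANGE_IDENTITY_PROTECTION,
                         [(PAYLOAD_ID, b"\x02\x11\x01\xf4branch.example.invalid")],
                         flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, msg in (("aggressive msg1", AGGRESSIVE_MSG1), ("main msg1", MAIN_MSG1),
                      ("main msg5", MAIN_MSG5)):
        mode = "aggressive" if is_aggressive_mode(msg) else "main"
        print(f"{name}: {mode}, identity in clear: {exposed_identity(msg)}")
```

The parser also rejects a datagram whose header length does not match what arrived, which is the first sanity check to apply before trusting any payload length field from the network.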
...web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique address that is not used by another host and cannot be the same as the IP address of the External Interface selected in step 4. However, this address must be routed to this interface.

Figure 12: Adding a static NAT virtual IP (Add New Virtual IP Mapping; Name: Web_Server; External Interface: ...; Type: Static NAT / Port Forwarding; External IP Address: 173.87.39.21; Map to IP: 10.10.10.5)

In the Map to IP field, enter the real IP address on the destination network, for example the IP address of a web server on an internal network.

Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address instead of the firewall external address.

Select OK to save the virtual IP. You can now add the virtual IP to firewall policies.

Adding port forwarding virtual IPs

1. Go to Firewall > Virtual IP.
2. Select New to add a virtual IP.
3. Enter a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Select the vi...
...wing policy routes to direct all HTTP traffic using port 80 to one external network and all other traffic to the other external network.

1. Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP address 1.1.1.1 (the port range is given as low and high values, both 80 here):
set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1
2. Enter the following command to route all other traffic to the next hop gateway with IP address 2.2.2.1:
set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1

Configuration example, multiple connections to the Internet: NAT/Route mode installation

Firewall policy example

Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple Internet connections has been configured, you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect. For traffic originating on the internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which Internet connection is actually used.

Adding a redundant default policy

Figure 8 on page 53 shows a FortiGate unit connected to the Internet using...
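How the two routing layers combine, as an added example (not FortiGate code and not from the manual): a small model of destination routes with primary and backup gateways, with policy routes consulted first. Table 13 and the two policy routes above are the manual's values; the Route, PolicyRoute and Packet types, the sample packets, and the rule that a policy route whose gateway sits behind a failed interface is skipped rather than blackholing traffic are assumptions for the example (the manual only describes failover for destination routes). It generalises the text by accepting any protocol and port range, not only TCP 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(cidr):
    return ipaddress.IPv4Network(cidr)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    """Destination route with a primary (gw1/dev1) and backup (gw2/dev2) gateway."""
    dst: ipaddress.IPv4Network
    gw1: str
    dev1: str
    gw2: str
    dev2: str


@dataclass(frozen=True)
class PolicyRoute:
    """set system route policy <n> src ... dst ... [protocol <n> port <low> <high>] gw <ip>"""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gw: str
    protocol: Optional[int] = None    # IP protocol number; None matches any protocol
    port_low: int = 0
    port_high: int = 65535


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                     # 6 = TCP, 17 = UDP
    dport: int


ROUTES = [  # Table 13
    Route(net("100.100.100.0/24"), "1.1.1.1", "port2", "2.2.2.1", "port3"),
    Route(net("200.200.200.0/24"), "2.2.2.1", "port3", "1.1.1.1", "port2"),
    Route(net("0.0.0.0/0"),        "1.1.1.1", "port2", "2.2.2.1", "port3"),
]

POLICY_ROUTES = [  # the two policy routes from the example
    PolicyRoute(ANY, ANY, "1.1.1.1", protocol=6, port_low=80, port_high=80),
    PolicyRoute(ANY, ANY, "2.2.2.1"),
]


def gateway_device(routes, gw):
    """Interface a gateway sits behind, read off the destination routes."""
    for r in routes:
        if r.gw1 == gw:
            return r.dev1
        if r.gw2 == gw:
            return r.dev2
    return None


def destination_route(routes, dst, down=frozenset()):
    """Longest-prefix match; gateway 1 unless its device is down, then gateway 2."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst_ip in r.dst]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r.dst.prefixlen)
    if best.dev1 not in down:
        return best.gw1, best.dev1
    if best.dev2 not in down:
        return best.gw2, best.dev2
    return None


def next_hop(pkt, routes=ROUTES, policy_routes=POLICY_ROUTES, down=frozenset()):
    """Policy routes first, in order; destination routing is the fallback.
    Assumption (not in the manual): a policy route whose gateway is behind a
    failed interface is skipped instead of blackholing the traffic."""
    src_ip, dst_ip = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for pr in policy_routes:
        if src_ip not in pr.src or dst_ip not in pr.dst:
            continue
        if pr.protocol is not None:
            if pkt.protocol != pr.protocol or not pr.port_low <= pkt.dport <= pr.port_high:
                continue
        dev = gateway_device(routes, pr.gw)
        if dev in down:
            continue
        return pr.gw, dev
    return destination_route(routes, pkt.dst, down)


if __name__ == "__main__":
    # Constructed sample packets from the internal host in Figure 5.
    web = Packet("192.168.1.3", "203.0.113.10", 6, 80)
    dns = Packet("192.168.1.3", "203.0.113.10", 17, 53)
    print(next_hop(web))                    # ('1.1.1.1', 'port2') via policy route 1
    print(next_hop(dns))                    # ('2.2.2.1', 'port3') via policy route 2
    print(next_hop(web, down={"port2"}))    # ('2.2.2.1', 'port3') policy route 1 skipped
    print(next_hop(dns, policy_routes=[]))  # ('1.1.1.1', 'port2') default route alone
```

Note what the second policy route does: because it matches everything, the destination routes in Table 13 only decide the path when no policy route matches or its gateway is unreachable, so a catch-all policy route quietly overrides the per-ISP routes configured earlier.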
Table 6 (continued): FortiGate predefined services
Service name | Description | Protocol | Port
NTP | Net...work Time Protocol, for synchronizing a computer's time with a time server | tcp | 123 (NTP itself uses UDP port 123; verify the protocol of this predefined service before relying on it in a policy)
OSPF | Open Shortest Path First routing protocol. OSPF is a common link-state routing protocol | IP protocol 89 | -
PC Anywhere | PC Anywhere is a remote control and file transfer protocol | udp | 5632
PING | Packet Internet Groper is a utility to determine whether a specific host is accessible by its IP address | icmp | type 8 (echo request)
POP3 | Post Office Protocol, email protocol for downloading email from a POP3 server | tcp | 110
PPTP | Point-to-Point Tunneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet | tcp | 1723
QUAKE | For connections used by the popular Quake multi-player computer game | udp | 26000, 27000, 27910, 27960
RAUDIO | For streaming RealAudio multimedia traffic | udp | 7070
RLOGIN | Rlogin service for remotely logging into a server | tcp | 513
RIP | Routing Information Protocol is a common distance-vector routing protocol | udp | 520
SMTP | For sending mail between email servers on the Internet | tcp | 25
SNMP | Simple Network Management Protocol is a set of protocols for managing complex networks | tcp, udp | 161, 162
SSH | SSH service for...
...works. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.

SSH: Secure Shell. A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong authentication and secure communications over insecure channels.

Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100 would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.

Subnet Address: The part of the IP address that identifies the subnetwork.

TCP: Transmission Control Protocol. One of the main protocols in TCP/IP networks. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

Glossary

UDP: User Datagram Protocol. A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used...
...y to guess.
- The product model and serial number for each FortiGate unit to be registered. The serial number is located on a label on the bottom of the FortiGate unit. You can view the serial number from the web-based manager by going to System > Status. The serial number is also available from the CLI using the get system status command.
- FortiCare Support Contract numbers, if you have purchased FortiCare Support Contracts for the FortiGate units to be registered.

To register one or more FortiGate units:
1. Go to System > Update > Support.
2. Enter your contact information into the product registration form.

Virus and attack definitions updates and registration: Registering FortiGate units

Figure 5: Registering a FortiGate unit, contact information and security question (form fields: First Name, Last Name, Company, Title, Email, Address 1, Address 2, City, State, Country, Zip, Region, Contact phone, Fax Number, Security Question, Answer to Security Question. The security question and answer are used if you forget your password.)

3. Provide a security question and an answer to the security question.
4. Select the model number of the Product Mode...
...y IPSec policy.

Configuring L2TP: PPTP and L2TP VPN

Connecting to the L2TP VPN
1. Connect to your ISP.
2. Start the VPN connection that you configured in the previous procedure.
3. Enter your L2TP VPN User Name and Password.
4. Select Connect.
5. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.

Network Intrusion Detection System (NIDS)

The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.

This chapter describes:
- Detecting attacks
- Preventing attacks
- Logging attacks

Detecting attacks

The NIDS Detection module detects a wide variety of suspicious network traffic and network-based attacks. Use the following procedures to configure the general NIDS settings and the NIDS Detection module Signature List. For the general NIDS settings you need to select which interfaces will be monitored for network-based attacks. You also need to decide whether to enable checksum verification. Checksum verificat...
...you are configuring the FortiGate unit to operate in NAT/Route mode, you can use the control buttons and LCD to add the IP addresses of the FortiGate interfaces as well as the external default gateway. If you are configuring the FortiGate unit to operate in Transparent mode, you can use the control buttons and LCD to switch to Transparent mode. Then you can add the management IP address and default gateway.

FortiGate model maximum values matrix

Table 9: FortiGate maximum values matrix. Columns: FortiGate model 50, 60, 100, 200, 300, 400, 500, 1000, 2000, 3000, 3600
Policy: 200, 500, 1000, 2000, 5000, 5000, 20000, 50000, 50000, 50000, 50000
Address: 500, 500, 500, 500, 3000, 3000, 6000, 10000, 10000, 10000, 10000
Address group: 500 for all models
Service: 500 for all models
Service group: 500 for all models
Recurring schedule: 256 for all models
One-time schedule: 256 for all models
User: 20, 500, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000
User group: 100 for all models
Group members: 300 for all models
Virtual IPs: 500 for all models
IP/MAC binding: 50, 100, 1000, 1000, 2000, 2000, 2000, 5000, 5000, 5000, 5000
Route: 500 for all models
Policy route gate...
...ys or pre-shared keys. For this reason, certificates are best suited to large network deployments.

IPSec VPN: Manual key IPSec VPNs

Manual key IPSec VPNs

When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to the encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary 32-bit value that, together with the destination address, identifies the security association, so that the receiving peer can select the right keys and algorithms for each incoming packet. With other methods the SPI is generated automatically, but with the manual key configuration it must be entered as part of the VPN setup. The encryption and authentication keys must match on the local and remote peers, and the SPI values must be mirror images of each other: the local SPI on one peer is the remote SPI on the other. After you enter these values, the VPN tunnel can start without any need for the authentication and encryption algorithms to be negotiated. So long as you have entered correct complementary values, the tunnel will be established between the peers. In essence, the tunnel already exists between the peers. As a result, when traffic matches a policy requiring the tunnel, it can be authenticated and encrypted immediately. Because nothing is negotiated, nothing is ever rekeyed either: the same keys protect all traffic until an administrator changes them, so they must be generated randomly, kept secret and rotated deliberately.

- General configuration steps for a manual key VPN
- Adding a manual key VPN tunnel

General configuration steps for a manual key VPN

A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt p...
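A check for the "complementary values" the passage describes, as an added example that is not FortiGate code and not from the manual: it validates one peer's manual-key settings (32-bit SPI outside the range 0-255 that RFC 4303 reserves, key length matching the algorithm, key not a repeated byte) and then confirms the two peers mirror their SPIs and share algorithms and keys. The field names (local_spi, remote_spi, enc_alg, enc_key, auth_alg, auth_key), the hex encoding of keys, and the algorithm names are assumptions for the example rather than FortiGate's own; the key sizes are the standard ones for each algorithm. generate_pair shows how to produce a correct pair with random keys instead of typing them by hand.

```python
import secrets

# Standard key sizes in bytes; the algorithm names are the example's own.
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
SPI_RESERVED_MAX = 255          # SPIs 0-255 are reserved (RFC 4303 section 2.1)


def _key_bytes(hexstr):
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None


def _check_key(problems, label, alg, hexkey, sizes):
    if alg not in sizes:
        problems.append(f"{label}: unknown algorithm {alg!r}")
        return
    key = _key_bytes(hexkey)
    want = sizes[alg]
    if key is None:
        problems.append(f"{label}: key is not valid hex")
    elif len(key) != want:
        problems.append(f"{label}: key is {len(key)} bytes, {alg} needs {want}")
    elif len(set(key)) == 1:
        problems.append(f"{label}: key is a repeated single byte (not random)")


def check_peer(cfg):
    """Problems with one side's manual-key settings, or an empty list."""
    problems = []
    for name in ("local_spi", "remote_spi"):
        spi = cfg[name]
        if not 0 <= spi <= 0xFFFFFFFF:
            problems.append(f"{name} {spi} is not a 32-bit value")
        elif spi <= SPI_RESERVED_MAX:
            problems.append(f"{name} {spi} is in the reserved range 0-255")
    _check_key(problems, "enc_key", cfg["enc_alg"], cfg["enc_key"], ENC_KEY_BYTES)
    _check_key(problems, "auth_key", cfg["auth_alg"], cfg["auth_key"], AUTH_KEY_BYTES)
    return problems


def check_complementary(a, b):
    """Both peers valid, SPIs mirrored (A's local is B's remote and vice versa),
    algorithms and keys identical. Returns the list of problems found."""
    problems = [f"peer A: {p}" for p in check_peer(a)] + [f"peer B: {p}" for p in check_peer(b)]
    if a["local_spi"] != b["remote_spi"]:
        problems.append(f"A local SPI {a['local_spi']} != B remote SPI {b['remote_spi']}")
    if a["remote_spi"] != b["local_spi"]:
        problems.append(f"A remote SPI {a['remote_spi']} != B local SPI {b['local_spi']}")
    for field in ("enc_alg", "enc_key", "auth_alg", "auth_key"):
        if a[field].lower() != b[field].lower():
            problems.append(f"{field} differs between peers")
    return problems


def _random_spi():
    return secrets.randbelow(0xFFFFFFFF - SPI_RESERVED_MAX) + SPI_RESERVED_MAX + 1


def generate_pair(enc_alg="aes256", auth_alg="sha1"):
    """Two complementary configs with fresh random keys and non-reserved SPIs."""
    enc_key = secrets.token_hex(ENC_KEY_BYTES[enc_alg])
    auth_key = secrets.token_hex(AUTH_KEY_BYTES[auth_alg])
    spi_a, spi_b = _random_spi(), _random_spi()
    a = {"local_spi": spi_a, "remote_spi": spi_b, "enc_alg": enc_alg, "enc_key": enc_key,
         "auth_alg": auth_alg, "auth_key": auth_key}
    b = dict(a, local_spi=spi_b, remote_spi=spi_a)
    return a, b


if __name__ == "__main__":
    peer_a, peer_b = generate_pair()
    print("generated pair problems:", check_complementary(peer_a, peer_b))   # []
    mistyped = dict(peer_b, remote_spi=peer_b["local_spi"])                  # SPIs not mirrored
    print("mistyped pair problems:", check_complementary(peer_a, mistyped))
```

Run the two checks against both peers' values before bringing the tunnel up: with manual keys there is no negotiation to fail loudly, so a mismatched key or un-mirrored SPI shows up only as silently dropped traffic.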
...zing addresses into address groups 181
Services 182
Predefined services 182
Providing access to custom services 184
Grouping services 185
Schedules 186
Creating one-time schedules 186
Creating recurring schedules 187
Adding a schedule to a policy 188
Virtual IPs 188
Adding static NAT virtual IPs 189
Adding port forwarding virtual IPs 190
Adding policies with virtual IPs 191
IP pools 192
Adding an IP pool 192
IP pools for firewall policies that use fixed ports 193
IP pools and dynamic NAT 193
IP/MAC...