Fortinet 100A User Manual


The proper user manual

Regulations oblige the seller to hand over the Fortinet 100A user manual to the buyer together with the goods. A missing manual, or incorrect information given to the consumer, is grounds for a complaint that the device does not conform to the contract. The law permits the manual to be supplied in a form other than paper, which has recently become common practice: a graphical or electronic manual for the Fortinet 100A, or instructional videos for users, may be enclosed instead. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin “instructio”, meaning to arrange. Accordingly, the Fortinet 100A manual describes the stages of the procedures to follow. The purpose of a manual is to instruct, and to simplify starting up and using the device or carrying out specific tasks. A manual is a collection of information about an object or a service, a set of guidance.

Unfortunately, few users devote their time to the Fortinet 100A user manual. A good manual not only lets you discover a range of additional functions of the purchased device but also helps you avoid many mistakes.

So what should an ideal user manual contain?

Above all, the Fortinet 100A user manual should contain:
- Information about the technical specifications of the Fortinet 100A
- The name of the manufacturer and the year of manufacture of the Fortinet 100A
- Principles of operation, adjustment and maintenance of the Fortinet 100A
- Safety marks and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

The reason is lack of time and confidence about the specific functions of the purchased devices. Unfortunately, simply connecting and starting the Fortinet 100A is not enough. A manual contains a series of notes on particular functions, safety principles, maintenance methods (even which products to use), possible faults of the Fortinet 100A, and ways of solving problems that may arise during use. Finally, the manual gives the contact number for Fortinet service if the suggested solutions do not work. Manuals in the form of engaging animations or video tutorials, which appeal to users more than a brochure, are currently gaining popularity. This kind of manual guarantees that the user watches the whole video without skipping the specific and complicated technical descriptions of the Fortinet 100A, as happens with the paper form.

Why should you read user manuals?

Above all, the user manual answers questions about the construction and capabilities of the Fortinet 100A and about the use of particular accessories, and provides a range of information that lets you use all of its functions and conveniences.

After a successful purchase of the device, you should set aside some time to get to know every part of the Fortinet 100A manual. Nowadays manuals are carefully prepared or translated so that they are not only understandable to users but also fulfil their basic function of providing help and information.

Contents of the user manual

  • Page 1

    FortiGate-100A Administration Guide (cover page with a front-panel illustration; port labels: INTERNAL, DMZ 1, DMZ 2, WAN 1, WAN 2, PWR, STATUS). FortiGate-100A Administration Guide, Version 2.80 MR7, 3 December 2004, 01-28007-0068-20041203[...]

  • Page 2

    © Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-1[...]

  • Page 3

    Contents. FortiGate-100A Administration Guide 01-28007-0068-20041203 3. Table of Contents: Introduction ... 13; About FortiGate Antivirus Firewalls ... 13; Antiv[...]

  • Page 4

    Contents (continued): Management ... 59; DNS ... 61; Routing table ([...]

  • Page 5

    Contents (continued): Replacement messages ... 106; Replacement messages list ... 106; Changing replacement mess[...]

  • Page 6

    Contents (continued): Policy ... 145; Policy route list ... 145; Policy route opt[...]

  • Page 7

    Contents (continued): Address ... 198; Address list ...[...]

  • Page 8

    Contents (continued): RADIUS ... 235; RADIUS server list ... 235; RADIUS server options ..[...]

  • Page 9

    Contents (continued): VPN configuration procedures ... 266; IPSec configuration procedures ... 266; PPTP configuration procedu[...]

  • Page 10

    Contents (continued): Web filter ... 309; Content block ... 311; Web content block list ...[...]

  • Page 11

    Contents (continued): MIME headers ... 331; MIME headers list ... 332; MIME he[...]

  • Page 12

    Contents (continued)[...]

  • Page 13

    Introduction: FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security [...]

  • Page 14

    [Introduction: Antivirus protection] The FortiGate-100A also supports advanced features such as multiple WAN and DMZ interfaces, 802.1Q VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing protocols. Antivirus protection: FortiGate ICSA-certified antivirus protection scans web (HTT[...]

  • Page 15

    [Introduction: Spam filtering] To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists. The exempt list also exempts web traffic this address from virus scanning. Web content filtering [...]

  • Page 16

    [Introduction: VLANs and virtual domains] NAT/Route mode: In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mo[...]

  • Page 17

    [Introduction: Intrusion Prevention System (IPS)] Intrusion Prevention System (IPS): The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention. The FortiGate unit can record suspicious traffic in logs, can send alert email to[...]

  • Page 18

    [Introduction: High availability] High availability: Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 [...]

  • Page 19

    [Introduction: Secure installation, configuration, and management] The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager. T[...]

  • Page 20

    [Introduction: Secure installation, configuration, and management] You enter: execute restore config myfile.bak. <xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns. <xxx_integer> indicates an integer string that is a decimal (base 10) number. <xxx_octet>[...]

  • Page 21

    [Introduction: Fortinet Knowledge Center] FortiGate documentation: Information about FortiGate products is available from the following guides: • FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit. • FortiGate Installation Guide [...]

  • Page 22

    [Introduction: FortiManager documentation] Related documentation: Additional information about Fortinet products is available from the following related documentation. FortiManager documentation: • FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Ser[...]

  • Page 23

    [Introduction: FortiLog documentation] FortiLog documentation: • FortiLog Administration Guide: Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log repo[...]

  • Page 24

    [Introduction: FortiLog documentation][...]

  • Page 25

    System status: You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and se[...]

  • Page 26

    [System status: Viewing system status] Status: View the system status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. All FortiGate administrators with read access to system configuration can view system status information. On HA clusters,[...]

  • Page 27

    [System status: Viewing system status] System status, Unit Information: Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see “Access profiles” [...]

  • Page 28

    [System status: Viewing system status] Interface Status: All interfaces in the FortiGate unit are listed in the table. System Resources: Reset: Select to reset the count values in the table to zero. HTTP: The number of URLs visited. Select Details to see the list of URLs, the time they were accessed and the IP a[...]

  • Page 29

    [System status: Changing unit information] Figure 3: Sample system resources history. History: The history page displays 6 graphs representing the following system resources and protection: Recent Intrusion Detections. Changing unit information: Administrators with system configuration wri[...]

  • Page 30

    [System status: Changing unit information] To change the FortiGate host name: The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “SNMP” on page 97. The default host name is[...]

  • Page 31

    [System status: Changing unit information] 3 In the Attack Definitions field of the Unit Information section, select Update. The Intrusion Detection System Definitions Update dialog box appears. 4 In the Update File field, type the path and filename for the attack definitions update f[...]

  • Page 32

    [System status: Changing unit information] Session list: The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. Figure 4: Sample session list. To view the session list: 1 Go to System > [...]

  • Page 33

    [System status: Upgrading to a new firmware version] Changing the FortiGate firmware: FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGat[...]

  • Page 34

    [System status: Upgrading to a new firmware version] 3 Go to System > Status. 4 Under Unit Information > Firmware Version, select Update. 5 Type the path and filename of the firmware image file, or select Browse and locate the file. 6 Select OK. The FortiGate unit uploads the firmware image file,[...]

  • Page 35

    [System status: Reverting to a previous firmware version] Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the T[...]

  • Page 36

    [System status: Reverting to a previous firmware version] 2 Log into the FortiGate web-based manager. 3 Go to System > Status. 4 Under Unit Information > Firmware Version, select Update. 5 Type the path and filename of the firmware image file, or select Browse and locate the file. 6 Select OK. [...]

  • Page 37

    [System status: Reverting to a previous firmware version] To use the following procedure you must have a TFTP server that the FortiGate unit can connect to. To revert to a previous firmware version using the CLI: 1 Make sure that the TFTP server is running. 2 Copy the firmware image fil[...]

  • Page 38

    [System status: Installing firmware images from a system reboot using the CLI] 11 Update antivirus and attack definitions. For information, see “To update antivirus and attack definitions” on page 120, or from the CLI, enter: execute update_now. Installing firmware images from a system reboot using the[...]

  • Page 39

    [System status: Installing firmware images from a system reboot using the CLI] 5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.1[...]

  • Page 40

    [System status: Installing firmware images from a system reboot using the CLI] 10 Type an IP address that the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP addr[...]

  • Page 41

    [System status: Testing a new firmware image before installing it] Testing a new firmware image before installing it: You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate [...]

  • Page 42

    [System status: Testing a new firmware image before installing it] If you successfully interrupt the startup process, one of the following messages appears: • FortiGate unit running v2.x BIOS: Enter TFTP Server Address [192.168.1.168]: Go to step 9. • FortiGate unit running v3.x BIOS: [G]: Get firmware i[...]

  • Page 43

    [System status: Installing and using a backup firmware image] Installing and using a backup firmware image: If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when re[...]

  • Page 44

    [System status: Installing and using a backup firmware image] 7 Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: 8 Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address[...]

  • Page 45

    [System status: Installing and using a backup firmware image] If you successfully interrupt the startup process, the following message appears: [G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and contin[...]

  • Page 46

    [System status: Installing and using a backup firmware image][...]

  • Page 47

    System network: System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring th[...]

  • Page 48

    [System network: Interface settings] Figure 5: Interface list. Interface settings: Interface settings displays the current configuration of a selected FortiGate interface or VLAN subinterface. Use interface settings to configure a new VLAN subinterface or to change the configuration of a FortiGate inte[...]

  • Page 49

    [System network: Interface settings] Figure 6: Interface settings. See the following procedures for configuring interfaces: • To bring down an interface that is administratively up • To start up an interface that is administratively down • To add interfaces to a zone • To[...]

  • Page 50

    [System network: Interface settings] The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see “VLAN overview” on page 63. Virtual Domain: Select a virtual domai[...]

  • Page 51

    [System network: Interface settings] PPPoE: If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the [...]

  • Page 52

    [System network: Interface settings] DDNS: Enable or disable updates to a Dynamic DNS (DDNS) service. When the FortiGate unit has a static domain name and a dynamic public IP address, select DDNS Enable to force the unit to update the DDNS server each time the address changes. In turn, the DDNS service u[...]

  • Page 53

    [System network: Configuring interfaces] MTU: To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks betwee[...]

  • Page 54

    [System network: Configuring interfaces] To add a VLAN subinterface: See “To add a VLAN subinterface in NAT/Route mode” on page 65. To bring down an interface that is administratively up: You can bring down physical interfaces or VLAN subinterfaces. Bringing down a physical interface also brings down[...]

  • Page 55

    [System network: Configuring interfaces] To change the static IP address of an interface: You can change the static IP address of any FortiGate interface. 1 Go to System > Network > Interface. 2 Choose an interface and select Edit. 3 Set Addressing Mode to Manual. 4 Change the IP[...]

  • Page 56

    [System network: Configuring interfaces] 9 Select the Connect to Server check box if you want the FortiGate unit to connect to the PPPoE server. 10 Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, and optionally default gateway IP ad[...]

  • Page 57

    [System network: Configuring interfaces] 3 Set Ping Server to the IP address of the next hop router on the network connected to the interface. 4 Select the Enable check box. 5 Select OK to save the changes. To control administrative access to an interface: For a FortiGate unit running i[...]

  • Page 58

    [System network: Zone settings] Zone: You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from [...]

  • Page 59

    [System network: Zone settings] To add a zone: 1 If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone. 2 Go to System > Network > Zone. 3 Select Create New. 4 In the New Zo[...]

  • Page 60

    [System network: Zone settings] Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of the Fo[...]

  • Page 61

    [System network: Zone settings] DNS: Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your FortiGate unit can connect. DNS server IP addresses are usually supplied by your ISP. You can configure [...]

  • Page 62

    [System network: Routing table list] Routing table (Transparent Mode): In Transparent mode, you can configure routing to add static routes from the FortiGate unit to local routers. Routing table list: Figure 12: Routing table. Transparent mode route settings: Figure 13: Transparent mode route options. To [...]

  • Page 63

    [System network: Transparent mode route settings] 4 Set Gateway to the IP address of the next hop routing gateway. For an Internet connection, the next hop routing gateway routes traffic to the Internet. 5 Select OK to save the route. VLAN overview: A VLAN is a group of PCs, servers, a[...]

  • Page 64

    [System network: FortiGate units and VLANs] FortiGate units and VLANs: In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing bet[...]

  • Page 65

    [System network: Adding VLAN subinterfaces] Figure 15 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external[...]

  • Page 66

    [System network: Adding VLAN subinterfaces] 5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. 6 Select the virtual domain to which to add this VLAN subinterface. See “System virtual domain” on page 131 for information about virtual domains. 7 Select th[...]

  • Page 67

    [System network: Adding VLAN subinterfaces] If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs. To support VLAN traffic in[...]

  • Page 68

    [System network: Rules for VLAN IDs] Figure 17: FortiGate unit in Transparent mode. Rules for VLAN IDs: In Transparent mode two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different phys[...]

  • Page 69

    [System network: Transparent mode VLAN list] Transparent mode VLAN list: In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces. Figure 18: Sample Transparent mode VLAN list. Transparent mode VLAN settings: VLAN settings displays the current configura[...]

  • Page 70

    [System network: Transparent mode VLAN settings] To add a VLAN subinterface in Transparent mode: The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical in[...]

  • Page 71

    [System network: Transparent mode VLAN settings] FortiGate IPv6 support: You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate u[...]

  • Page 72

    [System network: Transparent mode VLAN settings][...]

  • Page 73

    System DHCP: You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot pro[...]

  • Page 74

    [System DHCP: DHCP service settings] DHCP service settings: Go to System > DHCP > Service and select an edit or view icon to view or modify the DHCP service configuration for an interface. Figure 21: View or edit DHCP service settings for an interface. To configure an interface as a regular DHCP relay ag[...]

  • Page 75

    [System DHCP: DHCP service settings] To configure an interface to be a DHCP server: You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also config[...]

  • Page 76

    [System DHCP: DHCP server settings] DHCP server settings: Figure 23: Server options. To configure a DHCP server for an interface: After configuring an interface to be a DHCP server (using the procedure “To configure an interface to be a DHCP server” on page 75), you must configure a DHCP server for the i[...]

  • Page 77

    3 Add a name for the DHCP server. 4 Select the interface. 5 Configure the DHCP server. The IP range must match the subnet address of the network from which the DHCP request was received. Usually this would be the subnet connected to the interface fo[...]

  • Page 78

    DHCP exclude range settings The range cannot exceed 65536 IP addresses. Figure 25: Exclude range settings To add an exclusion range 1 Go to System > DHCP > Exclude Range. 2 Select Create New. 3 Add the starting IP and ending IP. 4 Select OK to save the excl[...]

  • Page 79

    DHCP IP/MAC binding settings Figure 27: IP/MAC binding options To add a DHCP IP/MAC binding pair 1 Go to System > DHCP > IP/MAC Binding. 2 Select Create New. 3 Add a name for the IP/MAC pair. 4 Add the IP address and MAC address. 5 S[...]

  • Page 80

    DHCP IP/MAC binding settings System DHCP[...]

  • Page 81

    System config Use the System Config page to make any of the following changes to the FortiGate system configuration: • System time • Options • HA • SNMP • Replacement messages • FortiManager System time Go to System >[...]

  • Page 82

    To manually set the FortiGate date and time 1 Go to System > Config > Time. 2 Select Refresh to display the current FortiGate system date and time. 3 Select your Time Zone from the list. 4 Optionally, select the Automatically adjust clock for daylight saving changes check box. 5 Select[...]

  • Page 83

    Figure 29: System config options To set the system idle timeout 1 Go to System > Config > Options. 2 For Idle Timeout, type a number in minutes. 3 Select Apply. To set the Auth timeout 1 Go to System > Config > Options. 2 For Auth Timeout, type a number[...]

  • Page 84

    To modify the dead gateway detection settings Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration. For information about adding a ping server to an interface, see “To add a ping server to an inter[...]

  • Page 85

    An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to th[...]

  • Page 86

    Cluster Members When the cluster is operating, you can select Cluster Members to view the status of all FortiGate units in the cluster. Status information includes the cluster ID, status, up time, weight, and monitor information. For more information, see “To view the[...]

  • Page 87

    You can use the unit priority to control the order in which cluster units become the primary cluster unit when a cluster unit fails. For example, if you have three FortiGate-3600s in a cluster you can set the unit priorities as shown in Table 4. [...]

  • Page 88

    Schedule If you are configuring an active-active cluster, select a load balancing schedule. Priorities of Heartbeat Device Enable or disable HA heartbeat communication and set the heartbeat priority for each interface in the cluster. By default HA heartbeat communicat[...]

  • Page 89

    You can enable heartbeat communications for physical interfaces, but not for VLAN subinterfaces. Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails, the HA heartbeat can be diverted to another interface. HA h[...]

  • Page 90

    Monitor priorities Monitor priorities and link failover are not supported for the internal interface. Enable or disable monitoring a FortiGate interface to verify that the interface is functioning properly and connected to its network. If a monitored interface[...]

  • Page 91

    1 Power on the FortiGate unit to be configured. 2 Connect to the web-based manager. 3 Give the FortiGate unit a unique host name. See “To change FortiGate host name” on page 30. Use host names to identify individual cluster units. 4 G[...]

  • Page 92

    To connect a FortiGate HA cluster Use the following procedure to connect a cluster operating in NAT/Route mode or Transparent mode. Connect the FortiGate units in the cluster to each other and to your network. You must connect all matching interfaces in the[...]

  • Page 93

    Figure 31: HA network configuration 2 Power on all the FortiGate units in the cluster. As the units start, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention and [...]

  • Page 94

    To configure weighted-round-robin weights By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster. If you configure a cluster to use the weighted round-robin schedule, from the CLI you can[...]

  • Page 95

    You can use the web-based manager to monitor the status and logs of individual cluster members. See “To view the status of each cluster member” on page 95 and “To view and manage logs for individual cluster units” on page 96. You[...]

  • Page 96

    To view and manage logs for individual cluster units 1 Connect to the cluster and log into the web-based manager. 2 Go to Log&Report > Log Access. The Traffic log, Event log, Attack log, Antivirus log, Web Filter log, and Email Filter log for the primary u[...]

  • Page 97

    If a subordinate unit fails, the cluster continues to function normally. Failure of a subordinate unit results in the following: • The cluster contains fewer FortiGate units. The failed unit no longer appears on the Cluster Members list. • T[...]

  • Page 98

    RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see “FortiGate MIBs” on page 101). This section describes: • Configuring SNMP • SNMP community • FortiGate MIBs • FortiGate traps • Forti[...]

  • Page 99

    SNMP community An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. You can add up to three S[...]

  • Page 100

    To configure SNMP access to an interface in NAT/Route mode Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See “To control administrative access to an interface” on pag[...]

  • Page 101

    To add an SNMP community 1 Go to System > Config > SNMP v1/v2c. 2 Select Create New. 3 Enter a Community Name to identify the SNMP community. 4 Configure Hosts, Queries, Traps, and SNMP Events. 5 Select OK. FortiGate MIBs The FortiGate SNMP ag[...]

  • Page 102

    FortiGate traps The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the [...]

  • Page 103

    Fortinet MIB fields The Fortinet MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details abou[...]

  • Page 104

    Table 14: System MIB fields MIB field Description model FortiGate model number, for example, 400 for the FortiGate-400. serial FortiGate unit serial number. version The firmware version currently running on the FortiGate unit. versionAv The antivirus definition versio[...]

  • Page 105

    Table 16: Administrator accounts MIB field Description index The index number of the administrator account added to the FortiGate unit. name The user name of an administrator account added to the FortiGate unit. addr Up to three trusted host IP a[...]

  • Page 106

    Replacement messages Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit adds replacement messages to a variety of content stream[...]

  • Page 107

    Changing replacement messages Figure 37: Sample HTTP virus replacement message Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement messa[...]

  • Page 108

    FortiManager Configure the FortiGate unit for IPSec communication between the FortiGate unit and a FortiManager server. When you enable this feature, all communication between the FortiGate unit and the FortiManager server takes place using VPN. Figure 38: F[...]

  • Page 109

    System administration When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You [...]

  • Page 110

    Administrators list Figure 39: Administrators list Administrators options Figure 40: Administrator account configuration To configure an administrator account 1 Go to System > Admin > Administrators. 2 Select Create New to add an administrator account or [...]

  • Page 111

    3 Type a login name for the administrator account. 4 Type and confirm a password for the administrator account. 5 Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.[...]

  • Page 112

    Access profile list Figure 42: Access profile list Access profile options Figure 43: Access profile options Create New Add a new access profile. Profile Name The name of the access profile. The Delete and Edit icons. You cannot delete the prof_admin access profil[...]

  • Page 113

    To configure an access profile 1 Go to System > Admin > Access Profile. 2 Select Create New to add an access profile, or select the edit icon to edit an existing access profile. 3 Enter a name for the access profile. 4 Select or c[...]

  • Page 114

    Access profile options System administration[...]

  • Page 115

    System maintenance Use the web-based manager to maintain the FortiGate unit. Backup and restore You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also r[...]

  • Page 116

    Backing up and Restoring To back up all configuration files 1 Go to System > Maintenance > Backup & Restore. 2 For All Configuration Files, select the Backup icon. 3 Enter a password. 4 Select OK. 5 Save the file. To restore all configuration file[...]

  • Page 117

    5 Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. 6 Reconnect to the web-based manager and review your configuration to confirm that the uploaded co[...]

  • Page 118

    Update center You can configure the FortiGate unit to connect to the FortiProtect Distribution Network (FDN) to update the antivirus (including grayware), Spam Filter and attack definitions and engines. Before the FortiGate unit can receive antivirus and [...]

  • Page 119

    Figure 45: Update center FortiProtect Distribution Network The status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN. You can configure the For[...]

  • Page 120

    Updating antivirus and attack definitions Use the following procedures to configure the FortiGate unit to connect to the FortiProtect Distribution Network (FDN) to update the antivirus (including grayware) definitions, attack definitions an[...]

  • Page 121

    2 Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your updat[...]

  • Page 122

    4 Select Apply. The FortiGate unit tests the connection to the override server. If the FortiProtect Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server. If the FortiProte[...]

  • Page 123

    There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates The FDN can push updates to FortiGate units to provide the fastest possible response to critical situa[...]

  • Page 124

    The FortiGate unit sends the SETUP message if you change the interface 2 IP address manually or if you have set the interface 2 addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. If you have redundant connections to the Inte[...]

  • Page 125

    8 In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Tra[...]

  • Page 126

    Figure 46: Support Sending a bug report Use the Report Bug form to send bug information to Fortinet support. Figure 47: Bug report Report Bug Select Report Bug to submit problems with the FortiGate unit to Fortinet Support. FDS Registration Select FDS Registration t[...]

  • Page 127

    To report a bug 1 Go to System > Maintenance > Support. 2 Select Report Bug. 3 Fill out the Report Bug form. 4 Select Submit. To configure a customized mail relay 1 Go to System > Maintenance > Support. 2 Select Report [...]

  • Page 128

    Soon you will also be able to: • Access Fortinet user documentation • Access the Fortinet knowledge base All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered Forti[...]

  • Page 129

    FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiGate units that you want to register. 1 Go to System > Maintenance > Support. 2 Select FDS Registration. 3 Enter your contact infor[...]

  • Page 130

    2 Select Reboot. 3 Select Apply. The FortiGate unit restarts. To shut down the system You can restart the FortiGate unit after shutdown only by turning the power off and then on. 1 Go to System > Maintenance > Shutdown. 2 Select Shutdown. 3 Sel[...]

  • Page 131

    System virtual domain FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to mul[...]

  • Page 132

    Virtual domain properties By default, each FortiGate unit runs a virtual domain named root. This virtual domain includes all of the FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.[...]

  • Page 133

    Shared configuration settings The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings. • U[...]

  • Page 134

    Administration and management In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the FortiGate unit. Administrators logging into the CLI or web-based man[...]

  • Page 135

    See the following procedures for configuring virtual domains: • To add VLAN subinterfaces to a virtual domain • To view the interfaces in a virtual domain • To add zones to a virtual domain • To select a management virtua[...]

  • Page 136

    To select a management virtual domain The following procedure applies to NAT/Route mode only. 1 Go to System > Virtual Domain > Virtual Domains. 2 Select Change beside the listed Management virtual domai[...]

  • Page 137

    2 Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. 3 Select Edit for the physical interface you want to move. 4 Choose the Virtual Domain t[...]

  • Page 138

    4 Select OK. 5 Go to System > Network > Zone. 6 Select Create new. See “Zone” on page 58. Any zones that you add are added to the current virtual domain. Configuring routing for a virtual domain To configure routing for a virtua[...]

  • Page 139

    6 Select Create new to add firewall policies to the current virtual domain. See “Policy” on page 190. You can only add firewall policies for the physical interfaces, VLAN subinterfaces, or zones added [...]

  • Page 140

    Configuring IPSec VPN for a virtual domain To configure VPN for a virtual domain The following procedure applies to NAT/Route and Transparent mode. 1 Go to System > Virtual domain > Virtual domains. 2 Select Change following the c[...]

  • Page 141

    Router This chapter describes how to configure FortiGate routing and RIP. It contains the following sections: • Static • Policy • RIP • Router objects • Monitor • CLI configuration Static A static route speci[...]

  • Page 142

    For example, consider Figure 50, which shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the default configuration and make the router the default gateway for the Fo[...]

  • Page 143

    Figure 51: Destinations on networks behind internal routers To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static r[...]

  • Page 144

    Static route options Figure 53: Static route configuration To add or edit a static route 1 Go to Router > Static > Static Route. 2 Select Create New to add a new route or select the edit icon beside an existing route to edit that route. 3 Enter the Destination IP ad[...]

  • Page 145

    Figure 54: Move a static route 3 For Move to, select either Before or After and type the number that you want to place this route before or after. 4 Select OK. The route is displayed in the new location on the static route list. Policy Using policy rou[...]

  • Page 146

    Policy route options Figure 56: Policy route configuration To add a policy route 1 Go to Router > Policy Route. 2 Select Create New to add a new policy route or select the edit icon beside an existing policy route to edit that policy route. 3 Optionally enter a Protocol num[...]

  • Page 147

    RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 57: RIP General settings[...]

  • Page 148

    To configure RIP general settings 1 Go to Router > RIP > General. 2 Select the default RIP Version. 3 Change the Default Metric if required. 4 Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP. 5 Only cha[...]

  • Page 149

    Networks options Figure 59: RIP Networks configuration To configure a RIP network 1 Go to Router > RIP > Networks. 2 Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network. 3 Enter [...]

  • Page 150

    Interface options Figure 61: RIP interface configuration Interface The FortiGate interface name. Send Version RIP routing messages are UDP packets that use port 520. Select 1 to configure RIP to send RIP version 1 messages from an interface. Select 2 to configure RIP to send [...]

  • Page 151

    To configure a RIP interface 1 Go to Router > RIP > Interface. 2 Select the edit icon beside an Interface to configure that interface. 3 Select a Send Version if you want to override the default send version for this interface. 4 Select a Receive Ver[...]

  • Page 152

    Distribute list options Figure 63: RIP Distribute list configuration To configure a distribute list 1 Go to Router > RIP > Distribute List. 2 Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that dist[...]

  • Page 153

    Offset list Use offset lists to add the specified offset to the metric of a route. Figure 64: RIP Offset list Offset list options Figure 65: RIP Offset list configuration To configure an offset list 1 Go to Router > RIP > Offset List. 2 Select Create New [...]

  • Page 154

    3 Set Direction to In or Out. 4 Enter the offset number. 5 Select the interface to match for this offset list. 6 Check or clear the Enable check box to enable or disable this offset list. 7 Select OK. Router objects Router objects are a set of tools used by routing protocols and fea[...]

  • Page 155

    To add an access list name 1 Go to Router > Router Objects > Access List. 2 Select Create New. 3 Enter a name for the access list. 4 Select OK. New access list entry Figure 68: Access list entry configuration To configure an access list entry 1[...]

  • Page 156

    The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny. For a prefix list to take effec[...]

  • Page 157

    New prefix list entry Figure 71: Prefix list entry configuration To configure a prefix list entry 1 Go to Router > Router Objects > Prefix List. 2 Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon besid[...]

  • Page 158

    The FortiGate unit attempts to match the rules in a route map starting at the top of the list. If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule. If no match is found in the route map the default action is deny. [...]

  • Page 159

    Route-map list entry Figure 74: Route map entry configuration To configure a route map entry 1 Go to Router > Router Objects > Route Map. 2 Select the Add route-map entry icon to add a new route map entry or select the edit icon beside an existi[...]

  • Page 160

    4 Under Match, select the criteria to match. 5 Under Set, select the criteria to change. 6 Select OK. Key chain list RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work both the sending an[...]

  • Page 161

    3 Enter a name for the key chain. 4 Select OK. Key chain list entry Figure 77: Key chain entry configuration To configure a key chain entry 1 Go to Router > Router Objects > Key-chain. 2 Select the Add key-chain entry icon to add a new key chai[...]

  • Page 162

    5 Under Accept Lifetime, select Infinite, Duration or End time. • If you selected Duration, enter the time in seconds that this key should be active. • If you selected End time, select the required hour, minute, second, year, month and day to stop using this key for recei[...]

  • Page 163

    3 Specify the network for which to display routes. 4 Specify a gateway to display the routes using that gateway. 5 Select Apply Filter. CLI configuration This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in b[...]

  • Page 164

    get router info rip Use this command to display information about RIP. Command syntax get router info rip <keyword> Examples get router info rip database get router info rip interface config router ospf Use this command to configure open shortest path first (OSPF) on the [...]

  • Page 165

    config summary-address. Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables: Keywords and variables | Description | Default | Availability. abr-type {cisco | ibm | shortcut | sta[...]

  • Page 166

    Example: This example shows how to set the OSPF router ID to 1.1.1.1: config router ospf set router-id 1.1.1.1 end. This example shows how to display the OSPF settings. default-metric <metric_integer>: Specify the default metric that OSPF should use for redistributed routes.[...]

  • Page 167

    get router ospf. This example shows how to display the OSPF configuration. show router ospf. config area: Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF auton[...]

  • Page 168

    area command keywords and variables: Keywords and variables | Description | Default | Availability. authentication {md5 | none | text}: Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area. If you se[...]

  • Page 169

    Example: This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication. config router ospf config area edit 15.1.1.1 set type stub set stub-type summary set default-cost 20 se[...]

  • Page 170

    This example shows how to display the configuration for area 15.1.1.1. config router ospf config area edit 15.1.1.1 show end. config filter-list: Access the config filter-list subcommand using the config area subcommand. Use filter lists to control the import and export of LSAs[...]

  • Page 171

    Example: This example shows how to use an access list named acc_list1 to filter packets entering area 15.1.1.1. config router ospf config area edit 15.1.1.1 config filter-list edit 1 set direction in set list acc_list1 end end. This example shows how to displ[...]

  • Page 172

    config range edit <id_integer> get end; config range edit <id_integer> show end. Example: This example shows how to set the prefix for range 1 of area 15.1.1.1. config router ospf config area edit 15.1.1.1 config range edit 1 set prefix 1.1.0.0 255.255.0.0 end end. This ex[...]

  • Page 173

    config router ospf config area edit 15.1.1.1 show end. config virtual-link: Access the config virtual-link subcommand using the config area command. Use virtual links to connect an area to the backbone when the area has no direct connection to the backbone. A [...]

  • Page 174

    virtual-link command keywords and variables: Keywords and variables | Description | Default | Availability. authentication {md5 | none | text}: Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received over this virtu[...]

  • Page 175

    Example: This example shows how to configure a virtual link. config router ospf config area edit 15.1.1.1 config virtual-link edit vlnk1 set peer 1.1.1.1 end end. This example shows how to display the settings for area 15.1.1.1. config router ospf config are[...]

  • Page 176

    Use this command to use an access list to filter the networks in routing updates. Routes not matched by any of the distribute lists will not be advertised. You must configure the access list that you want the distribute list to use before you configure the distribute list. Fo[...]

  • Page 177

    config router ospf config distribute-list edit 2 set access-list acc_list1 set protocol static end end. This example shows how to display the settings for distribute list 2. config router ospf config distribute-list edit 2 get end. This example shows how to [...]

  • Page 178

    config neighbor edit <id_integer> show end. Example: This example shows how to manually add a neighbor. config router ospf config neighbor edit 1 set ip 192.168.21.63 end end. This example shows how to display the settings for neighbor 1. config router ospf config neighbor e[...]

  • Page 179

    config network: Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syn[...]

  • Page 180

    This example shows how to display the settings for network 2. config router ospf config network edit 2 get end. This example shows how to display the configuration for network 2. config router ospf config network edit 2 show end. config ospf-interface: Access the config ospf-interf[...]

  • Page 181

    ospf-interface command keywords and variables: Keywords and variables | Description | Default | Availability. authentication {md5 | none | text}: Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface. [...]

  • Page 182

    hello-interval <seconds_integer>: The time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535. Default: 10. Availability: All models. interface <name_str>: Enter the name of the interfac[...]

  • Page 183

    network-type {broadcast | non-broadcast | point-to-multipoint | point-to-point}: Specify the type of network to which the interface is connected. OSPF supports four different types of network. This command specifies the behavior of the OSPF interface accord[...]

  • Page 184

    Example: This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface. config router ospf config ospf-interface edit test set interface internal set ip 192.168.20.3 set auth[...]

  • Page 185

    config redistribute command syntax pattern: config redistribute {connected | static | rip} set <keyword> <variable> end; config redistribute {connected | static | rip} unset <keyword> end; get router ospf; show router ospf. Example: This example[...]

  • Page 186

    Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page 171. By replacin[...]

  • Page 187

    This example shows how to display the OSPF configuration. show router ospf. config router static6: Use this command to add, edit, or delete static routes for IPv6 traffic. Add static routes to control the destination of traffic exiting the FortiGate un[...]

  • Page 188

    Example: This example shows how to add an IPv6 static route that has the sequence number 2. config router static6 edit 2 set dev internal set dst 12AB:0:0:CD30::/60 set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF end. This example shows how to display the list of IPv6 static rou[...]

  • Page 189

    FortiGate-100A Administration Guide Version 2.80 MR7. Firewall: Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a conn[...]

  • Page 190

    Policy: Go to Firewall > Policy to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces. How policy matching works: The firewall matches policies by searching for a match starting at the top of the policy list and moving down u[...]

  • Page 191

    The policy list has the following icons and features. Figure 80: Move to options. Policy options: Policy options are configurable when creating or editing a firewall policy. Create new: Select Create New to add a firewall policy. ID: The policy identifier. Po[...]

  • Page 192

    Figure 81: Standard policy options. Policy has the following standard options: Interface / Zone. Source: Select the source interface name to which the policy will apply. Destination: Select the destination interface name to which the policy will apply. Interfaces and zones are listed[...]

  • Page 193

    Action: Select how you want the firewall to respond when the policy matches a connection attempt. • ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy. • DENY: Select deny [...]

  • Page 194

    Advanced policy options. Figure 82: Advanced policy options. Authentication: You must add users and a firewall protection profile to a user group before you can select Authentication. For information about adding and configuring user groups, see “User group” on page 2[...]

  • Page 195

    In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name. Traffic Shaping: Traffic Shaping controls[...]

  • Page 196

    Comments: You can add a description or other information about the policy. The comment can be up to 63 characters long, including spaces. Configuring firewall policies: Use the following procedures to add, delete, edit, re-order, disable, and enable a firewal[...]

  • Page 197

    3 Select the position for the policy. 4 Select OK. To disable a policy: Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by t[...]

  • Page 198

    Address: You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address rang[...]

  • Page 199

    This section describes: • Address list • Address options • Configuring addresses • Address group list • Address group options • Configuring address groups. Address list: You can add addresses to the list and edit existing addresses. The FortiGate [...]

  • Page 200

    An IP/Mask address can represent: • The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0). • A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.255). • All possible IP addresse[...]

  • Page 201

    4 Select OK. To delete an address: Deleting an address removes it from the address list. To delete an address that has been added to a policy, you must first remove the address from the policy. 1 Go to Firewall > Address > Address. 2 Select the [...]

  • Page 202

    Figure 87: Address group options. Address group has the following options. Configuring address groups: To organize addresses into an address group: 1 Go to Firewall > Address > Group. 2 Select Create New. 3 Enter a group name to identify the address group. 4 Sel[...]

  • Page 203

    3 Make any required changes. 4 Select OK. Service: Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services [...]

  • Page 204

    Table 21: FortiGate predefined services. Service name | Description | Protocol | Port. ANY | Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. | all | all. GRE | Generic Routing Encapsulation. A protocol that allows an [...]

  • Page 205

    IRC | Internet Relay Chat allows people connected to the Internet to join live discussions. | tcp | 6660-6669. L2TP | L2TP is a PPP-based tunnel protocol for remote access. | tcp | 1701. LDAP | Lightweight Directory Access Protocol is a set of protocols used to access[...]

  • Page 206

    Custom service list: Add a custom service if you need to create a policy for a service that is not in the predefined service list. Figure 89: Sample custom service list. The custom services list has the following icons and features. SMTP | Simple Mail Transfer Protocol is use[...]

  • Page 207

    Custom service options: Different options appear depending on the protocol type of custom service you want to define. Choose from TCP, UDP, ICMP, or IP. TCP and UDP custom service options. Figure 90: TCP and UDP custom service options. ICMP custom[...]

  • Page 208

    IP custom service options. Figure 92: IP custom service options. Configuring custom services: To add a custom TCP or UDP service: 1 Go to Firewall > Service > Custom. 2 Select Create New. 3 Enter a name for the new custom TCP or UDP service. 4 Select TCP or UDP as [...]

  • Page 209

    6 Select OK. You can now add this custom service to a policy. To delete a custom service: 1 Go to Firewall > Service > Custom. 2 Select the Delete icon beside the service you want to delete. 3 Select OK. To edit a custom service: 1 Go to Firewall[...]

  • Page 210

    Figure 94: Service group options. Service group has the following options. Configuring service groups: To organize services into a service group: 1 Go to Firewall > Service > Group. 2 Select Create New. 3 Enter a group name to identify the service group. 4 Select[...]

  • Page 211

    4 Select OK. Schedule: Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specifie[...]

  • Page 212

    One-time schedule options. Figure 96: One-time schedule options. One-time schedule has the following options. Configuring one-time schedules: To add a one-time schedule: 1 Go to Firewall > Schedule > One-time. 2 Select Create New. 3 Type a name for the schedule. 4[...]

  • Page 213

    Recurring schedule list: You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent game play during working hours by creating [...]

  • Page 214

    Configuring recurring schedules: To add a recurring schedule: 1 Go to Firewall > Schedule > Recurring. 2 Select Create New. 3 Enter a name for the schedule. 4 Select the days of the week that you want the schedule to be active. 5 Set the Start and Stop [...]

  • Page 215

    You can create three types of virtual IPs. This section describes: • Virtual IP list • Virtual IP options • Configuring virtual IPs. Virtual IP list. Figure 99: Sample virtual IP list. The virtual IP list has the following icons and features. Virtual IP[...]

  • Page 216

    Figure 100: Virtual IP options; static NAT. Figure 101: Virtual IP options; port forwarding. Virtual IP has the following options. Configuring virtual IPs: To add a static NAT virtual IP: 1 Go to Firewall > Virtual IP. 2 Select Create New. 3 Enter a name for the virtual [...]

  • Page 217

    4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterfac[...]

  • Page 218

    6 Enter the External IP Address that you want to map to an address on the destination interface. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. For example, if the virtual IP provides access from[...]

  • Page 219

    10 Select OK. To delete a virtual IP: 1 Go to Firewall > Virtual IP. 2 Select the Delete icon beside the virtual IP you want to delete. 3 Select OK. To edit a virtual IP: 1 Go to Firewall > Virtual IP. 2 Select the Edit icon beside the virtua[...]

  • Page 220

    IP pool list. Figure 102: Sample IP pool list. The IP pool list has the following icons and features. IP pool options. Figure 103: IP pool options. Virtual IP has the following options. Configuring IP pools: To add an IP pool: 1 Go to Firewall > IP Pool. 2 Select the interface to which[...]

  • Page 221

    5 Select OK. To delete an IP pool: 1 Go to Firewall > IP Pool. 2 Select the Delete icon beside the IP pool you want to delete. 3 Select OK. To edit an IP pool: 1 Go to Firewall > IP Pool. 2 For the IP pool that you wa[...]

  • Page 222

    Protection profile: Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies. You can use protection profiles to: • Configure antivirus protection for HTTP, FTP, IMAP, POP3, and SMTP policies • Configure [...]

  • Page 223

    Default protection profiles: The FortiGate unit comes preconfigured with four protection profiles. Protection profile options. Figure 105: Adding a protection profile. You can configure the following options when creating or editing a protection [...]

  • Page 224

    Configuring antivirus options. Figure 106: Protection profile antivirus options. The following options are available for antivirus through the protection profile. See “Antivirus” on page 289 for more antivirus configuration options. Virus Scan: Enable or disable viru[...]

  • Page 225

    Configuring web filtering options. Figure 107: Protection profile web filtering options. The following options are available for web filtering through the protection profile. See “Web filter” on page 309 for more web filter configuration opt[...]

  • Page 226

    The following options are available for web category filtering through the protection profile. See “Category block” on page 317 for more category blocking configuration options. Configuring spam filtering options. Figure 109: Protection profile spam filtering opt[...]

  • Page 227

    Configuring IPS options. Figure 110: Protection profile IPS options. The following options are available for IPS through the protection profile. See “IPS” on page 277 for more IPS configuration options. Configuring content archive options. Figur[...]

  • Page 228

    The following options are available for content archive through the protection profile. Configuring protection profiles: To add a protection profile: If the default protection profiles do not provide the settings you require, you can create custom protection pro[...]

  • Page 229

    To add a protection profile to a policy: You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. [...]

  • Page 230

    firewall profile command keywords and variables: Keywords and variables | Description | Default | Availability. ftp {block content-archive no-content-summary oversize quarantine scan splice}: Select the actions that this profile will use for filtering FTP traffic for a policy [...]

  • Page 231

    This example shows how to display the settings for the firewall profile command. get firewall profile. This example shows how to display the settings for the spammail profile. get firewall profile spammail. This example shows how to display the conf[...]

  • Page 233

    Users and authentication: You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of t[...]

  • Page 234

    Setting authentication timeout: Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. To set authentication timeout: 1 Go to System > Config > Options. 2 In Auth Timeout, type a num[...]

  • Page 235

    To add a user name and configure authentication: 1 Go to User > Local. 2 Select Create New to add a new user name or select the Edit icon to edit an existing configuration. 3 Type the User Name. 4 Select the authentication type for th[...]

  • Page 236

    RADIUS server options. Figure 115: RADIUS configuration. To configure the FortiGate unit for RADIUS authentication: 1 Go to User > RADIUS. 2 Select Create New to add a new RADIUS server or select the Edit icon to edit an existing configuration. 3 Enter the[...]

  • Page 237

    The FortiGate unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to p[...]

  • Page 238

    To configure the FortiGate unit for LDAP authentication: 1 Go to User > LDAP. 2 Select Create New to add a new LDAP server, or select the Edit icon to edit an existing configuration. 3 Enter the name of the LDAP server. 4 Enter the domain name or IP addre[...]

  • Page 239

    User group: To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: [...]

  • Page 240

    User group options. Figure 119: User group configuration. To configure a user group: 1 Go to User > User Group. 2 Select Create New to add a new user group, or select the Edit icon to edit an existing configuration. 3 Enter a Group Name to identify the user gr[...]

  • Page 241

    To delete a user group: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. 1 Go to User > User Group. 2 Select Delete beside the user group that you want to[...]

  • Page 242

    config user peer edit branch_office set ca set cn set cn-type end. This example shows how to display the list of configured peers. get user peer. This example shows how to display the settings for the peer branch_office. get user peer branch_office. This example shows how to[...]

  • Page 243

    config user peergrp edit EU_branches set member Sophia_branch Valencia_branch Cardiff_branch end. This example shows how to display the list of configured peer groups. get user peergrp. This example shows how to display the settings for the peer grp[...]

  • Page 245

    VPN: FortiGate units support the following protocols to authenticate and encrypt traffic: • Internet Protocol Security (IPSec) • Point-to-Point Tunneling Protocol (PPTP) • Layer Two Tunneling Protocol (L2TP). This chapt[...]

  • Page 246

    Phase 1: The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine: • whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication inf[...]

  • Page 247

    Phase 1 basic settings. Figure 121: Phase 1 basic settings. Encryption Algorithm: The names of the encryption and authentication algorithms used by each phase 1 configuration. Edit, view, or delete phase 1 configurations. Gateway Name: Type a name for the re[...]

  • Page 248

    Pre-shared Key: If Preshared Key is selected, type the preshared key that the FortiGate unit will use to authenticate itself to the remote peer during phase 1 negotiations. You must define the same value at the remote peer. The key must contain at least 6 printable characters [...]

  • Page 249

    Phase 1 advanced settings. Figure 122: Phase 1 advanced settings. P1 Proposal: Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms [...]

  • Page 250

    Phase 2: You configure phase 2 settings to specify the parameters for creating and maintaining a VPN tunnel between the FortiGate unit and the remote peer or client. In most cases, you only need to configure the basic phase 2 settings. To configure phase 2 settings: 1 Go [...]

  • Page 251

    2 Follow the general guidelines in these sections: • “Phase 2 list” on page 251 • “Phase 2 basic settings” on page 251 • “Phase 2 advanced options” on page 252. For information about how to choose the correct phase 2 settings for your particular[...]

  • Page 252

    Phase 2 advanced options. Figure 125: Phase 2 advanced settings. Tunnel Name: Type a name to identify the tunnel configuration. Remote Gateway: Select the phase 1 configuration to assign to this tunnel. See “Phase 1” on page 246. The phase 1 configuration describes how[...]

  • Seite 253

    Manual key If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where: • Prior knowledge of the encryption and/or authentication key is required (that is, one of th[...]

  • Page 254

    In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys on the VPN > IPSEC > Manual Key tab instead. If one of the VPN peers uses specific authentication and encryption keys to establish a tunnel, both VPN peers must be configured to use [...]

  • Page 255

    Manual key options Figure 127: Adding a manual key VPN tunnel VPN Tunnel Name Type a name for the VPN tunnel. Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. T[...]

  • Page 256

    Concentrator In a hub-and-spoke configuration, connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, VPN tunnels between any two of the remote peers can be established thro[...]

  • Page 257

    Concentrator options Figure 129: Creating a concentrator for a hub-and-spoke configuration Ping Generator The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open when no traffic is being generated inside the tunnel. For [...]

  • Page 258

    2 Select Enable. 3 In the Source IP 1 field, type the private IP address or subnet address from which traffic may originate locally (for example, 192.168.20.12 or 192.168.20.0 respectively). 4 In the Destination IP 1 field, enter the IP address of a remote computer: • For a p[...]

  • Page 259

    To establish or take down a VPN tunnel 1 Go to VPN > IPSEC > Monitor. 2 In the list of tunnels, select the Bring down tunnel or Bring up tunnel button in the row that corresponds to the tunnel that you want to bring down or up. If you take down an active t[...]

  • Page 260

    PPTP FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP pa[...]

  • Page 261

    L2TP A FortiGate unit can be configured to act as an L2TP network server. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly. For information about how to perform the related tasks, see [...]

  • Page 262

    Certificates Digital certificates are downloadable files that you can install on the FortiGate unit and on remote peers and clients for authentication purposes. An X.509 digital certificate contains information that has been digitally signed by a trusted third party known as[...]

  • Page 263

    Figure 136: Certificate details Certificate request To obtain a personal or site certificate, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the[...]

  • Page 264

    Importing signed certificates Your CA will provide you with a signed certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a PC that has management access to the FortiGate unit. To install a signed [...]

  • Page 265

    CA certificate list Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. The installed CA certificates are displayed in the CA certificate list. Figure 139: CA certificate list Importing [...]

  • Page 266

    VPN configuration procedures The FortiGate VPN Guide uses a task-based approach to provide all of the procedures needed to create different types of VPN configurations. The guide contains the following chapters: • “Configuring IPSec VPNs” describes how to set up[...]

  • Page 267

    2 In the Address Name field, type a name that represents the local network, server(s), or host(s) from which IP packets may originate on the private network behind the local FortiGate unit. 3 In the IP Range/Subnet field, type the correspondin[...]

  • Page 268

    3 You may enable a protection profile, and/or event logging, or select advanced settings to shape traffic or differentiate services. See the “Firewall” chapter of the FortiGate Administration Guide. 4 Select OK. 5 Place the policy in the policy list above any ot[...]

  • Page 269

    CLI configuration This section provides information about features that must be configured through CLI commands. CLI commands provide additional network options that cannot be configured through the web-based manager. For complete descriptions and examples of ho[...]

  • Page 270

    Example Use the following command to edit an IPSec VPN phase 1 configuration with the following characteristics: • Phase 1 configuration name: Simple_GW • Remote peer address type: Dynamic • Encryption and authentication proposal: des-md5 • Authentication method: psk • Pre-share[...]

  • Page 271

    ipsec phase2 Use the config vpn ipsec phase2 CLI command to add or edit an IPSec VPN phase 2 configuration. Command syntax pattern config vpn ipsec phase2 edit <name_str> set <keyword> <variable> end config vpn ipsec phase2 edit <name_str> unse[...]

  • Page 272

    ipsec vip A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding the associated traffic to the intended destination host over an IPSec VPN tunnel. The feature is intended to enable IPSec VPN communications between two hosts that coordinate the same private addr[...]

  • Page 273

    For more information, see “Configuring IPSec virtual IP addresses” on page 274. Command syntax pattern config vpn ipsec vip edit <vip_integer> set <keyword> <variable> end config vpn ipsec vip edit <vip_integer> unset <keyword> end co[...]

  • Page 274

    This example shows how to display the settings for the vpn ipsec vip command. get vpn ipsec vip This example shows how to display the settings for the VIP entry named 1. get vpn ipsec vip 1 This example shows how to display the current configuration of all existing VIP entries. show vpn i[...]

  • Page 275

    When Host_1 attempts to send a packet to Host_2 for the first time, Host_1 issues an ARP request locally for the MAC address of Host_2. However, because Host_2 resides on a remote network, it does not respond. Instead, the FortiGate unit responds with its own MAC ad[...]

  • Page 276

    [...]

  • Page 277

    FortiGate-100A Administration Guide Version 2.80 MR7 IPS The FortiGate Intrusion Prevention System (IPS) combines signature- and anomaly-based intrusion detection and prevention with low latency and excellent reliability. The FortiGate unit can record suspicious traffic in log[...]

  • Page 278

    This chapter describes: • Signature • Anomaly • Configuring IPS logging and alert email • Default fail open setting Signature The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attac[...]

  • Page 279

    Predefined signature list You can enable or disable groups of predefined signatures and configure the settings for individual predefined signatures from the predefined signature list. Figure 142: A portion of the predefined signature list Table 24 describes e[...]

  • Page 280

    Configuring predefined signatures To enable or disable predefined signature groups 1 Go to IPS > Signature > Predefined. 2 Select the Configure icon next to the predefined signature group that you want to enable or disable. Figure 143: Enabling or disabling a predefined signature gr[...]

  • Page 281

    4 Select the Enable box to enable the signature or clear the Enable box to disable the signature. 5 Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. 6 Select the Action for the FortiGate unit[...]

  • Page 282

    Custom You can create custom IPS signatures. The custom signatures you create are added to a single Custom signature group. Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments. The FortiGate predefined signatures cover com[...]

  • Page 283

    Adding custom signatures To add a custom signature 1 Go to IPS > Signature > Custom. 2 Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature. Figure 148: Edit custom signature 3 Enter a name for the custom signat[...]

  • Page 284

    Anomaly The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols. You can enable or disable logging for each anomaly, [...]

  • Page 285

    Configuring an anomaly Each anomaly is preset with a recommended configuration. By default all anomaly signatures are enabled. You can use the recommended configurations or you can modify the recommended configurations to meet the needs of your network. For more infor[...]

  • Page 286

    To configure the settings of an anomaly 1 Go to IPS > Anomaly. 2 Select the Edit icon for the signature you want to configure. 3 Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly. 4 Select the Logging box to enable logging for this anomaly or clear[...]

  • Page 287

    Anomaly CLI configuration (config ips anomaly) config limit Access the config limit subcommand using the config ips anomaly <name_str> command. Use this command for session control based on source and destination network address. This command is [...]

  • Page 288

    Configuring IPS logging and alert email Whenever the IPS detects or prevents an attack, it generates an attack message. You can configure the FortiGate unit to add the message to the attack log and to send an alert email to administrators. You can configure how often th[...]

  • Page 289

    Antivirus Antivirus provides configuration access to most of the antivirus options you enable when you create a firewall protection profile. While antivirus settings are configured for system-wide use, you can implement spec[...]

  • Page 290

    Protection profile configuration For information about configuring Protection Profiles, see “Protection profile” on page 222. For information about adding protection profiles to firewall policies, see “To add a protection profile to a policy” on page 229. Order of antivirus operati[...]

  • Page 291

    This section describes: • File block list • Configuring the file block list File block list The file block list is preconfigured with a default list of file patterns: • executable files (*.bat, *.com, and *.exe) • compressed or archive files (*.gz, [...]

  • Page 292

    Configuring the file block list To add a file name or file pattern to the file block list 1 Go to Anti-Virus > File Block. 2 Enter the file name or file pattern you want to add. 3 Select Create New. 4 Select the protocols for which you want to block the file[...]

  • Page 293

    Figure 153: Sample quarantined files list Quarantined files list options The quarantined files list has the following features and displays the following information about each quarantined file: Apply Select Apply to apply the sorting and f[...]

  • Page 294

    AutoSubmit list You can configure the FortiGate unit to automatically upload suspicious files to Fortinet for analysis. You can add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking set[...]

  • Page 295

    Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 156: Quarantine conf[...]

  • Page 296

    Config Config displays a list of the current viruses blocked by the FortiGate unit. You can also configure file and email size limits, and grayware blocking. This section describes: • Virus list • Config • Grayware • Grayware options Virus list The virus list displays the cur[...]

  • Page 297

    Figure 158: Example threshold configuration You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block o[...]

  • Page 298

    The categories may change or expand when the FortiGate unit receives updates. In the example above you can choose to enable the following grayware categories. Enabling a grayware category blocks all files listed in the category. Adware Select enable to block adware progra[...]

  • Page 299

    CLI configuration config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning[...]

  • Page 300

    This example shows how to display the settings for the antivirus heuristic command. get antivirus heuristic This example shows how to display the configuration for the antivirus heuristic command. show antivirus heuristic config antivirus quarantine The quarantine [...]

  • Page 301

    config antivirus service http unset <keyword> end get antivirus service [http] show antivirus service [http] How file size limits work The memfilesizelimit is applied first to all incoming files, compressed or uncompressed. If the file [...]

  • Page 302

    Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 12 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 15 MB, and how to enable antivirus scanning on ports 70, 80, and [...]

  • Page 303

    How file size limits work See “How file size limits work” on page 301. Example This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to mem[...]

  • Page 304

    config antivirus service pop3 Use this command to configure how the FortiGate unit handles antivirus scanning of large files in POP3 traffic and what ports the FortiGate unit scans for POP3. Command syntax pattern config antivirus service pop3 set <keyword>[...]

  • Page 305

    Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 20 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 60 MB, and how to enable antivirus scanning [...]

  • Page 306

    How file size limits work See “How file size limits work” on page 301. Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to memory for sc[...]

  • Page 307

    config antivirus service smtp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles interaction with[...]

  • Page 308

    Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 100 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 1 GB (1000 MB), and how to enable antivirus scanning on ports [...]

  • Page 309

    Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewa[...]

  • Page 310

    Table 28: Web filter and Protection Profile web category filtering configuration Protection profile configuration For information about configuring Protection Profiles, see “Protection profile” on page 222. For information about adding protection profiles to firewall policies, see [...]

  • Page 311

    Content block Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add ba[...]

  • Page 312

    Configuring the web content block list Figure 161: Adding a banned word to the content block list When you select Create New or Edit you can configure the following settings for the banned word. To add or edit a banned word 1 Go to Web Filter > Content [...]

  • Page 313

    This section describes: • Web URL block list • Web URL block options • Configuring the web URL block list • Web pattern block list • Web pattern block options • Configuring web pattern block Web URL block list You can add your own specific[...]

  • Page 314

    Configuring the web URL block list To add a URL to the web URL block list 1 Go to Web Filter > URL Block. 2 Select Web URL Block. 3 Select Create New. Figure 163: Adding a new URL 4 Enter a URL or partial URL to add to the URL block list. (Do not includ[...]

  • Page 315

    Figure 164: Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Configuring web pattern block To add a pattern to the web pattern block list 1 Go to Web Filter > URL Block. 2 Select W[...]

  • Page 316

    URL exempt list You can configure specific URLs as exempt from web filtering. URLs on the exempt list are not scanned for viruses. If users on your network download files through the FortiGate unit from a trusted website, you can add the URL of this website to the exempt list so [...]

  • Page 317

    Category block You can filter http content by specific categories using the FortiGuard managed web filtering service. This section describes: • FortiGuard managed web filtering service • Category block configuration option [...]

  • Page 318

    FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a [...]

  • Page 319

    Configuring web category block To enable FortiGuard web filtering 1 Go to Web Filter > Category Block. 2 Select Enable Service. 3 Select Check status to make sure the FortiGate unit can access the FortiGuard server. After a moment, t[...]

  • Page 320

    Category block reports options The following table describes the options for generating reports: The following table describes the features of a generated report: Generating a category block report To generate a category block report 1 Go to Web filter > Ca[...]

  • Page 321

    Command syntax pattern config webfilter catblock set <keyword> <variable> end config webfilter catblock unset <keyword> end get webfilter catblock show webfilter catblock Example This example shows how to change the FortiGu[...]

  • Page 322

    Figure 170: Script filtering options Web script filter options You can configure the following options for script filtering: Note: Blocking any of these items may prevent some web pages from functioning and displaying correctly. Note: Enable Web filtering > Web Sc[...]

  • Page 323

    Spam filter Spam filter provides configuration access to the spam filtering options you enable when you create a firewall protection profile. While spam filters are configured for system-wide use, you can enable the filters[...]

  • Page 324

    Protection profile configuration For information about configuring protection profiles, see “Protection profile” on page 222. For information about adding protection profiles to firewall policies, see “To add a protection profile to a policy” on page 229. E-mail address BWL check[...]

  • Page 325

    Order of spam filter operations Generally, incoming email is passed through the spam filters in the order the filters appear in the spam filtering options list in a firewall protection profile (and in Table 29): FortiShield, IP address, RBL & ORDBL, HELO DNS l[...]

  • Page 326

    Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile. See “Configuring spam filteri[...]

  • Page 327

    4 Select Apply. You can now enable FortiShield for any firewall protection profile you create. See “Configuring spam filtering options” on page 226. Once you select Apply, the FortiShield license type and expiration date appear on the configu[...]

  • Page 328

    Configuring the IP address list To add an IP address to the IP address list 1 Go to Spam Filter > IP Address. 2 Select Create New. Figure 173: Adding an IP address 3 Enter the IP address/mask you want to add. 4 If required, select before or after another I[...]

  • Page 329

    This section describes: • RBL & ORDBL list • RBL & ORDBL options • Configuring the RBL & ORDBL list RBL & ORDBL list You can configure the FortiGate unit to filter email by accessing RBL or ORDBL servers. You can mark a match b[...]

  • Page 330

    Figure 175: Adding an RBL or ORDBL server 3 Enter the domain name of the RBL or ORDBL server you want to add. 4 Select the action to take on email matched by the server. 5 Select Enable. 6 Select OK. Email address The FortiGate unit uses the email address list to filter [...]

  • Page 331

    Configuring the email address list To add an email address or domain to the list 1 Go to Spam Filter > E-mail Address. 2 Select Create New. Figure 177: Adding an email address 3 Enter the email address or pattern you want to add[...]

  • Page 332

    You can use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. You can choose to mark the email as spam or clear for each header you configure. The FortiGate unit compares the MIME header k[...]

  • Page 333

    Configuring the MIME headers list To add a MIME header to the list 1 Go to Spam Filter > MIME headers. 2 Select Create New. Figure 179: Adding a MIME header 3 Enter the MIME header key. 4 Enter the MIME header value. 5 Select a p[...]

  • Page 334

    Banned word list You can add one or more banned words to sort email containing those words in the email subject, body, or both. Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long. If you enter a single word, the FortiGa[...]

  • Page 335

    Figure 181: Adding a banned word Configuring the banned word list To add or edit a banned word 1 Go to Spam Filter > Banned Word. 2 Select Create New to add a banned word or select Edit for the banned word you want to modify. 3 [...]

  • Page 336

    Regular expression vs. wildcard match pattern In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in a wildcard match pattern. As a result: • fortinet.com not only matches fortinet.com but als[...]

  • Page 337

    Examples To block any word in a phrase /block|any|word/ To block purposely misspelled words Spammers often insert other characters between the letters of a word to fool spam blocking software. /^.*v.*i.*a.*g.*r.*a.*$/i /cr[eéèê?[...]

  • Page 338

    [...]

  • Page 339

    Log & Report FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of event[...]

  • Page 340

    340 01-28007-0068-2004120 3 Fortinet Inc. Log Setting options Log & Report Figure 182:Example alert email For descriptions of log format s and specific log messages see the FortiGate Log Message Reference Guide . This chapter describes: • Log config • Log access • CLI configuration Log config Use Log Config to configure log stor age, aler[...]

  • Page 341

    Log & Report Log Setting options Figure 183: Log setting options for all log locations To configure Log Setting 1 Go to Log&Report > Log Config > Log Setting. 2 Select the check box to enable logging to a location. 3 Select the blue arrow beside the location. The s[...]

  • Page 342

    Log Setting options Log & Report Disk settings Table 31: Logging severity levels Level Description Emergency The system has become unstable. Alert Immediate action is required. Critical Functionality is affected. Error An error condition exists and functionality could be affected. Warning Functio[...]

  • Page 343

    Log & Report Log Setting options To configure log file uploading 1 Select the blue arrow to expand Log file upload settings. 2 Select Upload When Rolling. 3 Enter the IP address of the logging server. 4 Enter the port number on the logging server. The default is 21 (FTP). 5[...]

  • Page 344

    Alert E-mail options Log & Report Alert E-mail options In Alert E-mail options you specify the mail server and recipients for email messages and you specify the severity level and frequency of the messages. Figure 184: Alert email configuration settings Authentication Enable Select the Authentication E[...]

  • Page 345

    Log & Report Log filter options You can select specific events to trigger alert email in Log Filter, described in “Log filter options” on page 345. To configure alert email 1 Go to Log&Report > Alert E-mail. 2 Select Enable to enable SMTP Authentication if requi[...]

  • Page 346

    Log filter options Log & Report Figure 185: Example traffic and event log filter settings Traffic log The Traffic Log records all the traffic to and through the FortiGate interfaces. You can configure logging for traffic controlled by firewall policies and for traffic between any source and destin[...]

  • Page 347

    Log & Report Log filter options Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email. You can apply the following filters: W[...]

  • Page 348

    Configuring log filters Log & Report Attack log The Attack Log records attacks detected and prevented by the FortiGate unit. You can apply the following filters: Spam filter log The Spam Filter Log records blocking of address patterns and content in IMAP and POP3 traffic. You can apply the followin[...]

  • Page 349

    Log & Report Viewing log messages To enable traffic logging for a firewall policy You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log. 1 Go to Firewall > Policy. 2 Select the Edit icon[...]

  • Page 350

    Viewing log messages Log & Report The following table describes the features and icons you can use to navigate and search the logs when viewing logs through the web-based manager. To view log messages in the FortiGate memory buffer 1 Go to Log&Report > Log Access. 2 Select the log type you wis[...]

  • Page 351

    Log & Report Searching log messages The Detailed Information column provides the entire raw log entry and is not needed unless the log contains information not available in any of the other, more specific columns. To change the columns in the log message display 1 While viewi[...]

  • Page 352

    fortilog setting Log & Report Figure 189: Search for log messages 3 If you want to search for log messages in a particular date range, select the From and To dates. 4 Select one of the following options: 5 In the Keywords field, type the keywords for the search. 6 Select OK. The log message l[...]

  • Page 353

    Log & Report fortilog setting get log fortilog setting show log fortilog setting Example This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel. config log fortilog setting set st[...]

  • Page 354

    syslogd setting Log & Report syslogd setting Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate unit to send logs to a remote computer running a syslog server. Command syntax pattern config log syslogd setting set <keyword> <va[...]

  • Page 355

    Log & Report syslogd setting Example This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. config log syslogd setting set status enable set server 220.210.200.190 set port 601 se[...]

  • Page 356

    syslogd setting Log & Report[...]

  • Page 357

    FortiGate-100A Administration Guide Version 2.80 MR7 FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit acces[...]

  • Page 358

    FortiGuard categories 5. Racism or Hate Sites that promote the identification of racial groups, the denigration or subjection of groups, or the superiority of any group. 6. Violence Sites that feature or promote violence or bodily harm, including self-inflicted harm; or that gratuitously display images [...]

  • Page 359

    FortiGuard categories 16. Weapons Sites that provide information about, promote, or support the sale of weapons and related items. Sport Hunting and Gun Clubs -- Sites that provide information about or directories of gun clubs and similar groups, including war-game and paintball fa[...]

  • Page 360

    FortiGuard categories General Interest 28. Arts and Entertainment Sites that provide information about or promote motion pictures, non-news radio and television, music and programming guides, books, humor, comics, movie theatres, galleries, artists or review on entertainment, and magazines. 29. Cultural[...]

  • Page 361

    FortiGuard categories 39. Reference Materials Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies, white and yellow pages, and public statistical data. 40. Religion Traditional Religions -- Sites that provide information about or prom[...]

  • Page 362

    FortiGuard categories Business Oriented 49. Business and Economy Sites sponsored by or devoted to business firms, business associations, industry groups, or business in general. 50. Computer Security Computer Security -- Sites that provide information about or free downloadable tools for computer securit[...]

  • Page 363

    Glossary address: An IP address (logical address) or the address of a physical interface (hardware address). An Ethernet address is sometimes called a MAC address. See also IP address. aggressive mode: A way to establish a secure channel during IPSec phase 1 negotia[...]

  • Page 364

    Glossary Ethernet: Can refer to the IEEE 802.3 signaling protocol, or an Ethernet controller (also known as a Media Access Controller or MAC). external interface: The FortiGate interface that connects to the Internet. FTP, File Transfer Protocol: A protocol used to transfer files between computers t[...]

  • Page 365

    Glossary MTU, Maximum Transmission Unit: The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before they are sent. NAT, Network Address Translation: A way of routing IPv4 packet [...]

  • Page 366

    Glossary SMTP, Simple Mail Transfer Protocol: A protocol that supports email delivery services. SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP agents store and return data about themselves to SNMP requesters. spam: Unsolicited email. SSH, Secure Shell: A[...]

  • Page 367

    FortiGate-100A Administration Guide Version 2.80 MR7 Index A abr-type 165 access-list 176 Action, Policy 267 active sessions HA monitor 96 address 198 virtual IP 214 Address Name, Policy 267 administrator account netmask 110, 111 trusted host 111 advertise 172, 186 alert email enab[...]

  • Page 368

    Index csv 354 custom TCP service 206, 207, 208 custom UDP service 206, 207, 208 customer service 23 D database 163 RIP 164 database-filter-out 181 database-overflow 165 database-overflow-max-lsas 165 database-overflow-time-to-recover 165 date setting 81 DDNS 56 Dead Peer Detection 250 dead-interval 174, 18[...]

  • Page 369

    Index go HA monitor 95 group ID HA 86 grouping services 209 groups user 239 guaranteed bandwidth 195, 196 H HA 84, 85 add a new unit to a functioning cluster 93 cluster ID 95 cluster members 86 configuration 85 configure a FortiGate unit for HA operation 90 configure weighted-ro[...]

  • Page 370

    Index L L2TP 239 configuring gateway 261 enabling 261 overview 261 language web-based manager 83 Least-Connection HA schedule 88 Lifetime (sec/kb) 251 link failover HA 84 list 170 Local certificate list 262 Local certificate options 263 Local ID 250 Local SPI, Manual Key 255 Log & report 339 Log file up[...]

  • Page 371

    Index peer 174 Peer option 248 Phase 1 246 Phase 1 advanced options 249 Phase 1 basic settings 247 Phase 1 list 246 Phase 2 250 Phase 2 advanced options 252 Phase 2 basic settings 251 Phase 2 list 251 ping generator IPSec VPN 257 policy enabling authentication 239 guaranteed bandwidt[...]

  • Page 372

    Index service 203 custom TCP 206, 207, 208 custom UDP 206, 207, 208 group 209 predefined 203 service name 204 user-defined TCP 206, 207, 208 user-defined UDP 206, 207, 208 service ftp 302 service http 300 service imap 305 service pop3 304 service smtp 307 Service, Policy 267 set time 82 shortcut 169 Signa[...]

  • Page 373

    Index URL options 313 user groups configuring 239 User-defined signatures 282 user-defined TCP services 206, 207, 208 user-defined UDP services 206, 207, 208 Username 259 V virtual domain properties 132 virtual IP 214 dynamic port forwarding 218 port forwarding 215 static NAT 215 vi[...]

  • Page 374

    Index[...]