A good instruction manual
The law obliges the seller to hand the buyer the Fortinet 50A instruction manual together with the product. The absence of the manual, or giving the consumer incorrect information, constitutes grounds for a complaint that the product does not conform to the contract. By law, the manual may be supplied in a form other than paper, which has become quite common recently: manufacturers provide a graphical manual, an electronic version of the Fortinet 50A manual, or instructional videos for users. The condition is that it be in a readable and understandable form.
What is an instruction manual?
The name comes from the Latin word "instructio", meaning to arrange or to order. A Fortinet 50A manual therefore contains a description of the steps to follow. The purpose of a manual is to teach, to make it easier to switch on or use a device, or to carry out specific actions. An instruction manual is also a source of information about an object or a service; it is a guide.
Unfortunately, few users spend time reading Fortinet 50A manuals; however, a good manual allows us not only to learn about a number of additional features of the device we bought, but also to avoid most faults.
So what should the perfect instruction manual contain?
Above all, a Fortinet 50A instruction manual should contain:
- information about the technical specifications of the Fortinet 50A device
- the manufacturer's name and the year of manufacture of the Fortinet 50A device
- conditions of use, configuration and maintenance of the Fortinet 50A device
- safety marks and certificates confirming compliance with specific standards
Why don't we read instruction manuals?
Usually it is for lack of time and because we feel confident about the specific features of the devices we have bought. Unfortunately, connecting and switching on the Fortinet 50A is not enough. The instruction manual always contains a series of notes about specific features, safety rules, maintenance advice (including which products to use), possible faults of the Fortinet 50A and ways to solve the problems that may occur during its use. Finally, a manual contains the Fortinet technical service details in case the proposed solutions have not worked. Nowadays, instruction manuals in the form of engaging animations or video manuals are popular, and they reach the user much better than a leaflet does. This type of manual helps the user watch the whole video without skipping the complicated specifications and technical descriptions of the Fortinet 50A, as one tends to do with a paper version.
Why is it worth reading instruction manuals?
Above all, it is in them that we find the answers about the construction and the capabilities of the Fortinet 50A device, the use of specific accessories, and a range of information that lets us take full advantage of its functions and conveniences.
After a successful purchase of a piece of equipment or a device, it is worth taking a moment to become familiar with every part of the Fortinet 50A manual. Nowadays they are prepared and translated with care, so that they are not only understandable to users but also fulfil their basic function of informing and helping.
Instruction manual index
Page 1
FortiGate 50A Installation and Configuration Guide INTERNAL EXTERNAL LINK 100 LINK 100 PWR STATUS FortiGate User Manual Volume 1 Version 2.50 29 February 2004[...]
Page 2
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-5[...]
Page 3
Contents FortiGate-50A Installation and Configuration Guide 3 Table of Contents Introduction ... 13 NAT/Route mode and Transparent mode ... 13 NAT/Route mode ...[...]
Page 4
Contents 4 Fortinet Inc. Completing the configuration ... 38 Setting the date and time ... 38 Changing antivirus protection ...[...]
Page 5
Contents FortiGate-50A Installation and Configuration Guide 5 Shutting down the FortiGate unit ... 66 System status ... 67 Viewing CPU and me[...]
Page 6
Contents 6 Fortinet Inc. Network configuration ... 93 Configuring interfaces ... 93 Viewing the interface list ...[...]
Page 7
Contents FortiGate-50A Installation and Configuration Guide 7 Changing system options ... 122 Adding and editing administrator accounts ... 123 Adding new administrator accounts ...[...]
Page 8
Contents 8 Fortinet Inc. Virtual IPs ... 157 Adding static NAT virtual IPs ... 158 Adding port forwarding virtual IPs ...[...]
Page 9
Contents FortiGate-50A Installation and Configuration Guide 9 AutoIKE IPSec VPNs ... 182 General configuration steps for an AutoIKE VPN ... 183 Adding a phase 1 configuration for an AutoI[...]
Page 10
Contents 10 Fortinet Inc. Logging attacks ... 222 Logging attack messages to the attack log ... 222 Reducing the number of NIDS attack log and email messages ...[...]
Page 11
Contents FortiGate-50A Installation and Configuration Guide 11 Email block list ... 248 Adding address patterns to the email block list ... 248 Downloading the email bl[...]
Page 12
Contents 12 Fortinet Inc.[...]
Page 13
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 13 Introduction The FortiGate-50A Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your FortiGate-5[...]
Page 14
14 Fortinet Inc. Document conventions Introduction Document conventions This guide uses the following conventions to describe CLI command syntax. • angle brackets < > to indicate variable keywords For example: execute restore config <filename_str> You enter restore config myfile.bak <xxx_str> indicates an ASCII string var[...]
Page 15
Introduction Fortinet documentation FortiGate-50A Installation and Configuration Guide 15 Fortinet documentation Information about FortiGate products is available from the following FortiGate User Manual volumes: • Volume 1: FortiGate Installation and Configuration Guide Describes installation and basic configuration for the FortiGate u[...]
Page 16
16 Fortinet Inc. Customer service and technical support Introduction Customer service and technical support For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com. You[...]
Page 17
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 17 Getting started This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you [...]
Page 18
18 Fortinet Inc. Package contents Getting started Package contents The FortiGate-50A package contains the following items: • the FortiGate-50A Antivirus Firewall • one orange cross-over ethernet cable • one gray regular ethernet cable • one null-modem cable • FortiGate-50A QuickStart Guide • A CD containing the FortiGate user doc[...]
Page 19
Getting started Powering on FortiGate-50A Installation and Configuration Guide 19 Environmental specifications • Operating temperature: 32 to 104°F (0 to 40°C) • Storage temperature: -13 to 158°F (-25 to 70°C) • Humidity: 5 to 95% non-condensing Powering on To power on the FortiGate-50A unit 1 Connect the AC adapter to the power conn[...]
Page 20
20 Fortinet Inc. Connecting to the command line interface (CLI) Getting started To connect to the web-based manager 1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address automatically using DHC[...]
Page 21
Getting started Connecting to the command line interface (CLI) FortiGate-50A Installation and Configuration Guide 21 To connect to the CLI 1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port. 2 Make sure that the FortiGate unit is powered on. 3 Start HyperTerminal, enter a name for t[...]
Page 22
22 Fortinet Inc. Factory default FortiGate configuration settings Getting started Factory default FortiGate configuration settings The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. T[...]
Page 23
Getting started Factory default FortiGate configuration settings FortiGate-50A Installation and Configuration Guide 23 Factory default NAT/Route mode network configuration When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3. This configuration allows yo[...]
Page 24
24 Fortinet Inc. Factory default FortiGate configuration settings Getting started Recurring Schedule Always The schedule is valid at all times. This means that the firewall policy is valid at all times. Firewall Policy Int -> Ext Firewall policy for connections from the internal network to the external network. Source Internal_All The policy s[...]
Page 25
Getting started Factory default FortiGate configuration settings FortiGate-50A Installation and Configuration Guide 25 Factory default content profiles You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for: • Antivirus protection [...]
Page 26
26 Fortinet Inc. Factory default FortiGate configuration settings Getting started Scan content profile Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic. Web content profile Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You [...]
Page 27
Getting started Planning the FortiGate configuration FortiGate-50A Installation and Configuration Guide 27 Unfiltered content profile Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure ne[...]
Page 28
28 Fortinet Inc. Planning the FortiGate configuration Getting started You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public [...]
Page 29
Getting started Planning the FortiGate configuration FortiGate-50A Installation and Configuration Guide 29 In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web,[...]
Page 30
30 Fortinet Inc. FortiGate model maximum values matrix Getting started FortiGate model maximum values matrix Table 10: FortiGate maximum values matrix FortiGate model 50A 60 100 200 300 400 500 800 1000 3000 3600 4000 Routes 500 500 500 500 500 500 500 500 500 500 500 500 Policy routing gateways 500 500 500 500 500 500 500 500 500 500 500 500 [...]
Page 31
Getting started Next steps FortiGate-50A Installation and Configuration Guide 31 Next steps Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to "NAT/Route mode installation" on page 33. • If you are going to op[...]
Page 32
32 Fortinet Inc. Next steps Getting started[...]
Page 33
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 33 NAT/Route mode installation This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see "Transparent mode installation" on page 41. This chapt[...]
Page 34
34 Fortinet Inc. Preparing to configure NAT/Route mode NAT/Route mode installation To use the factory default configuration, follow these steps to install the FortiGate unit: 1 Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for a[...]
Page 35
NAT/Route mode installation Using the setup wizard FortiGate-50A Installation and Configuration Guide 35 Advanced NAT/Route mode settings Use Table 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings. Using the setup wizard From the web-based manager, you can use the setup wizard to create [...]
Page 36
36 Fortinet Inc. Using the command line interface NAT/Route mode installation Using the command line interface As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see "Connecting to the command line interface (CLI)" on page 20. Configuring the Fort[...]
Page 37
NAT/Route mode installation Connecting the FortiGate unit to your networks FortiGate-50A Installation and Configuration Guide 37 6 Optionally, set the secondary DNS server IP addresses. Enter set system dns secondary <IP address> Example set system dns secondary 293.44.75.22 7 Set the default route to the Default Gateway IP address (not r[...]
Page 38
38 Fortinet Inc. Configuring your networks NAT/Route mode installation To connect the FortiGate-50A unit: 1 Connect the Internal interface to the hub or switch connected to your internal network. 2 Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a[...]
Page 39
NAT/Route mode installation Completing the configuration FortiGate-50A Installation and Configuration Guide 39 Registering your FortiGate unit After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecti[...]
Page 40
40 Fortinet Inc. Completing the configuration NAT/Route mode installation[...]
Page 41
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 41 Transparent mode installation This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see "NAT/Route mode installation" on pag[...]
Page 42
42 Fortinet Inc. Using the setup wizard Transparent mode installation Using the setup wizard From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see "Connecting to the web-based manager" on page 19. Changing to Transparent mode The firs[...]
Page 43
Transparent mode installation Connecting the FortiGate unit to your networks FortiGate-50A Installation and Configuration Guide 43 Changing to Transparent mode 1 Log into the CLI if you are not already logged in. 2 Switch to Transparent mode. Enter: set system opmode transparent After a few seconds, the login prompt appears. 3 Type admin [...]
Page 44
44 Fortinet Inc. Connecting the FortiGate unit to your networks Transparent mode installation To connect the FortiGate unit: 1 Connect the Internal interface to the hub or switch connected to your internal network. 2 Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provi[...]
Page 45
Transparent mode installation Completing the configuration FortiGate-50A Installation and Configuration Guide 45 Completing the configuration Use the information in this section to complete the initial configuration of the FortiGate unit. Setting the date and time For effective scheduling and logging, the FortiGate system date and time shou[...]
Page 46
46 Fortinet Inc. Transparent mode configuration examples Transparent mode installation Transparent mode configuration examples A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. Th[...]
Page 47
Transparent mode installation Transparent mode configuration examples FortiGate-50A Installation and Configuration Guide 47 Example default route to an external network Figure 7 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiGate u[...]
Page 48
48 Fortinet Inc. Transparent mode configuration examples Transparent mode installation Web-based manager example configuration steps To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mod[...]
Page 49
Transparent mode installation Transparent mode configuration examples FortiGate-50A Installation and Configuration Guide 49 Figure 8: Static route to an external destination General configuration steps 1 Set the FortiGate unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 Configure[...]
Page 50
50 Fortinet Inc. Transparent mode configuration examples Transparent mode installation Web-based manager example configuration steps To configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mode list.[...]
Page 51
Transparent mode installation Transparent mode configuration examples FortiGate-50A Installation and Configuration Guide 51 Example static route to an internal destination Figure 9 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you ne[...]
Page 52
52 Fortinet Inc. Transparent mode configuration examples Transparent mode installation 4 Configure the default route to the external network. Web-based manager example configuration steps To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status. • Select Chang[...]
Page 53
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 53 System status You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack de[...]
Page 54
54 Fortinet Inc. Changing the FortiGate host name System status Changing the FortiGate host name The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see "Configuring SNMP" on page 125. The default host name is [...]
Page 55
System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 55 Upgrading to a new firmware version Use the following procedures to upgrade the FortiGate unit to a newer firmware version. Upgrading the firmware using the web-based manager To upgrade the firmware using the web-based manager 1 Copy the firmwa[...]
Page 56
56 Fortinet Inc. Changing the FortiGate firmware System status 4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168 5 Enter the following command to copy t[...]
Page 57
System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 57 If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file. To revert to a previous firmware ve[...]
Page 58
58 Fortinet Inc. Changing the FortiGate firmware System status To use the following procedure you must have a TFTP server that the FortiGate unit can connect to. To revert to a previous firmware version using the CLI 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFTP server. 3 Lo[...]
Page 59
System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 59 12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information. get system ob[...]
Page 60
60 Fortinet Inc. Changing the FortiGate firmware System status 6 Enter the following command to restart the FortiGate unit: execute reboot As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears: Press any key to enter configuration menu..... ...... 7 Immediately press any key [...]
Page 61
System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 61 Restoring the previous configuration Change the internal interface addresses if required. You can do this from the CLI using the command: set system interface After changing the interface addresses, you can access the FortiGate unit from the w[...]
Page 62
62 Fortinet Inc. Changing the FortiGate firmware System status 5 Enter the following command to restart the FortiGate unit: execute reboot 6 As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:[...]
Page 63
System status Manual virus definition updates FortiGate-50A Installation and Configuration Guide 63 Manual virus definition updates The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate antivirus definitions. To update the antivirus definitions manually 1 Download the latest antivirus de[...]
Page 64
64 Fortinet Inc. Displaying the FortiGate serial number System status Displaying the FortiGate serial number 1 Go to System > Status. The serial number is displayed on the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades. Displaying the FortiGate up[...]
Page 65
System status Restoring system settings to factory defaults FortiGate-50A Installation and Configuration Guide 65 Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions. T[...]
Page 66
66 Fortinet Inc. Changing to NAT/Route mode System status Changing to NAT/Route mode Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults. The following items are no[...]
Page 67
System status System status FortiGate-50A Installation and Configuration Guide 67 System status You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-b[...]
Page 68
68 Fortinet Inc. System status System status Figure 1: CPU and memory status monitor Viewing sessions and network status Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU an[...]
Page 69
System status System status FortiGate-50A Installation and Configuration Guide 69 4 Select Refresh to manually update the information displayed. Figure 2: Sessions and network status monitor Viewing virus and intrusions status Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to t[...]
Page 70
70 Fortinet Inc. Session list System status Figure 3: Sessions and network status monitor Session list The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the Fo[...]
Page 71
System status Session list FortiGate-50A Installation and Configuration Guide 71 Each line of the session list displays the following information. Figure 4: Example session list Protocol The service protocol of the connection, for example, udp, tcp, or icmp. From IP The source IP address of the connection. From Port The source port of the conn[...]
Page 72
72 Fortinet Inc. Session list System status[...]
Page 73
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 73 Virus and attack definitions updates and registration You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus en[...]
Page 74
74 Fortinet Inc. Updating antivirus and attack definitions Virus and attack definitions updates and registration The Update page on the web-based manager displays the following antivirus and attack definition update information. This section describes: • Connecting to the FortiResponse Distribution Network • Manually initiating antivirus[...]
Page 75
Virus and attack definitions updates and registration Updating antivirus and attack definitions FortiGate-50A Installation and Configuration Guide 75 Manually initiating antivirus and attack definitions updates You can use the following procedure to update the antivirus and attack definitions at any time. The FortiGate unit must be able to co[...]
Page 76
76 Fortinet Inc. Scheduling updates Virus and attack definitions updates and registration Configuring update logging Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. The update log messages are recorded on the FortiGate Event log. To confi[...]
Page 77
Virus and attack definitions updates and registration Scheduling updates FortiGate-50A Installation and Configuration Guide 77 4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log. Figure[...]
Page 78
78 Fortinet Inc. Enabling push updates Virus and attack definitions updates and registration Enabling scheduled updates through a proxy server If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using [...]
Page 79
Virus and attack definitions updates and registration Enabling push updates FortiGate-50A Installation and Configuration Guide 79 When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if t[...]
Page 80
80 Fortinet Inc. Enabling push updates Virus and attack definitions updates and registration Example: push updates through a NAT device This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive pus[...]
Page 81
Virus and attack definitions updates and registration Enabling push updates FortiGate-50A Installation and Configuration Guide 81 General procedure Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates: 1 Add a por[...]
Page 82
82 Fortinet Inc. Enabling push updates Virus and attack definitions updates and registration Figure 3: Push update port forwarding virtual IP Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT device 1 Add a new external to internal firewall policy. 2 Configure the policy with the following settings: 3 [...]
Page 83
Virus and attack definitions updates and registration Registering FortiGate units FortiGate-50A Installation and Configuration Guide 83 4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149. 5 Set Port to the external service port added to the virtual IP. For the example topology, en[...]
Page 84
84 Fortinet Inc. Registering FortiGate units Virus and attack definitions updates and registration All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not sha[...]
Page 85
Virus and attack definitions updates and registration Registering FortiGate units FortiGate-50A Installation and Configuration Guide 85 Registering the FortiGate unit Before registering a FortiGate unit, you require the following information: • Your contact information including: • First and last name • Company name • Email address [...]
Page 86
86 Fortinet Inc. Updating registration information Virus and attack definitions updates and registration 4 Select the model number of the Product Model to register. 5 Enter the Serial Number of the FortiGate unit. 6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number. Figure 6: Regist[...]
Page 87
Virus and attack definitions updates and registration Updating registration information FortiGate-50A Installation and Configuration Guide 87 To recover a lost Fortinet support password 1 Go to System > Update > Support. 2 Select Support Login. 3 Enter your Fortinet support user name. 4 Select Forgot your password? 5 Enter your email a[...]
-
Página 88
88 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on Figure 7: Sample list of registered Forti Gate units Registering a new FortiGate unit T o register a new FortiGate unit 1 Go to System > Up date > Support . 2 Select Support Login. 3 Enter your Fort inet support use r name and password. [...]
-
Página 89
Virus and attack definitions updates and registration Updating registration informati on FortiGate-50A Installation and Configuration Gu ide 89 6 Select the Serial Nu mber of the F ortiGate unit for which to add or change a FortiCare Support Contract number . 7 Add the new Support Contract number . 8 Select Finish. The list of FortiGate product s t[...]
-
Página 90
90 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on Downloading virus and attack definitions updates Use the followin g procedur e to manually download virus and attack definitio ns updates. This proce dure also describes how to install the att ack definitions updates on your FortiG ate unit. T[...]
-
Página 91
Virus and attack definitions upda tes and registra tion Registering a Fort iGate unit after an RMA FortiGate-50A Installation and Configuration Gu ide 91 Registering a FortiGate unit af ter an RMA The Return Material Authoriz ation (RMA) process sta rts when a regi stered FortiGate unit does not work properly be cause of a hardware failure. If this[...]
-
Página 92
92 Fortinet Inc. Registering a FortiGate unit after an RMA Vi rus and attack defi nitions updates and registrati on[...]
-
Página 93
FortiGate-50A Inst all ation and Configuration Guide V ersion 2.50 FortiGate-50A Installation and Configuration Gu ide 93 Network configuration Y ou can use the System Network page to change an y of the following FortiGate network set tings: • Configuring interfaces • Adding DNS server IP addres ses • Configuring routing • Configuring DHCP [...]
-
Página 94
94 Fortinet Inc. Configuring interfac es Network configuration Viewing the interface list T o view the interface list 1 Go to System > Network > Interface . The interface list is display ed. The interface list shows the following status inform ation for all the FortiGate interfaces and VLAN subi nterfaces: • The name of the interface • Th[...]
-
Página 95
Network configuration Configuring interfaces FortiGate-50A Installation and Configuration Gu ide 95 4 Change the IP address and Netmask as requ ired. The IP address of the interface must be o n the same subnet as the network the interface is connecting to . T wo interfaces cannot have the same IP address and cannot have IP addresses on the same sub[...]
-
Página 96
96 Fortinet Inc. Configuring interfac es Network configuration Configuring an interface for PPPoE Use the follo wing proced ure to configu re any FortiGate interface to use PPPoE. If you configure the interface to use PPPoE, the FortiGate unit auto matically broadcasts a PPPoE request. Y o u can disable connect to server if yo u are configuring the[...]
-
Página 97
Network configuration Configuring interfaces FortiGate-50A Installation and Configuration Gu ide 97 Y ou can also configure management access and add a pi ng server to the secondary IP address. set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet set system interface <intf_str> config secgwdetect enable [...]
-
Página 98
98 Fortinet Inc. Configuring interfac es Network configuration 2 Choose an interface and select Modify . 3 Select the Administrative Ac cess methods for t he interface. 4 Select OK to save the changes. Changing the MTU size to improve network performance T o improve ne twork perfo rmance, you can change the maximum transmissio n unit (MTU) of the p[...]
-
Página 99
Network configuration Configuring interfaces FortiGate-50A Installation and Configuration Gu ide 99 Configuring the management interface in Transparent mode Configure the management int erface in Transparent mode to set the managem ent IP address of the FortiGat e unit. Admin istrators con nect to this IP address t o administer the FortiGate unit. [...]
-
Página 100
100 Fortinet Inc. Adding DNS server IP addres ses Network configuration Adding DNS server IP addresses Several FortiGat e functions, incl uding se nding email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usua lly supplied[...]
-
Página 101
Network configuration Configuring routing FortiGate-50A Installation and Configuration Guide 101 Adding destination-based r outes to the routing table Y ou can add destination-based routes to th e FortiGate routing t a ble to control the destination of traffic exiting the F ortiGat e unit. Y ou configure rou tes by adding destination IP ad dresses [...]
-
Página 102
102 Fortinet Inc. Configuring routing Network configuration 7 Set Device #2 to the FortiGate interface th r ough which to route traffic to co nnect to Gateway #2. Y ou can select the name of an interface or Au to (the default). If you select the na me of an interface , the traffic is routed to tha t in terface. If you select Auto the system selects[...]
-
Página 103
Network configuration Configuring routing FortiGate-50A Installation and Configuration Guide 103 T o configure the routing t able 1 Go to System > Network > Routing T able . 2 Choose the route that you want to move and select Move to to change its order in the routing table. 3 T ype a number in the Move to field to specify where in the routin[...]
-
Página 104
104 Fortinet Inc. Configuring DHCP servi ces Network configuration Policy routing command syntax Configure policy routing using th e following CLI command. set system route policy <route_int> src <source_ip> <source_mask> iifname <source-interface_name> dst <destination_ip> <destination_mask> oifname <destinat[...]
-
Página 105
Network configuration Configuring DHCP services FortiGate-50A Installation and Configuration Gu ide 105 Configuring a DHCP server As a DHCP server , the FortiGate unit dyna mically assigns IP addresses to hosts located on connected subnet s. Y ou can configure a DHCP server for any FortiGa te interface. Y ou can also configur e a DHCP server for mo[...]
-
Página 106
106 Fortinet Inc. Configuring DHCP servi ces Network configuration 3 Select an interface. Y ou must configure the inte rface as a DHCP server before it can be sele cted. 4 Select New to add an address scope. 5 Configure the ad dress scope. 6 Select Advanced if you want to configure Adva nced Options. 7 Select OK. Adding a reserve IP to a DHCP serve[...]
-
Página 107
Network configuration Confi guring the modem interface FortiGate-50A Installation and Configuration Gu ide 107 7 Select OK. Viewing a DHCP server dynamic IP list Y ou can view the list of IP addresses t hat the DHCP server has assigned, th eir corresponding MAC addr esses, and the expi ry time and date for these addresses. T o view a DHCP server dy[...]
-
Página 108
108 Fortinet Inc. Configur ing the modem interfac e Network con figuration Connecting a modem to the FortiGate unit The FortiGa te unit can operate with most standard external ser ial interface modems that support st andard Hayes A T commands. T o connect, install a USB-to -serial converter between one of the two USB port s on the FortiGate unit an[...]
-
Página 109
Network configuration Confi guring the modem interface FortiGate-50A Installation and Configuration Gu ide 109 4 Enter the following Dialup Acco unt 1 settings: 5 If you have multiple dia lup accounts, enter Ph one Number , User Name, and Password for Dialup Account 2 and Dialup Account 3. 6 Select Apply . Connecting to a dialup account Use the fol[...]
-
Página 110
11 0 Fortinet Inc. Configur ing the modem interfac e Network con figuration Viewing modem status T o view the statu s of the modem connection go to System > Network > Mo dem . Modem status is one of the following: A green check mark indicates the active dialup account. The IP address and netmask a ssigned to t he modem interface a ppears on t[...]
-
Página 111
Network configuration Confi guring the modem interface FortiGate-50A Installation and Configuration Gu ide 111 If the connection to the dialup account fails, the FortiGate unit re dials the modem. Th e modem redials the number of times specified by th e redi al limit, or until it conn ects to a dialup account. In standalo ne mode the modem interfac[...]
-
Página 112
11 2 Fortinet Inc. Configur ing the modem interfac e Network con figuration[...]
-
Página 113
FortiGate-50A Inst all ation and Configuration Guide V ersion 2.50 FortiGate-50A Installation and Configuration Gu ide 11 3 RIP configuration The FortiGate implement ation of the Routing Information Pr otocol (RIP) supports both RIP version 1 as defined by RFC 1058, a nd RIP ver sion 2 as defined by RFC 2453. RIP version 2 enables RIP messages to c[...]
-
Página 114
11 4 Fortinet Inc. RIP settings RIP configuration 5 Change the following RIP time r settings, as re quired. RIP timer de faults are effective in most configurations. Y ou should only have to change these timers to tr oubleshoot netw ork routing problems. All routers and access servers in the network should ha ve the same RIP timer settings. 6 Selec[...]
-
Página 115
RIP configuration Configuring RIP for FortiGate interfaces FortiGate-50A Installation and Configuration Gu ide 11 5 Figure 1: Configuring RIP settings Configuring RIP for FortiGate interfaces Y ou can customize a RIP configuration for each FortiGate in terface. This allows you to customize RIP for the network to which each interface is connected. T[...]
-
Página 116
11 6 Fortinet Inc. Configuring RIP for Forti Gate interfaces RIP configuration 4 Select OK to save the R IP config uration for the selected interface. Figure 2: Example RIP configuration for an internal interface Password Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long. Mode Defines the a[...]
-
Página 117
RIP configuration Adding RIP filters FortiGate-50A Installation and Configuration Gu ide 11 7 Adding RIP filters Use the Filter pag e to create RIP filter lists and assign RIP filter list s to the neighbors filter , incoming r oute filter , o r outgoing route filter . The neighbors fil ter allows or denies updates from other ro uters. The incoming [...]
-
Página 118
11 8 Fortinet Inc. Adding RIP filters RIP co nfiguration 3 For Filter Name, type a nam e for the RIP filter list. The name can be 15 characters long an d can contain upper and lower case letters, numbers, and special char acters. The name cannot contain sp aces. 4 Select the Blank Filter check box to create a RIP filter lis t with no entries, or en[...]
-
Página 119
RIP configuration Adding RIP filters FortiGate-50A Installation and Configuration Gu ide 11 9 Assigning a RIP fi lter list to the outgoing filter The outgoing filter allows or denies addi n g routes to outgoing RIP update packets . Y ou can assign a single RIP filter list to the outgoing filter . T o assign a RIP filter list to the out going filter[...]
-
Página 120
120 Fortinet Inc. Adding RIP filters RIP co nfiguration[...]
-
Página 121
FortiGate-50A Inst all ation and Configuration Guide V ersion 2.50 FortiGate-50A Installation and Configuration Gu ide 121 System configuration Use the System Config page to make any of the following chan ges to the FortiGate system configuration: • Setting system date and time • Changing system options • Adding and editing administra tor acc[...]
-
Página 122
122 Fortinet Inc. Changing system options System configuration 9 Select Apply . Figure 1: Example date and time setti ng Changing system options On the System Config Options page, you can: • Set the system idle timeout. • Set the authentication timeout. • Select the language for th e web-base manager . • Modify the dead gate way detection s[...]
-
Página 123
System configuration Adding and editing administrator accounts FortiGate-50A Installation and Configuration Gu ide 123 3 Select Apply . Auth T imeout controls the amount of inacti ve time that the fi rewall waits before requiring users to authen ticate again. For more information, see “Users and authenti cation” on page 171 . The default Auth T[...]
-
Página 124
124 Fortinet Inc. Adding and editing administrato r accounts System configuration Adding new administrator accounts From the admin accou nt, use the following proc edure to a dd new adm inistrator accounts and contro l their permission levels . T o add an administrator acc ount 1 Go to System > Config > Admin . 2 Select New to add an administ[...]
-
Página 125
System configuration Configuring SNMP FortiGate-50A Installation and Configuration Gu ide 125 T o edit an administrator acc ount 1 Go to System > Config > Admin . 2 T o change an administrator account password, select Change Password . 3 T ype the Old Password. 4 T ype and confirm a new password. For improved security , the password shou ld b[...]
-
Página 126
126 Fortinet Inc. Configuring SNMP System configuration This section describes: • Configuring the FortiGate unit fo r SNMP monitoring • Configuring FortiGate SNMP suppor t • FortiGate MI Bs • FortiGate tra ps • Fortinet MIB fields Configuring the FortiGate unit for SNMP monitoring Before a remote SNMP manager can connect to the For tiGate[...]
-
Página 127
System configuration Configuring SNMP FortiGate-50A Installation and Configuration Gu ide 127 T o configure SNMP community settin gs 1 Go to System > Config > SNMP v1/v2c . 2 Select the Enable SNMP check box. 3 Configure the following SNMP settings: 4 Select Apply . System Name Automatically set to the FortiGate host name. T o change the Syst[...]
-
Página 128
128 Fortinet Inc. Configuring SNMP System configuration Figure 2: Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent suppo rts FortiGate propriet ary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Ta b l e 1 . Y ou can obtain th ese MIB files from Fortinet technical support. T o be able to commu[...]
-
Página 129
System configuration Configuring SNMP FortiGate-50A Installation and Configuration Gu ide 129 FortiGate traps The FortiGa te agent ca n send tra ps to up to three S NMP trap r eceivers on your network that are configur ed to receive tr aps from the FortiGate unit. For these SNMP managers to receive trap s, you must load and compile the Fortinet tra[...]
-
Página 130
130 Fortinet Inc. Configuring SNMP System configuration VPN traps NIDS traps Antivirus traps Logging traps Fortinet MIB fields The Fortinet MIB contain s fields for co nfiguration settings and curren t status information for all parts of the FortiGate pr oduct. This section list s the names of the high-level MIB f ields and de scribes the configura[...]
-
Página 131
System configuration Configuring SNMP FortiGate-50A Installation and Configuration Gu ide 131 System configuration and status Firewall configuration Users and authentication configuration T able 8: System MIB fields MIB field Description fnSysSt atus FortiGate system configurat ion including operation mode, firmware version, virus definition versio[...]
-
Página 132
132 Fortinet Inc. Configuring SNMP System configuration VPN configuration and status NIDS configuration Antivirus configur ation Web filter configuration Logging and reporting configuration T able 1 1: VPN MIB fields fnVpnIp s ec IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key list, and VPN concentrator list. S tatus an[...]
-
Página 133
System configuration Replacement messa ges FortiGate-50A Installation and Configuration Gu ide 133 Replacement messages Replacement messages are adde d to content passing through the fir ewall to replace: • Files or other content r emoved from POP3 and IMAP email messages by the antivirus system, • Files or other content r emoved from HTTP down[...]
-
Página 134
134 Fortinet Inc. Replacement messages System configuration 2 For the replacement message that you wan t to customize, select Modify . 3 In the Message setup dialog box, e dit the content of the message. Ta b l e 1 6 lists the replacement message sections that can be added to repla cement messages and describes the t ags that can app ear in each se[...]
-
Página 135
System configuration Replacement messa ges FortiGate-50A Installation and Configuration Gu ide 135 T able 17: Alert email message sections NIDS event Used for NIDS event alert email messages Section St art <**NIDS_EVENT**> Allowed T a gs %%NIDS_EVENT%% The NIDS attack message. Section End <**/NIDS_EVENT**> Virus alert Used for virus ale[...]
-
Página 136
136 Fortinet Inc. Replacement messages System configuration Critical event Used for critical firewal l event alert emails. Section St art <**CRITICAL_EVENT**> Allowed T a gs %%CRITICAL_EVENT %% The firewall critical event message Section End <**/CRITICAL_EVENT**>[...]
-
Página 137
FortiGate-50A Inst all ation and Configuration Guide V ersion 2.50 FortiGate-50A Installation and Configuration Gu ide 137 Firewall configuration Firewall policies control all traf fic passing through the FortiGate unit. Firewall policies are instructions tha t the FortiGate unit uses to decide what to do with a connection request. When the firewal[...]
-
Página 138
138 Fortinet Inc. Default firewall configuration Firewall configuration This chapter describes: • Default firewall configuration • Adding firewall policies • Configuring policy lists • Addresses • Services • Schedules • Vir t ua l I P s • IP pools • IP/MAC binding • Content prof iles Default firewall configuration Firewall polic[...]
-
Página 139
Firewall confi guration Default firewall configurati on FortiGate-50A Installation and Configuration Gu ide 139 The firewall uses these addresse s to match the source an d destination ad dresses of packets received by the f irewall. The defa ult policy matches all connections from the internal network because it includes the In ternal_All address. [...]
-
Página 140
140 Fortinet Inc. Adding firewall policies Firewall configuration Adding firewall policies Add Firewall policies to con trol connections and traffic between FortiGate interf aces. T o add a firewall policy 1 Go to Firewall > Polic y . 2 Select the policy list to whic h you want to add the policy . 3 Select New to add a new policy . Y ou can also[...]
-
Página 141
Firewall confi guration Adding firewall policies FortiGate-50A Installation and Configuration Gu ide 141 Figure 5: Addi ng a NA T/Route po licy Action Select how you want the firewall to respond when the policy ma tches a connection attempt. ACCEPT Accept the connecti on. If you select ACCEPT , you can also configure NA T and Authentication for the[...]
-
Página 142
142 Fortinet Inc. Adding firewall policies Firewall configuration NAT Configure the policy fo r NA T . NA T translates the source address and the source por t of packets accepted by the policy . If you select NA T , you can also select Dynamic IP Pool and Fixed Port . NA T is not available in Transparent mode. VPN Tunnel Select a VPN tunnel for an [...]
-
Página 143
Firewall confi guration Adding firewall policies FortiGate-50A Installation and Configuration Gu ide 143 Authentication Select Authentication and select a user gr oup to require users to enter a user name and password b efore the firewall accepts the connection. Sele ct the user group to control the user s that can auth enticate with this policy . [...]
-
Página 144
144 Fortinet Inc. Configuring policy lists Firewall co nfiguration Figure 6: Adding a T ransparent mode pol icy Log Traffic Select Log Traf fic to write message s to the traffic log when ever the polic y processes a connection. For information abo ut logging, see “L ogging and reporting” on p age 251 . Comments Y ou can add a description or oth[...]
-
Página 145
Firewall confi guration Configuring policy lists FortiGate-50A Installation and Configuration Gu ide 145 For example, the default policy is a very general policy be cause it matches all connection attempt s. When you create exceptio ns to that policy , you must add them to the policy list above the defaul t policy . No policy below the default poli[...]
-
Página 146
146 Fortinet Inc. Addresses Firewall configurati on Enabling and disabling policies Y ou can enable and disable policies in the po licy list to control wh ether the policy is active or not. The FortiGate unit matc hes enabled policies bu t does not match disabled policies. Disabling policies Disable a policy to tem porarily prevent the fi rewall fr[...]
-
Página 147
Firewall confi guration Addresses FortiGate-50A Installation and Configuration Gu ide 147 This section describes: • Adding addresses • Editing addresses • Deleting addresses • Organizing addresses into address gr oups Adding addresses T o add an address 1 Go to Firewall > Address . 2 Select the interface that you want to add the addre s [...]
-
Página 148
148 Fortinet Inc. Addresses Firewall configurati on Editing addresses Edit an address to change it s IP address and netmask. Y ou cannot edit the address name. T o change the address name , you must delete the address en try and then add the address ag ain with a new name. T o edit an address 1 Go to Firewall > Address . 2 Select the interface l[...]
-
Página 149
Firewall confi guration Services FortiGate-50A Installation and Configuration Gu ide 149 5 T o remove addresses from the addr ess group, select an address fro m the Members list and select the left arrow to remove it from the group. 6 Select OK to add the address group . Figure 8: Adding an internal addre ss group Services Use services to determine[...]
-
Página 150
150 Fortinet Inc. Services Firewall configuration GRE Generic Routing Encapsulation. A protocol that allows an arbitrary network p rotocol to be transmitte d over any other arbitrary netwo rk protocol, by encapsulating the packet s of the protocol within GRE packets. 47 AH Authentication Header. AH provides source host authentication and data integ[...]
-
Página 151
Firewall confi guration Services FortiGate-50A Installation and Configuration Gu ide 151 LDAP Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389 NetMeeting NetMeeting allows users to teleconference using the Internet as th e transmission medium. tcp 1720 NFS Network File System allows network[...]
-
Página 152
152 Fortinet Inc. Services Firewall configuration Adding custom TC P and UDP services Add a custom TCP or UDP service if you need to create a policy fo r a service that is not in the predef ined service list. T o add a custom TCP or UDP service 1 Go to Firewall > Service > Cus tom . 2 Select TCP/UDP from the Protocol list. 3 Select New . 4 T [...]
-
Página 153
Firewall confi guration Services FortiGate-50A Installation and Configuration Gu ide 153 Adding custom ICMP services Add a custom ICMP service if you need to cr eate a policy for a service that is not in the predefin ed service list . T o add a custom ICMP service 1 Go to Firewall > Service > Cus tom . 2 Select ICMP from the Prot ocol list. 3[...]
-
Página 154
154 Fortinet Inc. Schedules Firewall configura tion 3 T ype a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service nam e. The name can cont ain numbers (0-9), uppercase and lowerca se letters (A-Z, a-z), and the special characters - and _. Other sp ecial charact[...]
-
Página 155
Firewall confi guration Schedules FortiGate-50A Installation and Configuration Gu ide 155 Creating one-time schedules Y ou can create a one-time schedule that activates or deactivates a policy for a specified pe riod of time . For example , yo ur firewall might be configured with the default policy that allows acce ss to all services on the In tern[...]
-
Página 156
156 Fortinet Inc. Schedules Firewall configura tion If you create a recurring schedule with a stop time that occurs be fore the start time, the schedule st arts at the st art time and finishes at the stop time on the next day . Y ou can use this techniqu e to create recurring schedules that r un from one day to the next. Y ou can also create a recu[...]
-
Página 157
Firewall confi guration Virtual IPs FortiGate-50A Installation and Configuration Gu ide 157 T o add a schedule to a policy 1 Go to Firewa ll > Policy . 2 Create a new policy or edit a policy to change its schedule. 3 Configure the policy as req uired. 4 Add a sched ule by selecting it from the Schedule list. 5 Select OK to save the policy . 6 Ar[...]
-
Página 158
158 Fortinet Inc. Virtual IPs Firewall configuration Adding static NAT virtual IPs T o add a st atic NA T virtual IP 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 T ype a N ame for the virtual IP . The name can cont ain numbers (0-9), uppercase and lowerca se letters (A-Z, a-z), and the special characters - and _. Other sp[...]
-
Página 159
Firewall confi guration Virtual IPs FortiGate-50A Installation and Configuration Gu ide 159 Figure 12: Adding a st atic NA T virtual IP Adding port forwar ding virtual IPs T o add port forwarding virtual IPs 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 T ype a N ame for the virtual IP . The name can cont ain numbers (0-9)[...]
-
Página 160
160 Fortinet Inc. Virtual IPs Firewall configuration 7 Enter the External Service Port numbe r that you want to configure port forwarding for . The external se rvice port number must matc h th e destination port of the packet s to be forwarded. For example, if the virtual IP provide s access from the Internet to a web server , the external service [...]
-
Página 161
Firewall confi guration IP pools FortiGate-50A Installation and Configuration Gu ide 161 Adding policies wi th virtual IPs Use the followin g procedur e to add a policy that use s a virtua l IP to forwar d packets. T o add a policy with a virtual IP 1 Go to Firewall > Polic y . 2 Select the type of policy that you want to add. • The sourc e in[...]
-
Página 162
162 Fortinet Inc. IP pools Firewall configura tion Adding an IP pool T o add an IP pool 1 Go to Firewall > IP Pool . 2 Select the interface to which to add the IP pool. 3 Select New to add a new IP poo l to the select ed interf ace. 4 Enter the S tart IP and End IP addresses for the range o f addresses in the IP pool. The start IP an d end IP mu[...]
-
Página 163
Firewall confi guration IP/MAC binding FortiGate-50A Installation and Configuration Gu ide 163 If you want connections to originate from a ll your Internet IP ad dresses, you can add this address range to an IP pool for th e external interface. T hen you ca n select Dynamic IP Pool for all policies with the exter nal interface as the de stination. [...]
-
Página 164
164 Fortinet Inc. IP/MAC binding Firewall configuration 4 Select New to add IP/MAC binding pairs to the IP/MAC binding list . All packet s that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, th en the firewall attempt s to match the packet with[...]
-
Página 165
Firewall confi guration IP/MAC binding FortiGate-50A Installation and Configuration Gu ide 165 Adding IP/MAC addresses T o add an IP/MAC address 1 Go to Firewall > IP/M AC Binding > St atic IP/MAC . 2 Select New to add an IP ad dress/MAC addre ss pair . 3 Enter the IP Address and th e MAC Address. Y ou can bind multiple IP addresses to the sa[...]
-
Página 166
166 Fortinet Inc. Content profiles Firewall configuration Figure 15: IP/MAC settings Content profiles Use content profiles to app ly different prot ection settings for content traffic that is controlled by firewall policies. Y ou can use content profiles to: • Configure antivirus protection for HT TP , FTP , POP3, SMTP , and I MAP policies • Co[...]
-
Página 167
Firewall confi guration Content profiles FortiGate-50A Installation and Configuration Gu ide 167 Default content profiles The FortiGate unit has the following four default content profiles that are displayed on the Firewall Cont ent Profile page. Y ou can use the default content profiles or cre ate your own. Adding content profiles If the default c[...]
-
Página 168
168 Fortinet Inc. Content profiles Firewall configuration 6 Enable the email filter protec tion options that you want. 7 Enable the fragmented email and oversized file and email options that you want. 8 Select OK. Figure 16: Example cont ent profile Web Exempt List Exempt URLs from web filt ering and virus scanning. See “Exempt URL list” on pag[...]
-
Página 169
Firewall confi guration Content profiles FortiGate-50A Installation and Configuration Gu ide 169 Adding content prof iles to policies Y ou can add content profiles to policies with actio n set to allow or encrypt and with service set to ANY , HTTP , FTP , IMAP , POP3, SMTP , or a se rvice group that includes these services. T o add a content profil[...]
-
Página 170
170 Fortinet Inc. Content profiles Firewall configuration[...]
-
Página 171
FortiGate-50A Inst all ation and Configuration Guide V ersion 2.50 FortiGate-50A Installation and Configuration Gu ide 171 Users and authentication FortiGate un its support user authe ntication to the FortiGate user database, a RADIUS server , and a n LDAP serv er . Y ou can add user na mes to th e FortiGat e user database and then add a p assword [...]
-
Página 172
172 Fortinet Inc. Setting authentication timeout Users and authenticati on This chapter describes: • Setting authentication timeout • Adding user names and co nfiguring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user group s Setting authentication timeout Authentication timeout controls how long a[...]
Users and authentication Adding user names and configuring authentication FortiGate-50A Installation and Configuration Guide 173
5 Select the Try other servers if connect to selected server fails check box if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS confi[...]
174 Fortinet Inc. Configuring RADIUS support Users and authentication
Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.
This section describes:
• Adding RADIUS servers
• Deleting RADIUS servers
Addi[...]
Users and authentication Configuring LDAP support FortiGate-50A Installation and Configuration Guide 175
Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user [...]
176 Fortinet Inc. Configuring LDAP support Users and authentication
7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the followi[...]
Users and authentication Configuring user groups FortiGate-50A Installation and Configuration Guide 177
Configuring user groups
To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to conf[...]
178 Fortinet Inc. Configuring user groups Users and authentication
Figure 20: Adding a user group
7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group.
8 Select OK.[...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 179
IPSec VPN
A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, [...]
180 Fortinet Inc. Key management IPSec VPN
Key management
There are three basic elements in any encryption system:
• an algorithm that changes information into code,
• a cryptographic key that serves as a secret starting point for the algorithm,
• a management system to control the key.
IPSec provides two ways to handle key exchange and [...]
IPSec VPN Manual key IPSec VPNs FortiGate-50A Installation and Configuration Guide 181
Manual key IPSec VPNs
When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbi[...]
182 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN
6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.
7 Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel.
8 Enter the Encryption Key. Each two-character combination [...]
IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 183
General configuration steps for an AutoIKE VPN
An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. T[...]
184 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN
4 Select a Remote Gateway address type.
• If the remote VPN peer has a static IP address, select Static IP Address.
• If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification [...]
IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 185
10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer.
• Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the Fort[...]
186 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN
4 Optionally, configure NAT Traversal.
5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors.
6 Select OK to s[...]
IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 187
Figure 21: Adding a phase 1 configuration (Standard options)
Figure 22: Adding a phase 1 configuration (Advanced options)[...]
188 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN
Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
To add a phase 2 configuration
1 Go to VPN > I[...]
IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 189
10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure, “Adding a VPN concentrator”[...]
190 Fortinet Inc. Managing digital certificates IPSec VPN
Managing digital certificates
Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copy[...]
IPSec VPN Managing digital certificates FortiGate-50A Installation and Configuration Guide 191
6 Configure the key.
7 Select OK to generate the private and public key pair and the certificate request.
The private/public key pair are generated and the certificate request is displayed on the Local Certificates list with a status of Pending.
Fi[...]
192 Fortinet Inc. Managing digital certificates IPSec VPN
Downloading the certificate request
Use the following procedure to download a certificate request from the FortiGate unit to the management computer.
To download the certificate request
1 Go to VPN > Certificates > Local Certificates.
2 Select Download to download the local ce[...]
IPSec VPN Configuring encrypt policies FortiGate-50A Installation and Configuration Guide 193
The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiGate unit. [...]
194 Fortinet Inc. Configuring encrypt policies IPSec VPN
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the [...]
IPSec VPN Configuring encrypt policies FortiGate-50A Installation and Configuration Guide 195
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.
5 Select OK to save the destination address.
Adding an encrypt policy
To add an encrypt policy
1[...]
196 Fortinet Inc. IPSec VPN concentrators IPSec VPN
To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.
Figure 25: Adding an encrypt policy
IPSec VPN concentrators
In a hub-and-spoke network, all VPN t[...]
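The ordering advice above matters because a policy list is evaluated top to bottom and the first match wins: an encrypt policy placed below a broader accept policy for the same addresses never matches, and traffic for the remote site leaves in clear text. The following is an added example in plain Python, not code from the guide or from Fortinet; the Policy class, the CIDR addresses, and the shadowed_policies check are constructed to illustrate first-match evaluation and are not a model of the FortiGate matching engine.

```python
"""First-match policy ordering, modelled in plain Python (added example, not FortiGate code).

A policy list is evaluated top to bottom; the first policy whose source,
destination and service match the packet decides the action.  If a broad
ACCEPT policy sits above the ENCRYPT policy for the VPN, traffic bound for the
remote site is accepted unencrypted and the tunnel policy never matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    source: str        # CIDR; "0.0.0.0/0" stands in for an "all addresses" entry
    destination: str
    service: str       # "ANY", "HTTP", "DNS", ...
    action: str        # "accept" or "encrypt"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.source)
                and ip_address(dst_ip) in ip_network(self.destination)
                and self.service in ("ANY", service))


def first_match(policies: List[Policy], src_ip: str, dst_ip: str,
                service: str) -> Optional[Policy]:
    """Return the first policy in list order that matches, or None (implicit deny)."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, service):
            return policy
    return None


# Constructed addresses: local LAN 192.168.1.0/24, remote VPN peer LAN 10.10.0.0/16.
ENCRYPT_TO_BRANCH = Policy("to-branch-vpn", "192.168.1.0/24", "10.10.0.0/16", "ANY", "encrypt")
INTERNAL_TO_ANY = Policy("internal-out", "192.168.1.0/24", "0.0.0.0/0", "ANY", "accept")

WRONG_ORDER = [INTERNAL_TO_ANY, ENCRYPT_TO_BRANCH]   # encrypt policy is shadowed
RIGHT_ORDER = [ENCRYPT_TO_BRANCH, INTERNAL_TO_ANY]   # encrypt policy on top


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Names of policies that an earlier policy always catches first.

    Constructed check: probe each policy with an address pair drawn from its
    own source and destination networks and see whether a policy above it
    matches that probe.  This is an illustration, not a FortiGate feature.
    """
    shadowed = []
    for index, policy in enumerate(policies):
        src = str(ip_network(policy.source).network_address)
        dst = str(ip_network(policy.destination).network_address)
        svc = "HTTP" if policy.service == "ANY" else policy.service
        if first_match(policies[:index], src, dst, svc) is not None:
            shadowed.append(policy.name)
    return shadowed


if __name__ == "__main__":
    for order in (WRONG_ORDER, RIGHT_ORDER):
        hit = first_match(order, "192.168.1.25", "10.10.4.7", "HTTP")
        print([p.name for p in order], "->", hit.action if hit else "deny",
              "shadowed:", shadowed_policies(order))
```

Run as a script it prints the action chosen for a packet from the local LAN to the branch LAN under both orderings; the shadowed_policies check is the kind of sanity test worth running after any policy-list edit.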
IPSec VPN IPSec VPN concentrators FortiGate-50A Installation and Configuration Guide 197
If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator con[...]
198 Fortinet Inc. IPSec VPN concentrators IPSec VPN
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be In[...]
IPSec VPN IPSec VPN concentrators FortiGate-50A Installation and Configuration Guide 199
Figure 26: Adding a VPN concentrator
VPN spoke general configuration steps
A remote VPN peer that functions as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for th[...]
200 Fortinet Inc. IPSec VPN concentrators IPSec VPN
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configur[...]
IPSec VPN Monitoring and Troubleshooting VPNs FortiGate-50A Installation and Configuration Guide 201
Monitoring and Troubleshooting VPNs
• Viewing VPN tunnel status
• Viewing dialup VPN connection status
• Testing a VPN
Viewing VPN tunnel status
You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunn[...]
202 Fortinet Inc. Monitoring and Troubleshooting VPNs IPSec VPN
Figure 28: Dialup Monitor
Testing a VPN
To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first da[...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 203
PPTP and L2TP VPN
You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows you do[...]
204 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN
2 Add and configure PPTP users. For information about adding and configuring users, see “Adding user names and configuring authentication” on page 172.
3 Go to User > User Group.
4 Add and configure PPTP user groups. For information about adding and configuring user groups, see “Confi[...]
PPTP and L2TP VPN Configuring PPTP FortiGate-50A Installation and Configuration Guide 205
To add a source address group
Organize the source addresses into an address group.
1 Go to Firewall > Address > Group.
2 Add a new address group to the interface to which PPTP clients connect.
3 Enter a Group Name to identify the address group. The[...]
206 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN
Configuring a Windows 98 client for PPTP
Use the following procedure to configure a client computer running Windows 98 so that it can connect to a FortiGate PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking sup[...]
PPTP and L2TP VPN Configuring PPTP FortiGate-50A Installation and Configuration Guide 207
Configuring a Windows 2000 client for PPTP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.
To configure a PPTP dialup connection
1 Go to Start > Settings > Network an[...]
208 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN
8 Select Finish.
To configure the VPN connection
1 Right-click the Connection icon that you created in the previous procedure.
2 Select Properties > Security.
3 Select Typical to configure typical settings.
4 Select Require data encryption.
5 Select Advanced to configure advanced setting[...]
PPTP and L2TP VPN Configuring L2TP FortiGate-50A Installation and Configuration Guide 209
Configuring L2TP
Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit.
This section describes:
• Configuring the FortiGate unit as an L2TP gateway
• Configuring a Windows 2000[...]
210 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN
Figure 30: Sample L2TP address range configuration
To add source addresses
Add a source address for every address in the L2TP address range.
1 Go to Firewall > Address.
2 Select the interface to which L2TP clients connect.
3 Select New to add an address.
1 Enter the Address Name, IP A[...]
PPTP and L2TP VPN Configuring L2TP FortiGate-50A Installation and Configuration Guide 211
To add a destination address
Add an address to which L2TP users can connect.
1 Go to Firewall > Address.
2 Select the internal interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for a[...]
212 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN
8 Select the Security tab.
9 Make sure that Require data encryption is selected.
10 Select the Networking tab.
11 Set VPN server type to Layer-2 Tunneling Protocol (L2TP).
12 Save the changes and continue with the following procedure.
To disable IPSec
1 Select the Networking tab.
2 Selec[...]
PPTP and L2TP VPN Configuring L2TP FortiGate-50A Installation and Configuration Guide 213
Configuring a Windows XP client for L2TP
Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN.
To configure an L2TP VPN dialup connection
1 Go to Start > Settings.
2 Select Network [...]
214 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSEC is selected.
6 Select OK and close the connection properties window.
7 Use the registry editor (regedit) to locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi[...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 215
Network Intrusion Detection System (NIDS)
The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traff[...]
216 Fortinet Inc. Detecting attacks Network Intrusion Detection System (NIDS)
Selecting the interfaces to monitor
To select the interfaces to monitor for attacks
1 Go to NIDS > Detection > General.
2 Select the interfaces to monitor for network attacks. You can select one or more interfaces.
3 Select Apply.
Disabling monitoring interf[...]
Network Intrusion Detection System (NIDS) Detecting attacks FortiGate-50A Installation and Configuration Guide 217
Viewing the signature list
You can display the current list of NIDS signature groups and the members of a signature group.
To view the signature list
1 Go to NIDS > Detection > Signature List.
2 View the names and action s[...]
218 Fortinet Inc. Detecting attacks Network Intrusion Detection System (NIDS)
Figure 32: Example signature group members list
Disabling NIDS attack signatures
By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve s[...]
Network Intrusion Detection System (NIDS) Detecting attacks FortiGate-50A Installation and Configuration Guide 219
To add user-defined signatures
1 Go to NIDS > Detection > User Defined Signature List.
2 Select Upload.
3 Type the path and filename of the text file for the user-defined signature list or select Browse and locate the fi[...]
220 Fortinet Inc. Preventing attacks Network Intrusion Detection System (NIDS)
Preventing attacks
NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You c[...]
Network Intrusion Detection System (NIDS) Preventing attacks FortiGate-50A Installation and Configuration Guide 221
Setting signature threshold values
You can change the default threshold values for the NIDS Prevention signatures listed in Table 20. The threshold depends on the type of attack. For flooding attacks, the threshold is the ma[...]
222 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS)
To set Prevention signature threshold values
1 Go to NIDS > Prevention.
2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
3 Type the Threshold value.
4 Select [...]
Network Intrusion Detection System (NIDS) Logging attacks FortiGate-50A Installation and Configuration Guide 223
The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new m[...]
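The queue described above is a standard way to keep a repeating attack from flooding the alert mailbox. The block below is an added Python example, not FortiGate's implementation, that models the behaviour the page states (a new message is compared with queued ones and sent at once if it is not a duplicate). Everything the page does not state is an assumption here: duplicates are suppressed and counted rather than sent, and queue entries expire after a constructed window so the same alert is sent again later; the AlertQueue class and the sample alert texts are constructed.

```python
"""Alert email de-duplication queue (added example, not FortiGate code).

Models page 223: each new alert is compared with the messages already in the
queue; one that is not a duplicate is sent immediately and a copy is kept.
Assumptions beyond the page: a duplicate is suppressed and counted, and queue
entries expire after `window_seconds`, after which the alert is sent again.
"""
import hashlib
import time
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple


class AlertQueue:
    def __init__(self, window_seconds: float = 300.0):
        self.window = window_seconds
        # message fingerprint -> (first_seen, suppressed_count)
        self._queue: "OrderedDict[str, Tuple[float, int]]" = OrderedDict()
        self.sent: List[str] = []

    @staticmethod
    def fingerprint(message: str) -> str:
        # Keep a hash rather than the full text so the queue stays small.
        return hashlib.sha256(message.encode("utf-8")).hexdigest()

    def _expire(self, now: float) -> None:
        # Drop copies older than the window (assumed behaviour, not from the page).
        stale = [k for k, (seen, _) in self._queue.items() if now - seen > self.window]
        for key in stale:
            del self._queue[key]

    def submit(self, message: str, now: Optional[float] = None) -> bool:
        """Return True if the message was sent, False if suppressed as a duplicate."""
        now = time.time() if now is None else now
        self._expire(now)
        key = self.fingerprint(message)
        if key in self._queue:
            seen, count = self._queue[key]
            self._queue[key] = (seen, count + 1)
            return False
        self._queue[key] = (now, 0)
        self.sent.append(message)      # stands in for handing the mail to SMTP
        return True

    def suppressed(self) -> Dict[str, int]:
        """Suppressed-duplicate counts per queued message fingerprint."""
        return {k: c for k, (_, c) in self._queue.items() if c}


def replay(messages: List[Tuple[float, str]], window_seconds: float = 300.0) -> List[bool]:
    """Feed (timestamp, message) pairs through one queue; return the send decisions."""
    queue = AlertQueue(window_seconds)
    return [queue.submit(msg, now=ts) for ts, msg in messages]


# Constructed alert texts, not real FortiGate alert email content.
SAMPLE = [
    (0.0,   "NIDS attack detected: syn_flood from 203.0.113.9"),
    (5.0,   "NIDS attack detected: syn_flood from 203.0.113.9"),   # duplicate, suppressed
    (7.0,   "Virus detected in HTTP download from example.test"),
    (60.0,  "NIDS attack detected: syn_flood from 203.0.113.9"),   # still inside the window
    (400.0, "NIDS attack detected: syn_flood from 203.0.113.9"),   # window expired, sent again
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The suppressed counts are worth surfacing somewhere (a summary line in the next alert, or a log entry), because a suppressed duplicate still tells the operator that the condition is ongoing.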
224 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS)[...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 225
Antivirus protection
You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTT[...]
226 Fortinet Inc. Antivirus scanning Antivirus protection
Antivirus scanning
Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection. Each file is tested to determine the file type and the most[...]
Antivirus protection File blocking FortiGate-50A Installation and Configuration Guide 227
File blocking
Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot[...]
228 Fortinet Inc. Blocking oversized files and emails Antivirus protection
3 Type the new pattern in the File Pattern field. You can use an asterisk (*) to represent any characters and a question mark (?) to represent any single character. For example, *.dot blocks Microsoft Word template files and *.do? blocks both Microsoft Word template [...]
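The two wildcards above are enough to express most file-blocking rules, but it is worth seeing exactly what a pattern catches before relying on it. The following is an added Python example, not code from the guide or from Fortinet: it translates a pattern written with * and ? into an anchored regular expression and applies a block list to file names. Case-insensitive matching and matching against the base name of a path are assumptions made here, and the BLOCK_LIST contents are constructed in the spirit of the page's *.dot and *.do? examples.

```python
"""File-pattern blocking with * and ? wildcards (added example, not FortiGate code).

Page 228 defines two wildcards: * stands for any run of characters and ? for
any single character, so *.dot blocks Word templates and *.do? blocks .doc and
.dot alike.  Case-insensitive matching and matching on the base name only are
assumptions made here, not something the page states.
"""
import posixpath
import re
from typing import List, Optional


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a * / ? file pattern into an anchored, case-insensitive regex.
    Every other character is escaped, so the '.' in '*.exe' stays literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def first_blocking_pattern(filename: str, block_list: List[str]) -> Optional[str]:
    """Return the first pattern that matches the file's base name, else None.
    The base name is used so that 'docs/report.dot' is still caught."""
    name = posixpath.basename(filename)
    for pattern in block_list:
        if pattern_to_regex(pattern).match(name):
            return pattern
    return None


# Constructed block list; the first two entries are the page's own examples.
BLOCK_LIST = ["*.dot", "*.do?", "*.exe", "*.vbs", "invoice_??.zip"]


def filter_names(filenames: List[str], block_list: List[str] = BLOCK_LIST) -> List[str]:
    """Names from `filenames` that the block list would remove."""
    return [f for f in filenames if first_blocking_pattern(f, block_list) is not None]


if __name__ == "__main__":
    for name in ["letter.dot", "letter.doc", "letter.docx", "SETUP.EXE", "invoice_42.zip"]:
        print(name, "->", first_blocking_pattern(name, BLOCK_LIST))
```

Note that *.do? does not match letter.docx: ? stands for exactly one character, so a four-letter extension needs its own pattern.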
Antivirus protection Viewing the virus list FortiGate-50A Installation and Configuration Guide 229
Viewing the virus list
You can view the names of the viruses and worms in the current virus definition list.
To view the virus list
1 Go to Anti-Virus > Config > Virus List.
2 Scroll through the virus and worm list to view the names of al[...]
230 Fortinet Inc. Viewing the virus list Antivirus protection[...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 231
Web filtering
When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of cont[...]
232 Fortinet Inc. Content blocking Web filtering
4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Replacement messages” on page 133.
5 Configure the FortiGate unit to record log messages when it blocks unwanted content or unwanted URLs. See “Recording logs” on page 251. [...]
Web filtering Content blocking FortiGate-50A Installation and Configuration Guide 233
Figure 35: Example banned word list
Clearing the Banned Word list
1 Go to Web Filter > Content Block.
2 Select Clear List to remove all banned words and phrases from the banned word list.
Backing up the Banned Word list
You can back up the banned word li[...]
234 Fortinet Inc. Content blocking Web filtering
Figure 36: Example Banned Word List text file
To restore the banned word list
1 Go to Web Filter > Content Block.
2 Select Restore Banned Word List.
3 Type the path and filename of the banned word list text file, or select Browse and locate the file.
4 Select OK to upload the file to the [...]
Web filtering URL blocking FortiGate-50A Installation and Configuration Guide 235
URL blocking
You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering.
• Configuring FortiGate Web URL blocking
• Configuring FortiGate Web pattern blocking
• Configuring Cerberian [...]
236 Fortinet Inc. URL blocking Web filtering
5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All. Each page of the Web URL block list displays 100 URLs.
6 Use Page Up and Pag[...]
Web filtering URL blocking FortiGate-50A Installation and Configuration Guide 237
Figure 38: Example URL block list text file
You can either create the URL block list or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blackl[...]
238 Fortinet Inc. Configuring Cerberian URL filtering Web filtering
4 Select Enable to block the pattern.
5 Select OK to add the pattern to the Web pattern block list.
Configuring Cerberian URL filtering
The FortiGate unit supports Cerberian URL filtering. For information about Cerberian URL filtering, see www.cerberian.com. If you have purchas[...]
Web filtering Configuring Cerberian URL filtering FortiGate-50A Installation and Configuration Guide 239
4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.2[...]
240 Fortinet Inc. Script filtering Web filtering
3 Go to Firewall > Content Profile.
4 Create a new or select an existing content profile and enable Web URL Block.
5 Go to Firewall > Policy.
6 Create a new or select an existing policy.
7 Select Anti-Virus & Web filter.
8 Select the content profile from the Content Profile list.
9[...]
Web filtering Exempt URL list FortiGate-50A Installation and Configuration Guide 241
Exempt URL list
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornograp[...]
242 Fortinet Inc. Exempt URL list Web filtering
Figure 40: Example URL Exempt list
Downloading the URL Exempt List
You can back up the URL Exempt List by downloading it to a text file on the management computer.
1 Go to Web Filter > URL Exempt.
2 Select Download URL Exempt List.
The FortiGate unit downloads the list to a text file on the ma[...]
Web filtering Exempt URL list FortiGate-50A Installation and Configuration Guide 243
3 Select Upload URL Exempt List.
4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5 Select OK to upload the file to the FortiGate unit.
6 Select Return to display the updated URL Exempt List.
7 You can con[...]
244 Fortinet Inc. Exempt URL list Web filtering[...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 245
Email filter
Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and PO[...]
246 Fortinet Inc. Email banned word list Email filter
Email banned word list
When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages ba[...]
Email filter Email banned word list FortiGate-50A Installation and Configuration Guide 247
Downloading the email banned word list
You can back up the banned word list by downloading it to a text file on the management computer:
To download the banned word list
1 Go to Email Filter > Content Block.
2 Select Download. The FortiGate unit down[...]
248 Fortinet Inc. Email block list Email filter
Email block list
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message[...]
Email filter Email exempt list FortiGate-50A Installation and Configuration Guide 249
Uploading an email block list
You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0)[...]
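A block list that is maintained in a text editor is easy to get subtly wrong (a stray flag value, a pattern that is broader than intended), so it pays to parse and test the file before uploading it. The block below is an added Python example, not code from the guide or from Fortinet. It reads the format the page gives (one pattern per line, optionally followed by a space and 1 or 0) and then applies the parsed list to a message the way pages 248 and 249 describe, tagging the Subject line when the sender matches an enabled pattern. The SUBJECT_TAG text, the use of shell-style * wildcards for address patterns, the handling of blank and # lines, treating a missing flag as enabled, and the sample list are all assumptions made here.

```python
"""Parser for the email block list text file (added example, not FortiGate code).

Page 249 gives the upload format: one address pattern per line, optionally
followed by a space and a 1 (enabled) or 0 (disabled).  `tag_subject` then
applies the list as pages 248-249 describe: a sender matching an enabled
pattern gets a tag added to the Subject line.  The tag text, * wildcards in
address patterns, blank/# line handling and "no flag means enabled" are
assumptions made here, not taken from the page.
"""
import fnmatch
from typing import Dict, List, Tuple

SUBJECT_TAG = "[BLOCKED]"   # constructed tag; the real tag is configured on the unit


def parse_block_list(text: str) -> List[Tuple[str, bool]]:
    """Return (pattern, enabled) pairs; a malformed line raises ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 1:
            entries.append((fields[0], True))
        elif len(fields) == 2 and fields[1] in ("0", "1"):
            entries.append((fields[0], fields[1] == "1"))
        else:
            raise ValueError(f"line {lineno}: expected '<pattern> [0|1]', got {raw!r}")
    return entries


def sender_is_blocked(sender: str, entries: List[Tuple[str, bool]]) -> bool:
    """Case-insensitive match of the bare sender address against enabled patterns."""
    return any(enabled and fnmatch.fnmatchcase(sender.lower(), pattern.lower())
               for pattern, enabled in entries)


def tag_subject(headers: Dict[str, str], entries: List[Tuple[str, bool]]) -> Dict[str, str]:
    """Return a copy of the headers with the Subject tagged if the sender is blocked.
    Assumes the From header holds a bare address (no display name)."""
    out = dict(headers)
    if sender_is_blocked(headers.get("From", ""), entries):
        out["Subject"] = f"{SUBJECT_TAG} {headers.get('Subject', '')}".rstrip()
    return out


# Constructed block list file contents.
SAMPLE_BLOCK_LIST = """\
# constructed example list
spam@example.test 1
*@bulkmail.example.test 1
old-partner@example.test 0
newsletter@example.test
"""

if __name__ == "__main__":
    rules = parse_block_list(SAMPLE_BLOCK_LIST)
    print(tag_subject({"From": "promo@bulkmail.example.test", "Subject": "Sale"}, rules))
```

Because the unit only tags the subject and logs the event, the receiving mail clients still need a rule that acts on the tag; the parser is the place to catch a bad flag before the list is uploaded and silently ignored.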
250 Fortinet Inc. Adding a subject tag Email filter
Adding address patterns to the email exempt list
To add an address pattern to the email exempt list
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
• To exempt email sent from a specific email address, type the email address. For [...]
FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 251
Logging and reporting
You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email m[...]
252 Fortinet Inc. Recording logs Logging and reporting
4 Type the port number of the syslog server.
5 Select the severity level for which you want to record log messages. The FortiGate unit logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error [...]
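The rule in step 5 (everything from the chosen level up to emergency, nothing below it) is the same ordering syslog uses, and it is easy to pick a level that is either too noisy or quietly drops the errors an incident review later needs. The block below is an added Python example, not code from the guide or from Fortinet. It uses the standard syslog severity names and numbers (emergency=0 through debug=7); Table 23, which the page says lists the FortiGate levels, is not reproduced on this page, so treating it as that table is an assumption. The log records are constructed, and the syslog_priority helper shows how the chosen severity becomes the PRI field of a syslog message for a given facility.

```python
"""Severity-level log filtering (added example, not FortiGate code).

Page 252: the unit records every level from the chosen one up to emergency
and nothing below it.  The level table here is the standard syslog severity
list (emergency=0 ... debug=7); assuming it matches the page's Table 23 is an
assumption, since that table is not reproduced on the page.
"""
from typing import Dict, List

SEVERITY: Dict[str, int] = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}


def is_recorded(level: str, chosen: str) -> bool:
    """True if `level` is at least as severe as `chosen` (lower number = more severe)."""
    return SEVERITY[level] <= SEVERITY[chosen]


def select_for_syslog(records: List[Dict[str, str]], chosen: str) -> List[Dict[str, str]]:
    """Records the unit would forward when `chosen` is the configured level."""
    if chosen not in SEVERITY:
        raise ValueError(f"unknown severity level {chosen!r}")
    return [r for r in records if is_recorded(r["level"], chosen)]


def syslog_priority(level: str, facility: int = 16) -> int:
    """PRI = facility * 8 + severity (RFC 3164 / RFC 5424); facility 16 is local0."""
    return facility * 8 + SEVERITY[level]


# Constructed log records, not real FortiGate log lines.
RECORDS = [
    {"level": "emergency", "msg": "system halted"},
    {"level": "alert", "msg": "virus detected in HTTP download"},
    {"level": "critical", "msg": "attack signature matched"},
    {"level": "error", "msg": "RADIUS server unreachable"},
    {"level": "warning", "msg": "policy 3 has no traffic logging"},
    {"level": "notification", "msg": "admin login from 192.168.1.10"},
    {"level": "information", "msg": "traffic session closed"},
    {"level": "debug", "msg": "IKE phase 1 negotiation details"},
]

if __name__ == "__main__":
    for record in select_for_syslog(RECORDS, "error"):
        print(f"<{syslog_priority(record['level'])}> {record['level']}: {record['msg']}")
```

Choosing "error" keeps the four levels the page names as its example and drops the warning about a policy without traffic logging; if that kind of configuration drift is something you want in the central log, the level has to be "warning" or lower.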
Logging and reporting Filtering log messages FortiGate-50A Installation and Configuration Guide 253
Log message levels
Table 23 lists and describes FortiGate log message levels.
Filtering log messages
You can configure the logs that you want to record and the message categories that you want to record in each log.
To filter log entrie[...]
254 Fortinet Inc. Configuring traffic logging Logging and reporting
4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
5 Select OK.
Figure 44: Example log filter configuration
Configuring traffic logging
Yo[...]
Logging and reporting Configuring traffic logging FortiGate-50A Installation and Configuration Guide 255
This section describes:
• Enabling traffic logging
• Configuring traffic filter settings
• Adding traffic filter entries
Enabling traffic logging
You can enable logging on any interface and firewall policy. Enabling traffic logging [...]
256 Fortinet Inc. Configuring traffic logging Logging and reporting
3 Select Apply.
Figure 45: Example traffic filter list
Adding traffic filter entries
Add entries to the traffic filter list to filter the messages that are recorded in the traffic log. If you do not add any entries to the traffic filter list, the FortiGate unit records all tr[...]
Logging and reporting Configuring alert email FortiGate-50A Installation and Configuration Guide 257
Figure 46: Example new traffic address entry
Configuring alert email
You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewal[...]
258 Fortinet Inc. Configuring alert email Logging and reporting
3 In the SMTP Server field, type the name of the SMTP server where you want the FortiGate unit to send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit.
4 In the SMTP User field, type a valid email address in the fo[...]
FortiGate-50A Installation and Configuration Guide 259 FortiGate-50A Installation and Configuration Guide Version 2.50
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an i[...]
260 Fortinet Inc. Glossary
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC address[...]
Glossary FortiGate-50A Installation and Configuration Guide 261
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address c[...]
262 Fortinet Inc. Glossary[...]
FortiGate-50A Installation and Configuration Guide 263 FortiGate-50A Installation and Configuration Guide Version 2.50
Index
A
accept policy 141
action policy option 141
ActiveX 240
  removing from web pages 240
address 146
  adding 147
  editing 148
  group 148
  IP/MAC binding 165
  virtual IP 157
address group 148
  example 149
address name 147
addressing [...]
Page 264, Index
AutoIKE 180
  certificates 180
  introduction 180
  pre-shared keys 180
automatic antivirus and attack definition updates
  configuring 77
B
backing up system settings 64
backup mode
  modem 107, 110
bandwidth
  guaranteed 142
  maximum 143
banned word list
  adding words 232, 246
  restoring 247
blacklist
  URL 237, 249
block traffic
  IP/MAC[...]
Page 265, Index
dialup VPN
  viewing connection status 201
disabling
  NIDS 216
DMZ interface
  definition 259
DNS server addresses 100
domain
  DHCP 106
downloading
  attack definition updates 90
  virus definition updates 90
dynamic IP list
  viewing 107
dynamic IP pool
  IP pool 142
dynamic IP/MAC list 163
  viewing [...]
Page 266, Index
H
hard disk full
  alert email 258
HTTP
  enabling web filtering 231, 245
HTTPS 150, 259
I
ICMP 151, 259
  configuring checksum verification 216
ICMP service
  custom 153
idle timeout
  web-based manager 122
IKE 259
IMAP 150, 259
Inbound NAT
  encrypt policy 142
interface
  adding a DHCP server 105
  administrative access 97
  administrative[...]
Page 267, Index
logging 251
  attack log 253
  configuring traffic settings 255
  connections to an interface 98
  email filter log 253
  enabling alert email 258
  event log 253
  filtering log messages 253
  log to remote host 251
  log to WebTrends 252
  message levels 253
  recording 251
  selecting what to log 253
  traffi[...]
Page 268, Index
P
password
  adding 172
  changing administrator account 125
  Fortinet support 89
  recovering a lost Fortinet support 86
PAT 159
pattern
  web pattern blocking 237
permission
  administrator account 125
ping server
  adding to an interface 97
policy
  accept 141
  Anti-Virus & Web filter 143
  arranging in policy list 144
  Comments 144
  d[...]
Page 269, Index
restarting 66
restoring system settings 64
restoring system settings to factory default 65
reverting firmware to an older version 59
RIP
  configuring 113
  filters 117
  interface configuration 115
  settings 113
RMA
  registering a FortiGate unit 91
route
  adding default 100
  adding to routing ta[...]
Page 270, Index
status
  CPU 67
  interface 94
  intrusions 69
  IPSec VPN tunnel 201
  memory 67
  network 68
  sessions 68
  viewing dialup connection status 201
  viewing VPN tunnel status 201
  virus 69
subnet
  definition 261
subnet address
  definition 261
support contract number
  adding 88
  changing 88
support password
  changing 89
syn interval 121
synchroniz[...]
Page 271, Index
URL blocking 235
  exempt URL list 241, 249
  web pattern blocking 237
URL exempt list
  see also exempt URL list 241, 249
use selectors from policy
  quick mode identifier 189
use wildcard selectors
  quick mode identifier 189
user authentication 171
user groups
  configuring 177
  deleting 178
user [...]
Page 272, Index[...]