Fortinet FortiGate 4000 user manual


A good user manual

The rules oblige the reseller to supply the buyer, together with the goods, the Fortinet FortiGate 4000 user manual. A missing user manual, or incorrect information supplied to the consumer, is grounds for a complaint that the device does not conform to the contract. By law the user manual may be supplied in a form other than paper, which is now common practice, including a graphic or electronic form of the Fortinet FortiGate 4000 manual or instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. The Fortinet FortiGate 4000 user manual therefore describes the steps of a procedure. Its purpose is to instruct: to make it easier to start up and use the equipment or to carry out specific actions. A user manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual not only teaches you a number of additional features of the device you bought but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the Fortinet FortiGate 4000 user manual should contain:
- information on the technical characteristics of the Fortinet FortiGate 4000
- the manufacturer's name and the year of manufacture of the Fortinet FortiGate 4000
- instructions for use, adjustment and maintenance of the Fortinet FortiGate 4000
- safety markings and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

Usually because of a lack of time and of certainty about the specific features of the purchased equipment. Unfortunately, connecting and starting up the Fortinet FortiGate 4000 is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (including which products to use), possible faults of the Fortinet FortiGate 4000 and ways to solve common problems during use. Finally, the manual contains the contact details of Fortinet service in case the proposed solutions do not work. Today, user manuals in the form of animations and instructional videos, which work better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated specifications and technical descriptions of the Fortinet FortiGate 4000, as happens with the paper version.

Why read the user manual?

First of all, it answers questions about the structure and capabilities of the Fortinet FortiGate 4000, the use of various accessories, and a range of information for taking full advantage of all its features and conveniences.

After a successful purchase of the equipment, take a moment to familiarize yourself with every part of the Fortinet FortiGate 4000 user manual. Today they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    FortiGate-4000 User Manual (cover image: the front-panel labels POWER ON/OFF, LAN 1, LAN 2, PWR/KVM STATUS and KVM/ACCESS repeat once per FortiBlade slot)[...]

  • Page 2

    © Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-40[...]

  • Page 3

    FortiGate-4000 Installation and Configuration Guide, page 3. Table of Contents: Introduction 15; Antivirus protection 16; Web c[...]

  • Page 4

    Installing hardware 37; Choosing a suitable environment 37; Choosing a rack [...]

  • Page 5

    Using the command line interface 64; Configuring the FortiGate unit to operate in NAT/Route mode 64; Configuring the out of band management interface [...]

  • Page 6

    Managing an HA cluster 87; Configuring cluster interface monitoring 88; Viewing the status of cluster members [...]

  • Page 7

    System status 118; Viewing CPU and memory status 119; Viewing sessions and network [...]

  • Page 8

    Network configuration 141; Configuring zones 141; Adding zones [...]

  • Page 9

    RIP configuration 167; RIP settings 167; Configuring RIP for Fo[...]

  • Page 10

    Addresses 202; Adding addresses 202; Editing addresses [...]

  • Page 11

    Configuring LDAP support 231; Adding LDAP servers 231; Deleting LDAP servers [...]

  • Page 12

    Network Intrusion Detection System (NIDS) 271; Detecting attacks 271; Selecting the interfaces to monitor [...]

  • Page 13

    Script filtering 297; Enabling script filtering 297; Selectin[...]

  • Page 14

    Contents 14 Fortinet Inc.[...]

  • Page 15

    FortiGate-4000 Installation and Configuration Guide, Version 2.50. Introduction: FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network secur[...]

  • Page 16

    Antivirus protection: FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. If a virus is found, antivirus protection removes the file containing the virus from the content stre[...]

  • Page 17

    Email filtering: FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If there is a match between a sender address pattern on the email block list, or an email contains a word or phrase in the banned word l[...]

  • Page 18

    NAT/Route mode: In NAT/Route mode, you can create NAT mode policies and Route mode policies. • NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network. • Route mode policies accept or deny connections between[...]

  • Page 19

    VPN: Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network. Service providers can also use the FortiGate unit to provide VPN services [...]

  • Page 20

    Secure installation, configuration, and management: The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to cu[...]

  • Page 21

    Command line interface: You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI f[...]

  • Page 22

    execute restore config <filename_str> (you enter: restore config myfile.bak). <xxx_str> indicates an ASCII string variable keyword. <xxx_integer> indicates an integer variable keyword. <xxx_ip> indicates an IP address variable keyword. • vertical bar and curly brackets [...]
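The notation above (<xxx_str>, <xxx_integer>, <xxx_ip>, and the vertical bar and curly brackets for mutually exclusive keywords) can be checked mechanically before a command is pasted into the console. The following is an added example, not code from the guide or from Fortinet. It assumes that `{a | b}` means exactly one of the listed keywords, that every other pattern word is a literal keyword, and that a placeholder's type is the suffix after its last underscore. The patterns and commands in the usage section are constructed.

```python
"""Added example: validate a typed CLI command against the syntax notation used
in this guide (page 22). Not from the guide or from Fortinet.

Assumed notation:
  <name_str>      an ASCII string argument
  <name_integer>  an integer argument
  <name_ip>       an IPv4 address argument
  {a | b}         exactly one of the listed keywords
  anything else   a literal keyword that must appear verbatim
"""
import ipaddress
import re

# A {a | b} group is one token; everything else splits on whitespace.
_PATTERN_TOKENS = re.compile(r"\{[^}]*\}|\S+")


def tokenize_pattern(pattern):
    """Split a pattern into literal words, <placeholders>, and tuples of alternatives."""
    tokens = []
    for tok in _PATTERN_TOKENS.findall(pattern):
        if tok.startswith("{"):
            tokens.append(tuple(alt.strip() for alt in tok[1:-1].split("|")))
        else:
            tokens.append(tok)
    return tokens


def argument_ok(placeholder, value):
    """Check one typed word against a <name_type> placeholder; the type is the suffix."""
    kind = placeholder[1:-1].rsplit("_", 1)[-1]
    if kind == "str":
        return len(value) > 0 and value.isascii()
    if kind == "integer":
        return re.fullmatch(r"-?\d+", value) is not None
    if kind == "ip":
        try:
            ipaddress.IPv4Address(value)  # rejects octets above 255
        except ValueError:
            return False
        return True
    raise ValueError(f"unknown placeholder type in {placeholder}")


def matches(pattern, command):
    """Return True if `command` is a well-formed instance of `pattern`."""
    tokens = tokenize_pattern(pattern)
    words = command.split()
    if len(tokens) != len(words):
        return False
    for tok, word in zip(tokens, words):
        if isinstance(tok, tuple):
            if word not in tok:
                return False
        elif tok.startswith("<") and tok.endswith(">"):
            if not argument_ok(tok, word):
                return False
        elif tok != word:
            return False
    return True


if __name__ == "__main__":
    # Constructed patterns in the guide's notation, and commands to check against them.
    checks = [
        ("execute restore config <filename_str>", "execute restore config myfile.bak"),
        ("set system dns {primary | secondary} <dns_ip>", "set system dns secondary 293.44.75.22"),
    ]
    for pat, cmd in checks:
        print("OK  " if matches(pat, cmd) else "BAD ", cmd)
```

The second check fails because 293 is not a valid octet; running the matcher over a prepared command list catches that kind of slip before it reaches a production console.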

  • Page 23

    • Volume 4: FortiGate NIDS Guide. Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks. • Volume 5: FortiGate Logging and Message Reference Guide. Describes how to conf[...]

  • Page 24

    24 Fortinet Inc. Customer service and technical support Introduction[...]

  • Page 25

    FortiGate-4000 Installation and Configuration Guide, Version 2.50. Getting started: This chapter describes unpacking, setting up, and powering on a FortiGate-4000 Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you [...]

  • Page 26

    Warnings and cautions: You should be aware of the following cautions and warnings before operating the FortiGate-4000 antivirus firewall. Warning: Turning off all power switches may not turn off all power to the FortiGate-4000 unit. Disconnect the FortiGate-4000 unit from its power source a[...]

  • Page 27

    Figure 2: FortiGate-4000 package contents. Physical description: The FortiGate-4000 chassis is a 4U 19-inch rack mounted steel shelf with the following features: • High density design accommodates up to 10 FortiBlade-4010 modules, • Gigabit LAN interface[...]

  • Page 28

    Front panel features: Figure 3 shows the location of the FortiGate-4000 chassis front panel components. The front panel contains and provides access to up to 10 FortiBlade-4010 modules and the KVM switch module. Figure 3: FortiGate-4000 chassis front panel. Table 1: FortiGate-4000 chassi[...]

  • Page 29

    FortiBlade-4010 module: Each FortiBlade-4010 module is an independent FortiGate-4000 antivirus firewall capable of operating at gigabit network speeds. You can install up to 10 FortiBlade-4010 modules in the FortiGate-4000 chassis. Each FortiBlade-4010[...]

  • Page 30

    KVM switch module: Use the KVM switch module to switch serial connections to the CLI of each FortiBlade-4010 module installed in the FortiGate-4000 chassis. To access the CLI, connect the black header of the RJ-45 to DB-9 serial cable to the management module (see "Management module"[...]

  • Page 31

    Rear panel features: The FortiGate-4000 chassis rear panel contains and provides access to 4 cooling fan trays, 7 power supply modules, 3 power supply connectors, the management module, and the 10/100 out of band management module. The rear panel also co[...]

  • Page 32

    Figure 7: FortiGate-4000S rear panel. Power supplies and power connections: The FortiGate-4000 chassis contains 7 power supply modules. Each power supply can provide a maximum of 350 watts for a total of 2100 watts, in 6+1 hot-swap redundant configuration that includes load balancing. The volt[...]

  • Page 33

    Cooling fan trays: The FortiGate-4000 chassis is cooled using four hot swappable cooling fan trays. Each tray includes one 10-cm ball bearing fan unit. Figure 9 illustrates a cooling fan tray. Figure 9: Cooling fan tray. Management module: Use the KVM switch[...]

  • Page 34

    10/100 out of band management module: The 10/100 out of band management module provides a dedicated ethernet connection to manage each FortiBlade-4010 module installed in the FortiGate-4000 chassis. This out of band connection is not shared by other network connections. The 10/100 out of b[...]

  • Page 35

    Pass-through interface module: Two pass-through interface modules are installed on the FortiGate-4000P. The internal pass-through interface module connects to each FortiBlade-4010 internal interface. The external pass-through interface connects to e[...]

  • Page 36

    The internal switched interface module provides two gigabit connections to the internal interfaces of the FortiBlade-4010 modules installed in the FortiGate-4000 chassis. The external switched interface module provides two gigabit connections to the external interfaces of the FortiBlade-40[...]

  • Page 37

    Installing hardware: This section describes how to install FortiGate-4000 hardware. • Choosing a suitable environment • Choosing a rack • Attaching the mounting rail • Installing FortiBlade-4010 modules • FortiGate-4000P network connections [...]

  • Page 38

    Figure 14: Rail mounting locations. Installing FortiBlade-4010 modules: Install a FortiBlade-4010 module by removing a FortiGate-4000 unit slot cover and replacing it with a FortiBlade-4010 module. Begin installing the FortiBlade-4010 modules at slot number 1 and fill the FortiGate-4000 chas[...]

  • Page 39

    FortiGate-4000P network connections: Use the following steps to connect your internal and external networks to the FortiGate-4000P pass-through interface modules that support 1000Base-T connections. This is a general connection procedure only. For informat[...]

  • Page 40

    Out of band management connections: You can manage the FortiBlade-4010 modules by connecting to the 10/100 out of band management module. The 10/100 out of band management module provides ethernet management connections for all of the FortiBlade-4010 modules ins[...]

  • Page 41

    2 Connect the three power cables to the power connection module on the FortiGate-4000 chassis back panel. 3 Connect the power cables to power outlets. 4 Turn on the power switch on each power supply module. 5 Press and hold the chassis power switch for a[...]

  • Page 42

    Hot swapping FortiBlade-4010 modules: Follow this procedure to hot swap the FortiBlade-4010 modules. For information about the FortiBlade-4010 module, see "FortiBlade-4010 module" on page 29. 1 Press the power button on the front panel of the FortiBlade-4010 module that you want to repla[...]

  • Page 43

    7 Slide the power supply module into the slot until the lock clicks into place. 8 Turn on the power supply. 9 Replace the locking strip. 10 Quickly toggle the chassis power supply switch to turn on the power supply module. Hot swapping interface modules [...]

  • Page 44

    2 Unscrew the two locking screws to remove the module's locking strip. 3 Loosen its two mounting knots. Do not remove the mounting knots. 4 Pull out the management module. 5 Insert the new management module into the chassis. 6 Slide the management module into the slot until [...]

  • Page 45

    Connecting to the FortiGate-4000 internal interface module: To connect to the web-based manager of a FortiGate-4000 unit using the FortiGate-4000 internal interface module, you must connect the FortiGate-4000 internal interface module t[...]

  • Page 46

    Figure 16: FortiGate login. Connecting to the FortiGate-4000 10/100 out of band management module: To connect to the web-based manager of a FortiGate-4000 unit using the FortiGate-4000 10/100 out of band management module, you must connect the out of band management module to [...]

  • Page 47

    To change the out of band management IP address: 1 After logging into the FortiGate-4000 unit, go to System > Network > OOB Management. 2 Change the IP/Netmask addresses. 3 Select Apply to save the changes. Connecting to th[...]

  • Page 48

    8 Press Enter to connect to the CLI of the FortiGate-4000 unit. The following prompt is displayed: FortiGate-4000 login: 9 Type admin and press Enter twice. (The second Enter submits an empty password: the factory admin account has no password, so set one before the management interfaces are reachable from any network.) The following prompt is displayed: Type ? for a list of commands. For information about how to use the CLI, see the FortiGate [...]

  • Page 49

    [...]

  • Page 50

    Table 14: Factory default firewall configuration
    Internal Address: Internal_All, IP 0.0.0.0, Mask 0.0.0.0 (represents all of the IP addresses on the internal network)
    External Address: External_All, IP 0.0.0.0, Mask 0.0.0.0 (represents all of the IP addresses on the external network)
    Re[...]

  • Page 51

    Factory default content profiles: You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for: • Antivirus protection of HTTP, FTP, I[...]

  • Page 52

    Web content profile: Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic. Table 16: Scan content profile[...]

  • Page 53

    Unfiltered content profile: Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure ne[...]

  • Page 54

    For each FortiGate-4000 unit, the following interfaces are available for processing network traffic in NAT/Route mode: • External: the interface to the external network (usually the Internet). • Internal: the interface to the internal network. In addition, the 10/100 o[...]

  • Page 55

    You typically use a FortiGate-4000 unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate-4000 unit performs firewall functions as well as antivirus and content scanning but not VP[...]

  • Page 56

    Figure 19: HA network configuration in NAT/Route mode. Figure 20: HA network configuration in Transparent mode. FortiGate-4000P HA configuration: In the FortiGate-4000P HA configuration, you connect your internal pass-through interface module to a switch or hub connected to t[...]

  • Page 57

    Figure 21: FortiGate-4000P HA configuration. FortiGate-4000S HA configuration: In the FortiGate-4000S HA configuration, all you need to do is to connect your internal network to the internal switched interface module and your external n[...]

  • Page 58

    Figure 22: FortiGate-4000P configuration with load balancers (figure labels: FortiGate-4000 Unit, Internal, Internal Network)[...]

  • Page 59

    FortiGate model maximum values matrix. Table 19: FortiGate maximum values matrix
    FortiGate model:          50   60   100  200  300  400  500  800  1000  3000  3600  4000
    Routes:                   500  500  500  500  500  500  500  500  500   500   500   500
    Policy routing gateways:  500  500  500[...]

  • Page 60

    Next steps: Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to "NAT/Route mode installation" on page 61. • If you are going to operate the FortiGate unit in Trans[...]

  • Page 61

    FortiGate-4000 Installation and Configuration Guide, Version 2.50. NAT/Route mode installation: This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see "Transparent mode installation" on p[...]

  • Page 62

    Advanced NAT/Route mode settings: Use Table 21 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings. External interface IP: _____._____._____._____ Netmask: _____._____._____._____ Default Gateway: _____._____.___[...]

  • Page 63

    Out of band management interface: Use Table 22 to record the IP address, netmask, and default gateway of the FortiGate-4000 out of band management interface if you are configuring this interface during installation. Using the setup wiz[...]

  • Page 64

    Using the command line interface: As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). For information about connecting to the CLI, see "Connecting to the Command Line Interface (CLI)" on page 47[...]

  • Page 65

    6 Optionally, set the secondary DNS server IP addresses. Enter: set system dns secondary <IP address>. Example: set system dns secondary 293.44.75.22. 7 Set the default route to the Default Gateway IP address (not r[...]

  • Page 66

    Configuring your networks: If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. Make sure that the connected FortiGate unit is functioni[...]

  • Page 67

    Registering your FortiGate unit: After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and se[...]

  • Page 68

    68 Fortinet Inc. Completing the configuration NAT/Route mode installation[...]

  • Page 69

    FortiGate-4000 Installation and Configuration Guide, Version 2.50. Transparent mode installation: This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see "NAT/Route mode installation" on page 61[...]

  • Page 70

    Out of band management interface: Use Table 24 to record the IP address, netmask, and default gateway of the FortiGate-4000 out of band management interface if you are configuring this interface during installation. Using the setup wizard: From the web-based manager, yo[...]

  • Page 71

    Reconnecting to the web-based manager: If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https://[...]

  • Page 72

    Configure the Transparent mode default gateway: 1 Make sure that you are logged into the CLI. 2 Set the default route to the default gateway that you recorded in Table 23 on page 69. Enter: set system route number <number> gw1 <IP address>. Example: set sy[...]
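The NAT/Route planning table (Table 21, pages 62 to 65) and the Transparent mode default gateway (Table 23, page 72) end up as `set system dns` and `set system route` lines typed into the CLI. The following added example, which is not from the guide or from Fortinet, validates the planning values before emitting those lines. It catches the two slips that are easy to make when copying from a planning table: an address with an octet above 255 (the guide's own DNS example, 293.44.75.22, is one) and a gateway that is not on the interface's subnet, which the unit cannot use as a next hop. The `set system dns primary` form is assumed by analogy with the secondary form on page 65, and the `set system interface <name> mode static ip <ip> <netmask>` form is assumed from the FortiOS 2.x CLI; verify both against the FortiGate CLI Reference Guide before use. The addresses in the usage section are RFC 5737 documentation addresses, not values from the guide.

```python
"""Added example: check the NAT/Route and Transparent mode planning values and
emit the CLI lines for them. Not from the guide or from Fortinet.

Command forms copied from the guide:
  set system dns secondary <IP address>          (page 65)
  set system route number <number> gw1 <IP address>  (page 72)
Command forms assumed (verify against the FortiGate CLI Reference Guide):
  set system dns primary <IP address>
  set system interface <name> mode static ip <ip> <netmask>
"""
import ipaddress


def _parse(text, what, problems):
    """Parse a dotted quad; an octet above 255 (as in 293.44.75.22) is reported, not raised."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        problems.append(f"{what}: {text!r} is not a valid IPv4 address")
        return None


def _check_interface(ip_text, mask_text, gw_text, what, problems):
    """Check that ip/mask is a host address and that the gateway is usable from it."""
    ip = _parse(ip_text, f"{what} IP", problems)
    gw = _parse(gw_text, f"{what} gateway", problems)
    if ip is None:
        return
    try:
        net = ipaddress.IPv4Network(f"{ip}/{mask_text}", strict=False)
    except ValueError:
        problems.append(f"{what} netmask: {mask_text!r} is not a valid netmask")
        return
    if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
        problems.append(f"{what} IP: {ip} is the network or broadcast address of {net}")
    if gw is not None and gw not in net:
        problems.append(f"{what} gateway: {gw} is not on {net}")
    if gw is not None and gw == ip:
        problems.append(f"{what} gateway: {gw} is the interface's own address")


def check_nat_route(external_ip, netmask, gateway, dns_primary=None, dns_secondary=None):
    """Return the list of problems with a filled-in Table 21; an empty list means it is consistent."""
    problems = []
    _check_interface(external_ip, netmask, gateway, "External interface", problems)
    for name, server in (("primary", dns_primary), ("secondary", dns_secondary)):
        if server is not None:
            _parse(server, f"{name} DNS", problems)
    return problems


def plan_nat_route(external_ip, netmask, gateway, dns_primary=None, dns_secondary=None):
    """Return the CLI lines for NAT/Route mode, or raise ValueError if the plan is inconsistent."""
    problems = check_nat_route(external_ip, netmask, gateway, dns_primary, dns_secondary)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.IPv4Network(f"{external_ip}/{netmask}", strict=False)
    # Assumed command form; not shown on the pages excerpted here.
    lines = [f"set system interface external mode static ip {external_ip} {net.netmask}"]
    for name, server in (("primary", dns_primary), ("secondary", dns_secondary)):
        if server is not None:
            lines.append(f"set system dns {name} {server}")
    lines.append(f"set system route number 1 gw1 {gateway}")
    return lines


def plan_transparent(management_ip, netmask, gateway):
    """Return the Transparent mode default route line (page 72) after the same checks."""
    problems = []
    _check_interface(management_ip, netmask, gateway, "Management", problems)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"set system route number 1 gw1 {gateway}"]


if __name__ == "__main__":
    # Documentation addresses (RFC 5737), not values from the guide.
    for line in plan_nat_route("203.0.113.10", "255.255.255.0", "203.0.113.1",
                               dns_primary="203.0.113.53"):
        print(line)
    print(check_nat_route("203.0.113.10", "255.255.255.0", "203.0.113.1",
                          dns_secondary="293.44.75.22"))
```

Keeping the checks separate from the generator means the same functions can be run over a whole batch of blade planning tables before anyone opens a console session, and the generated lines can be pasted through the KVM switch module one blade at a time.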

  • Page 73

    3 Select Anti-Virus & Web filter to enable antivirus protection for this policy. 4 Select the Scan Content Profile. 5 Select OK to save the changes. Registering your FortiGate unit: After purchasing and inst[...]

  • Page 74

    Transparent mode configuration examples: A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. T[...]

  • Page 75

    Example default route to an external network: Figure 23 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiG[...]

  • Page 76

    Web-based manager example configuration steps: To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mode[...]

  • Page 77

    Figure 24: Static route to an external destination. General configuration steps: 1 Set the FortiGate unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 Config[...]

  • Page 78

    78 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation 2 Go to System > Network > Management . • Change the Man agement IP and Netma sk: IP: 192.168.1.1 Mask: 255.255.2 55.0 • Select Apply . 3 Go to System > Network > Routing . • Select New to add the static route to th e FortiResp onse server .[...]

  • Page 79

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-4000 Installation and Configuration Guide 79 Figure 25: St atic route to an internal destination General configuration steps 1 Set the unit to operate in T ransparent mode. 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the st [...]

  • Page 80

    80 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Web-based manager exampl e configuration steps T o configure the FortiGate basic settings, a static route, and a default route using the web-based manager : 1 Go to System > St atus . • Select Change to T ransparen t Mode. • Select T ransparent in the [...]

  • Page 81

FortiGate-4000 Installation and Configuration Guide Version 2.50
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same overall security policy and shares the same c[...]

  • Page 82

An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do[...]

  • Page 83

6 Select the HA mode.
Select Active-Active mode to create an Active-Active HA cluster.
Select Active-Passive mode to create an Active-Passive HA cluster.
The HA mode must be the same for all FortiGate units in the HA cluster.
7 Enter and confi[...]

  • Page 84

Figure 26: Example Active-Active HA configuration
11 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster. Once all the units are configured, proceed to “Connecting the cluster[...]

  • Page 85

To connect the cluster
1 Connect the cluster units:
For FortiGate-4000S:
• Connect your internal network to the internal switched interface module.
• Connect your external network to the external switched interface module.
For FortiGate-400[...]

  • Page 86

Figure 28: FortiGate-4000P HA network configuration
Adding a new FortiGate unit to a functioning cluster
You can add a new FortiGate unit to a functioning cluster at any time. The new FortiGate unit must be the same model as the other units in the cluster and must be running t[...]

  • Page 87

Managing an HA cluster
The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster. Because of this synchronization, you manage the HA cluster instead of managing the indivi[...]

  • Page 88

This section describes:
• Configuring cluster interface monitoring
• Viewing the status of cluster members
• Monitoring cluster members
• Viewing cluster sessions
• Viewing and managing cluster log messages
• Monitoring cluster units for failover
• Viewing cluster comm[...]

  • Page 89

Figure 29: Example cluster members list
Monitoring cluster members
To monitor health information for each cluster member
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Status > Monitor.
The cluster displays CPU[...]

  • Page 90

4 Select Virus & Intrusions.
The cluster displays virus and intrusions status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the number of viruses and intrusions det[...]

  • Page 91

3 Select the serial number of one of the units in the cluster to display the logs for this cluster unit. You can view logs saved to memory or logs saved to the hard disk, depending on the configuration of the cluster unit.
4 For each cluster unit:[...]

  • Page 92

Managing individual cluster units
You can connect to the CLI of each unit in the cluster. This procedure describes how to log into the primary unit CLI and from there connect to the CLI of subordinate cluster units. You log into the subordinate unit with the ha_admin administrator ac[...]

  • Page 93

Synchronizing the cluster configuration
Cluster synchronization keeps all units in the cluster synchronized with the master unit. This includes:
• System configuration
• Virus definition updates
• Attack definition updates
• Web filter list[...]

  • Page 94

Upgrading firmware
To upgrade the firmware of the FortiGate units in a cluster, you must upgrade the firmware of each unit separately. In most cases, if you are upgrading to a new firmware build within the same firmware version (for example, upgrading from 2.50 build069 to 2.50 build[...]

  • Page 95

Replacing a FortiGate unit after failover
A failover can occur because of a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power. If the FortiGate unit starts up correctly,[...]

  • Page 96

Configuring the priority of each FortiGate unit in the cluster
In addition to selecting a permanent primary FortiGate unit, you can set the priorities of each of the subordinate units in the cluster to control the failover path. For example, if you have three FortiGate units in an HA cluste[...]

  • Page 97

This command has the following results:
• The first connection is processed by the primary unit
• The next three connections are processed by the first subordinate unit
• The next three connections are processed by the second su[...]
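The distribution the bullets describe is a weighted round-robin over the cluster units: the scheduler hands each unit a run of new connections proportional to its weight and then starts over. The following Python model is an added example, not code from the guide or from Fortinet. It assumes a primary weight of 1 and a subordinate weight of 3 for each subordinate, because those are the weights that reproduce the stated result; the command that sets them is cut off in the extracted text, and the unit names are placeholders.

```python
"""Weighted round-robin distribution of new connections across an active-active HA cluster.

Added example, not code from the FortiGate guide. The weights below are an
assumption chosen to reproduce the result the guide states (1 connection to the
primary, then 3 to each subordinate); the cluster command that sets them is cut
off in the extracted text.
"""
from itertools import cycle

# Assumed weights: unit name -> number of consecutive new connections it takes per cycle.
CLUSTER_WEIGHTS = {"primary": 1, "subordinate-1": 3, "subordinate-2": 3}


def build_cycle(weights):
    """One scheduling cycle: each unit repeated `weight` times, in configured order."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    one_cycle = [unit for unit, w in weights.items() for _ in range(w)]
    if not one_cycle:
        raise ValueError("at least one unit needs a positive weight")
    return one_cycle


def assign_connections(weights, count):
    """Unit that handles each of the first `count` new connections, in arrival order."""
    return [unit for unit, _ in zip(cycle(build_cycle(weights)), range(count))]


def load_share(weights, count):
    """Fraction of the first `count` connections handled by each unit."""
    assigned = assign_connections(weights, count)
    return {unit: assigned.count(unit) / count for unit in weights}


if __name__ == "__main__":
    for i, unit in enumerate(assign_connections(CLUSTER_WEIGHTS, 8), start=1):
        print(f"connection {i:>2} -> {unit}")
    # Weight 0 takes a unit out of the rotation without changing the others' order.
    print(assign_connections({**CLUSTER_WEIGHTS, "subordinate-1": 0}, 4))
```

The model only reproduces the distribution the page states; whether the real cluster skips a unit that has failed its interface monitoring, or rebalances existing sessions, is not covered by the extracted text and is not modelled here.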

  • Page 98

In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP requests. Therefore, the client and the server only know the gateway MAC address (MAC_V), which is a virtual MAC address created by the HA cluster. The virtual MAC address is 00-09-0f-06-ff-00.[...]

  • Page 99

Transparent mode packet flow
In Transparent mode, six MAC addresses are involved in active-active communication between a client and a server if the cluster routes the packets to the subordinate unit in the cluster:
• Client MAC addres[...]

  • Page 100

  • Page 101

System status
You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack[...]

  • Page 102

Changing the FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 180. The default host name[...]

  • Page 103

Upgrading to a new firmware version
Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
Upgrading the firmware using the web-based manager
To upgrade the firmware using the web-based manager
1 Copy the firmw[...]

  • Page 104

4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the[...]

  • Page 105

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
To revert to a previous firmware ve[...]

  • Page 106

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
To use the following procedure you must have a TFTP server that the Fo[...]

  • Page 107

11 Update antivirus and attack definitions. For information, see “Manually initiating antivirus and attack definitions updates” on page 125, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attac[...]

  • Page 108

5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to res[...]

  • Page 109

11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image[...]

  • Page 110

To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.[...]

  • Page 111

9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
The following message appear[...]

  • Page 112

To install a backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can con[...]

  • Page 113

Switching to the backup firmware image
Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate[...]

  • Page 114

To switch back to the default firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed. W[...]

  • Page 115

Manual attack definition updates
The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS). To update the att[...]

  • Page 116

To back up system settings
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file.
The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.
Restori[...]

  • Page 117

For information about restoring system settings, see “Restoring system settings” on page 116.
Changing to Transparent mode
Use the following procedure to change the FortiGate unit from NAT/Route mode to Transparent mode. After yo[...]

  • Page 118

4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal interface. The default Transparent mo[...]

  • Page 119

Viewing CPU and memory status
Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for ex[...]

  • Page 120

Viewing sessions and network status
Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and netwo[...]

  • Page 121

Viewing virus and intrusions status
Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
To view virus and intrusions status
1 Go to System > [...]

  • Page 122

Session list
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the FortiGate admin user can also stop active commun[...]

  • Page 123

Virus and attack definitions updates and registration
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus en[...]

  • Page 124

The Update page on the web-based manager displays the following antivirus and attack definition update information.
This section describes:
• Connecting to the FortiResponse Distribution Network
• Manually initiating antiviru[...]

  • Page 125

Manually initiating antivirus and attack definitions updates
You can use the following procedure to update the antivirus and attack definitions at any time. The FortiGate unit must be able to c[...]

  • Page 126

Configuring update logging
Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. The update log messages are recorded in the FortiGate Event log.
To co[...]

  • Page 127

4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
Figur[...]

  • Page 128

Enabling scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using[...]

  • Page 129

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if[...]

  • Page 130

Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive pus[...]

  • Page 131

General procedure
Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates:
1 Add a p[...]

  • Page 132

Figure 38: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device[...]

  • Page 133

4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
5 Set Port to the external service port added to the virtual IP. For the example topology, e[...]

  • Page 134

All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not sh[...]

  • Page 135

• The product model and serial number for each FortiGate unit that you want to register. The serial number is located on a label on the bottom of the FortiGate unit. You can view the serial number from th[...]

  • Page 136

7 Select Finish.
If you have not entered a FortiCare Support Contract number (SCN) you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Continue to complete the registra[...]

  • Page 137

7 Select Support Login.
8 When you receive your new password, enter your user name and new password to log into the Fortinet support web site.
Viewing the list of registered FortiGate units
To view th[...]

  • Page 138

7 Enter the serial number of the FortiGate unit.
8 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
9 Select Finish.
The list of FortiGate products that you have registered is[...]

  • Page 139

3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select My Profile.
6 Select Edit Profile.
7 Make the required changes to your contact information.
8 Make the required changes[...]

  • Page 140

For information about how to install the downloaded files, see “Manual virus definition updates” on page 114 and “Manual attack definition updates” on page 115.
Registering a FortiGate unit after an RMA
The Return Mat[...]

  • Page 141

Network configuration
You can use the System Network page to change any of the following FortiGate network settings:
• Configuring zones
• Configuring interfaces
• Out of band management
• VLAN overview
• VLANs i[...]

  • Page 142

Adding zones
The new zone does not appear in the policy grid until you add an interface to it (see “To add an interface to a zone” below) and add a firewall address for it (see “Adding addresses” on page 202).
To add a zone
1 Go to System > Network > Zone.
2 Sele[...]

  • Page 143

Viewing the interface list
To view the interface list
1 Go to System > Network > Interface.
The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces[...]

  • Page 144

To add an interface to a zone
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a zone and select Modify.
3 From the Belong to Zone list, select the zone that you want to add the interface to.
The Belong to Zone list only appears if y[...]

  • Page 145

4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. By default, this option is enabled.
5 Clear the C[...]

  • Page 146

7 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status: to refresh the addressing mode status message. Possible messages:
9 Select OK.[...]

  • Page 147

Controlling administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces t[...]

  • Page 148

Changing the MTU size to improve network performance
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the netw[...]

  • Page 149

• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 176).
To configure the managemen[...]

  • Page 150

5 Select Log for the interface if you want to record log messages whenever an administrator connects to the out of band management interface.
6 Select Apply to save the changes.
Out of band management interface CLI command
From the CLI, you can use the set system oobmanagement command to co[...]
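The two hardening bullets on the previous page (HTTPS or SSH only, keep the 5-minute idle timeout) and the logging option in step 5 are the settings worth checking on every unit, not just once at install time. The Python audit below is an added example, not Fortinet code and not the FortiOS configuration format: it runs the checks over a constructed list of interface records. The record fields, the interface names, and the additional rule that flags any administrative access on the external interface are the example's own assumptions.

```python
"""Audit per-interface administrative access against the hardening advice in this guide.

Added example, not Fortinet code. INTERFACES is a constructed sample in an
assumed record format (not the FortiOS configuration syntax). The checks
encode what the guide recommends for the out of band management interface,
plus one editor's rule (no admin access on the external interface).
"""
CLEARTEXT = {"HTTP", "TELNET"}     # credentials and sessions readable on the wire
ENCRYPTED = {"HTTPS", "SSH"}       # the only two the guide recommends for the OOB interface
DEFAULT_IDLE_TIMEOUT_MIN = 5       # the guide says not to raise this

# Constructed sample: one record per interface.
INTERFACES = [
    {"name": "internal", "admin_access": {"HTTPS", "SSH", "PING"}, "oob": False, "log": False},
    {"name": "external", "admin_access": {"HTTPS", "HTTP"}, "oob": False, "log": False},
    {"name": "mgmt", "admin_access": {"HTTPS", "SSH", "TELNET"}, "oob": True, "log": False},
]


def audit_interface(iface):
    """Return the findings for one interface record (an empty list means clean)."""
    findings = []
    name, access = iface["name"], set(iface["admin_access"])
    for proto in sorted(access & CLEARTEXT):
        findings.append(f"{name}: cleartext administrative protocol {proto} is enabled")
    if name == "external" and access:
        # Assumed rule, not stated by the guide: admin services reachable from the
        # untrusted side widen the management-plane attack surface.
        findings.append(f"{name}: administrative access is enabled on the external interface")
    if iface["oob"]:
        extra = access - ENCRYPTED
        if extra:
            findings.append(f"{name}: out of band interface allows {sorted(extra)}; "
                            "only HTTPS and SSH are recommended")
        if not iface["log"]:
            findings.append(f"{name}: logging of administrator connections is off")
    return findings


def audit_system(idle_timeout_min):
    """System-wide check: the idle timeout applies to every administrative session."""
    if idle_timeout_min > DEFAULT_IDLE_TIMEOUT_MIN:
        return [f"idle timeout {idle_timeout_min} min exceeds the default of "
                f"{DEFAULT_IDLE_TIMEOUT_MIN} min"]
    return []


def audit(interfaces, idle_timeout_min):
    """Findings keyed by interface name, plus a 'system' entry for global settings."""
    report = {i["name"]: audit_interface(i) for i in interfaces}
    report["system"] = audit_system(idle_timeout_min)
    return report


if __name__ == "__main__":
    for name, findings in audit(INTERFACES, 5).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a real unit, the records would be built from the interface list the web-based manager or CLI exports; the checks stay the same.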

  • Page 151

A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices[...]

  • Page 152

Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
Adding VLAN subinterfaces
The VLAN ID of each VLAN[...]
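The overlap rule is easy to break when VLAN subinterfaces are added over time, and "different subnets" has to be read as "no two address ranges share any address", which also rules out nesting one subnet inside another. The following check is an added example, not Fortinet code: it applies the rule to a constructed address plan with Python's standard ipaddress module. The interface names and addresses are assumptions.

```python
"""Check that no two FortiGate interface or VLAN subinterface addresses share a subnet.

Added example, not Fortinet code. ADDRESS_PLAN is a constructed sample; the
check is the rule the guide states, applied to physical interfaces and VLAN
subinterfaces alike. Nested prefixes count as overlapping.
"""
import ipaddress
from itertools import combinations

# Constructed sample: (interface name, IP address, netmask). 'vlan100' is a
# subinterface whose range sits inside the 'internal' subnet.
ADDRESS_PLAN = [
    ("internal", "192.168.1.1", "255.255.255.0"),
    ("external", "203.0.113.2", "255.255.255.248"),
    ("vlan100", "192.168.1.129", "255.255.255.128"),
    ("vlan200", "10.0.20.1", "255.255.255.0"),
]


def interface_networks(plan):
    """Map each interface name to the IPv4 network that its address and mask define."""
    nets = {}
    for name, ip, mask in plan:
        if name in nets:
            raise ValueError(f"duplicate interface name {name}")
        nets[name] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return nets


def find_overlaps(plan):
    """Return (name_a, name_b, containing network) for every pair whose subnets overlap."""
    nets = interface_networks(plan)
    overlaps = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            # The shorter prefix is the larger block, i.e. the one that contains the other.
            containing = net_a if net_a.prefixlen <= net_b.prefixlen else net_b
            overlaps.append((a, b, str(containing)))
    return overlaps


def plan_is_valid(plan):
    """True when the plan satisfies the guide's rule."""
    return not find_overlaps(plan)


if __name__ == "__main__":
    for a, b, net in find_overlaps(ADDRESS_PLAN):
        print(f"{a} and {b} both fall within {net}")
```

The same function catches the less obvious case of a /8 on one interface and a /16 inside it on a VLAN subinterface, which a visual check of "are the subnets identical" would miss.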

  • Page 153

Virtual domains in Transparent mode
In Transparent mode, the FortiGate unit can apply firewall policies and services, such as virus scanning, to traffic on an IEEE 802.1Q VLAN trunk. The FortiGate unit operating in Transpare[...]

  • Page 154

Figure 44: FortiGate unit with two virtual domains
Virtual domain properties
A virtual domain has the following exclusive properties:
• VLAN name,
• VLAN ID,
• VLAN interface assignment,
• VLAN zone assignment (optional),
• Firewall policy.
Virtual dom[...]

  • Page 155

Adding a virtual domain
Use the following procedure to add a virtual domain to the FortiGate unit. You must add at least one virtual domain to support VLANs in Transparent mode. Add more virtual domains to simplify configuration if[...]

  • Page 156

Adding zones to virtual domains
Add zones to a virtual domain to group together related VLAN subinterfaces. Use zones to simplify firewall policy creation if you have many VLAN subinterfaces in a virtual domain. For more information about zones, see “Configuring zones[...]

  • Page 157

6 Select OK to save your changes.
You can also use the procedure “Adding VLAN subinterfaces” on page 152 to add a VLAN subinterface to a zone if you are adding new VLAN subinterfaces to a virtual domain to which you have alre[...]

  • Page 158

Deleting virtual domains
You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain. To remove VLAN subinterfaces and zones you must remove all firewall policies and firewall addresses for the VLAN s[...]

  • Page 159

Adding a default route
You can add a default route for network traffic leaving the external interface.
To add a default route
1 Go to System > Network > Routing Table.
2 Select New to add a new route.
3 Set the Source IP and Netmask to 0.0[...]

  • Page 160

6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface the traffic is routed t[...]

  • Page 161

5 Select OK to save the new route.
6[...]

  • Page 162

Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at t[...]
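Because the RPDB is walked from the top and the first match wins, the order of policy routes is part of the policy, and a broad rule placed above a narrow one silently shadows it. The Python model below is an added example, not Fortinet code. The rule fields it matches on (source prefix, destination prefix, IP protocol, incoming interface) and the sample packets are assumptions for illustration, since the guide's own field list is cut off here; the point demonstrated is the first-match ordering itself.

```python
"""First-match policy route selection over a routing policy database (RPDB).

Added example, not Fortinet code. The rule fields and sample packets are
assumptions; the ordering behaviour (top-down, first match wins, otherwise
the default route) is what the guide describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PolicyRoute:
    src: str               # source prefix, e.g. "10.1.0.0/16"
    dst: str               # destination prefix, "0.0.0.0/0" for any
    proto: Optional[int]   # IP protocol number, or None for any
    in_if: Optional[str]   # incoming interface, or None for any
    out_if: str            # outgoing interface when the rule matches
    gateway: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    in_if: str


def rule_matches(rule, pkt):
    """True when every configured field of the rule matches the packet."""
    return (
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.in_if is None or rule.in_if == pkt.in_if)
    )


def select_route(rpdb, pkt, default):
    """Walk the RPDB from the top; the first matching rule wins, else the default route."""
    for rule in rpdb:
        if rule_matches(rule, pkt):
            return rule.out_if, rule.gateway
    return default


# Constructed sample RPDB. Order is deliberate: the TCP rule for 10.1.0.0/16 is
# listed above the catch-all for the same source network.
DEFAULT_ROUTE = ("external", "203.0.113.1")
RPDB = [
    PolicyRoute("10.1.0.0/16", "0.0.0.0/0", 6, "internal", "dmz", "172.16.0.1"),
    PolicyRoute("10.1.0.0/16", "0.0.0.0/0", None, "internal", "external", "203.0.113.1"),
]

if __name__ == "__main__":
    web = Packet("10.1.5.20", "198.51.100.7", 6, "internal")
    dns = Packet("10.1.5.20", "198.51.100.53", 17, "internal")
    print(select_route(RPDB, web, DEFAULT_ROUTE))                   # TCP rule wins
    print(select_route(RPDB, dns, DEFAULT_ROUTE))                   # falls to the catch-all
    print(select_route(list(reversed(RPDB)), web, DEFAULT_ROUTE))   # reversed: catch-all shadows the TCP rule
```

Reversing the two rules changes where the TCP flow goes without any rule being wrong on its own; that is the review question to ask whenever a policy route is inserted.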

  • Page 163

    Network configuration Configuring DHCP services FortiGate-4000 Installation and Configuration Guide 163 Configuring a DHCP relay agent In a DHCP relay configuration, the Fort iGate unit forwards DHCP request s from DHCP clients through th e FortiGate unit to a DHCP server . The FortiGate unit also returns response s from the DH CP server to the DHC[...]

  • Page 164

    164 Fortinet Inc. Configuring DHCP servi ces Network configurati on Y ou can add multiple scopes to an interface so that th e DHCP server added to that interface can supply IP addresses to compute rs on multiple subnets. Add multiple scopes if the DHCP server re ceives DHCP requests from subnets that are not connected di rectly to the FortiGate uni[...]

  • Page 165

    Network configuration Configuring DHCP services FortiGate-4000 Installation and Configuration Guide 165 Adding a reserve IP to a DHCP server If you have configured an inte rfac e as a DHCP server , you can reserve an IP address for a pa rticular device on the n etwork acco rding to the MAC address of the device. When you add the MAC address of a de[...]

  • Page 166

    Configuring DHCP services, Network configuration[...]

  • Page 167

    FortiGate-4000 Installation and Configuration Guide, Version 2.50. RIP configuration. The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to c[...]

  • Page 168

    5 Change the following RIP timer settings, as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems. All routers and access servers in the network should have the same RIP timer settings. 6 Select[...]

  • Page 169

    Figure 47: Configuring RIP settings. Configuring RIP for FortiGate interfaces. You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. [...]

  • Page 170

    4 Select OK to save the RIP configuration for the selected interface. Figure 48: Example RIP configuration for an internal interface. Password: Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long. Mode: Defines the a[...]

  • Page 171

    Adding RIP filters. Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incomin[...]

  • Page 172

    3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces. 4 Select the Blank Filter check box to create a RIP filter list with no entries, or en[...]

  • Page 173

    Assigning a RIP filter list to the outgoing filter. The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter. To assign a RIP filter list to the outgoing filter[...]

  • Page 174

    Adding RIP filters, RIP configuration[...]

  • Page 175

    System configuration. Use the System Config page to make any of the following changes to the FortiGate system configuration: • Setting system date and time • Changing system options • Adding and editing administrator ac[...]

  • Page 176

    9 Select Apply. Figure 49: Example date and time setting. Changing system options. On the System Config Options page, you can: • Set the system idle timeout. • Set the authentication timeout. • Select the language for the web-based manager. • Modify the dead gateway detectio[...]

  • Page 177

    3 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 227. The default Auth Timeout is 15 mi[...]

  • Page 178

    Adding and editing administrator accounts. When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also [...]

  • Page 179

    Editing administrator accounts. The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator pe[...]

  • Page 180

    Configuring SNMP. You can configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. The FortiGate SNM[...]

  • Page 181

    To configure SNMP access to an interface in Transparent mode: 1 Go to System > Network > Management. 2 Choose the interface that the SNMP manager connects to and select SNMP. Select Apply. Configuring SNMP community settings. You can configure [...]

  • Page 182

    Figure 50: Sample SNMP configuration. FortiGate MIBs. The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 28. You can obtain these MIB files from Fortinet technical support. To be able to [...]

  • Page 183

    FortiGate traps. The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet [...]

  • Page 184

    VPN traps, NIDS traps, Antivirus traps, Logging traps. Table 31: FortiGate VPN traps (trap message / description): “VPN tunnel is up”: an IPSec VPN tunnel starts up and begins processing network traffic. “VPN tunnel down”: an IPSec VPN tunnel shuts down. Table 32: FortiGate NIDS traps (trap message / d[...]

  • Page 185

    Fortinet MIB fields. The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product. This section lists the names of the high-level MIB fields and describes the configuration and sta[...]

  • Page 186

    Users and authentication configuration, VPN configuration and status, NIDS configuration, Antivirus configuration, Web filter configuration. Table 37: User and authentication MIB fields: FnUserLocalTable, local user list. FnUserRadiusSrvTable, RADIUS server list. FnUserGrpTable, user group list[...]

  • Page 187

    Logging and reporting configuration. Replacement messages. Replacement messages are added to content passing through the firewall to replace: • Files or other content removed from POP3 and IMAP email messages by the antivirus system, • Files or [...]

  • Page 188

    Customizing replacement messages. Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in[...]

  • Page 189

    Customizing alert emails. Customize alert emails to control the content displayed in alert email messages sent to system administrators. To customize alert emails: 1 Go to System > Config > Replacement Messages. 2 For the alert email message t[...]

  • Page 190

    %%SOURCE_IP%%: The IP address from which the blocked file was received. For email this is the IP address of the email server that sent the email containing the blocked file. For HTTP this is the IP address of the web page that sent the blocked file. %%DEST_IP%%: The IP address of the computer th[...]

  • Page 191

    Firewall configuration. Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firew[...]

  • Page 192

    • IP/MAC binding • Content profiles. Default firewall configuration. By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that ma[...]

  • Page 193

    VLAN subinterfaces. You can also add VLAN subinterfaces to the FortiGate configuration to control connections between VLANs. For more information about VLANs, see “VLANs in NAT/Route mode” on page 151 or “Virtual domains in Tra[...]

  • Page 194

    You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map addresses on one network to a translated address on another network. For more information about Virtual [...]

  • Page 195

    3 Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy. 4 Configure the policy. For information about configuring the policy, see “Firewall policy o[...]

  • Page 196

    Firewall policy options. This section describes the options that you can add to firewall policies. Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. For[...]

  • Page 197

    NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mo[...]

  • Page 198

    Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. For information about adding and conf[...]

  • Page 199

    Figure 54: Adding a Transparent mode policy. Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see “Logging and reporting” on page 307. Comm[...]

  • Page 200

    Configuring policy lists. The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default polic[...]

  • Page 201

    Changing the order of policies in a policy list. To change the order of a policy in a policy list: 1 Go to Firewall > Policy. 2 Select the policy list that you want to change the order of. 3 Choose the policy that you want to move and [...]
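The two pages above describe the rule that decides which policy applies: top-down, first match, so a general policy placed above a more specific one hides it. The following Python model is an added example, not code from the guide or from Fortinet; it reproduces the first-match walk and adds a check that reports policies an earlier, broader policy makes unreachable. The policy definitions, the CIDR ranges standing in for the Internal_All and External_All addresses, and the service names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str       # source address as CIDR ("192.168.0.0/16" stands in for Internal_All)
    dst: str       # destination address as CIDR ("0.0.0.0/0" stands in for External_All)
    service: str   # "ANY" or one service name such as "SMTP"
    action: str    # "ACCEPT" or "DENY"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _service_covers(general, specific):
    return general == "ANY" or general == specific


def first_match(policies, src_ip, dst_ip, service):
    """Top-down search: the first policy whose source, destination and service
    all match the connection is the one the firewall applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if src in _net(p.src) and dst in _net(p.dst) and _service_covers(p.service, service):
            return p
    return None   # nothing matched: the firewall blocks the connection


def shadowed(policies):
    """Policies that can never be reached because an earlier policy already
    matches everything they would match. Returns (shadowed, shadowed_by) names."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and _service_covers(earlier.service, later.service)):
                result.append((later.name, earlier.name))
                break
    return result


# Constructed policies (not from the guide): the default allow-everything-outbound
# policy and a more specific policy that denies SMTP from one subnet.
DEFAULT = Policy("default", "192.168.0.0/16", "0.0.0.0/0", "ANY", "ACCEPT")
BLOCK_SMTP = Policy("block_smtp", "192.168.1.0/24", "0.0.0.0/0", "SMTP", "DENY")

GENERAL_FIRST = [DEFAULT, BLOCK_SMTP]    # wrong order: the SMTP deny is never reached
SPECIFIC_FIRST = [BLOCK_SMTP, DEFAULT]   # right order: specific above general

if __name__ == "__main__":
    for label, plist in (("general first", GENERAL_FIRST), ("specific first", SPECIFIC_FIRST)):
        hit = first_match(plist, "192.168.1.10", "203.0.113.5", "SMTP")
        print(f"{label}: SMTP from 192.168.1.10 -> {hit.name} ({hit.action}); "
              f"shadowed: {shadowed(plist)}")
```

Run `shadowed()` over a policy list before saving it: an empty result means every policy can be reached in the order given, which is the property the ordering rule above is meant to guarantee.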

  • Page 202

    Addresses. All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy. You can add, edit, and delete all firewall addresses as required. You can also org[...]

  • Page 203

    6 Enter the Netmask. The netmask corresponds to the type of address that you are adding. For example: • The netmask for the IP address of a single computer should be 255.255.255.255. • The netmask for a class A subnet should be 255.0.0.0. • The net[...]

  • Page 204

    Deleting addresses. Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy. To delete an address: 1 Go to Firewall > Address. 2 Select the interface list containing the address that you wan[...]

  • Page 205

    Figure 56: Adding an internal address group. Services. Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to s[...]

  • Page 206

    GRE: Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. IP protocol 47. AH: Authentication Header. AH provides source host authentication and data integ[...]

  • Page 207

    LDAP: Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389. NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium. tcp 1720. NFS: Network File System allows network[...]

  • Page 208

    Adding custom TCP and UDP services. Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list. To add a custom TCP or UDP service: 1 Go to Firewall > Service > Custom. 2 Select TCP/UDP from the Protocol list. 3 Select New. 4 T[...]

  • Page 209

    Adding custom ICMP services. Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list. To add a custom ICMP service: 1 Go to Firewall > Service > Custom. 2 Select ICMP from the Protocol list. 3[...]

  • Page 210

    3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special chara[...]

  • Page 211

    Creating one-time schedules. You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Int[...]

  • Page 212

    Creating recurring schedules. You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule. If you create a r[...]
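The two schedule types above, one-time and recurring, only decide whether a policy is active at a given moment; the policy list is still walked top-down. The following Python model is an added example, not code from the guide or from Fortinet, showing the "no Internet outside working hours" arrangement as an accept policy on a working-hours schedule followed by an always-on deny, plus a one-time deny for a maintenance window. The schedule representation, the weekday numbering (Python's, Monday = 0) and the dates are constructed for the example; it assumes a recurring schedule stops later than it starts on the same day and does not reproduce how the guide treats a stop time earlier than the start time.

```python
from datetime import datetime, time

# Constructed schedules (not from the guide).
ALWAYS = {"kind": "always"}
MAINTENANCE = {"kind": "onetime",                    # a single window, then never again
               "start": datetime(2024, 3, 5, 9, 0),
               "stop": datetime(2024, 3, 5, 11, 0)}
WORK_HOURS = {"kind": "recurring", "days": {0, 1, 2, 3, 4},   # Monday to Friday
              "start": time(8, 0), "stop": time(18, 0)}


def schedule_active(sched, at):
    """True if the schedule is active at datetime `at`.
    Assumption: a recurring window lies within one day (start < stop)."""
    kind = sched["kind"]
    if kind == "always":
        return True
    if kind == "onetime":
        return sched["start"] <= at < sched["stop"]
    if kind == "recurring":
        if sched["stop"] <= sched["start"]:
            raise ValueError("recurring schedule must stop after it starts (assumed)")
        return at.weekday() in sched["days"] and sched["start"] <= at.time() < sched["stop"]
    raise ValueError(f"unknown schedule kind {kind!r}")


def decide(policies, at):
    """Return (name, action) of the first policy, in list order, whose schedule
    is active at `at`; None if no policy is active (the firewall then blocks)."""
    for name, sched, action in policies:
        if schedule_active(sched, at):
            return name, action
    return None


# "Prevent Internet use outside working hours": an accept policy that is only
# active during WORK_HOURS, followed by an always-on deny for everything else.
OFFICE_POLICIES = [
    ("web_working_hours", WORK_HOURS, "ACCEPT"),
    ("deny_after_hours", ALWAYS, "DENY"),
]

# A one-time deny placed first takes the Internet away for the maintenance
# window; once the window has passed the normal policies apply again.
WITH_MAINTENANCE = [("maintenance_block", MAINTENANCE, "DENY")] + OFFICE_POLICIES

if __name__ == "__main__":
    for when in (datetime(2024, 3, 4, 10, 0),    # Monday 10:00
                 datetime(2024, 3, 4, 20, 0),    # Monday 20:00
                 datetime(2024, 3, 9, 10, 0),    # Saturday 10:00
                 datetime(2024, 3, 5, 10, 0)):   # Tuesday 10:00, inside the window
        print(when.strftime("%a %H:%M"), decide(OFFICE_POLICIES, when),
              decide(WITH_MAINTENANCE, when))
```

Note that the deny policy carries the always-on schedule, not the off-hours one: scheduling only the accept policy and letting an unscheduled deny catch the rest avoids having to describe "outside working hours" as a set of windows.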

  • Page 213

    Adding schedules to policies. After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new sched[...]

  • Page 214

    This section describes: • Adding static NAT virtual IPs • Adding port forwarding virtual IPs • Adding policies with virtual IPs. Adding static NAT virtual IPs. To add a static NAT virtual IP: 1 Go to Firewall > Virtual IP. 2 Select New to add a virtual IP. 3 Type a Name for the virt[...]

  • Page 215

    7 In Map to IP, type the real IP address on the destination network, for example, the IP address of a web server on an internal network. 8 Select OK to save the virtual IP. You can now add the virtual IP to firewall policies. Figure 60: Adding a stati[...]

  • Page 216

    6 Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. If the IP address of the external interface selected in step 4 is set using PP[...]

  • Page 217

    Figure 61: Adding a port forwarding virtual IP. Adding policies with virtual IPs. Use the following procedure to add a policy that uses a virtual IP to forward packets. To add a policy with a virtual IP: 1 Go to Firewall > Policy. 2 Select the type [...]

  • Page 218

    4 Select OK to save the policy. IP pools. An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface. You can add a[...]

  • Page 219

    Figure 62: Adding an IP Pool. IP pools for firewall policies that use fixed ports. Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track o[...]
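The virtual IP pages (static NAT and port forwarding) and the IP pool pages above describe the two directions of address translation on this firewall. The following Python model is an added example, not code from the guide or from Fortinet: destination translation as a virtual IP does it (a static NAT virtual IP carries every port through unchanged, a port forwarding virtual IP exposes one external port and may renumber it), and source translation with and without Fixed Port, which shows why a pool of addresses is needed once the source port must be preserved. The virtual IP entries, addresses and the simplified port allocator are constructed for the example.

```python
from itertools import count

# Constructed virtual IPs (not from the guide). ext_port None marks a static NAT
# virtual IP: every port on the external address maps to the internal host.
VIRTUAL_IPS = [
    {"name": "web_static", "ext_ip": "203.0.113.10", "map_ip": "10.1.1.10",
     "ext_port": None, "map_port": None},
    {"name": "ssh_forward", "ext_ip": "203.0.113.11", "map_ip": "10.1.1.20",
     "ext_port": 2222, "map_port": 22},
]


def translate_destination(dst_ip, dst_port, vips=VIRTUAL_IPS):
    """Destination NAT as a virtual IP performs it: return the (ip, port) the
    packet is forwarded to, or the original pair if no virtual IP applies."""
    for vip in vips:
        if vip["ext_ip"] != dst_ip:
            continue
        if vip["ext_port"] is None:             # static NAT: port carried through
            return vip["map_ip"], dst_port
        if vip["ext_port"] == dst_port:         # port forwarding: one port, renumbered
            return vip["map_ip"], vip["map_port"]
    return dst_ip, dst_port


class SourceNat:
    """Source NAT on an outbound policy: the source address becomes the
    outgoing interface address or an IP pool address; the source port is
    renumbered unless Fixed Port is set."""

    def __init__(self, interface_ip, pool=None, fixed_port=False):
        self.nat_addresses = list(pool) if pool else [interface_ip]
        self.fixed_port = fixed_port
        self.sessions = {}              # (nat_ip, nat_port) -> (src_ip, src_port)
        self._ports = count(1024)       # simplified allocator for translated ports

    def translate(self, src_ip, src_port):
        if not self.fixed_port:
            # Port translation keeps every session distinct on a single address.
            key = (self.nat_addresses[0], next(self._ports))
            self.sessions[key] = (src_ip, src_port)
            return key
        # Fixed Port: the port must survive, so each internal host that uses the
        # same source port needs its own address from the pool.
        for nat_ip in self.nat_addresses:
            key = (nat_ip, src_port)
            owner = self.sessions.get(key)
            if owner is None or owner == (src_ip, src_port):
                self.sessions[key] = (src_ip, src_port)
                return key
        raise RuntimeError(f"port {src_port} is already in use on every NAT address")


if __name__ == "__main__":
    print(translate_destination("203.0.113.10", 443), translate_destination("203.0.113.11", 2222))
    pooled = SourceNat("203.0.113.1", pool=["203.0.113.50", "203.0.113.51"], fixed_port=True)
    print(pooled.translate("10.1.1.5", 500), pooled.translate("10.1.1.6", 500))
```

With Fixed Port and no pool, the second internal host that sends from the same source port cannot be translated; with two pool addresses the two hosts each get one, which is the situation the "IP pools for firewall policies that use fixed ports" page is about.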

  • Page 220

    IP/MAC binding. IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. The IP address of a computer is easy to change [...]

  • Page 221

    For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list: • A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy. • A packet[...]

  • Page 222

    3 Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC add[...]
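The binding rules on the two pages above (a bound pair passes on to policy matching; several IPs may share one MAC but one IP may not have several MACs; 0.0.0.0 lets a MAC be listed without an IP) can be checked with a small model. The following Python class is an added example, not code from the guide or from Fortinet. It assumes that a packet carrying only one half of a bound pair with the wrong partner is dropped, which is the anti-spoofing behaviour the page describes; a packet whose IP and MAC are both absent from the list is reported as unlisted rather than decided, because the page shown here does not say what happens to it. The addresses are constructed for the example (the MAC is shortened to six octets).

```python
WILDCARD_IP = "0.0.0.0"


class IpMacBindingList:
    """Model of the IP/MAC binding list. add() enforces the list constraints;
    check() returns "pass", "drop" or "unlisted" for a packet's (ip, mac)."""

    def __init__(self):
        self.pairs = set()                       # (ip, mac) entries

    def add(self, ip, mac):
        mac = mac.lower()
        if ip != WILDCARD_IP:
            # One IP may be bound to only one MAC (0.0.0.0 is exempt).
            for bound_ip, bound_mac in self.pairs:
                if bound_ip == ip and bound_mac != mac:
                    raise ValueError(f"{ip} is already bound to {bound_mac}")
        self.pairs.add((ip, mac))

    def check(self, ip, mac):
        mac = mac.lower()
        if (ip, mac) in self.pairs or (WILDCARD_IP, mac) in self.pairs:
            return "pass"                        # bound pair, or a 0.0.0.0 MAC: on to policy matching
        ip_bound = any(b_ip == ip for b_ip, _ in self.pairs)
        mac_bound = any(b_mac == mac for _, b_mac in self.pairs)
        if ip_bound or mac_bound:
            return "drop"                        # assumed: wrong partner for a bound address
        return "unlisted"                        # neither address is in the list


if __name__ == "__main__":
    # Constructed entries (not from the guide).
    binding = IpMacBindingList()
    binding.add("1.1.1.1", "12:34:56:78:90:ab")
    binding.add("1.1.1.2", "12:34:56:78:90:ab")      # second IP on the same MAC: allowed
    binding.add(WILDCARD_IP, "00:11:22:33:44:55")     # MAC listed without an IP
    for ip, mac in (("1.1.1.1", "12:34:56:78:90:ab"),
                    ("1.1.1.1", "aa:bb:cc:dd:ee:ff"),  # trusted IP from another computer
                    ("9.9.9.9", "00:11:22:33:44:55"),
                    ("9.9.9.9", "de:ad:be:ef:00:01")):
        print(ip, mac, binding.check(ip, mac))
```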

  • Page 223

    Figure 63: IP/MAC settings. Content profiles. Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles to: • Configure antivirus protection for HTTP, FTP[...]

  • Page 224

    Default content profiles. The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own. Adding content profiles. If the default content profiles do not provide the p[...]

  • Page 225

    6 Enable the email filter protection options that you want. 7 Enable the fragmented email and oversized file and email options that you want. 8 Select OK. Figure 64: Example content profile. Web Exempt List: Exempt URLs from web filtering and virus sc[...]

  • Page 226

    Adding content profiles to policies. You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. To add a content profile to a policy: 1 Go to Firewall > Pol[...]

  • Page 227

    Users and authentication. FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password[...]

  • Page 228

    This chapter describes: • Setting authentication timeout • Adding user names and configuring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user groups. Setting authentication timeout. Authentication timeout controls how long [...]

  • Page 229

    5 Select the Try other servers if connect to selected server fails check box if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS confi[...]

  • Page 230

    Configuring RADIUS support. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers. Addi[...]

  • Page 231

    Configuring LDAP support. If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user e[...]

  • Page 232

    7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the followin[...]

  • Page 233

    • IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel. • XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated us[...]

  • Page 234

    3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 To add users to the user group, select a user from th[...]

  • Page 235

    IPSec VPN. A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities[...]

  • Page 236

    Key management. There are three basic elements in any encryption system: • an algorithm that changes information into code, • a cryptographic key that serves as a secret starting point for the algorithm, • a management system to control the key. IPSec provides two ways to handle key exchange and[...]

  • Page 237

    In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments. Manual key IPSec VPNs. When using manual keys, complementary security parameters must be ente[...]

  • Page 238

    5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway. This is the external IP[...]

  • Page 239

    AutoIKE IPSec VPNs. FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. • General configuration steps for an AutoIKE VPN • Add[...]

  • Page 240

    3 Type a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters [...]

  • Page 241

    10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer. • Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the Fort[...]

  • Page 242

    4 Optionally, configure NAT Traversal. 5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors. 6 Select OK to[...]

  • Page 243

    Figure 69: Adding a phase 1 configuration (Standard options). Figure 70: Adding a phase 1 configuration (Advanced options)[...]

  • Page 244

    Adding a phase 2 configuration for an AutoIKE VPN. Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client). To add a phase 2 configuration: 1 Go to VPN > IP[...]

  • Page 245

    10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed. 11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure, “Adding a VPN concentrat[...]

  • Page 246

    Managing digital certificates. Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves cop[...]

  • Page 247

    6 Configure the key. 7 Select OK to generate the private and public key pair and the certificate request. The private/public key pair is generated and the certificate request is displayed in the Local Certificates list with a status of Pending. Fi[...]

  • Page 248

    Downloading the certificate request. Use the following procedure to download a certificate request from the FortiGate unit to the management computer. To download the certificate request: 1 Go to VPN > Certificates > Local Certificates. 2 Select Download to download the local ce[...]

  • Page 249

    Obtaining CA certificates. For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certific[...]

  • Page 250

    In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the [...]

  • Page 251

    Adding a destination address. The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway. To add a destination address: 1 Go to Firewall > Address. 2 Select an external interface.[...]

  • Page 252

    For information about configuring the remaining policy settings, see “Adding firewall policies” on page 194. 9 Select OK to save the encrypt policy. To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar so[...]

  • Page 253

    Figure 73: Adding an encrypt policy. IPSec VPN concentrators. In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the netwo[...]

  • Page 254

    If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet. • VPN concentra[...]

  • Page 255

    See “Adding an encrypt policy” on page 251. 5 Arrange the policies in the following order: • encrypt policies • default non-encrypt policy (Internal_All -> External_All) Adding a VPN concentrator To add a VPN concentrator configuration 1 Go to [...]

  • Page 256

    VPN spoke general configuration steps A remote VPN peer that functions as a spoke requires the following configuration: • A tunnel (Auto IKE phase 1 and phase 2 configuration or manual key configuration) for the hub. • The source address of the local VPN spoke. • The destination a[...]

  • Page 257

    See “Adding an encrypt policy” on page 251. 6 Arrange the policies in the following order: • outbound encrypt policies • inbound encrypt policy • default non-encrypt policy (Internal_All -> External_All) Monitoring and Troubles[...]

  • Page 258

    Viewing dialup VPN connection status You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID dest[...]

  • Page 259

    FortiGate-4000 Installation and Configuration Guide Version 2.50 FortiGate-4000 Installation and Configuration Guide 259 PPTP and L2TP VPN You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you[...]

  • Page 260

    Configuring the FortiGate unit as a PPTP gateway Use the following procedures to configure the FortiGate unit as a PPTP gateway: To add users and user groups Add a user for each PPTP client. 1 Go to User > Local. 2 Add and configure PPTP users. For information about adding and config[...]

  • Page 261

    3 Select New to add an address. 4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range. 5 Select OK to save the source address. 6 Repeat for all addresses in the PPTP address range. To add a source address group Organ[...]

  • Page 262

    6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP. 7 Set Action to ACCEPT. 8 Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter se[...]

  • Page 263

    To connect to the PPTP VPN 1 Start the dialup connection that you configured in the previous procedure. 2 Enter your PPTP VPN User Name and Password. 3 Select Connect. Configuring a Windows 2000 client for PPTP Use the following procedure to configure a[...]

  • Page 264

    5 Name the connection and select Next. 6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next. 7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next. 8 Select Finish. To config[...]

  • Page 265

    Configuring L2TP Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit. This section describes: • Configuring the FortiGate unit as an L2TP gateway • Configuring a Windows 2000[...]

  • Page 266

    To add source addresses Add a source address for every address in the L2TP address range. 1 Go to Firewall > Address. 2 Select the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone. 3 Select New to add an address. 4 Enter the Address Name, IP[...]

  • Page 267

    2 Select the policy list that you want to add the policy to (usually, External -> Internal). 3 Select New to add a policy. 4 Set Source to the group that matches the L2TP address range. 5 Set Destination to the address to which L2TP users can connect. 6[...]

  • Page 268

    4 Go to the Options tab and select IP security properties. 5 Make sure that Do not use IPSEC is selected. 6 Select OK and close the connection properties window. 7 Use the registry editor (regedit) to locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi[...]

  • Page 269

    7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next. 8 Select Finish. To configure the VPN connection 1 Right-click the icon that you created. 2 Select Properties > Security. 3 Sele[...]

  • Page 270

    8 Add the following registry value to this key: Value Name: ProhibitIpSec Data Type: REG_DWORD Value: 1 9 Save the changes and restart the computer for the changes to take effect. You must add the ProhibitIpSec registry value to each Windows XP-based endpoint computer of an L2TP or IPSec conn[...]

  • Page 271

    Network Intrusion Detection System (NIDS) The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network tra[...]

  • Page 272

    Selecting the interfaces to monitor To select the interfaces to monitor for attacks 1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks. You can select up to a total of 4 interfaces and VLAN subinterfaces. 3 Select Apply[...]

  • Page 273

    Viewing the signature list You can display the current list of NIDS signature groups and the members of a signature group. To view the signature list 1 Go to NIDS > Detection > Signature List. 2 View the names and actions[...]

  • Page 274

    Figure 80: Example signature group members list Disabling NIDS attack signatures By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve s[...]

  • Page 275

    To add user-defined signatures 1 Go to NIDS > Detection > User Defined Signature List. 2 Select Upload. 3 Type the path and filename of the text file for the user-defined signature list or select Browse and locate the fi[...]

  • Page 276

    Preventing attacks NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You c[...]

  • Page 277

    Setting signature threshold values You can change the default threshold values for the NIDS Prevention signatures listed in Table 48. The threshold depends on the type of attack. For flooding attacks, the threshold is the ma[...]

  • Page 278

    To set Prevention signature threshold values 1 Go to NIDS > Prevention. 2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons. 3 Type the Threshold value. 4 Select[...]

  • Page 279

    The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new[...]


  • Page 281

    Antivirus protection You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HT[...]

  • Page 282

    Antivirus scanning Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection. Each file is tested to determine the file type and the mo[...]

  • Page 283

    Figure 82: Example content profile for virus scanning File blocking Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a [...]

  • Page 284

    By default, when blocking is enabled, the FortiGate unit blocks the following file patterns: • executable files (*.bat, *.com, and *.exe) • compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip) • dynamic link libraries (*.dll) • HTML application (*.hta) • Microsoft [...]

  • Page 285

    Blocking oversized files and emails You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead[...]

  • Page 286

    Viewing the virus list You can view the names of the viruses and worms in the current virus definition list. To view the virus list 1 Go to Anti-Virus > Config > Virus List. 2 Scroll through the virus and worm list to view the names of all viruses and worms in the list.[...]

  • Page 287

    Web filtering When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of cont[...]

  • Page 288

    3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies. See: • “URL blocking” on page 291, • “Configuring Cerberian URL filtering” on page 294, • “Content blocking” on page 288, • “Script filte[...]

  • Page 289

    4 Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words.[...]

  • Page 290

    Backing up the Banned Word list You can back up the banned word list by downloading it to a text file on the management computer. To back up the banned word list 1 Go to Web Filter > Content Block. 2 Select Backup Banned Word List. The FortiGate unit downloads the list to a text file on the[...]

  • Page 291

    5 Select Return to display the updated Banned Word List. 6 You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary. URL blocking You can block unwanted web URLs using FortiGate Web URL bl[...]

  • Page 292

    4 Ensure that the Enable checkbox has been selected and then select OK. 5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All. Ea[...]

  • Page 293

    Downloading the Web URL block list You can back up the Web URL block list by downloading it to a text file on the management computer. To download a Web URL block list 1 Go to Web Filter > Web URL Block. 2 Select Download URL Block List. The FortiGate unit [...]

  • Page 294

    8 You can continue to maintain the Web URL block list by making changes to the text file and uploading it again. Configuring FortiGate Web pattern blocking You can configure FortiGate web pattern blocking to block web pages that match a URL pattern. Create URL patterns usin[...]

  • Page 295

    Installing a Cerberian license key Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit. To i[...]

  • Page 296

    You can add users to the default group and apply any policies to the group. Use the default group to add: • All the users who are not assigned alias names on the FortiGate unit. • All the users who are not assigned to other user groups. The Cerberian web filter groups URLs[...]

  • Page 297

    Script filtering You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages. • Enabling script filtering • Selecting script filter options Enabling script filtering 1 Go to Firewall > Content Profi[...]

  • Page 298

    Exempt URL list Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable w[...]

  • Page 299

    Figure 88: Example URL Exempt list Downloading the URL Exempt List You can back up the URL Exempt List by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Exempt. 2 Select Download URL Exempt List. The FortiGate unit downl[...]

  • Page 300

    3 Select Upload URL Exempt List. 4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file. 5 Select OK to upload the file to the FortiGate unit. 6 Select Return to display the updated URL Exempt List. 7 You can continue to maintain the URL Exempt List[...]

  • Page 301

    Email filter Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and PO[...]

  • Page 302

    Email banned word list When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages [...]

  • Page 303

    Downloading the email banned word list You can back up the banned word list by downloading it to a text file on the management computer: To download the banned word list 1 Go to Email Filter > Content Block. 2 Select Download. The FortiGate unit downl[...]

  • Page 304

    Email block list You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a messag[...]

  • Page 305

    Uploading an email block list You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0)[...]

  • Page 306

    Adding address patterns to the email exempt list To add an address pattern to the email exempt list 1 Go to Email Filter > Exempt List. 2 Select New. 3 Type the address pattern that you want to exempt. • To exempt email sent from a specific email address, type the email address. For [...]

  • Page 307

    Logging and reporting You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert emai[...]

  • Page 308

    Recording logs on a remote computer You can configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server. To record logs on a remote computer 1 Go to Log&Report > Log Setting. 2 Select the Log to Remote Host[...]

  • Page 309

    5 Select Config Policy. To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in “Filtering log messages” on page 310 and “Configuring traffic logging” on page 311. 6 Select OK. 7 Select Apply.[...]

  • Page 310

    Filtering log messages You can configure the logs that you want to record and the message categories that you want to record in each log. To filter log entries 1 Go to Log&Report > Log Setting. 2 Select Config Policy for the log location that you selected in “Recording lo[...]

  • Page 311

    4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3. 5 Select OK. Figure 92: Example log filter configu[...]

  • Page 312

    This section describes: • Enabling traffic logging • Configuring traffic filter settings • Adding traffic filter entries Enabling traffic logging You can enable logging on any interface, VLAN subinterface, and firewall policy. Enabling traffic logging for an interface [...]

  • Page 313

    Configuring traffic filter settings You can configure the information recorded in all traffic log messages. To configure traffic filter settings 1 Go to Log&Report > Log Setting > Traffic Filter. 2 Select the settings that yo[...]

  • Page 314

    4 Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected in “Enabling traffic logging” on page 312. Figure 94: Example new traffic address entry Viewing logs saved to memory If the FortiGate unit is configured to sav[...]

  • Page 315

    4 To view a specific line in the log, type a line number in the Go to line field and select . 5 To navigate through the log message pages, select Go to next page or Go to previous page. Searching logs To search log messages saved in syste[...]

  • Page 316

    Adding alert email addresses Because the FortiGate unit uses the SMTP server name to connect to the mail server, the FortiGate unit must look up this name on your DNS server. Before you configure alert email, make sure that you configure at least one DNS server. To add[...]

  • Page 317

    Enabling alert email You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enabl[...]


  • Page 319

    Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an [...]

  • Page 320

    LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers. MAC address, [...]

  • Page 321

    SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address c[...]


  • Page 323

    Index A accept policy 196 action policy option 196 active log searching 315 ActiveX 297 removing from web pages 297 address 202 adding 202 adding firewall addresses to a virtual domain 157 editing 203, 204 group 204 IP/MAC bind[...]

  • Page 324

    attack updates configuring 127 scheduling 126 through a proxy server 128 authentication 198, 227 configuring 228 enabling 232 LDAP server 231 RADIUS server 230 timeout 176 auto device in route 160 AutoIKE 236 certificates 236 introduction 236 pre-shared keys 236 automatic antivirus and attack definition updates configuring [...]

  • Page 325

    dialup PPTP configuring Windows 2000 client 263 configuring Windows 98 client 262 configuring Windows XP client 263 dialup VPN viewing connection status 258 disabling NIDS 272 DMZ interface definition 319 DNS server addresses 158 domain DHCP 164 downloading attack definition updates 13[...]

  • Page 326

    H HA 81 connecting a NAT/Route mode cluster 84 introduction 19 managing HA group 87 NAT/Route mode 82 replacing FortiGate unit after fail-over 95 hard disk full alert email 317 high availability 81 introduction 19 HTTP enabling web filtering 287, 301 HTTPS 20, 206, 319 I ICMP 207, 319 configuring checksum verification 272 [...]

  • Page 327

    log setting filtering log entries 126, 310 traffic filter 313 log to memory configuring 309 viewing saved logs 314 Log Traffic firewall policy 199 policy 199 logging 21, 307 attack log 310 configuring traffic settings 312, 313 connections to an interface 148 email filter log 310 enabli[...]

  • Page 328

    oversized files and email blocking 285 P password adding 228 changing administrator account 179 Fortinet support 138 recovering a lost Fortinet support 136 PAT 215 pattern web pattern blocking 294 permission administrator account 179 ping server adding to an interface 146 policy accept 196 adding for a virtual domain 157[...]

  • Page 329

    reserved IP adding to a DHCP server 165 resolve IP 313 traffic filter 313 restarting 118 restoring system settings 116 restoring system settings to factory default 116 reverting firmware to an older version 107 RIP configuring 167 filters 171 interface configuration 169 settings 167 RM[...]

  • Page 330

    static NAT virtual IP 213 adding 214 static route adding 159 status CPU 119 interface 143 intrusions 121 IPSec VPN tunnel 257 memory 119 network 120 sessions 120 viewing dialup connection status 258 viewing VPN tunnel status 257 virus 121 subnet definition 321 subnet address definition 321 support contract number adding 13[...]

  • Page 331

    URL block list adding URL 294, 304 clearing 292 downloading 290, 293, 299, 304 uploading 290, 293, 299, 305 URL block message 288 URL blocking 291 exempt URL list 298, 305 web pattern blocking 294 URL exempt list see also exempt URL list 298, 305 use selectors from policy quick mode iden[...]

  • Page 332

    worm list displaying 286 worm protection 286 Z zone adding 142 adding to a virtual domain 156 configuring 141[...]