Fortinet FortiGate-100 manual (FortiGate-100 Installation and Configuration Guide, Version 2.50 MR2)



Table of contents for the manual

  • Page 1

    FortiGate-100 Installation and Configuration Guide. Front panel labels on the cover image: INTERNAL, EXTERNAL, DMZ, POWER, STATUS. FortiGate User Manual Volume 1, Version 2.50 MR2, 18 August 2003[...]

  • Page 2

    © Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-1[...]

  • Page 3

    Contents (FortiGate-100 Installation and Configuration Guide, page 3). Table of Contents:
    Introduction ..... 13
    Antivirus protection ..... 13
    Web co[...]

  • Page 4

    Contents (page 4):
    Planning your FortiGate configuration ..... 37
    NAT/Route mode ..... 37
    NAT/Route mode with multiple external network connections ..... [...]

  • Page 5

    Contents (page 5):
    Completing the configuration ..... 61
    Setting the date and time ..... 61
    Enabling antivirus protectio[...]

  • Page 6

    Contents (page 6):
    Virus and attack definitions updates and registration ..... 91
    Updating antivirus and attack definitions ..... 91
    Connecting to the FortiResponse Distribution Network ..... [...]

  • Page 7

    Contents (page 7):
    Configuring routing ..... 115
    Adding a default route ..... 116
    Adding destination-[...]

  • Page 8

    Contents (page 8):
    Configuring policy lists ..... 149
    Policy matching in detail ..... 149
    Changing the order of policies in a policy list ..... [...]

  • Page 9

    Contents (page 9):
    Configuring LDAP support ..... 177
    Adding LDAP servers ..... 177
    Deleting LDAP servers ..... [...]

  • Page 10

    Contents (page 10):
    Configuring L2TP ..... 213
    Configuring the FortiGate unit as a L2TP gateway ..... 214
    Configuring a Windows 2000 client for L2TP ..... [...]

  • Page 11

    Contents (page 11):
    Exempt URL list ..... 243
    Adding URLs to the exempt URL list ..... 243
    Email filter ..... [...]

  • Page 12

    Contents (page 12)[...]

  • Page 13

    Introduction. The FortiGate Antivirus Firewall supports network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve net[...]

  • Page 14

    Introduction. For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGat[...]

  • Page 15

    Introduction, NAT/Route mode. You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides[...]

  • Page 16

    Introduction, Transparent mode. Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes t[...]

  • Page 17

    Introduction, Web-based manager. • PPTP for easy connectivity with the VPN standard supported by the most popular operating systems. • L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems. • Firewall policy based control of IPSec VPN[...]

  • Page 18

    Introduction, Command line interface. Figure 1: The FortiGate web-based manager and setup wizard. Command line interface: You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection[...]

  • Page 19

    Introduction, Logging and reporting. The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to: • report traffic that connects to the firewall, • report network services used, • report traffic permit[...]

  • Page 20

    Introduction, Firewall. DHCP server • Addition of a WINS server to DHCP configuration. • Reserve IP/MAC pair combinations for DHCP servers (CLI only). RIP • New RIP v1 and v2 functionality. See "RIP configuration" on page 121. SNMP • SNMP v1 and v2 support. • Support for RFC 1213 and RFC 2665 • Monitoring of all [...]

  • Page 21

    Introduction, NIDS. See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include: • Attack detection signature groups • User-configuration attack prevention • Monitor multiple interfaces for attacks • User-defined attack detectio[...]

  • Page 22

    Introduction, Logging and Reporting. About this document: This installation and configuration guide describes how to install and configure the FortiGate-100. This document contains the following information: • Getting started describes unpacking, mounting, and powering on the FortiGate. • NAT/Route mode installation describe[...]

  • Page 23

    Introduction, Logging and Reporting. Document conventions: This guide uses the following conventions to describe CLI command syntax. • angle brackets < > to indicate variable keywords. For example: execute restore config <filename_str>. You enter restore config myfile.bak <xxx[...]

  • Page 24

    Introduction, Comments on Fortinet technical documentation. Fortinet documentation: Information about FortiGate products is available from the following FortiGate User Manual volumes: • Volume 1: FortiGate Installation and Configuration Guide. Describes installation and basic configuration for the FortiGate unit. Also descr[...]

  • Page 25

    Introduction, Comments on Fortinet technical documentation. Customer service and technical support: For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support w[...]

  • Page 26

    Introduction, Comments on Fortinet technical documentation.[...]

  • Page 27

    Getting started. This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you [...]

  • Page 28

    Getting started, Package contents. The FortiGate-100 package contains the following items: • FortiGate-100 Antivirus Firewall • one orange crossover ethernet cable • one gray regular ethernet cable • one null modem cable • FortiGate-100 Quick Start Guide • CD containing the FortiGate user documentation • one powe[...]

  • Page 29

    Getting started, Environmental specifications. • Operating temperature: 32 to 104°F (0 to 40°C) • Storage temperature: -13 to 158°F (-25 to 70°C) • Humidity: 5 to 95% non-condensing. Powering on: To power on the FortiGate-100 unit: 1 Connect the AC adapter to the power connection at[...]

  • Page 30

    Getting started, Connecting to the web-based manager. Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. To connect to the web-based manager, you need:[...]

  • Page 31

    Getting started, Connecting to the command line interface (CLI). As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt s[...]

  • Page 32

    Getting started, Factory default NAT/Route mode network configuration. If you are planning on operating the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode. Once the network configuration is c[...]

  • Page 33

    Getting started, Factory default Transparent mode network configuration. If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3. Factory default firewall configuration: The facto[...]

  • Page 34

    Getting started, Factory default content profiles. You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for: • Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic • Web c[...]

  • Page 35

    Getting started, Factory default content profiles. Strict content profile: Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if [...]

  • Page 36

    Getting started, Factory default content profiles. Web content profile: Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic. Unfiltered content profile: Use the unfiltered content profile if you do [...]

  • Page 37

    Getting started, NAT/Route mode. Planning your FortiGate configuration: Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall [...]

  • Page 38

    Getting started, NAT/Route mode with multiple external network connections. In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configura[...]

  • Page 39

    Getting started, Configuration options. You can connect up to three network segments to the FortiGate unit to control traffic between these network segments. • External can connect to the external firewall or router. • Internal can connect to the internal network. • DMZ can connect to a[...]

  • Page 40

    Getting started, Configuration options. FortiGate model maximum values matrix. Table 9: FortiGate maximum values matrix
    FortiGate model   50    60    100   200   300   400   500    1000   2000   3000   3600
    Policy            200   500   1000  2000  5000  5000  20000  50000  50000  50000  50000
    Address           500   500   500   500   3000  3000  6000   10000  10000  10000  10000
    Address group     500   50[...]

  • Page 41

    Getting started, Configuration options. Next steps: Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to "NAT/Route mode installation" on page 43. • If you are g[...]

  • Page 42

    Getting started, Configuration options.[...]

  • Page 43

    NAT/Route mode installation. This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see "Transparent mode installation" on page 57. This cha[...]

  • Page 44

    NAT/Route mode installation, Advanced NAT/Route mode settings. Use Table 11 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings. DMZ interface: Use Table 12 to record the IP address and netmask of the FortiGate DMZ interface if you are configu[...]

  • Page 45

    NAT/Route mode installation, Starting the setup wizard. Using the setup wizard: From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see "Connecting to the web-based manager" on page 30. S[...]

  • Page 46

    NAT/Route mode installation, Configuring the FortiGate unit to operate in NAT/Route mode. 3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 10 on page 43. To set the manual IP address and netmask, enter: set system interface external mode static i[...]

  • Page 47

    NAT/Route mode installation, Configuring the FortiGate unit to operate in NAT/Route mode. Connecting the FortiGate unit to your networks: When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. There are three 1[...]

  • Page 48

    NAT/Route mode installation, Configuring the DMZ interface. Configuring your networks: If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. For your internal network, change the default g[...]

  • Page 49

    NAT/Route mode installation, Enabling antivirus protection. To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet: 1 Go to Firewall > Policy > Int -> Ext. 2 Select Edit to edit this policy.[...]

  • Page 50

    NAT/Route mode installation, Configuring virus and attack definition updates. This section provides some examples of routing and firewall configurations to configure the FortiGate unit for multiple internet connections. To use the information in this section you should be familiar with FortiGate routing (see "Configuring rou[...]

  • Page 51

    NAT/Route mode installation, Configuring Ping servers. Use the following procedure to make Gateway 1 the ping server for the external interface and Gateway 2 the ping server for the DMZ interface. 1 Go to System > Network > Interface. 2 For the external inter[...]

  • Page 52

    NAT/Route mode installation, Destination based routing examples. Using the CLI: 1 Add the route to the routing table: set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz. Load sharing: You can also configure destination routing to direct traffic through both gateways at the same time. If use[...]

  • Page 53

    NAT/Route mode installation, Destination based routing examples. 3 Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.1.1.1 • Gateway #2: 2.2.2.1 • Device #1: external • Device #2: dmz. 4 Select New t[...]
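
The ping servers on page 51 and the two-gateway route on page 52 work together: each route names a primary gateway and device and a secondary gateway and device, and a gateway whose ping server stops answering is taken out of service so the route fails over to the other one. The Python model below is an added example, not code from the guide or from Fortinet. It parses a `set system route` line in the form printed on page 52, does longest-prefix route selection, and picks gw1 or gw2 according to ping-server states. The gateway addresses and the ISP1 network are the ones on pages 52-53; the up/down states and the second route line are constructed for the example, and load sharing across both gateways (also on page 52) is not modelled.

```python
"""Added example (not from the FortiGate guide): destination-based routing with
a primary and a secondary gateway, failing over on ping-server state."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    number: int
    dst: IPv4Network
    gw1: IPv4Address
    dev1: str
    gw2: Optional[IPv4Address] = None
    dev2: Optional[str] = None


def parse_set_route(line: str) -> Route:
    """Parse 'set system route number N dst ADDR MASK gw1 G dev1 D [gw2 G dev2 D]'
    (the v2.50 CLI form shown on page 52) into a Route."""
    tokens = line.split()
    if tokens[:3] != ["set", "system", "route"]:
        raise ValueError("not a 'set system route' command: " + line)
    kv = {}
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key == "dst":                     # dst takes two values: address and netmask
            kv[key] = (tokens[i + 1], tokens[i + 2])
            i += 3
        else:
            kv[key] = tokens[i + 1]
            i += 2
    addr, mask = kv["dst"]
    return Route(
        number=int(kv["number"]),
        dst=IPv4Network(f"{addr}/{mask}", strict=False),
        gw1=IPv4Address(kv["gw1"]), dev1=kv["dev1"],
        gw2=IPv4Address(kv["gw2"]) if "gw2" in kv else None,
        dev2=kv.get("dev2"),
    )


def select_route(routes, dest: str):
    """Longest-prefix match; among equal prefixes the lower route number wins."""
    candidates = [r for r in routes if IPv4Address(dest) in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, -r.number))


def next_hop(routes, dest: str, ping_ok: dict):
    """Return (gateway, device) for dest. ping_ok maps a gateway address (string)
    to whether its ping server answers; a missing entry counts as up.
    gw1 is used while its ping server answers, otherwise gw2 if configured."""
    route = select_route(routes, dest)
    if route is None:
        return None
    if ping_ok.get(str(route.gw1), True):
        return (str(route.gw1), route.dev1)
    if route.gw2 is not None and ping_ok.get(str(route.gw2), True):
        return (str(route.gw2), route.dev2)
    return None                              # both gateways down: no usable path


# Constructed routing table: the default route from page 52 and a route for
# ISP1's network from page 53, written in the page-52 CLI form.
ROUTES = [
    parse_set_route("set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz"),
    parse_set_route("set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz"),
]

if __name__ == "__main__":
    all_up = {"1.1.1.1": True, "2.2.2.1": True}
    gw1_down = {"1.1.1.1": False, "2.2.2.1": True}
    print(next_hop(ROUTES, "100.100.100.7", all_up))    # ('1.1.1.1', 'external')
    print(next_hop(ROUTES, "100.100.100.7", gw1_down))  # ('2.2.2.1', 'dmz')
    print(select_route(ROUTES, "8.8.8.8").number)       # 0 (default route)
```

The point to take from the model is the order of decisions: the route is chosen first by prefix length, and only then does ping-server state choose between that route's two gateways. A ping server that points at a host which is reachable even when the link is actually broken (for example the local side of the gateway) defeats the failover, so the ping target should be on the far side of the link it is meant to monitor.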

  • Page 54

    NAT/Route mode installation, Policy routing examples. Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to [...]

  • Page 55

    NAT/Route mode installation, Firewall policy example. Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed thro[...]

  • Page 56

    NAT/Route mode installation, Firewall policy example. Restricting access to a single Internet connection: In some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 8 on page 50 the organization might want its mail server to only be able t[...]
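
Pages 55-56 say that once both Internet connections are routed, firewall policies decide which traffic may use which connection, and the contents on page 8 list "Policy matching in detail" and "Changing the order of policies in a policy list". The model below is an added example, not code from the guide or from Fortinet: per-interface-pair policy lists evaluated first-match, the page-56 mail-server restriction expressed as a deny placed ahead of the general accept on the second link's list, and a small audit that flags a policy shadowed by an earlier one. Assumptions: the interface pairs Int -> Ext and Int -> DMZ stand for the two Internet links as on pages 50-53; the addresses 192.168.1.0/24 and 192.168.1.25 and the service definitions are constructed; and how the guide's own truncated example pins the mail server is not visible on this page.

```python
"""Added example (not from the FortiGate guide): first-match firewall policy
lists and why the order of policies in a list matters."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Service:
    proto: str
    port: int


ANY = IPv4Network("0.0.0.0/0")
SMTP = Service("tcp", 25)
HTTP = Service("tcp", 80)
DNS = Service("udp", 53)


@dataclass(frozen=True)
class Policy:
    name: str
    src: IPv4Network
    dst: IPv4Network
    services: Optional[FrozenSet[Service]]   # None means any service
    action: str                              # "accept" or "deny"

    def matches(self, src: str, dst: str, svc: Service) -> bool:
        return (IPv4Address(src) in self.src and IPv4Address(dst) in self.dst
                and (self.services is None or svc in self.services))


def evaluate(policy_list, src: str, dst: str, svc: Service):
    """Walk the list top to bottom; the first matching policy decides.
    No match at all is the implicit deny."""
    for p in policy_list:
        if p.matches(src, dst, svc):
            return p.action, p.name
    return "deny", "implicit"


def shadowed(policy_list):
    """Names of policies that can never match because an earlier policy in the
    same list already covers their source, destination and services. This is
    a containment check on the definitions, not a per-packet simulation."""
    names = []
    for i, p in enumerate(policy_list):
        for q in policy_list[:i]:
            svc_covered = q.services is None or (p.services is not None and p.services <= q.services)
            if p.src.subnet_of(q.src) and p.dst.subnet_of(q.dst) and svc_covered:
                names.append(p.name)
                break
    return names


# Constructed addresses for the example.
INTERNAL = IPv4Network("192.168.1.0/24")
MAIL_SERVER = IPv4Network("192.168.1.25/32")

# Int -> Ext (first Internet link): the mail server may send SMTP, everyone
# on the internal network gets general Internet access.
INT_TO_EXT = [
    Policy("mail-smtp-out", MAIL_SERVER, ANY, frozenset({SMTP}), "accept"),
    Policy("lan-internet", INTERNAL, ANY, None, "accept"),
]

# Int -> DMZ (second Internet link): the mail server is pinned to the first
# link, so its traffic is denied here, and the deny must sit ABOVE the
# general accept or it never matches.
INT_TO_DMZ_CORRECT = [
    Policy("mail-block-dmz", MAIL_SERVER, ANY, None, "deny"),
    Policy("lan-internet-2", INTERNAL, ANY, None, "accept"),
]

# The same two policies in the wrong order: the broad accept shadows the deny.
INT_TO_DMZ_WRONG = list(reversed(INT_TO_DMZ_CORRECT))

if __name__ == "__main__":
    print(evaluate(INT_TO_DMZ_CORRECT, "192.168.1.25", "203.0.113.10", SMTP))  # ('deny', 'mail-block-dmz')
    print(evaluate(INT_TO_DMZ_WRONG, "192.168.1.25", "203.0.113.10", SMTP))    # ('accept', 'lan-internet-2')
    print(shadowed(INT_TO_DMZ_WRONG))                                          # ['mail-block-dmz']
```

The `shadowed` audit is the check worth running after any reordering: a deny that has slipped below a broader accept is silently dead, and the mail server that was supposed to use one link only will happily use both.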

  • Page 57

    Transparent mode installation. This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see "NAT/Route mode installation" on pag[...]

  • Page 58

    Transparent mode installation, Changing to Transparent mode. Using the setup wizard: From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see "Connecting to the web-based manager" on page 30. Changing to Transparent mode: The[...]

  • Page 59

    Transparent mode installation, Changing to Transparent mode. Using the command line interface: As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see "Connecting to the command line interface (CLI)" on [...]

  • Page 60

    Transparent mode installation, Configure the Transparent mode default gateway. Connecting the FortiGate unit to your networks: When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. You can also connect a network to the DMZ interface. There are th[...]

  • Page 61

    Transparent mode installation, Setting the date and time. A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic. Completing the [...]

  • Page 62

    Transparent mode installation, Default routes and static routes. The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see "Updating antivirus and att[...]

  • Page 63

    Transparent mode installation, Example default route to an external network. Figure 10 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the Forti[...]

  • Page 64

    Transparent mode installation, Example static route to an external destination. 3 Configure the default route to the external network. Web-based manager example configuration steps: To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status. • Select Change to T[...]

  • Page 65

    Transparent mode installation, Example static route to an external destination. Figure 11: Static route to an external destination. General configuration steps: 1 Set the FortiGate unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 [...]

  • Page 66

    Transparent mode installation, Example static route to an external destination. Web-based manager example configuration steps: To configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mod[...]

  • Page 67

    Transparent mode installation, Example static route to an internal destination. Figure 12 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN[...]

  • Page 68

    Transparent mode installation, Example static route to an internal destination. Web-based manager example configuration steps: To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent [...]

  • Page 69

    FortiGate-100 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-100 Installation and Configuration Guide 69 System st atus Y ou can connect to the web-based manager and go to System > S tatus to view the current status of your FortiGate unit. The st atus information tha t is displayed includes the current firmware version, the cu[...]

  • Page 70

    70 Fortinet Inc. System status Changing the FortiGate host name The FortiGate host name ap pears on the System > S tatu s page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see “Configuring SNMP” on p age 134 ). The default h ost name is FortiGate-100. T o change the FortiGate host name: 1 Go to System [...]

  • Page 71

    System status Upgrade to a ne w firmware versi on FortiGate-100 Installation and Configuration Guide 71 Upgrade to a new firmware version Use the following procedure s to upgrade your FortiGate to a newer firmware version. Upgrading the firmware usi ng the web-based manager 1 Copy the firmware image file to your manage ment computer . 2 Login to th[...]

  • Page 72

    72 Fortinet Inc. Revert to a previous firmware version System status 5 Enter the following command to copy the fir mware image from the TFTP server to the FortiGate: execute restore image <name_str> <tftp_ip> Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFT[...]

  • Page 73

    System status Revert to a previous firmware version FortiGate-100 Installation and Configuration Guide 73 1 Copy the firmware image file to your manage ment computer . 2 Login to the FortiGate web- based manage r as the admin administrative user . 3 Go to System > St atus . 4 Select Firmware Upgrade . 5 Enter the path and filename of the previou[...]

  • Page 74

    74 Fortinet Inc. Revert to a previous firmware version System status T o use the followin g procedure you must have a TFTP server that you can conn ect to from the FortiGate unit. 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFT P server . 3 Login to th e FortiGate CLI as th e admin ad[...]

  • Page 75

    System status Install a firmware ima ge from a system reboot using the CLI FortiGate-100 Installation and Configuration Guide 75 12 T o confirm that the antivirus and att ack definitions have been updated, enter the following command to display the an tivirus engi ne, virus and attack definitions version, contract ex piry , and last updat e attempt[...]

  • Page 76

    76 Fortinet Inc. Install a firmwa re image from a system reboot using the CLI System status 6 Enter the following co mmand to restart the FortiGate unit: execute reboot As the FortiGate units st arts, a seri es of system startup messages are displaye d. When one of the following messages appears: • FortiGate unit running v2.x BIOS Press Any Key T[...]

  • Page 77

    System status Test a new fi rmware image before installing it FortiGate-100 Installation and Configuration Guide 77 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware image file to the FortiGate u nit and messages similar to the following appear . • FortiGate unit running v2.x BIOS Do You Want To Save T[...]

  • Page 78

    78 Fortinet Inc. Test a new firmware image befo re installing it System status T o test a new firmware image: 1 Connect to the CLI using a null modem cable and FortiGate console port. 2 Make sure the TFTP se rver is running. 3 Copy the new firmware image file to the root directory of the TFT P server . 4 Make sure that the inte rnal interface is co[...]

  • Page 79

    System status Installing and using a backup firmware image FortiGate-100 Installation and Configuration Guide 79 The following m essage appears: Enter File Name [image.out]: 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware image file to the FortiGate u nit and messages similar to the following appear . [...]

  • Page 80

    System status: Installing and using a backup firmware image. 4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168: execute ping 192.168.1.168 5 Enter the following command to [...]

  • Page 81

    System status: Installing and using a backup firmware image. Switching to the backup firmware image. Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed. When you switch the FortiGate unit to the backup firmware image, [...]

  • Page 82

    System status: Installing and using a backup firmware image. Switching back to the default firmware image. Use this procedure to switch your FortiGate unit to operating with the backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image, the configuration saved with t[...]

  • Page 83

    System status: Installing and using a backup firmware image. 5 Select OK to copy the antivirus definitions update file to the FortiGate unit. The FortiGate unit updates the antivirus definitions. This takes about 1 minute. 6 Go to System > Status to confirm that the Antivirus Definitions V[...]

  • Page 84

    System status: Installing and using a backup firmware image. 2 Select System Settings Backup. 3 Select Backup System Settings. 4 Type a name and location for the file. The system settings file is backed up to the management computer. 5 Select Return to go back to the Status page. Restoring system settings. You can restore syst[...]

  • Page 85

    System status: Installing and using a backup firmware image. Changing to Transparent mode. Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode its configuration resets to Transparent m[...]

  • Page 86

    System status: Viewing CPU and memory status. Shutting down the FortiGate unit. 1 Go to System > Status. 2 Select Shutdown. The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then on. System status. You can use the system status monit[...]

  • Page 87

    System status: Viewing sessions and network status. Figure 1: CPU and memory status monitor. CPU and memory intensive processes such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets will increase CPU and me[...]

  • Page 88

    System status: Viewing virus and intrusions status. 2 Select Sessions & Network. Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute. The line graph scale[...]

  • Page 89

    System status: Viewing virus and intrusions status. Figure 3: Sessions and network status monitor. 3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However[...]

  • Page 90

    System status: Viewing virus and intrusions status. Figure 4: Example session list. To IP: The destination IP address of the connection. To Port: The destination port of the connection. Expire: The time, in seconds, before the connection expires. Clear: Stop an active communication session.[...]

  • Page 91

    FortiGate-100 Installation and Configuration Guide Version 2.50 MR2. Virus and attack definitions updates and registration. You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine. Y [...]

  • Page 92

    Virus and attack definitions updates and registration: Connecting to the FortiResponse Distribution Network. The System > Update page of the web-based manager displays the following antivirus and attack definition update information: This section describes: • Connecting to the FortiResponse Distribution Network • Configuring sc[...]

  • Page 93

    Virus and attack definitions updates and registration: Configuring scheduled updates. To make sure the FortiGate unit can connect to the FDN: 1 Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area. 2 Go to System > Update. 3 Select Re[...]

  • Page 94

    Virus and attack definitions updates and registration: Configuring update logging. 4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever a scheduled update is run, the event is recorded in the FortiGate event log. Figure 1: Configuring automatic antivirus and att[...]

  • Page 95

    Virus and attack definitions updates and registration: Adding an override server. If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP add[...]

  • Page 96

    Virus and attack definitions updates and registration: Push updates through a NAT device. To enable push updates: 1 Go to System > Update. 2 Select Allow Push Update. 3 Select Apply. About push updates. When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next ti[...]

  • Page 97

    Virus and attack definitions updates and registration: Push updates through a NAT device. Example: push updates through a NAT device. This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGa[...]

  • Page 98

    Virus and attack definitions updates and registration: Push updates through a NAT device. General procedure. Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates: 1 Add a port forwarding virtual IP[...]

  • Page 99

    Virus and attack definitions updates and registration: Push updates through a NAT device. Figure 3: Push update port forwarding virtual IP. Adding a firewall policy for the port forwarding virtual IP. To configure the FortiGate NAT device: 1 Add a new external to internal firewall policy. 2 Confi[...]

  • Page 100

    Virus and attack definitions updates and registration: Scheduled updates through a proxy server. 5 Set Port to the External Service Port added to the virtual IP. For the example topology, enter 45001. 6 Select Apply. The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP add[...]

  • Page 101

    Virus and attack definitions updates and registration: FortiCare Service Contracts. There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Push updates are not supported if the FortiGate must connect to the Internet through a prox[...]

  • Page 102

    Virus and attack definitions updates and registration: Registering the FortiGate unit. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Suppo[...]

  • Page 103

    Virus and attack definitions updates and registration: Registering the FortiGate unit. Figure 5: Registering a FortiGate unit (contact information and security question). 3 Provide a security question and an answer to the security question. 4 Select the model number of the Product Model to reg[...]

  • Page 104

    Virus and attack definitions updates and registration: Recovering a lost Fortinet support password. Updating registration information. You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes: • [...]

  • Page 105

    Virus and attack definitions updates and registration: Registering a new FortiGate unit. Figure 7: Sample list of registered FortiGate units. Registering a new FortiGate unit. 1 Go to System > Update > Support and select Support Login. 2 Enter your Fortinet support user name and passwo[...]

  • Page 106

    Virus and attack definitions updates and registration: Changing your Fortinet support password. 7 Select Finish. The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information. Changing your Fortinet support password. 1 Go to System > Update > Support and se[...]

  • Page 107

    Virus and attack definitions updates and registration: Downloading virus and attack definitions updates. Figure 8: Downloading virus and attack definition updates. For information about how to install the downloaded files, see “Manual virus definition updates” on page 82 and “Manual att[...]

  • Page 108

    Virus and attack definitions updates and registration: Downloading virus and attack definitions updates.[...]

  • Page 109

    Network configuration. Go to System > Network to make any of the following changes to the FortiGate network settings: • Configuring interfaces • Adding DNS server IP addresses • Configuring routing • Providing DHC[...]

  • Page 110

    Network configuration: Viewing the interface list. Use the following procedure to view the interface list. 1 Go to System > Interface. The interface list is displayed. The interface list shows the following status information for all of the FortiGate interfaces: • The IP address of the interfac[...]

  • Page 111

    Network configuration: Adding a ping server to an interface. You can also configure management access and add a ping server to the secondary IP address. set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet set system interface <intf_str> config secgw[...]

  • Page 112

    Network configuration: Configuring traffic logging for connections to an interface. 1 Go to System > Network > Interface. 2 Select Modify for the interface for which to configure logging. 3 Select Log to record log messages whenever a firewall policy accepts a c[...]

  • Page 113

    Network configuration: Configuring the external interface for PPPoE. 4 Select Connect to DHCP server to automatically connect to a DHCP server. If you do not select Connect to DHCP server, the FortiGate unit will not connect to a DHCP server. You can deselect this option if you are config[...]

  • Page 114

    Network configuration: Configuring the management interface (Transparent mode). To change the MTU size of the packets leaving the external interface: 1 Go to System > Network > Interface. 2 For the external interface, select Modify. 3 Select Fragment outgoing packets greater than MTU. 4 Set the MTU size. Set the m[...]

  • Page 115

    Network configuration: Configuring the management interface (Transparent mode). Figure 2: Configuring the management interface. Adding DNS server IP addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS. To set the DNS server addresses: 1 Go to Sy[...]

  • Page 116

    Network configuration: Adding a default route. Use the following procedure to add a default route for network traffic leaving the external interface. 1 Go to System > Network > Routing Table. 2 Select New to add a new route. 3 Set the Source IP and Netmask to 0.0.0.0. 4 Set the Destination IP and [...]

  • Page 117

    Network configuration: Adding routes in Transparent mode. 6 Set Device #1 to the FortiGate interface through which to route traffic to connect to Gateway #1. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to tha[...]

  • Page 118

    Network configuration: Configuring the routing table. The routing table shows the destination IP address and mask of each route you add as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the Forti[...]

  • Page 119

    Network configuration: Policy routing. The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy rout[...]

  • Page 120

    Network configuration: Policy routing. Figure 4: Sample DHCP settings. Viewing the dynamic IP list. If you have configured the FortiGate unit as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses. The FortiGate uni[...]

  • Page 121

    RIP configuration. The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP me[...]

  • Page 122

    RIP configuration. This chapter describes how to configure FortiGate RIP: • RIP settings • Configuring RIP for FortiGate interfaces • Adding RIP neighbors • Adding RIP filters. RIP settings. Configure RIP settings to enable basic RIP functionality and metrics and to configure RIP timers. 1 Go to System > RIP > Setting[...]

  • Page 123

    RIP configuration. 7 Select Apply to save your changes. Figure 1: Configuring RIP settings. Update: The time interval in seconds between sending routing table updates. The default is 30 seconds. Invalid: The time interval in seconds after which a route is declared invalid. Invalid should be at l[...]

  • Page 124

    RIP configuration: Configuring RIP for FortiGate interfaces. You can create a unique RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. For example: • If you have a complex internal network containing devices that use the RIP2 protocol, you[...]

  • Page 125

    RIP configuration. 4 Select OK to save the RIP configuration for the selected interface. Figure 2: Example RIP configuration for an internal interface. Adding RIP neighbors. Add RIP neighbors to define a neighboring router with which to exchange routing information. Add neighbors on non-broadc[...]

  • Page 126

    RIP configuration: Adding a single RIP filter. 3 Add the IP address of a neighbor router that you want the FortiGate unit to exchange routing information with. 4 Select Enable Send RIP1 to send RIP1 messages to the neighbor. 5 Select Enable Send RIP2 to send RIP2 messages to the neighbor. 6 Select OK to add the RIP neigh[...]

  • Page 127

    RIP configuration: Adding a RIP filter list. 4 Select OK to save the RIP filter. Adding a RIP filter list. Add a RIP filter list to filter multiple routes. A RIP filter list consists of a RIP filter name and a series of route prefixes. You can add a total of four RIP filters or RIP Filter lis[...]

  • Page 128

    RIP configuration: Adding a neighbors filter. You can select a single RIP filter or a RIP filter list to be the neighbors filter. 1 Go to System > RIP > Filter. 2 Add RIP filters and RIP filter lists as required. 3 For Neighbors Filter, select the name of the RIP filter or RIP filter list to b[...]

  • Page 129

    System configuration. Go to System > Config to make any of the following changes to the FortiGate system configuration: • Setting system date and time • Changing web-based manager options • Adding and editing admini[...]

  • Page 130

    System configuration. 8 Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. 9 Select Apply. Figure 1: Example date and time setting. Changing web-based manager options. On the System > Con[...]

  • Page 131

    System configuration. To set the Auth timeout: 1 For Auth Timeout, type a number in minutes. 2 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on [...]

  • Page 132

    System configuration: Adding new administrator accounts. Adding and editing administrator accounts. When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control th[...]

  • Page 133

    System configuration: Editing administrator accounts. The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission leve[...]

  • Page 134

    System configuration: Configuring the FortiGate unit for SNMP monitoring. Configuring SNMP. Configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. The FortiGate SNMP agent supports SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665. The FortiGate SNMP implementation is read-onl[...]

  • Page 135

    System configuration: FortiGate MIBs. 4 Select Apply. Figure 2: Sample SNMP configuration. FortiGate MIBs. The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 1. You can obtain these MIB files[...]

  • Page 136

    System configuration: FortiGate traps. The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager. The Forti[...]

  • Page 137

    System configuration: Customizing replacement messages. This section describes: • Customizing replacement messages • Customizing alert emails. Figure 3: Sample replacement message. Customizing replacement messages. Each of the replacement messages in the replacement message list is created b[...]

  • Page 138

    System configuration: Customizing alert emails. Customize alert emails to control the content displayed in alert email messages sent to system administrators. 1 Go to System > Config > Replacement Messages. 2 For the alert email message you want to customize, select Modify. 3 In the Message setup [...]

  • Page 139

    System configuration: Customizing alert emails. %%EMAIL_FROM%%: The email address of the sender of the message in which the virus was found. %%EMAIL_TO%%: The email address of the intended receiver of the message in which the virus was found. Block alert: Used for file block alert email messages. Se[...]

  • Page 140

    System configuration: Customizing alert emails.[...]

  • Page 141

    Firewall configuration. Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firew[...]

  • Page 142

    Firewall configuration: Addresses. Default firewall configuration. By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal net[...]

  • Page 143

    Firewall configuration: Services. Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number. The firewall is configured with over 40 predefined services. Y[...]

  • Page 144

    Firewall configuration: Content profiles. Adding firewall policies. Add firewall policies to control connections and traffic between FortiGate interfaces. 1 Go to Firewall > Policy. 2 Select the policy list to which you want to add the policy. 3 Select New to add a new policy. You can also select Insert Policy before on a [...]

  • Page 145

    Firewall configuration: Firewall policy options. This section describes the options that you can add to firewall policies. Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must [...]

  • Page 146

    Firewall configuration: Firewall policy options. VPN Tunnel: Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode. Traffic Shaping: Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the[...]

  • Page 147

    Firewall configuration: Firewall policy options. Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To a[...]

  • Page 148

    Firewall configuration: Firewall policy options. Figure 6: Adding a Transparent mode policy. Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 249. Comments: Optionally add a description o[...]

  • Page 149

    Firewall configuration: Policy matching in detail. Configuring policy lists. The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more [...]

  • Page 150

    Firewall configuration: Enabling and disabling policies. 4 Type a number in the Move to field to specify where in the policy list to move the policy and select OK. Enabling and disabling policies. You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches e[...]

  • Page 151

    Firewall configuration: Adding addresses. This section describes: • Adding addresses • Editing addresses • Deleting addresses • Organizing addresses into address groups. Adding addresses. 1 Go to Firewall > Address. 2 Select the interface to which to add the address. 3 Select New to a[...]

  • Page 152

    Firewall configuration: Editing addresses. Figure 7: Adding an internal address. Editing addresses. Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name. 1 Go to Firewall > Address [...]

  • Page 153

    Firewall configuration: Predefined services. 2 Select the interface to which to add the address group. 3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characte[...]

  • Page 154

    Firewall configuration: Predefined services. Table 5: FortiGate predefined services (Service name, Description, Protocol, Port). ANY: Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. Protocol all, port all. GRE: Generic Routing Encapsulation. A protocol that allows an arbitrary network [...]

  • Page 155

    Firewall configuration: Predefined services. IRC: Internet Relay Chat allows people connected to the Internet to join live discussions. tcp 6660-6669. L2TP: L2TP is a PPP-based tunnel protocol for remote access. tcp 1701. LDAP: Lightweight Directory Access Protocol is a set of protocols used to acc[...]

  • Page 156

    Firewall configuration: Providing access to custom services. Add a custom service if you need to create a policy for a service that is not in the predefined service list. 1 Go to Firewall > Service > Custom. 2 Select New. 3 Enter a Name for the service. This name appears in the service li[...]

  • Page 157

    Firewall configuration: Grouping services. 2 Select New. 3 Enter a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z)[...]

  • Page 158

    Firewall configuration: Creating one-time schedules. You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You c[...]

  • Page 159

    Firewall configuration: Adding a schedule to a policy. 3 Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 Select the days of the week on wh[...]

  • Page 160

    Firewall configuration: Adding static NAT virtual IPs. For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list a[...]

  • Page 161

    Firewall configuration: Adding port forwarding virtual IPs. 6 In the External IP Address field, enter the external IP address to be mapped to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the e[...]

  • Page 162

    Firewall configuration: Adding port forwarding virtual IPs. 4 Select the virtual IP External Interface. The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network. 5 Change Type to Port Forwarding. 6 In the External IP Address field, enter the ext[...]

  • Page 163

    Firewall configuration: Adding policies with virtual IPs. Figure 13: Adding a port forwarding virtual IP. Adding policies with virtual IPs. Use the following procedure to add a policy that uses a virtual IP to forward packets. 1 Go to Firewall > Policy. 2 Select the type of policy to [...]

  • Page 164

    Firewall configuration: Adding an IP pool. 4 Select OK to save the policy. IP pools. An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface. You c[...]

  • Page 165

    Firewall configuration: IP Pools for firewall policies that use fixed ports. 5 Select OK to save the IP pool. Figure 14: Adding an IP Pool. IP Pools for firewall policies that use fixed ports. Some network configurations will not operate correctly if a NAT policy translates the source port of pa[...]

  • Page 166

    Firewall configuration: Configuring IP/MAC binding for packets going through the firewall. IP/MAC binding. IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. Th[...]

  • Page 167

    Firewall configuration: Configuring IP/MAC binding for packets going to the firewall. For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list: • A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be [...]

  • Page 168

    3 Enter the IP address and the MAC address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets [...]
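
    The following is an added example, not FortiGate code, that applies the binding rules from these two pages to a packet's source IP and MAC. It uses the page's 1.1.1.1 example pair with the MAC written as six octets. Two things the page does not settle are treated as assumptions: a MAC bound to 0.0.0.0 is accepted with any source IP, and a packet that matches no entry is handled by a configurable default action.

```python
"""IP/MAC binding check for packets going through or to the firewall.

Added example, not FortiGate code. It follows the rules on this page:
a packet whose IP and MAC both match a binding passes; an IP bound to one
MAC is not accepted from any other MAC; several IPs may share one MAC, but
one IP may not be bound to several MACs; the special IP 0.0.0.0 may be
bound to several MACs. Assumptions: a MAC bound to 0.0.0.0 is accepted with
any source IP, and packets matching no entry get a configurable default.
"""
import ipaddress
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def _norm_mac(mac: str) -> str:
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


class IpMacBindingList:
    def __init__(self, unlisted_action: str = "block"):
        if unlisted_action not in ("allow", "block"):
            raise ValueError("unlisted_action must be 'allow' or 'block'")
        self.unlisted_action = unlisted_action  # assumption: action for non-listed packets
        self._ip_to_mac = {}       # one MAC per bound IP
        self._any_ip_macs = set()  # MACs bound to 0.0.0.0

    def add(self, ip: str, mac: str) -> None:
        """Add a binding, enforcing the one-MAC-per-IP rule (0.0.0.0 excepted)."""
        ip = str(ipaddress.IPv4Address(ip))
        mac = _norm_mac(mac)
        if ip == "0.0.0.0":
            self._any_ip_macs.add(mac)
            return
        bound = self._ip_to_mac.get(ip)
        if bound is not None and bound != mac:
            raise ValueError(f"{ip} is already bound to {bound}; one IP may not have two MACs")
        self._ip_to_mac[ip] = mac

    def check(self, src_ip: str, src_mac: str) -> str:
        """Return 'allow' or 'block' for a packet with the given source IP and MAC."""
        src_ip = str(ipaddress.IPv4Address(src_ip))
        src_mac = _norm_mac(src_mac)
        bound = self._ip_to_mac.get(src_ip)
        if bound is not None:
            # The IP is in the list: only its bound MAC may use it.
            return "allow" if bound == src_mac else "block"
        if src_mac in self._any_ip_macs:
            return "allow"  # assumption: a 0.0.0.0 binding accepts the MAC with any IP
        if src_mac in self._ip_to_mac.values():
            # The MAC is bound to a different IP: treat the packet as spoofed.
            return "block"
        return self.unlisted_action


def demo() -> dict:
    """Constructed sample: the page's 1.1.1.1 binding plus a 0.0.0.0 entry."""
    bindings = IpMacBindingList(unlisted_action="block")
    bindings.add("1.1.1.1", "12:34:56:78:90:ab")
    bindings.add("1.1.1.2", "12:34:56:78:90:ab")     # second IP on the same MAC: allowed
    bindings.add("0.0.0.0", "00:11:22:33:44:55")
    try:
        bindings.add("1.1.1.1", "ff:ff:ff:ff:ff:ff")  # second MAC on one IP: rejected
        dup_rejected = False
    except ValueError:
        dup_rejected = True
    return {
        "matching_pair": bindings.check("1.1.1.1", "12:34:56:78:90:ab"),
        "ip_with_wrong_mac": bindings.check("1.1.1.1", "ff:ff:ff:ff:ff:ff"),
        "mac_with_wrong_ip": bindings.check("9.9.9.9", "12:34:56:78:90:ab"),
        "wildcard_mac_any_ip": bindings.check("10.0.0.7", "00:11:22:33:44:55"),
        "unlisted": bindings.check("10.0.0.8", "aa:bb:cc:dd:ee:ff"),
        "duplicate_ip_rejected": dup_rejected,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```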

  • Page 169

    Figure 15: IP/MAC settings. Content profiles: Use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles to: • Configure antivirus protection for HTTP, FTP[...]

  • Page 170

    Default content profiles: The FortiGate unit has the following four default content profiles under Firewall > Content Profile. You can use these existing content profiles or create your own. Adding a content profile: If the default content profiles do not provide the protecti[...]

  • Page 171

    7 Enable the fragmented email and oversized file and email options. 8 Select OK. Figure 16: Example content profile. Adding a content profile to a policy: You can add content profiles to policies with action set to allow or encrypt an[...]

  • Page 172

    3 Select New to add a new policy, or choose a policy and select Edit. 4 Select Anti-Virus & Web filter. 5 Select a content profile. 6 Configure the remaining policy settings if required. 7 Select OK. 8 Repeat this procedure for any policies for which to enable n[...]

  • Page 173

    FortiGate-100 Installation and Configuration Guide, Version 2.50 MR2. Users and authentication: FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a[...]

  • Page 174

    This chapter describes: • Setting authentication timeout • Adding user names and configuring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user groups. Setting authentication timeout: To set authentication[...]

  • Page 175

    5 Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. 6 Sel[...]

  • Page 176

    Configuring RADIUS support: If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers. Adding RA[...]

  • Page 177

    Configuring LDAP support: If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a[...]

  • Page 178

    7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following [...]

  • Page 179

    Configuring user groups: To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure [...]

  • Page 180

    Figure 20: Adding a user group. 3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 To add users to the user grou[...]

  • Page 181

    IPSec VPN: A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different citie[...]

  • Page 182

    Key management: There are three basic elements in any encryption system: • an algorithm which changes information into code, • a cryptographic key which serves as a secret starting point for the algorithm, • a management system to control the key. IPSec provides two ways to handle key exchange and m[...]

  • Page 183

    Manual key IPSec VPNs: When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI)[...]

  • Page 184

    5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFFF. This number must be entered as the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway. This is the ex[...]
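
    Because manual-key tunnels fail silently when the two ends are not entered as mirror images, the following added example (not FortiGate code) checks one end's SPIs against the rule on this page and then checks that two ends are complementary: each end's Remote SPI equals the other's Local SPI, and algorithms and keys agree. The field names, the sample SPIs and the placeholder key strings are constructed for the example, not real key material.

```python
"""Checks for a manual key IPSec tunnel definition at both ends.

Added example, not FortiGate code. Encodes the rule on this page for the
SPI (hexadecimal, up to eight digits 0-9/a-f, not below bb8) and the
complementarity rule: the Remote SPI entered at one end must be the
Local SPI at the other, and the algorithms and keys must match. The field
names and the sample tunnel values are constructed for the example.
"""
import re
from dataclasses import dataclass

_HEX = re.compile(r"^[0-9a-fA-F]{1,8}$")
SPI_MIN = 0xBB8  # lower bound printed on this page


def check_spi(spi: str) -> list:
    """Return the problems with one SPI string (empty list if it is acceptable)."""
    problems = []
    if not _HEX.match(spi):
        problems.append(f"SPI {spi!r} must be 1 to 8 hexadecimal digits")
        return problems
    if int(spi, 16) < SPI_MIN:
        problems.append(f"SPI {spi!r} is below the minimum bb8")
    return problems


@dataclass
class ManualKeyEnd:
    """The manual-key parameters entered on one FortiGate unit (constructed field set)."""
    name: str
    local_spi: str
    remote_spi: str
    remote_gateway: str
    encryption_algorithm: str
    encryption_key: str
    authentication_algorithm: str
    authentication_key: str


def check_tunnel_pair(a: ManualKeyEnd, b: ManualKeyEnd) -> list:
    """Return every mismatch between the two ends; an empty list means they are complementary."""
    problems = []
    for end in (a, b):
        for label, spi in (("local", end.local_spi), ("remote", end.remote_spi)):
            problems += [f"{end.name} {label}: {p}" for p in check_spi(spi)]
    # SPIs must cross: A's remote is B's local and vice versa (hex is case-insensitive).
    if a.remote_spi.lower() != b.local_spi.lower():
        problems.append(f"{a.name} remote SPI {a.remote_spi} != {b.name} local SPI {b.local_spi}")
    if b.remote_spi.lower() != a.local_spi.lower():
        problems.append(f"{b.name} remote SPI {b.remote_spi} != {a.name} local SPI {a.local_spi}")
    # Algorithms and keys must be identical at both ends.
    for field_name in ("encryption_algorithm", "encryption_key",
                       "authentication_algorithm", "authentication_key"):
        if getattr(a, field_name) != getattr(b, field_name):
            problems.append(f"{field_name} differs between {a.name} and {b.name}")
    return problems


def demo() -> dict:
    """Constructed sample: a good pair, a pair with transposed SPIs, and an SPI below bb8."""
    common = dict(encryption_algorithm="3DES", encryption_key="0" * 48,
                  authentication_algorithm="SHA1", authentication_key="1" * 40)
    site_a = ManualKeyEnd("site_a", "1000", "2000", "203.0.113.2", **common)
    site_b = ManualKeyEnd("site_b", "2000", "1000", "203.0.113.1", **common)
    bad_b = ManualKeyEnd("site_b", "1000", "2000", "203.0.113.1", **common)
    short = ManualKeyEnd("site_b", "2000", "0ff", "203.0.113.1", **common)
    return {
        "good": check_tunnel_pair(site_a, site_b),
        "transposed": check_tunnel_pair(site_a, bad_b),
        "below_minimum": check_tunnel_pair(site_a, short),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "ok")
```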

  • Page 185

    AutoIKE IPSec VPNs: The FortiGate unit supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. • General config[...]

  • Page 186

    3 Enter a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _[...]

  • Page 187

    10 Optionally, enter the Local ID of the FortiGate unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the[...]

  • Page 188

    4 Optionally, configure NAT Traversal. 5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by[...]

  • Page 189

    Figure 21: Adding a phase 1 configuration. Adding a phase 2 configuration for an AutoIKE VPN: Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate [...]

  • Page 190

    4 Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see “Adding a phase 1 configu[...]

  • Page 191

    Figure 22: Adding a phase 2 configuration. Managing digital certificates: Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between th[...]

  • Page 192

    Generating the certificate request: With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request. To generate the certificate request: 1 Go to VPN > Local Certificates. 2 Select Generate. 3 Enter a Certificat[...]

  • Page 193

    Figure 23: Adding a Local Certificate. Downloading the certificate request: With this procedure, you download the certificate request from the FortiGate unit to the management computer. To download the certificate request: 1 Go to VPN > Lo[...]

  • Page 194

    4 Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encoded PKCS#10 certificate request to the CA web server, • paste the certificate request to the CA web server, • submit the certificate request to the CA web server. The cert[...]

  • Page 195

    3 Enter the path or browse to locate the signed local certificate on the management computer. 4 Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK. Obtaining a CA certificate: For the VPN peers to a[...]

  • Page 196

    Configuring encrypt policies: A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN. A VPN requires only one encrypt policy to control both inbound and outb[...]

  • Page 197

    Adding a source address: The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network. 1 Go to Firewall > Address. 2 Select an internal interface. (Methods will differ sl[...]

  • Page 198

    Refer to the FortiGate Installation and Configuration Guide to configure the remaining policy settings. 9 Select OK to save the encrypt policy. To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destin[...]

  • Page 199

    IPSec VPN concentrators: In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, mana[...]

  • Page 200

    To create a VPN concentrator configuration: 1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel. • A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end [...]

  • Page 201

    Adding a VPN concentrator: To add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator. 2 Select New to add a VPN concentrator. 3 Enter the name of the new concentrator in the Concentrator Name field. 4 To add tunnels to the VPN co[...]

  • Page 202

    VPN spoke general configuration steps: A remote VPN peer that is functioning as a spoke requires the following configuration: • A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub. • The source address of the local VPN spoke. • [...]

  • Page 203

    See “Adding an encrypt policy” on page 197. 6 Arrange the policies in the following order: • outbound encrypt policies • inbound encrypt policy • default non-encrypt policy (Internal_All -> External_All). Redundant IPSec VPNs: To ensur[...]

  • Page 204

    Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zo[...]

  • Page 205

    Monitoring and troubleshooting VPNs: This section provides a number of general maintenance and monitoring procedures for VPNs. This section describes: • Viewing VPN tunnel status • Viewing dialup VPN connection status • Testing a VPN. Viewing VPN [...]

  • Page 206

    To view dialup connection status: 1 Go to VPN > IPSec > Dialup. The Lifetime column displays how long the connection has been up. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife[...]

  • Page 207

    PPTP and L2TP VPN: You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are Windows standards, [...]

  • Page 208

    Figure 29: PPTP VPN between a Windows client and the FortiGate unit. Configuring the FortiGate unit as a PPTP gateway: Use the following procedures to configure the FortiGate unit as a PPTP gateway. Adding users and user groups: To add a user for each PPTP c[...]

  • Page 209

    Figure 30: Example PPTP Range configuration. Adding a source address: Add a source address for every address in the PPTP address range. 1 Go to Firewall > Address. 2 Select the interface to which PPTP clients connect. 3 [...]

  • Page 210

    Adding a destination address: Add an address to which PPTP users can connect. 1 Go to Firewall > Address. 2 Select the internal interface or the DMZ interface. (Methods will differ slightly between FortiGate models.) 3 Select New to add an address. 4 Enter the Add[...]

  • Page 211

    8 Insert diskettes or CDs as required. 9 Restart the computer. Configuring a PPTP dialup connection: 1 Go to My Computer > Dial-Up Networking > Configuration. 2 Double-click Make New Connection. 3 Name the connection and se[...]

  • Page 212

    9 Uncheck Require data encryption. 10 Select OK. Connecting to the PPTP VPN: 1 Start the dialup connection that you configured in the previous procedure. 2 Enter your PPTP VPN User Name and Password. 3 Select Connect. 4 In the connect window, enter the User Name and [...]

  • Page 213

    9 Select the Networking tab. 10 Make sure that the following options are selected: • TCP/IP • QoS Packet Scheduler. 11 Make sure that the following options are not selected: • File and Printer Sharing for Microsoft Netw[...]

  • Page 214

    Figure 31: L2TP VPN between a Windows client and the FortiGate unit. Configuring the FortiGate unit as an L2TP gateway: Use the following procedures to configure the FortiGate unit as an L2TP gateway. Adding users and user groups: To add a user for each L2TP c[...]

  • Page 215

    Figure 32: Sample L2TP address range configuration. 6 Add the addresses from the L2TP address range to the external interface address list. The addresses can be grouped into an external address group. 7 Add addresses to th[...]

  • Page 216

    3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 To add addresses to the address grou[...]

  • Page 217

    Configuring a Windows 2000 client for L2TP: Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN. Configuring an L2TP dialup connection: 1 Go to Start > [...]

  • Page 218

    8 Add the following registry value to this key: Value Name: ProhibitIpSec, Data Type: REG_DWORD, Value: 1. 9 Save your changes and restart the computer for the changes to take effect. You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint comp[...]

  • Page 219

    5 Select Advanced to configure advanced settings. 6 Select Settings. 7 Select Challenge Handshake Authentication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab. 10 Make sure tha[...]

  • Page 220

    Connecting to the L2TP VPN: 1 Connect to your ISP. 2 Start the VPN connection that you configured in the previous procedure. 3 Enter your L2TP VPN User Name and Password. 4 Select Connect. 5 In the connect window, enter the User Name and Password that you use to conn[...]

  • Page 221

    Network Intrusion Detection System (NIDS): The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network tra[...]

  • Page 222

    Selecting the interfaces to monitor: 1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks. You can select one or more interfaces. 3 Select Apply. Disabling the NIDS: 1 Go to NIDS > Detection > General[...]

  • Page 223

    Viewing the signature list: To display the current list of NIDS signature groups and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List. 2 View the names and action status of the signa[...]

  • Page 224

    Enabling and disabling NIDS attack signatures: By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system pe[...]

  • Page 225

    Figure 35: Example user-defined signature list. Downloading the user-defined signature list: You can back up the user-defined signature list by downloading it to a text file on the management computer. 1 Go to NIDS > [...]

  • Page 226

    Enabling NIDS attack prevention signatures: The NIDS Prevention module contains signatures that are designed to protect your network against attacks. Some signatures are enabled by default; others must be enabled. For a complete list of NIDS Pr[...]

  • Page 227

    For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate un[...]

  • Page 228

    Configuring synflood signature values: For synflood signatures, you can set the threshold, queue size, and keep alive values. 1 Go to NIDS > Prevention. 2 Select Modify for the synflood signature. 3 Type the Threshold value. 4 Type the Queue [...]
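
    The per-source counting rule behind the icmpflood example on the previous page (500 requests pass, the 501st trips the signature) is easy to get wrong when the count is kept globally rather than per source address. The following added example, not FortiGate code, applies that rule to ICMP echo requests and, with its own threshold, to TCP SYNs. The page gives no time window for the count, so the one-second window here is an assumption, and the packet stream is constructed.

```python
"""Per-source flood detection with a threshold, as in the icmpflood signature.

Added example, not FortiGate code. The page states that an icmpflood
threshold of 500 lets 500 echo requests from one source address through
and that the 501st triggers the signature; this block applies the same
per-source counting rule to ICMP echo requests and, with a separate
threshold, to TCP SYNs (synflood). The time window over which requests
are counted is not given on the page, so the window length here is an
assumption, and the sample packet stream is constructed.
"""
from collections import defaultdict, deque


class FloodDetector:
    def __init__(self, threshold: int, window_seconds: float = 1.0):
        self.threshold = threshold          # requests allowed per source per window
        self.window = window_seconds        # assumption: counting window length
        self._times = defaultdict(deque)    # src -> timestamps of recent requests
        self.alerts = []                    # (src, timestamp) each time the threshold is exceeded

    def observe(self, src: str, ts: float) -> bool:
        """Record one request from src at time ts; return True if it exceeds the threshold."""
        q = self._times[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                     # drop requests older than the window
        if len(q) > self.threshold:
            self.alerts.append((src, ts))
            return True
        return False


def is_echo_request(pkt: dict) -> bool:
    return pkt["proto"] == "icmp" and pkt.get("type") == 8


def is_syn(pkt: dict) -> bool:
    return pkt["proto"] == "tcp" and pkt.get("flags") == "S"


def run(packets, icmp_threshold: int = 500, syn_threshold: int = 100) -> dict:
    """Feed packets through both signatures; return alert counts per signature and source."""
    icmpflood = FloodDetector(icmp_threshold)
    synflood = FloodDetector(syn_threshold)
    for pkt in packets:
        if is_echo_request(pkt):
            icmpflood.observe(pkt["src"], pkt["ts"])
        elif is_syn(pkt):
            synflood.observe(pkt["src"], pkt["ts"])
    summary = {"icmpflood": defaultdict(int), "synflood": defaultdict(int)}
    for src, _ in icmpflood.alerts:
        summary["icmpflood"][src] += 1
    for src, _ in synflood.alerts:
        summary["synflood"][src] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def sample_packets() -> list:
    """Constructed stream: one flooding host, one busy but legitimate host, one SYN flood."""
    pkts = []
    # 10.0.0.5 sends 501 echo requests in half a second: the 501st exceeds the threshold.
    for i in range(501):
        pkts.append({"src": "10.0.0.5", "proto": "icmp", "type": 8, "ts": i * 0.001})
    # 10.0.0.6 sends 500 requests spread over ten seconds: never above 500 in any window.
    for i in range(500):
        pkts.append({"src": "10.0.0.6", "proto": "icmp", "type": 8, "ts": i * 0.02})
    # 10.0.0.7 sends 150 SYNs in 150 ms against a synflood threshold of 100.
    for i in range(150):
        pkts.append({"src": "10.0.0.7", "proto": "tcp", "flags": "S", "ts": i * 0.001})
    return pkts


if __name__ == "__main__":
    print(run(sample_packets()))
```

    The second host never trips the signature even though it sends the same total number of requests as the first, which is the difference between a threshold and a simple total.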

  • Page 229

    Reducing the number of NIDS attack log and email messages: Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, [...]

  • Page 231

    Antivirus protection: Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Conten[...]

  • Page 232

    Antivirus scanning: Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which antivirus protection has been enabled. Each file is tested to determine the file type and to determine the most e[...]

  • Page 233

    File blocking: Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus that is so new that[...]

  • Page 234

    Blocking oversized files and emails: You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivir[...]

  • Page 235

    Web filtering: Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content[...]

  • Page 236

    4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 136. 5 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. Se[...]

  • Page 237

    Figure 38: Example banned word list. URL blocking: You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter. • Using the FortiGate web filter • Using the Cerberian web filter. Using the FortiGate [...]

  • Page 238

    3 Type the URL/Pattern to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. Type a top-level URL followed by the path and filename to block access to a s[...]

  • Page 239

    Downloading the URL block list: You can back up the URL block list by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Block. 2 Select Download URL Block List. The FortiGate unit downloads the list to a text f[...]

  • Page 240

    Using the Cerberian web filter: The FortiGate unit supports Cerberian web filtering. For information about the Cerberian web filter, see www.cerberian.com. If you have purchased the Cerberian web filtering functionality with your FortiGate unit, use the following configuration proced[...]

  • Page 241

    4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0. 5[...]

  • Page 242

    5 Create a new or select an existing content profile and enable Web URL Block. 6 Go to Firewall > Policy. 7 Create a new or select an existing policy that will use the content profile. 8 Select Anti-Virus & Web filter. 9 Select the content profile from the Content Profile lis[...]

  • Page 243

    Exempt URL list: Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a [...]
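
    The three lists described on these pages (the URL block list from page 238, the banned word list, and the exempt URL list above) interact, and the order in which they are consulted decides whether a reputable site that happens to carry a banned word is reachable. The following added example, not FortiGate code, applies the matching rules stated on the pages: a host-only or IP-only block entry covers every page on that site, an entry with a path and file name covers that one page, and an exempt entry overrides both URL and banned-word blocking. Matching an exempt entry the same way as a block entry, and comparing host names case-insensitively, are assumptions; the lists and sample requests are constructed.

```python
"""Web filter decision: URL block list, banned words, exempt URL list.

Added example, not FortiGate code. Implements the matching rules stated on
these pages: a block-list entry that is just a host name or IP address
blocks every page on that site; an entry with a path and file name blocks
that one page; an exempt-list entry overrides both URL blocking and
banned-word content blocking for the URLs it covers. Matching exempt
entries the same way as block entries and comparing host names
case-insensitively are assumptions; the lists and requests are constructed.
"""
from urllib.parse import urlsplit


def _split(url: str):
    """Return (host, path) for a URL given with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def _url_entry_matches(entry: str, host: str, path: str) -> bool:
    e_host, e_path = _split(entry)
    if e_host != host:
        return False
    if e_path == "/":
        return True            # site-wide entry: every page on the host
    return path == e_path      # page entry: that exact path and file name


class WebFilter:
    def __init__(self, url_block, banned_words, exempt_urls):
        self.url_block = list(url_block)
        self.banned_words = [w.lower() for w in banned_words]
        self.exempt_urls = list(exempt_urls)

    def decide(self, url: str, body: str = "") -> tuple:
        """Return ('allow' | 'block', reason) for a request URL and, optionally, the fetched body."""
        host, path = _split(url)
        for entry in self.exempt_urls:
            if _url_entry_matches(entry, host, path):
                return "allow", f"exempt: {entry}"
        for entry in self.url_block:
            if _url_entry_matches(entry, host, path):
                return "block", f"url block: {entry}"
        lowered = body.lower()
        for word in self.banned_words:
            if word in lowered:
                return "block", f"banned word: {word}"
        return "allow", "no match"


def demo() -> dict:
    """Constructed lists: the page's www.badsite.com and 122.133.144.155 entries plus one page entry."""
    wf = WebFilter(
        url_block=["www.badsite.com", "122.133.144.155", "www.example.org/private/report.html"],
        banned_words=["sample-banned-word"],
        exempt_urls=["www.reputable.example"],
    )
    return {
        "site_wide": wf.decide("http://www.badsite.com/news/today.html")[0],
        "ip_entry": wf.decide("http://122.133.144.155/index.html")[0],
        "one_page": wf.decide("http://www.example.org/private/report.html")[0],
        "sibling_page": wf.decide("http://www.example.org/private/other.html")[0],
        "banned_word": wf.decide("http://www.other.example/", "text with SAMPLE-BANNED-WORD")[0],
        "exempt_overrides": wf.decide("http://www.reputable.example/article", "sample-banned-word")[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

    Consulting the exempt list first is what makes the reputable site's article reachable even though its body contains a banned word.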

  • Page 245

    Email filter: Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and PO[...]

  • Page 246

    Email banned word list: When the FortiGate unit detects email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client softwa[...]

  • Page 247

    Email block list: You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate [...]

  • Page 248

    Adding address patterns to the email exempt list: 1 Go to Email Filter > Exempt List. 2 Select New to add an address pattern to the email exempt list. 3 Type the address pattern to exempt. • To exempt email sent from a specific email address, type the email [...]

  • Page 249

    Logging and reporting: You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email[...]

  • Page 250

    Recording logs on a remote computer: Use the following procedure to configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server. 1 Go to Log&Report > Log Setting. 2 Select Log to Remote Hos[...]

  • Page 251

    Recording logs in system memory: If your FortiGate unit does not contain a hard disk, you can use the following procedure to configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web f[...]

  • Page 252

    4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3. 5 Select OK. Figure 43: Example log filter configuration. Email Filter Log: Record activ[...]

  • Page 253

    Configuring traffic logging: You can configure the FortiGate unit to record traffic log messages for connections to: • Any interface • Any firewall policy. The FortiGate unit can filter traffic logs for any source and destination address and[...]

  • Page 254

    Configuring traffic filter settings: Use the following procedure to configure the information recorded in all traffic log messages. 1 Go to Log&Report > Log Setting > Traffic Filter. 2 Select the settings that you want to apply to all Traffic Log messag[...]

  • Page 255

    4 Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected in “Enabling traffic logging” on page 253. Figure 45: Example new traffic address entry. Viewing logs saved to memory: If the FortiGate is [...]

  • Page 256

Searching logs

Use the following procedure to search log messages saved in system memory:

1 Go to Log&Report > Logging.
2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
3 Select to search the messages in the selected log.
4 Select AND to search[...]

  • Page 257

Testing alert email

3 In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit.
4 In the SMTP User field, type[...]

  • Page 258

Enabling alert email[...]

  • Page 259

FortiGate-100 Installation and Configuration Guide Version 2.50 MR2

Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an[...]

  • Page 260

LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC address, [...]

  • Page 261

SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address co[...]

  • Page 262


  • Page 263

Index

A
accept policy 145
action: policy option 145
active log: searching 256
ActiveX 242: removing from web pages 242
address 150: adding 151; editing 152; group 152; IP/MAC binding 167; virtual IP 160
address group 152: example 153[...]

  • Page 264

B
backing up system settings 83
bandwidth: guaranteed 146; maximum 146
banned word list: adding words 236, 246
blacklist URL 239
block traffic: IP/MAC binding 167
blocking: access to Internet sites 237, 247; access to URLs 237, 247; adding filename patterns 233; file 233; oversized files and email 234; web pages 236, 246

C
certific[...]

  • Page 265

E
email alert: testing 257
email filter log 252
enabling policy 150
encrypt policy 145
encrypt policy: allow inbound 146; allow outbound 146; Inbound NAT 146; Outbound NAT 146
ending IP address: DHCP 119; PPTP 208, 214
environmental specifications 29
event log 251: viewing 255
exclusion range: DHC[...]

  • Page 266

IDS log: viewing 255
IKE 259
IMAP 154, 259
Inbound NAT: encrypt policy 146
interface: RIP 124
internal address: example 152
internal address group: example 153
internal network: configuring 48
Internet: blocking access to Internet sites 237, 247; blocking access to URLs 237, 247
Internet key exchange 259
intrusion attempts: alert em[...]

  • Page 267

maximum bandwidth 146
messages: replacement 135
MIB: FortiGate 135
mode: Transparent 16
monitor: system status 86, 87, 88, 89
monitored interfaces 222
MTU size 113: changing 113; definition 260; improving network performance 113

N
NAT: introduction 15; policy option 145; push updates 96
NAT mode: a[...]

  • Page 268

prevention: NIDS 225
protocol: service 154; system status 89
proxy server 100: push updates 100
push updates: configuring 95; through a NAT device 96; through a proxy server 100

R
RADIUS: definition 260; example configuration 176
RADIUS server: adding server address 176; deleting 176
read & write access level: administrator account[...]

  • Page 269

session: clearing 89
set time 129
setup wizard 45, 58: starting 45, 58
shutting down 86
signature threshold values 226
SMTP 155: configuring alert email 257; definition 260
SNMP: configuring 134; contact information 134; definition 260; first trap receiver IP address 135; get community 134; MIBs 1[...]

  • Page 270

U
UDP: configuring checksum verification 222
unwanted content: blocking 236, 246
update 252: attack 94; push 95
updated antivirus 94
updating: attack definitions 91, 95; virus definitions 91, 95
upgrade firmware 71
upgrading: firmware 70; firmware using the CLI 71, 73; firmware using the web-based manager 71, 72
URL: adding to exem[...]

  • Page 271

wizard: firewall setup 45, 58; starting 45, 58
worm list: displaying 234
worm protection 234[...]

  • Page 272
