Fortinet Version 3.0 manual Probes and FortiGate firewall policies, Normal mode operation

Page 12

Normal mode operation

FortiBridge operating principles

Figure 5: FortiBridge unit operating in normal mode sending probe packets

(Normal mode)

Internal network

 

 

INT 1

EXT 1

Internet

INT 2

EXT 2

Router

Internal

External

Probe packets

(Transparent mode)

You can enable ICMP (ping), HTTP, FTP, POP3, SMTP, and IMAP probes to test connectivity through the FortiGate unit for each of these protocols. The FortiBridge unit simultaneously tests connectivity through the FortiGate unit for each probe that is enabled.

The first probe that registers a failure causes the FortiBridge unit to stop sending all probe packets. The FortiBridge unit responds to the failure according to the action on failure that you configure. The action on failure can include fail open, send alert email, send a syslog message, and send an SNMP trap. You can enable any combination of these actions on failure. Fail open switches the FortiBridge unit to bypass mode. Other actions on failure alert system administrators that the FortiBridge has determined that a failure occurred.

Probes and FortiGate firewall policies

Probe packets are accepted and passed through the FortiGate unit by firewall policies added to the FortiGate unit. When enabling probes, you must make sure that the firewall policies added to the FortiGate unit can accept probe packets. For example, if your FortiGate unit does not accept FTP packets, you should not enable the FTP probe. Table 1 describes FortiGate firewall policy requirements for each FortiBridge probe.

Table 1: FortiBridge probes and FortiGate firewall policy requirements

 

 

FortiGate Firewall policy

Probe

Description

 

 

Direction

Service

 

 

 

 

Ping

ICMP packets are sent from the INT 2

Internal ->External

ICMP or ANY

 

interface to the EXT 2 interface. The EXT 2

 

 

 

interface responds to the ping.

 

 

 

 

 

 

HTTP

HTTP requests are sent from an HTTP

Internal ->External

HTTP or ANY

 

client at the INT 2 interface to a web server

 

 

 

at the EXT 2 interface. The web server

 

 

 

sends a response from the EXT 2 interface

 

 

 

to the INT 2 interface.

 

 

 

 

 

 

FTP

FTP requests are sent from an FTP client at

Internal ->External

FTP or ANY

 

the INT 2 interface to an FTP server at the

 

 

 

EXT 2 interface. The FTP server sends a

 

 

 

response from the EXT 2 interface to the

 

 

 

INT 2 interface.

 

 

 

 

 

 

12

FortiBridge Version 3.0 Administration Guide

09-30000-0163-20061109

Image 12
Contents M i n i s t r a t i o n G u i d e Trademarks Regulatory complianceContents Configuration and operating procedures Using the CLIConfig CLI commands Execute CLI commands IndexPage About FortiBridge About this documentCustomer service and technical support Fortinet documentationFortinet tools and documentation CD Fortinet Knowledge CenterFortiBridge operating principles Example FortiBridge applicationConnecting the FortiBridge unit Connecting the FortiBridge-1000 copper gigabit ethernetNormal mode operation Connecting the FortiBridge-1000F fiber gigabit ethernetHow the FortiBridge unit monitors the FortiGate unit Normal mode operation Probes and FortiGate firewall policiesEnabling probes to detect FortiGate hardware failure Enabling probes to detect FortiGate software failureProbe interval and probe threshold Bypass mode operation FortiBridge power failureExample FortiGate HA cluster FortiBridge application Example configuration with other FortiGate interfaces Example configuration with other FortiGate interfaces Example configuration with other FortiGate interfaces FortiBridge-1000 Package contents FortiBridge unit basic informationFortiBridge-1000F Package contents Mounting instructionsTechnical specifications LED indicatorsConnectors Factory default configurationConnecting and turning on the FortiBridge unit Connecting and turning on the FortiBridge-1000 unitConnecting and turning on the FortiBridge-1000F unit To connect and turn on the FortiBridge-1000 unitTo connect and turn on the FortiBridge-1000F unit Connecting to the command line interface CLI Connecting to the FortiBridge consoleFortiBridge-1000 login To connect to the FortiBridge console for the first timeCompleting the basic FortiBridge configuration Connecting to the FortiBridge CLI using TelnetTo connect to the CLI using Telnet Welcome FortiBridge-1000 #Adding an administrator password To add an administrator passwordChanging the management IP address To change the management IP addressChanging DNS server IP addresses Adding static routesTo change DNS server IP addresses To add static routesAllowing management access to the EXT 1 interface Adding administrator accountsChanging the system time and date Resetting to the factory default configuration Installing FortiBridge unit firmwareTo reset to factory defaults from the FortiBridge CLI To upgrade to a new firmware version Execute restore image namestr tftpipExecute restore image FBG1000-v10-build010-FORTINET.out Upgrading to a new firmware versionReverting to a previous firmware version To revert to a previous firmware versionInstalling firmware from a system reboot To install firmware from a system rebootHit any key to stop autoboot Enter Tftp server addressEnter firmware image file image.out Get system statusConfiguration and operating procedures Example network settingsConfiguring FortiBridge probes Configuring FortiBridge probesProbe settings To configure probe settingsTo enable and configure FortiBridge probes Config probe probelist ping set status enable EndEnabling probes Config probe probelist Imap set status enable End Verifying that probes are functioningTo verify that probes are functioning Go to System Status SessionConfiguring FortiBridge alerts Tuning the failure threshold and probe intervalTo configure alert email Config alertemail setting set server mail.myorg.com EndFortiBridge alert email FortiBridge syslogTo configure FortiBridge syslog Config log syslogd setting set server EndFortiBridge Snmp Recovering from a FortiGate failure To add and enable an Snmp communityConfig system snmp community edit Set name snmp1 End To resume normal operation from bypass modeManually switching between FortiBridge operating modes Backing up and restoring the FortiBridge configurationExecute switch-mode To back up the FortiBridge configurationBacking up and restoring the FortiBridge configuration Backing up and restoring the FortiBridge configuration Connecting to the FortiBridge CLI using SSH or Telnet Setting administrative access for SSH or TelnetTo use the CLI to configure SSH or Telnet access CLI basicsOther access methods Connecting to the FortiBridge CLI using SSHSet allowaccess ping telnet ssh Get system interface namestrTo connect to the CLI using SSH Connecting to the FortiBridge CLI using SSH or Telnet Config CLI commands Alertemail setting Command syntax patternExamples Related Commands Log syslogd setting ExampleProbe probelist ping http ftp pop3 smtp imap Get probe probelistGet probe probelist http Show probe probelistProbe setting SyslogSystem accprofile Rw wGet system accprofile Get system accprofile policyprofileShow system accprofile System admin Password passwordstrGet system admin Get system admin newadminShow system admin Config system console set End System consoleGet system console Show system consoleSystem dns Get system dnsShow system dns Get system status System failclose FailbypassSystem failclose System global MinutesintegerGet system global Show system globalSystem interface internal external Get system interface internalShow system interface internal Config system manageip Set ip 192.168.2.80 255.255.255.0 end System manageipSystem route DistanceintegerConfig hosts System snmp communityGet system snmp community Show system snmp communityExecute CLI commands Backup Command syntaxExecute backup config filenamestr tftp-serveripv4 Execute backup config fbdg.cfgDate Execute date datestr datestr has the form mm/dd/yyyy, whereExecute date 09/17/2004 Factoryreset Execute factoryresetPing Execute ping addressipv4 host-namestrReboot Execute rebootRestore Execute restore config backupconfigSwitch-mode Time Execute time timestrTime Index 09-30000-0163-20061109 Snmp SSH