Fortinet 400 Adding interfaces to a zone, Adding Vlan subinterfaces to a zone, Renaming zones

Page 134

Configuring zones

Network configuration

3. Type a Name for the zone.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4. Optionally select Block intra-zone traffic to block traffic between interfaces in the same zone.

5. Select OK to add the zone.

The zone now appears on the firewall policy grid.

Adding interfaces to a zone

You can add one or more interfaces to a zone. If you have added firewall addresses to an interface, you must delete these firewall addresses before you can add the interface to a zone. See “Deleting addresses” on page 180. When you add an interface to a zone, you cannot add firewall addresses to the interface and the interface does not appear on the policy grid.

1. Go to System > Network > Interface.

2. For the interface to add to a zone, select Modify.

3. Use the Zone list to select the zone to add the interface to.

4. Select OK to save your changes.

5. Repeat these steps to add more interfaces to zones.

Adding VLAN subinterfaces to a zone

You can add one or more VLAN subinterfaces to a zone. If you have added firewall addresses to a VLAN subinterface, you must delete these firewall addresses before you can add the VLAN subinterface to a zone. See “Deleting addresses” on page 180. When you add a VLAN subinterface to a zone, you cannot add firewall addresses to the VLAN subinterface and the VLAN subinterface does not appear on the policy grid.

1. Go to System > Network > Interface.

2. For the VLAN subinterface to add to a zone, select Modify.

3. Use the Zone list to select the zone to add the VLAN subinterface to.

4. Select OK to save your changes.

5. Repeat these steps to add more VLAN subinterfaces to zones.

Renaming zones

You can change the name of any zone in the zone list.

1. Go to System > Network > Zone.

2. Choose a zone to rename and select Edit zone.

3. Enter a new name for the zone.

4. Select OK to save your changes.
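The zone procedures on this page share a few rules that are easy to trip over when a change is planned: the characters a zone name may use, the requirement to delete an interface's firewall addresses before it joins a zone, the fact that a zoned interface can no longer take addresses and disappears from the policy grid, and the Block intra-zone traffic option. The script below is an added example and is not code from this Fortinet manual, nor a FortiOS API; it models those rules so a planned zone change (for physical interfaces and VLAN subinterfaces alike, which the page treats the same way) can be validated before it is made in the web-based manager. The Interface, Zone and ZoneConfig names, the port names and the 192.0.2.10/32 address are constructed assumptions.

```python
"""Checker for the FortiGate-400 zone rules described on this manual page.

Added illustration only (not Fortinet code, not a FortiOS API): the Interface,
Zone and ZoneConfig names are assumptions used to model what the page states.
VLAN subinterfaces follow the same rules as interfaces, so both are Interface here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Allowed zone name characters per the page: 0-9, A-Z, a-z, '-' and '_'.
ZONE_NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")


def valid_zone_name(name: str) -> bool:
    """True if the name uses only the characters the manual permits (no spaces)."""
    return bool(ZONE_NAME_RE.match(name))


@dataclass
class Interface:
    name: str
    addresses: Set[str] = field(default_factory=set)  # firewall addresses bound to it
    zone: Optional[str] = None


@dataclass
class Zone:
    name: str
    block_intrazone: bool = False  # the 'Block intra-zone traffic' option
    members: Set[str] = field(default_factory=set)


class ZoneConfig:
    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.interfaces: Dict[str, Interface] = {}

    def add_interface(self, name: str) -> None:
        self.interfaces[name] = Interface(name)

    def add_zone(self, name: str, block_intrazone: bool = False) -> None:
        if not valid_zone_name(name):
            raise ValueError(f"zone name {name!r} uses characters the unit rejects")
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")
        self.zones[name] = Zone(name, block_intrazone)

    def add_firewall_address(self, ifname: str, address: str) -> None:
        # Once an interface is in a zone, addresses can no longer be added to it.
        iface = self.interfaces[ifname]
        if iface.zone is not None:
            raise ValueError(f"{ifname} is in zone {iface.zone!r}; it cannot take addresses")
        iface.addresses.add(address)

    def zone_join_blockers(self, ifname: str) -> List[str]:
        """Firewall addresses that must be deleted before ifname can join a zone."""
        return sorted(self.interfaces[ifname].addresses)

    def add_to_zone(self, ifname: str, zone_name: str) -> None:
        blockers = self.zone_join_blockers(ifname)
        if blockers:
            raise ValueError(f"delete addresses {blockers} on {ifname} first")
        iface = self.interfaces[ifname]
        if iface.zone is not None:  # moving between zones
            self.zones[iface.zone].members.discard(ifname)
        iface.zone = zone_name
        self.zones[zone_name].members.add(ifname)

    def rename_zone(self, old: str, new: str) -> None:
        if not valid_zone_name(new):
            raise ValueError(f"zone name {new!r} uses characters the unit rejects")
        if new in self.zones:
            raise ValueError(f"zone {new!r} already exists")
        zone = self.zones.pop(old)
        zone.name = new
        self.zones[new] = zone
        for member in zone.members:  # keep member back-references in sync
            self.interfaces[member].zone = new

    def policy_grid(self) -> List[str]:
        """Names on the firewall policy grid: every zone, plus interfaces in no zone."""
        loose = [i.name for i in self.interfaces.values() if i.zone is None]
        return sorted(self.zones) + sorted(loose)

    def intrazone_blocked(self, src: str, dst: str) -> bool:
        """True when src and dst share a zone that has intra-zone traffic blocked."""
        a, b = self.interfaces[src], self.interfaces[dst]
        return a.zone is not None and a.zone == b.zone and self.zones[a.zone].block_intrazone


def build_example() -> ZoneConfig:
    """Constructed sample: two ports and a VLAN subinterface, one zone 'Internal'."""
    cfg = ZoneConfig()
    for name in ("port1", "port2", "port3", "port1_vlan100"):  # constructed names
        cfg.add_interface(name)
    cfg.add_zone("Internal", block_intrazone=True)
    cfg.add_to_zone("port1", "Internal")
    cfg.add_to_zone("port1_vlan100", "Internal")
    cfg.add_firewall_address("port2", "192.0.2.10/32")  # constructed address
    return cfg


if __name__ == "__main__":
    cfg = build_example()
    print("policy grid:", cfg.policy_grid())
    print("port2 must first drop:", cfg.zone_join_blockers("port2"))
```

Running the script prints the policy grid the manual describes (the zone name in place of its member interfaces) and lists the addresses on port2 that block it from joining a zone; `intrazone_blocked` answers whether two members of the same zone are isolated from each other by the Block intra-zone traffic option.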

Fortinet Inc.
