Fortinet 400 manual Configuring interfaces, Deleting zones, Viewing the interface list, 135

Network configuration

Deleting zones

You must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. You can only delete zones that have the Delete icon beside them in the zone list.

1. Go to System > Network > Zone.

2. Select Delete to remove a zone from the list.

3. Select OK to delete the zone.

Configuring interfaces

Use the following procedures to configure the FortiGate interfaces:

Viewing the interface list

Bringing up an interface

Changing an interface static IP address

Adding a secondary IP address to an interface

Adding a ping server to an interface

Controlling management access to an interface

Configuring traffic logging for connections to an interface

Changing the MTU size to improve network performance

Configuring port4/ha

Configuring the management interface (Transparent mode)

Viewing the interface list

Use the following procedure to view the interface list.

1. Go to System > Interface.

The interface list is displayed. The interface list shows the following status information for all of the FortiGate interfaces and VLAN subinterfaces:

The IP address of the interface

The netmask of the interface

The zone that the interface has been added to

The administrative access configuration for the interface

The link status for the interface (link status does not apply to VLAN subinterfaces)

If the link status is a green arrow, the interface is up and can accept network traffic. If the link status is a red arrow, the interface is down and cannot accept traffic. To bring an interface up, see the procedure “Bringing up an interface”.

Bringing up an interface

If the link status of an interface in the interface list shows that it is down, you can use the following procedure to bring the interface up.

1. Go to System > Interface. The interface list is displayed.

2. Select Bring Up for the interface that you want to bring up.

FortiGate-400 Installation and Configuration Guide
