Fortinet 400 manual 215, Configuring advanced options

Page 215

IPSec VPN

AutoIKE IPSec VPNs

10 Optionally, enter the Local ID of the FortiGate unit.

The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit will transmit its IP address.)

Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode. The reason is the order of the IKE phase 1 exchange: in main mode the identities are sent in messages 5 and 6, which are already encrypted with keys derived from the pre-shared key, so the remote peer can only select its key by IP address and never sees the local ID before the key is needed; in aggressive mode the ID travels unencrypted in the first message, which is what makes a per-ID pre-shared key possible. With certificates the peer is identified by its certificate instead. Note that aggressive mode also sends the authenticating hash before the peer has been authenticated, so a captured exchange allows an offline dictionary attack on the pre-shared key; use a long, random pre-shared key on aggressive mode tunnels.

Configuring advanced options

1 Select Advanced Options.

2 Optionally, select a Peer Option.

Use the Peer Options to authenticate remote VPN peers by the ID that they transmit during phase 1.

Accept any peer ID
Select to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID).

Accept this peer ID
Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-shared key). Also add the peer ID.

Accept peer ID in dialup group
Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group).

Configure the user group prior to configuring this peer option.
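The following Python model is an added example, not code from this guide or from Fortinet. It ties together the local ID rule from step 10 above (per-peer IDs only with pre-shared keys in aggressive mode) and the three peer options just described, by showing what a responder can key on in each exchange mode and what each peer option accepts. The credential stores, peer IDs, addresses and transcript fields are constructed assumptions, IKE's prf is stood in for by HMAC-SHA256, and nothing here parses real IKE traffic.

```python
"""IKEv1 phase 1 peer identification: a model, not FortiGate code.

Shows why a per-peer ID only works with pre-shared keys in aggressive mode,
how the three peer options map onto "which pre-shared key does the responder
use and which IDs does it accept", and why a guessable key is fatal in
aggressive mode.  IKE's prf is replaced by HMAC-SHA256 and every transcript
field is constructed; nothing here parses real IKE packets.
"""
import hashlib
import hmac
import secrets

# Constructed credential stores (assumptions for this example).
TUNNEL_PSK = b"Xk7#pQ9vL2mZ!rT4wB8n"          # one key shared by all peers of a tunnel
EXPECTED_PEER_ID = "branch-office"              # "Accept this peer ID"
DIALUP_GROUP = {                                # "Accept peer ID in dialup group":
    "alice@example.com": b"0b9f3a1c5d7e2f40",   # one key per user name (ID)
    "bob@example.com": b"7a2d9e4b6c1f8e03",
}
PSK_BY_ADDRESS = {"203.0.113.7": TUNNEL_PSK}    # all that main mode can key on


class Phase1Error(Exception):
    """The responder aborts phase 1."""


def verify_peer_id(peer_option, peer_id):
    """The three peer options as an ID check.  Raises Phase1Error on mismatch."""
    if peer_option == "any":
        return True                             # the ID is not used for authentication
    if peer_option == "this":
        if peer_id != EXPECTED_PEER_ID:
            raise Phase1Error(f"unexpected peer ID {peer_id!r}")
        return True
    if peer_option == "dialup_group":
        if peer_id not in DIALUP_GROUP:
            raise Phase1Error(f"{peer_id!r} is not in the dialup group")
        return True
    raise ValueError(f"unknown peer option {peer_option!r}")


def select_psk(mode, peer_option, peer_ip, peer_id=None):
    """Return the pre-shared key the responder derives SKEYID from.

    Main mode: the initiator's ID (IDii) arrives in message 5, already
    encrypted with keys derived from SKEYID = prf(PSK, Ni | Nr), so the key
    must be chosen by source address and the ID can only be checked later.
    Aggressive mode: IDii is in message 1, so the key can be chosen per ID.
    """
    if mode == "main":
        if peer_option == "dialup_group":
            raise Phase1Error("per-ID keys need aggressive mode: main mode "
                              "encrypts the ID with keys derived from the PSK")
        psk = PSK_BY_ADDRESS.get(peer_ip)
        if psk is None:
            raise Phase1Error(f"no pre-shared key configured for {peer_ip}")
        return psk
    if mode != "aggressive":
        raise ValueError(f"unknown exchange mode {mode!r}")
    verify_peer_id(peer_option, peer_id)
    return DIALUP_GROUP[peer_id] if peer_option == "dialup_group" else TUNNEL_PSK


def responder_accepts(mode, peer_option, peer_ip, peer_id=None):
    """True if phase 1 key selection succeeds for this peer."""
    try:
        select_psk(mode, peer_option, peer_ip, peer_id)
        return True
    except Phase1Error:
        return False


def skeyid(psk, ni, nr):
    """RFC 2409 SKEYID for pre-shared keys: prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def hash_r(psk, t):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In aggressive mode the responder sends it in message 2 without encryption."""
    msg = t["g_xr"] + t["g_xi"] + t["cky_r"] + t["cky_i"] + t["sai_b"] + t["idir_b"]
    return hmac.new(skeyid(psk, t["ni"], t["nr"]), msg, hashlib.sha256).digest()


def aggressive_mode_capture(psk, idir=b"branch-office"):
    """Constructed message 1/2 transcript as an observer (or an attacker that
    simply initiates to the gateway) records it.  Only the PSK is missing."""
    t = {k: secrets.token_bytes(16) for k in ("ni", "nr", "g_xr", "g_xi", "sai_b")}
    t["cky_i"], t["cky_r"] = secrets.token_bytes(8), secrets.token_bytes(8)
    t["idir_b"] = idir
    return {"transcript": t, "hash_r": hash_r(psk, t)}


def offline_psk_guess(capture, wordlist):
    """Try candidate keys against the captured HASH_R with no further network
    contact.  A dictionary-word key falls to this; a long random one does not."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, capture["transcript"]), capture["hash_r"]):
            return candidate
    return None
```

The main-mode branch of select_psk is the reason the guide restricts the local ID to aggressive mode: a dialup group of per-user keys cannot be looked up by an ID the responder has not yet decrypted. offline_psk_guess is the flip side of that convenience; everything in HASH_R other than the key is on the wire, so the key itself has to carry all the entropy.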

3 Optionally, configure XAuth.

XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it will authenticate remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it will provide a user name and password when it is challenged.

XAuth: Enable as a Client

Name
Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.

Password
Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.


XAuth: Enable as a Server

Encryption method
Select the protocol used to carry the user password between the XAuth client, the FortiGate unit and the authentication server. (PAP and CHAP are password authentication protocols rather than ciphers; the phase 1 SA provides the encryption between the client and the FortiGate unit.)

PAP—Password Authentication Protocol. The client sends its password as is.

CHAP—Challenge-Handshake Authentication Protocol. The client proves the password by returning an MD5 hash of a challenge combined with the password; the password itself is never sent.

MIXED—Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.

Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. (Use PAP with all implementations of LDAP, which verify a password by binding with it and therefore cannot check a CHAP response, and with some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.)

Usergroup
Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.

The user group must be added to the FortiGate configuration before it can be selected here.
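The following Python model is an added example, not code from this guide or from Fortinet. It shows what the three Encryption method settings above do with the user password on the two legs (XAuth client to FortiGate unit, FortiGate unit to authentication server), why CHAP fails against an LDAP server, and why MIXED exists for a client that cannot answer a challenge. The CHAP computation follows RFC 1994; the user database, the two server types and all credentials are constructed assumptions.

```python
"""XAuth password handling under PAP, CHAP and MIXED: a model, not FortiGate code.

The gateway (the FortiGate unit as XAuth server) sits between the XAuth client
and an authentication server.  The example shows what each setting does to the
password on the two legs, why CHAP cannot be used with an LDAP server and why
MIXED exists.  CHAP follows RFC 1994; all users and credentials are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5(Identifier | secret | Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass
class AuthServer:
    """RADIUS-like when can_verify_chap (it holds passwords it can recompute
    CHAP over); LDAP-like otherwise (it can only try a simple bind)."""
    users: dict
    can_verify_chap: bool

    def check_pap(self, user, password):
        return self.users.get(user) == password

    def check_chap(self, user, ident, challenge, response):
        if not self.can_verify_chap:
            raise NotImplementedError("server can only validate a cleartext bind")
        secret = self.users.get(user)
        return secret is not None and hmac.compare_digest(
            chap_response(ident, secret, challenge), response)


@dataclass
class XAuthClient:
    name: str
    password: bytes
    supports_chap: bool

    def answer_chap(self, ident, challenge):
        if not self.supports_chap:
            raise NotImplementedError("client cannot answer a CHAP challenge")
        return chap_response(ident, self.password, challenge)


def xauth_authenticate(method, client, server):
    """One XAuth authentication as the gateway performs it for the chosen
    method.  The result records success and on which legs the password itself,
    not just a hash of it, was handed over."""
    result = {"ok": False, "reason": "", "gateway_sees_password": False,
              "password_recoverable_on_server_leg": False}
    try:
        if method == "PAP":
            # Client -> gateway: name and password; gateway -> server: the same.
            # (RADIUS only masks User-Password with an MD5 stream keyed by the
            # shared secret; an LDAP simple bind carries it as is.)
            result.update(gateway_sees_password=True,
                          password_recoverable_on_server_leg=True)
            result["ok"] = server.check_pap(client.name, client.password)
        elif method == "CHAP":
            # The gateway challenges the client and forwards the response;
            # the password never leaves the client.
            ident, challenge = os.urandom(1)[0], os.urandom(16)
            response = client.answer_chap(ident, challenge)
            result["ok"] = server.check_chap(client.name, ident, challenge, response)
        elif method == "MIXED":
            # PAP towards the client, so the gateway holds the cleartext and can
            # itself answer a CHAP challenge of its own choosing towards the server.
            result["gateway_sees_password"] = True
            ident, challenge = os.urandom(1)[0], os.urandom(16)
            response = chap_response(ident, client.password, challenge)
            result["ok"] = server.check_chap(client.name, ident, challenge, response)
        else:
            raise ValueError(f"unknown method {method!r}")
    except NotImplementedError as exc:
        result["reason"] = str(exc)
    if not result["ok"] and not result["reason"]:
        result["reason"] = "credentials rejected"
    return result
```

Two caveats follow from the model. CHAP keeps the password off both legs, but only because the authentication server stores it in a form it can recompute the hash over, which is what an LDAP bind cannot offer and what the guide's remark about some Microsoft RADIUS deployments points at. And PAP's exposure is narrower than it looks: XAuth runs inside the encrypted phase 1 SA, so the cleartext is visible to the FortiGate unit and on the unit-to-server leg, not on the Internet path.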

FortiGate-400 Installation and Configuration Guide

215
