Fortinet 400 manual Configuration options, Setup Wizard

Page 41

Getting started

Planning your FortiGate configuration

Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of the FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.

You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewalling as well as antivirus and content scanning but not VPN.

Figure 6: Example Transparent mode network configuration

You can connect up to four network segments to the FortiGate unit to control traffic between these network segments.

Interface 1 can connect to the internal firewall or router.

Interface 2 can connect to the external network.

Interface 3 can connect to another network.

Interface 4/HA connects to another network. Interface 4/HA can also connect to other FortiGate-400s if you are installing an HA cluster.

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit.

You can use the web-based manager setup wizard, the control buttons and LCD, or the command line interface (CLI) for the basic configuration of the FortiGate unit.

Setup Wizard

If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the Setup Wizard prompts you to add the administration password and the internal and external interface addresses. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.

In NAT/Route mode you can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.

If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the Setup Wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
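As an added example that is not part of the guide, the following Python script checks an addressing plan against the constraints described above for each operating mode (one shared subnet for the management IP, its gateway and all connected segments in Transparent mode; non-overlapping internal and external subnets with the default gateway on the external subnet in NAT/Route mode). The function names and all sample addresses are constructed for this illustration.

```python
"""Sanity check for a FortiGate-400 addressing plan before running the Setup Wizard.

Added example, not code from the Fortinet guide. It encodes the two
constraints the guide states: in Transparent mode the unit bridges, so the
management IP, its gateway and every connected segment share one subnet; in
NAT/Route mode the internal and external interfaces are routed, so they need
non-overlapping subnets and the default route gateway must sit on the external
subnet. All addresses used in the demo are constructed sample values.
"""
from ipaddress import ip_address, ip_interface
from typing import List


def check_transparent(manage_ip: str, gateway: str, segment_hosts: List[str]) -> List[str]:
    """Return the problems found in a Transparent mode plan (empty list means OK).

    manage_ip is the management address in CIDR form, e.g. "192.168.1.99/24".
    """
    problems = []
    subnet = ip_interface(manage_ip).network
    # Antivirus/attack definition updates leave via this gateway, so it must be on-link.
    if ip_address(gateway) not in subnet:
        problems.append(f"gateway {gateway} is not on management subnet {subnet}")
    # A bridge does not route: hosts behind any of the four interfaces must share the subnet.
    for host in segment_hosts:
        if ip_address(host) not in subnet:
            problems.append(f"host {host} is outside {subnet}; Transparent mode cannot serve it")
    return problems


def check_nat_route(internal_if: str, external_if: str, default_gw: str,
                    published_servers: List[str]) -> List[str]:
    """Return the problems found in a NAT/Route mode plan (empty list means OK).

    internal_if / external_if are interface addresses in CIDR form;
    published_servers are internal Web/FTP/email hosts to be reachable from the Internet.
    """
    problems = []
    internal = ip_interface(internal_if).network
    external = ip_interface(external_if).network
    if internal.overlaps(external):
        problems.append(f"internal subnet {internal} overlaps external subnet {external}")
    if ip_address(default_gw) not in external:
        problems.append(f"default gateway {default_gw} is not on external subnet {external}")
    for server in published_servers:
        if ip_address(server) not in internal:
            problems.append(f"published server {server} is not on internal subnet {internal}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans: one valid and one flawed per mode.
    print(check_transparent("192.168.1.99/24", "192.168.1.1", ["192.168.1.10"]))
    print(check_transparent("192.168.1.99/24", "10.0.0.1", ["172.16.0.5"]))
    print(check_nat_route("192.168.1.99/24", "204.23.1.5/24", "204.23.1.2", ["192.168.1.10"]))
    print(check_nat_route("192.168.1.99/24", "192.168.1.200/24", "10.1.1.1", ["10.9.9.9"]))
```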

FortiGate-400 Installation and Configuration Guide
