Fortinet 400 manual Adding the routes using the CLI

Page 56

Configuration example: Multiple connections to the Internet

NAT/Route mode installation

3 Select New to add a route for connections to the network of ISP1.

Destination IP: 100.100.100.0

Mask: 255.255.255.0

Gateway #1: 1.1.1.1

Gateway #2: 2.2.2.1

Device #1: port2

Device #2: port3

4 Select New to add a route for connections to the network of ISP2.

Destination IP: 200.200.200.0

Mask: 255.255.255.0

Gateway #1: 2.2.2.1

Gateway #2: 1.1.1.1

Device #1: port3

Device #2: port2

Select OK.

5 Change the order of the routes in the routing table to move the default route below the other two routes.

For the default route select Move to.

Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3.

Select OK.

Adding the routes using the CLI

1 Add the route for connections to the network of ISP1.

set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3

2 Add the route for connections to the network of ISP2.

set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 port3 gw2 1.1.1.1 dev2 port2

3 Add the default route for primary and backup links to the Internet.

set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3
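As an added illustration that is not part of the Fortinet guide, the following Python models the three set system route commands above: it parses them into a table, applies the web-based manager's Move to reordering, resolves a destination by top-down first match, and falls back to Gateway #2 when Gateway #1 is marked unreachable. The first-match and gw1-to-gw2 failover behaviour is the model this example assumes, based on step 5 and the primary/backup description on this page; it is not taken from FortiGate source, and the routing values are the page's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    number: int
    dst: ipaddress.IPv4Network
    gw1: str
    dev1: str
    gw2: Optional[str] = None
    dev2: Optional[str] = None

def parse_route_command(cmd: str) -> Route:
    """Parse one 'set system route number N dst IP MASK gw1 G dev1 D [gw2 G dev2 D]' line."""
    tok = cmd.split()
    if tok[:4] != ["set", "system", "route", "number"]:
        raise ValueError(f"not a route command: {cmd!r}")
    kv, i = {}, 5
    while i < len(tok):
        if tok[i] == "dst":  # dst takes two values: address and dotted netmask
            kv["dst"] = ipaddress.IPv4Network(f"{tok[i+1]}/{tok[i+2]}", strict=False)
            i += 3
        else:
            kv[tok[i]] = tok[i + 1]
            i += 2
    return Route(int(tok[4]), kv["dst"], kv["gw1"], kv["dev1"], kv.get("gw2"), kv.get("dev2"))

def build_table(commands):
    """Routing table in route-number order, as the CLI steps on this page create it."""
    return sorted((parse_route_command(c) for c in commands), key=lambda r: r.number)

def move_to(table, number, position):
    """The web-based manager's 'Move to': put route `number` at 1-based `position`."""
    target = next(r for r in table if r.number == number)
    rest = [r for r in table if r.number != number]
    rest.insert(position - 1, target)
    return rest

def lookup(table, dest, dead_gateways=frozenset()):
    """Assumed model: the first route, top-down, whose destination contains `dest` wins;
    Gateway #1 is used unless marked dead, then Gateway #2. Returns (number, gw, dev)."""
    ip = ipaddress.IPv4Address(dest)
    for r in table:
        if ip in r.dst:
            if r.gw1 not in dead_gateways:
                return (r.number, r.gw1, r.dev1)
            if r.gw2 and r.gw2 not in dead_gateways:
                return (r.number, r.gw2, r.dev2)
            return None  # both links for this route are down
    return None

# The three commands from the CLI steps above (values from the page).
ROUTE_COMMANDS = [
    "set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3",
    "set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 port3 gw2 1.1.1.1 dev2 port2",
    "set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 port2 gw2 2.2.2.1 dev2 port3",
]
TABLE = build_table(ROUTE_COMMANDS)
# The ordering problem step 5 guards against, modelled: a default route at the top
# shadows the ISP2 route, so 200.200.200.x traffic leaves through ISP1 instead.
MISORDERED = move_to(TABLE, 3, 1)
```

Comparing lookup(TABLE, "200.200.200.10") with lookup(MISORDERED, "200.200.200.10") shows why the default route must sit at the bottom of the list.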

The routing table should have routes arranged as shown in Table 13.

Table 13: Example combined routing table

Destination IP   Mask             Gateway #1   Device #1   Gateway #2   Device #2
100.100.100.0    255.255.255.0    1.1.1.1      port2       2.2.2.1      port3
200.200.200.0    255.255.255.0    2.2.2.1      port3       1.1.1.1      port2
0.0.0.0          0.0.0.0          1.1.1.1      port2       2.2.2.1      port3

Fortinet Inc.
