Fortinet FortiGate-800 manual To add the routes using the CLI

Page 54

Configuration example: Multiple connections to the Internet

NAT/Route mode installation

3. Select New to add a route for connections to the network of ISP1.

Destination IP: 100.100.100.0

Mask: 255.255.255.0

Gateway #1: 1.1.1.1

Gateway #2: 2.2.2.1

Device #1: external

Device #2: dmz

4. Select New to add a route for connections to the network of ISP2.

Destination IP: 200.200.200.0

Mask: 255.255.255.0

Gateway #1: 2.2.2.1

Gateway #2: 1.1.1.1

Device #1: dmz

Device #2: external

Select OK.

5. Change the order of the routes in the routing table to move the default route below the other two routes.

For the default route, select Move to.

Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3.

Select OK.

To add the routes using the CLI

1. Add the route for connections to the network of ISP1.

set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz

2. Add the route for connections to the network of ISP2.

set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 dmz gw2 1.1.1.1 dev2 external

3. Add the default route for primary and backup links to the Internet.

set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz

The routing table should have routes arranged as shown in Table 15.

Table 15: Example combined routing table

Destination IP   Mask             Gateway #1   Device #1   Gateway #2   Device #2
100.100.100.0    255.255.255.0    1.1.1.1      external    2.2.2.1      dmz
200.200.200.0    255.255.255.0    2.2.2.1      dmz         1.1.1.1      external
0.0.0.0          0.0.0.0          1.1.1.1      external    2.2.2.1      dmz
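The following is an added example, not code from the manual or from Fortinet: a small Python model of the ordered routing table built above. It assumes, as step 5 of the web-based procedure implies, that routes are matched top-down and the first matching entry wins, and that Gateway #2 is used only while Gateway #1 is down; the `gw_up` map stands in for the unit's ping-server dead-gateway detection, and dropping the packet when both gateways of the matching route are down is likewise an assumption. It parses the three `set system route` lines from the CLI procedure, resolves constructed sample destinations, and flags the shadowing that occurs when the default route is left above the two ISP-specific routes.

```python
"""Ordered routing-table model for the 'primary and backup links' example.

Added example, not Fortinet code. Assumptions (not stated on the page):
  * routes are matched top-down and the first matching entry wins
    (this is why step 5 moves the default route to the bottom);
  * Gateway #2 is used only while Gateway #1 is reported down; the
    gw_up map stands in for the unit's ping-server dead-gateway detection;
  * if both gateways of the matching route are down, the packet is dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: IPv4Network
    gw1: str
    dev1: str
    gw2: str
    dev2: str


def parse_route(cmd: str) -> Route:
    """Parse one 'set system route number N dst A M gw1 G dev1 D gw2 G dev2 D' line."""
    tok = cmd.split()
    if tok[:4] != ["set", "system", "route", "number"]:
        raise ValueError(f"not a route command: {cmd!r}")
    kv = {}
    i = 5                                   # skip the route number itself
    while i < len(tok):
        if tok[i] == "dst":                 # address followed by a dotted mask
            kv["dst"] = IPv4Network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
            i += 3
        else:                               # gw1/dev1/gw2/dev2 <value>
            kv[tok[i]] = tok[i + 1]
            i += 2
    for k in ("gw1", "gw2"):
        IPv4Address(kv[k])                  # reject malformed gateway addresses
    return Route(kv["dst"], kv["gw1"], kv["dev1"], kv["gw2"], kv["dev2"])


# The three commands from the CLI procedure on this page, in the order entered.
PAGE_COMMANDS = [
    "set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz",
    "set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 dmz gw2 1.1.1.1 dev2 external",
    "set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz",
]
TABLE: List[Route] = [parse_route(c) for c in PAGE_COMMANDS]
# The table as it looks before step 5, with the default route still on top.
DEFAULT_FIRST: List[Route] = [TABLE[2], TABLE[0], TABLE[1]]


def lookup(table: List[Route], dst: str, gw_up: Dict[str, bool]) -> Optional[Tuple[str, str]]:
    """Return (gateway, device) for dst from the first matching route, or None if dropped."""
    addr = IPv4Address(dst)
    for r in table:
        if addr in r.dst:
            if gw_up.get(r.gw1, True):      # unknown gateways are assumed up
                return r.gw1, r.dev1
            if gw_up.get(r.gw2, True):
                return r.gw2, r.dev2
            return None                     # both links of the matching route are down
    return None                             # no route at all (no default route present)


def shadowed(table: List[Route]) -> List[Tuple[str, str]]:
    """List (route, broader route above it) pairs that can never match; empty means ordered correctly."""
    out = []
    for i, r in enumerate(table):
        for above in table[:i]:
            if r.dst.prefixlen > above.dst.prefixlen and r.dst.subnet_of(above.dst):
                out.append((str(r.dst), str(above.dst)))
    return out


if __name__ == "__main__":
    # Constructed sample destinations: one in each ISP network, one elsewhere on the Internet.
    for dst in ("100.100.100.9", "200.200.200.9", "198.51.100.1"):
        print(dst, "ordered:", lookup(TABLE, dst, {}), "default-first:", lookup(DEFAULT_FIRST, dst, {}))
    print("ISP1 link down ->", lookup(TABLE, "198.51.100.1", {"1.1.1.1": False}))
    print("shadowed routes before step 5:", shadowed(DEFAULT_FIRST))
```

Run it to see that with the default route on top, traffic for 200.200.200.0/24 leaves through ISP1 on external instead of ISP2 on dmz, which is the misrouting step 5 exists to prevent; `shadowed()` is the check to run against any table with more than one gateway before trusting its order.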


Fortinet Inc.
