Fortinet 100 user manual 260


Glossary

LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.

MAC address, Media Access Control address: A 48-bit hardware address, assigned by the manufacturer of a network interface, that uniquely identifies each node on a network segment. It is written as six hexadecimal octets (for example 00:11:22:33:44:55). Because most interfaces allow the address to be changed in software, a MAC address identifies hardware reliably only against accidental, not deliberate, misuse.

MIB, Management Information Base: A database of objects that can be monitored by an SNMP network manager.

Modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.

MTU, Maximum Transmission Unit: The largest packet size, measured in bytes, that a link can carry (1500 bytes for standard Ethernet). Any IP packet larger than the MTU of the next link is divided into smaller packets (fragmented) before being sent, and reassembled at the destination. Ideally, the MTU your hosts use should equal the smallest MTU of all the links between them and the final destination: packets larger than an intervening MTU are fragmented by the router at that hop, which costs extra packets and processing, and a packet sent with the Don't Fragment (DF) bit set is dropped instead, with the router returning an ICMP "fragmentation needed" message (type 3, code 4). Path MTU discovery relies on that message, so firewall rules that block all ICMP can silently break large transfers.
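The fragmentation arithmetic described above, as an added example that is not part of the Fortinet manual. It assumes a 20-byte IPv4 header (no options) and uses the rule that every fragment except the last carries a payload that is a multiple of 8 bytes, because the fragment offset field counts 8-byte units; the MTU values are constructed for illustration.

```python
"""IPv4 fragmentation arithmetic for a datagram that exceeds a link MTU."""

IPV4_HEADER_LEN = 20   # assumption: header without options
FRAG_UNIT = 8          # fragment offsets are expressed in 8-byte units


def fragment(total_len, mtu, df=False, header_len=IPV4_HEADER_LEN):
    """Return a list of (offset_bytes, payload_len, more_fragments) tuples
    describing how a datagram of total_len bytes is sent over a link
    with the given MTU.

    If the Don't Fragment bit is set and the datagram does not fit, a
    router drops it and returns ICMP type 3 code 4; this function
    models that outcome by raising ValueError.
    """
    if mtu <= header_len:
        raise ValueError("MTU must exceed the IP header length")
    if total_len <= mtu:
        # Fits in one packet: single "fragment" with offset 0, MF clear.
        return [(0, total_len - header_len, False)]
    if df:
        raise ValueError(
            f"datagram of {total_len} bytes exceeds MTU {mtu} with DF set: "
            "dropped, ICMP fragmentation needed (type 3, code 4)"
        )
    # Largest payload per fragment, rounded down to a multiple of 8.
    max_payload = (mtu - header_len) // FRAG_UNIT * FRAG_UNIT
    payload_total = total_len - header_len
    frags = []
    offset = 0
    while offset < payload_total:
        size = min(max_payload, payload_total - offset)
        more = offset + size < payload_total   # MF flag: more fragments follow
        frags.append((offset, size, more))
        offset += size
    return frags


def path_mtu(link_mtus):
    """The largest datagram that crosses every hop unfragmented is bounded
    by the smallest link MTU on the path."""
    return min(link_mtus)


if __name__ == "__main__":
    # Constructed case: a 4000-byte datagram over a 1500-byte Ethernet link.
    for off, size, mf in fragment(4000, 1500):
        print(f"offset={off:5d} payload={size:4d} MF={int(mf)}")
    # Constructed path: Ethernet, a PPPoE link (1492), Ethernet.
    print("path MTU:", path_mtu([1500, 1492, 1500]))
```

Running the block prints three fragments (1480, 1480 and 1020 payload bytes) and a path MTU of 1492; lowering the MTU your hosts use to the path value avoids the fragmentation entirely.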

Netmask: Also called subnet mask or address mask. A 32-bit mask, written in dotted-decimal notation (for example 255.255.255.0), that marks which bits of an IPv4 address identify the network and which identify the host. A host ANDs a destination address with its own netmask to decide whether the destination is on its own subnet, and can be reached directly, or lies elsewhere and must be sent to a gateway. In TCP/IP it is how a subnetwork portion of a larger network is expressed.

NTP, Network Time Protocol: Used to synchronize the time of a computer to an NTP server. NTP provides accuracies to within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).

Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.

Ping: A utility used to determine whether a specific IP address is reachable. It works by sending an ICMP Echo Request packet to the specified address and waiting for an ICMP Echo Reply. (The expansion "Packet Internet Groper" is a backronym; the name comes from sonar.) No reply does not prove a host is down: many hosts and firewalls are configured not to answer ICMP, and a firewall interface only answers ping if ping is enabled as a management access option on that interface.

POP3, Post Office Protocol version 3: A protocol used to transfer e-mail from a mail server to a mail client across the Internet, on TCP port 110. Most e-mail clients support POP3. The user name and password, and the messages themselves, cross the network in clear text unless the connection is wrapped in TLS (POP3S, TCP port 995).

PPP, Point-to-Point Protocol: A data-link layer protocol that carries network-layer traffic, including IP, over a point-to-point link such as a dial-up modem or serial line, and so provides host-to-network and router-to-router connections. It includes its own authentication phase (PAP or CHAP); PPPoE carries the same protocol over Ethernet.

PPTP, Point-to-Point Tunneling Protocol: A Windows-based technology for creating VPNs. PPTP is supported by Windows 98, 2000, and XP. PPTP uses a TCP control connection on port 1723 and carries the tunneled PPP frames in GRE (IP protocol 47); every router, firewall or NAT device between the client and the PPTP gateway must pass both, or the tunnel will not come up. PPTP's authentication (MS-CHAP) and encryption (MPPE) are today regarded as cryptographically broken, so PPTP should be used only where an IPSec VPN is not an option.

Port: In TCP and UDP, a 16-bit number that identifies a particular service or process on a host; an IP address and port number together form the endpoint of a logical connection. Well-known port numbers identify standard services. For example, TCP port 80 is used for HTTP traffic, and firewall services are defined in terms of protocol and port numbers.

Protocol: An agreed-upon format for transmitting data between two devices. The protocol determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message.

RADIUS, Remote Authentication Dial-In User Service: An authentication and accounting protocol used by many Internet Service Providers (ISPs) and by firewalls and VPN gateways to authenticate their own users. When users dial into an ISP they enter a user name and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS runs over UDP (ports 1812 and 1813, or the older 1645 and 1646) and protects each exchange with a shared secret configured on both the client device and the server; the secret should be long and random, and the server should accept requests only from known client addresses.

Router: A device that connects LANs into an internal network and forwards packets between them, choosing the outgoing interface and next-hop gateway for each packet from its destination IP address and the routing table.

Routing: The process of determining a path to use to send data to its destination.

Routing table: A list of destination networks, each with the netmask, gateway and interface used to reach it. A packet is forwarded by the entry whose network contains its destination address; when several entries match, the one with the longest netmask (the most specific route) wins, and the default route (destination 0.0.0.0, netmask 0.0.0.0) matches only when nothing else does.
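The netmask test and the longest-prefix routing lookup described in the Netmask, Router and Routing table entries, as an added example that is not part of the Fortinet manual. The addresses, gateways and interface names (internal, dmz, external) in the sample table are constructed; directly connected networks are recorded with no gateway.

```python
"""Netmask arithmetic and a longest-prefix-match IPv4 routing table lookup."""
import ipaddress


def same_subnet(host, netmask, dest):
    """True when dest is on host's own subnet: both addresses ANDed with the
    netmask give the same network number, so the packet is delivered directly
    rather than sent to a gateway."""
    mask = int(ipaddress.IPv4Address(netmask))
    return (int(ipaddress.IPv4Address(host)) & mask) == \
           (int(ipaddress.IPv4Address(dest)) & mask)


class RoutingTable:
    """A static routing table: (network, gateway, interface) entries."""

    def __init__(self):
        self.routes = []

    def add(self, destination, netmask, gateway, interface):
        # strict=False tolerates a host address as the destination, e.g.
        # 24.102.233.5 with mask 255.255.255.0 becomes 24.102.233.0/24.
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=False)
        self.routes.append((net, gateway, interface))

    def lookup(self, dest):
        """Return (gateway, interface) for the most specific matching route,
        or None when no route (not even a default) covers dest."""
        addr = ipaddress.IPv4Address(dest)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return None if best is None else (best[1], best[2])


def example_table():
    """Constructed table for a gateway with internal, dmz and external interfaces."""
    rt = RoutingTable()
    rt.add("192.168.1.0", "255.255.255.0", None, "internal")       # directly connected
    rt.add("10.10.10.0", "255.255.255.0", None, "dmz")             # directly connected
    rt.add("10.10.10.128", "255.255.255.128", "10.10.10.1", "dmz")  # more specific, via a DMZ router
    rt.add("0.0.0.0", "0.0.0.0", "204.23.1.2", "external")          # default route
    return rt


if __name__ == "__main__":
    rt = example_table()
    for dest in ("192.168.1.50", "10.10.10.5", "10.10.10.200", "8.8.8.8"):
        print(dest, "->", rt.lookup(dest))
    print(same_subnet("192.168.1.99", "255.255.255.0", "192.168.2.1"))
```

Note that 10.10.10.200 matches both DMZ entries and is sent to 10.10.10.1 because the /25 entry is more specific, while 8.8.8.8 falls through to the default route; a missing default route makes lookup return None, which is the condition a "no route to host" error reports.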

Server: An application that answers requests from other devices (clients). Used as a generic term for any device that provides services to the rest of the network such as printing, high capacity storage, and network access.

SMTP, Simple Mail Transfer Protocol: In TCP/IP networks, the protocol used to deliver e-mail from a mail client to a mail server and between mail servers, on TCP port 25. Like POP3, it carries messages in clear text unless protected by TLS.

SNMP, Simple Network Management Protocol: A set of protocols for managing networks, carried over UDP port 161 (queries) and 162 (traps). SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. In SNMP v1 and v2c the only credential is a community string sent in clear text, so treat it as a password (never leave it at "public"), give managers read-only access where possible, and restrict which management hosts may query the agent.


Fortinet Inc.
