Fortinet 100A manual Users and authentication 233

Page 7

Contents

Address ... 198
Address list ... 199
Address options ... 199
Configuring addresses ... 200
Address group list ... 201
Address group options ... 201
Configuring address groups ... 202
Service ... 203
Predefined service list ... 203
Custom service list ... 206
Custom service options ... 207
Configuring custom services ... 208
Service group list ... 209
Service group options ... 209
Configuring service groups ... 210
Schedule ... 211
One-time schedule list ... 211
One-time schedule options ... 212
Configuring one-time schedules ... 212
Recurring schedule list ... 213
Recurring schedule options ... 213
Configuring recurring schedules ... 214
Virtual IP ... 214
Virtual IP list ... 215
Virtual IP options ... 215
Configuring virtual IPs ... 216
IP pool ... 219
IP pool list ... 220
IP pool options ... 220
Configuring IP pools ... 220
IP Pools for firewall policies that use fixed ports ... 221
IP pools and dynamic NAT ... 221
Protection profile ... 222
Protection profile list ... 222
Default protection profiles ... 223
Protection profile options ... 223
Configuring protection profiles ... 228
Profile CLI configuration ... 229
Users and authentication ... 233
Setting authentication timeout ... 234
Local ... 234
Local user list ... 234
Local user options ... 234

FortiGate-100A Administration Guide

01-28007-0068-20041203

Version 2.80 MR7

100A specifications

Fortinet 100A is a versatile network security device designed to provide comprehensive protection against various cyber threats while ensuring optimal network performance. As part of the FortiGate series, the 100A combines advanced security features with powerful hardware capabilities, making it suitable for small to medium-sized businesses.

One of the key features of the Fortinet 100A is its deep packet inspection technology. This capability allows the firewall to analyze both the header and payload of packets traversing the network, enabling it to detect and block malicious content effectively. The 100A can identify and mitigate a wide range of threats, including malware, intrusions, and application-layer attacks.

The FortiOS operating system powers the Fortinet 100A, offering a robust and user-friendly interface for configuration and management. With its unified security management console, administrators can efficiently monitor network traffic and enforce security policies across the organization. The system provides centralized logging and reporting features, enabling users to gain valuable insights into their security posture and respond swiftly to incidents.

The 100A supports multiple deployment modes, including transparent, NAT, and route modes. This flexibility allows organizations to integrate the device into their existing network architecture with ease. The firewall's high throughput capabilities ensure that network performance remains unaffected, even under heavy load from multiple users and devices.

Another notable aspect of the Fortinet 100A is its support for various VPN technologies, including IPsec and SSL VPN. This feature facilitates secure remote access for employees, enabling them to connect to the corporate network safely, regardless of their location. As remote work continues to be a norm in many sectors, this capability is critical for maintaining productivity and security.

In addition to these features, the Fortinet 100A provides comprehensive web filtering capabilities, protecting users from harmful websites and inappropriate content. This protection is essential for organizations looking to maintain a secure and productive environment.

With its combination of powerful security features, flexible deployment options, and robust performance, the Fortinet 100A stands out as an ideal solution for organizations seeking to bolster their cybersecurity measures while ensuring seamless connectivity for users. As cyber threats continue to evolve, investing in a capable device like the FortiGate 100A is crucial for maintaining a secure network infrastructure.