Fortinet FortiGate 100 user manual (272 pages, 4.28 Mb)
FortiGate 100
Installation and
Configuration Guide
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
Contents
Introduction
Antivirus protection
Web content filtering
Email filtering
Firewall
NAT/Route mode
Transparent mode
Network intrusion detection
VPN
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
What's new in Version 2.50
System administration
Network configuration
Routing
About this document
Document conventions
Fortinet documentation
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Dimensions
Weight
Power requirements
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Factory default content profiles
Strict content profile
Scan content profile
Web content profile
Unfiltered content profile
Planning your FortiGate configuration
NAT/Route mode
NAT/Route mode with multiple external network connections
Transparent mode
Configuration options
Setup Wizard
CLI
FortiGate model maximum values matrix
Next steps
NAT/Route mode installation
Preparing to configure NAT/Route mode
Advanced NAT/Route mode settings
DMZ interface
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Connecting the FortiGate unit to your networks
Configuring your networks
Completing the configuration
Configuring the DMZ interface
Setting the date and time
Enabling antivirus protection
Configuration example: Multiple connections to the Internet
Configuring Ping servers
Destination based routing examples
Primary and backup links to the Internet
Load sharing
Load sharing and primary and secondary connections
Policy routing examples
Routing traffic from internal subnets to different external networks
Routing a service to an external network
Firewall policy example
Adding a redundant default policy
Adding more firewall policies
Transparent mode installation
Preparing to configure Transparent mode
Using the setup wizard
Changing to Transparent mode
Starting the setup wizard
Reconnecting to the web-based manager
Using the command line interface
Changing to Transparent mode
Configuring the Transparent mode management IP address
Configure the Transparent mode default gateway
Connecting the FortiGate unit to your networks
Completing the configuration
Setting the date and time
Enabling antivirus protection
Registering your FortiGate
Configuring virus and attack definition updates
Transparent mode configuration examples
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination
System status
Changing the FortiGate host name
Changing the FortiGate firmware
Upgrade to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Revert to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Install a firmware image from a system reboot using the CLI
Test a new firmware image before installing it
Installing and using a backup firmware image
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Manual virus definition updates
Manual attack definition updates
Displaying the FortiGate serial number
Displaying the FortiGate up time
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status
Session list
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
Connecting to the FortiResponse Distribution Network
Configuring scheduled updates
Configuring update logging
Adding an override server
Manually updating antivirus and attack definitions
Configuring push updates
To enable push updates
About push updates
Push updates and external dynamic IP addresses
Push updates through a NAT device
Example: push updates through a NAT device
Scheduled updates through a proxy server
Registering FortiGate units
FortiCare Service Contracts
Registering the FortiGate unit
Updating registration information
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates
Registering a FortiGate unit after an RMA
Network configuration
Configuring interfaces
Viewing the interface list
Bringing up an interface
Changing an interface static IP address
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling management access to an interface
Configuring the external interface for PPPoE
Changing the external interface MTU size to improve network performance
Configuring the management interface (Transparent mode)
Adding DNS server IP addresses
Configuring routing
Adding a default route
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing
Policy routing command syntax
Providing DHCP services to your internal network
Viewing the dynamic IP list
RIP configuration
RIP settings
7. Select Apply to save your changes.
Configuring RIP for FortiGate interfaces
Adding RIP neighbors
Adding RIP filters
Adding a single RIP filter
Adding a RIP filter list
Adding a neighbors filter
Adding a routes filter
System configuration
Setting system date and time
Changing web-based manager options
Adding and editing administrator accounts
Adding new administrator accounts
Editing administrator accounts
Configuring SNMP
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
FortiGate MIBs
FortiGate traps
Customizing replacement messages
Customizing alert emails
Block alert
Critical event
Firewall configuration
Default firewall configuration
Addresses
Services
Schedules
Content profiles
Adding firewall policies
VPN Tunnel
Traffic Shaping
Authentication
Anti-Virus & Web filter
Configuring policy lists
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Addresses
Adding addresses
Editing addresses
Deleting addresses
Organizing addresses into address groups
Services
Predefined services
Providing access to custom services
Grouping services
Schedules
Creating one-time schedules
Creating recurring schedules
Adding a schedule to a policy
Virtual IPs
Adding static NAT virtual IPs
Adding port forwarding virtual IPs
Adding policies with virtual IPs
IP pools
Adding an IP pool
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
IP/MAC binding
Configuring IP/MAC binding for packets going through the firewall
Configuring IP/MAC binding for packets going to the firewall
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
Content profiles
Default content profiles
Adding a content profile
Adding a content profile to a policy
Users and authentication
Setting authentication timeout
Adding user names and configuring authentication
Deleting user names from the internal database
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
Configuring LDAP support
Adding LDAP servers
Deleting LDAP servers
Configuring user groups
Adding user groups
Deleting user groups
IPSec VPN
Key management
Manual Keys
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
AutoIKE with pre-shared keys
AutoIKE with certificates
Manual key IPSec VPNs
General configuration steps for a manual key VPN
Adding a manual key VPN tunnel
AutoIKE IPSec VPNs
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
4. Optionally, configure NAT Traversal.
6. Select OK to save the phase 1 parameters.
Adding a phase 2 configuration for an AutoIKE VPN
Managing digital certificates
Obtaining a signed local certificate
Generating the certificate request
Retrieving the signed local certificate
Importing the signed local certificate
Obtaining a CA certificate
Retrieving a CA certificate
Importing a CA certificate
Configuring encrypt policies
Adding an encrypt policy
IPSec VPN concentrators
VPN concentrator (hub) general configuration steps
VPN spoke general configuration steps
Redundant IPSec VPNs
Configuring redundant IPSec VPN
Monitoring and Troubleshooting VPNs
Viewing VPN tunnel status
Viewing dialup VPN connection status
Testing a VPN
PPTP and L2TP VPN
Configuring PPTP
Adding a source address
Adding an address group
Adding a destination address
Adding a firewall policy
Configuring a Windows 98 client for PPTP
Installing PPTP support
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
Configuring the VPN connection
Configuring L2TP
Adding a source address
Adding an address group
Adding a destination address
Adding a firewall policy
Configuring a Windows 2000 client for L2TP
Configuring an L2TP dialup connection
Disabling IPSec
Connecting to the L2TP VPN
Configuring a Windows XP client for L2TP
Configuring an L2TP VPN dialup connection
Configuring the VPN connection
Disabling IPSec
Network Intrusion Detection System (NIDS)
Detecting attacks
Viewing the signature list
Viewing attack descriptions
Enabling and disabling NIDS attack signatures
Adding user-defined signatures
Downloading the user-defined signature list
Preventing attacks
Enabling NIDS attack prevention
Enabling NIDS attack prevention signatures
Setting signature threshold values
Configuring synflood signature values
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
Antivirus protection
Antivirus scanning
File blocking
Blocking files in firewall traffic
Adding file patterns to block
Blocking oversized files and emails
Configuring limits for oversized files and email
Exempting fragmented email from blocking
Viewing the virus list
Web filtering
Content blocking
Adding words and phrases to the banned word list
URL blocking
Using the FortiGate web filter
Adding URLs or URL patterns to the block list
Clearing the URL block list
Downloading the URL block list
Uploading a URL block list
Using the Cerberian web filter
Installing a Cerberian license key on the FortiGate unit
Adding a Cerberian user to the FortiGate unit
Configuring Cerberian web filter
Enabling Cerberian URL filtering
Script filtering
Enabling the script filter
Selecting script filter options
Exempt URL list
Adding URLs to the exempt URL list
Email filter
Email banned word list
Adding words and phrases to the banned word list
Email block list
Adding address patterns to the email block list
Email exempt list
Adding address patterns to the email exempt list
Adding a subject tag
Logging and reporting
Recording logs
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Recording logs in system memory
Filtering log messages
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Adding traffic filter entries
Viewing logs saved to memory
Viewing logs
Searching logs
Configuring alert email
Adding alert email addresses
Testing alert email
Enabling alert email
Glossary
Index