Manuals
/
Fortinet
/
Computer Equipment
/
Network Router
Fortinet
100
user manual
Installation and Configuration Guide, August
Models:
100
1
1
272
272
Download
272 pages
22.37 Kb
1
2
3
4
5
6
7
8
Specs
Install
Password
Successful Update FDN error
System administration
Connecting to the Pptp VPN
RIP configuration 121
Replacement messages
Setup Wizard
Command line interface
Page 1
Image 1
FortiGate 100
Installation and Configuration Guide
INTERNAL
EXTERNAL
DMZ
POWER
STATUS
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
Page 1
Page 2
Page 1
Image 1
Page 1
Page 2
Contents
August
Installation and Configuration Guide
Regulatory Compliance
Trademarks
Table of Contents
NAT/Route mode installation
System status
Virus and attack definitions updates and registration
RIP configuration 121
Users and authentication 173
IPSec VPN 181
Network Intrusion Detection System Nids 221
Glossary 259 Index 263
Contents
Antivirus protection
Introduction
Email filtering
Web content filtering
Firewall
NAT/Route mode
Network intrusion detection
Transparent mode
Web-based manager
Secure installation, configuration, and management
FortiGate web-based manager and setup wizard
Command line interface
Network configuration
System administration
What’s new in Version
Logging and reporting
Users and authentication
Replacement messages
Dhcp server
Firewall
Web Filter
Antivirus
Email filter
About this document
Document conventions
Comments on Fortinet technical documentation
Fortinet documentation
Customer service and technical support
Comments on Fortinet technical documentation
Getting started
Mounting
Package contents
Environmental specifications
Powering on
Connecting to the web-based manager
Connecting to the web-based manager
Factory default FortiGate configuration settings
Connecting to the command line interface CLI
Bits per second 9600 Data bits Parity
Stop bits Flow control
Account
Factory default NAT/Route mode network configuration
Internal interface
External interface
Factory default firewall configuration
Factory default Transparent mode network configuration
Factory default firewall configuration Traffic Shaping
Factory default content profiles
Authentication
Antivirus & Web Filter
Scan content profile
Strict content profile
Strict content profile Options
Scan content profile Options
Unfiltered content profile
Web content profile
Web content profile Options
Unfiltered content profile Options
Example NAT/Route mode network configuration
Planning your FortiGate configuration
Example NAT/Route multiple internet connection configuration
NAT/Route mode with multiple external network connections
Setup Wizard
Configuration options
FortiGate model maximum values matrix
Next steps
Configuration options Getting started
Preparing to configure NAT/Route mode
NAT/Route mode installation
Internal servers
Advanced FortiGate NAT/Route mode settings
Advanced NAT/Route mode settings
DMZ interface
Dhcp server
Using the command line interface
Using the setup wizard
Set system interface external mode static ip 204.23.1.5
FortiGate-100 NAT/Route mode connections
Connecting the FortiGate unit to your networks
Completing the configuration
Configuring your networks
Configuring the DMZ interface
Setting the date and time
Configuring virus and attack definition updates
Configuration example Multiple connections to the Internet
Enabling antivirus protection
Registering your FortiGate
Example multiple Internet connection configuration
Primary and backup links to the Internet
Configuring Ping servers
Using the CLI
Destination based routing examples
Load sharing and primary and secondary connections
Load sharing
Routing table should have routes arranged as shown in Table
Adding the routes using the CLI
Policy routing examples
Routing a service to an external network
Firewall policy example
Adding a redundant default policy
Adding more firewall policies
Action Accept
Restricting access to a single Internet connection
Preparing to configure Transparent mode
Transparent mode installation
Transparent mode settings Administrator Password
DNS Settings
Go to System Status
Changing to Transparent mode
Configure the Transparent mode default gateway
Configuring the Transparent mode management IP address
FortiGate-100 Transparent mode connections
Setting the date and time
Default routes and static routes
Transparent mode configuration examples
Default route to an external network
General configuration steps
CLI configuration steps
Web-based manager example configuration steps
Go to System Network Management
Go to System Network Routing
Static route to an external destination
Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1
Example static route to an internal destination
Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
System status
System status
Changing the FortiGate host name
Firmware upgrade procedures Procedure Description
Changing the FortiGate firmware
Upgrading the firmware using the web-based manager
Upgrade to a new firmware version
Upgrading the firmware using the CLI
Revert to a previous firmware version
Execute restore image namestr tftpip
Reverting to a previous firmware version using the CLI
Execute ping
To install firmware from a system reboot
Install a firmware image from a system reboot using the CLI
Press Any Key To Download Boot Image
Restoring your previous configuration
Test a new firmware image before installing it
Test a new firmware image before installing it
Installing a backup firmware image
Installing and using a backup firmware image
Installing and using a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Manual virus definition updates
Backing up system settings
Manual attack definition updates
Displaying the FortiGate serial number
Displaying the FortiGate up time
Restoring system settings to factory defaults
Restoring system settings
Changing to NAT/Route mode
Changing to Transparent mode
Restarting the FortiGate unit
System status
Shutting down the FortiGate unit
Viewing CPU and memory status
Go to System Status Monitor
Viewing sessions and network status
Sessions and network status monitor
Viewing virus and intrusions status
Viewing the session list Go to System Status Session
Session list
To IP
Updating antivirus and attack definitions
Virus and attack definitions updates and registration
Version Expiry date Last update attempt Last update status
Connecting to the FortiResponse Distribution Network
Go to System Update
Configuring scheduled updates
Go to Log&Report Log Setting
Configuring update logging
Successful Update FDN error
Adding an override server
Configuring push updates
Manually updating antivirus and attack definitions
About push updates
To enable push updates
Push updates and external dynamic IP addresses
Push updates through a NAT device
Example network topology Push updates through a NAT device
Example push updates through a NAT device
Go to Firewall Virtual IP
General procedure
Adding a firewall policy for the port forwarding virtual IP
Schedule Always Service ANY Action Accept
100
Scheduled updates through a proxy server
Registering FortiGate units
FortiCare Service Contracts
101
102
Registering the FortiGate unit
Registering a FortiGate unit product information
103
Updating registration information
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
104
Adding or changing a FortiCare Support Contract number
Registering a new FortiGate unit
105
Downloading virus and attack definitions updates
Changing your Fortinet support password
Changing your contact information or security question
106
107
Registering a FortiGate unit after an RMA
108
Configuring interfaces
Network configuration
109
Bringing up an interface
Viewing the interface list
Changing an interface static IP address
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling management access to an interface
111
Configuring the external interface with a static IP address
Configuring traffic logging for connections to an interface
Configuring the external interface for Dhcp
113
Configuring the external interface for PPPoE
Configuring the management interface Transparent mode
Adding DNS server IP addresses
Configuring routing
115
Go to System Network DNS
Adding destination-based routes to the routing table
Adding a default route
117
Adding routes in Transparent mode
Policy routing
Configuring the routing table
Policy routing command syntax
Providing Dhcp services to your internal network
119
Go to System Network Dhcp
120
Viewing the dynamic IP list
121
RIP configuration
Go to System RIP Settings
RIP settings
122
123
Update
Invalid
Holddown
Password
Configuring RIP for FortiGate interfaces
124
Mode
125
Adding RIP neighbors
Adding RIP neighbors Go to System RIP Neighbor
Adding a single RIP filter
Adding RIP filters
126
Go to System RIP Filter
127
Adding a RIP filter list
Add the IP address of the route
Mask Add the netmask of the route Action
Adding a routes filter
Adding a neighbors filter
128
Setting system date and time
System configuration
To set the date and time Go to System Config Time
129
Changing web-based manager options
To set the system idle timeout
130
To modify the Dead Gateway Detection settings
To set the Auth timeout
131
To select a language for the web-based manager
Adding new administrator accounts
Adding and editing administrator accounts
Go to System Config Admin
132
To edit an administrator account Go to System Config Admin
Editing administrator accounts
133
Configuring the FortiGate unit for Snmp monitoring
Configuring Snmp
Configuring FortiGate Snmp support
Go to System Config Snmp v1/v2c
135
FortiGate MIBs
Trap Community Trap Receiver IP Addresses
FortiGate MIBs MIB file name Description EtherLike.mib
FortiGate traps
Customizing replacement messages
136
FortiGate traps Trap message Description
Go to System Config Replacement Messages
Customizing replacement messages
137
138
Customizing alert emails
Alert email message sections
Alert email message sections
139
140
141
Firewall configuration
Addresses
Default firewall configuration
142
Content profiles
Services
Schedules
143
144
Adding firewall policies
Go to Firewall Policy
145
Traffic Shaping
VPN Tunnel
146
Dynamic IP Pool Fixed Port
Anti-Virus & Web filter
Authentication
147
Comments
Log Traffic
148
Policy matching in detail
Configuring policy lists
Changing the order of policies in a policy list
149
Enabling and disabling policies
Addresses
Disabling a policy
Enabling a policy
151
Adding addresses
Go to Firewall Address
Deleting addresses
Editing addresses
Organizing addresses into address groups
152
Predefined services
Services
153
ANY
154
IRC
155
Grouping services
Providing access to custom services
Go to Firewall Service Custom
Go to Firewall Service Group
157
Schedules
Creating recurring schedules
Creating one-time schedules
158
Go to Firewall Schedule One-time
159
Adding a schedule to a policy
Adding static NAT virtual IPs
Virtual IPs
160
161
Adding port forwarding virtual IPs
162
163
Adding policies with virtual IPs
Adding an IP pool
IP pools
164
Go to Firewall IP Pool
IP pools and dynamic NAT
IP Pools for firewall policies that use fixed ports
165
IP/MAC binding
Go to Firewall IP/MAC Binding Setting
166
Go to Firewall IP/MAC Binding Static IP/MAC
167
Adding IP/MAC addresses
Enabling IP/MAC binding
Viewing the dynamic IP/MAC list
168
Go to Firewall IP/MAC Binding Dynamic IP/MAC
169
Content profiles
Adding a content profile
Default content profiles
Go to Firewall Content Profile
170
171
Adding a content profile to a policy
Oversized File/Email Block Pass Fragmented Email
172
173
Users and authentication
Adding user names and configuring authentication
Setting authentication timeout
Adding user names and configuring authentication
174
175
Deleting user names from the internal database
Adding Radius servers
Configuring Radius support
Deleting Radius servers
176
Adding Ldap servers
Configuring Ldap support
177
Go to User Ldap
178
Deleting Ldap servers
Adding user groups
Configuring user groups
179
Go to User User Group
180
Deleting user groups
181
IPSec VPN
Manual Keys
Key management
AutoIKE with pre-shared keys
AutoIKE with certificates
Manual key IPSec VPNs
General configuration steps for a manual key VPN
Adding a manual key VPN tunnel
183
184
Adding a phase 1 configuration for an AutoIKE VPN
General configuration steps for an AutoIKE VPN
Go to VPN Ipsec Phase
AutoIKE IPSec VPNs
Remote Gateway Static IP Address
186
Remote Gateway Dialup User
187
Configuring advanced options
188
189
Adding a phase 2 configuration for an AutoIKE VPN
190
Obtaining a signed local certificate
Managing digital certificates
191
192
Generating the certificate request
Go to VPN Local Certificates
Requesting the signed local certificate
Downloading the certificate request
193
Importing the signed local certificate
Retrieving the signed local certificate
194
Retrieving a CA certificate
Obtaining a CA certificate
Importing a CA certificate
195
196
Configuring encrypt policies
Adding a destination address
Adding a source address
Adding an encrypt policy
197
Adding an encrypt policy
198
IPSec VPN concentrators
VPN concentrator hub general configuration steps
199
Source InternalAll Destination VPN spoke address Action
200
201
Adding a VPN concentrator
Go to VPN IPSec Concentrator
202
VPN spoke general configuration steps
VPN Tunnel
Policies
Redundant IPSec VPNs
Configuring redundant IPSec VPN
203
204
See Adding a phase 1 configuration for an AutoIKE VPN on
Viewing VPN tunnel status
Monitoring and Troubleshooting VPNs
Viewing dialup VPN connection status
205
206
Testing a VPN
Go to VPN IPSec Dialup
Pptp and L2TP VPN
Configuring Pptp
207
Adding users and user groups
Configuring the FortiGate unit as a Pptp gateway
Enabling Pptp and specifying an address range
208
209
Adding an address group
Installing Pptp support
Configuring a Windows 98 client for Pptp
Go to Start Settings Control Panel Network
Adding a firewall policy
Connecting to the Pptp VPN
Configuring a Pptp dialup connection
Configuring a Windows 2000 client for Pptp
211
Configuring the VPN connection
Configuring a Windows XP client for Pptp
212
Go to Start Control Panel
213
Configuring L2TP
Enabling L2TP and specifying an address range
Configuring the FortiGate unit as a L2TP gateway
214
Go to VPN L2TP L2TP Range
215
Sample L2TP address range configuration
216
Configuring an L2TP dialup connection
Configuring a Windows 2000 client for L2TP
Disabling IPSec
217
Configuring a Windows XP client for L2TP
Connecting to the L2TP VPN
Configuring an L2TP VPN dialup connection
Go to Start Settings
219
220
Detecting attacks
Network Intrusion Detection System Nids
221
Selecting the interfaces to monitor
Configuring checksum verification
Disabling the Nids
222
Viewing attack descriptions
Viewing the signature list
223
Go to Nids Detection Signature List
Adding user-defined signatures
Enabling and disabling Nids attack signatures
224
Go to Nids Detection User Defined Signature List
Downloading the user-defined signature list
Preventing attacks
Enabling Nids attack prevention
225
Enabling Nids attack prevention signatures
Setting signature threshold values
226
227
Value Description Minimum Maximum Default
Configuring synflood signature values
Logging attacks
Logging attack messages to the attack log
Automatic message reduction
Reducing the number of Nids attack log and email messages
Manual message reduction
229
230
Antivirus protection
General configuration steps
231
232
Antivirus scanning
To scan FortiGate firewall traffic for viruses
Blocking files in firewall traffic
File blocking
Adding file patterns to block
233
Blocking oversized files and emails
Configuring limits for oversized files and email
Exempting fragmented email from blocking
Viewing the virus list
235
Web filtering
Go to Web Filter Content Block
Content blocking
Adding words and phrases to the banned word list
236
URL blocking
Using the FortiGate web filter
Adding URLs or URL patterns to the block list
237
238
Clearing the URL block list
Uploading a URL block list
Downloading the URL block list
239
Installing a Cerberian license key on the FortiGate unit
Using the Cerberian web filter
Adding a Cerberian user to the FortiGate unit
240
About the default group and policy
Configuring Cerberian web filter
To configure the Cerberian web filtering
Enabling Cerberian URL filtering
Enabling the script filter
Script filtering
Selecting script filter options
242
Adding URLs to the exempt URL list
Exempt URL list
243
Go to Web Filter Exempt URL
244
245
Email filter
Email banned word list
Go to Email Filter Content Block
246
Email exempt list
Email block list
Adding address patterns to the email block list
247
Adding a subject tag
To add a subject tag Go to Email Filter Config
Adding address patterns to the email exempt list
248
Recording logs
Logging and reporting
249
Recording logs on a NetIQ WebTrends server
Recording logs on a remote computer
250
Recording logs in system memory
Filtering log messages
251
252
Example log filter configuration
Enabling traffic logging
Configuring traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a firewall policy
Go to Log&Report Log Setting Traffic Filter
Configuring traffic filter settings
Adding traffic filter entries
254
Viewing logs saved to memory
Destination IP Address Destination Netmask Service
Viewing logs
255
Searching logs
Configuring alert email
Adding alert email addresses
256
Enabling alert email
Testing alert email
257
Go to Log&Report Alert Mail Categories
258
259
Glossary
260
261
262
263
Index
Index
264
FDS
265
Ldap
266
MIB
267
RMA
268
TCP
269
UDP
270
271
272
Top
Page
Image
Contents
