Manuals / Fortinet / Computer Equipment / Network Router

Fortinet 100 user manual Contents

Models: 100

1 272

Download 272 pages 22.37 Kb

Page 12

Contents

12	Fortinet Inc.

Image 12

Fortinet 100 user manual Contents

Contents

Installation and Configuration Guide AugustTrademarks Regulatory ComplianceTable of Contents NAT/Route mode installation System status Virus and attack definitions updates and registration RIP configuration 121 Users and authentication 173 IPSec VPN 181 Network Intrusion Detection System Nids 221 Glossary 259 Index 263 Contents Introduction Antivirus protectionWeb content filtering Email filteringNAT/Route mode FirewallTransparent mode Network intrusion detectionSecure installation, configuration, and management Web-based managerCommand line interface FortiGate web-based manager and setup wizardSystem administration Network configurationWhat’s new in Version Logging and reportingReplacement messages Users and authenticationDhcp server FirewallAntivirus Web FilterEmail filter About this document Document conventions Fortinet documentation Comments on Fortinet technical documentationCustomer service and technical support Comments on Fortinet technical documentation Getting started Package contents MountingPowering on Environmental specificationsConnecting to the web-based manager Connecting to the web-based managerConnecting to the command line interface CLI Factory default FortiGate configuration settingsBits per second 9600 Data bits Parity Stop bits Flow controlFactory default NAT/Route mode network configuration AccountInternal interface External interfaceFactory default Transparent mode network configuration Factory default firewall configurationFactory default content profiles Factory default firewall configuration Traffic ShapingAuthentication Antivirus & Web FilterStrict content profile Scan content profileStrict content profile Options Scan content profile OptionsWeb content profile Unfiltered content profileWeb content profile Options Unfiltered content profile OptionsPlanning your FortiGate configuration Example NAT/Route mode network configurationNAT/Route mode with multiple external network connections Example NAT/Route multiple internet connection configurationConfiguration options Setup WizardFortiGate model maximum values matrix Next steps Configuration options Getting started NAT/Route mode installation Preparing to configure NAT/Route modeInternal servers Advanced NAT/Route mode settings Advanced FortiGate NAT/Route mode settingsDMZ interface Dhcp serverUsing the setup wizard Using the command line interfaceSet system interface external mode static ip 204.23.1.5 Connecting the FortiGate unit to your networks FortiGate-100 NAT/Route mode connectionsConfiguring your networks Completing the configurationConfiguring the DMZ interface Setting the date and timeConfiguration example Multiple connections to the Internet Configuring virus and attack definition updatesEnabling antivirus protection Registering your FortiGateExample multiple Internet connection configuration Configuring Ping servers Primary and backup links to the InternetUsing the CLI Destination based routing examplesLoad sharing Load sharing and primary and secondary connectionsAdding the routes using the CLI Routing table should have routes arranged as shown in TableRouting a service to an external network Policy routing examplesAdding a redundant default policy Firewall policy exampleAdding more firewall policies Action AcceptRestricting access to a single Internet connection Transparent mode installation Preparing to configure Transparent modeTransparent mode settings Administrator Password DNS SettingsChanging to Transparent mode Go to System StatusConfiguring the Transparent mode management IP address Configure the Transparent mode default gatewayFortiGate-100 Transparent mode connections Setting the date and time Transparent mode configuration examples Default routes and static routesGeneral configuration steps Default route to an external networkWeb-based manager example configuration steps CLI configuration stepsGo to System Network Management Go to System Network RoutingStatic route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System statusFirmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI Execute restore image namestr tftpip Revert to a previous firmware versionReverting to a previous firmware version using the CLI Execute ping Install a firmware image from a system reboot using the CLI To install firmware from a system rebootPress Any Key To Download Boot Image Test a new firmware image before installing it Restoring your previous configurationTest a new firmware image before installing it Installing and using a backup firmware image Installing a backup firmware imageInstalling and using a backup firmware image Switching to the backup firmware image Manual virus definition updates Switching back to the default firmware imageManual attack definition updates Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up timeRestoring system settings Restoring system settings to factory defaultsChanging to Transparent mode Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit System statusViewing CPU and memory status Viewing sessions and network status Go to System Status MonitorViewing virus and intrusions status Sessions and network status monitorSession list Viewing the session list Go to System Status SessionTo IP Virus and attack definitions updates and registration Updating antivirus and attack definitionsConnecting to the FortiResponse Distribution Network Version Expiry date Last update attempt Last update statusConfiguring scheduled updates Go to System UpdateConfiguring update logging Go to Log&Report Log SettingSuccessful Update FDN error Configuring push updates Adding an override serverManually updating antivirus and attack definitions To enable push updates About push updatesPush updates and external dynamic IP addresses Push updates through a NAT deviceExample push updates through a NAT device Example network topology Push updates through a NAT deviceGeneral procedure Go to Firewall Virtual IPSchedule Always Service ANY Action Accept Adding a firewall policy for the port forwarding virtual IPScheduled updates through a proxy server 100FortiCare Service Contracts Registering FortiGate units101 Registering the FortiGate unit 102103 Registering a FortiGate unit product informationRecovering a lost Fortinet support password Updating registration informationViewing the list of registered FortiGate units 104Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number105 Changing your Fortinet support password Downloading virus and attack definitions updatesChanging your contact information or security question 106Registering a FortiGate unit after an RMA 107108 Network configuration Configuring interfaces109 Viewing the interface list Bringing up an interfaceChanging an interface static IP address Adding a secondary IP address to an interfaceControlling management access to an interface Adding a ping server to an interface111 Configuring traffic logging for connections to an interface Configuring the external interface with a static IP addressConfiguring the external interface for Dhcp Configuring the external interface for PPPoE 113Configuring the management interface Transparent mode Configuring routing Adding DNS server IP addresses115 Go to System Network DNSAdding a default route Adding destination-based routes to the routing tableAdding routes in Transparent mode 117Configuring the routing table Policy routingProviding Dhcp services to your internal network Policy routing command syntax119 Go to System Network DhcpViewing the dynamic IP list 120RIP configuration 121RIP settings Go to System RIP Settings122 Update 123Invalid HolddownConfiguring RIP for FortiGate interfaces Password124 ModeAdding RIP neighbors 125Adding RIP neighbors Go to System RIP Neighbor Adding RIP filters Adding a single RIP filter126 Go to System RIP FilterAdding a RIP filter list 127Add the IP address of the route Mask Add the netmask of the route ActionAdding a neighbors filter Adding a routes filter128 System configuration Setting system date and timeTo set the date and time Go to System Config Time 129To set the system idle timeout Changing web-based manager options130 To set the Auth timeout To modify the Dead Gateway Detection settings131 To select a language for the web-based managerAdding and editing administrator accounts Adding new administrator accountsGo to System Config Admin 132Editing administrator accounts To edit an administrator account Go to System Config Admin133 Configuring Snmp Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Go to System Config Snmp v1/v2cFortiGate MIBs 135Trap Community Trap Receiver IP Addresses FortiGate MIBs MIB file name Description EtherLike.mibCustomizing replacement messages FortiGate traps136 FortiGate traps Trap message DescriptionCustomizing replacement messages Go to System Config Replacement Messages137 Customizing alert emails 138Alert email message sections 139 Alert email message sections140 Firewall configuration 141Default firewall configuration Addresses142 Services Content profilesSchedules 143Adding firewall policies 144Go to Firewall Policy 145 VPN Tunnel Traffic Shaping146 Dynamic IP Pool Fixed PortAuthentication Anti-Virus & Web filter147 Log Traffic Comments148 Configuring policy lists Policy matching in detailChanging the order of policies in a policy list 149Addresses Enabling and disabling policiesDisabling a policy Enabling a policyAdding addresses 151Go to Firewall Address Editing addresses Deleting addressesOrganizing addresses into address groups 152Services Predefined services153 154 ANY155 IRCProviding access to custom services Grouping servicesGo to Firewall Service Custom Go to Firewall Service GroupSchedules 157Creating one-time schedules Creating recurring schedules158 Go to Firewall Schedule One-timeAdding a schedule to a policy 159Virtual IPs Adding static NAT virtual IPs160 Adding port forwarding virtual IPs 161162 Adding policies with virtual IPs 163IP pools Adding an IP pool164 Go to Firewall IP PoolIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT165 Go to Firewall IP/MAC Binding Setting IP/MAC binding166 Go to Firewall IP/MAC Binding Static IP/MACAdding IP/MAC addresses 167Viewing the dynamic IP/MAC list Enabling IP/MAC binding168 Go to Firewall IP/MAC Binding Dynamic IP/MACContent profiles 169Default content profiles Adding a content profileGo to Firewall Content Profile 170Adding a content profile to a policy 171Oversized File/Email Block Pass Fragmented Email 172 Users and authentication 173Setting authentication timeout Adding user names and configuring authenticationAdding user names and configuring authentication 174Deleting user names from the internal database 175Configuring Radius support Adding Radius serversDeleting Radius servers 176Configuring Ldap support Adding Ldap servers177 Go to User LdapDeleting Ldap servers 178Configuring user groups Adding user groups179 Go to User User GroupDeleting user groups 180IPSec VPN 181Key management Manual KeysAutoIKE with pre-shared keys AutoIKE with certificatesGeneral configuration steps for a manual key VPN Manual key IPSec VPNsAdding a manual key VPN tunnel 183184 General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPNGo to VPN Ipsec Phase AutoIKE IPSec VPNs186 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options 187188 Adding a phase 2 configuration for an AutoIKE VPN 189190 Managing digital certificates Obtaining a signed local certificate191 Generating the certificate request 192Go to VPN Local Certificates Downloading the certificate request Requesting the signed local certificate193 Retrieving the signed local certificate Importing the signed local certificate194 Obtaining a CA certificate Retrieving a CA certificateImporting a CA certificate 195Configuring encrypt policies 196Adding a source address Adding a destination addressAdding an encrypt policy 197198 Adding an encrypt policyVPN concentrator hub general configuration steps IPSec VPN concentrators199 200 Source InternalAll Destination VPN spoke address ActionAdding a VPN concentrator 201Go to VPN IPSec Concentrator VPN spoke general configuration steps 202VPN Tunnel PoliciesConfiguring redundant IPSec VPN Redundant IPSec VPNs203 See Adding a phase 1 configuration for an AutoIKE VPN on 204Monitoring and Troubleshooting VPNs Viewing VPN tunnel statusViewing dialup VPN connection status 205Testing a VPN 206Go to VPN IPSec Dialup Configuring Pptp Pptp and L2TP VPN207 Configuring the FortiGate unit as a Pptp gateway Adding users and user groupsEnabling Pptp and specifying an address range 208Adding an address group 209Configuring a Windows 98 client for Pptp Installing Pptp supportGo to Start Settings Control Panel Network Adding a firewall policyConfiguring a Pptp dialup connection Connecting to the Pptp VPNConfiguring a Windows 2000 client for Pptp 211Configuring a Windows XP client for Pptp Configuring the VPN connection212 Go to Start Control PanelConfiguring L2TP 213Configuring the FortiGate unit as a L2TP gateway Enabling L2TP and specifying an address range214 Go to VPN L2TP L2TP RangeSample L2TP address range configuration 215216 Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connectionDisabling IPSec 217Connecting to the L2TP VPN Configuring a Windows XP client for L2TPConfiguring an L2TP VPN dialup connection Go to Start Settings219 220 Network Intrusion Detection System Nids Detecting attacks221 Configuring checksum verification Selecting the interfaces to monitorDisabling the Nids 222Viewing the signature list Viewing attack descriptions223 Go to Nids Detection Signature ListEnabling and disabling Nids attack signatures Adding user-defined signatures224 Go to Nids Detection User Defined Signature ListPreventing attacks Downloading the user-defined signature listEnabling Nids attack prevention 225Setting signature threshold values Enabling Nids attack prevention signatures226 227 Configuring synflood signature values Value Description Minimum Maximum DefaultLogging attacks Logging attack messages to the attack logReducing the number of Nids attack log and email messages Automatic message reductionManual message reduction 229230 General configuration steps Antivirus protection231 Antivirus scanning 232To scan FortiGate firewall traffic for viruses File blocking Blocking files in firewall trafficAdding file patterns to block 233Configuring limits for oversized files and email Blocking oversized files and emailsExempting fragmented email from blocking Viewing the virus listWeb filtering 235Content blocking Go to Web Filter Content BlockAdding words and phrases to the banned word list 236Using the FortiGate web filter URL blockingAdding URLs or URL patterns to the block list 237Clearing the URL block list 238Downloading the URL block list Uploading a URL block list239 Using the Cerberian web filter Installing a Cerberian license key on the FortiGate unitAdding a Cerberian user to the FortiGate unit 240Configuring Cerberian web filter About the default group and policyTo configure the Cerberian web filtering Enabling Cerberian URL filteringScript filtering Enabling the script filterSelecting script filter options 242Exempt URL list Adding URLs to the exempt URL list243 Go to Web Filter Exempt URL244 Email filter 245Go to Email Filter Content Block Email banned word list246 Email block list Email exempt listAdding address patterns to the email block list 247To add a subject tag Go to Email Filter Config Adding a subject tagAdding address patterns to the email exempt list 248Logging and reporting Recording logs249 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server250 Filtering log messages Recording logs in system memory251 Example log filter configuration 252Configuring traffic logging Enabling traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a firewall policyConfiguring traffic filter settings Go to Log&Report Log Setting Traffic FilterAdding traffic filter entries 254Destination IP Address Destination Netmask Service Viewing logs saved to memoryViewing logs 255Configuring alert email Searching logsAdding alert email addresses 256Testing alert email Enabling alert email257 Go to Log&Report Alert Mail Categories258 Glossary 259260 261 262 Index 263264 Index265 FDS266 Ldap267 MIB268 RMA269 TCP270 UDP271 272