Fortinet 100 user manual
Models: 100
272 pages
Contents
Installation and Configuration Guide
August
Trademarks
Regulatory Compliance
Table of Contents
NAT/Route mode installation
System status
Virus and attack definitions updates and registration
RIP configuration 121
Users and authentication 173
IPSec VPN 181
Network Intrusion Detection System Nids 221
Glossary 259 Index 263
Introduction
Antivirus protection
Web content filtering
Email filtering
NAT/Route mode
Firewall
Transparent mode
Network intrusion detection
Secure installation, configuration, and management
Web-based manager
Command line interface
FortiGate web-based manager and setup wizard
System administration
Network configuration
What’s new in Version
Logging and reporting
Replacement messages
Users and authentication
Dhcp server
Firewall
Email filter
Antivirus
Web Filter
About this document
Document conventions
Fortinet documentation
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Powering on
Environmental specifications
Connecting to the web-based manager
Connecting to the command line interface CLI
Factory default FortiGate configuration settings
Bits per second 9600, Data bits, Parity, Stop bits, Flow control
Factory default NAT/Route mode network configuration
Account
Internal interface
External interface
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Factory default firewall configuration Traffic Shaping
Authentication
Antivirus & Web Filter
Strict content profile
Scan content profile
Strict content profile Options
Scan content profile Options
Web content profile
Unfiltered content profile
Web content profile Options
Unfiltered content profile Options
Planning your FortiGate configuration
Example NAT/Route mode network configuration
NAT/Route mode with multiple external network connections
Example NAT/Route multiple internet connection configuration
Configuration options
Setup Wizard
FortiGate model maximum values matrix
Next steps
Configuration options Getting started
Internal servers
NAT/Route mode installation
Preparing to configure NAT/Route mode
Advanced NAT/Route mode settings
Advanced FortiGate NAT/Route mode settings
DMZ interface
Dhcp server
Using the setup wizard
Using the command line interface
Set system interface external mode static ip 204.23.1.5
Connecting the FortiGate unit to your networks
FortiGate-100 NAT/Route mode connections
Configuring your networks
Completing the configuration
Configuring the DMZ interface
Setting the date and time
Configuration example Multiple connections to the Internet
Configuring virus and attack definition updates
Enabling antivirus protection
Registering your FortiGate
Example multiple Internet connection configuration
Configuring Ping servers
Primary and backup links to the Internet
Using the CLI
Destination based routing examples
Load sharing
Load sharing and primary and secondary connections
Adding the routes using the CLI
Routing table should have routes arranged as shown in Table
Routing a service to an external network
Policy routing examples
Adding a redundant default policy
Firewall policy example
Adding more firewall policies
Action Accept
Restricting access to a single Internet connection
Transparent mode installation
Preparing to configure Transparent mode
Transparent mode settings Administrator Password
DNS Settings
Changing to Transparent mode
Go to System Status
Configuring the Transparent mode management IP address
Configure the Transparent mode default gateway
FortiGate-100 Transparent mode connections
Setting the date and time
Transparent mode configuration examples
Default routes and static routes
General configuration steps
Default route to an external network
Web-based manager example configuration steps
CLI configuration steps
Go to System Network Management
Go to System Network Routing
Static route to an external destination
Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1
Example static route to an internal destination
Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
System status
Changing the FortiGate firmware
Firmware upgrade procedures Procedure Description
Changing the FortiGate host name
Upgrading the firmware using the CLI
Upgrade to a new firmware version
Upgrading the firmware using the web-based manager
Execute restore image namestr tftpip
Revert to a previous firmware version
Reverting to a previous firmware version using the CLI
Execute ping
Install a firmware image from a system reboot using the CLI
To install firmware from a system reboot
Press Any Key To Download Boot Image
Test a new firmware image before installing it
Restoring your previous configuration
Installing and using a backup firmware image
Installing a backup firmware image
Switching to the backup firmware image
Manual virus definition updates
Switching back to the default firmware image
Manual attack definition updates
Backing up system settings
Displaying the FortiGate serial number
Displaying the FortiGate up time
Restoring system settings
Restoring system settings to factory defaults
Restarting the FortiGate unit
Changing to Transparent mode
Changing to NAT/Route mode
Viewing CPU and memory status
Shutting down the FortiGate unit
Viewing sessions and network status
Go to System Status Monitor
Viewing virus and intrusions status
Sessions and network status monitor
Session list
Viewing the session list Go to System Status Session
To IP
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
Connecting to the FortiResponse Distribution Network
Version Expiry date Last update attempt Last update status
Configuring scheduled updates
Go to System Update
Successful Update FDN error
Configuring update logging
Go to Log&Report Log Setting
Manually updating antivirus and attack definitions
Configuring push updates
Adding an override server
To enable push updates
About push updates
Push updates and external dynamic IP addresses
Push updates through a NAT device
Example push updates through a NAT device
Example network topology Push updates through a NAT device
General procedure
Go to Firewall Virtual IP
Schedule Always Service ANY Action Accept
Adding a firewall policy for the port forwarding virtual IP
Scheduled updates through a proxy server
FortiCare Service Contracts
Registering FortiGate units
Registering the FortiGate unit
Registering a FortiGate unit product information
Recovering a lost Fortinet support password
Updating registration information
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Downloading virus and attack definitions updates
Changing your contact information or security question
Registering a FortiGate unit after an RMA
Network configuration
Configuring interfaces
Viewing the interface list
Bringing up an interface
Changing an interface static IP address
Adding a secondary IP address to an interface
Controlling management access to an interface
Adding a ping server to an interface
Configuring the external interface for Dhcp
Configuring traffic logging for connections to an interface
Configuring the external interface with a static IP address
Configuring the external interface for PPPoE
Configuring the management interface Transparent mode
Configuring routing
Adding DNS server IP addresses
Go to System Network DNS
Adding a default route
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing
Providing Dhcp services to your internal network
Policy routing command syntax
Go to System Network Dhcp
Viewing the dynamic IP list
RIP configuration
RIP settings
Go to System RIP Settings
Update
Invalid
Holddown
Configuring RIP for FortiGate interfaces
Password
Mode
Adding RIP neighbors Go to System RIP Neighbor
Adding RIP neighbors
Adding RIP filters
Adding a single RIP filter
Go to System RIP Filter
Adding a RIP filter list
Add the IP address of the route
Mask Add the netmask of the route Action
Adding a neighbors filter
Adding a routes filter
System configuration
Setting system date and time
To set the date and time Go to System Config Time
To set the system idle timeout
Changing web-based manager options
To set the Auth timeout
To modify the Dead Gateway Detection settings
To select a language for the web-based manager
Adding and editing administrator accounts
Adding new administrator accounts
Go to System Config Admin
Editing administrator accounts
To edit an administrator account Go to System Config Admin
Configuring Snmp
Configuring the FortiGate unit for Snmp monitoring
Configuring FortiGate Snmp support
Go to System Config Snmp v1/v2c
FortiGate MIBs
Trap Community Trap Receiver IP Addresses
FortiGate MIBs MIB file name Description EtherLike.mib
FortiGate traps
FortiGate traps Trap message Description
Customizing replacement messages
Go to System Config Replacement Messages
Alert email message sections
Customizing alert emails
Firewall configuration
Default firewall configuration
Addresses
Services
Content profiles
Schedules
Go to Firewall Policy
Adding firewall policies
VPN Tunnel
Traffic Shaping
Dynamic IP Pool Fixed Port
Authentication
Anti-Virus & Web filter
Log Traffic
Comments
Configuring policy lists
Policy matching in detail
Changing the order of policies in a policy list
Addresses
Enabling and disabling policies
Disabling a policy
Enabling a policy
Go to Firewall Address
Adding addresses
Editing addresses
Deleting addresses
Organizing addresses into address groups
Services
Predefined services
ANY
IRC
Providing access to custom services
Grouping services
Go to Firewall Service Custom
Go to Firewall Service Group
Schedules
Creating one-time schedules
Creating recurring schedules
Go to Firewall Schedule One-time
Adding a schedule to a policy
Virtual IPs
Adding static NAT virtual IPs
Adding port forwarding virtual IPs
Adding policies with virtual IPs
IP pools
Adding an IP pool
Go to Firewall IP Pool
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
Go to Firewall IP/MAC Binding Setting
IP/MAC binding
Go to Firewall IP/MAC Binding Static IP/MAC
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
Go to Firewall IP/MAC Binding Dynamic IP/MAC
Content profiles
Default content profiles
Adding a content profile
Go to Firewall Content Profile
Oversized File/Email Block Pass Fragmented Email
Adding a content profile to a policy
Users and authentication
Setting authentication timeout
Adding user names and configuring authentication
Deleting user names from the internal database
Configuring Radius support
Adding Radius servers
Deleting Radius servers
Configuring Ldap support
Adding Ldap servers
Go to User Ldap
Deleting Ldap servers
Configuring user groups
Adding user groups
Go to User User Group
Deleting user groups
IPSec VPN
Key management
Manual Keys
AutoIKE with pre-shared keys
AutoIKE with certificates
General configuration steps for a manual key VPN
Manual key IPSec VPNs
Adding a manual key VPN tunnel
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
Go to VPN Ipsec Phase
AutoIKE IPSec VPNs
Remote Gateway Dialup User
Remote Gateway Static IP Address
Configuring advanced options
Adding a phase 2 configuration for an AutoIKE VPN
Managing digital certificates
Obtaining a signed local certificate
Go to VPN Local Certificates
Generating the certificate request
Downloading the certificate request
Requesting the signed local certificate
Retrieving the signed local certificate
Importing the signed local certificate
Obtaining a CA certificate
Retrieving a CA certificate
Importing a CA certificate
Configuring encrypt policies
Adding a source address
Adding a destination address
Adding an encrypt policy
VPN concentrator hub general configuration steps
IPSec VPN concentrators
Source InternalAll Destination VPN spoke address Action
Go to VPN IPSec Concentrator
Adding a VPN concentrator
VPN spoke general configuration steps
VPN Tunnel
Policies
Configuring redundant IPSec VPN
Redundant IPSec VPNs
See Adding a phase 1 configuration for an AutoIKE VPN on
Monitoring and Troubleshooting VPNs
Viewing VPN tunnel status
Viewing dialup VPN connection status
Go to VPN IPSec Dialup
Testing a VPN
Configuring Pptp
Pptp and L2TP VPN
Configuring the FortiGate unit as a Pptp gateway
Adding users and user groups
Enabling Pptp and specifying an address range
Adding an address group
Configuring a Windows 98 client for Pptp
Installing Pptp support
Go to Start Settings Control Panel Network
Adding a firewall policy
Configuring a Pptp dialup connection
Connecting to the Pptp VPN
Configuring a Windows 2000 client for Pptp
Configuring a Windows XP client for Pptp
Configuring the VPN connection
Go to Start Control Panel
Configuring L2TP
Configuring the FortiGate unit as a L2TP gateway
Enabling L2TP and specifying an address range
Go to VPN L2TP L2TP Range
Sample L2TP address range configuration
Configuring a Windows 2000 client for L2TP
Configuring an L2TP dialup connection
Disabling IPSec
Connecting to the L2TP VPN
Configuring a Windows XP client for L2TP
Configuring an L2TP VPN dialup connection
Go to Start Settings
Network Intrusion Detection System Nids
Detecting attacks
Configuring checksum verification
Selecting the interfaces to monitor
Disabling the Nids
Viewing the signature list
Viewing attack descriptions
Go to Nids Detection Signature List
Enabling and disabling Nids attack signatures
Adding user-defined signatures
Go to Nids Detection User Defined Signature List
Preventing attacks
Downloading the user-defined signature list
Enabling Nids attack prevention
Setting signature threshold values
Enabling Nids attack prevention signatures
Configuring synflood signature values
Value Description Minimum Maximum Default
Logging attacks
Logging attack messages to the attack log
Reducing the number of Nids attack log and email messages
Automatic message reduction
Manual message reduction
General configuration steps
Antivirus protection
To scan FortiGate firewall traffic for viruses
Antivirus scanning
File blocking
Blocking files in firewall traffic
Adding file patterns to block
Configuring limits for oversized files and email
Blocking oversized files and emails
Exempting fragmented email from blocking
Viewing the virus list
Web filtering
Content blocking
Go to Web Filter Content Block
Adding words and phrases to the banned word list
Using the FortiGate web filter
URL blocking
Adding URLs or URL patterns to the block list
Clearing the URL block list
Downloading the URL block list
Uploading a URL block list
Using the Cerberian web filter
Installing a Cerberian license key on the FortiGate unit
Adding a Cerberian user to the FortiGate unit
Configuring Cerberian web filter
About the default group and policy
To configure the Cerberian web filtering
Enabling Cerberian URL filtering
Script filtering
Enabling the script filter
Selecting script filter options
Exempt URL list
Adding URLs to the exempt URL list
Go to Web Filter Exempt URL
Email filter
Go to Email Filter Content Block
Email banned word list
Email block list
Email exempt list
Adding address patterns to the email block list
To add a subject tag Go to Email Filter Config
Adding a subject tag
Adding address patterns to the email exempt list
Logging and reporting
Recording logs
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Filtering log messages
Recording logs in system memory
Example log filter configuration
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Go to Log&Report Log Setting Traffic Filter
Adding traffic filter entries
Destination IP Address Destination Netmask Service
Viewing logs saved to memory
Viewing logs
Configuring alert email
Searching logs
Adding alert email addresses
Testing alert email
Enabling alert email
Go to Log&Report Alert Mail Categories
Glossary
Index