145 | Fortinet 100 manual

Firewall configuration	Firewall policy options

Firewall policy options

This section describes the options that you can add to firewall policies.

Source

Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see “Addresses” on page 150.

Destination

Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface. To add an address, see “Addresses” on page 150.

For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs” on page 160.

Schedule

Select a schedule that controls when the policy is available to be matched with connections. See “Schedules” on page 157.

Service

Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See “Services” on page 153.

Action

Select how the firewall should respond when the policy matches a connection attempt.

ACCEPT	Accept the connection. If you select ACCEPT, you can also configure NAT
	and Authentication for the policy.
DENY	Deny the connection. The only other policy option that you can configure is
	log traffic, to log the connections denied by this policy.
ENCRYPT	Make this policy an IPSec VPN policy. If you select ENCRYPT, you can
	select an AutoIKE key or Manual Key VPN tunnel for the policy and configure
	other IPSec settings. You cannot add authentication to an ENCRYPT policy.
	ENCRYPT is not available in Transparent mode. See “Configuring encrypt
	policies” on page 196.

NAT

Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.

FortiGate-100 Installation and Configuration Guide

145

Image 145

Fortinet 100 user manual 145

Contents

August Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents NAT/Route mode installation System status Virus and attack definitions updates and registration RIP configuration 121 Users and authentication 173 IPSec VPN 181 Network Intrusion Detection System Nids 221 Glossary 259 Index 263 Contents Antivirus protection Introduction Email filtering Web content filtering Firewall NAT/Route mode Network intrusion detection Transparent mode Web-based manager Secure installation, configuration, and management FortiGate web-based manager and setup wizard Command line interface Network configuration System administrationWhat’s new in Version Logging and reporting Users and authentication Replacement messagesDhcp server Firewall Web Filter AntivirusEmail filter About this document Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Comments on Fortinet technical documentation Getting started Mounting Package contents Environmental specifications Powering on Connecting to the web-based manager Connecting to the web-based manager Factory default FortiGate configuration settings Connecting to the command line interface CLIBits per second 9600 Data bits Parity Stop bits Flow control Account Factory default NAT/Route mode network configurationInternal interface External interface Factory default firewall configuration Factory default Transparent mode network configuration Factory default firewall configuration Traffic Shaping Factory default content profilesAuthentication Antivirus & Web Filter Scan content profile Strict content profileStrict content profile Options Scan content profile Options Unfiltered content profile Web content profileWeb content profile Options Unfiltered content profile Options Example NAT/Route mode network configuration Planning your FortiGate configuration Example NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connections Setup Wizard Configuration options FortiGate model maximum values matrix Next steps Configuration options Getting started Preparing to configure NAT/Route mode NAT/Route mode installationInternal servers Advanced FortiGate NAT/Route mode settings Advanced NAT/Route mode settingsDMZ interface Dhcp server Using the command line interface Using the setup wizard Set system interface external mode static ip 204.23.1.5 FortiGate-100 NAT/Route mode connections Connecting the FortiGate unit to your networks Completing the configuration Configuring your networksConfiguring the DMZ interface Setting the date and time Configuring virus and attack definition updates Configuration example Multiple connections to the InternetEnabling antivirus protection Registering your FortiGate Example multiple Internet connection configuration Primary and backup links to the Internet Configuring Ping serversUsing the CLI Destination based routing examples Load sharing and primary and secondary connections Load sharing Routing table should have routes arranged as shown in Table Adding the routes using the CLI Policy routing examples Routing a service to an external network Firewall policy example Adding a redundant default policyAdding more firewall policies Action Accept Restricting access to a single Internet connection Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS Settings Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address FortiGate-100 Transparent mode connections Setting the date and time Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps CLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network Routing Static route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Changing the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware Upgrading the firmware using the web-based manager Upgrade to a new firmware versionUpgrading the firmware using the CLI Revert to a previous firmware version Execute restore image namestr tftpip Reverting to a previous firmware version using the CLI Execute ping To install firmware from a system reboot Install a firmware image from a system reboot using the CLI Press Any Key To Download Boot Image Restoring your previous configuration Test a new firmware image before installing it Test a new firmware image before installing it Installing a backup firmware image Installing and using a backup firmware image Installing and using a backup firmware image Switching to the backup firmware image Switching back to the default firmware image Manual virus definition updates Backing up system settings Manual attack definition updatesDisplaying the FortiGate serial number Displaying the FortiGate up time Restoring system settings to factory defaults Restoring system settings Changing to NAT/Route mode Changing to Transparent modeRestarting the FortiGate unit System status Shutting down the FortiGate unitViewing CPU and memory status Go to System Status Monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status Viewing the session list Go to System Status Session Session list To IP Updating antivirus and attack definitions Virus and attack definitions updates and registration Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution Network Go to System Update Configuring scheduled updates Go to Log&Report Log Setting Configuring update loggingSuccessful Update FDN error Adding an override server Configuring push updatesManually updating antivirus and attack definitions About push updates To enable push updatesPush updates and external dynamic IP addresses Push updates through a NAT device Example network topology Push updates through a NAT device Example push updates through a NAT device Go to Firewall Virtual IP General procedure Adding a firewall policy for the port forwarding virtual IP Schedule Always Service ANY Action Accept 100 Scheduled updates through a proxy server Registering FortiGate units FortiCare Service Contracts101 102 Registering the FortiGate unit Registering a FortiGate unit product information 103 Updating registration information Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units 104 Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit105 Downloading virus and attack definitions updates Changing your Fortinet support passwordChanging your contact information or security question 106 107 Registering a FortiGate unit after an RMA 108 Configuring interfaces Network configuration109 Bringing up an interface Viewing the interface listChanging an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface111 Configuring the external interface with a static IP address Configuring traffic logging for connections to an interfaceConfiguring the external interface for Dhcp 113 Configuring the external interface for PPPoE Configuring the management interface Transparent mode Adding DNS server IP addresses Configuring routing115 Go to System Network DNS Adding destination-based routes to the routing table Adding a default route 117 Adding routes in Transparent mode Policy routing Configuring the routing table Policy routing command syntax Providing Dhcp services to your internal network119 Go to System Network Dhcp 120 Viewing the dynamic IP list 121 RIP configuration Go to System RIP Settings RIP settings122 123 UpdateInvalid Holddown Password Configuring RIP for FortiGate interfaces124 Mode 125 Adding RIP neighborsAdding RIP neighbors Go to System RIP Neighbor Adding a single RIP filter Adding RIP filters126 Go to System RIP Filter 127 Adding a RIP filter listAdd the IP address of the route Mask Add the netmask of the route Action Adding a routes filter Adding a neighbors filter128 Setting system date and time System configurationTo set the date and time Go to System Config Time 129 Changing web-based manager options To set the system idle timeout130 To modify the Dead Gateway Detection settings To set the Auth timeout131 To select a language for the web-based manager Adding new administrator accounts Adding and editing administrator accountsGo to System Config Admin 132 To edit an administrator account Go to System Config Admin Editing administrator accounts133 Configuring the FortiGate unit for Snmp monitoring Configuring SnmpConfiguring FortiGate Snmp support Go to System Config Snmp v1/v2c 135 FortiGate MIBsTrap Community Trap Receiver IP Addresses FortiGate MIBs MIB file name Description EtherLike.mib FortiGate traps Customizing replacement messages136 FortiGate traps Trap message Description Go to System Config Replacement Messages Customizing replacement messages137 138 Customizing alert emailsAlert email message sections Alert email message sections 139 140 141 Firewall configuration Addresses Default firewall configuration142 Content profiles ServicesSchedules 143 144 Adding firewall policiesGo to Firewall Policy 145 Traffic Shaping VPN Tunnel146 Dynamic IP Pool Fixed Port Anti-Virus & Web filter Authentication147 Comments Log Traffic148 Policy matching in detail Configuring policy listsChanging the order of policies in a policy list 149 Enabling and disabling policies AddressesDisabling a policy Enabling a policy 151 Adding addressesGo to Firewall Address Deleting addresses Editing addressesOrganizing addresses into address groups 152 Predefined services Services153 ANY 154 IRC 155 Grouping services Providing access to custom servicesGo to Firewall Service Custom Go to Firewall Service Group 157 Schedules Creating recurring schedules Creating one-time schedules158 Go to Firewall Schedule One-time 159 Adding a schedule to a policy Adding static NAT virtual IPs Virtual IPs160 161 Adding port forwarding virtual IPs 162 163 Adding policies with virtual IPs Adding an IP pool IP pools164 Go to Firewall IP Pool IP pools and dynamic NAT IP Pools for firewall policies that use fixed ports165 IP/MAC binding Go to Firewall IP/MAC Binding Setting166 Go to Firewall IP/MAC Binding Static IP/MAC 167 Adding IP/MAC addresses Enabling IP/MAC binding Viewing the dynamic IP/MAC list168 Go to Firewall IP/MAC Binding Dynamic IP/MAC 169 Content profiles Adding a content profile Default content profilesGo to Firewall Content Profile 170 171 Adding a content profile to a policyOversized File/Email Block Pass Fragmented Email 172 173 Users and authentication Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication 174 175 Deleting user names from the internal database Adding Radius servers Configuring Radius supportDeleting Radius servers 176 Adding Ldap servers Configuring Ldap support177 Go to User Ldap 178 Deleting Ldap servers Adding user groups Configuring user groups179 Go to User User Group 180 Deleting user groups 181 IPSec VPN Manual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 183 184 Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNGo to VPN Ipsec Phase AutoIKE IPSec VPNs Remote Gateway Static IP Address 186Remote Gateway Dialup User 187 Configuring advanced options 188 189 Adding a phase 2 configuration for an AutoIKE VPN 190 Obtaining a signed local certificate Managing digital certificates191 192 Generating the certificate requestGo to VPN Local Certificates Requesting the signed local certificate Downloading the certificate request193 Importing the signed local certificate Retrieving the signed local certificate194 Retrieving a CA certificate Obtaining a CA certificateImporting a CA certificate 195 196 Configuring encrypt policies Adding a destination address Adding a source addressAdding an encrypt policy 197 Adding an encrypt policy 198 IPSec VPN concentrators VPN concentrator hub general configuration steps199 Source InternalAll Destination VPN spoke address Action 200 201 Adding a VPN concentratorGo to VPN IPSec Concentrator 202 VPN spoke general configuration stepsVPN Tunnel Policies Redundant IPSec VPNs Configuring redundant IPSec VPN203 204 See Adding a phase 1 configuration for an AutoIKE VPN on Viewing VPN tunnel status Monitoring and Troubleshooting VPNsViewing dialup VPN connection status 205 206 Testing a VPNGo to VPN IPSec Dialup Pptp and L2TP VPN Configuring Pptp207 Adding users and user groups Configuring the FortiGate unit as a Pptp gatewayEnabling Pptp and specifying an address range 208 209 Adding an address group Installing Pptp support Configuring a Windows 98 client for PptpGo to Start Settings Control Panel Network Adding a firewall policy Connecting to the Pptp VPN Configuring a Pptp dialup connectionConfiguring a Windows 2000 client for Pptp 211 Configuring the VPN connection Configuring a Windows XP client for Pptp212 Go to Start Control Panel 213 Configuring L2TP Enabling L2TP and specifying an address range Configuring the FortiGate unit as a L2TP gateway214 Go to VPN L2TP L2TP Range 215 Sample L2TP address range configuration 216 Configuring an L2TP dialup connection Configuring a Windows 2000 client for L2TPDisabling IPSec 217 Configuring a Windows XP client for L2TP Connecting to the L2TP VPNConfiguring an L2TP VPN dialup connection Go to Start Settings 219 220 Detecting attacks Network Intrusion Detection System Nids221 Selecting the interfaces to monitor Configuring checksum verificationDisabling the Nids 222 Viewing attack descriptions Viewing the signature list223 Go to Nids Detection Signature List Adding user-defined signatures Enabling and disabling Nids attack signatures224 Go to Nids Detection User Defined Signature List Downloading the user-defined signature list Preventing attacksEnabling Nids attack prevention 225 Enabling Nids attack prevention signatures Setting signature threshold values226 227 Value Description Minimum Maximum Default Configuring synflood signature valuesLogging attacks Logging attack messages to the attack log Automatic message reduction Reducing the number of Nids attack log and email messagesManual message reduction 229 230 Antivirus protection General configuration steps231 232 Antivirus scanningTo scan FortiGate firewall traffic for viruses Blocking files in firewall traffic File blockingAdding file patterns to block 233 Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking Viewing the virus list 235 Web filtering Go to Web Filter Content Block Content blockingAdding words and phrases to the banned word list 236 URL blocking Using the FortiGate web filterAdding URLs or URL patterns to the block list 237 238 Clearing the URL block list Uploading a URL block list Downloading the URL block list239 Installing a Cerberian license key on the FortiGate unit Using the Cerberian web filterAdding a Cerberian user to the FortiGate unit 240 About the default group and policy Configuring Cerberian web filterTo configure the Cerberian web filtering Enabling Cerberian URL filtering Enabling the script filter Script filteringSelecting script filter options 242 Adding URLs to the exempt URL list Exempt URL list243 Go to Web Filter Exempt URL 244 245 Email filter Email banned word list Go to Email Filter Content Block246 Email exempt list Email block listAdding address patterns to the email block list 247 Adding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 248 Recording logs Logging and reporting249 Recording logs on a NetIQ WebTrends server Recording logs on a remote computer250 Recording logs in system memory Filtering log messages251 252 Example log filter configuration Enabling traffic logging Configuring traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a firewall policy Go to Log&Report Log Setting Traffic Filter Configuring traffic filter settingsAdding traffic filter entries 254 Viewing logs saved to memory Destination IP Address Destination Netmask ServiceViewing logs 255 Searching logs Configuring alert emailAdding alert email addresses 256 Enabling alert email Testing alert email257 Go to Log&Report Alert Mail Categories 258 259 Glossary 260 261 262 263 Index Index 264 FDS 265 Ldap 266 MIB 267 RMA 268 TCP 269 UDP 270 271 272