Manuals / Fortinet / Computer Equipment / Network Router

Fortinet 100 user manual Authentication, Anti-Virus & Web filter, 147

Models: 100

1 272

Download 272 pages 22.37 Kb

Page 147

Firewall configuration	Firewall policy options

Authentication

Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To add and configure user groups, see “Configuring user groups” on page 179. You must add user groups before you can select Authentication.

You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.

If you want users to authenticate to use other services (for example POP3 or IMAP) you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.

In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or Telnet server using a domain name.

Anti-Virus & Web filter

Enable antivirus protection and web filter content filtering for traffic controlled by this policy. You can select Anti-Virus & Web filter if Service is set to ANY, HTTP, SMTP, POP3, IMAP, or FTP or to a service group that includes the HTTP, SMTP, POP3, IMAP, or FTP services.

Select a content profile to configure how antivirus protection and content filtering is applied to the policy. See “Content profiles” on page 169.

FortiGate-100 Installation and Configuration Guide

147

Image 147

Fortinet 100 user manual Authentication, Anti-Virus & Web filter, 147

Contents

August Installation and Configuration GuideRegulatory Compliance TrademarksTable of Contents NAT/Route mode installation System status Virus and attack definitions updates and registration RIP configuration 121 Users and authentication 173 IPSec VPN 181 Network Intrusion Detection System Nids 221 Glossary 259 Index 263 Contents Antivirus protection IntroductionEmail filtering Web content filteringFirewall NAT/Route modeNetwork intrusion detection Transparent modeWeb-based manager Secure installation, configuration, and managementFortiGate web-based manager and setup wizard Command line interfaceLogging and reporting System administrationNetwork configuration What’s new in VersionFirewall Replacement messagesUsers and authentication Dhcp serverAntivirus Web FilterEmail filter About this document Document conventions Comments on Fortinet technical documentation Fortinet documentationCustomer service and technical support Comments on Fortinet technical documentation Getting started Mounting Package contentsEnvironmental specifications Powering onConnecting to the web-based manager Connecting to the web-based managerStop bits Flow control Connecting to the command line interface CLIFactory default FortiGate configuration settings Bits per second 9600 Data bits ParityExternal interface Factory default NAT/Route mode network configurationAccount Internal interfaceFactory default firewall configuration Factory default Transparent mode network configurationAntivirus & Web Filter Factory default content profilesFactory default firewall configuration Traffic Shaping AuthenticationScan content profile Options Strict content profileScan content profile Strict content profile OptionsUnfiltered content profile Options Web content profileUnfiltered content profile Web content profile OptionsExample NAT/Route mode network configuration Planning your FortiGate configurationExample NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connectionsSetup Wizard Configuration optionsFortiGate model maximum values matrix Next steps Configuration options Getting started NAT/Route mode installation Preparing to configure NAT/Route modeInternal servers Dhcp server Advanced NAT/Route mode settingsAdvanced FortiGate NAT/Route mode settings DMZ interfaceUsing the command line interface Using the setup wizardSet system interface external mode static ip 204.23.1.5 FortiGate-100 NAT/Route mode connections Connecting the FortiGate unit to your networksSetting the date and time Configuring your networksCompleting the configuration Configuring the DMZ interfaceRegistering your FortiGate Configuration example Multiple connections to the InternetConfiguring virus and attack definition updates Enabling antivirus protectionExample multiple Internet connection configuration Destination based routing examples Configuring Ping serversPrimary and backup links to the Internet Using the CLILoad sharing and primary and secondary connections Load sharingRouting table should have routes arranged as shown in Table Adding the routes using the CLIPolicy routing examples Routing a service to an external networkAction Accept Adding a redundant default policyFirewall policy example Adding more firewall policiesRestricting access to a single Internet connection DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator PasswordGo to System Status Changing to Transparent modeConfigure the Transparent mode default gateway Configuring the Transparent mode management IP addressFortiGate-100 Transparent mode connections Setting the date and time Default routes and static routes Transparent mode configuration examplesDefault route to an external network General configuration stepsGo to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network ManagementStatic route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System statusFirmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI Revert to a previous firmware version Execute restore image namestr tftpipReverting to a previous firmware version using the CLI Execute ping To install firmware from a system reboot Install a firmware image from a system reboot using the CLIPress Any Key To Download Boot Image Restoring your previous configuration Test a new firmware image before installing itTest a new firmware image before installing it Installing a backup firmware image Installing and using a backup firmware imageInstalling and using a backup firmware image Switching to the backup firmware image Switching back to the default firmware image Manual virus definition updatesDisplaying the FortiGate up time Manual attack definition updatesBacking up system settings Displaying the FortiGate serial numberRestoring system settings to factory defaults Restoring system settingsChanging to Transparent mode Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit System statusViewing CPU and memory status Go to System Status Monitor Viewing sessions and network statusSessions and network status monitor Viewing virus and intrusions statusViewing the session list Go to System Status Session Session listTo IP Updating antivirus and attack definitions Virus and attack definitions updates and registrationVersion Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution NetworkGo to System Update Configuring scheduled updatesConfiguring update logging Go to Log&Report Log SettingSuccessful Update FDN error Configuring push updates Adding an override serverManually updating antivirus and attack definitions Push updates through a NAT device To enable push updatesAbout push updates Push updates and external dynamic IP addressesExample network topology Push updates through a NAT device Example push updates through a NAT deviceGo to Firewall Virtual IP General procedureAdding a firewall policy for the port forwarding virtual IP Schedule Always Service ANY Action Accept100 Scheduled updates through a proxy serverFortiCare Service Contracts Registering FortiGate units101 102 Registering the FortiGate unitRegistering a FortiGate unit product information 103104 Recovering a lost Fortinet support passwordUpdating registration information Viewing the list of registered FortiGate unitsRegistering a new FortiGate unit Adding or changing a FortiCare Support Contract number105 106 Changing your Fortinet support passwordDownloading virus and attack definitions updates Changing your contact information or security question107 Registering a FortiGate unit after an RMA108 Network configuration Configuring interfaces109 Adding a secondary IP address to an interface Viewing the interface listBringing up an interface Changing an interface static IP addressControlling management access to an interface Adding a ping server to an interface111 Configuring traffic logging for connections to an interface Configuring the external interface with a static IP addressConfiguring the external interface for Dhcp 113 Configuring the external interface for PPPoEConfiguring the management interface Transparent mode Go to System Network DNS Configuring routingAdding DNS server IP addresses 115Adding destination-based routes to the routing table Adding a default route117 Adding routes in Transparent modePolicy routing Configuring the routing tableGo to System Network Dhcp Providing Dhcp services to your internal networkPolicy routing command syntax 119120 Viewing the dynamic IP list121 RIP configurationRIP settings Go to System RIP Settings122 Holddown Update123 InvalidMode Configuring RIP for FortiGate interfacesPassword 124Adding RIP neighbors 125Adding RIP neighbors Go to System RIP Neighbor Go to System RIP Filter Adding RIP filtersAdding a single RIP filter 126Mask Add the netmask of the route Action Adding a RIP filter list127 Add the IP address of the routeAdding a neighbors filter Adding a routes filter128 129 System configurationSetting system date and time To set the date and time Go to System Config TimeTo set the system idle timeout Changing web-based manager options130 To select a language for the web-based manager To set the Auth timeoutTo modify the Dead Gateway Detection settings 131132 Adding and editing administrator accountsAdding new administrator accounts Go to System Config AdminEditing administrator accounts To edit an administrator account Go to System Config Admin133 Go to System Config Snmp v1/v2c Configuring SnmpConfiguring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp supportFortiGate MIBs MIB file name Description EtherLike.mib FortiGate MIBs135 Trap Community Trap Receiver IP AddressesFortiGate traps Trap message Description Customizing replacement messagesFortiGate traps 136Customizing replacement messages Go to System Config Replacement Messages137 Customizing alert emails 138Alert email message sections Alert email message sections 139140 141 Firewall configurationDefault firewall configuration Addresses142 143 ServicesContent profiles SchedulesAdding firewall policies 144Go to Firewall Policy 145 Dynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 146Authentication Anti-Virus & Web filter147 Log Traffic Comments148 149 Configuring policy listsPolicy matching in detail Changing the order of policies in a policy listEnabling a policy AddressesEnabling and disabling policies Disabling a policyAdding addresses 151Go to Firewall Address 152 Editing addressesDeleting addresses Organizing addresses into address groupsServices Predefined services153 ANY 154IRC 155Go to Firewall Service Group Providing access to custom servicesGrouping services Go to Firewall Service Custom157 SchedulesGo to Firewall Schedule One-time Creating one-time schedulesCreating recurring schedules 158159 Adding a schedule to a policyVirtual IPs Adding static NAT virtual IPs160 161 Adding port forwarding virtual IPs162 163 Adding policies with virtual IPsGo to Firewall IP Pool IP poolsAdding an IP pool 164IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT165 Go to Firewall IP/MAC Binding Static IP/MAC Go to Firewall IP/MAC Binding SettingIP/MAC binding 166167 Adding IP/MAC addressesGo to Firewall IP/MAC Binding Dynamic IP/MAC Viewing the dynamic IP/MAC listEnabling IP/MAC binding 168169 Content profiles170 Default content profilesAdding a content profile Go to Firewall Content ProfileAdding a content profile to a policy 171Oversized File/Email Block Pass Fragmented Email 172 173 Users and authentication174 Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication175 Deleting user names from the internal database176 Configuring Radius supportAdding Radius servers Deleting Radius serversGo to User Ldap Configuring Ldap supportAdding Ldap servers 177178 Deleting Ldap serversGo to User User Group Configuring user groupsAdding user groups 179180 Deleting user groups181 IPSec VPNAutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys183 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel184 AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN Go to VPN Ipsec Phase186 Remote Gateway Static IP AddressRemote Gateway Dialup User 187 Configuring advanced options188 189 Adding a phase 2 configuration for an AutoIKE VPN190 Managing digital certificates Obtaining a signed local certificate191 Generating the certificate request 192Go to VPN Local Certificates Downloading the certificate request Requesting the signed local certificate193 Retrieving the signed local certificate Importing the signed local certificate194 195 Obtaining a CA certificateRetrieving a CA certificate Importing a CA certificate196 Configuring encrypt policies197 Adding a source addressAdding a destination address Adding an encrypt policyAdding an encrypt policy 198VPN concentrator hub general configuration steps IPSec VPN concentrators199 Source InternalAll Destination VPN spoke address Action 200Adding a VPN concentrator 201Go to VPN IPSec Concentrator Policies VPN spoke general configuration steps202 VPN TunnelConfiguring redundant IPSec VPN Redundant IPSec VPNs203 204 See Adding a phase 1 configuration for an AutoIKE VPN on205 Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection statusTesting a VPN 206Go to VPN IPSec Dialup Configuring Pptp Pptp and L2TP VPN207 208 Configuring the FortiGate unit as a Pptp gatewayAdding users and user groups Enabling Pptp and specifying an address range209 Adding an address groupAdding a firewall policy Configuring a Windows 98 client for PptpInstalling Pptp support Go to Start Settings Control Panel Network211 Configuring a Pptp dialup connectionConnecting to the Pptp VPN Configuring a Windows 2000 client for PptpGo to Start Control Panel Configuring a Windows XP client for PptpConfiguring the VPN connection 212213 Configuring L2TPGo to VPN L2TP L2TP Range Configuring the FortiGate unit as a L2TP gatewayEnabling L2TP and specifying an address range 214215 Sample L2TP address range configuration216 217 Configuring a Windows 2000 client for L2TPConfiguring an L2TP dialup connection Disabling IPSecGo to Start Settings Connecting to the L2TP VPNConfiguring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection219 220 Network Intrusion Detection System Nids Detecting attacks221 222 Configuring checksum verificationSelecting the interfaces to monitor Disabling the NidsGo to Nids Detection Signature List Viewing the signature listViewing attack descriptions 223Go to Nids Detection User Defined Signature List Enabling and disabling Nids attack signaturesAdding user-defined signatures 224225 Preventing attacksDownloading the user-defined signature list Enabling Nids attack preventionSetting signature threshold values Enabling Nids attack prevention signatures226 227 Logging attack messages to the attack log Configuring synflood signature valuesValue Description Minimum Maximum Default Logging attacks229 Reducing the number of Nids attack log and email messagesAutomatic message reduction Manual message reduction230 General configuration steps Antivirus protection231 Antivirus scanning 232To scan FortiGate firewall traffic for viruses 233 File blockingBlocking files in firewall traffic Adding file patterns to blockViewing the virus list Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking235 Web filtering236 Content blockingGo to Web Filter Content Block Adding words and phrases to the banned word list237 Using the FortiGate web filterURL blocking Adding URLs or URL patterns to the block list238 Clearing the URL block listDownloading the URL block list Uploading a URL block list239 240 Using the Cerberian web filterInstalling a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unitEnabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure the Cerberian web filtering242 Script filteringEnabling the script filter Selecting script filter optionsGo to Web Filter Exempt URL Exempt URL listAdding URLs to the exempt URL list 243244 245 Email filterGo to Email Filter Content Block Email banned word list246 247 Email block listEmail exempt list Adding address patterns to the email block list248 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt listLogging and reporting Recording logs249 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server250 Filtering log messages Recording logs in system memory251 252 Example log filter configurationEnabling traffic logging for a firewall policy Configuring traffic loggingEnabling traffic logging Enabling traffic logging for an interface254 Configuring traffic filter settingsGo to Log&Report Log Setting Traffic Filter Adding traffic filter entries255 Destination IP Address Destination Netmask ServiceViewing logs saved to memory Viewing logs256 Configuring alert emailSearching logs Adding alert email addressesGo to Log&Report Alert Mail Categories Testing alert emailEnabling alert email 257258 259 Glossary260 261 262 263 IndexIndex 264FDS 265Ldap 266MIB 267RMA 268TCP 269UDP 270271 272