Manuals / Fortinet / Computer Equipment / Network Router

Fortinet 100 user manual Network intrusion detection, Transparent mode

Models: 100

1 272

Download 272 pages 22.37 Kb

Page 16

Transparent mode	Introduction

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity. NIDS detection uses attack signatures to identify over 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined detection attack signatures.

NIDS prevention detects and prevents many common denial of service and packet- based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.

To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.

Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates.

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

FortiGate VPN features include the following:

•Industry standard and ICSA-certified IPSec VPN including:

•IPSec, ESP security in tunnel mode,

•DES, 3DES (triple-DES), and AES hardware accelerated encryption,

•HMAC MD5 and HMAC SHA1 authentication and data integrity,

•AutoIKE key based on pre-shared key tunnels,

•IPSec VPN using local or CA certificates,

•Manual Keys tunnels,

•Diffie-Hellman groups 1, 2, and 5,

•Aggressive and Main Mode,

•Replay Detection,

•Perfect Forward Secrecy,

•XAuth authentication,

•Dead peer detection.

16	Fortinet Inc.

Image 16

Fortinet 100 user manual Network intrusion detection, Transparent mode

Contents

Installation and Configuration Guide AugustTrademarks Regulatory ComplianceTable of Contents NAT/Route mode installation System status Virus and attack definitions updates and registration RIP configuration 121 Users and authentication 173 IPSec VPN 181 Network Intrusion Detection System Nids 221 Glossary 259 Index 263 Contents Introduction Antivirus protectionWeb content filtering Email filteringNAT/Route mode FirewallTransparent mode Network intrusion detectionSecure installation, configuration, and management Web-based managerCommand line interface FortiGate web-based manager and setup wizardSystem administration Network configurationWhat’s new in Version Logging and reportingReplacement messages Users and authenticationDhcp server FirewallWeb Filter AntivirusEmail filter About this document Document conventions Fortinet documentation Comments on Fortinet technical documentationCustomer service and technical support Comments on Fortinet technical documentation Getting started Package contents MountingPowering on Environmental specificationsConnecting to the web-based manager Connecting to the web-based managerConnecting to the command line interface CLI Factory default FortiGate configuration settingsBits per second 9600 Data bits Parity Stop bits Flow controlFactory default NAT/Route mode network configuration AccountInternal interface External interfaceFactory default Transparent mode network configuration Factory default firewall configurationFactory default content profiles Factory default firewall configuration Traffic ShapingAuthentication Antivirus & Web FilterStrict content profile Scan content profileStrict content profile Options Scan content profile OptionsWeb content profile Unfiltered content profileWeb content profile Options Unfiltered content profile OptionsPlanning your FortiGate configuration Example NAT/Route mode network configurationNAT/Route mode with multiple external network connections Example NAT/Route multiple internet connection configurationConfiguration options Setup WizardFortiGate model maximum values matrix Next steps Configuration options Getting started Preparing to configure NAT/Route mode NAT/Route mode installationInternal servers Advanced NAT/Route mode settings Advanced FortiGate NAT/Route mode settingsDMZ interface Dhcp serverUsing the setup wizard Using the command line interfaceSet system interface external mode static ip 204.23.1.5 Connecting the FortiGate unit to your networks FortiGate-100 NAT/Route mode connectionsConfiguring your networks Completing the configurationConfiguring the DMZ interface Setting the date and timeConfiguration example Multiple connections to the Internet Configuring virus and attack definition updatesEnabling antivirus protection Registering your FortiGateExample multiple Internet connection configuration Configuring Ping servers Primary and backup links to the InternetUsing the CLI Destination based routing examplesLoad sharing Load sharing and primary and secondary connectionsAdding the routes using the CLI Routing table should have routes arranged as shown in TableRouting a service to an external network Policy routing examplesAdding a redundant default policy Firewall policy exampleAdding more firewall policies Action AcceptRestricting access to a single Internet connection Transparent mode installation Preparing to configure Transparent modeTransparent mode settings Administrator Password DNS SettingsChanging to Transparent mode Go to System StatusConfiguring the Transparent mode management IP address Configure the Transparent mode default gatewayFortiGate-100 Transparent mode connections Setting the date and time Transparent mode configuration examples Default routes and static routesGeneral configuration steps Default route to an external networkWeb-based manager example configuration steps CLI configuration stepsGo to System Network Management Go to System Network RoutingStatic route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System statusChanging the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware Upgrading the firmware using the web-based manager Upgrade to a new firmware versionUpgrading the firmware using the CLI Execute restore image namestr tftpip Revert to a previous firmware versionReverting to a previous firmware version using the CLI Execute ping Install a firmware image from a system reboot using the CLI To install firmware from a system rebootPress Any Key To Download Boot Image Test a new firmware image before installing it Restoring your previous configurationTest a new firmware image before installing it Installing and using a backup firmware image Installing a backup firmware imageInstalling and using a backup firmware image Switching to the backup firmware image Manual virus definition updates Switching back to the default firmware imageManual attack definition updates Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up timeRestoring system settings Restoring system settings to factory defaultsChanging to NAT/Route mode Changing to Transparent modeRestarting the FortiGate unit System status Shutting down the FortiGate unitViewing CPU and memory status Viewing sessions and network status Go to System Status MonitorViewing virus and intrusions status Sessions and network status monitorSession list Viewing the session list Go to System Status SessionTo IP Virus and attack definitions updates and registration Updating antivirus and attack definitionsConnecting to the FortiResponse Distribution Network Version Expiry date Last update attempt Last update statusConfiguring scheduled updates Go to System UpdateGo to Log&Report Log Setting Configuring update loggingSuccessful Update FDN error Adding an override server Configuring push updatesManually updating antivirus and attack definitions To enable push updates About push updatesPush updates and external dynamic IP addresses Push updates through a NAT deviceExample push updates through a NAT device Example network topology Push updates through a NAT deviceGeneral procedure Go to Firewall Virtual IPSchedule Always Service ANY Action Accept Adding a firewall policy for the port forwarding virtual IPScheduled updates through a proxy server 100Registering FortiGate units FortiCare Service Contracts101 Registering the FortiGate unit 102103 Registering a FortiGate unit product informationRecovering a lost Fortinet support password Updating registration informationViewing the list of registered FortiGate units 104Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit105 Changing your Fortinet support password Downloading virus and attack definitions updatesChanging your contact information or security question 106Registering a FortiGate unit after an RMA 107108 Configuring interfaces Network configuration109 Viewing the interface list Bringing up an interfaceChanging an interface static IP address Adding a secondary IP address to an interfaceAdding a ping server to an interface Controlling management access to an interface111 Configuring the external interface with a static IP address Configuring traffic logging for connections to an interfaceConfiguring the external interface for Dhcp Configuring the external interface for PPPoE 113Configuring the management interface Transparent mode Configuring routing Adding DNS server IP addresses115 Go to System Network DNSAdding a default route Adding destination-based routes to the routing tableAdding routes in Transparent mode 117Configuring the routing table Policy routingProviding Dhcp services to your internal network Policy routing command syntax119 Go to System Network DhcpViewing the dynamic IP list 120RIP configuration 121Go to System RIP Settings RIP settings122 Update 123Invalid HolddownConfiguring RIP for FortiGate interfaces Password124 Mode125 Adding RIP neighborsAdding RIP neighbors Go to System RIP Neighbor Adding RIP filters Adding a single RIP filter126 Go to System RIP FilterAdding a RIP filter list 127Add the IP address of the route Mask Add the netmask of the route ActionAdding a routes filter Adding a neighbors filter128 System configuration Setting system date and timeTo set the date and time Go to System Config Time 129Changing web-based manager options To set the system idle timeout130 To set the Auth timeout To modify the Dead Gateway Detection settings131 To select a language for the web-based managerAdding and editing administrator accounts Adding new administrator accountsGo to System Config Admin 132To edit an administrator account Go to System Config Admin Editing administrator accounts133 Configuring Snmp Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Go to System Config Snmp v1/v2cFortiGate MIBs 135Trap Community Trap Receiver IP Addresses FortiGate MIBs MIB file name Description EtherLike.mibCustomizing replacement messages FortiGate traps136 FortiGate traps Trap message DescriptionGo to System Config Replacement Messages Customizing replacement messages137 138 Customizing alert emailsAlert email message sections 139 Alert email message sections140 Firewall configuration 141Addresses Default firewall configuration142 Services Content profilesSchedules 143144 Adding firewall policiesGo to Firewall Policy 145 VPN Tunnel Traffic Shaping146 Dynamic IP Pool Fixed PortAnti-Virus & Web filter Authentication147 Comments Log Traffic148 Configuring policy lists Policy matching in detailChanging the order of policies in a policy list 149Addresses Enabling and disabling policiesDisabling a policy Enabling a policy151 Adding addressesGo to Firewall Address Editing addresses Deleting addressesOrganizing addresses into address groups 152Predefined services Services153 154 ANY155 IRCProviding access to custom services Grouping servicesGo to Firewall Service Custom Go to Firewall Service GroupSchedules 157Creating one-time schedules Creating recurring schedules158 Go to Firewall Schedule One-timeAdding a schedule to a policy 159Adding static NAT virtual IPs Virtual IPs160 Adding port forwarding virtual IPs 161162 Adding policies with virtual IPs 163IP pools Adding an IP pool164 Go to Firewall IP PoolIP pools and dynamic NAT IP Pools for firewall policies that use fixed ports165 Go to Firewall IP/MAC Binding Setting IP/MAC binding166 Go to Firewall IP/MAC Binding Static IP/MACAdding IP/MAC addresses 167Viewing the dynamic IP/MAC list Enabling IP/MAC binding168 Go to Firewall IP/MAC Binding Dynamic IP/MACContent profiles 169Default content profiles Adding a content profileGo to Firewall Content Profile 170171 Adding a content profile to a policyOversized File/Email Block Pass Fragmented Email 172 Users and authentication 173Setting authentication timeout Adding user names and configuring authenticationAdding user names and configuring authentication 174Deleting user names from the internal database 175Configuring Radius support Adding Radius serversDeleting Radius servers 176Configuring Ldap support Adding Ldap servers177 Go to User LdapDeleting Ldap servers 178Configuring user groups Adding user groups179 Go to User User GroupDeleting user groups 180IPSec VPN 181Key management Manual KeysAutoIKE with pre-shared keys AutoIKE with certificatesGeneral configuration steps for a manual key VPN Manual key IPSec VPNsAdding a manual key VPN tunnel 183184 General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPNGo to VPN Ipsec Phase AutoIKE IPSec VPNsRemote Gateway Static IP Address 186Remote Gateway Dialup User Configuring advanced options 187188 Adding a phase 2 configuration for an AutoIKE VPN 189190 Obtaining a signed local certificate Managing digital certificates191 192 Generating the certificate requestGo to VPN Local Certificates Requesting the signed local certificate Downloading the certificate request193 Importing the signed local certificate Retrieving the signed local certificate194 Obtaining a CA certificate Retrieving a CA certificateImporting a CA certificate 195Configuring encrypt policies 196Adding a source address Adding a destination addressAdding an encrypt policy 197198 Adding an encrypt policyIPSec VPN concentrators VPN concentrator hub general configuration steps199 200 Source InternalAll Destination VPN spoke address Action201 Adding a VPN concentratorGo to VPN IPSec Concentrator VPN spoke general configuration steps 202VPN Tunnel PoliciesRedundant IPSec VPNs Configuring redundant IPSec VPN203 See Adding a phase 1 configuration for an AutoIKE VPN on 204Monitoring and Troubleshooting VPNs Viewing VPN tunnel statusViewing dialup VPN connection status 205206 Testing a VPNGo to VPN IPSec Dialup Pptp and L2TP VPN Configuring Pptp207 Configuring the FortiGate unit as a Pptp gateway Adding users and user groupsEnabling Pptp and specifying an address range 208Adding an address group 209Configuring a Windows 98 client for Pptp Installing Pptp supportGo to Start Settings Control Panel Network Adding a firewall policyConfiguring a Pptp dialup connection Connecting to the Pptp VPNConfiguring a Windows 2000 client for Pptp 211Configuring a Windows XP client for Pptp Configuring the VPN connection212 Go to Start Control PanelConfiguring L2TP 213Configuring the FortiGate unit as a L2TP gateway Enabling L2TP and specifying an address range214 Go to VPN L2TP L2TP RangeSample L2TP address range configuration 215216 Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connectionDisabling IPSec 217Connecting to the L2TP VPN Configuring a Windows XP client for L2TPConfiguring an L2TP VPN dialup connection Go to Start Settings219 220 Detecting attacks Network Intrusion Detection System Nids221 Configuring checksum verification Selecting the interfaces to monitorDisabling the Nids 222Viewing the signature list Viewing attack descriptions223 Go to Nids Detection Signature ListEnabling and disabling Nids attack signatures Adding user-defined signatures224 Go to Nids Detection User Defined Signature ListPreventing attacks Downloading the user-defined signature listEnabling Nids attack prevention 225Enabling Nids attack prevention signatures Setting signature threshold values226 227 Configuring synflood signature values Value Description Minimum Maximum DefaultLogging attacks Logging attack messages to the attack logReducing the number of Nids attack log and email messages Automatic message reductionManual message reduction 229230 Antivirus protection General configuration steps231 232 Antivirus scanningTo scan FortiGate firewall traffic for viruses File blocking Blocking files in firewall trafficAdding file patterns to block 233Configuring limits for oversized files and email Blocking oversized files and emailsExempting fragmented email from blocking Viewing the virus listWeb filtering 235Content blocking Go to Web Filter Content BlockAdding words and phrases to the banned word list 236Using the FortiGate web filter URL blockingAdding URLs or URL patterns to the block list 237Clearing the URL block list 238Uploading a URL block list Downloading the URL block list239 Using the Cerberian web filter Installing a Cerberian license key on the FortiGate unitAdding a Cerberian user to the FortiGate unit 240Configuring Cerberian web filter About the default group and policyTo configure the Cerberian web filtering Enabling Cerberian URL filteringScript filtering Enabling the script filterSelecting script filter options 242Exempt URL list Adding URLs to the exempt URL list243 Go to Web Filter Exempt URL244 Email filter 245Email banned word list Go to Email Filter Content Block246 Email block list Email exempt listAdding address patterns to the email block list 247To add a subject tag Go to Email Filter Config Adding a subject tagAdding address patterns to the email exempt list 248Recording logs Logging and reporting249 Recording logs on a NetIQ WebTrends server Recording logs on a remote computer250 Recording logs in system memory Filtering log messages251 Example log filter configuration 252Configuring traffic logging Enabling traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a firewall policyConfiguring traffic filter settings Go to Log&Report Log Setting Traffic FilterAdding traffic filter entries 254Destination IP Address Destination Netmask Service Viewing logs saved to memoryViewing logs 255Configuring alert email Searching logsAdding alert email addresses 256Testing alert email Enabling alert email257 Go to Log&Report Alert Mail Categories258 Glossary 259260 261 262 Index 263264 Index265 FDS266 Ldap267 MIB268 RMA269 TCP270 UDP271 272