198, Adding an encrypt policy | Fortinet 100 specs

Adding an encrypt policy	IPSec VPN

Inbound NAT The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically, this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).

Outbound NAT The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network. Typically, this is an external interface of the FortiGate unit.

Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway).

If Outbound NAT is implemented, it is subject to these limitations:

—Configure Outbound NAT only at one end of the tunnel.

—The end which does not implement Outbound NAT requires an Int->Ext policy which specifies the other end’s external interface as the Destination. (This will be a public IP address.)

—The tunnel, and the traffic within the tunnel, can only be initiated at the end which implements Outbound NAT.

Refer to the FortiGate Installation and Configuration Guide to configure the remaining policy settings.

9Select OK to save the encrypt policy.

To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.

Figure 25: Adding an encrypt policy

198	Fortinet Inc.

Image 198

Fortinet 100 user manual 198, Adding an encrypt policy

Contents

Installation and Configuration Guide August Trademarks Regulatory Compliance Table of Contents NAT/Route mode installation System status Virus and attack definitions updates and registration RIP configuration 121 Users and authentication 173 IPSec VPN 181 Network Intrusion Detection System Nids 221 Glossary 259 Index 263 Contents Introduction Antivirus protection Web content filtering Email filtering NAT/Route mode Firewall Transparent mode Network intrusion detection Secure installation, configuration, and management Web-based manager Command line interface FortiGate web-based manager and setup wizard What’s new in Version System administrationNetwork configuration Logging and reporting Dhcp server Replacement messagesUsers and authentication Firewall Antivirus Web FilterEmail filter About this document Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Comments on Fortinet technical documentation Getting started Package contents Mounting Powering on Environmental specifications Connecting to the web-based manager Connecting to the web-based manager Bits per second 9600 Data bits Parity Connecting to the command line interface CLIFactory default FortiGate configuration settings Stop bits Flow control Internal interface Factory default NAT/Route mode network configurationAccount External interface Factory default Transparent mode network configuration Factory default firewall configuration Authentication Factory default content profilesFactory default firewall configuration Traffic Shaping Antivirus & Web Filter Strict content profile Options Strict content profileScan content profile Scan content profile Options Web content profile Options Web content profileUnfiltered content profile Unfiltered content profile Options Planning your FortiGate configuration Example NAT/Route mode network configuration NAT/Route mode with multiple external network connections Example NAT/Route multiple internet connection configuration Configuration options Setup Wizard FortiGate model maximum values matrix Next steps Configuration options Getting started NAT/Route mode installation Preparing to configure NAT/Route modeInternal servers DMZ interface Advanced NAT/Route mode settingsAdvanced FortiGate NAT/Route mode settings Dhcp server Using the setup wizard Using the command line interface Set system interface external mode static ip 204.23.1.5 Connecting the FortiGate unit to your networks FortiGate-100 NAT/Route mode connections Configuring the DMZ interface Configuring your networksCompleting the configuration Setting the date and time Enabling antivirus protection Configuration example Multiple connections to the InternetConfiguring virus and attack definition updates Registering your FortiGate Example multiple Internet connection configuration Using the CLI Configuring Ping serversPrimary and backup links to the Internet Destination based routing examples Load sharing Load sharing and primary and secondary connections Adding the routes using the CLI Routing table should have routes arranged as shown in Table Routing a service to an external network Policy routing examples Adding more firewall policies Adding a redundant default policyFirewall policy example Action Accept Restricting access to a single Internet connection Transparent mode settings Administrator Password Transparent mode installationPreparing to configure Transparent mode DNS Settings Changing to Transparent mode Go to System Status Configuring the Transparent mode management IP address Configure the Transparent mode default gateway FortiGate-100 Transparent mode connections Setting the date and time Transparent mode configuration examples Default routes and static routes General configuration steps Default route to an external network Go to System Network Management Web-based manager example configuration stepsCLI configuration steps Go to System Network Routing Static route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Firmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI Execute restore image namestr tftpip Revert to a previous firmware version Reverting to a previous firmware version using the CLI Execute ping Install a firmware image from a system reboot using the CLI To install firmware from a system reboot Press Any Key To Download Boot Image Test a new firmware image before installing it Restoring your previous configuration Test a new firmware image before installing it Installing and using a backup firmware image Installing a backup firmware image Installing and using a backup firmware image Switching to the backup firmware image Manual virus definition updates Switching back to the default firmware image Displaying the FortiGate serial number Manual attack definition updatesBacking up system settings Displaying the FortiGate up time Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit System statusViewing CPU and memory status Viewing sessions and network status Go to System Status Monitor Viewing virus and intrusions status Sessions and network status monitor Session list Viewing the session list Go to System Status Session To IP Virus and attack definitions updates and registration Updating antivirus and attack definitions Connecting to the FortiResponse Distribution Network Version Expiry date Last update attempt Last update status Configuring scheduled updates Go to System Update Configuring update logging Go to Log&Report Log SettingSuccessful Update FDN error Configuring push updates Adding an override serverManually updating antivirus and attack definitions Push updates and external dynamic IP addresses To enable push updatesAbout push updates Push updates through a NAT device Example push updates through a NAT device Example network topology Push updates through a NAT device General procedure Go to Firewall Virtual IP Schedule Always Service ANY Action Accept Adding a firewall policy for the port forwarding virtual IP Scheduled updates through a proxy server 100 FortiCare Service Contracts Registering FortiGate units101 Registering the FortiGate unit 102 103 Registering a FortiGate unit product information Viewing the list of registered FortiGate units Recovering a lost Fortinet support passwordUpdating registration information 104 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number105 Changing your contact information or security question Changing your Fortinet support passwordDownloading virus and attack definitions updates 106 Registering a FortiGate unit after an RMA 107 108 Network configuration Configuring interfaces109 Changing an interface static IP address Viewing the interface listBringing up an interface Adding a secondary IP address to an interface Controlling management access to an interface Adding a ping server to an interface111 Configuring traffic logging for connections to an interface Configuring the external interface with a static IP addressConfiguring the external interface for Dhcp Configuring the external interface for PPPoE 113 Configuring the management interface Transparent mode 115 Configuring routingAdding DNS server IP addresses Go to System Network DNS Adding a default route Adding destination-based routes to the routing table Adding routes in Transparent mode 117 Configuring the routing table Policy routing 119 Providing Dhcp services to your internal networkPolicy routing command syntax Go to System Network Dhcp Viewing the dynamic IP list 120 RIP configuration 121 RIP settings Go to System RIP Settings122 Invalid Update123 Holddown 124 Configuring RIP for FortiGate interfacesPassword Mode Adding RIP neighbors 125Adding RIP neighbors Go to System RIP Neighbor 126 Adding RIP filtersAdding a single RIP filter Go to System RIP Filter Add the IP address of the route Adding a RIP filter list127 Mask Add the netmask of the route Action Adding a neighbors filter Adding a routes filter128 To set the date and time Go to System Config Time System configurationSetting system date and time 129 To set the system idle timeout Changing web-based manager options130 131 To set the Auth timeoutTo modify the Dead Gateway Detection settings To select a language for the web-based manager Go to System Config Admin Adding and editing administrator accountsAdding new administrator accounts 132 Editing administrator accounts To edit an administrator account Go to System Config Admin133 Configuring FortiGate Snmp support Configuring SnmpConfiguring the FortiGate unit for Snmp monitoring Go to System Config Snmp v1/v2c Trap Community Trap Receiver IP Addresses FortiGate MIBs135 FortiGate MIBs MIB file name Description EtherLike.mib 136 Customizing replacement messagesFortiGate traps FortiGate traps Trap message Description Customizing replacement messages Go to System Config Replacement Messages137 Customizing alert emails 138Alert email message sections 139 Alert email message sections 140 Firewall configuration 141 Default firewall configuration Addresses142 Schedules ServicesContent profiles 143 Adding firewall policies 144Go to Firewall Policy 145 146 VPN TunnelTraffic Shaping Dynamic IP Pool Fixed Port Authentication Anti-Virus & Web filter147 Log Traffic Comments148 Changing the order of policies in a policy list Configuring policy listsPolicy matching in detail 149 Disabling a policy AddressesEnabling and disabling policies Enabling a policy Adding addresses 151Go to Firewall Address Organizing addresses into address groups Editing addressesDeleting addresses 152 Services Predefined services153 154 ANY 155 IRC Go to Firewall Service Custom Providing access to custom servicesGrouping services Go to Firewall Service Group Schedules 157 158 Creating one-time schedulesCreating recurring schedules Go to Firewall Schedule One-time Adding a schedule to a policy 159 Virtual IPs Adding static NAT virtual IPs160 Adding port forwarding virtual IPs 161 162 Adding policies with virtual IPs 163 164 IP poolsAdding an IP pool Go to Firewall IP Pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT165 166 Go to Firewall IP/MAC Binding SettingIP/MAC binding Go to Firewall IP/MAC Binding Static IP/MAC Adding IP/MAC addresses 167 168 Viewing the dynamic IP/MAC listEnabling IP/MAC binding Go to Firewall IP/MAC Binding Dynamic IP/MAC Content profiles 169 Go to Firewall Content Profile Default content profilesAdding a content profile 170 Adding a content profile to a policy 171Oversized File/Email Block Pass Fragmented Email 172 Users and authentication 173 Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication 174 Deleting user names from the internal database 175 Deleting Radius servers Configuring Radius supportAdding Radius servers 176 177 Configuring Ldap supportAdding Ldap servers Go to User Ldap Deleting Ldap servers 178 179 Configuring user groupsAdding user groups Go to User User Group Deleting user groups 180 IPSec VPN 181 AutoIKE with pre-shared keys Key managementManual Keys AutoIKE with certificates Adding a manual key VPN tunnel General configuration steps for a manual key VPNManual key IPSec VPNs 183 184 Go to VPN Ipsec Phase General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN AutoIKE IPSec VPNs 186 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options 187 188 Adding a phase 2 configuration for an AutoIKE VPN 189 190 Managing digital certificates Obtaining a signed local certificate191 Generating the certificate request 192Go to VPN Local Certificates Downloading the certificate request Requesting the signed local certificate193 Retrieving the signed local certificate Importing the signed local certificate194 Importing a CA certificate Obtaining a CA certificateRetrieving a CA certificate 195 Configuring encrypt policies 196 Adding an encrypt policy Adding a source addressAdding a destination address 197 198 Adding an encrypt policy VPN concentrator hub general configuration steps IPSec VPN concentrators199 200 Source InternalAll Destination VPN spoke address Action Adding a VPN concentrator 201Go to VPN IPSec Concentrator VPN Tunnel VPN spoke general configuration steps202 Policies Configuring redundant IPSec VPN Redundant IPSec VPNs203 See Adding a phase 1 configuration for an AutoIKE VPN on 204 Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsViewing VPN tunnel status 205 Testing a VPN 206Go to VPN IPSec Dialup Configuring Pptp Pptp and L2TP VPN207 Enabling Pptp and specifying an address range Configuring the FortiGate unit as a Pptp gatewayAdding users and user groups 208 Adding an address group 209 Go to Start Settings Control Panel Network Configuring a Windows 98 client for PptpInstalling Pptp support Adding a firewall policy Configuring a Windows 2000 client for Pptp Configuring a Pptp dialup connectionConnecting to the Pptp VPN 211 212 Configuring a Windows XP client for PptpConfiguring the VPN connection Go to Start Control Panel Configuring L2TP 213 214 Configuring the FortiGate unit as a L2TP gatewayEnabling L2TP and specifying an address range Go to VPN L2TP L2TP Range Sample L2TP address range configuration 215 216 Disabling IPSec Configuring a Windows 2000 client for L2TPConfiguring an L2TP dialup connection 217 Configuring an L2TP VPN dialup connection Connecting to the L2TP VPNConfiguring a Windows XP client for L2TP Go to Start Settings 219 220 Network Intrusion Detection System Nids Detecting attacks221 Disabling the Nids Configuring checksum verificationSelecting the interfaces to monitor 222 223 Viewing the signature listViewing attack descriptions Go to Nids Detection Signature List 224 Enabling and disabling Nids attack signaturesAdding user-defined signatures Go to Nids Detection User Defined Signature List Enabling Nids attack prevention Preventing attacksDownloading the user-defined signature list 225 Setting signature threshold values Enabling Nids attack prevention signatures226 227 Logging attacks Configuring synflood signature valuesValue Description Minimum Maximum Default Logging attack messages to the attack log Manual message reduction Reducing the number of Nids attack log and email messagesAutomatic message reduction 229 230 General configuration steps Antivirus protection231 Antivirus scanning 232To scan FortiGate firewall traffic for viruses Adding file patterns to block File blockingBlocking files in firewall traffic 233 Exempting fragmented email from blocking Configuring limits for oversized files and emailBlocking oversized files and emails Viewing the virus list Web filtering 235 Adding words and phrases to the banned word list Content blockingGo to Web Filter Content Block 236 Adding URLs or URL patterns to the block list Using the FortiGate web filterURL blocking 237 Clearing the URL block list 238 Downloading the URL block list Uploading a URL block list239 Adding a Cerberian user to the FortiGate unit Using the Cerberian web filterInstalling a Cerberian license key on the FortiGate unit 240 To configure the Cerberian web filtering Configuring Cerberian web filterAbout the default group and policy Enabling Cerberian URL filtering Selecting script filter options Script filteringEnabling the script filter 242 243 Exempt URL listAdding URLs to the exempt URL list Go to Web Filter Exempt URL 244 Email filter 245 Go to Email Filter Content Block Email banned word list246 Adding address patterns to the email block list Email block listEmail exempt list 247 Adding address patterns to the email exempt list To add a subject tag Go to Email Filter ConfigAdding a subject tag 248 Logging and reporting Recording logs249 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server250 Filtering log messages Recording logs in system memory251 Example log filter configuration 252 Enabling traffic logging for an interface Configuring traffic loggingEnabling traffic logging Enabling traffic logging for a firewall policy Adding traffic filter entries Configuring traffic filter settingsGo to Log&Report Log Setting Traffic Filter 254 Viewing logs Destination IP Address Destination Netmask ServiceViewing logs saved to memory 255 Adding alert email addresses Configuring alert emailSearching logs 256 257 Testing alert emailEnabling alert email Go to Log&Report Alert Mail Categories 258 Glossary 259 260 261 262 Index 263 264 Index 265 FDS 266 Ldap 267 MIB 268 RMA 269 TCP 270 UDP 271 272