Fortinet 100 Redundant IPSec VPNs

IPSec VPN Configuring redundant IPSec VPN

FortiGate-100 Installation and Configuration Guide 203

See “Adding an encrypt policy” on page 197.

6Arrange the policies in the following order:

• outbound encrypt policies

• inbound encrypt policy

• default non-encrypt policy (Internal_All -> External_All)

Redundant IPSec VPNs

To ensure the continuous availability of an IPSec VPN tunnel, you can configure

multiple connections between the local the FortiGate unit and the remote VPN peer

(remote gateway). With a redundant configuration, if one connection fails the

FortiGate unit will establish a tunnel using the other connection.

Configuration depends on the number of connections that each VPN peer has to the

Internet. For example, if the local VPN peer has two connections to the Internet, then

it can provide two redundant connections to the remote VPN peer.

A single VPN peer can be configured with up to three redundant connections.

The VPN peers are not required to have a matching number of Internet connections.

For example, between two VPN peers, one can have multiple Internet connections

while the other has only one Internet connection. Of course, with an asymmetrical

configuration, the level redundancy will vary from one end of the VPN to the other.

Configuring redundant IPSec VPN

Prior to configuring the VPN, make sure that both FortiGate units have multiple

connections to the Internet. For each unit, first add multiple (two or more) external

interfaces. Then assign each interface to an external zone. Finally, add a route to the

Internet through each interface.

Action ENCRYPT

VPN Tunnel The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt

policies.)

Allow inbound Select allow inbound.

Allow outbound Do not enable.

Inbound NAT Sel ect inbound NAT if required.

Outbound NAT Select outbound NAT if required.

Note: The default non-encrypt policy is required to allow the VPN spoke to access other

networks, such as the Internet.

Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that

authenticate themselves to each other with pre-shared keys or digital certificates. It is not

available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it

available to VPN peers that use manual keys.

Contents

Main Page Table of Contents 4 Page 6 Virus and attack definitions updates and registration..................................... 91 Page 8 Page 10 Network Intrusion Detection System (NIDS) ................................................... 221 Page Page Introduction Antivirus protection Web content filtering Email filtering Firewall NAT/Route mode 16 Transparent mode Network intrusion detection VPN Secure installation, configuration, and management Web-based manager 18 Command line interface Logging and reporting Whats new in Version 2.50 System administration Network configuration Routing Page Page About this document Document conventions 24 Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Page Getting started 28 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Factory default FortiGate configuration settings 32 Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration The factory default firewall configuration is the same in NAT/Route and Transparent mode. 34 Factory default content profiles Strict content profile Scan content profile 36 Web content profile Unfiltered content profile Planning your FortiGate configuration NAT/Route mode 38 NAT/Route mode with multiple external network connections Transparent mode Configuration options Setup Wizard CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Preparing to configure NAT/Route mode 44 Advanced NAT/Route mode settings DMZ interface Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Page Connecting the FortiGate unit to your networks 48 Configuring your networks Completing the configuration Configuring the DMZ interface Setting the date and time Enabling antivirus protection Configuration example: Multiple connections to the Internet Page Configuring Ping servers Destination based routing examples Primary and backup links to the Internet 52 Load sharing Load sharing and primary and secondary connections Page 54 Policy routing examples Routing traffic from internal subnets to different external networks Routing a service to an external network Firewall policy example Adding a redundant default policy Adding more firewall policies Page Transparent mode installation Preparing to configure Transparent mode 58 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Changing to Transparent mode Configuring the Transparent mode management IP address Configure the Transparent mode default gateway Connecting the FortiGate unit to your networks Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Transparent mode configuration examples Default routes and static routes Example default route to an external network Example static route to an external destination Page Page Example static route to an internal destination Page System status Changing the FortiGate host name Changing the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 72 Revert to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Install a firmware image from a system reboot using the CLI Page Test a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image Page Switching to the backup firmware image 82 Switching back to the default firmware image Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit 86 Shutting down the FortiGate unit System status Viewing CPU and memory status Viewing sessions and network status 88 Viewing virus and intrusions status Session list Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 92 Connecting to the FortiResponse Distribution Network Configuring scheduled updates 94 Configuring update logging Adding an override server Manually updating antivirus and attack definitions Configuring push updates 96 To enable push updates About push updates Push updates and external dynamic IP addresses Push updates through a NAT device Example: push updates through a NAT device Page Page 100 Scheduled updates through a proxy server Registering FortiGate units FortiCare Service Contracts 102 Registering the FortiGate unit Page 104 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number 106 Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring interfaces 110 Viewing the interface list Bringing up an interface Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface Page Configuring the external interface for PPPoE Changing the external interface MTU size to improve network performance 114 Configuring the management interface (Transparent mode) Adding DNS server IP addresses Configuring routing 116 Adding a default route Adding destination-based routes to the routing table Adding routes in Transparent mode 118 Configuring the routing table Policy routing Policy routing command syntax Providing DHCP services to your internal network 120 Viewing the dynamic IP list RIP configuration RIP settings 7Select Apply to save your changes. Configuring RIP for FortiGate interfaces Adding RIP neighbors 126 Adding RIP filters Adding a single RIP filter Adding a RIP filter list 128 Adding a neighbors filter Adding a routes filter System configuration Setting system date and time Changing web-based manager options Page 132 Adding and editing administrator accounts Adding new administrator accounts Editing administrator accounts 134 Configuring SNMP Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support FortiGate MIBs 136 FortiGate traps Customizing replacement messages Customizing replacement messages 138 Customizing alert emails Block alert Critical event Page Firewall configuration 142 Default firewall configuration Addresses Services Schedules Content profiles Adding firewall policies Page 146 VPN Tunnel Traffic Shaping Authentication Anti-Virus & Web filter Page Configuring policy lists Policy matching in detail Changing the order of policies in a policy list 150 Enabling and disabling policies Addresses Adding addresses 152 Editing addresses Deleting addresses Organizing addresses into address groups Services Predefined services Page Page 156 Providing access to custom services Grouping services Schedules 158 Creating one-time schedules Creating recurring schedules Adding a schedule to a policy 160 Virtual IPs Adding static NAT virtual IPs Adding port forwarding virtual IPs Page Adding policies with virtual IPs 164 IP pools Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT 166 IP/MAC binding Configuring IP/MAC binding for packets going through the firewall Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses 168 Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles 170 Default content profiles Adding a content profile Adding a content profile to a policy Page Users and authentication 174 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 176 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 178 Deleting LDAP servers Configuring user groups Adding user groups 180 Deleting user groups IPSec VPN 182 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel Page AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Page 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Adding a phase 2 configuration for an AutoIKE VPN Page Managing digital certificates Obtaining a signed local certificate 192 Generating the certificate request Page 194 Retrieving the signed local certificate Importing the signed local certificate Obtaining a CA certificate Retrieving a CA certificate Importing a CA certificate Configuring encrypt policies Adding an encrypt policy Page IPSec VPN concentrators VPN concentrator (hub) general configuration steps Page Page 202 VPN spoke general configuration steps Redundant IPSec VPNs Configuring redundant IPSec VPN Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 206 Testing a VPN PPTP and L2TP VPN Configuring PPTP Page Adding a source address Adding an address group 210 Adding a destination address Adding a firewall policy Configuring a Windows 98 client for PPTP Installing PPTP support Configuring a Windows 2000 client for PPTP 212 Configuring a Windows XP client for PPTP Configuring the VPN connection Configuring L2TP Page Adding a source address Adding an address group 216 Adding a destination address Adding a firewall policy Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connection Disabling IPSec 218 Connecting to the L2TP VPN Configuring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection Configuring the VPN connection Disabling IPSec Page Network Intrusion Detection System (NIDS) Detecting attacks Page Viewing the signature list Viewing attack descriptions 224 Enabling and disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list Preventing attacks Enabling NIDS attack prevention 226 Enabling NIDS attack prevention signatures Setting signature threshold values Page 228 Configuring synflood signature values Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking Blocking files in firewall traffic Adding file patterns to block 234 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Viewing the virus list Web filtering 236 Content blocking Adding words and phrases to the banned word list URL blocking Using the FortiGate web filter Adding URLs or URL patterns to the block list 238 Clearing the URL block list Downloading the URL block list Uploading a URL block list 240 Using the Cerberian web filter Installing a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Configuring Cerberian web filter Enabling Cerberian URL filtering 242 Script filtering Enabling the script filter Selecting script filter options Exempt URL list Adding URLs to the exempt URL list Page Email filter 246 Email banned word list Adding words and phrases to the banned word list Email block list Adding address patterns to the email block list Email exempt list 248 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs 250 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server Recording logs in system memory Filtering log messages Page Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a firewall policy 254 Configuring traffic filter settings Adding traffic filter entries Viewing logs saved to memory Viewing logs 256 Searching logs Configuring alert email Adding alert email addresses Testing alert email Enabling alert email Page Glossary Page Page Page Index A 264 B C D E F G H I 266 J K L M N O P 268 R S T 270 U V W