227 | Fortinet 100 specification

Network Intrusion Detection System (NIDS)	Setting signature threshold values

For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate unit will block the attacker to eliminate disruption of system operations.

If you enter a threshold value of 0 or a number out of the allowable range, the

FortiGate unit uses the default value.

Table 6: NIDS Prevention signatures with threshold values

Signature	Threshold value units	Default	Minimum	Maximum
abbreviation		threshold	threshold	threshold
		value	value	value

synflood	Maximum number of SYN segments	200	30	3000
	received per second

portscan	Maximum number of SYN segments	128	10	256
	received per second

srcsession	Total number of TCP sessions initiated	2048	128	10240
	from the same source

ftpovfl	Maximum buffer size for an FTP	256	128	1024
	command (bytes)

smtpovfl	Maximum buffer size for an SMTP	512	128	1024
	command (bytes)

pop3ovfl	Maximum buffer size for a POP3	512	128	1024
	command (bytes)

udpflood	Maximum number of UDP packets	2048	512	102400
	received from the same source or sent
	to the same destination per second

udpsrcsession	Total number of UDP sessions initiated	1024	512	102400
	from the same source

icmpflood	Maximum number of UDP packets	256	128	102400
	received from the same source or sent
	to the same destination per second

icmpsrcsession	Total number of ICMP sessions	128	64	2048
	initiated from the same source

icmpsweep	Maximum number of ICMP packets	32	16	2048
	received from the same source per
	second

icmplarge	Maximum ICMP packet size (bytes)	32000	1024	64000

To set Prevention signature threshold values:

1Go to NIDS > Prevention.

2Select Modify beside the signature for which you want to set the Threshold value.

Signatures that do not have threshold values do not have Modify icons.

3Type the Threshold value.

4Select the Enable check box.

5Select OK.

FortiGate-100 Installation and Configuration Guide

227

Image 227

Fortinet 100 user manual 227

Contents

August Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents NAT/Route mode installation System status Virus and attack definitions updates and registration RIP configuration 121 Users and authentication 173 IPSec VPN 181 Network Intrusion Detection System Nids 221 Glossary 259 Index 263 Contents Antivirus protection Introduction Email filtering Web content filtering Firewall NAT/Route mode Network intrusion detection Transparent mode Web-based manager Secure installation, configuration, and management FortiGate web-based manager and setup wizard Command line interface Logging and reporting System administrationNetwork configuration What’s new in Version Firewall Replacement messagesUsers and authentication Dhcp server Email filter AntivirusWeb Filter About this document Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Comments on Fortinet technical documentation Getting started Mounting Package contents Environmental specifications Powering on Connecting to the web-based manager Connecting to the web-based manager Stop bits Flow control Connecting to the command line interface CLIFactory default FortiGate configuration settings Bits per second 9600 Data bits Parity External interface Factory default NAT/Route mode network configurationAccount Internal interface Factory default firewall configuration Factory default Transparent mode network configuration Antivirus & Web Filter Factory default content profilesFactory default firewall configuration Traffic Shaping Authentication Scan content profile Options Strict content profileScan content profile Strict content profile Options Unfiltered content profile Options Web content profileUnfiltered content profile Web content profile Options Example NAT/Route mode network configuration Planning your FortiGate configuration Example NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connections Setup Wizard Configuration options FortiGate model maximum values matrix Next steps Configuration options Getting started Internal servers NAT/Route mode installationPreparing to configure NAT/Route mode Dhcp server Advanced NAT/Route mode settingsAdvanced FortiGate NAT/Route mode settings DMZ interface Using the command line interface Using the setup wizard Set system interface external mode static ip 204.23.1.5 FortiGate-100 NAT/Route mode connections Connecting the FortiGate unit to your networks Setting the date and time Configuring your networksCompleting the configuration Configuring the DMZ interface Registering your FortiGate Configuration example Multiple connections to the InternetConfiguring virus and attack definition updates Enabling antivirus protection Example multiple Internet connection configuration Destination based routing examples Configuring Ping serversPrimary and backup links to the Internet Using the CLI Load sharing and primary and secondary connections Load sharing Routing table should have routes arranged as shown in Table Adding the routes using the CLI Policy routing examples Routing a service to an external network Action Accept Adding a redundant default policyFirewall policy example Adding more firewall policies Restricting access to a single Internet connection DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address FortiGate-100 Transparent mode connections Setting the date and time Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps Go to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network Management Static route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Changing the FortiGate firmware Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Upgrading the firmware using the CLI Upgrade to a new firmware versionUpgrading the firmware using the web-based manager Revert to a previous firmware version Execute restore image namestr tftpip Reverting to a previous firmware version using the CLI Execute ping To install firmware from a system reboot Install a firmware image from a system reboot using the CLI Press Any Key To Download Boot Image Restoring your previous configuration Test a new firmware image before installing it Test a new firmware image before installing it Installing a backup firmware image Installing and using a backup firmware image Installing and using a backup firmware image Switching to the backup firmware image Switching back to the default firmware image Manual virus definition updates Displaying the FortiGate up time Manual attack definition updatesBacking up system settings Displaying the FortiGate serial number Restoring system settings to factory defaults Restoring system settings Restarting the FortiGate unit Changing to Transparent modeChanging to NAT/Route mode Viewing CPU and memory status Shutting down the FortiGate unitSystem status Go to System Status Monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status Viewing the session list Go to System Status Session Session list To IP Updating antivirus and attack definitions Virus and attack definitions updates and registration Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution Network Go to System Update Configuring scheduled updates Successful Update FDN error Configuring update loggingGo to Log&Report Log Setting Manually updating antivirus and attack definitions Configuring push updatesAdding an override server Push updates through a NAT device To enable push updatesAbout push updates Push updates and external dynamic IP addresses Example network topology Push updates through a NAT device Example push updates through a NAT device Go to Firewall Virtual IP General procedure Adding a firewall policy for the port forwarding virtual IP Schedule Always Service ANY Action Accept 100 Scheduled updates through a proxy server 101 FortiCare Service ContractsRegistering FortiGate units 102 Registering the FortiGate unit Registering a FortiGate unit product information 103 104 Recovering a lost Fortinet support passwordUpdating registration information Viewing the list of registered FortiGate units 105 Registering a new FortiGate unitAdding or changing a FortiCare Support Contract number 106 Changing your Fortinet support passwordDownloading virus and attack definitions updates Changing your contact information or security question 107 Registering a FortiGate unit after an RMA 108 109 Network configurationConfiguring interfaces Adding a secondary IP address to an interface Viewing the interface listBringing up an interface Changing an interface static IP address 111 Controlling management access to an interfaceAdding a ping server to an interface Configuring the external interface for Dhcp Configuring traffic logging for connections to an interfaceConfiguring the external interface with a static IP address 113 Configuring the external interface for PPPoE Configuring the management interface Transparent mode Go to System Network DNS Configuring routingAdding DNS server IP addresses 115 Adding destination-based routes to the routing table Adding a default route 117 Adding routes in Transparent mode Policy routing Configuring the routing table Go to System Network Dhcp Providing Dhcp services to your internal networkPolicy routing command syntax 119 120 Viewing the dynamic IP list 121 RIP configuration 122 RIP settingsGo to System RIP Settings Holddown Update123 Invalid Mode Configuring RIP for FortiGate interfacesPassword 124 Adding RIP neighbors Go to System RIP Neighbor Adding RIP neighbors125 Go to System RIP Filter Adding RIP filtersAdding a single RIP filter 126 Mask Add the netmask of the route Action Adding a RIP filter list127 Add the IP address of the route 128 Adding a neighbors filterAdding a routes filter 129 System configurationSetting system date and time To set the date and time Go to System Config Time 130 To set the system idle timeoutChanging web-based manager options To select a language for the web-based manager To set the Auth timeoutTo modify the Dead Gateway Detection settings 131 132 Adding and editing administrator accountsAdding new administrator accounts Go to System Config Admin 133 Editing administrator accountsTo edit an administrator account Go to System Config Admin Go to System Config Snmp v1/v2c Configuring SnmpConfiguring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp support FortiGate MIBs MIB file name Description EtherLike.mib FortiGate MIBs135 Trap Community Trap Receiver IP Addresses FortiGate traps Trap message Description Customizing replacement messagesFortiGate traps 136 137 Customizing replacement messagesGo to System Config Replacement Messages Alert email message sections Customizing alert emails138 Alert email message sections 139 140 141 Firewall configuration 142 Default firewall configurationAddresses 143 ServicesContent profiles Schedules Go to Firewall Policy Adding firewall policies144 145 Dynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 146 147 AuthenticationAnti-Virus & Web filter 148 Log TrafficComments 149 Configuring policy listsPolicy matching in detail Changing the order of policies in a policy list Enabling a policy AddressesEnabling and disabling policies Disabling a policy Go to Firewall Address Adding addresses151 152 Editing addressesDeleting addresses Organizing addresses into address groups 153 ServicesPredefined services ANY 154 IRC 155 Go to Firewall Service Group Providing access to custom servicesGrouping services Go to Firewall Service Custom 157 Schedules Go to Firewall Schedule One-time Creating one-time schedulesCreating recurring schedules 158 159 Adding a schedule to a policy 160 Virtual IPsAdding static NAT virtual IPs 161 Adding port forwarding virtual IPs 162 163 Adding policies with virtual IPs Go to Firewall IP Pool IP poolsAdding an IP pool 164 165 IP Pools for firewall policies that use fixed portsIP pools and dynamic NAT Go to Firewall IP/MAC Binding Static IP/MAC Go to Firewall IP/MAC Binding SettingIP/MAC binding 166 167 Adding IP/MAC addresses Go to Firewall IP/MAC Binding Dynamic IP/MAC Viewing the dynamic IP/MAC listEnabling IP/MAC binding 168 169 Content profiles 170 Default content profilesAdding a content profile Go to Firewall Content Profile Oversized File/Email Block Pass Fragmented Email Adding a content profile to a policy171 172 173 Users and authentication 174 Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication 175 Deleting user names from the internal database 176 Configuring Radius supportAdding Radius servers Deleting Radius servers Go to User Ldap Configuring Ldap supportAdding Ldap servers 177 178 Deleting Ldap servers Go to User User Group Configuring user groupsAdding user groups 179 180 Deleting user groups 181 IPSec VPN AutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys 183 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel 184 AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN Go to VPN Ipsec Phase Remote Gateway Dialup User 186Remote Gateway Static IP Address 187 Configuring advanced options 188 189 Adding a phase 2 configuration for an AutoIKE VPN 190 191 Managing digital certificatesObtaining a signed local certificate Go to VPN Local Certificates Generating the certificate request192 193 Downloading the certificate requestRequesting the signed local certificate 194 Retrieving the signed local certificateImporting the signed local certificate 195 Obtaining a CA certificateRetrieving a CA certificate Importing a CA certificate 196 Configuring encrypt policies 197 Adding a source addressAdding a destination address Adding an encrypt policy Adding an encrypt policy 198 199 VPN concentrator hub general configuration stepsIPSec VPN concentrators Source InternalAll Destination VPN spoke address Action 200 Go to VPN IPSec Concentrator Adding a VPN concentrator201 Policies VPN spoke general configuration steps202 VPN Tunnel 203 Configuring redundant IPSec VPNRedundant IPSec VPNs 204 See Adding a phase 1 configuration for an AutoIKE VPN on 205 Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status Go to VPN IPSec Dialup Testing a VPN206 207 Configuring PptpPptp and L2TP VPN 208 Configuring the FortiGate unit as a Pptp gatewayAdding users and user groups Enabling Pptp and specifying an address range 209 Adding an address group Adding a firewall policy Configuring a Windows 98 client for PptpInstalling Pptp support Go to Start Settings Control Panel Network 211 Configuring a Pptp dialup connectionConnecting to the Pptp VPN Configuring a Windows 2000 client for Pptp Go to Start Control Panel Configuring a Windows XP client for PptpConfiguring the VPN connection 212 213 Configuring L2TP Go to VPN L2TP L2TP Range Configuring the FortiGate unit as a L2TP gatewayEnabling L2TP and specifying an address range 214 215 Sample L2TP address range configuration 216 217 Configuring a Windows 2000 client for L2TPConfiguring an L2TP dialup connection Disabling IPSec Go to Start Settings Connecting to the L2TP VPNConfiguring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection 219 220 221 Network Intrusion Detection System NidsDetecting attacks 222 Configuring checksum verificationSelecting the interfaces to monitor Disabling the Nids Go to Nids Detection Signature List Viewing the signature listViewing attack descriptions 223 Go to Nids Detection User Defined Signature List Enabling and disabling Nids attack signaturesAdding user-defined signatures 224 225 Preventing attacksDownloading the user-defined signature list Enabling Nids attack prevention 226 Setting signature threshold valuesEnabling Nids attack prevention signatures 227 Logging attack messages to the attack log Configuring synflood signature valuesValue Description Minimum Maximum Default Logging attacks 229 Reducing the number of Nids attack log and email messagesAutomatic message reduction Manual message reduction 230 231 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning232 233 File blockingBlocking files in firewall traffic Adding file patterns to block Viewing the virus list Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking 235 Web filtering 236 Content blockingGo to Web Filter Content Block Adding words and phrases to the banned word list 237 Using the FortiGate web filterURL blocking Adding URLs or URL patterns to the block list 238 Clearing the URL block list 239 Downloading the URL block listUploading a URL block list 240 Using the Cerberian web filterInstalling a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Enabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure the Cerberian web filtering 242 Script filteringEnabling the script filter Selecting script filter options Go to Web Filter Exempt URL Exempt URL listAdding URLs to the exempt URL list 243 244 245 Email filter 246 Go to Email Filter Content BlockEmail banned word list 247 Email block listEmail exempt list Adding address patterns to the email block list 248 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list 249 Logging and reportingRecording logs 250 Recording logs on a remote computerRecording logs on a NetIQ WebTrends server 251 Filtering log messagesRecording logs in system memory 252 Example log filter configuration Enabling traffic logging for a firewall policy Configuring traffic loggingEnabling traffic logging Enabling traffic logging for an interface 254 Configuring traffic filter settingsGo to Log&Report Log Setting Traffic Filter Adding traffic filter entries 255 Destination IP Address Destination Netmask ServiceViewing logs saved to memory Viewing logs 256 Configuring alert emailSearching logs Adding alert email addresses Go to Log&Report Alert Mail Categories Testing alert emailEnabling alert email 257 258 259 Glossary 260 261 262 263 Index Index 264 FDS 265 Ldap 266 MIB 267 RMA 268 TCP 269 UDP 270 271 272