Fortinet 100 266 , J, K, L, M

266 Fortinet Inc.

Index

IDS log

viewing 255

IKE 259

IMAP 154, 259

Inbound NAT

encrypt policy 146

interface

RIP 124

internal address

example 152

internal address group

example 153

internal network

configuring 48

Internet

blocking access to Internet sites 237, 247

blocking access to URLs 237, 247

Internet key exchange 259

intrusion attempts

alert email 257

IP

configuring checksum verification 222

IP address

IP/MAC binding 166

IP addresses

configuring from the CLI 45, 59

IP pool

adding 164

IP spoofing 166

IP/MAC binding 166

adding 167

allow traffic 167

block traffic 167

dynamic IP/MAC list 166

enabling 168

static IP/MAC list 166

IPSec 259

IPSec VPN

authentication for user group 179

AutoIKE 182

certificates 182

disabling 217, 219

manual keys 182

pre-shared keys 182

remote gateway 179

status 205

timeout 205, 206

IPSec VPN tunnel

testing 206

J

Java applets 242

removing from web pages 242

K

keyword

log search 256

L

L2TP 179, 259

configuring Windows XP client 218

network configuration 214

L2TP gateway

configuring 214

language

web-based manager 131

LDAP

example configuration 178

LDAP server

adding server address 177

deleting 178

lease duration

DHCP 119

log setting

filtering log entries 94, 251

traffic filter 254

log to memory

configuring 251

viewing saved logs 255

Log Traffic

firewall policy 148

policy 148

logging 19, 249

attack log 251

configuring traffic settings 253, 254

email filter log 252

enabling alert email 257

event log 251

filtering log messages 251

log to memory 251

log to remote host 250

log to WebTrends 250

recording 249

searching logs 256

selecting what to log 251

traffic log 251

traffic sessions 253

update log 252

virus log 251

web filtering log 251

logs

recording on NetIQ WebTrends server 250

M

MAC address 260

IP/MAC binding 166

malicious scripts

removing from web pages 242, 248

management interface

Transparent mode 114

management IP address

transparent mode 59

manual keys

introduction 182

matching

policy 149

Contents

Main Page Table of Contents 4 Page 6 Virus and attack definitions updates and registration..................................... 91 Page 8 Page 10 Network Intrusion Detection System (NIDS) ................................................... 221 Page Page Introduction Antivirus protection Web content filtering Email filtering Firewall NAT/Route mode 16 Transparent mode Network intrusion detection VPN Secure installation, configuration, and management Web-based manager 18 Command line interface Logging and reporting Whats new in Version 2.50 System administration Network configuration Routing Page Page About this document Document conventions 24 Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Page Getting started 28 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Factory default FortiGate configuration settings 32 Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration The factory default firewall configuration is the same in NAT/Route and Transparent mode. 34 Factory default content profiles Strict content profile Scan content profile 36 Web content profile Unfiltered content profile Planning your FortiGate configuration NAT/Route mode 38 NAT/Route mode with multiple external network connections Transparent mode Configuration options Setup Wizard CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Preparing to configure NAT/Route mode 44 Advanced NAT/Route mode settings DMZ interface Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Page Connecting the FortiGate unit to your networks 48 Configuring your networks Completing the configuration Configuring the DMZ interface Setting the date and time Enabling antivirus protection Configuration example: Multiple connections to the Internet Page Configuring Ping servers Destination based routing examples Primary and backup links to the Internet 52 Load sharing Load sharing and primary and secondary connections Page 54 Policy routing examples Routing traffic from internal subnets to different external networks Routing a service to an external network Firewall policy example Adding a redundant default policy Adding more firewall policies Page Transparent mode installation Preparing to configure Transparent mode 58 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Changing to Transparent mode Configuring the Transparent mode management IP address Configure the Transparent mode default gateway Connecting the FortiGate unit to your networks Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Transparent mode configuration examples Default routes and static routes Example default route to an external network Example static route to an external destination Page Page Example static route to an internal destination Page System status Changing the FortiGate host name Changing the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 72 Revert to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Install a firmware image from a system reboot using the CLI Page Test a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image Page Switching to the backup firmware image 82 Switching back to the default firmware image Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit 86 Shutting down the FortiGate unit System status Viewing CPU and memory status Viewing sessions and network status 88 Viewing virus and intrusions status Session list Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 92 Connecting to the FortiResponse Distribution Network Configuring scheduled updates 94 Configuring update logging Adding an override server Manually updating antivirus and attack definitions Configuring push updates 96 To enable push updates About push updates Push updates and external dynamic IP addresses Push updates through a NAT device Example: push updates through a NAT device Page Page 100 Scheduled updates through a proxy server Registering FortiGate units FortiCare Service Contracts 102 Registering the FortiGate unit Page 104 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number 106 Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring interfaces 110 Viewing the interface list Bringing up an interface Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface Page Configuring the external interface for PPPoE Changing the external interface MTU size to improve network performance 114 Configuring the management interface (Transparent mode) Adding DNS server IP addresses Configuring routing 116 Adding a default route Adding destination-based routes to the routing table Adding routes in Transparent mode 118 Configuring the routing table Policy routing Policy routing command syntax Providing DHCP services to your internal network 120 Viewing the dynamic IP list RIP configuration RIP settings 7Select Apply to save your changes. Configuring RIP for FortiGate interfaces Adding RIP neighbors 126 Adding RIP filters Adding a single RIP filter Adding a RIP filter list 128 Adding a neighbors filter Adding a routes filter System configuration Setting system date and time Changing web-based manager options Page 132 Adding and editing administrator accounts Adding new administrator accounts Editing administrator accounts 134 Configuring SNMP Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support FortiGate MIBs 136 FortiGate traps Customizing replacement messages Customizing replacement messages 138 Customizing alert emails Block alert Critical event Page Firewall configuration 142 Default firewall configuration Addresses Services Schedules Content profiles Adding firewall policies Page 146 VPN Tunnel Traffic Shaping Authentication Anti-Virus & Web filter Page Configuring policy lists Policy matching in detail Changing the order of policies in a policy list 150 Enabling and disabling policies Addresses Adding addresses 152 Editing addresses Deleting addresses Organizing addresses into address groups Services Predefined services Page Page 156 Providing access to custom services Grouping services Schedules 158 Creating one-time schedules Creating recurring schedules Adding a schedule to a policy 160 Virtual IPs Adding static NAT virtual IPs Adding port forwarding virtual IPs Page Adding policies with virtual IPs 164 IP pools Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT 166 IP/MAC binding Configuring IP/MAC binding for packets going through the firewall Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses 168 Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles 170 Default content profiles Adding a content profile Adding a content profile to a policy Page Users and authentication 174 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 176 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 178 Deleting LDAP servers Configuring user groups Adding user groups 180 Deleting user groups IPSec VPN 182 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel Page AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Page 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Adding a phase 2 configuration for an AutoIKE VPN Page Managing digital certificates Obtaining a signed local certificate 192 Generating the certificate request Page 194 Retrieving the signed local certificate Importing the signed local certificate Obtaining a CA certificate Retrieving a CA certificate Importing a CA certificate Configuring encrypt policies Adding an encrypt policy Page IPSec VPN concentrators VPN concentrator (hub) general configuration steps Page Page 202 VPN spoke general configuration steps Redundant IPSec VPNs Configuring redundant IPSec VPN Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 206 Testing a VPN PPTP and L2TP VPN Configuring PPTP Page Adding a source address Adding an address group 210 Adding a destination address Adding a firewall policy Configuring a Windows 98 client for PPTP Installing PPTP support Configuring a Windows 2000 client for PPTP 212 Configuring a Windows XP client for PPTP Configuring the VPN connection Configuring L2TP Page Adding a source address Adding an address group 216 Adding a destination address Adding a firewall policy Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connection Disabling IPSec 218 Connecting to the L2TP VPN Configuring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection Configuring the VPN connection Disabling IPSec Page Network Intrusion Detection System (NIDS) Detecting attacks Page Viewing the signature list Viewing attack descriptions 224 Enabling and disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list Preventing attacks Enabling NIDS attack prevention 226 Enabling NIDS attack prevention signatures Setting signature threshold values Page 228 Configuring synflood signature values Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking Blocking files in firewall traffic Adding file patterns to block 234 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Viewing the virus list Web filtering 236 Content blocking Adding words and phrases to the banned word list URL blocking Using the FortiGate web filter Adding URLs or URL patterns to the block list 238 Clearing the URL block list Downloading the URL block list Uploading a URL block list 240 Using the Cerberian web filter Installing a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Configuring Cerberian web filter Enabling Cerberian URL filtering 242 Script filtering Enabling the script filter Selecting script filter options Exempt URL list Adding URLs to the exempt URL list Page Email filter 246 Email banned word list Adding words and phrases to the banned word list Email block list Adding address patterns to the email block list Email exempt list 248 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs 250 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server Recording logs in system memory Filtering log messages Page Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a firewall policy 254 Configuring traffic filter settings Adding traffic filter entries Viewing logs saved to memory Viewing logs 256 Searching logs Configuring alert email Adding alert email addresses Testing alert email Enabling alert email Page Glossary Page Page Page Index A 264 B C D E F G H I 266 J K L M N O P 268 R S T 270 U V W