FortiGate-400 Installation and Configuration Guide
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
308 pages

[Cover image: FortiGate-400 front panel, showing the Esc and Enter keypad buttons, the CONSOLE port, and network ports 1, 2, 3 and 4/HA]
Contents
  Regulatory Compliance
  Trademarks
  Table of Contents
    Introduction
    Getting started
    NAT/Route mode installation
    Transparent mode installation
    High availability
    System status
    Virus and attack definitions updates and registration 115
    Network configuration 133
    System configuration 157
    Firewall configuration 169
    Users and authentication 201
    IPSec VPN 209
    PPTP and L2TP VPN 235
    Network Intrusion Detection System (NIDS) 249
    Antivirus protection 259
    Web filtering 267
    Email filter 277
    Logging and reporting 281
    Glossary 295
    Index 299

Introduction
  Antivirus protection
  Web content filtering
  Email filtering
  Firewall
    NAT/Route mode
    Transparent mode
  VPN
  Network intrusion detection
  High availability
  Secure installation, configuration, and management
    Web-based manager
    Command line interface
    Logging and reporting
  What's new in Version 2.50
    Users and authentication
    Replacement messages
    Firewall
    Web Filter
    Antivirus
    Email filter
  About this document
    Document conventions
  Fortinet documentation
    Comments on Fortinet technical documentation
  Customer service and technical support
Getting started
  Package contents
  Mounting
  Power requirements
  Powering on
  Environmental specifications
  FortiGate-400 LED indicators
  Connecting to the web-based manager
  Connecting to the command line interface (CLI)
    Console settings: 9600 bits per second, 8 data bits, no parity, 1 stop bit, no flow control
  Factory default FortiGate configuration settings
    Account
    Factory default NAT/Route mode network configuration (per interface)
    Factory default Transparent mode network configuration
    Factory default firewall configuration
    Factory default content profiles
      Strict content profile (options)
      Scan content profile (options)
      Web content profile (options)
      Unfiltered content profile (options)
  Planning your FortiGate configuration
    Example NAT/Route mode network configuration
    NAT/Route mode with multiple external network connections
  Configuration options
    Setup Wizard
    Front keypad and LCD
  FortiGate model maximum values matrix
  Next steps
NAT/Route mode installation
  Preparing to configure NAT/Route mode
    NAT/Route mode settings (Administrator Password, Interface)
  Using the setup wizard
    Starting the setup wizard
    Reconnecting to the web-based manager
  Using the front control buttons and LCD
  Using the command line interface
    Configuring the FortiGate unit to operate in NAT/Route mode
    Configuring NAT/Route mode IP addresses
      set system interface port2 mode static ip <IPaddress> <netmask>
  Connecting the FortiGate unit to your networks
  Configuring your network
  Completing the configuration
    Configuring interface 4/HA (System > Network > Interface)
    Setting the date and time
    Enabling antivirus protection
    Registering your FortiGate unit
    Configuring virus and attack definition updates
  Configuration example: Multiple connections to the Internet
    Example multiple Internet connection configuration
    Configuring Ping servers (using the CLI)
    Destination based routing examples
      Primary and backup links to the Internet (System > Network > Routing Table)
      Load sharing
      Load sharing and primary and secondary connections (routing table arranged as shown in the table)
      Adding the routes using the CLI
    Policy routing examples
      Routing a service to an external network
    Firewall policy example
      Adding a redundant default policy (Firewall > Policy > port1-port3)
      Adding more firewall policies
      Restricting access to a single Internet connection
Transparent mode installation
  Preparing to configure Transparent mode
    Transparent mode settings (Administrator Password, DNS Settings)
  Changing to Transparent mode (System > Status)
    set system opmode transparent
  Configuring the Transparent mode management IP address
  Configure the Transparent mode default gateway
  FortiGate-400 Transparent mode connections
  Registering your FortiGate
  Transparent mode configuration examples
    Default routes and static routes
    Default route to an external network
      General configuration steps
      Web-based manager example configuration steps (System > Network > Management; System > Network > Routing)
      CLI configuration steps
    Static route to an external destination
      set system route number 1 dst 24.102.233.5 255.255.255.0 gw1
    Example static route to an internal destination
      set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
High availability
  Active-passive HA
  Active-active HA
  Installing and configuring the FortiGate units
    HA in NAT/Route mode
      Configuring the HA interfaces
      Configuring the HA cluster (System > Config > HA)
        Active-active schedule options: None, Least Connection, Weighted Round Robin
      Example Active-Active HA configuration
      Connecting the HA cluster to your network
      HA network configuration
    HA in Transparent mode
      Configuring the HA interface and HA IP address
      Starting the HA cluster
      Sample active-passive HA configuration
  Managing the HA cluster
    Viewing the status of cluster members (System > Status > Cluster Members)
    Monitoring cluster members (System > Status > Monitor)
    Viewing and managing cluster log messages (Log&Report > Logging)
    Monitoring cluster sessions (System > Status > Session)
    Managing individual cluster units
    Synchronizing the cluster configuration
    Replacing a FortiGate unit after fail-over
    Returning to standalone configuration
    Selecting a FortiGate unit as the permanent primary unit
  Advanced HA options
    Configuring weighted-round-robin weights
      set system ha weight 1 3
System status
  Changing the FortiGate host name
  Changing the FortiGate firmware
    Firmware upgrade procedures (procedure and description)
    Upgrade to a new firmware version
      Upgrading the firmware using the web-based manager
      Upgrading the firmware using the CLI
    Revert to a previous firmware version
      Reverting to a previous firmware version using the CLI
        execute ping
        execute restore image <name_str> <tftp_ip>
    To install firmware from a system reboot
      Install a firmware image from a system reboot using the CLI
        execute reboot
      Restoring your previous configuration
    Test a new firmware image before installing it
    Installing and using a backup firmware image
      Installing a backup firmware image
      Switching to the backup firmware image
      Switching back to the default firmware image
  Manual virus definition updates
  Manual attack definition updates
  Displaying the FortiGate serial number
  Displaying the FortiGate up time
  Displaying log hard disk status
  Backing up system settings
  Restoring system settings
  Restoring system settings to factory defaults
  Changing to NAT/Route mode
  Changing to Transparent mode
  Restarting the FortiGate unit
  Shutting down the FortiGate unit
  Viewing CPU and memory status
  Viewing sessions and network status
    Sessions and network status monitor
  Viewing virus and intrusions status
  Viewing the session list (System > Status > Session)
Virus and attack definitions updates and registration
  Updating antivirus and attack definitions
    Update status fields: Version, Expiry date, Last update attempt, Last update status
    Connecting to the FortiResponse Distribution Network (System > Update)
    Configuring update logging (Log&Report > Log Setting)
      Update log messages: Successful Update, FDN error
    Manually updating antivirus and attack definitions
    Configuring scheduled updates
    Adding an override server
    Configuring push updates
      About push updates
      To enable push updates
      Push updates through a NAT device
        Example push updates through a NAT device
        General procedure
        Adding a port forwarding virtual IP (Firewall > Virtual IP)
        Adding a firewall policy for the port forwarding virtual IP (Schedule: Always, Service: ANY, Action: Accept)
    Scheduled updates through a proxy server
  Registering FortiGate units
    FortiCare Service Contracts
    Registering the FortiGate unit
    Registering a FortiGate unit (product information)
    Updating registration information
    Recovering a lost Fortinet support password
    Viewing the list of registered FortiGate units
    Registering a new FortiGate unit
    Adding or changing a FortiCare Support Contract number
    Changing your Fortinet support password
    Changing your contact information or security question
    Downloading virus and attack definitions updates
    Registering a FortiGate unit after an RMA
Network configuration
  Configuring zones
    Adding zones
    Adding interfaces to a zone
    Adding VLAN subinterfaces to a zone
    Renaming zones
    Deleting zones
  Configuring interfaces
    Viewing the interface list
    Bringing up an interface
    Changing an interface static IP address
    Adding a secondary IP address to an interface
    Adding a ping server to an interface
    Controlling management access to an interface
    Configuring traffic logging for connections to an interface
    Changing the MTU size to improve network performance
    Configuring port4/ha
      Configuring port4/ha for HA mode
      Configuring port4/ha as a firewall interface
    Configuring the management interface (Transparent mode)
  Configuring VLANs
    VLAN network configuration
    Typical VLAN network configuration
    Rules for VLAN IDs
    Rules for VLAN IP addresses
    Adding VLAN subinterfaces
      Adding a VLAN subinterface
  Configuring routing
    Adding a default route
    Adding destination-based routes to the routing table
    Adding routes in Transparent mode
    Configuring the routing table
    Policy routing
      Policy routing command syntax
  Providing DHCP services to your internal network
    set system dhcpserver command syntax (keywords and descriptions)
  RIP configuration
    RIP settings (System > RIP > Settings)
    Configuring RIP settings (including the RIP Password)
    Configuring RIP for FortiGate interfaces (interface Mode)
    Adding RIP neighbors (System > RIP > Neighbor)
    Adding RIP filters (System > RIP > Filter)
      Adding a RIP filter list
        Filter fields: IP (the IP address of the route), Mask (the netmask of the route), Action
      Adding a single RIP filter
      Adding a neighbors filter
      Adding a routes filter
System configuration
  Setting system date and time (System > Config > Time)
  Changing web-based manager options
    To set the system idle timeout
    To set the Auth timeout
    To select a language for the web-based manager
    To modify the Dead Gateway Detection settings
  Adding and editing administrator accounts (System > Config > Admin)
    Adding new administrator accounts
    Editing administrator accounts
  Configuring SNMP
    Configuring the FortiGate unit for SNMP monitoring
    Configuring FortiGate SNMP support (System > Config > SNMP v1/v2c)
      Settings: Trap Community, Trap Receiver IP Addresses
    FortiGate MIBs (MIB file name and description; includes EtherLike.mib)
    FortiGate traps (trap message and description)
  Customizing replacement messages (System > Config > Replacement Messages)
  Customizing alert emails
    Alert email message sections
Firewall configuration
  Default firewall configuration
    Interfaces
    VLAN subinterfaces
    Zones
    Addresses (default addresses: Interface, Address, Description)
    Services
    Schedules
    Content profiles
  Adding firewall policies
    Firewall policy options
      Source
      Destination
      Schedule
      Service
      Action
      VPN Tunnel
      Traffic Shaping
      Authentication
      Anti-Virus & Web filter
      Log Traffic
      Comments
  Configuring policy lists
    Policy matching in detail
    Changing the order of policies in a policy list
    Enabling and disabling policies
      Disabling a policy
      Enabling a policy
  Addresses (Firewall > Address)
    Adding addresses
    Editing addresses
    Deleting addresses
    Organizing addresses into address groups (Firewall > Address > Group)
  Services
    Predefined services (including HTTPS)
    Providing access to custom services (Firewall > Service > Custom)
    Grouping services (Firewall > Service > Group)
  Schedules
    Creating one-time schedules (Firewall > Schedule > One-time)
    Creating recurring schedules (Firewall > Schedule > Recurring)
    Adding a schedule to a policy
  Virtual IPs
    Adding static NAT virtual IPs
    Adding port forwarding virtual IPs
    Adding policies with virtual IPs
  IP pools (Firewall > IP Pool)
    Adding an IP pool
    IP Pools for firewall policies that use fixed ports
    IP pools and dynamic NAT
  IP/MAC binding
    Adding IP/MAC addresses (Firewall > IP/MAC Binding > Static IP/MAC)
    Enabling IP/MAC binding (Firewall > IP/MAC Binding > Setting)
    Viewing the dynamic IP/MAC list (Firewall > IP/MAC Binding > Dynamic IP/MAC)
  Content profiles
    Default content profiles
    Adding a content profile (Firewall > Content Profile)
      Options: File Block, Quarantine, Oversized File/Email (Block or Pass), Fragmented Email
    Adding a content profile to a policy
Users and authentication
  Setting authentication timeout
  Adding user names and configuring authentication
    Deleting user names from the internal database
  Configuring RADIUS support
    Adding RADIUS servers
    Deleting RADIUS servers
  Configuring LDAP support (User > LDAP)
    Adding LDAP servers
    Deleting LDAP servers
  Configuring user groups (User > User Group)
    Adding user groups
    Deleting user groups
IPSec VPN
  Key management
    Manual Keys
    AutoIKE with pre-shared keys
    AutoIKE with certificates
  Manual key IPSec VPNs
    General configuration steps for a manual key VPN
    Adding a manual key VPN tunnel
  AutoIKE IPSec VPNs
    General configuration steps for an AutoIKE VPN
    Adding a phase 1 configuration for an AutoIKE VPN (VPN > IPSec > Phase 1)
      Remote Gateway: Static IP Address
      Remote Gateway: Dialup User
      Configuring advanced options
    Adding a phase 2 configuration for an AutoIKE VPN
  Managing digital certificates
    Obtaining a signed local certificate
      Generating the certificate request (VPN > Local Certificates)
      Downloading the certificate request
      Requesting the signed local certificate
      Retrieving the signed local certificate
      Importing the signed local certificate
    Obtaining a CA certificate
      Retrieving a CA certificate
      Importing a CA certificate
  Configuring encrypt policies
    Adding a source address
    Adding a destination address
    Adding an encrypt policy
  IPSec VPN concentrators
    VPN concentrator hub general configuration steps
      Hub encrypt policy: Source InternalAll, Destination VPN spoke address, Action
    Adding a VPN concentrator (VPN > IPSec > Concentrator)
    VPN spoke general configuration steps
      VPN Tunnel
      Policies
  Redundant IPSec VPNs
    Configuring redundant IPSec VPN (see Adding a phase 1 configuration for an AutoIKE VPN)
  Monitoring and Troubleshooting VPNs
    Viewing VPN tunnel status
    Viewing dialup VPN connection status (VPN > IPSec > Dialup)
    Testing a VPN
PPTP and L2TP VPN
  Configuring PPTP
    Configuring the FortiGate unit as a PPTP gateway
      Adding users and user groups
      Enabling PPTP and specifying an address range
      Adding an address group
      Adding a firewall policy
    Configuring a Windows 98 client for PPTP
      Installing PPTP support (Start > Settings > Control Panel > Network)
      Configuring a PPTP dialup connection
      Connecting to the PPTP VPN
    Configuring a Windows 2000 client for PPTP
      Configuring the VPN connection
    Configuring a Windows XP client for PPTP (Start > Control Panel)
  Configuring L2TP
    Configuring the FortiGate unit as an L2TP gateway
      Enabling L2TP and specifying an address range (VPN > L2TP > L2TP Range)
      Sample L2TP address range configuration
    Configuring a Windows 2000 client for L2TP (Start > Settings)
      Configuring an L2TP dialup connection
      Disabling IPSec
    Configuring a Windows XP client for L2TP
      Configuring an L2TP VPN dialup connection
      Connecting to the L2TP VPN
Network Intrusion Detection System (NIDS)
  Detecting attacks
    Selecting the interfaces to monitor
    Disabling the NIDS
    Configuring checksum verification
    Viewing the signature list (NIDS > Detection > Signature List)
    Viewing attack descriptions
    Enabling and disabling NIDS attack signatures
    Adding user-defined signatures (NIDS > Detection > User Defined Signature List)
    Downloading the user-defined signature list
  Preventing attacks
    Enabling NIDS attack prevention
    Enabling NIDS attack prevention signatures
    Setting signature threshold values (Value, Description, Minimum, Maximum, Default)
    Configuring synflood signature values
  Logging attacks
    Logging attack messages to the attack log
    Reducing the number of NIDS attack log and email messages
      Automatic message reduction
      Manual message reduction
Antivirus protection
  General configuration steps
  Antivirus scanning
    To scan FortiGate firewall traffic for viruses
  File blocking (Anti-Virus > File Block)
    Blocking files in firewall traffic
    Adding file patterns to block
  Quarantine (Anti-Virus > Quarantine)
    Quarantining infected files
    Quarantining blocked files
    Viewing the quarantine list
    Sorting the quarantine list
    Filtering the quarantine list
    Deleting files from quarantine
    Downloading quarantined files
    Configuring quarantine options (Anti-Virus > Quarantine > Quarantine Config)
  Blocking oversized files and emails
    Configuring limits for oversized files and email
    Exempting fragmented email from blocking
  Viewing the virus list
Web filtering
  Content blocking (Web Filter > Content Block)
    Adding words and phrases to the banned word list
  URL blocking
    Using the FortiGate web filter
      Adding URLs or URL patterns to the block list
      Clearing the URL block list
      Downloading the URL block list
      Uploading a URL block list
    Using the Cerberian web filter
      Installing a Cerberian license key on the FortiGate unit
      Adding a Cerberian user to the FortiGate unit
      About the default group and policy
      Configuring Cerberian web filter
        To configure the Cerberian web filtering
      Enabling Cerberian URL filtering
  Script filtering
    Enabling the script filter
    Selecting script filter options
  Exempt URL list (Web Filter > Exempt URL)
    Adding URLs to the exempt URL list
    Example exempt URL list
Email filter
  Email banned word list (Email Filter > Content Block)
  Email block list
    Adding address patterns to the email block list
  Email exempt list
    Adding address patterns to the email exempt list
  Adding a subject tag (Email Filter > Config)
Logging and reporting
  Recording logs
    Recording logs on a remote computer
    Recording logs on a NetIQ WebTrends server
    Recording logs on the FortiGate hard disk (Overwrite option)
    Recording logs in system memory
  Filtering log messages
    Example log filter configuration
  Configuring traffic logging
    Enabling traffic logging
      Enabling traffic logging for an interface
      Enabling traffic logging for a VLAN subinterface
      Enabling traffic logging for a firewall policy
    Configuring traffic filter settings (Log&Report > Log Setting > Traffic Filter)
    Adding traffic filter entries (Destination IP Address, Destination Netmask, Service)
  Viewing logs
    Viewing logs saved to memory
    Searching logs
    Viewing and managing logs saved to the hard disk
      Deleting all messages in an active log
      Downloading a log file to the management computer
      Deleting a saved log file
  Configuring alert email
    Adding alert email addresses
    Testing alert email
    Enabling alert email (Log&Report > Alert Mail > Categories)
Glossary
Index