FortiGate 400 Installation and Configuration Guide
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
Fortinet
308 pages, 4.86 MB
Table of Contents
Introduction
Antivirus protection
Web content filtering
Email filtering
Firewall
NAT/Route mode
Transparent mode
VLAN
Network intrusion detection
VPN
High availability
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
What's new in Version 2.50
HA
Replacement messages
Firewall
Users and authentication
VPN
NIDS
Antivirus
Web Filter
Email filter
About this document
Document conventions
Fortinet documentation
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Dimensions
Weight
Power requirements
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Factory default content profiles
Strict content profile
Scan content profile
Web content profile
Unfiltered content profile
Planning your FortiGate configuration
NAT/Route mode
NAT/Route mode with multiple external network connections
Transparent mode
Configuration options
Setup Wizard
CLI
FortiGate model maximum values matrix
Next steps
NAT/Route mode installation
Preparing to configure NAT/Route mode
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
Using the front control buttons and LCD
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Configuring NAT/Route mode IP addresses
Connecting the FortiGate unit to your networks
Configuring your network
Completing the configuration
Configuring interface 3
Configuring interface 4/HA
Setting the date and time
Enabling antivirus protection
Registering your FortiGate unit
Configuration example: Multiple connections to the Internet
Configuring Ping servers
Destination based routing examples
Primary and backup links to the Internet
Load sharing
Load sharing and primary and secondary connections
Policy routing examples
Routing traffic from internal subnets to different external networks
Routing a service to an external network
Firewall policy example
Adding a redundant default policy
Transparent mode installation
Preparing to configure Transparent mode
Using the setup wizard
Changing to Transparent mode
Starting the setup wizard
Reconnecting to the web-based manager
Using the front control buttons and LCD
Using the command line interface
Changing to Transparent mode
Configuring the Transparent mode management IP address
Completing the configuration
Setting the date and time
Enabling antivirus protection
Registering your FortiGate
Configuring virus and attack definition updates
Connecting the FortiGate unit to your networks
Transparent mode configuration examples
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination
General configuration steps
High availability
Active-passive HA
Active-active HA
HA in NAT/Route mode
Installing and configuring the FortiGate units
Configuring the HA interfaces
Configuring the HA cluster
Connecting the HA cluster to your network
Starting the HA cluster
HA in Transparent mode
Installing and configuring the FortiGate units
Configuring the HA interface and HA IP address
Configuring the HA cluster
Connecting the HA cluster to your network
Starting the HA cluster
Managing the HA cluster
Viewing the status of cluster members
Monitoring cluster members
Monitoring cluster sessions
Viewing and managing cluster log messages
Managing individual cluster units
Synchronizing the cluster configuration
Returning to standalone configuration
Replacing a FortiGate unit after fail-over
Advanced HA options
Selecting a FortiGate unit as a permanent primary unit
Configuring weighted-round-robin weights
System status
Changing the FortiGate host name
Changing the FortiGate firmware
Upgrade to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Revert to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Install a firmware image from a system reboot using the CLI
Test a new firmware image before installing it
Installing and using a backup firmware image
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Manual virus definition updates
Manual attack definition updates
Displaying the FortiGate serial number
Displaying the FortiGate up time
Displaying log hard disk status
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status
Session list
Virus and attack definitions updates and registration (page 115)
Updating antivirus and attack definitions
Connecting to the FortiResponse Distribution Network
Configuring scheduled updates
Configuring update logging
Adding an override server
Manually updating antivirus and attack definitions
Configuring push updates
To enable push updates
About push updates
Push updates through a NAT device
Example: push updates through a NAT device
Scheduled updates through a proxy server
Registering FortiGate units
FortiCare Service Contracts
Registering the FortiGate unit
Updating registration information
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates
Registering a FortiGate unit after an RMA
Network configuration
Configuring zones
Adding zones
Adding interfaces to a zone
Adding VLAN subinterfaces to a zone
Renaming zones
Deleting zones
Configuring interfaces
Viewing the interface list
Bringing up an interface
Changing an interface static IP address
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling management access to an interface
Configuring traffic logging for connections to an interface
Changing the MTU size to improve network performance
Configuring port4/ha
Configuring port4/ha for HA mode
Configuring port4/ha as a firewall interface
Configuring the management interface (Transparent mode)
Configuring VLANs
VLAN network configuration
Adding VLAN subinterfaces
Rules for VLAN IDs
Rules for VLAN IP addresses
Adding a VLAN subinterface
Configuring routing
Adding a default route
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing
Policy routing command syntax
Providing DHCP services to your internal network
RIP configuration
RIP settings
7. Select Apply to save your changes.
Configuring RIP for FortiGate interfaces
Adding RIP neighbors
Adding RIP filters
Adding a single RIP filter
Adding a RIP filter list
Adding a neighbors filter
Adding a routes filter
System configuration
Setting system date and time
Changing web-based manager options
Adding and editing administrator accounts
Adding new administrator accounts
Editing administrator accounts
Configuring SNMP
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
FortiGate MIBs
FortiGate traps
Customizing replacement messages
Customizing alert emails
Block alert
Critical event
Firewall configuration
Default firewall configuration
Interfaces
VLAN subinterfaces
Zones
Addresses
Services
Schedules
Adding firewall policies
Schedule
Service
Action
NAT
Traffic Shaping
Authentication
Log Traffic
Comments
Configuring policy lists
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Disabling a policy
Enabling a policy
Addresses
Adding addresses
Editing addresses
Deleting addresses
Organizing addresses into address groups
Services
Predefined services
Providing access to custom services
Grouping services
Schedules
Creating one-time schedules
Creating recurring schedules
Adding a schedule to a policy
Virtual IPs
Adding static NAT virtual IPs
Adding port forwarding virtual IPs
Adding policies with virtual IPs
IP pools
Adding an IP pool
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
IP/MAC binding
Configuring IP/MAC binding for packets going through the firewall
Configuring IP/MAC binding for packets going to the firewall
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
Content profiles
Default content profiles
Adding a content profile
3. Type a Profile Name.
4. Enable antivirus protection options.
5. Enable Web filtering options.
6. Enable Email filter protection options.
7. Enable fragmented email and oversized file and email options.
8. Select OK.
Adding a content profile to a policy
Users and authentication
Setting authentication timeout
Adding user names and configuring authentication
Deleting user names from the internal database
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
Configuring LDAP support
Adding LDAP servers
Deleting LDAP servers
Configuring user groups
Adding user groups
Deleting user groups
IPSec VPN
Key management
Manual Keys
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
AutoIKE with pre-shared keys
AutoIKE with certificates
Manual key IPSec VPNs
General configuration steps for a manual key VPN
Adding a manual key VPN tunnel
AutoIKE IPSec VPNs
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
4. Optionally, configure NAT Traversal.
6. Select OK to save the phase 1 parameters.
Adding a phase 2 configuration for an AutoIKE VPN
Managing digital certificates
Obtaining a signed local certificate
Generating the certificate request
Retrieving the signed local certificate
Importing the signed local certificate
Obtaining a CA certificate
Retrieving a CA certificate
Importing a CA certificate
Configuring encrypt policies
Adding an encrypt policy
IPSec VPN concentrators
VPN concentrator (hub) general configuration steps
VPN spoke general configuration steps
Redundant IPSec VPNs
Configuring redundant IPSec VPN
Monitoring and Troubleshooting VPNs
Viewing VPN tunnel status
Viewing dialup VPN connection status
Testing a VPN
PPTP and L2TP VPN
Configuring PPTP
Adding a source address
Adding an address group
Adding a destination address
Adding a firewall policy
Configuring a Windows 98 client for PPTP
Installing PPTP support
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
Configuring the VPN connection
Configuring L2TP
Adding a source address
Adding an address group
Adding a destination address
Adding a firewall policy
Configuring a Windows 2000 client for L2TP
Configuring an L2TP dialup connection
Disabling IPSec
Connecting to the L2TP VPN
Configuring a Windows XP client for L2TP
Configuring an L2TP VPN dialup connection
Configuring the VPN connection
Disabling IPSec
Network Intrusion Detection System (NIDS) (page 249)
Detecting attacks
Viewing the signature list
Viewing attack descriptions
Enabling and disabling NIDS attack signatures
Adding user-defined signatures
Downloading the user-defined signature list
Preventing attacks
Enabling NIDS attack prevention
Enabling NIDS attack prevention signatures
Setting signature threshold values
Configuring synflood signature values
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
Antivirus protection
Antivirus scanning
File blocking
Blocking files in firewall traffic
Adding file patterns to block
Quarantine
Quarantining infected files
Quarantining blocked files
Viewing the quarantine list
1. Go to Anti-Virus > Quarantine. The quarantine list provides the following information.
Sorting the quarantine list
Filtering the quarantine list
Deleting files from quarantine
Downloading quarantined files
Configuring quarantine options
Blocking oversized files and emails
Configuring limits for oversized files and email
Exempting fragmented email from blocking
Viewing the virus list
Web filtering
Content blocking
Adding words and phrases to the banned word list
URL blocking
Using the FortiGate web filter
Adding URLs or URL patterns to the block list
Clearing the URL block list
Downloading the URL block list
Uploading a URL block list
Using the Cerberian web filter
General configuration steps
Installing a Cerberian license key on the FortiGate unit
Adding a Cerberian user to the FortiGate unit
Configuring Cerberian web filter
Enabling Cerberian URL filtering
Script filtering
Enabling the script filter
Selecting script filter options
Exempt URL list
Adding URLs to the exempt URL list
Email filter
Email banned word list
Adding words and phrases to the banned word list
Email block list
Adding address patterns to the email block list
Email exempt list
Adding address patterns to the email exempt list
Adding a subject tag
Logging and reporting
Recording logs
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Recording logs on the FortiGate hard disk
Recording logs in system memory
Filtering log messages
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a VLAN subinterface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Adding traffic filter entries
Viewing logs saved to memory
Viewing logs
Searching logs
Viewing and managing logs saved to the hard disk
Viewing logs
Searching logs
Downloading a log file to the management computer
Deleting all messages in an active log
Deleting a saved log file
Configuring alert email
Adding alert email addresses
Testing alert email
Enabling alert email
Glossary
Index