Manuals / Fortinet / Computer Equipment / Network Card

Fortinet 400 manual Configuring VLANs, Vlan network configuration, 139

Models: 400

1 308

Download 308 pages 48.56 Kb

Page 139

Network configuration	Configuring VLANs

3Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.

4Select the management Access methods for each interface.

HTTPS To allow secure HTTPS connections to the web-based manager through this interface.

PING If you want this interface to respond to pings. Use this setting to verify your installation and for testing.

SSH To allow secure SSH connections to the CLI through this interface.

SNMP To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 162.

5Select Apply to save your changes.

Configuring VLANs

Using Virtual LAN (VLAN) technology, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply authentication, content filtering, and antivirus protection for network and VPN traffic that is allowed to pass between security domains.

This section describes a basic VLAN network configuration, provides an overview of what is required to configure the FortiGate unit to support VLANs, and describes how to add VLAN subinterfaces. VLAN subinterfaces function like any FortiGate interface. You can add firewall addresses for a VLAN subinterface to add it to the policy grid.

You can also add VLAN subinterfaces to zones.

VLAN support is available when the FortiGate unit is operating in NAT/Route mode. This section describes:

•VLAN network configuration

•Adding VLAN subinterfaces

VLAN network configuration

Fortigate units support IEEE 802.1Q-compliant VLAN tags. A VLAN tag is a series of added bits in the ethernet frame header that indicates membership in a particular VLAN.

The FortiGate unit does not add or change VLAN tags. However, you can configure it to separate VLAN-tagged packets and apply policies to control how they connect through the firewall.

FortiGate-400 Installation and Configuration Guide

139

Image 139

Fortinet 400 manual Configuring VLANs, Vlan network configuration, 139

Contents

August Installation and Configuration GuideRegulatory Compliance TrademarksTable of Contents NAT/Route mode installation High availability System status Network configuration 133 System configuration 157 Users and authentication 201 IPSec VPN 209 Network Intrusion Detection System Nids 249 Email filter 277 Glossary 295 Index 299 Contents Antivirus protection IntroductionEmail filtering Web content filteringFirewall NAT/Route modeNetwork intrusion detection Transparent modeHigh availability VPNWeb-based manager Secure installation, configuration, and managementLogging and reporting Command line interfaceWhat’s new in Version Users and authentication Replacement messagesFirewall Web Filter AntivirusEmail filter About this document Document conventions Comments on Fortinet technical documentation Fortinet documentationCustomer service and technical support Getting started Mounting Package contentsFortiGate-400 LED indicators Powering onPower requirements Environmental specificationsConnecting to the web-based manager Connecting to the web-based managerStop bits Flow control Connecting to the command line interface CLIFactory default FortiGate configuration settings Bits per second 9600 Data bits ParityAccount Factory default NAT/Route mode network configurationInterface Factory default firewall configuration Factory default Transparent mode network configurationFactory default content profiles Scan content profile Options Strict content profileScan content profile Strict content profile OptionsUnfiltered content profile Options Web content profileUnfiltered content profile Web content profile OptionsPlanning your FortiGate configuration Example NAT/Route mode network configuration NAT/Route mode with multiple external network connectionsSetup Wizard Configuration optionsFront keypad and LCD FortiGate model maximum values matrixNext steps Next steps Getting started Preparing to configure NAT/Route mode NAT/Route mode installationNAT/Route mode settings Administrator Password Interface Starting the setup wizard Using the setup wizardReconnecting to the web-based manager Configuring NAT/Route mode IP addresses Using the front control buttons and LCDUsing the command line interface Configuring the FortiGate unit to operate in NAT/Route modeSet system interface port2 mode static ip IPaddress netmask Connecting the FortiGate unit to your networks Go to System Network Interface Configuring your networkCompleting the configuration Configuring interfaceRegistering your FortiGate unit Configuring interface 4/HASetting the date and time Enabling antivirus protectionConfiguring virus and attack definition updates Configuration example Multiple connections to the InternetExample multiple Internet connection configuration Configuring Ping serversGo to System Network Routing Table Primary and backup links to the InternetUsing the CLI Destination based routing examplesLoad sharing and primary and secondary connections Load sharingRouting table should have routes arranged as shown in Table Adding the routes using the CLIPolicy routing examples Routing a service to an external networkFirewall policy example Adding a redundant default policyGo to Firewall Policy port1-port3 Adding more firewall policies Restricting access to a single Internet connectionConfiguration example Multiple connections to the Internet DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator PasswordGo to System Status Changing to Transparent modeSet system opmode transparent Configure the Transparent mode default gateway Configuring the Transparent mode management IP addressRegistering your FortiGate FortiGate-400 Transparent mode connections Transparent mode configuration examplesDefault routes and static routes Default route to an external network General configuration stepsGo to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network ManagementStatic route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples Active-passive HA High availabilityActive-active HA Installing and configuring the FortiGate units HA in NAT/Route modeConfiguring the HA interfaces Go to System Config HA Configuring the HA clusterLeast Connection Weighted Round RobinExample Active-Active HA configuration Connecting the HA cluster to your networkHA network configuration Configuring the HA interface and HA IP address HA in Transparent modeStarting the HA cluster HA in Transparent mode None Sample active-passive HA configuration Viewing the status of cluster members Managing the HA clusterGo to System Status Cluster Members Go to System Status Monitor Monitoring cluster membersGo to Log&Report Logging Monitoring cluster sessionsViewing and managing cluster log messages Go to System Status SessionManaging individual cluster units Synchronizing the cluster configurationReplacing a FortiGate unit after fail-over Returning to standalone configurationSelecting a FortiGate unit to a permanent primary unit Advanced HA optionsSet system ha weight 1 3 Configuring weighted-round-robin weightsSystem status System statusChanging the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware Upgrading the firmware using the web-based manager Upgrade to a new firmware versionUpgrading the firmware using the CLI Revert to a previous firmware version Execute restore image namestr tftpipReverting to a previous firmware version using the CLI Execute ping To install firmware from a system reboot Install a firmware image from a system reboot using the CLI100 Execute rebootRestoring your previous configuration Test a new firmware image before installing it101 102 Installing a backup firmware image Installing and using a backup firmware image103 104 105 Switching to the backup firmware imageSwitching back to the default firmware image Manual virus definition updates106 Displaying log hard disk status Manual attack definition updatesDisplaying the FortiGate serial number Displaying the FortiGate up time108 Backing up system settingsRestoring system settings Restoring system settings to factory defaults109 Changing to Transparent modeChanging to NAT/Route mode Restarting the FortiGate unitSystem status Shutting down the FortiGate unitViewing CPU and memory status 111 Viewing sessions and network statusSessions and network status monitor Viewing virus and intrusions status113 Session listViewing the session list Go to System Status Session 114 Updating antivirus and attack definitions Virus and attack definitions updates and registration115 Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution NetworkGo to System Update Configuring scheduled updates117 Go to Log&Report Log Setting Configuring update loggingSuccessful Update FDN error 119 Configuring push updatesAdding an override server Manually updating antivirus and attack definitionsExample push updates through a NAT device To enable push updatesAbout push updates Push updates through a NAT device121 General procedureGo to Firewall Virtual IP 122123 Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP 124 Scheduled updates through a proxy serverRegistering FortiGate units FortiCare Service Contracts125 126 Registering the FortiGate unitRegistering a FortiGate unit product information 127128 Recovering a lost Fortinet support passwordUpdating registration information Viewing the list of registered FortiGate unitsAdding or changing a FortiCare Support Contract number Registering a new FortiGate unit129 130 Changing your Fortinet support passwordDownloading virus and attack definitions updates Changing your contact information or security question131 Registering a FortiGate unit after an RMA132 133 Network configurationConfiguring zones Adding zones134 Adding interfaces to a zoneAdding Vlan subinterfaces to a zone Renaming zonesBringing up an interface Configuring interfacesDeleting zones Viewing the interface list136 Changing an interface static IP addressAdding a secondary IP address to an interface Adding a ping server to an interface137 Controlling management access to an interfaceConfiguring traffic logging for connections to an interface Changing the MTU size to improve network performanceConfiguring the management interface Transparent mode Configuring port4/haConfiguring port4/ha for HA mode Configuring port4/ha as a firewall interfaceVlan network configuration Configuring VLANs139 140 Typical Vlan network configurationAdding a Vlan subinterface Adding Vlan subinterfacesRules for Vlan IDs Rules for Vlan IP addressesAdding a Vlan subinterface 142143 Configuring routingAdding a default route Adding destination-based routes to the routing table144 Configuring the routing table Adding routes in Transparent mode145 Policy routing Policy routing command syntax146 Set system dhcpserver command syntax Keywords Description Providing Dhcp services to your internal network147 148 149 RIP configurationGo to System RIP Settings RIP settings150 151 Configuring RIP settingsMode Configuring RIP for FortiGate interfacesPassword 152153 Adding RIP neighborsAdding RIP neighbors Go to System RIP Neighbor Go to System RIP Filter Adding RIP filtersAdding a single RIP filter 154Mask Add the netmask of the route Action Adding a RIP filter list155 Add the IP address of the routeAdding a routes filter Adding a neighbors filter156 157 System configurationSetting system date and time To set the date and time Go to System Config TimeChanging web-based manager options To set the system idle timeout158 To select a language for the web-based manager To set the Auth timeoutTo modify the Dead Gateway Detection settings 159160 Adding and editing administrator accountsAdding new administrator accounts Go to System Config AdminTo edit an administrator account Go to System Config Admin Editing administrator accounts161 Go to System Config Snmp v1/v2c Configuring SnmpConfiguring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp supportFortiGate MIBs MIB file name Description EtherLike.mib FortiGate MIBs163 Trap Community Trap Receiver IP AddressesFortiGate traps Trap message Description Customizing replacement messagesFortiGate traps 164Go to System Config Replacement Messages Customizing replacement messages165 166 Customizing alert emailsAlert email message sections Alert email message sections 167168 169 Firewall configuration170 Default firewall configurationInterfaces Vlan subinterfaces171 Default addresses Interface Address DescriptionZones AddressesSchedules ServicesContent profiles Adding firewall policies173 Firewall policy optionsSource DestinationVPN Tunnel ServiceSchedule ActionTraffic Shaping Authentication175 176 Anti-Virus & Web filterPolicy matching in detail Configuring policy listsLog Traffic CommentsEnabling a policy Changing the order of policies in a policy listEnabling and disabling policies Disabling a policyGo to Firewall Address AddressesAdding addresses 179Deleting addresses Editing addresses180 181 Organizing addresses into address groupsGo to Firewall Address Group Predefined services Services182 Https 183Go to Firewall Service Custom Providing access to custom services184 Go to Firewall Service Group Grouping services185 Go to Firewall Schedule One-time SchedulesCreating one-time schedules 186187 Creating recurring schedulesGo to Firewall Schedule Recurring Adding a schedule to a policy Virtual IPs188 189 Adding static NAT virtual IPs190 Adding port forwarding virtual IPs191 Adding policies with virtual IPsGo to Firewall IP Pool IP poolsAdding an IP pool 192193 IP/MAC bindingIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT194 Go to Firewall IP/MAC Binding SettingGo to Firewall IP/MAC Binding Static IP/MAC 195 Adding IP/MAC addressesGo to Firewall IP/MAC Binding Dynamic IP/MAC Viewing the dynamic IP/MAC listEnabling IP/MAC binding 196Go to Firewall Content Profile Content profilesDefault content profiles Adding a content profileOversized File/Email Block Pass Fragmented Email 198File Block Quarantine199 Adding a content profile to a policy200 201 Users and authentication202 Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication203 Deleting user names from the internal database204 Configuring Radius supportAdding Radius servers Deleting Radius serversGo to User Ldap Configuring Ldap supportAdding Ldap servers 205206 Deleting Ldap serversGo to User User Group Configuring user groupsAdding user groups 207208 Deleting user groups209 IPSec VPNAutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys211 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel212 AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN Go to VPN Ipsec PhaseRemote Gateway Static IP Address 214Remote Gateway Dialup User 215 Configuring advanced options216 217 Adding a phase 2 configuration for an AutoIKE VPN218 Obtaining a signed local certificate Managing digital certificates219 220 Generating the certificate requestGo to VPN Local Certificates Requesting the signed local certificate Downloading the certificate request221 Importing the signed local certificate Retrieving the signed local certificate222 223 Obtaining a CA certificateRetrieving a CA certificate Importing a CA certificate224 Configuring encrypt policies225 Adding a source addressAdding a destination address Adding an encrypt policyAdding an encrypt policy 226IPSec VPN concentrators VPN concentrator hub general configuration steps227 Source InternalAll Destination VPN spoke address Action 228229 Adding a VPN concentratorGo to VPN IPSec Concentrator Policies VPN spoke general configuration steps230 VPN TunnelRedundant IPSec VPNs Configuring redundant IPSec VPN231 232 See Adding a phase 1 configuration for an AutoIKE VPN on233 Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status234 Testing a VPNGo to VPN IPSec Dialup Pptp and L2TP VPN Configuring Pptp235 236 Configuring the FortiGate unit as a Pptp gatewayAdding users and user groups Enabling Pptp and specifying an address range237 Adding an address groupAdding a firewall policy Configuring a Windows 98 client for PptpInstalling Pptp support Go to Start Settings Control Panel Network239 Configuring a Pptp dialup connectionConnecting to the Pptp VPN Configuring a Windows 2000 client for PptpGo to Start Control Panel Configuring a Windows XP client for PptpConfiguring the VPN connection 240241 Configuring L2TPGo to VPN L2TP L2TP Range Configuring the FortiGate unit as a L2TP gatewayEnabling L2TP and specifying an address range 242243 Sample L2TP address range configuration244 245 Configuring a Windows 2000 client for L2TPConfiguring an L2TP dialup connection Disabling IPSecGo to Start Settings Connecting to the L2TP VPNConfiguring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection247 248 Detecting attacks Network Intrusion Detection System Nids249 250 Configuring checksum verificationSelecting the interfaces to monitor Disabling the NidsGo to Nids Detection Signature List Viewing the signature listViewing attack descriptions 251Go to Nids Detection User Defined Signature List Enabling and disabling Nids attack signaturesAdding user-defined signatures 252253 Preventing attacksDownloading the user-defined signature list Enabling Nids attack preventionEnabling Nids attack prevention signatures Setting signature threshold values254 255 Logging attack messages to the attack log Configuring synflood signature valuesValue Description Minimum Maximum Default Logging attacks257 Reducing the number of Nids attack log and email messagesAutomatic message reduction Manual message reduction258 Antivirus protection General configuration steps259 260 Antivirus scanningTo scan FortiGate firewall traffic for viruses 261 File blockingGo to Anti-Virus File Block Blocking files in firewall trafficAdding file patterns to block 262Quarantining blocked files Go to Anti-Virus Quarantine Quarantine ConfigQuarantine Quarantining infected filesGo to Anti-Virus Quarantine Viewing the quarantine listSorting the quarantine list 264Downloading quarantined files Configuring quarantine optionsFiltering the quarantine list Deleting files from quarantineViewing the virus list Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking267 Web filtering268 Content blockingGo to Web Filter Content Block Adding words and phrases to the banned word list269 Using the FortiGate web filterURL blocking Adding URLs or URL patterns to the block list270 Clearing the URL block listUploading a URL block list Downloading the URL block list271 272 Using the Cerberian web filterInstalling a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unitEnabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure the Cerberian web filtering274 Script filteringEnabling the script filter Selecting script filter optionsGo to Web Filter Exempt URL Exempt URL listAdding URLs to the exempt URL list 275Example exempt URL list 276277 Email filterEmail banned word list Go to Email Filter Content Block278 279 Email block listEmail exempt list Adding address patterns to the email block list280 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt listRecording logs Logging and reporting281 Recording logs on a NetIQ WebTrends server Recording logs on a remote computer282 Option Recording logs on the FortiGate hard disk283 OverwriteRecording logs in system memory Filtering log messages284 285 Example log filter configurationEnabling traffic logging for a Vlan subinterface Configuring traffic loggingEnabling traffic logging Enabling traffic logging for an interface287 Configuring traffic filter settingsGo to Log&Report Log Setting Traffic Filter Enabling traffic logging for a firewall policyAdding traffic filter entries Destination IP Address Destination Netmask Service288 289 Viewing logs saved to memoryViewing logs Searching logs290 Viewing and managing logs saved to the hard diskDeleting all messages in an active log Downloading a log file to the management computer291 292 Configuring alert emailDeleting a saved log file Adding alert email addressesGo to Log&Report Alert Mail Categories Testing alert emailEnabling alert email 293294 295 Glossary296 297 298 Numerics Index299 Index 300FDS 301Ldap 302MIB 303304 RMA 305TCP 306VPN 307308