Page 168
Customizing replacement messages
System configuration
168
Fortinet Inc.
Contents
Installation and Configuration Guide
August
Trademarks
Regulatory Compliance
Table of Contents
NAT/Route mode installation
High availability
System status
Network configuration 133
System configuration 157
Users and authentication 201
IPSec VPN 209
Network Intrusion Detection System (NIDS) 249
Email filter 277
Glossary 295
Index 299
Contents
Introduction
Antivirus protection
Web content filtering
Email filtering
NAT/Route mode
Firewall
Transparent mode
Network intrusion detection
VPN
High availability
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
What’s new in Version
Replacement messages
Users and authentication
Firewall
Antivirus
Web Filter
Email filter
About this document
Document conventions
Fortinet documentation
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Powering on
Power requirements
Environmental specifications
FortiGate-400 LED indicators
Connecting to the web-based manager
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Bits per second 9600 Data bits Parity
Stop bits Flow control
Factory default NAT/Route mode network configuration
Account
Interface
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Strict content profile
Scan content profile
Strict content profile Options
Scan content profile Options
Web content profile
Unfiltered content profile
Web content profile Options
Unfiltered content profile Options
Planning your FortiGate configuration
NAT/Route mode with multiple external network connections
Example NAT/Route mode network configuration
Configuration options
Setup Wizard
FortiGate model maximum values matrix
Front keypad and LCD
Next steps
Next steps Getting started
NAT/Route mode installation
Preparing to configure NAT/Route mode
NAT/Route mode settings Administrator Password Interface
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
Using the front control buttons and LCD
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Configuring NAT/Route mode IP addresses
Set system interface port2 mode static ip IPaddress netmask
Connecting the FortiGate unit to your networks
Configuring your network
Completing the configuration
Configuring interface
Go to System Network Interface
Configuring interface 4/HA
Setting the date and time
Enabling antivirus protection
Registering your FortiGate unit
Configuration example Multiple connections to the Internet
Configuring virus and attack definition updates
Configuring Ping servers
Example multiple Internet connection configuration
Primary and backup links to the Internet
Using the CLI
Destination based routing examples
Go to System Network Routing Table
Load sharing
Load sharing and primary and secondary connections
Adding the routes using the CLI
Routing table should have routes arranged as shown in Table
Routing a service to an external network
Policy routing examples
Adding a redundant default policy
Firewall policy example
Go to Firewall Policy port1-port3
Restricting access to a single Internet connection
Adding more firewall policies
Configuration example Multiple connections to the Internet
Transparent mode installation
Preparing to configure Transparent mode
Transparent mode settings Administrator Password
DNS Settings
Changing to Transparent mode
Go to System Status
Set system opmode transparent
Configuring the Transparent mode management IP address
Configure the Transparent mode default gateway
Registering your FortiGate
Transparent mode configuration examples
FortiGate-400 Transparent mode connections
Default routes and static routes
General configuration steps
Default route to an external network
Web-based manager example configuration steps
CLI configuration steps
Go to System Network Management
Go to System Network Routing
Static route to an external destination
Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1
Example static route to an internal destination
Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
Transparent mode configuration examples
High availability
Active-passive HA
Active-active HA
HA in NAT/Route mode
Installing and configuring the FortiGate units
Configuring the HA interfaces
Configuring the HA cluster
Go to System Config HA
Weighted Round Robin
Least Connection
Connecting the HA cluster to your network
Example Active-Active HA configuration
HA network configuration
HA in Transparent mode
Configuring the HA interface and HA IP address
Starting the HA cluster
HA in Transparent mode
None
Sample active-passive HA configuration
Managing the HA cluster
Viewing the status of cluster members
Go to System Status Cluster Members
Monitoring cluster members
Go to System Status Monitor
Monitoring cluster sessions
Viewing and managing cluster log messages
Go to System Status Session
Go to Log&Report Logging
Synchronizing the cluster configuration
Managing individual cluster units
Returning to standalone configuration
Replacing a FortiGate unit after fail-over
Advanced HA options
Selecting a FortiGate unit as a permanent primary unit
Configuring weighted-round-robin weights
Set system ha weight 1 3
System status
System status
Firmware upgrade procedures Procedure Description
Changing the FortiGate host name
Changing the FortiGate firmware
Upgrade to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Execute restore image namestr tftpip
Revert to a previous firmware version
Reverting to a previous firmware version using the CLI
Execute ping
Install a firmware image from a system reboot using the CLI
To install firmware from a system reboot
Execute reboot
100
Test a new firmware image before installing it
Restoring your previous configuration
101
102
Installing and using a backup firmware image
Installing a backup firmware image
103
104
Switching to the backup firmware image
105
Manual virus definition updates
Switching back to the default firmware image
106
Manual attack definition updates
Displaying the FortiGate serial number
Displaying the FortiGate up time
Displaying log hard disk status
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
108
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
109
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
Viewing sessions and network status
111
Viewing virus and intrusions status
Sessions and network status monitor
Session list
113
Viewing the session list Go to System Status Session
114
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
115
Connecting to the FortiResponse Distribution Network
Version Expiry date Last update attempt Last update status
Configuring scheduled updates
Go to System Update
117
Configuring update logging
Go to Log&Report Log Setting
Successful Update FDN error
Configuring push updates
Adding an override server
Manually updating antivirus and attack definitions
119
To enable push updates
About push updates
Push updates through a NAT device
Example push updates through a NAT device
General procedure
121
122
Go to Firewall Virtual IP
Schedule Always Service ANY Action Accept
123
Adding a firewall policy for the port forwarding virtual IP
Scheduled updates through a proxy server
124
FortiCare Service Contracts
Registering FortiGate units
125
Registering the FortiGate unit
126
127
Registering a FortiGate unit product information
Recovering a lost Fortinet support password
Updating registration information
Viewing the list of registered FortiGate units
128
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
129
Changing your Fortinet support password
Downloading virus and attack definitions updates
Changing your contact information or security question
130
Registering a FortiGate unit after an RMA
131
132
Network configuration
Configuring zones
Adding zones
133
Adding interfaces to a zone
Adding VLAN subinterfaces to a zone
Renaming zones
134
Configuring interfaces
Deleting zones
Viewing the interface list
Bringing up an interface
Changing an interface static IP address
Adding a secondary IP address to an interface
Adding a ping server to an interface
136
Controlling management access to an interface
Configuring traffic logging for connections to an interface
Changing the MTU size to improve network performance
137
Configuring port4/ha
Configuring port4/ha for HA mode
Configuring port4/ha as a firewall interface
Configuring the management interface Transparent mode
Configuring VLANs
VLAN network configuration
139
Typical VLAN network configuration
140
Adding VLAN subinterfaces
Rules for VLAN IDs
Rules for VLAN IP addresses
Adding a VLAN subinterface
142
Adding a VLAN subinterface
Configuring routing
Adding a default route
Adding destination-based routes to the routing table
143
144
Adding routes in Transparent mode
Configuring the routing table
145
Policy routing command syntax
Policy routing
146
Providing DHCP services to your internal network
Set system dhcpserver command syntax Keywords Description
147
148
RIP configuration
149
RIP settings
Go to System RIP Settings
150
Configuring RIP settings
151
Configuring RIP for FortiGate interfaces
Password
152
Mode
Adding RIP neighbors
153
Adding RIP neighbors Go to System RIP Neighbor
Adding RIP filters
Adding a single RIP filter
154
Go to System RIP Filter
Adding a RIP filter list
155
Add the IP address of the route
Mask Add the netmask of the route Action
Adding a neighbors filter
Adding a routes filter
156
System configuration
Setting system date and time
To set the date and time Go to System Config Time
157
To set the system idle timeout
Changing web-based manager options
158
To set the Auth timeout
To modify the Dead Gateway Detection settings
159
To select a language for the web-based manager
Adding and editing administrator accounts
Adding new administrator accounts
Go to System Config Admin
160
Editing administrator accounts
To edit an administrator account Go to System Config Admin
161
Configuring SNMP
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
Go to System Config SNMP v1/v2c
FortiGate MIBs
163
Trap Community Trap Receiver IP Addresses
FortiGate MIBs MIB file name Description EtherLike.mib
Customizing replacement messages
FortiGate traps
164
FortiGate traps Trap message Description
Customizing replacement messages
Go to System Config Replacement Messages
165
Customizing alert emails
166
Alert email message sections
167
Alert email message sections
168
Firewall configuration
169
Default firewall configuration
Interfaces
VLAN subinterfaces
170
Default addresses Interface Address Description
Zones
Addresses
171
Services
Content profiles
Adding firewall policies
Schedules
Firewall policy options
Source
Destination
173
Service
Schedule
Action
VPN Tunnel
Authentication
Traffic Shaping
175
Anti-Virus & Web filter
176
Configuring policy lists
Log Traffic
Comments
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Disabling a policy
Enabling a policy
Addresses
Adding addresses
179
Go to Firewall Address
Editing addresses
Deleting addresses
180
Organizing addresses into address groups
181
Go to Firewall Address Group
Services
Predefined services
182
183
HTTPS
Providing access to custom services
Go to Firewall Service Custom
184
Grouping services
Go to Firewall Service Group
185
Schedules
Creating one-time schedules
186
Go to Firewall Schedule One-time
Creating recurring schedules
187
Go to Firewall Schedule Recurring
Virtual IPs
Adding a schedule to a policy
188
Adding static NAT virtual IPs
189
Adding port forwarding virtual IPs
190
Adding policies with virtual IPs
191
IP pools
Adding an IP pool
192
Go to Firewall IP Pool
IP/MAC binding
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
193
Go to Firewall IP/MAC Binding Setting
194
Go to Firewall IP/MAC Binding Static IP/MAC
Adding IP/MAC addresses
195
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
196
Go to Firewall IP/MAC Binding Dynamic IP/MAC
Content profiles
Default content profiles
Adding a content profile
Go to Firewall Content Profile
198
File Block
Quarantine
Oversized File/Email Block Pass Fragmented Email
Adding a content profile to a policy
199
200
Users and authentication
201
Setting authentication timeout
Adding user names and configuring authentication
Adding user names and configuring authentication
202
Deleting user names from the internal database
203
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
204
Configuring LDAP support
Adding LDAP servers
205
Go to User LDAP
Deleting LDAP servers
206
Configuring user groups
Adding user groups
207
Go to User User Group
Deleting user groups
208
IPSec VPN
209
Key management
Manual Keys
AutoIKE with pre-shared keys
AutoIKE with certificates
General configuration steps for a manual key VPN
Manual key IPSec VPNs
Adding a manual key VPN tunnel
211
212
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
Go to VPN IPSec Phase
AutoIKE IPSec VPNs
214
Remote Gateway Static IP Address
Remote Gateway Dialup User
Configuring advanced options
215
216
Adding a phase 2 configuration for an AutoIKE VPN
217
218
Managing digital certificates
Obtaining a signed local certificate
219
Generating the certificate request
220
Go to VPN Local Certificates
Downloading the certificate request
Requesting the signed local certificate
221
Retrieving the signed local certificate
Importing the signed local certificate
222
Obtaining a CA certificate
Retrieving a CA certificate
Importing a CA certificate
223
Configuring encrypt policies
224
Adding a source address
Adding a destination address
Adding an encrypt policy
225
226
Adding an encrypt policy
VPN concentrator hub general configuration steps
IPSec VPN concentrators
227
228
Source InternalAll Destination VPN spoke address Action
Adding a VPN concentrator
229
Go to VPN IPSec Concentrator
VPN spoke general configuration steps
230
VPN Tunnel
Policies
Configuring redundant IPSec VPN
Redundant IPSec VPNs
231
See Adding a phase 1 configuration for an AutoIKE VPN on
232
Monitoring and Troubleshooting VPNs
Viewing VPN tunnel status
Viewing dialup VPN connection status
233
Testing a VPN
234
Go to VPN IPSec Dialup
Configuring PPTP
PPTP and L2TP VPN
235
Configuring the FortiGate unit as a PPTP gateway
Adding users and user groups
Enabling PPTP and specifying an address range
236
Adding an address group
237
Configuring a Windows 98 client for PPTP
Installing PPTP support
Go to Start Settings Control Panel Network
Adding a firewall policy
Configuring a PPTP dialup connection
Connecting to the PPTP VPN
Configuring a Windows 2000 client for PPTP
239
Configuring a Windows XP client for PPTP
Configuring the VPN connection
240
Go to Start Control Panel
Configuring L2TP
241
Configuring the FortiGate unit as an L2TP gateway
Enabling L2TP and specifying an address range
242
Go to VPN L2TP L2TP Range
Sample L2TP address range configuration
243
244
Configuring a Windows 2000 client for L2TP
Configuring an L2TP dialup connection
Disabling IPSec
245
Connecting to the L2TP VPN
Configuring a Windows XP client for L2TP
Configuring an L2TP VPN dialup connection
Go to Start Settings
247
248
Network Intrusion Detection System (NIDS)
Detecting attacks
249
Configuring checksum verification
Selecting the interfaces to monitor
Disabling the NIDS
250
Viewing the signature list
Viewing attack descriptions
251
Go to NIDS Detection Signature List
Enabling and disabling NIDS attack signatures
Adding user-defined signatures
252
Go to NIDS Detection User Defined Signature List
Preventing attacks
Downloading the user-defined signature list
Enabling NIDS attack prevention
253
Setting signature threshold values
Enabling NIDS attack prevention signatures
254
255
Configuring synflood signature values
Value Description Minimum Maximum Default
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
257
258
General configuration steps
Antivirus protection
259
Antivirus scanning
260
To scan FortiGate firewall traffic for viruses
File blocking
261
Blocking files in firewall traffic
Adding file patterns to block
262
Go to Anti-Virus File Block
Go to Anti-Virus Quarantine Quarantine Config
Quarantine
Quarantining infected files
Quarantining blocked files
Viewing the quarantine list
Sorting the quarantine list
264
Go to Anti-Virus Quarantine
Configuring quarantine options
Filtering the quarantine list
Deleting files from quarantine
Downloading quarantined files
Configuring limits for oversized files and email
Blocking oversized files and emails
Exempting fragmented email from blocking
Viewing the virus list
Web filtering
267
Content blocking
Go to Web Filter Content Block
Adding words and phrases to the banned word list
268
Using the FortiGate web filter
URL blocking
Adding URLs or URL patterns to the block list
269
Clearing the URL block list
270
Downloading the URL block list
Uploading a URL block list
271
Using the Cerberian web filter
Installing a Cerberian license key on the FortiGate unit
Adding a Cerberian user to the FortiGate unit
272
Configuring Cerberian web filter
About the default group and policy
To configure the Cerberian web filtering
Enabling Cerberian URL filtering
Script filtering
Enabling the script filter
Selecting script filter options
274
Exempt URL list
Adding URLs to the exempt URL list
275
Go to Web Filter Exempt URL
276
Example exempt URL list
Email filter
277
Go to Email Filter Content Block
Email banned word list
278
Email block list
Email exempt list
Adding address patterns to the email block list
279
To add a subject tag Go to Email Filter Config
Adding a subject tag
Adding address patterns to the email exempt list
280
Logging and reporting
Recording logs
281
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
282
Recording logs on the FortiGate hard disk
283
Overwrite
Option
Filtering log messages
Recording logs in system memory
284
Example log filter configuration
285
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a VLAN subinterface
Configuring traffic filter settings
Go to Log&Report Log Setting Traffic Filter
Enabling traffic logging for a firewall policy
287
Destination IP Address Destination Netmask Service
Adding traffic filter entries
288
Viewing logs saved to memory
Viewing logs
Searching logs
289
Viewing and managing logs saved to the hard disk
290
Downloading a log file to the management computer
Deleting all messages in an active log
291
Configuring alert email
Deleting a saved log file
Adding alert email addresses
292
Testing alert email
Enabling alert email
293
Go to Log&Report Alert Mail Categories
294
Glossary
295
296
297
298
Index
Numerics
299
300
Index
301
FDS
302
LDAP
303
MIB
304
305
RMA
306
TCP
307
VPN
308