Command line interface, Logging and reporting | Fortinet 400

Introduction	Secure installation, configuration, and management

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet.

The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.

Logging and reporting

The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:

•report traffic that connects to the firewall,

•report network services used,

•report traffic permitted by firewall policies,

•report traffic that was denied by firewall policies,

•report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,

•report attacks detected by the NIDS,

•send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.

Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.

FortiGate-400 Installation and Configuration Guide

21

Image 21

Fortinet 400 manual Command line interface, Logging and reporting

Contents

August Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents NAT/Route mode installation High availability System status Network configuration 133 System configuration 157 Users and authentication 201 IPSec VPN 209 Network Intrusion Detection System Nids 249 Email filter 277 Glossary 295 Index 299 Contents Antivirus protection Introduction Email filtering Web content filtering Firewall NAT/Route mode Network intrusion detection Transparent mode High availability VPN Web-based manager Secure installation, configuration, and management Logging and reporting Command line interface What’s new in Version Replacement messages Users and authenticationFirewall Antivirus Web FilterEmail filter About this document Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents Power requirements Powering onEnvironmental specifications FortiGate-400 LED indicators Connecting to the web-based manager Connecting to the web-based manager Factory default FortiGate configuration settings Connecting to the command line interface CLIBits per second 9600 Data bits Parity Stop bits Flow control Factory default NAT/Route mode network configuration AccountInterface Factory default firewall configuration Factory default Transparent mode network configuration Factory default content profiles Scan content profile Strict content profileStrict content profile Options Scan content profile Options Unfiltered content profile Web content profileWeb content profile Options Unfiltered content profile Options Planning your FortiGate configuration Example NAT/Route mode network configuration NAT/Route mode with multiple external network connections Setup Wizard Configuration options Front keypad and LCD FortiGate model maximum values matrix Next steps Next steps Getting started NAT/Route mode installation Preparing to configure NAT/Route modeNAT/Route mode settings Administrator Password Interface Using the setup wizard Starting the setup wizardReconnecting to the web-based manager Using the command line interface Using the front control buttons and LCDConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Set system interface port2 mode static ip IPaddress netmask Connecting the FortiGate unit to your networks Completing the configuration Configuring your networkConfiguring interface Go to System Network Interface Setting the date and time Configuring interface 4/HAEnabling antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Configuration example Multiple connections to the Internet Example multiple Internet connection configuration Configuring Ping servers Using the CLI Primary and backup links to the InternetDestination based routing examples Go to System Network Routing Table Load sharing and primary and secondary connections Load sharing Routing table should have routes arranged as shown in Table Adding the routes using the CLI Policy routing examples Routing a service to an external network Adding a redundant default policy Firewall policy exampleGo to Firewall Policy port1-port3 Adding more firewall policies Restricting access to a single Internet connection Configuration example Multiple connections to the Internet Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS Settings Go to System Status Changing to Transparent mode Set system opmode transparent Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Registering your FortiGate FortiGate-400 Transparent mode connections Transparent mode configuration examples Default routes and static routes Default route to an external network General configuration steps CLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network Routing Static route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples Active-passive HA High availability Active-active HA HA in NAT/Route mode Installing and configuring the FortiGate unitsConfiguring the HA interfaces Go to System Config HA Configuring the HA cluster Least Connection Weighted Round Robin Example Active-Active HA configuration Connecting the HA cluster to your network HA network configuration HA in Transparent mode Configuring the HA interface and HA IP addressStarting the HA cluster HA in Transparent mode None Sample active-passive HA configuration Managing the HA cluster Viewing the status of cluster membersGo to System Status Cluster Members Go to System Status Monitor Monitoring cluster members Viewing and managing cluster log messages Monitoring cluster sessionsGo to System Status Session Go to Log&Report Logging Managing individual cluster units Synchronizing the cluster configuration Replacing a FortiGate unit after fail-over Returning to standalone configuration Selecting a FortiGate unit to a permanent primary unit Advanced HA options Set system ha weight 1 3 Configuring weighted-round-robin weights System status System status Firmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI Revert to a previous firmware version Execute restore image namestr tftpip Reverting to a previous firmware version using the CLI Execute ping To install firmware from a system reboot Install a firmware image from a system reboot using the CLI 100 Execute reboot Test a new firmware image before installing it Restoring your previous configuration101 102 Installing and using a backup firmware image Installing a backup firmware image103 104 105 Switching to the backup firmware image Manual virus definition updates Switching back to the default firmware image106 Displaying the FortiGate serial number Manual attack definition updatesDisplaying the FortiGate up time Displaying log hard disk status Restoring system settings Backing up system settingsRestoring system settings to factory defaults 108 Changing to NAT/Route mode Changing to Transparent modeRestarting the FortiGate unit 109 Shutting down the FortiGate unit System statusViewing CPU and memory status 111 Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status Session list 113Viewing the session list Go to System Status Session 114 Virus and attack definitions updates and registration Updating antivirus and attack definitions115 Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution Network Configuring scheduled updates Go to System Update117 Configuring update logging Go to Log&Report Log SettingSuccessful Update FDN error Adding an override server Configuring push updatesManually updating antivirus and attack definitions 119 About push updates To enable push updatesPush updates through a NAT device Example push updates through a NAT device 121 General procedure Go to Firewall Virtual IP 122 Schedule Always Service ANY Action Accept 123Adding a firewall policy for the port forwarding virtual IP 124 Scheduled updates through a proxy server FortiCare Service Contracts Registering FortiGate units125 126 Registering the FortiGate unit Registering a FortiGate unit product information 127 Updating registration information Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units 128 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number129 Downloading virus and attack definitions updates Changing your Fortinet support passwordChanging your contact information or security question 130 131 Registering a FortiGate unit after an RMA 132 Configuring zones Network configurationAdding zones 133 Adding Vlan subinterfaces to a zone Adding interfaces to a zoneRenaming zones 134 Deleting zones Configuring interfacesViewing the interface list Bringing up an interface Adding a secondary IP address to an interface Changing an interface static IP addressAdding a ping server to an interface 136 Configuring traffic logging for connections to an interface Controlling management access to an interfaceChanging the MTU size to improve network performance 137 Configuring port4/ha for HA mode Configuring port4/haConfiguring port4/ha as a firewall interface Configuring the management interface Transparent mode Configuring VLANs Vlan network configuration139 140 Typical Vlan network configuration Rules for Vlan IDs Adding Vlan subinterfacesRules for Vlan IP addresses Adding a Vlan subinterface Adding a Vlan subinterface 142 Adding a default route Configuring routingAdding destination-based routes to the routing table 143 144 Adding routes in Transparent mode Configuring the routing table145 Policy routing command syntax Policy routing146 Providing Dhcp services to your internal network Set system dhcpserver command syntax Keywords Description147 148 149 RIP configuration RIP settings Go to System RIP Settings150 151 Configuring RIP settings Password Configuring RIP for FortiGate interfaces152 Mode Adding RIP neighbors 153Adding RIP neighbors Go to System RIP Neighbor Adding a single RIP filter Adding RIP filters154 Go to System RIP Filter 155 Adding a RIP filter listAdd the IP address of the route Mask Add the netmask of the route Action Adding a neighbors filter Adding a routes filter156 Setting system date and time System configurationTo set the date and time Go to System Config Time 157 To set the system idle timeout Changing web-based manager options158 To modify the Dead Gateway Detection settings To set the Auth timeout159 To select a language for the web-based manager Adding new administrator accounts Adding and editing administrator accountsGo to System Config Admin 160 Editing administrator accounts To edit an administrator account Go to System Config Admin161 Configuring the FortiGate unit for Snmp monitoring Configuring SnmpConfiguring FortiGate Snmp support Go to System Config Snmp v1/v2c 163 FortiGate MIBsTrap Community Trap Receiver IP Addresses FortiGate MIBs MIB file name Description EtherLike.mib FortiGate traps Customizing replacement messages164 FortiGate traps Trap message Description Customizing replacement messages Go to System Config Replacement Messages165 Customizing alert emails 166Alert email message sections Alert email message sections 167 168 169 Firewall configuration Interfaces Default firewall configurationVlan subinterfaces 170 Zones Default addresses Interface Address DescriptionAddresses 171 Content profiles ServicesAdding firewall policies Schedules Source Firewall policy optionsDestination 173 Schedule ServiceAction VPN Tunnel Authentication Traffic Shaping175 176 Anti-Virus & Web filter Log Traffic Configuring policy listsComments Policy matching in detail Enabling and disabling policies Changing the order of policies in a policy listDisabling a policy Enabling a policy Adding addresses Addresses179 Go to Firewall Address Editing addresses Deleting addresses180 Organizing addresses into address groups 181Go to Firewall Address Group Services Predefined services182 Https 183 Providing access to custom services Go to Firewall Service Custom184 Grouping services Go to Firewall Service Group185 Creating one-time schedules Schedules186 Go to Firewall Schedule One-time Creating recurring schedules 187Go to Firewall Schedule Recurring Virtual IPs Adding a schedule to a policy188 189 Adding static NAT virtual IPs 190 Adding port forwarding virtual IPs 191 Adding policies with virtual IPs Adding an IP pool IP pools192 Go to Firewall IP Pool IP Pools for firewall policies that use fixed ports IP/MAC bindingIP pools and dynamic NAT 193 Go to Firewall IP/MAC Binding Setting 194Go to Firewall IP/MAC Binding Static IP/MAC 195 Adding IP/MAC addresses Enabling IP/MAC binding Viewing the dynamic IP/MAC list196 Go to Firewall IP/MAC Binding Dynamic IP/MAC Default content profiles Content profilesAdding a content profile Go to Firewall Content Profile File Block 198Quarantine Oversized File/Email Block Pass Fragmented Email 199 Adding a content profile to a policy 200 201 Users and authentication Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication 202 203 Deleting user names from the internal database Adding Radius servers Configuring Radius supportDeleting Radius servers 204 Adding Ldap servers Configuring Ldap support205 Go to User Ldap 206 Deleting Ldap servers Adding user groups Configuring user groups207 Go to User User Group 208 Deleting user groups 209 IPSec VPN Manual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 211 212 Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNGo to VPN Ipsec Phase AutoIKE IPSec VPNs 214 Remote Gateway Static IP AddressRemote Gateway Dialup User 215 Configuring advanced options 216 217 Adding a phase 2 configuration for an AutoIKE VPN 218 Managing digital certificates Obtaining a signed local certificate219 Generating the certificate request 220Go to VPN Local Certificates Downloading the certificate request Requesting the signed local certificate221 Retrieving the signed local certificate Importing the signed local certificate222 Retrieving a CA certificate Obtaining a CA certificateImporting a CA certificate 223 224 Configuring encrypt policies Adding a destination address Adding a source addressAdding an encrypt policy 225 Adding an encrypt policy 226 VPN concentrator hub general configuration steps IPSec VPN concentrators227 Source InternalAll Destination VPN spoke address Action 228 Adding a VPN concentrator 229Go to VPN IPSec Concentrator 230 VPN spoke general configuration stepsVPN Tunnel Policies Configuring redundant IPSec VPN Redundant IPSec VPNs231 232 See Adding a phase 1 configuration for an AutoIKE VPN on Viewing VPN tunnel status Monitoring and Troubleshooting VPNsViewing dialup VPN connection status 233 Testing a VPN 234Go to VPN IPSec Dialup Configuring Pptp Pptp and L2TP VPN235 Adding users and user groups Configuring the FortiGate unit as a Pptp gatewayEnabling Pptp and specifying an address range 236 237 Adding an address group Installing Pptp support Configuring a Windows 98 client for PptpGo to Start Settings Control Panel Network Adding a firewall policy Connecting to the Pptp VPN Configuring a Pptp dialup connectionConfiguring a Windows 2000 client for Pptp 239 Configuring the VPN connection Configuring a Windows XP client for Pptp240 Go to Start Control Panel 241 Configuring L2TP Enabling L2TP and specifying an address range Configuring the FortiGate unit as a L2TP gateway242 Go to VPN L2TP L2TP Range 243 Sample L2TP address range configuration 244 Configuring an L2TP dialup connection Configuring a Windows 2000 client for L2TPDisabling IPSec 245 Configuring a Windows XP client for L2TP Connecting to the L2TP VPNConfiguring an L2TP VPN dialup connection Go to Start Settings 247 248 Network Intrusion Detection System Nids Detecting attacks249 Selecting the interfaces to monitor Configuring checksum verificationDisabling the Nids 250 Viewing attack descriptions Viewing the signature list251 Go to Nids Detection Signature List Adding user-defined signatures Enabling and disabling Nids attack signatures252 Go to Nids Detection User Defined Signature List Downloading the user-defined signature list Preventing attacksEnabling Nids attack prevention 253 Setting signature threshold values Enabling Nids attack prevention signatures254 255 Value Description Minimum Maximum Default Configuring synflood signature valuesLogging attacks Logging attack messages to the attack log Automatic message reduction Reducing the number of Nids attack log and email messagesManual message reduction 257 258 General configuration steps Antivirus protection259 Antivirus scanning 260To scan FortiGate firewall traffic for viruses 261 File blocking Adding file patterns to block Blocking files in firewall traffic262 Go to Anti-Virus File Block Quarantine Go to Anti-Virus Quarantine Quarantine ConfigQuarantining infected files Quarantining blocked files Sorting the quarantine list Viewing the quarantine list264 Go to Anti-Virus Quarantine Filtering the quarantine list Configuring quarantine optionsDeleting files from quarantine Downloading quarantined files Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking Viewing the virus list 267 Web filtering Go to Web Filter Content Block Content blockingAdding words and phrases to the banned word list 268 URL blocking Using the FortiGate web filterAdding URLs or URL patterns to the block list 269 270 Clearing the URL block list Downloading the URL block list Uploading a URL block list271 Installing a Cerberian license key on the FortiGate unit Using the Cerberian web filterAdding a Cerberian user to the FortiGate unit 272 About the default group and policy Configuring Cerberian web filterTo configure the Cerberian web filtering Enabling Cerberian URL filtering Enabling the script filter Script filteringSelecting script filter options 274 Adding URLs to the exempt URL list Exempt URL list275 Go to Web Filter Exempt URL Example exempt URL list 276 277 Email filter Go to Email Filter Content Block Email banned word list278 Email exempt list Email block listAdding address patterns to the email block list 279 Adding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 280 Logging and reporting Recording logs281 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server282 283 Recording logs on the FortiGate hard diskOverwrite Option Filtering log messages Recording logs in system memory284 285 Example log filter configuration Enabling traffic logging Configuring traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a Vlan subinterface Go to Log&Report Log Setting Traffic Filter Configuring traffic filter settingsEnabling traffic logging for a firewall policy 287 Destination IP Address Destination Netmask Service Adding traffic filter entries288 Viewing logs Viewing logs saved to memorySearching logs 289 290 Viewing and managing logs saved to the hard disk Downloading a log file to the management computer Deleting all messages in an active log291 Deleting a saved log file Configuring alert emailAdding alert email addresses 292 Enabling alert email Testing alert email293 Go to Log&Report Alert Mail Categories 294 295 Glossary 296 297 298 Index Numerics299 Index 300 FDS 301 Ldap 302 MIB 303 304 RMA 305 TCP 306 VPN 307 308