Firewall policy example | Fortinet 400 specs

Configuration example: Multiple connections to the Internet	NAT/Route mode installation

Firewall policy example

Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.

For traffic originating on the Internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which internet connection is actually used.

Adding a redundant default policy

Figure 8 on page 53 shows a FortiGate unit connected to the Internet using its port2 and port3 interfaces. The default policy allows all traffic from the port1 network to connect to the Internet through the port2 interface. If you add a similar policy to the port1 to port3 policy list, this policy will allow all traffic from the port1 network to connect to the Internet through the port3 interface. With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see “Default firewall configuration” on page 170.

To add a redundant default policy

1Go to Firewall > Address > port3.

2Add the following address to port3.

Address Name	Port3_All
IP Address	0.0.0.0
Netmask	0.0.0.0

3Go to Firewall > Policy > port1->port3.

4Select New.

5Configure the policy to match the default policy.

Source Port1_All

Destination Port3_All

Schedule Always

Service	ANY
Action	Accept
NAT	Select NAT.

6Select OK to save your changes.

58	Fortinet Inc.

Image 58

Fortinet 400 manual Firewall policy example, Adding a redundant default policy, Go to Firewall Policy port1-port3

Contents

Installation and Configuration Guide August Trademarks Regulatory Compliance Table of Contents NAT/Route mode installation High availability System status Network configuration 133 System configuration 157 Users and authentication 201 IPSec VPN 209 Network Intrusion Detection System Nids 249 Email filter 277 Glossary 295 Index 299 Contents Introduction Antivirus protection Web content filtering Email filtering NAT/Route mode Firewall Transparent mode Network intrusion detection VPN High availability Secure installation, configuration, and management Web-based manager Command line interface Logging and reporting What’s new in Version Users and authentication Replacement messagesFirewall Web Filter AntivirusEmail filter About this document Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started Package contents Mounting Environmental specifications Powering onPower requirements FortiGate-400 LED indicators Connecting to the web-based manager Connecting to the web-based manager Bits per second 9600 Data bits Parity Connecting to the command line interface CLIFactory default FortiGate configuration settings Stop bits Flow control Account Factory default NAT/Route mode network configurationInterface Factory default Transparent mode network configuration Factory default firewall configuration Factory default content profiles Strict content profile Options Strict content profileScan content profile Scan content profile Options Web content profile Options Web content profileUnfiltered content profile Unfiltered content profile Options Planning your FortiGate configuration NAT/Route mode with multiple external network connections Example NAT/Route mode network configuration Configuration options Setup Wizard FortiGate model maximum values matrix Front keypad and LCD Next steps Next steps Getting started Preparing to configure NAT/Route mode NAT/Route mode installationNAT/Route mode settings Administrator Password Interface Starting the setup wizard Using the setup wizardReconnecting to the web-based manager Configuring the FortiGate unit to operate in NAT/Route mode Using the front control buttons and LCDUsing the command line interface Configuring NAT/Route mode IP addresses Set system interface port2 mode static ip IPaddress netmask Connecting the FortiGate unit to your networks Configuring interface Configuring your networkCompleting the configuration Go to System Network Interface Enabling antivirus protection Configuring interface 4/HASetting the date and time Registering your FortiGate unit Configuration example Multiple connections to the Internet Configuring virus and attack definition updates Configuring Ping servers Example multiple Internet connection configuration Destination based routing examples Primary and backup links to the InternetUsing the CLI Go to System Network Routing Table Load sharing Load sharing and primary and secondary connections Adding the routes using the CLI Routing table should have routes arranged as shown in Table Routing a service to an external network Policy routing examples Firewall policy example Adding a redundant default policyGo to Firewall Policy port1-port3 Restricting access to a single Internet connection Adding more firewall policies Configuration example Multiple connections to the Internet Transparent mode settings Administrator Password Transparent mode installationPreparing to configure Transparent mode DNS Settings Changing to Transparent mode Go to System Status Set system opmode transparent Configuring the Transparent mode management IP address Configure the Transparent mode default gateway Registering your FortiGate Transparent mode configuration examples FortiGate-400 Transparent mode connections Default routes and static routes General configuration steps Default route to an external network Go to System Network Management Web-based manager example configuration stepsCLI configuration steps Go to System Network Routing Static route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Active-passive HA Active-active HA Installing and configuring the FortiGate units HA in NAT/Route modeConfiguring the HA interfaces Configuring the HA cluster Go to System Config HA Weighted Round Robin Least Connection Connecting the HA cluster to your network Example Active-Active HA configuration HA network configuration Configuring the HA interface and HA IP address HA in Transparent modeStarting the HA cluster HA in Transparent mode None Sample active-passive HA configuration Viewing the status of cluster members Managing the HA clusterGo to System Status Cluster Members Monitoring cluster members Go to System Status Monitor Go to System Status Session Monitoring cluster sessionsViewing and managing cluster log messages Go to Log&Report Logging Synchronizing the cluster configuration Managing individual cluster units Returning to standalone configuration Replacing a FortiGate unit after fail-over Advanced HA options Selecting a FortiGate unit to a permanent primary unit Configuring weighted-round-robin weights Set system ha weight 1 3 System status System status Changing the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware Upgrading the firmware using the web-based manager Upgrade to a new firmware versionUpgrading the firmware using the CLI Execute restore image namestr tftpip Revert to a previous firmware version Reverting to a previous firmware version using the CLI Execute ping Install a firmware image from a system reboot using the CLI To install firmware from a system reboot Execute reboot 100 Restoring your previous configuration Test a new firmware image before installing it101 102 Installing a backup firmware image Installing and using a backup firmware image103 104 Switching to the backup firmware image 105 Switching back to the default firmware image Manual virus definition updates106 Displaying the FortiGate up time Manual attack definition updatesDisplaying the FortiGate serial number Displaying log hard disk status Restoring system settings to factory defaults Backing up system settingsRestoring system settings 108 Restarting the FortiGate unit Changing to Transparent modeChanging to NAT/Route mode 109 System status Shutting down the FortiGate unitViewing CPU and memory status Viewing sessions and network status 111 Viewing virus and intrusions status Sessions and network status monitor 113 Session listViewing the session list Go to System Status Session 114 Updating antivirus and attack definitions Virus and attack definitions updates and registration115 Connecting to the FortiResponse Distribution Network Version Expiry date Last update attempt Last update status Go to System Update Configuring scheduled updates117 Go to Log&Report Log Setting Configuring update loggingSuccessful Update FDN error Manually updating antivirus and attack definitions Configuring push updatesAdding an override server 119 Push updates through a NAT device To enable push updatesAbout push updates Example push updates through a NAT device General procedure 121 122 Go to Firewall Virtual IP 123 Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP Scheduled updates through a proxy server 124 Registering FortiGate units FortiCare Service Contracts125 Registering the FortiGate unit 126 127 Registering a FortiGate unit product information Viewing the list of registered FortiGate units Recovering a lost Fortinet support passwordUpdating registration information 128 Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit129 Changing your contact information or security question Changing your Fortinet support passwordDownloading virus and attack definitions updates 130 Registering a FortiGate unit after an RMA 131 132 Adding zones Network configurationConfiguring zones 133 Renaming zones Adding interfaces to a zoneAdding Vlan subinterfaces to a zone 134 Viewing the interface list Configuring interfacesDeleting zones Bringing up an interface Adding a ping server to an interface Changing an interface static IP addressAdding a secondary IP address to an interface 136 Changing the MTU size to improve network performance Controlling management access to an interfaceConfiguring traffic logging for connections to an interface 137 Configuring port4/ha as a firewall interface Configuring port4/haConfiguring port4/ha for HA mode Configuring the management interface Transparent mode Vlan network configuration Configuring VLANs139 Typical Vlan network configuration 140 Rules for Vlan IP addresses Adding Vlan subinterfacesRules for Vlan IDs Adding a Vlan subinterface 142 Adding a Vlan subinterface Adding destination-based routes to the routing table Configuring routingAdding a default route 143 144 Configuring the routing table Adding routes in Transparent mode145 Policy routing Policy routing command syntax146 Set system dhcpserver command syntax Keywords Description Providing Dhcp services to your internal network147 148 RIP configuration 149 Go to System RIP Settings RIP settings150 Configuring RIP settings 151 152 Configuring RIP for FortiGate interfacesPassword Mode 153 Adding RIP neighborsAdding RIP neighbors Go to System RIP Neighbor 154 Adding RIP filtersAdding a single RIP filter Go to System RIP Filter Add the IP address of the route Adding a RIP filter list155 Mask Add the netmask of the route Action Adding a routes filter Adding a neighbors filter156 To set the date and time Go to System Config Time System configurationSetting system date and time 157 Changing web-based manager options To set the system idle timeout158 159 To set the Auth timeoutTo modify the Dead Gateway Detection settings To select a language for the web-based manager Go to System Config Admin Adding and editing administrator accountsAdding new administrator accounts 160 To edit an administrator account Go to System Config Admin Editing administrator accounts161 Configuring FortiGate Snmp support Configuring SnmpConfiguring the FortiGate unit for Snmp monitoring Go to System Config Snmp v1/v2c Trap Community Trap Receiver IP Addresses FortiGate MIBs163 FortiGate MIBs MIB file name Description EtherLike.mib 164 Customizing replacement messagesFortiGate traps FortiGate traps Trap message Description Go to System Config Replacement Messages Customizing replacement messages165 166 Customizing alert emailsAlert email message sections 167 Alert email message sections 168 Firewall configuration 169 Vlan subinterfaces Default firewall configurationInterfaces 170 Addresses Default addresses Interface Address DescriptionZones 171 Adding firewall policies ServicesContent profiles Schedules Destination Firewall policy optionsSource 173 Action ServiceSchedule VPN Tunnel Traffic Shaping Authentication175 Anti-Virus & Web filter 176 Comments Configuring policy listsLog Traffic Policy matching in detail Disabling a policy Changing the order of policies in a policy listEnabling and disabling policies Enabling a policy 179 AddressesAdding addresses Go to Firewall Address Deleting addresses Editing addresses180 181 Organizing addresses into address groupsGo to Firewall Address Group Predefined services Services182 183 Https Go to Firewall Service Custom Providing access to custom services184 Go to Firewall Service Group Grouping services185 186 SchedulesCreating one-time schedules Go to Firewall Schedule One-time 187 Creating recurring schedulesGo to Firewall Schedule Recurring Adding a schedule to a policy Virtual IPs188 Adding static NAT virtual IPs 189 Adding port forwarding virtual IPs 190 Adding policies with virtual IPs 191 192 IP poolsAdding an IP pool Go to Firewall IP Pool IP pools and dynamic NAT IP/MAC bindingIP Pools for firewall policies that use fixed ports 193 194 Go to Firewall IP/MAC Binding SettingGo to Firewall IP/MAC Binding Static IP/MAC Adding IP/MAC addresses 195 196 Viewing the dynamic IP/MAC listEnabling IP/MAC binding Go to Firewall IP/MAC Binding Dynamic IP/MAC Adding a content profile Content profilesDefault content profiles Go to Firewall Content Profile Quarantine 198File Block Oversized File/Email Block Pass Fragmented Email Adding a content profile to a policy 199 200 Users and authentication 201 Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication 202 Deleting user names from the internal database 203 Deleting Radius servers Configuring Radius supportAdding Radius servers 204 205 Configuring Ldap supportAdding Ldap servers Go to User Ldap Deleting Ldap servers 206 207 Configuring user groupsAdding user groups Go to User User Group Deleting user groups 208 IPSec VPN 209 AutoIKE with pre-shared keys Key managementManual Keys AutoIKE with certificates Adding a manual key VPN tunnel General configuration steps for a manual key VPNManual key IPSec VPNs 211 212 Go to VPN Ipsec Phase General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN AutoIKE IPSec VPNs Remote Gateway Static IP Address 214Remote Gateway Dialup User Configuring advanced options 215 216 Adding a phase 2 configuration for an AutoIKE VPN 217 218 Obtaining a signed local certificate Managing digital certificates219 220 Generating the certificate requestGo to VPN Local Certificates Requesting the signed local certificate Downloading the certificate request221 Importing the signed local certificate Retrieving the signed local certificate222 Importing a CA certificate Obtaining a CA certificateRetrieving a CA certificate 223 Configuring encrypt policies 224 Adding an encrypt policy Adding a source addressAdding a destination address 225 226 Adding an encrypt policy IPSec VPN concentrators VPN concentrator hub general configuration steps227 228 Source InternalAll Destination VPN spoke address Action 229 Adding a VPN concentratorGo to VPN IPSec Concentrator VPN Tunnel VPN spoke general configuration steps230 Policies Redundant IPSec VPNs Configuring redundant IPSec VPN231 See Adding a phase 1 configuration for an AutoIKE VPN on 232 Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsViewing VPN tunnel status 233 234 Testing a VPNGo to VPN IPSec Dialup Pptp and L2TP VPN Configuring Pptp235 Enabling Pptp and specifying an address range Configuring the FortiGate unit as a Pptp gatewayAdding users and user groups 236 Adding an address group 237 Go to Start Settings Control Panel Network Configuring a Windows 98 client for PptpInstalling Pptp support Adding a firewall policy Configuring a Windows 2000 client for Pptp Configuring a Pptp dialup connectionConnecting to the Pptp VPN 239 240 Configuring a Windows XP client for PptpConfiguring the VPN connection Go to Start Control Panel Configuring L2TP 241 242 Configuring the FortiGate unit as a L2TP gatewayEnabling L2TP and specifying an address range Go to VPN L2TP L2TP Range Sample L2TP address range configuration 243 244 Disabling IPSec Configuring a Windows 2000 client for L2TPConfiguring an L2TP dialup connection 245 Configuring an L2TP VPN dialup connection Connecting to the L2TP VPNConfiguring a Windows XP client for L2TP Go to Start Settings 247 248 Detecting attacks Network Intrusion Detection System Nids249 Disabling the Nids Configuring checksum verificationSelecting the interfaces to monitor 250 251 Viewing the signature listViewing attack descriptions Go to Nids Detection Signature List 252 Enabling and disabling Nids attack signaturesAdding user-defined signatures Go to Nids Detection User Defined Signature List Enabling Nids attack prevention Preventing attacksDownloading the user-defined signature list 253 Enabling Nids attack prevention signatures Setting signature threshold values254 255 Logging attacks Configuring synflood signature valuesValue Description Minimum Maximum Default Logging attack messages to the attack log Manual message reduction Reducing the number of Nids attack log and email messagesAutomatic message reduction 257 258 Antivirus protection General configuration steps259 260 Antivirus scanningTo scan FortiGate firewall traffic for viruses File blocking 261 262 Blocking files in firewall trafficAdding file patterns to block Go to Anti-Virus File Block Quarantining infected files Go to Anti-Virus Quarantine Quarantine ConfigQuarantine Quarantining blocked files 264 Viewing the quarantine listSorting the quarantine list Go to Anti-Virus Quarantine Deleting files from quarantine Configuring quarantine optionsFiltering the quarantine list Downloading quarantined files Exempting fragmented email from blocking Configuring limits for oversized files and emailBlocking oversized files and emails Viewing the virus list Web filtering 267 Adding words and phrases to the banned word list Content blockingGo to Web Filter Content Block 268 Adding URLs or URL patterns to the block list Using the FortiGate web filterURL blocking 269 Clearing the URL block list 270 Uploading a URL block list Downloading the URL block list271 Adding a Cerberian user to the FortiGate unit Using the Cerberian web filterInstalling a Cerberian license key on the FortiGate unit 272 To configure the Cerberian web filtering Configuring Cerberian web filterAbout the default group and policy Enabling Cerberian URL filtering Selecting script filter options Script filteringEnabling the script filter 274 275 Exempt URL listAdding URLs to the exempt URL list Go to Web Filter Exempt URL 276 Example exempt URL list Email filter 277 Email banned word list Go to Email Filter Content Block278 Adding address patterns to the email block list Email block listEmail exempt list 279 Adding address patterns to the email exempt list To add a subject tag Go to Email Filter ConfigAdding a subject tag 280 Recording logs Logging and reporting281 Recording logs on a NetIQ WebTrends server Recording logs on a remote computer282 Overwrite Recording logs on the FortiGate hard disk283 Option Recording logs in system memory Filtering log messages284 Example log filter configuration 285 Enabling traffic logging for an interface Configuring traffic loggingEnabling traffic logging Enabling traffic logging for a Vlan subinterface Enabling traffic logging for a firewall policy Configuring traffic filter settingsGo to Log&Report Log Setting Traffic Filter 287 Adding traffic filter entries Destination IP Address Destination Netmask Service288 Searching logs Viewing logs saved to memoryViewing logs 289 Viewing and managing logs saved to the hard disk 290 Deleting all messages in an active log Downloading a log file to the management computer291 Adding alert email addresses Configuring alert emailDeleting a saved log file 292 293 Testing alert emailEnabling alert email Go to Log&Report Alert Mail Categories 294 Glossary 295 296 297 298 Numerics Index299 300 Index 301 FDS 302 Ldap 303 MIB 304 305 RMA 306 TCP 307 VPN 308