Fortinet 50A user manual
272 pages, 3.34 Mb
FortiGate 50A Installation and Configuration Guide
FortiGate User Manual Volume 1
Version 2.50
29 February 2004
Contents
Introduction
NAT/Route mode and Transparent mode
NAT/Route mode
Transparent mode
Document conventions
Fortinet documentation
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Dimensions
Weight
Power requirements
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Factory default DHCP configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Strict content profile
Scan content profile
Web content profile
Unfiltered content profile
Planning the FortiGate configuration
NAT/Route mode
Transparent mode
Configuration options
Setup wizard
CLI
FortiGate model maximum values matrix
Next steps
NAT/Route mode installation
Installing the FortiGate unit using the default configuration
Changing the default configuration
Preparing to configure NAT/Route mode
Advanced NAT/Route mode settings
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Configuring NAT/Route mode IP addresses
Connecting the FortiGate unit to your networks
Configuring your networks
Completing the configuration
Setting the date and time
Changing antivirus protection
Registering your FortiGate unit
Configuring virus and attack definition updates
Transparent mode installation
Preparing to configure Transparent mode
Using the setup wizard
Changing to Transparent mode
Starting the setup wizard
Reconnecting to the web-based manager
Using the command line interface
Connecting the FortiGate unit to your networks
Completing the configuration
Setting the date and time
Enabling antivirus protection
Registering your FortiGate
Configuring virus and attack definition updates
Transparent mode configuration examples
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Figure 8: Static route to an external destination
Example static route to an internal destination
System status
Changing the FortiGate host name
Changing the FortiGate firmware
Upgrading to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Reverting to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Installing firmware images from a system reboot using the CLI
Restoring the previous configuration
Testing a new firmware image before installing it
Manual virus definition updates
Manual attack definition updates
Displaying the FortiGate serial number
Displaying the FortiGate up time
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status
Session list
Each line of the session list displays the following information.
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
Connecting to the FortiResponse Distribution Network
Manually initiating antivirus and attack definitions updates
Configuring update logging
Scheduling updates
Enabling scheduled updates
Adding an override server
Enabling scheduled updates through a proxy server
Enabling push updates
Push updates when FortiGate IP addresses change
Enabling push updates through a NAT device
Example: push updates through a NAT device
Adding a port forwarding virtual IP to the FortiGate NAT device
Adding a firewall policy for the port forwarding virtual IP
Configuring the FortiGate unit with an override push IP and port
Registering FortiGate units
FortiCare Service Contracts
Registering the FortiGate unit
Updating registration information
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates
Registering a FortiGate unit after an RMA
Network configuration
Configuring interfaces
Viewing the interface list
Changing the administrative status of an interface
Configuring an interface with a manual IP address
Configuring an interface for DHCP
Configuring an interface for PPPoE
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling administrative access to an interface
Changing the MTU size to improve network performance
Configuring traffic logging for connections to an interface
Configuring the management interface in Transparent mode
Adding DNS server IP addresses
Configuring routing
Adding a default route
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing
Policy routing command syntax
Configuring DHCP services
Configuring a DHCP relay agent
Configuring a DHCP server
Adding a DHCP server to an interface
Adding scopes to a DHCP server
Adding a reserve IP to a DHCP server
Viewing a DHCP server dynamic IP list
Configuring the modem interface
Connecting a modem to the FortiGate unit
Configuring modem settings
Connecting to a dialup account
Disconnecting the modem
Viewing modem status
Backup mode configuration
Standalone mode configuration
Adding firewall policies for modem connections
RIP configuration
RIP settings
6 Select Apply to save the changes.
Configuring RIP for FortiGate interfaces
4 Select OK to save the RIP configuration for the selected interface.
Adding RIP filters
Adding a RIP filter list
Assigning a RIP filter list to the neighbors filter
Assigning a RIP filter list to the incoming filter
System configuration
Setting system date and time
Changing system options
Modifying the Dead Gateway Detection settings
Adding and editing administrator accounts
Adding new administrator accounts
Editing administrator accounts
Configuring SNMP
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
Configuring SNMP access to an interface
Configuring SNMP community settings
4 Select Apply.
FortiGate MIBs
FortiGate traps
System traps
General FortiGate traps
VPN traps
NIDS traps
Antivirus traps
Logging traps
System configuration and status
Firewall configuration
Users and authentication configuration
Replacement messages
Customizing replacement messages
Customizing alert emails
NIDS event
Virus alert
Block alert
Critical event
Firewall configuration
Default firewall configuration
Addresses
Services
Schedules
Content profiles
Adding firewall policies
Firewall policy options
Source
Destination
Schedule
Action
Select how you want the firewall to respond when the policy matches a connection attempt.
NAT
VPN Tunnel
Traffic Shaping
Authentication
Anti-Virus & Web filter
Configuring policy lists
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Disabling policies
Addresses
Adding addresses
Editing addresses
Deleting addresses
Organizing addresses into address groups
Services
Predefined services
Adding custom TCP and UDP services
Adding custom ICMP services
Adding custom IP services
Grouping services
Schedules
Creating one-time schedules
Creating recurring schedules
Adding schedules to policies
Virtual IPs
Adding static NAT virtual IPs
Adding port forwarding virtual IPs
Adding policies with virtual IPs
IP pools
Adding an IP pool
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
IP/MAC binding
Configuring IP/MAC binding for packets going through the firewall
Configuring IP/MAC binding for packets going to the firewall
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
Content profiles
Default content profiles
Adding content profiles
6 Enable the email filter protection options that you want.
7 Enable the fragmented email and oversized file and email options that you want.
8 Select OK.
Adding content profiles to policies
Users and authentication
Setting authentication timeout
Adding user names and configuring authentication
Deleting user names from the internal database
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
Configuring LDAP support
Adding LDAP servers
Deleting LDAP servers
Configuring user groups
Adding user groups
Deleting user groups
IPSec VPN
Key management
Manual Keys
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
AutoIKE with pre-shared keys
AutoIKE with certificates
Manual key IPSec VPNs
General configuration steps for a manual key VPN
Adding a manual key VPN tunnel
AutoIKE IPSec VPNs
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
Configuring advanced options
4 Optionally, configure NAT Traversal.
6 Select OK to save the phase 1 parameters.
Adding a phase 2 configuration for an AutoIKE VPN
Managing digital certificates
Obtaining a signed local certificate
Generating the certificate request
Downloading the certificate request
Importing the signed local certificate
Backing up and restoring the local certificate and private key
Obtaining CA certificates
Configuring encrypt policies
Adding a source address
Adding a destination address
Adding an encrypt policy
IPSec VPN concentrators
VPN concentrator (hub) general configuration steps
Adding a VPN concentrator
VPN spoke general configuration steps
Monitoring and Troubleshooting VPNs
Viewing VPN tunnel status
Viewing dialup VPN connection status
Testing a VPN
PPTP and L2TP VPN
Configuring PPTP
Configuring the FortiGate unit as a PPTP gateway
Configuring a Windows 98 client for PPTP
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
Configuring L2TP
Configuring the FortiGate unit as an L2TP gateway
Configuring a Windows 2000 client for L2TP
Configuring a Windows XP client for L2TP
Network Intrusion Detection System (NIDS)
Detecting attacks
Selecting the interfaces to monitor
Disabling monitoring interfaces
Configuring checksum verification
Viewing the signature list
Viewing attack descriptions
Disabling NIDS attack signatures
Adding user-defined signatures
Downloading the user-defined signature list
Preventing attacks
Enabling NIDS attack prevention
Enabling NIDS attack prevention signatures
Setting signature threshold values
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
Antivirus protection
Antivirus scanning
File blocking
Blocking files in firewall traffic
Adding file patterns to block
Blocking oversized files and emails
Configuring limits for oversized files and email
Exempting fragmented email from blocking
Web filtering
Content blocking
Adding words and phrases to the Banned Word list
Clearing the Banned Word list
Backing up the Banned Word list
Restoring the Banned Word list
URL blocking
Configuring FortiGate Web URL blocking
Adding URLs to the Web URL block list
Clearing the Web URL block list
Downloading the Web URL block list
Uploading a URL block list
Configuring FortiGate Web pattern blocking
Configuring Cerberian URL filtering
Installing a Cerberian license key
Adding a Cerberian user
Configuring Cerberian web filter
About the default group and policy
Enabling Cerberian URL filtering
Script filtering
Enabling script filtering
Selecting script filter options
Exempt URL list
Adding URLs to the URL Exempt list
Downloading the URL Exempt List
Uploading a URL Exempt List
Email filter
Email banned word list
Adding words and phrases to the email banned word list
Downloading the email banned word list
Uploading the email banned word list
Email block list
Adding address patterns to the email block list
Downloading the email block list
Uploading an email block list
Email exempt list
Adding address patterns to the email exempt list
Adding a subject tag
Logging and reporting
Recording logs
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Log message levels
Table 23 lists and describes FortiGate log message levels.
Filtering log messages
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Adding traffic filter entries
Configuring alert email
Adding alert email addresses
Testing alert email
Enabling alert email
Glossary
Index