Installation and Configuration Guide | Fortinet 50A instruction

FortiGate 50A

Installation and Configuration Guide

PWR

STATUS

INTERNAL

EXTERNAL

A

LINK 100

LINK 100

FortiGate User Manual Volume 1

Version 2.50

29 February 2004

Image 1

Fortinet 50A user manual Installation and Configuration Guide, February

Contents

February Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents NAT/Route mode NAT/Route mode and Transparent modeTransparent mode Introduction Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents Connecting to the web-based manager Powering onEnvironmental specifications To power on the FortiGate-50A unit To connect to the web-based manager Connecting to the command line interface CLI Bits per second Data bits Parity To connect to the CLIStop bits Flow control Factory default Dhcp configuration Factory default FortiGate configuration settings Factory default Transparent mode network configuration Factory default NAT/Route mode network configurationFactory default firewall configuration Service Factory default firewall configuration RecurringAuthentication Content Strict content profile Factory default content profilesStrict content profile Options Web content profile Scan content profileScan content profile Options Web content profile Options Unfiltered content profile Planning the FortiGate configurationUnfiltered content profile Options Setup wizard Configuration options CLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Next steps Getting started NAT/Route mode installation Changing the default configuration Preparing to configure NAT/Route modeInternal servers Advanced NAT/Route mode settings Using the setup wizardStarting the setup wizard Reconnecting to the web-based manager Configuring the FortiGate unit to operate in NAT/Route mode Using the command line interfaceConfiguring NAT/Route mode IP addresses Example FortiGate-50A External Connecting the FortiGate unit to your networksInternal Completing the configuration Configuring your networksSetting the date and time Changing antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Completing the configuration Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS Settings Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Connecting the FortiGate unit to your networks Registering your FortiGate Enabling antivirus protectionGo to Firewall Policy Int-Ext Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps CLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network Routing DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Changing the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System Status Upgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLI Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Testing a new firmware image before installing it Restoring the previous configurationTo test a new firmware image Save as Default firmware/Run image without savingD/R Manual attack definition updates Manual virus definition updatesTo update the antivirus definitions manually To update the attack definitions manually Restoring system settings Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up time Changing to Transparent mode Restoring system settings to factory defaultsTo change to Transparent mode Go to System Status To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit Viewing CPU and memory status System statusTo view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status To view the session list Go to System Status Session Session list Example session list Protocol Session list Updating antivirus and attack definitions Virus and attack definitions updates and registration Go to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates Configuring update logging Scheduling updatesEnabling scheduled updates To configure update logging Go to Log&Report Log Setting Adding an override server To add an override server Go to System Update Enabling scheduled updates through a proxy server Enabling push updates Push updates when FortiGate IP addresses change Enabling push updatesEnabling push updates through a NAT device To enable push updates Go to System Update Example network topology Push updates through a NAT device Example push updates through a NAT device General procedure Schedule Always Service ANY Action Accept To configure the FortiGate NAT deviceAdding a firewall policy for the port forwarding virtual IP Registering FortiGate units Example push update configuration FortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit Changing your contact information or security question Changing your Fortinet support password Downloading virus and attack definition updates Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configuration Configuring an interface with a manual IP address Changing the administrative status of an interfaceTo stop an interface that is administratively up Viewing the interface list Connecting Configuring an interface for DhcpInitializing Connected Adding a secondary IP address to an interface Configuring an interface for PPPoE Adding a ping server to an interface Controlling administrative access to an interface Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode Adding a default route Configuring routingAdding DNS server IP addresses 100 101 Adding destination-based routes to the routing table Configuring the routing table Adding routes in Transparent mode102 103 Policy routing Policy routing command syntax Configuring Dhcp servicesConfiguring a Dhcp relay agent 104 Adding a Dhcp server to an interface Configuring a Dhcp serverAdding scopes to a Dhcp server 105 106 Adding a reserve IP to a Dhcp serverScope Name IP Pool Viewing a Dhcp server dynamic IP list Configuring the modem interface107 Configuring modem settings Connecting a modem to the FortiGate unitTo configure modem settings Go to System Network Modem 108 Disconnecting the modem Connecting to a dialup account109 To connect to a dialup account Go to System Network Modem Standalone mode configuration Backup mode configurationTo configure backup mode Go to System Network Modem Viewing modem status Adding firewall policies for modem connections To operate in standalone mode Go to System Network Modem111 112 RIP settings RIP configuration113 Holddown InvalidFlush 115 Configuring RIP for FortiGate interfaces 116 Adding a RIP filter list Adding RIP filters117 To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter 119 Assigning a RIP filter list to the outgoing filter 120 Setting system date and time System configurationTo set the date and time Go to System Config Time 121 To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 122 Modifying the Dead Gateway Detection settings Adding and editing administrator accounts123 Editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 124 To edit an administrator account Go to System Config Admin Configuring Snmp125 Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settings System Name 127System Location 128 FortiGate MIBs General FortiGate traps FortiGate trapsSystem traps 129 130 Firewall configuration System configuration and statusUsers and authentication configuration 131 132 Customizing replacement messages Replacement messages133 134 Customizing alert emails Nids event 135 Critical event 136 137 Firewall configuration Addresses Default firewall configuration138 Content profiles ServicesSchedules 139 140 Adding firewall policies 141 Action Traffic Shaping VPN Tunnel142 Dynamic IP Pool Fixed Port Anti-Virus & Web filter Authentication143 Maximum Bandwidth Traffic Priority Log Traffic Configuring policy listsComments 144 Changing the order of policies in a policy list Policy matching in detail145 Enabling and disabling policies AddressesDisabling policies Enabling policies 147 Adding addressesTo add an address Go to Firewall Address Deleting addresses Editing addressesOrganizing addresses into address groups 148 Predefined services Services149 GRE 150 Ldap 151 152 Adding custom TCP and UDP services Adding custom IP services Adding custom Icmp servicesGrouping services 153 154 Schedules Creating recurring schedules Creating one-time schedules155 156 Adding schedules to policies 157 Virtual IPsTo add a schedule to a policy Go to Firewall Policy 158 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal 159 Adding port forwarding virtual IPs Adding a port forwarding virtual IP 160 Adding policies with virtual IPs IP pools161 To add a policy with a virtual IP Go to Firewall Policy IP Pools for firewall policies that use fixed ports Adding an IP poolIP pools and dynamic NAT 162 163 IP/MAC bindingGo to Firewall IP/MAC Binding Static IP/MAC 164 Configuring IP/MAC binding for packets going to the firewall Viewing the dynamic IP/MAC list Adding IP/MAC addressesEnabling IP/MAC binding 165 166 Content profiles Adding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 167 Oversized File/Email Pass Fragmented Email 168 To add a content profile to a policy Go to Firewall Policy Adding content profiles to policies169 170 171 Users and authentication Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options 173 Deleting user names from the internal database Adding Radius servers Configuring Radius supportDeleting Radius servers 174 Adding Ldap servers Configuring Ldap support175 To add an Ldap server Go to User Ldap 176 Deleting Ldap serversTo delete an Ldap server Go to User Ldap Adding user groups Configuring user groups177 To add a user group Go to User User Group 178 Deleting user groupsTo delete a user group Go to User User Group 179 IPSec VPN Manual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 181 182 AutoIKE IPSec VPNsAES128 AES192 Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNTo create an AutoIKE VPN configuration To add a phase 1 configuration Go to VPN Ipsec Phase Remote Gateway Static IP Address 184Remote Gateway Dialup User To configure phase 1 advanced options Configuring advanced options185 186 187 Adding a phase 1 configuration Standard options To add a phase 2 configuration Go to VPN Ipsec Phase Adding a phase 2 configuration for an AutoIKE VPN188 Use selectors from policy 189Use wildcard selectors Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 190 Key Type 191Key Size Importing the signed local certificate Downloading the certificate requestObtaining CA certificates 192 Importing CA certificates Configuring encrypt policies193 Adding a destination address Adding a source address194 To add a source address Go to Firewall Address 195 Adding an encrypt policyTo add an encrypt policy Go to Firewall Policy 196 IPSec VPN concentrators To create a VPN concentrator configuration VPN concentrator hub general configuration steps197 198 Adding a VPN concentratorSource InternalAll Destination VPN spoke address Action To create a VPN spoke configuration VPN spoke general configuration steps199 VPN Tunnel 200Policies To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status 202 Testing a VPN Configuring the FortiGate unit as a Pptp gateway Configuring PptpPptp and L2TP VPN 203 To add a source address 204 To add a source address group 205To add a destination address To add a firewall policy 206 Configuring a Windows 98 client for PptpTo connect to the Pptp VPN Configuring a Windows XP client for Pptp Configuring a Windows 2000 client for Pptp207 208 To configure the VPN connectionSelect Properties Security Configuring the FortiGate unit as an L2TP gateway Configuring L2TP209 To add source addresses 210 211 Configuring a Windows 2000 client for L2TP 212 To disable IPSecTo connect to the L2TP VPN 213 Configuring a Windows XP client for L2TP 214 Detecting attacks Network Intrusion Detection System Nids215 Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 216 Viewing attack descriptions Viewing the signature list217 Adding user-defined signatures Disabling Nids attack signatures218 219 Downloading the user-defined signature list Preventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures 221 Setting signature threshold values Logging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction 223 Manual message reduction 224 Antivirus protection General configuration steps225 226 Antivirus scanningTo scan FortiGate firewall traffic for viruses Blocking files in firewall traffic File blockingAdding file patterns to block 227 Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking 228 Viewing the virus list To view the virus list Go to Anti-Virus Config Virus List229 230 231 Web filtering Go to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 232 Backing up the Banned Word list Clearing the Banned Word listRestoring the Banned Word list 233 Example Banned Word List text file 234 URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 235 Downloading the Web URL block list Clearing the Web URL block listUploading a URL block list 236 237 Configuring FortiGate Web pattern blockingTo upload a URL block list Installing a Cerberian license key Configuring Cerberian URL filteringAdding a Cerberian user 238 About the default group and policy Configuring Cerberian web filterTo configure Cerberian web filtering Enabling Cerberian URL filtering Enabling script filtering Script filteringSelecting script filter options 240 Adding URLs to the URL Exempt list Exempt URL list241 Go to Web Filter URL Exempt Uploading a URL Exempt List Downloading the URL Exempt List242 243 244 245 Email filter Adding words and phrases to the email banned word list Email banned word list246 Uploading the email banned word list Downloading the email banned word list247 Adding address patterns to the email block list Email block listDownloading the email block list 248 Uploading an email block list Email exempt list249 To upload the email block list Adding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 250 Recording logs Logging and reportingRecording logs on a remote computer 251 252 Recording logs on a NetIQ WebTrends server Filtering log messages To filter log entries Go to Log&Report Log SettingLog message levels 253 254 Configuring traffic logging Enabling traffic logging Configuring traffic filter settingsEnabling traffic logging for an interface Enabling traffic logging for a firewall policy Adding traffic filter entries Destination IP Address Destination Netmask Service256 Adding alert email addresses Configuring alert email257 To add a DNS server Go to System Network DNS Enabling alert email Testing alert email258 259 Glossary 260 261 262 263 Index Index 264 DNS 265 Http 266 NAT 267 268 RMA 269 TCP 270 VPN 271 272