Manuals / Fortinet / Computer Equipment / Network Card

Fortinet 50A user manual Configuring encrypt policies, Importing CA certificates, 193

Models: 50A

1 272

Download 272 pages 24.69 Kb

Page 193

IPSec VPN	Configuring encrypt policies

The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiGate unit.

Note: The CA certificate must adhere to the X.509 standard.

Importing CA certificates

Import the CA certificate from the management computer to the FortiGate unit.

To import the CA certificate

1Go to VPN > Certificates > CA Certificates.

2Select Import.

3Enter the path or browse to locate the CA certificate on the management computer.

4Select OK.

The CA is displayed on the CA Certificates list.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

Configuring encrypt policies

A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN.

A VPN requires only one encrypt policy to control both inbound and outbound connections. Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection), and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows one encrypt policy to do the same function as two regular firewall policies.

Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal network and a destination address on an external network. The source address identifies the addresses on the internal network that are part of the VPN. The destination address identifies the addresses on the remote network that are part of the VPN.

Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

FortiGate-50A Installation and Configuration Guide

193

Image 193

Fortinet 50A user manual Configuring encrypt policies, Importing CA certificates, 193

Contents

February Installation and Configuration GuideRegulatory Compliance TrademarksTable of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents NAT/Route mode NAT/Route mode and Transparent modeTransparent mode IntroductionDocument conventions Comments on Fortinet technical documentation Fortinet documentationCustomer service and technical support Getting started Mounting Package contentsConnecting to the web-based manager Powering onEnvironmental specifications To power on the FortiGate-50A unitTo connect to the web-based manager Connecting to the command line interface CLIBits per second Data bits Parity To connect to the CLIStop bits Flow control Factory default Dhcp configuration Factory default FortiGate configuration settingsFactory default Transparent mode network configuration Factory default NAT/Route mode network configurationFactory default firewall configuration Service Factory default firewall configuration RecurringAuthentication ContentStrict content profile Factory default content profilesStrict content profile Options Web content profile Scan content profileScan content profile Options Web content profile OptionsUnfiltered content profile Planning the FortiGate configurationUnfiltered content profile Options Setup wizard Configuration optionsCLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next stepsNext steps Getting started NAT/Route mode installation Changing the default configuration Preparing to configure NAT/Route modeInternal servers Advanced NAT/Route mode settings Using the setup wizardStarting the setup wizard Reconnecting to the web-based managerConfiguring the FortiGate unit to operate in NAT/Route mode Using the command line interfaceConfiguring NAT/Route mode IP addresses ExampleFortiGate-50A External Connecting the FortiGate unit to your networksInternal Completing the configuration Configuring your networksSetting the date and time Changing antivirus protectionRegistering your FortiGate unit Configuring virus and attack definition updatesCompleting the configuration Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS SettingsGo to System Status Changing to Transparent modeConfigure the Transparent mode default gateway Configuring the Transparent mode management IP addressConnecting the FortiGate unit to your networks Registering your FortiGate Enabling antivirus protectionGo to Firewall Policy Int-Ext Default routes and static routes Transparent mode configuration examplesDefault route to an external network General configuration stepsCLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network RoutingDMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System statusChanging the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System StatusUpgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLIExecute ping Reverting to a previous firmware versionReverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Testing a new firmware image before installing it Restoring the previous configurationTo test a new firmware image Save as Default firmware/Run image without savingD/R Manual attack definition updates Manual virus definition updatesTo update the antivirus definitions manually To update the attack definitions manuallyRestoring system settings Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up timeChanging to Transparent mode Restoring system settings to factory defaultsTo change to Transparent mode Go to System Status To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unitViewing CPU and memory status System statusTo view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network statusSessions and network status monitor Viewing virus and intrusions statusTo view the session list Go to System Status Session Session listExample session list ProtocolSession list Updating antivirus and attack definitions Virus and attack definitions updates and registrationGo to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDNManually initiating antivirus and attack definitions updates Configuring update logging Scheduling updatesEnabling scheduled updates To configure update logging Go to Log&Report Log SettingAdding an override server To add an override server Go to System UpdateEnabling scheduled updates through a proxy server Enabling push updatesPush updates when FortiGate IP addresses change Enabling push updatesEnabling push updates through a NAT device To enable push updates Go to System UpdateExample network topology Push updates through a NAT device Example push updates through a NAT deviceGeneral procedure Schedule Always Service ANY Action Accept To configure the FortiGate NAT deviceAdding a firewall policy for the port forwarding virtual IP Registering FortiGate units Example push update configurationFortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unitChanging your contact information or security question Changing your Fortinet support passwordDownloading virus and attack definition updates Downloading virus and attack definitions updatesRegistering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configurationConfiguring an interface with a manual IP address Changing the administrative status of an interfaceTo stop an interface that is administratively up Viewing the interface listConnecting Configuring an interface for DhcpInitializing ConnectedAdding a secondary IP address to an interface Configuring an interface for PPPoEAdding a ping server to an interface Controlling administrative access to an interfaceChanging the MTU size to improve network performance Configuring traffic logging for connections to an interfaceConfiguring the management interface in Transparent mode Adding a default route Configuring routingAdding DNS server IP addresses 100101 Adding destination-based routes to the routing tableConfiguring the routing table Adding routes in Transparent mode102 103 Policy routingPolicy routing command syntax Configuring Dhcp servicesConfiguring a Dhcp relay agent 104Adding a Dhcp server to an interface Configuring a Dhcp serverAdding scopes to a Dhcp server 105106 Adding a reserve IP to a Dhcp serverScope Name IP PoolViewing a Dhcp server dynamic IP list Configuring the modem interface107 Configuring modem settings Connecting a modem to the FortiGate unitTo configure modem settings Go to System Network Modem 108Disconnecting the modem Connecting to a dialup account109 To connect to a dialup account Go to System Network ModemStandalone mode configuration Backup mode configurationTo configure backup mode Go to System Network Modem Viewing modem statusAdding firewall policies for modem connections To operate in standalone mode Go to System Network Modem111 112 RIP settings RIP configuration113 Holddown InvalidFlush 115 Configuring RIP for FortiGate interfaces116 Adding a RIP filter list Adding RIP filters117 To add a RIP filter list Go to System RIP FilterAssigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter119 Assigning a RIP filter list to the outgoing filter120 Setting system date and time System configurationTo set the date and time Go to System Config Time 121To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 122Modifying the Dead Gateway Detection settings Adding and editing administrator accounts123 Editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 124To edit an administrator account Go to System Config Admin Configuring Snmp125 Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settingsSystem Name 127System Location 128 FortiGate MIBsGeneral FortiGate traps FortiGate trapsSystem traps 129130 Firewall configuration System configuration and statusUsers and authentication configuration 131132 Customizing replacement messages Replacement messages133 134 Customizing alert emailsNids event 135Critical event 136137 Firewall configurationAddresses Default firewall configuration138 Content profiles ServicesSchedules 139140 Adding firewall policies141 ActionTraffic Shaping VPN Tunnel142 Dynamic IP Pool Fixed PortAnti-Virus & Web filter Authentication143 Maximum Bandwidth Traffic PriorityLog Traffic Configuring policy listsComments 144Changing the order of policies in a policy list Policy matching in detail145 Enabling and disabling policies AddressesDisabling policies Enabling policies147 Adding addressesTo add an address Go to Firewall Address Deleting addresses Editing addressesOrganizing addresses into address groups 148Predefined services Services149 GRE 150Ldap 151152 Adding custom TCP and UDP servicesAdding custom IP services Adding custom Icmp servicesGrouping services 153154 SchedulesCreating recurring schedules Creating one-time schedules155 156 Adding schedules to policies157 Virtual IPsTo add a schedule to a policy Go to Firewall Policy 158 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal159 Adding port forwarding virtual IPsAdding a port forwarding virtual IP 160Adding policies with virtual IPs IP pools161 To add a policy with a virtual IP Go to Firewall PolicyIP Pools for firewall policies that use fixed ports Adding an IP poolIP pools and dynamic NAT 162163 IP/MAC bindingGo to Firewall IP/MAC Binding Static IP/MAC 164 Configuring IP/MAC binding for packets going to the firewallViewing the dynamic IP/MAC list Adding IP/MAC addressesEnabling IP/MAC binding 165166 Content profilesAdding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 167Oversized File/Email Pass Fragmented Email 168To add a content profile to a policy Go to Firewall Policy Adding content profiles to policies169 170 171 Users and authenticationAdding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options173 Deleting user names from the internal databaseAdding Radius servers Configuring Radius supportDeleting Radius servers 174Adding Ldap servers Configuring Ldap support175 To add an Ldap server Go to User Ldap176 Deleting Ldap serversTo delete an Ldap server Go to User Ldap Adding user groups Configuring user groups177 To add a user group Go to User User Group178 Deleting user groupsTo delete a user group Go to User User Group 179 IPSec VPNManual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificatesManual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 181182 AutoIKE IPSec VPNsAES128 AES192Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNTo create an AutoIKE VPN configuration To add a phase 1 configuration Go to VPN Ipsec PhaseRemote Gateway Static IP Address 184Remote Gateway Dialup User To configure phase 1 advanced options Configuring advanced options185 186 187 Adding a phase 1 configuration Standard optionsTo add a phase 2 configuration Go to VPN Ipsec Phase Adding a phase 2 configuration for an AutoIKE VPN188 Use selectors from policy 189Use wildcard selectors Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 190Key Type 191Key Size Importing the signed local certificate Downloading the certificate requestObtaining CA certificates 192Importing CA certificates Configuring encrypt policies193 Adding a destination address Adding a source address194 To add a source address Go to Firewall Address195 Adding an encrypt policyTo add an encrypt policy Go to Firewall Policy 196 IPSec VPN concentratorsTo create a VPN concentrator configuration VPN concentrator hub general configuration steps197 198 Adding a VPN concentratorSource InternalAll Destination VPN spoke address Action To create a VPN spoke configuration VPN spoke general configuration steps199 VPN Tunnel 200Policies To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status202 Testing a VPNConfiguring the FortiGate unit as a Pptp gateway Configuring PptpPptp and L2TP VPN 203To add a source address 204To add a source address group 205To add a destination address To add a firewall policy206 Configuring a Windows 98 client for PptpTo connect to the Pptp VPN Configuring a Windows XP client for Pptp Configuring a Windows 2000 client for Pptp207 208 To configure the VPN connectionSelect Properties Security Configuring the FortiGate unit as an L2TP gateway Configuring L2TP209 To add source addresses 210211 Configuring a Windows 2000 client for L2TP212 To disable IPSecTo connect to the L2TP VPN 213 Configuring a Windows XP client for L2TP214 Detecting attacks Network Intrusion Detection System Nids215 Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 216Viewing attack descriptions Viewing the signature list217 Adding user-defined signatures Disabling Nids attack signatures218 219 Downloading the user-defined signature listPreventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures221 Setting signature threshold valuesLogging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction223 Manual message reduction224 Antivirus protection General configuration steps225 226 Antivirus scanningTo scan FortiGate firewall traffic for viruses Blocking files in firewall traffic File blockingAdding file patterns to block 227Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking 228Viewing the virus list To view the virus list Go to Anti-Virus Config Virus List229 230 231 Web filteringGo to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 232Backing up the Banned Word list Clearing the Banned Word listRestoring the Banned Word list 233Example Banned Word List text file 234URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 235Downloading the Web URL block list Clearing the Web URL block listUploading a URL block list 236237 Configuring FortiGate Web pattern blockingTo upload a URL block list Installing a Cerberian license key Configuring Cerberian URL filteringAdding a Cerberian user 238About the default group and policy Configuring Cerberian web filterTo configure Cerberian web filtering Enabling Cerberian URL filteringEnabling script filtering Script filteringSelecting script filter options 240Adding URLs to the URL Exempt list Exempt URL list241 Go to Web Filter URL ExemptUploading a URL Exempt List Downloading the URL Exempt List242 243 244 245 Email filterAdding words and phrases to the email banned word list Email banned word list246 Uploading the email banned word list Downloading the email banned word list247 Adding address patterns to the email block list Email block listDownloading the email block list 248Uploading an email block list Email exempt list249 To upload the email block listAdding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 250Recording logs Logging and reportingRecording logs on a remote computer 251252 Recording logs on a NetIQ WebTrends serverFiltering log messages To filter log entries Go to Log&Report Log SettingLog message levels 253254 Configuring traffic loggingEnabling traffic logging Configuring traffic filter settingsEnabling traffic logging for an interface Enabling traffic logging for a firewall policyAdding traffic filter entries Destination IP Address Destination Netmask Service256 Adding alert email addresses Configuring alert email257 To add a DNS server Go to System Network DNSEnabling alert email Testing alert email258 259 Glossary260 261 262 263 IndexIndex 264DNS 265Http 266NAT 267268 RMA 269TCP 270VPN 271272