VPN spoke general configuration steps, 199 | Fortinet 50A guide

IPSec VPN	IPSec VPN concentrators

Figure 26: Adding a VPN concentrator

VPN spoke general configuration steps

A remote VPN peer that functions as a spoke requires the following configuration:

•A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.

•The source address of the local VPN spoke.

•The destination address of each remote VPN spoke.

•A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.

•A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration

1Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.

•To add a manual key tunnel, see “Manual key IPSec VPNs” on page 181.

•To add an AutoIKE tunnel, see “AutoIKE IPSec VPNs” on page 182.

2Add the source address. One source address is required for the local VPN spoke. See “Adding a source address” on page 194.

3Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway).

See “Adding a destination address” on page 194

FortiGate-50A Installation and Configuration Guide

199

Image 199

Fortinet 50A user manual VPN spoke general configuration steps, 199, To create a VPN spoke configuration

Contents

February Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents Introduction NAT/Route mode and Transparent modeNAT/Route mode Transparent mode Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents To power on the FortiGate-50A unit Powering onConnecting to the web-based manager Environmental specifications To connect to the web-based manager Connecting to the command line interface CLI Bits per second Data bits Parity To connect to the CLIStop bits Flow control Factory default Dhcp configuration Factory default FortiGate configuration settings Factory default Transparent mode network configuration Factory default NAT/Route mode network configurationFactory default firewall configuration Content Factory default firewall configuration RecurringService Authentication Strict content profile Factory default content profilesStrict content profile Options Web content profile Options Scan content profileWeb content profile Scan content profile Options Unfiltered content profile Planning the FortiGate configurationUnfiltered content profile Options Setup wizard Configuration options CLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Next steps Getting started NAT/Route mode installation Changing the default configuration Preparing to configure NAT/Route modeInternal servers Reconnecting to the web-based manager Using the setup wizardAdvanced NAT/Route mode settings Starting the setup wizard Example Using the command line interfaceConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses FortiGate-50A External Connecting the FortiGate unit to your networksInternal Changing antivirus protection Configuring your networksCompleting the configuration Setting the date and time Registering your FortiGate unit Configuring virus and attack definition updates Completing the configuration DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Connecting the FortiGate unit to your networks Registering your FortiGate Enabling antivirus protectionGo to Firewall Policy Int-Ext Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps Go to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network Management DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status To change the FortiGate host name Go to System Status Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Changing the FortiGate firmware To upgrade the firmware using the CLI Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the web-based manager Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Testing a new firmware image before installing it Restoring the previous configurationTo test a new firmware image Save as Default firmware/Run image without savingD/R To update the attack definitions manually Manual virus definition updatesManual attack definition updates To update the antivirus definitions manually Displaying the FortiGate up time Backing up system settingsRestoring system settings Displaying the FortiGate serial number Changing to Transparent mode Restoring system settings to factory defaultsTo change to Transparent mode Go to System Status Shutting down the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Restarting the FortiGate unit Viewing CPU and memory status System statusTo view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status To view the session list Go to System Status Session Session list Example session list Protocol Session list Updating antivirus and attack definitions Virus and attack definitions updates and registration To make sure the FortiGate unit can connect to the FDN Connecting to the FortiResponse Distribution NetworkGo to System Update Version Expiry date Last update attempt Last update status Manually initiating antivirus and attack definitions updates To configure update logging Go to Log&Report Log Setting Scheduling updatesConfiguring update logging Enabling scheduled updates Adding an override server To add an override server Go to System Update Enabling scheduled updates through a proxy server Enabling push updates To enable push updates Go to System Update Enabling push updatesPush updates when FortiGate IP addresses change Enabling push updates through a NAT device Example network topology Push updates through a NAT device Example push updates through a NAT device General procedure Schedule Always Service ANY Action Accept To configure the FortiGate NAT deviceAdding a firewall policy for the port forwarding virtual IP Registering FortiGate units Example push update configuration FortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit Changing your contact information or security question Changing your Fortinet support password Downloading virus and attack definition updates Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configuration Viewing the interface list Changing the administrative status of an interfaceConfiguring an interface with a manual IP address To stop an interface that is administratively up Connected Configuring an interface for DhcpConnecting Initializing Adding a secondary IP address to an interface Configuring an interface for PPPoE Adding a ping server to an interface Controlling administrative access to an interface Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode 100 Configuring routingAdding a default route Adding DNS server IP addresses 101 Adding destination-based routes to the routing table Configuring the routing table Adding routes in Transparent mode102 103 Policy routing 104 Configuring Dhcp servicesPolicy routing command syntax Configuring a Dhcp relay agent 105 Configuring a Dhcp serverAdding a Dhcp server to an interface Adding scopes to a Dhcp server IP Pool Adding a reserve IP to a Dhcp server106 Scope Name Viewing a Dhcp server dynamic IP list Configuring the modem interface107 108 Connecting a modem to the FortiGate unitConfiguring modem settings To configure modem settings Go to System Network Modem To connect to a dialup account Go to System Network Modem Connecting to a dialup accountDisconnecting the modem 109 Viewing modem status Backup mode configurationStandalone mode configuration To configure backup mode Go to System Network Modem Adding firewall policies for modem connections To operate in standalone mode Go to System Network Modem111 112 RIP settings RIP configuration113 Holddown InvalidFlush 115 Configuring RIP for FortiGate interfaces 116 To add a RIP filter list Go to System RIP Filter Adding RIP filtersAdding a RIP filter list 117 Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter 119 Assigning a RIP filter list to the outgoing filter 120 121 System configurationSetting system date and time To set the date and time Go to System Config Time 122 To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options Changing system options Modifying the Dead Gateway Detection settings Adding and editing administrator accounts123 124 Adding new administrator accountsEditing administrator accounts To add an administrator account Go to System Config Admin To edit an administrator account Go to System Config Admin Configuring Snmp125 Configuring Snmp community settings Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp access to an interface System Name 127System Location 128 FortiGate MIBs 129 FortiGate trapsGeneral FortiGate traps System traps 130 131 System configuration and statusFirewall configuration Users and authentication configuration 132 Customizing replacement messages Replacement messages133 134 Customizing alert emails Nids event 135 Critical event 136 137 Firewall configuration Addresses Default firewall configuration138 139 ServicesContent profiles Schedules 140 Adding firewall policies 141 Action Dynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 142 Maximum Bandwidth Traffic Priority AuthenticationAnti-Virus & Web filter 143 144 Configuring policy listsLog Traffic Comments Changing the order of policies in a policy list Policy matching in detail145 Enabling policies AddressesEnabling and disabling policies Disabling policies 147 Adding addressesTo add an address Go to Firewall Address 148 Editing addressesDeleting addresses Organizing addresses into address groups Predefined services Services149 GRE 150 Ldap 151 152 Adding custom TCP and UDP services 153 Adding custom Icmp servicesAdding custom IP services Grouping services 154 Schedules Creating recurring schedules Creating one-time schedules155 156 Adding schedules to policies 157 Virtual IPsTo add a schedule to a policy Go to Firewall Policy Virtual IP External Interface examples Description Internal Adding static NAT virtual IPs158 To add a static NAT virtual IP Go to Firewall Virtual IP 159 Adding port forwarding virtual IPs Adding a port forwarding virtual IP 160 To add a policy with a virtual IP Go to Firewall Policy IP poolsAdding policies with virtual IPs 161 162 Adding an IP poolIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT 163 IP/MAC bindingGo to Firewall IP/MAC Binding Static IP/MAC 164 Configuring IP/MAC binding for packets going to the firewall 165 Adding IP/MAC addressesViewing the dynamic IP/MAC list Enabling IP/MAC binding 166 Content profiles 167 Default content profilesAdding content profiles To add a content profile Go to Firewall Content Profile Oversized File/Email Pass Fragmented Email 168 To add a content profile to a policy Go to Firewall Policy Adding content profiles to policies169 170 171 Users and authentication To set authentication timeout Go to System Config Options Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication 173 Deleting user names from the internal database 174 Configuring Radius supportAdding Radius servers Deleting Radius servers To add an Ldap server Go to User Ldap Configuring Ldap supportAdding Ldap servers 175 176 Deleting Ldap serversTo delete an Ldap server Go to User Ldap To add a user group Go to User User Group Configuring user groupsAdding user groups 177 178 Deleting user groupsTo delete a user group Go to User User Group 179 IPSec VPN AutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys 181 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel AES192 AutoIKE IPSec VPNs182 AES128 To add a phase 1 configuration Go to VPN Ipsec Phase General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN To create an AutoIKE VPN configuration Remote Gateway Static IP Address 184Remote Gateway Dialup User To configure phase 1 advanced options Configuring advanced options185 186 187 Adding a phase 1 configuration Standard options To add a phase 2 configuration Go to VPN Ipsec Phase Adding a phase 2 configuration for an AutoIKE VPN188 Use selectors from policy 189Use wildcard selectors 190 Managing digital certificatesObtaining a signed local certificate Generating the certificate request Key Type 191Key Size 192 Downloading the certificate requestImporting the signed local certificate Obtaining CA certificates Importing CA certificates Configuring encrypt policies193 To add a source address Go to Firewall Address Adding a source addressAdding a destination address 194 195 Adding an encrypt policyTo add an encrypt policy Go to Firewall Policy 196 IPSec VPN concentrators To create a VPN concentrator configuration VPN concentrator hub general configuration steps197 198 Adding a VPN concentratorSource InternalAll Destination VPN spoke address Action To create a VPN spoke configuration VPN spoke general configuration steps199 VPN Tunnel 200Policies Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing VPN tunnel status 202 Testing a VPN 203 Configuring PptpConfiguring the FortiGate unit as a Pptp gateway Pptp and L2TP VPN To add a source address 204 To add a firewall policy 205To add a source address group To add a destination address 206 Configuring a Windows 98 client for PptpTo connect to the Pptp VPN Configuring a Windows XP client for Pptp Configuring a Windows 2000 client for Pptp207 208 To configure the VPN connectionSelect Properties Security Configuring the FortiGate unit as an L2TP gateway Configuring L2TP209 To add source addresses 210 211 Configuring a Windows 2000 client for L2TP 212 To disable IPSecTo connect to the L2TP VPN 213 Configuring a Windows XP client for L2TP 214 Detecting attacks Network Intrusion Detection System Nids215 216 Configuring checksum verificationSelecting the interfaces to monitor Disabling monitoring interfaces Viewing attack descriptions Viewing the signature list217 Adding user-defined signatures Disabling Nids attack signatures218 219 Downloading the user-defined signature list Enabling Nids attack prevention signatures To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention 221 Setting signature threshold values Automatic message reduction Logging attacksLogging attack messages to the attack log Reducing the number of Nids attack log and email messages 223 Manual message reduction 224 Antivirus protection General configuration steps225 226 Antivirus scanningTo scan FortiGate firewall traffic for viruses 227 File blockingBlocking files in firewall traffic Adding file patterns to block 228 Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking Viewing the virus list To view the virus list Go to Anti-Virus Config Virus List229 230 231 Web filtering 232 Content blockingGo to Web Filter Content Block Adding words and phrases to the Banned Word list 233 Clearing the Banned Word listBacking up the Banned Word list Restoring the Banned Word list Example Banned Word List text file 234 235 Configuring FortiGate Web URL blockingURL blocking Adding URLs to the Web URL block list 236 Clearing the Web URL block listDownloading the Web URL block list Uploading a URL block list 237 Configuring FortiGate Web pattern blockingTo upload a URL block list 238 Configuring Cerberian URL filteringInstalling a Cerberian license key Adding a Cerberian user Enabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure Cerberian web filtering 240 Script filteringEnabling script filtering Selecting script filter options Go to Web Filter URL Exempt Exempt URL listAdding URLs to the URL Exempt list 241 Uploading a URL Exempt List Downloading the URL Exempt List242 243 244 245 Email filter Adding words and phrases to the email banned word list Email banned word list246 Uploading the email banned word list Downloading the email banned word list247 248 Email block listAdding address patterns to the email block list Downloading the email block list To upload the email block list Email exempt listUploading an email block list 249 250 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list 251 Logging and reportingRecording logs Recording logs on a remote computer 252 Recording logs on a NetIQ WebTrends server 253 To filter log entries Go to Log&Report Log SettingFiltering log messages Log message levels 254 Configuring traffic logging Enabling traffic logging for a firewall policy Configuring traffic filter settingsEnabling traffic logging Enabling traffic logging for an interface Adding traffic filter entries Destination IP Address Destination Netmask Service256 To add a DNS server Go to System Network DNS Configuring alert emailAdding alert email addresses 257 Enabling alert email Testing alert email258 259 Glossary 260 261 262 263 Index Index 264 DNS 265 Http 266 NAT 267 268 RMA 269 TCP 270 VPN 271 272