200, VPN Tunnel, Policies | Fortinet 50A manual

IPSec VPN concentrators	IPSec VPN

4Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke.

The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source	The local VPN spoke address.
Destination	The remote VPN spoke address.
Action	ENCRYPT
VPN Tunnel	The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt
	policies.)
Allow inbound	Do not enable.
Allow outbound Select allow outbound
Inbound NAT	Select inbound NAT if required.
Outbound NAT	Select outbound NAT if required.

See “Adding an encrypt policy” on page 195.

5Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes.

The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source	The local VPN spoke address.
Destination	External_All
Action	ENCRYPT
VPN Tunnel	The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt
	policies.)
Allow inbound	Select allow inbound.
Allow outbound Do not enable.
Inbound NAT	Select inbound NAT if required.
Outbound NAT	Select outbound NAT if required.

See “Adding an encrypt policy” on page 195.

6Arrange the policies in the following order:

•outbound encrypt policies

•inbound encrypt policy

•default non-encrypt policy (Internal_All -> External_All)

Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.

200	Fortinet Inc.

Image 200

Fortinet 50A user manual 200, VPN Tunnel, Policies

Contents

Installation and Configuration Guide February Trademarks Regulatory Compliance Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents NAT/Route mode and Transparent mode NAT/Route modeTransparent mode Introduction Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started Package contents Mounting Powering on Connecting to the web-based managerEnvironmental specifications To power on the FortiGate-50A unit Connecting to the command line interface CLI To connect to the web-based manager Stop bits Flow control To connect to the CLIBits per second Data bits Parity Factory default FortiGate configuration settings Factory default Dhcp configuration Factory default firewall configuration Factory default NAT/Route mode network configurationFactory default Transparent mode network configuration Factory default firewall configuration Recurring ServiceAuthentication Content Strict content profile Options Factory default content profilesStrict content profile Scan content profile Web content profileScan content profile Options Web content profile Options Unfiltered content profile Options Planning the FortiGate configurationUnfiltered content profile Configuration options Setup wizard CLI FortiGate model maximum values matrix Next steps Signatures Antivirus file Block patterns Web filter Next steps Getting started NAT/Route mode installation Internal servers Preparing to configure NAT/Route modeChanging the default configuration Using the setup wizard Advanced NAT/Route mode settingsStarting the setup wizard Reconnecting to the web-based manager Using the command line interface Configuring the FortiGate unit to operate in NAT/Route modeConfiguring NAT/Route mode IP addresses Example Internal Connecting the FortiGate unit to your networksFortiGate-50A External Configuring your networks Completing the configurationSetting the date and time Changing antivirus protection Configuring virus and attack definition updates Registering your FortiGate unit Completing the configuration Transparent mode installation Preparing to configure Transparent modeTransparent mode settings Administrator Password DNS Settings Changing to Transparent mode Go to System Status Configuring the Transparent mode management IP address Configure the Transparent mode default gateway Connecting the FortiGate unit to your networks Go to Firewall Policy Int-Ext Enabling antivirus protectionRegistering your FortiGate Transparent mode configuration examples Default routes and static routes General configuration steps Default route to an external network Web-based manager example configuration steps CLI configuration stepsGo to System Network Management Go to System Network Routing DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Firmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware To change the FortiGate host name Go to System Status Upgrading the firmware using the web-based manager Upgrading the firmware using the CLITo upgrade the firmware using the web-based manager To upgrade the firmware using the CLI Reverting to a previous firmware version Execute ping Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu To test a new firmware image Restoring the previous configurationTesting a new firmware image before installing it Save as Default firmware/Run image without savingD/R Manual virus definition updates Manual attack definition updatesTo update the antivirus definitions manually To update the attack definitions manually Backing up system settings Restoring system settingsDisplaying the FortiGate serial number Displaying the FortiGate up time To change to Transparent mode Go to System Status Restoring system settings to factory defaultsChanging to Transparent mode Changing to NAT/Route mode To change to NAT/Route mode Go to System StatusRestarting the FortiGate unit Shutting down the FortiGate unit To view CPU and memory status Go to System Status Monitor System statusViewing CPU and memory status Viewing sessions and network status CPU and memory status monitor Viewing virus and intrusions status Sessions and network status monitor Session list To view the session list Go to System Status Session Protocol Example session list Session list Virus and attack definitions updates and registration Updating antivirus and attack definitions Connecting to the FortiResponse Distribution Network Go to System UpdateVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates Scheduling updates Configuring update loggingEnabling scheduled updates To configure update logging Go to Log&Report Log Setting To add an override server Go to System Update Adding an override server Enabling push updates Enabling scheduled updates through a proxy server Enabling push updates Push updates when FortiGate IP addresses changeEnabling push updates through a NAT device To enable push updates Go to System Update Example push updates through a NAT device Example network topology Push updates through a NAT device General procedure Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT deviceSchedule Always Service ANY Action Accept Example push update configuration Registering FortiGate units FortiCare Service Contracts Registering the FortiGate unit Recovering a lost Fortinet support password Updating registration information Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Downloading virus and attack definition updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Network configuration Configuring interfaces Changing the administrative status of an interface Configuring an interface with a manual IP addressTo stop an interface that is administratively up Viewing the interface list Configuring an interface for Dhcp ConnectingInitializing Connected Configuring an interface for PPPoE Adding a secondary IP address to an interface Controlling administrative access to an interface Adding a ping server to an interface Configuring traffic logging for connections to an interface Changing the MTU size to improve network performance Configuring the management interface in Transparent mode Configuring routing Adding a default routeAdding DNS server IP addresses 100 Adding destination-based routes to the routing table 101 102 Adding routes in Transparent modeConfiguring the routing table Policy routing 103 Configuring Dhcp services Policy routing command syntaxConfiguring a Dhcp relay agent 104 Configuring a Dhcp server Adding a Dhcp server to an interfaceAdding scopes to a Dhcp server 105 Adding a reserve IP to a Dhcp server 106Scope Name IP Pool 107 Configuring the modem interfaceViewing a Dhcp server dynamic IP list Connecting a modem to the FortiGate unit Configuring modem settingsTo configure modem settings Go to System Network Modem 108 Connecting to a dialup account Disconnecting the modem109 To connect to a dialup account Go to System Network Modem Backup mode configuration Standalone mode configurationTo configure backup mode Go to System Network Modem Viewing modem status 111 To operate in standalone mode Go to System Network ModemAdding firewall policies for modem connections 112 113 RIP configurationRIP settings Flush InvalidHolddown Configuring RIP for FortiGate interfaces 115 116 Adding RIP filters Adding a RIP filter list117 To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the outgoing filter 119 120 System configuration Setting system date and timeTo set the date and time Go to System Config Time 121 To set the system idle timeout Go to System Config Options To set the Auth timeout Go to System Config OptionsChanging system options 122 123 Adding and editing administrator accountsModifying the Dead Gateway Detection settings Adding new administrator accounts Editing administrator accountsTo add an administrator account Go to System Config Admin 124 125 Configuring SnmpTo edit an administrator account Go to System Config Admin Configuring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp supportConfiguring Snmp access to an interface Configuring Snmp community settings System Location 127System Name FortiGate MIBs 128 FortiGate traps General FortiGate trapsSystem traps 129 130 System configuration and status Firewall configurationUsers and authentication configuration 131 132 133 Replacement messagesCustomizing replacement messages Customizing alert emails 134 135 Nids event 136 Critical event Firewall configuration 137 138 Default firewall configurationAddresses Services Content profilesSchedules 139 Adding firewall policies 140 Action 141 VPN Tunnel Traffic Shaping142 Dynamic IP Pool Fixed Port Authentication Anti-Virus & Web filter143 Maximum Bandwidth Traffic Priority Configuring policy lists Log TrafficComments 144 145 Policy matching in detailChanging the order of policies in a policy list Addresses Enabling and disabling policiesDisabling policies Enabling policies To add an address Go to Firewall Address Adding addresses147 Editing addresses Deleting addressesOrganizing addresses into address groups 148 149 ServicesPredefined services 150 GRE 151 Ldap Adding custom TCP and UDP services 152 Adding custom Icmp services Adding custom IP servicesGrouping services 153 Schedules 154 155 Creating one-time schedulesCreating recurring schedules Adding schedules to policies 156 To add a schedule to a policy Go to Firewall Policy Virtual IPs157 Adding static NAT virtual IPs 158To add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal Adding port forwarding virtual IPs 159 160 Adding a port forwarding virtual IP IP pools Adding policies with virtual IPs161 To add a policy with a virtual IP Go to Firewall Policy Adding an IP pool IP Pools for firewall policies that use fixed portsIP pools and dynamic NAT 162 Go to Firewall IP/MAC Binding Static IP/MAC IP/MAC binding163 Configuring IP/MAC binding for packets going to the firewall 164 Adding IP/MAC addresses Viewing the dynamic IP/MAC listEnabling IP/MAC binding 165 Content profiles 166 Default content profiles Adding content profilesTo add a content profile Go to Firewall Content Profile 167 168 Oversized File/Email Pass Fragmented Email 169 Adding content profiles to policiesTo add a content profile to a policy Go to Firewall Policy 170 Users and authentication 171 Setting authentication timeout Adding user names and configuring authenticationAdding user names and configuring authentication To set authentication timeout Go to System Config Options Deleting user names from the internal database 173 Configuring Radius support Adding Radius serversDeleting Radius servers 174 Configuring Ldap support Adding Ldap servers175 To add an Ldap server Go to User Ldap To delete an Ldap server Go to User Ldap Deleting Ldap servers176 Configuring user groups Adding user groups177 To add a user group Go to User User Group To delete a user group Go to User User Group Deleting user groups178 IPSec VPN 179 Key management Manual KeysAutoIKE with pre-shared keys AutoIKE with certificates General configuration steps for a manual key VPN Manual key IPSec VPNsAdding a manual key VPN tunnel 181 AutoIKE IPSec VPNs 182AES128 AES192 General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPNTo create an AutoIKE VPN configuration To add a phase 1 configuration Go to VPN Ipsec Phase Remote Gateway Dialup User 184Remote Gateway Static IP Address 185 Configuring advanced optionsTo configure phase 1 advanced options 186 Adding a phase 1 configuration Standard options 187 188 Adding a phase 2 configuration for an AutoIKE VPNTo add a phase 2 configuration Go to VPN Ipsec Phase Use wildcard selectors 189Use selectors from policy Managing digital certificates Obtaining a signed local certificateGenerating the certificate request 190 Key Size 191Key Type Downloading the certificate request Importing the signed local certificateObtaining CA certificates 192 193 Configuring encrypt policiesImporting CA certificates Adding a source address Adding a destination address194 To add a source address Go to Firewall Address To add an encrypt policy Go to Firewall Policy Adding an encrypt policy195 IPSec VPN concentrators 196 197 VPN concentrator hub general configuration stepsTo create a VPN concentrator configuration Source InternalAll Destination VPN spoke address Action Adding a VPN concentrator198 199 VPN spoke general configuration stepsTo create a VPN spoke configuration Policies 200VPN Tunnel Monitoring and Troubleshooting VPNs To view VPN tunnel status Go to VPN Ipsec PhaseViewing VPN tunnel status Viewing dialup VPN connection status Testing a VPN 202 Configuring Pptp Configuring the FortiGate unit as a Pptp gatewayPptp and L2TP VPN 203 204 To add a source address 205 To add a source address groupTo add a destination address To add a firewall policy To connect to the Pptp VPN Configuring a Windows 98 client for Pptp206 207 Configuring a Windows 2000 client for PptpConfiguring a Windows XP client for Pptp Select Properties Security To configure the VPN connection208 209 Configuring L2TPConfiguring the FortiGate unit as an L2TP gateway 210 To add source addresses Configuring a Windows 2000 client for L2TP 211 To connect to the L2TP VPN To disable IPSec212 Configuring a Windows XP client for L2TP 213 214 215 Network Intrusion Detection System NidsDetecting attacks Configuring checksum verification Selecting the interfaces to monitorDisabling monitoring interfaces 216 217 Viewing the signature listViewing attack descriptions 218 Disabling Nids attack signaturesAdding user-defined signatures Downloading the user-defined signature list 219 To enable Nids attack prevention Go to Nids Prevention Preventing attacksEnabling Nids attack prevention Enabling Nids attack prevention signatures Setting signature threshold values 221 Logging attacks Logging attack messages to the attack logReducing the number of Nids attack log and email messages Automatic message reduction Manual message reduction 223 224 225 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning226 File blocking Blocking files in firewall trafficAdding file patterns to block 227 Configuring limits for oversized files and email Blocking oversized files and emailsExempting fragmented email from blocking 228 229 To view the virus list Go to Anti-Virus Config Virus ListViewing the virus list 230 Web filtering 231 Content blocking Go to Web Filter Content BlockAdding words and phrases to the Banned Word list 232 Clearing the Banned Word list Backing up the Banned Word listRestoring the Banned Word list 233 234 Example Banned Word List text file Configuring FortiGate Web URL blocking URL blockingAdding URLs to the Web URL block list 235 Clearing the Web URL block list Downloading the Web URL block listUploading a URL block list 236 To upload a URL block list Configuring FortiGate Web pattern blocking237 Configuring Cerberian URL filtering Installing a Cerberian license keyAdding a Cerberian user 238 Configuring Cerberian web filter About the default group and policyTo configure Cerberian web filtering Enabling Cerberian URL filtering Script filtering Enabling script filteringSelecting script filter options 240 Exempt URL list Adding URLs to the URL Exempt list241 Go to Web Filter URL Exempt 242 Downloading the URL Exempt ListUploading a URL Exempt List 243 244 Email filter 245 246 Email banned word listAdding words and phrases to the email banned word list 247 Downloading the email banned word listUploading the email banned word list Email block list Adding address patterns to the email block listDownloading the email block list 248 Email exempt list Uploading an email block list249 To upload the email block list To add a subject tag Go to Email Filter Config Adding a subject tagAdding address patterns to the email exempt list 250 Logging and reporting Recording logsRecording logs on a remote computer 251 Recording logs on a NetIQ WebTrends server 252 To filter log entries Go to Log&Report Log Setting Filtering log messagesLog message levels 253 Configuring traffic logging 254 Configuring traffic filter settings Enabling traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a firewall policy 256 Destination IP Address Destination Netmask ServiceAdding traffic filter entries Configuring alert email Adding alert email addresses257 To add a DNS server Go to System Network DNS 258 Testing alert emailEnabling alert email Glossary 259 260 261 262 Index 263 264 Index 265 DNS 266 Http 267 NAT 268 269 RMA 270 TCP 271 VPN 272