Manuals / Fortinet / Computer Equipment / Network Card

Fortinet 50A Monitoring and Troubleshooting VPNs, To view VPN tunnel status Go to VPN Ipsec Phase

Models: 50A

1 272

Download 272 pages 24.69 Kb

Page 201

IPSec VPN	Monitoring and Troubleshooting VPNs

Monitoring and Troubleshooting VPNs

•Viewing VPN tunnel status

•Viewing dialup VPN connection status

•Testing a VPN

Viewing VPN tunnel status

You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key

VPN tunnels. For each tunnel, the list shows the status and the tunnel time out.

To view VPN tunnel status

1Go to VPN > IPSEC > Phase 2.

2View the status and timeout for each VPN tunnel.

Status	The status of each tunnel. If Status is Up, the tunnel is active. If Status is
	Down, the tunnel is not active. If Status is Connecting, the tunnel is
	attempting to start a VPN connection with a remote VPN gateway or client.
Timeout	The time before the next key exchange. The time is calculated by
	subtracting the time elapsed since the last key exchange from the keylife.

Figure 27: AutoIKE key tunnel status

Viewing dialup VPN connection status

You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.

To view dialup connection status

1Go to VPN > IPSec > Dialup Monitor.

2View the dialup connection status information for the FortiGate unit:

Remote gateway The IP address of the remote dialup remote gateway on the FortiGate unit.

Lifetime	The amount of time that the dialup VPN connection has been active.
Timeout	The time before the next key exchange. The time is calculated by
	subtracting the time elapsed since the last key exchange from the keylife.

FortiGate-50A Installation and Configuration Guide

201

Image 201

Fortinet 50A user manual Monitoring and Troubleshooting VPNs, To view VPN tunnel status Go to VPN Ipsec Phase

Contents

February Installation and Configuration GuideRegulatory Compliance TrademarksTable of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents NAT/Route mode NAT/Route mode and Transparent modeTransparent mode IntroductionDocument conventions Comments on Fortinet technical documentation Fortinet documentationCustomer service and technical support Getting started Mounting Package contentsConnecting to the web-based manager Powering onEnvironmental specifications To power on the FortiGate-50A unitTo connect to the web-based manager Connecting to the command line interface CLITo connect to the CLI Bits per second Data bits ParityStop bits Flow control Factory default Dhcp configuration Factory default FortiGate configuration settingsFactory default NAT/Route mode network configuration Factory default Transparent mode network configurationFactory default firewall configuration Service Factory default firewall configuration RecurringAuthentication ContentFactory default content profiles Strict content profileStrict content profile Options Web content profile Scan content profileScan content profile Options Web content profile OptionsPlanning the FortiGate configuration Unfiltered content profileUnfiltered content profile Options Setup wizard Configuration optionsCLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next stepsNext steps Getting started NAT/Route mode installation Preparing to configure NAT/Route mode Changing the default configurationInternal servers Advanced NAT/Route mode settings Using the setup wizardStarting the setup wizard Reconnecting to the web-based managerConfiguring the FortiGate unit to operate in NAT/Route mode Using the command line interfaceConfiguring NAT/Route mode IP addresses ExampleConnecting the FortiGate unit to your networks FortiGate-50A ExternalInternal Completing the configuration Configuring your networksSetting the date and time Changing antivirus protectionRegistering your FortiGate unit Configuring virus and attack definition updatesCompleting the configuration Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS SettingsGo to System Status Changing to Transparent modeConfigure the Transparent mode default gateway Configuring the Transparent mode management IP addressConnecting the FortiGate unit to your networks Enabling antivirus protection Registering your FortiGateGo to Firewall Policy Int-Ext Default routes and static routes Transparent mode configuration examplesDefault route to an external network General configuration stepsCLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network RoutingDMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System statusChanging the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System StatusUpgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLIExecute ping Reverting to a previous firmware versionReverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Restoring the previous configuration Testing a new firmware image before installing itTo test a new firmware image Save as Default firmware/Run image without savingD/R Manual attack definition updates Manual virus definition updatesTo update the antivirus definitions manually To update the attack definitions manuallyRestoring system settings Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up timeRestoring system settings to factory defaults Changing to Transparent modeTo change to Transparent mode Go to System Status To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unitSystem status Viewing CPU and memory statusTo view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network statusSessions and network status monitor Viewing virus and intrusions statusTo view the session list Go to System Status Session Session listExample session list ProtocolSession list Updating antivirus and attack definitions Virus and attack definitions updates and registrationGo to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDNManually initiating antivirus and attack definitions updates Configuring update logging Scheduling updatesEnabling scheduled updates To configure update logging Go to Log&Report Log SettingAdding an override server To add an override server Go to System UpdateEnabling scheduled updates through a proxy server Enabling push updatesPush updates when FortiGate IP addresses change Enabling push updatesEnabling push updates through a NAT device To enable push updates Go to System UpdateExample network topology Push updates through a NAT device Example push updates through a NAT deviceGeneral procedure To configure the FortiGate NAT device Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP Registering FortiGate units Example push update configurationFortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unitChanging your contact information or security question Changing your Fortinet support passwordDownloading virus and attack definition updates Downloading virus and attack definitions updatesRegistering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configurationConfiguring an interface with a manual IP address Changing the administrative status of an interfaceTo stop an interface that is administratively up Viewing the interface listConnecting Configuring an interface for DhcpInitializing ConnectedAdding a secondary IP address to an interface Configuring an interface for PPPoEAdding a ping server to an interface Controlling administrative access to an interfaceChanging the MTU size to improve network performance Configuring traffic logging for connections to an interfaceConfiguring the management interface in Transparent mode Adding a default route Configuring routingAdding DNS server IP addresses 100101 Adding destination-based routes to the routing tableAdding routes in Transparent mode Configuring the routing table102 103 Policy routingPolicy routing command syntax Configuring Dhcp servicesConfiguring a Dhcp relay agent 104Adding a Dhcp server to an interface Configuring a Dhcp serverAdding scopes to a Dhcp server 105106 Adding a reserve IP to a Dhcp serverScope Name IP PoolConfiguring the modem interface Viewing a Dhcp server dynamic IP list107 Configuring modem settings Connecting a modem to the FortiGate unitTo configure modem settings Go to System Network Modem 108Disconnecting the modem Connecting to a dialup account109 To connect to a dialup account Go to System Network ModemStandalone mode configuration Backup mode configurationTo configure backup mode Go to System Network Modem Viewing modem statusTo operate in standalone mode Go to System Network Modem Adding firewall policies for modem connections111 112 RIP configuration RIP settings113 Invalid HolddownFlush 115 Configuring RIP for FortiGate interfaces116 Adding a RIP filter list Adding RIP filters117 To add a RIP filter list Go to System RIP FilterAssigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter119 Assigning a RIP filter list to the outgoing filter120 Setting system date and time System configurationTo set the date and time Go to System Config Time 121To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 122Adding and editing administrator accounts Modifying the Dead Gateway Detection settings123 Editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 124Configuring Snmp To edit an administrator account Go to System Config Admin125 Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settings127 System NameSystem Location 128 FortiGate MIBsGeneral FortiGate traps FortiGate trapsSystem traps 129130 Firewall configuration System configuration and statusUsers and authentication configuration 131132 Replacement messages Customizing replacement messages133 134 Customizing alert emailsNids event 135Critical event 136137 Firewall configurationDefault firewall configuration Addresses138 Content profiles ServicesSchedules 139140 Adding firewall policies141 ActionTraffic Shaping VPN Tunnel142 Dynamic IP Pool Fixed PortAnti-Virus & Web filter Authentication143 Maximum Bandwidth Traffic PriorityLog Traffic Configuring policy listsComments 144Policy matching in detail Changing the order of policies in a policy list145 Enabling and disabling policies AddressesDisabling policies Enabling policiesAdding addresses 147To add an address Go to Firewall Address Deleting addresses Editing addressesOrganizing addresses into address groups 148Services Predefined services149 GRE 150Ldap 151152 Adding custom TCP and UDP servicesAdding custom IP services Adding custom Icmp servicesGrouping services 153154 SchedulesCreating one-time schedules Creating recurring schedules155 156 Adding schedules to policiesVirtual IPs 157To add a schedule to a policy Go to Firewall Policy 158 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal159 Adding port forwarding virtual IPsAdding a port forwarding virtual IP 160Adding policies with virtual IPs IP pools161 To add a policy with a virtual IP Go to Firewall PolicyIP Pools for firewall policies that use fixed ports Adding an IP poolIP pools and dynamic NAT 162IP/MAC binding 163Go to Firewall IP/MAC Binding Static IP/MAC 164 Configuring IP/MAC binding for packets going to the firewallViewing the dynamic IP/MAC list Adding IP/MAC addressesEnabling IP/MAC binding 165166 Content profilesAdding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 167Oversized File/Email Pass Fragmented Email 168Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy169 170 171 Users and authenticationAdding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options173 Deleting user names from the internal databaseAdding Radius servers Configuring Radius supportDeleting Radius servers 174Adding Ldap servers Configuring Ldap support175 To add an Ldap server Go to User LdapDeleting Ldap servers 176To delete an Ldap server Go to User Ldap Adding user groups Configuring user groups177 To add a user group Go to User User GroupDeleting user groups 178To delete a user group Go to User User Group 179 IPSec VPNManual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificatesManual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 181182 AutoIKE IPSec VPNsAES128 AES192Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNTo create an AutoIKE VPN configuration To add a phase 1 configuration Go to VPN Ipsec Phase184 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options185 186 187 Adding a phase 1 configuration Standard optionsAdding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase188 189 Use selectors from policyUse wildcard selectors Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 190191 Key TypeKey Size Importing the signed local certificate Downloading the certificate requestObtaining CA certificates 192Configuring encrypt policies Importing CA certificates193 Adding a destination address Adding a source address194 To add a source address Go to Firewall AddressAdding an encrypt policy 195To add an encrypt policy Go to Firewall Policy 196 IPSec VPN concentratorsVPN concentrator hub general configuration steps To create a VPN concentrator configuration197 Adding a VPN concentrator 198Source InternalAll Destination VPN spoke address Action VPN spoke general configuration steps To create a VPN spoke configuration199 200 VPN TunnelPolicies To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status202 Testing a VPNConfiguring the FortiGate unit as a Pptp gateway Configuring PptpPptp and L2TP VPN 203To add a source address 204To add a source address group 205To add a destination address To add a firewall policyConfiguring a Windows 98 client for Pptp 206To connect to the Pptp VPN Configuring a Windows 2000 client for Pptp Configuring a Windows XP client for Pptp207 To configure the VPN connection 208Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway209 To add source addresses 210211 Configuring a Windows 2000 client for L2TPTo disable IPSec 212To connect to the L2TP VPN 213 Configuring a Windows XP client for L2TP214 Network Intrusion Detection System Nids Detecting attacks215 Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 216Viewing the signature list Viewing attack descriptions217 Disabling Nids attack signatures Adding user-defined signatures218 219 Downloading the user-defined signature listPreventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures221 Setting signature threshold valuesLogging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction223 Manual message reduction224 General configuration steps Antivirus protection225 Antivirus scanning 226To scan FortiGate firewall traffic for viruses Blocking files in firewall traffic File blockingAdding file patterns to block 227Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking 228To view the virus list Go to Anti-Virus Config Virus List Viewing the virus list229 230 231 Web filteringGo to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 232Backing up the Banned Word list Clearing the Banned Word listRestoring the Banned Word list 233Example Banned Word List text file 234URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 235Downloading the Web URL block list Clearing the Web URL block listUploading a URL block list 236Configuring FortiGate Web pattern blocking 237To upload a URL block list Installing a Cerberian license key Configuring Cerberian URL filteringAdding a Cerberian user 238About the default group and policy Configuring Cerberian web filterTo configure Cerberian web filtering Enabling Cerberian URL filteringEnabling script filtering Script filteringSelecting script filter options 240Adding URLs to the URL Exempt list Exempt URL list241 Go to Web Filter URL ExemptDownloading the URL Exempt List Uploading a URL Exempt List242 243 244 245 Email filterEmail banned word list Adding words and phrases to the email banned word list246 Downloading the email banned word list Uploading the email banned word list247 Adding address patterns to the email block list Email block listDownloading the email block list 248Uploading an email block list Email exempt list249 To upload the email block listAdding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 250Recording logs Logging and reportingRecording logs on a remote computer 251252 Recording logs on a NetIQ WebTrends serverFiltering log messages To filter log entries Go to Log&Report Log SettingLog message levels 253254 Configuring traffic loggingEnabling traffic logging Configuring traffic filter settingsEnabling traffic logging for an interface Enabling traffic logging for a firewall policyDestination IP Address Destination Netmask Service Adding traffic filter entries256 Adding alert email addresses Configuring alert email257 To add a DNS server Go to System Network DNSTesting alert email Enabling alert email258 259 Glossary260 261 262 263 IndexIndex 264DNS 265Http 266NAT 267268 RMA 269TCP 270VPN 271272