Index, 263 | Fortinet 50A specs

FortiGate-50A Installation and Configuration Guide Version 2.50

Index

A

accept policy 141

action

policy option 141 ActiveX 240

removing from web pages 240 address 146

adding 147 editing 148 group 148 IP/MAC binding 165 virtual IP 157

address group 148 example 149 address name 147 addressing mode DHCP 95

PPPoE 96 admin access level

administrator account 124 administrative access

to an interface 97 administrative status

changing for an interface 94 administrator account

adding 123, 124 admin 124

changing password 125 editing 123, 124 netmask 124, 125 permission 125 trusted host 124, 125

alert email configuring 257 configuring SMTP server 258 content of messages 222 critical firewall or VPN events 258 enabling 258

hard disk full 258 intrusion attempts 258 reducing messages 218 testing 258

virus incidents 258

allow inbound encrypt policy 142

allow outbound encrypt policy 142

allow traffic

IP/MAC binding 164 Anti-Virus & Web filter

policy 143

antivirus definition updates manual 63

antivirus definitions

updating 73 antivirus updates 76 configuring 77

through a proxy server 78 attack definition updates

downloading 90 manual 63

attack definitions updating 73, 75

attack detection checksum verification 216 disabling the NIDS 216

enabling and disabling signatures 218 selecting interfaces to monitor 216 viewing the signature list 217

attack log 253

content of messages 222 reducing messages 218

attack prevention

configuring signature threshold values 221 enabling prevention signatures 220 NIDS 220

attack updates configuring 77 scheduling 76

through a proxy server 78 authentication 143, 171

configuring 172 enabling 177 LDAP server 175 RADIUS server 174 timeout 122

auto

device in route 101

FortiGate-50A Installation and Configuration Guide

263

Image 263

Fortinet 50A user manual Index, 263

Contents

February Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents Introduction NAT/Route mode and Transparent modeNAT/Route mode Transparent mode Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents To power on the FortiGate-50A unit Powering onConnecting to the web-based manager Environmental specifications To connect to the web-based manager Connecting to the command line interface CLI Stop bits Flow control To connect to the CLIBits per second Data bits Parity Factory default Dhcp configuration Factory default FortiGate configuration settings Factory default firewall configuration Factory default NAT/Route mode network configurationFactory default Transparent mode network configuration Content Factory default firewall configuration RecurringService Authentication Strict content profile Options Factory default content profilesStrict content profile Web content profile Options Scan content profileWeb content profile Scan content profile Options Unfiltered content profile Options Planning the FortiGate configurationUnfiltered content profile Setup wizard Configuration options CLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Next steps Getting started NAT/Route mode installation Internal servers Preparing to configure NAT/Route modeChanging the default configuration Reconnecting to the web-based manager Using the setup wizardAdvanced NAT/Route mode settings Starting the setup wizard Example Using the command line interfaceConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Internal Connecting the FortiGate unit to your networksFortiGate-50A External Changing antivirus protection Configuring your networksCompleting the configuration Setting the date and time Registering your FortiGate unit Configuring virus and attack definition updates Completing the configuration DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Connecting the FortiGate unit to your networks Go to Firewall Policy Int-Ext Enabling antivirus protectionRegistering your FortiGate Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps Go to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network Management DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status To change the FortiGate host name Go to System Status Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Changing the FortiGate firmware To upgrade the firmware using the CLI Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the web-based manager Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu To test a new firmware image Restoring the previous configurationTesting a new firmware image before installing it Save as Default firmware/Run image without savingD/R To update the attack definitions manually Manual virus definition updatesManual attack definition updates To update the antivirus definitions manually Displaying the FortiGate up time Backing up system settingsRestoring system settings Displaying the FortiGate serial number To change to Transparent mode Go to System Status Restoring system settings to factory defaultsChanging to Transparent mode Shutting down the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Restarting the FortiGate unit To view CPU and memory status Go to System Status Monitor System statusViewing CPU and memory status CPU and memory status monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status To view the session list Go to System Status Session Session list Example session list Protocol Session list Updating antivirus and attack definitions Virus and attack definitions updates and registration To make sure the FortiGate unit can connect to the FDN Connecting to the FortiResponse Distribution NetworkGo to System Update Version Expiry date Last update attempt Last update status Manually initiating antivirus and attack definitions updates To configure update logging Go to Log&Report Log Setting Scheduling updatesConfiguring update logging Enabling scheduled updates Adding an override server To add an override server Go to System Update Enabling scheduled updates through a proxy server Enabling push updates To enable push updates Go to System Update Enabling push updatesPush updates when FortiGate IP addresses change Enabling push updates through a NAT device Example network topology Push updates through a NAT device Example push updates through a NAT device General procedure Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT deviceSchedule Always Service ANY Action Accept Registering FortiGate units Example push update configuration FortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit Changing your contact information or security question Changing your Fortinet support password Downloading virus and attack definition updates Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configuration Viewing the interface list Changing the administrative status of an interfaceConfiguring an interface with a manual IP address To stop an interface that is administratively up Connected Configuring an interface for DhcpConnecting Initializing Adding a secondary IP address to an interface Configuring an interface for PPPoE Adding a ping server to an interface Controlling administrative access to an interface Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode 100 Configuring routingAdding a default route Adding DNS server IP addresses 101 Adding destination-based routes to the routing table 102 Adding routes in Transparent modeConfiguring the routing table 103 Policy routing 104 Configuring Dhcp servicesPolicy routing command syntax Configuring a Dhcp relay agent 105 Configuring a Dhcp serverAdding a Dhcp server to an interface Adding scopes to a Dhcp server IP Pool Adding a reserve IP to a Dhcp server106 Scope Name 107 Configuring the modem interfaceViewing a Dhcp server dynamic IP list 108 Connecting a modem to the FortiGate unitConfiguring modem settings To configure modem settings Go to System Network Modem To connect to a dialup account Go to System Network Modem Connecting to a dialup accountDisconnecting the modem 109 Viewing modem status Backup mode configurationStandalone mode configuration To configure backup mode Go to System Network Modem 111 To operate in standalone mode Go to System Network ModemAdding firewall policies for modem connections 112 113 RIP configurationRIP settings Flush InvalidHolddown 115 Configuring RIP for FortiGate interfaces 116 To add a RIP filter list Go to System RIP Filter Adding RIP filtersAdding a RIP filter list 117 Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter 119 Assigning a RIP filter list to the outgoing filter 120 121 System configurationSetting system date and time To set the date and time Go to System Config Time 122 To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options Changing system options 123 Adding and editing administrator accountsModifying the Dead Gateway Detection settings 124 Adding new administrator accountsEditing administrator accounts To add an administrator account Go to System Config Admin 125 Configuring SnmpTo edit an administrator account Go to System Config Admin Configuring Snmp community settings Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp access to an interface System Location 127System Name 128 FortiGate MIBs 129 FortiGate trapsGeneral FortiGate traps System traps 130 131 System configuration and statusFirewall configuration Users and authentication configuration 132 133 Replacement messagesCustomizing replacement messages 134 Customizing alert emails Nids event 135 Critical event 136 137 Firewall configuration 138 Default firewall configurationAddresses 139 ServicesContent profiles Schedules 140 Adding firewall policies 141 Action Dynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 142 Maximum Bandwidth Traffic Priority AuthenticationAnti-Virus & Web filter 143 144 Configuring policy listsLog Traffic Comments 145 Policy matching in detailChanging the order of policies in a policy list Enabling policies AddressesEnabling and disabling policies Disabling policies To add an address Go to Firewall Address Adding addresses147 148 Editing addressesDeleting addresses Organizing addresses into address groups 149 ServicesPredefined services GRE 150 Ldap 151 152 Adding custom TCP and UDP services 153 Adding custom Icmp servicesAdding custom IP services Grouping services 154 Schedules 155 Creating one-time schedulesCreating recurring schedules 156 Adding schedules to policies To add a schedule to a policy Go to Firewall Policy Virtual IPs157 Virtual IP External Interface examples Description Internal Adding static NAT virtual IPs158 To add a static NAT virtual IP Go to Firewall Virtual IP 159 Adding port forwarding virtual IPs Adding a port forwarding virtual IP 160 To add a policy with a virtual IP Go to Firewall Policy IP poolsAdding policies with virtual IPs 161 162 Adding an IP poolIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT Go to Firewall IP/MAC Binding Static IP/MAC IP/MAC binding163 164 Configuring IP/MAC binding for packets going to the firewall 165 Adding IP/MAC addressesViewing the dynamic IP/MAC list Enabling IP/MAC binding 166 Content profiles 167 Default content profilesAdding content profiles To add a content profile Go to Firewall Content Profile Oversized File/Email Pass Fragmented Email 168 169 Adding content profiles to policiesTo add a content profile to a policy Go to Firewall Policy 170 171 Users and authentication To set authentication timeout Go to System Config Options Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication 173 Deleting user names from the internal database 174 Configuring Radius supportAdding Radius servers Deleting Radius servers To add an Ldap server Go to User Ldap Configuring Ldap supportAdding Ldap servers 175 To delete an Ldap server Go to User Ldap Deleting Ldap servers176 To add a user group Go to User User Group Configuring user groupsAdding user groups 177 To delete a user group Go to User User Group Deleting user groups178 179 IPSec VPN AutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys 181 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel AES192 AutoIKE IPSec VPNs182 AES128 To add a phase 1 configuration Go to VPN Ipsec Phase General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN To create an AutoIKE VPN configuration Remote Gateway Dialup User 184Remote Gateway Static IP Address 185 Configuring advanced optionsTo configure phase 1 advanced options 186 187 Adding a phase 1 configuration Standard options 188 Adding a phase 2 configuration for an AutoIKE VPNTo add a phase 2 configuration Go to VPN Ipsec Phase Use wildcard selectors 189Use selectors from policy 190 Managing digital certificatesObtaining a signed local certificate Generating the certificate request Key Size 191Key Type 192 Downloading the certificate requestImporting the signed local certificate Obtaining CA certificates 193 Configuring encrypt policiesImporting CA certificates To add a source address Go to Firewall Address Adding a source addressAdding a destination address 194 To add an encrypt policy Go to Firewall Policy Adding an encrypt policy195 196 IPSec VPN concentrators 197 VPN concentrator hub general configuration stepsTo create a VPN concentrator configuration Source InternalAll Destination VPN spoke address Action Adding a VPN concentrator198 199 VPN spoke general configuration stepsTo create a VPN spoke configuration Policies 200VPN Tunnel Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing VPN tunnel status 202 Testing a VPN 203 Configuring PptpConfiguring the FortiGate unit as a Pptp gateway Pptp and L2TP VPN To add a source address 204 To add a firewall policy 205To add a source address group To add a destination address To connect to the Pptp VPN Configuring a Windows 98 client for Pptp206 207 Configuring a Windows 2000 client for PptpConfiguring a Windows XP client for Pptp Select Properties Security To configure the VPN connection208 209 Configuring L2TPConfiguring the FortiGate unit as an L2TP gateway To add source addresses 210 211 Configuring a Windows 2000 client for L2TP To connect to the L2TP VPN To disable IPSec212 213 Configuring a Windows XP client for L2TP 214 215 Network Intrusion Detection System NidsDetecting attacks 216 Configuring checksum verificationSelecting the interfaces to monitor Disabling monitoring interfaces 217 Viewing the signature listViewing attack descriptions 218 Disabling Nids attack signaturesAdding user-defined signatures 219 Downloading the user-defined signature list Enabling Nids attack prevention signatures To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention 221 Setting signature threshold values Automatic message reduction Logging attacksLogging attack messages to the attack log Reducing the number of Nids attack log and email messages 223 Manual message reduction 224 225 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning226 227 File blockingBlocking files in firewall traffic Adding file patterns to block 228 Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking 229 To view the virus list Go to Anti-Virus Config Virus ListViewing the virus list 230 231 Web filtering 232 Content blockingGo to Web Filter Content Block Adding words and phrases to the Banned Word list 233 Clearing the Banned Word listBacking up the Banned Word list Restoring the Banned Word list Example Banned Word List text file 234 235 Configuring FortiGate Web URL blockingURL blocking Adding URLs to the Web URL block list 236 Clearing the Web URL block listDownloading the Web URL block list Uploading a URL block list To upload a URL block list Configuring FortiGate Web pattern blocking237 238 Configuring Cerberian URL filteringInstalling a Cerberian license key Adding a Cerberian user Enabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure Cerberian web filtering 240 Script filteringEnabling script filtering Selecting script filter options Go to Web Filter URL Exempt Exempt URL listAdding URLs to the URL Exempt list 241 242 Downloading the URL Exempt ListUploading a URL Exempt List 243 244 245 Email filter 246 Email banned word listAdding words and phrases to the email banned word list 247 Downloading the email banned word listUploading the email banned word list 248 Email block listAdding address patterns to the email block list Downloading the email block list To upload the email block list Email exempt listUploading an email block list 249 250 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list 251 Logging and reportingRecording logs Recording logs on a remote computer 252 Recording logs on a NetIQ WebTrends server 253 To filter log entries Go to Log&Report Log SettingFiltering log messages Log message levels 254 Configuring traffic logging Enabling traffic logging for a firewall policy Configuring traffic filter settingsEnabling traffic logging Enabling traffic logging for an interface 256 Destination IP Address Destination Netmask ServiceAdding traffic filter entries To add a DNS server Go to System Network DNS Configuring alert emailAdding alert email addresses 257 258 Testing alert emailEnabling alert email 259 Glossary 260 261 262 263 Index Index 264 DNS 265 Http 266 NAT 267 268 RMA 269 TCP 270 VPN 271 272