Example static route to an internal destination | Fortinet 50A

Transparent mode installation	Transparent mode configuration examples

Example static route to an internal destination

Figure 9 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. (No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit.)

Figure 9: Static route to an internal destination

Internet

	Gateway IP 192.168.1.2	Upstream	DNS
		Router

DMZ

Management IP 192.168.1.1

FortiGate-50A	A	LINK 100 LINK 100
	PWR	STATUS
		INTERNAL EXTERNAL

Internal Network A

Gateway IP 192.168.1.3

Internal

Router

Internal Network B

Management Computer

172.16.1.11

FortiResponse

Distribution

Network (FDN)

General configuration steps

1Set the unit to operate in Transparent mode.

2Configure the Management IP address and Netmask of the FortiGate unit.

3Configure the static route to the management computer on the internal network.

FortiGate-50A Installation and Configuration Guide

51

Image 51

Fortinet 50A user manual Example static route to an internal destination

Contents

February Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents Introduction NAT/Route mode and Transparent modeNAT/Route mode Transparent mode Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents To power on the FortiGate-50A unit Powering onConnecting to the web-based manager Environmental specifications To connect to the web-based manager Connecting to the command line interface CLI To connect to the CLI Bits per second Data bits ParityStop bits Flow control Factory default Dhcp configuration Factory default FortiGate configuration settings Factory default NAT/Route mode network configuration Factory default Transparent mode network configurationFactory default firewall configuration Content Factory default firewall configuration RecurringService Authentication Factory default content profiles Strict content profileStrict content profile Options Web content profile Options Scan content profileWeb content profile Scan content profile Options Planning the FortiGate configuration Unfiltered content profileUnfiltered content profile Options Setup wizard Configuration options CLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Next steps Getting started NAT/Route mode installation Preparing to configure NAT/Route mode Changing the default configurationInternal servers Reconnecting to the web-based manager Using the setup wizardAdvanced NAT/Route mode settings Starting the setup wizard Example Using the command line interfaceConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Connecting the FortiGate unit to your networks FortiGate-50A ExternalInternal Changing antivirus protection Configuring your networksCompleting the configuration Setting the date and time Registering your FortiGate unit Configuring virus and attack definition updates Completing the configuration DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Connecting the FortiGate unit to your networks Enabling antivirus protection Registering your FortiGateGo to Firewall Policy Int-Ext Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps Go to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network Management DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status To change the FortiGate host name Go to System Status Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Changing the FortiGate firmware To upgrade the firmware using the CLI Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the web-based manager Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Restoring the previous configuration Testing a new firmware image before installing itTo test a new firmware image Save as Default firmware/Run image without savingD/R To update the attack definitions manually Manual virus definition updatesManual attack definition updates To update the antivirus definitions manually Displaying the FortiGate up time Backing up system settingsRestoring system settings Displaying the FortiGate serial number Restoring system settings to factory defaults Changing to Transparent modeTo change to Transparent mode Go to System Status Shutting down the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Restarting the FortiGate unit System status Viewing CPU and memory statusTo view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status To view the session list Go to System Status Session Session list Example session list Protocol Session list Updating antivirus and attack definitions Virus and attack definitions updates and registration To make sure the FortiGate unit can connect to the FDN Connecting to the FortiResponse Distribution NetworkGo to System Update Version Expiry date Last update attempt Last update status Manually initiating antivirus and attack definitions updates To configure update logging Go to Log&Report Log Setting Scheduling updatesConfiguring update logging Enabling scheduled updates Adding an override server To add an override server Go to System Update Enabling scheduled updates through a proxy server Enabling push updates To enable push updates Go to System Update Enabling push updatesPush updates when FortiGate IP addresses change Enabling push updates through a NAT device Example network topology Push updates through a NAT device Example push updates through a NAT device General procedure To configure the FortiGate NAT device Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP Registering FortiGate units Example push update configuration FortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit Changing your contact information or security question Changing your Fortinet support password Downloading virus and attack definition updates Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configuration Viewing the interface list Changing the administrative status of an interfaceConfiguring an interface with a manual IP address To stop an interface that is administratively up Connected Configuring an interface for DhcpConnecting Initializing Adding a secondary IP address to an interface Configuring an interface for PPPoE Adding a ping server to an interface Controlling administrative access to an interface Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode 100 Configuring routingAdding a default route Adding DNS server IP addresses 101 Adding destination-based routes to the routing table Adding routes in Transparent mode Configuring the routing table102 103 Policy routing 104 Configuring Dhcp servicesPolicy routing command syntax Configuring a Dhcp relay agent 105 Configuring a Dhcp serverAdding a Dhcp server to an interface Adding scopes to a Dhcp server IP Pool Adding a reserve IP to a Dhcp server106 Scope Name Configuring the modem interface Viewing a Dhcp server dynamic IP list107 108 Connecting a modem to the FortiGate unitConfiguring modem settings To configure modem settings Go to System Network Modem To connect to a dialup account Go to System Network Modem Connecting to a dialup accountDisconnecting the modem 109 Viewing modem status Backup mode configurationStandalone mode configuration To configure backup mode Go to System Network Modem To operate in standalone mode Go to System Network Modem Adding firewall policies for modem connections111 112 RIP configuration RIP settings113 Invalid HolddownFlush 115 Configuring RIP for FortiGate interfaces 116 To add a RIP filter list Go to System RIP Filter Adding RIP filtersAdding a RIP filter list 117 Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter 119 Assigning a RIP filter list to the outgoing filter 120 121 System configurationSetting system date and time To set the date and time Go to System Config Time 122 To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options Changing system options Adding and editing administrator accounts Modifying the Dead Gateway Detection settings123 124 Adding new administrator accountsEditing administrator accounts To add an administrator account Go to System Config Admin Configuring Snmp To edit an administrator account Go to System Config Admin125 Configuring Snmp community settings Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp access to an interface 127 System NameSystem Location 128 FortiGate MIBs 129 FortiGate trapsGeneral FortiGate traps System traps 130 131 System configuration and statusFirewall configuration Users and authentication configuration 132 Replacement messages Customizing replacement messages133 134 Customizing alert emails Nids event 135 Critical event 136 137 Firewall configuration Default firewall configuration Addresses138 139 ServicesContent profiles Schedules 140 Adding firewall policies 141 Action Dynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 142 Maximum Bandwidth Traffic Priority AuthenticationAnti-Virus & Web filter 143 144 Configuring policy listsLog Traffic Comments Policy matching in detail Changing the order of policies in a policy list145 Enabling policies AddressesEnabling and disabling policies Disabling policies Adding addresses 147To add an address Go to Firewall Address 148 Editing addressesDeleting addresses Organizing addresses into address groups Services Predefined services149 GRE 150 Ldap 151 152 Adding custom TCP and UDP services 153 Adding custom Icmp servicesAdding custom IP services Grouping services 154 Schedules Creating one-time schedules Creating recurring schedules155 156 Adding schedules to policies Virtual IPs 157To add a schedule to a policy Go to Firewall Policy Virtual IP External Interface examples Description Internal Adding static NAT virtual IPs158 To add a static NAT virtual IP Go to Firewall Virtual IP 159 Adding port forwarding virtual IPs Adding a port forwarding virtual IP 160 To add a policy with a virtual IP Go to Firewall Policy IP poolsAdding policies with virtual IPs 161 162 Adding an IP poolIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP/MAC binding 163Go to Firewall IP/MAC Binding Static IP/MAC 164 Configuring IP/MAC binding for packets going to the firewall 165 Adding IP/MAC addressesViewing the dynamic IP/MAC list Enabling IP/MAC binding 166 Content profiles 167 Default content profilesAdding content profiles To add a content profile Go to Firewall Content Profile Oversized File/Email Pass Fragmented Email 168 Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy169 170 171 Users and authentication To set authentication timeout Go to System Config Options Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication 173 Deleting user names from the internal database 174 Configuring Radius supportAdding Radius servers Deleting Radius servers To add an Ldap server Go to User Ldap Configuring Ldap supportAdding Ldap servers 175 Deleting Ldap servers 176To delete an Ldap server Go to User Ldap To add a user group Go to User User Group Configuring user groupsAdding user groups 177 Deleting user groups 178To delete a user group Go to User User Group 179 IPSec VPN AutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys 181 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel AES192 AutoIKE IPSec VPNs182 AES128 To add a phase 1 configuration Go to VPN Ipsec Phase General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN To create an AutoIKE VPN configuration 184 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options185 186 187 Adding a phase 1 configuration Standard options Adding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase188 189 Use selectors from policyUse wildcard selectors 190 Managing digital certificatesObtaining a signed local certificate Generating the certificate request 191 Key TypeKey Size 192 Downloading the certificate requestImporting the signed local certificate Obtaining CA certificates Configuring encrypt policies Importing CA certificates193 To add a source address Go to Firewall Address Adding a source addressAdding a destination address 194 Adding an encrypt policy 195To add an encrypt policy Go to Firewall Policy 196 IPSec VPN concentrators VPN concentrator hub general configuration steps To create a VPN concentrator configuration197 Adding a VPN concentrator 198Source InternalAll Destination VPN spoke address Action VPN spoke general configuration steps To create a VPN spoke configuration199 200 VPN TunnelPolicies Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing VPN tunnel status 202 Testing a VPN 203 Configuring PptpConfiguring the FortiGate unit as a Pptp gateway Pptp and L2TP VPN To add a source address 204 To add a firewall policy 205To add a source address group To add a destination address Configuring a Windows 98 client for Pptp 206To connect to the Pptp VPN Configuring a Windows 2000 client for Pptp Configuring a Windows XP client for Pptp207 To configure the VPN connection 208Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway209 To add source addresses 210 211 Configuring a Windows 2000 client for L2TP To disable IPSec 212To connect to the L2TP VPN 213 Configuring a Windows XP client for L2TP 214 Network Intrusion Detection System Nids Detecting attacks215 216 Configuring checksum verificationSelecting the interfaces to monitor Disabling monitoring interfaces Viewing the signature list Viewing attack descriptions217 Disabling Nids attack signatures Adding user-defined signatures218 219 Downloading the user-defined signature list Enabling Nids attack prevention signatures To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention 221 Setting signature threshold values Automatic message reduction Logging attacksLogging attack messages to the attack log Reducing the number of Nids attack log and email messages 223 Manual message reduction 224 General configuration steps Antivirus protection225 Antivirus scanning 226To scan FortiGate firewall traffic for viruses 227 File blockingBlocking files in firewall traffic Adding file patterns to block 228 Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking To view the virus list Go to Anti-Virus Config Virus List Viewing the virus list229 230 231 Web filtering 232 Content blockingGo to Web Filter Content Block Adding words and phrases to the Banned Word list 233 Clearing the Banned Word listBacking up the Banned Word list Restoring the Banned Word list Example Banned Word List text file 234 235 Configuring FortiGate Web URL blockingURL blocking Adding URLs to the Web URL block list 236 Clearing the Web URL block listDownloading the Web URL block list Uploading a URL block list Configuring FortiGate Web pattern blocking 237To upload a URL block list 238 Configuring Cerberian URL filteringInstalling a Cerberian license key Adding a Cerberian user Enabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure Cerberian web filtering 240 Script filteringEnabling script filtering Selecting script filter options Go to Web Filter URL Exempt Exempt URL listAdding URLs to the URL Exempt list 241 Downloading the URL Exempt List Uploading a URL Exempt List242 243 244 245 Email filter Email banned word list Adding words and phrases to the email banned word list246 Downloading the email banned word list Uploading the email banned word list247 248 Email block listAdding address patterns to the email block list Downloading the email block list To upload the email block list Email exempt listUploading an email block list 249 250 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list 251 Logging and reportingRecording logs Recording logs on a remote computer 252 Recording logs on a NetIQ WebTrends server 253 To filter log entries Go to Log&Report Log SettingFiltering log messages Log message levels 254 Configuring traffic logging Enabling traffic logging for a firewall policy Configuring traffic filter settingsEnabling traffic logging Enabling traffic logging for an interface Destination IP Address Destination Netmask Service Adding traffic filter entries256 To add a DNS server Go to System Network DNS Configuring alert emailAdding alert email addresses 257 Testing alert email Enabling alert email258 259 Glossary 260 261 262 263 Index Index 264 DNS 265 Http 266 NAT 267 268 RMA 269 TCP 270 VPN 271 272