FortiGate-800 manual
336 pages, 4.15 MB
FortiGate 800 Installation and Configuration Guide
[Cover figure: FortiGate-800 front panel; panel labels: Esc, Enter, CONSOLE, INTERNAL, EXTERNAL, DMZ, HA, 1 2 3 4, USB, 8, PWR]
FortiGate User Manual Volume 1
Version 2.50
January 15 2004
Contents
Virus and attack definitions updates and registration ... 117
Network Intrusion Detection System (NIDS) ... 269
Introduction
Antivirus protection
Web content filtering
Email filtering
Firewall
NAT/Route mode
Transparent mode
VLANs and virtual domains
Network intrusion detection
VPN
High availability
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
Document conventions
Fortinet documentation
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Dimensions
Weight
Power requirements
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Factory default content profiles
Strict content profile
Scan content profile
Web content profile
Unfiltered content profile
Planning the FortiGate configuration
NAT/Route mode
NAT/Route mode with multiple external network connections
Transparent mode
Configuration options
Setup wizard
CLI
Front keypad and LCD
FortiGate model maximum values matrix
Next steps
NAT/Route mode installation
Preparing to configure NAT/Route mode
Advanced NAT/Route mode settings
DMZ and user-defined interfaces
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
Using the front control buttons and LCD
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Configuring NAT/Route mode IP addresses
Connecting the FortiGate unit to your networks
Configuring your networks
Completing the configuration
Configuring the DMZ interface
Configuring interfaces 1 to 4
Setting the date and time
Changing antivirus protection
Configuration example: Multiple connections to the Internet
Configuring ping servers
[Figure: External, Port3, ISP1, ISP2, Internet, FortiGate-800]
Using the CLI
Destination-based routing examples
Primary and backup links to the Internet
Using the CLI
Load sharing
Load sharing and primary and secondary connections
Policy routing examples
Routing traffic from internal subnets to different external networks
Routing a service to an external network
Firewall policy example
Adding a redundant default policy
Adding more firewall policies
Transparent mode installation
Preparing to configure Transparent mode
Using the setup wizard
Changing to Transparent mode using the web-based manager
Starting the setup wizard
Reconnecting to the web-based manager
Using the front control buttons and LCD
Using the command line interface
Changing to Transparent mode using the CLI
Configuring the Transparent mode management IP address
Completing the configuration
Setting the date and time
Enabling antivirus protection
Registering your FortiGate unit
Configuring virus and attack definition updates
Connecting the FortiGate unit to your networks
Transparent mode configuration examples
Default routes and static routes
Example default route to an external network
[Figure: Internal Network, DMZ, FortiGate-800, Internet]
Example static route to an external destination
[Figure: Internal Network, DMZ, FortiGate-800, Internet]
Example static route to an internal destination
[Figure: DMZ, FortiGate-800, Internal Network A, Internal Network B, Internet]
High availability
Configuring an HA cluster
Configuring FortiGate units for HA operation
Connecting the cluster
Adding a new FortiGate unit to a functioning cluster
Managing an HA cluster
Configuring cluster interface monitoring
Viewing the status of cluster members
Monitoring cluster members
Viewing cluster sessions
Viewing and managing cluster log messages
Monitoring cluster units for failover
Viewing cluster communication sessions
Managing individual cluster units
Changing cluster unit host names
Synchronizing the cluster configuration
Upgrading firmware
Replacing a FortiGate unit after failover
Advanced HA options
Selecting a FortiGate unit as a permanent primary unit
Configuring the priority of each FortiGate unit in the cluster
Configuring weighted-round-robin weights
Active-Active cluster packet flow
NAT/Route mode packet flow
Configuring switches to work with a NAT/Route mode cluster
Transparent mode packet flow
System status
Changing the FortiGate host name
Changing the FortiGate firmware
Upgrading to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Reverting to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Installing firmware images from a system reboot using the CLI
Restoring the previous configuration
Testing a new firmware image before installing it
Installing and using a backup firmware image
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Manual virus definition updates
Manual attack definition updates
Displaying the FortiGate serial number
Displaying the FortiGate up time
Displaying log hard disk status
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status
Session list
Each line of the session list displays the following information.
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
Connecting to the FortiResponse Distribution Network
Manually initiating antivirus and attack definitions updates
Configuring update logging
Scheduling updates
Enabling scheduled updates
Adding an override server
Enabling scheduled updates through a proxy server
Enabling push updates
Enabling push updates
Push updates when FortiGate IP addresses change
Enabling push updates through a NAT device
Example: push updates through a NAT device
[Figure: Internet, FortiGate-800, Internal Network, FortiGate-300 NAT Device]
Adding a port forwarding virtual IP to the FortiGate NAT device
Adding a firewall policy for the port forwarding virtual IP
Configuring the FortiGate unit with an override push IP and port
Registering FortiGate units
FortiCare Service Contracts
Registering the FortiGate unit
Updating registration information
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates
Registering a FortiGate unit after an RMA
Network configuration
Configuring zones
Adding zones
Deleting zones
Configuring interfaces
Viewing the interface list
Changing the administrative status of an interface
Adding an interface to a zone
Configuring an interface with a manual IP address
Configuring an interface for DHCP
Configuring an interface for PPPoE
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling administrative access to an interface
Changing the MTU size to improve network performance
Configuring traffic logging for connections to an interface
Configuring the management interface in Transparent mode
VLAN overview
VLANs in NAT/Route mode
Rules for VLAN IDs
Rules for VLAN IP addresses
Adding VLAN subinterfaces
Virtual domains in Transparent mode
Virtual domain properties
Configuring a virtual domain
Adding a virtual domain
Adding VLAN subinterfaces to a virtual domain
Adding zones to virtual domains
Adding firewall policies for virtual domains
Adding addresses for virtual domains
Adding firewall policies for virtual domains
Deleting virtual domains
Adding DNS server IP addresses
Configuring routing
Adding a default route
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing
Policy routing command syntax
Configuring DHCP services
Configuring a DHCP relay agent
Configuring a DHCP server
Adding a DHCP server to an interface
Adding scopes to a DHCP server
Adding a reserve IP to a DHCP server
Viewing a DHCP server dynamic IP list
RIP configuration
RIP settings
6. Select Apply to save the changes.
Configuring RIP for FortiGate interfaces
4. Select OK to save the RIP configuration for the selected interface.
Adding RIP filters
Adding a RIP filter list
Assigning a RIP filter list to the neighbors filter
Assigning a RIP filter list to the incoming filter
System configuration
Setting system date and time
Changing system options
Modifying the Dead Gateway Detection settings
Adding and editing administrator accounts
Adding new administrator accounts
Editing administrator accounts
Configuring SNMP
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
Configuring SNMP access to an interface
Configuring SNMP community settings
4. Select Apply.
FortiGate MIBs
FortiGate traps
System traps
General FortiGate traps
Fortinet MIB fields
Firewall configuration
System configuration and status
Logging and reporting configuration
Replacement messages
Customizing replacement messages
Customizing alert emails
Critical event
Firewall configuration
Default firewall configuration
Interfaces
VLAN subinterfaces
Zones
Addresses
Services
Schedules
Content profiles
Adding firewall policies
Destination
Schedule
Service
Action
NAT
VPN Tunnel
Traffic Shaping
Authentication
Anti-Virus & Web filter
Configuring policy lists
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Disabling policies
Enabling policies
Addresses
Adding addresses
Editing addresses
Deleting addresses
Organizing addresses into address groups
Services
Predefined services
Adding custom TCP and UDP services
Adding custom ICMP services
Adding custom IP services
Grouping services
Schedules
Creating one-time schedules
Creating recurring schedules
Adding schedules to policies
Virtual IPs
Adding static NAT virtual IPs
Adding port forwarding virtual IPs
Adding policies with virtual IPs
IP pools
Adding an IP pool
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
IP/MAC binding
Configuring IP/MAC binding for packets going through the firewall
Configuring IP/MAC binding for packets going to the firewall
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
Content profiles
Default content profiles
Adding content profiles
6. Enable the email filter protection options that you want.
7. Enable the fragmented email and oversized file and email options that you want.
8. Select OK.
Adding content profiles to policies
Users and authentication
Setting authentication timeout
Adding user names and configuring authentication
Adding user names and configuring authentication
Deleting user names from the internal database
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
Configuring LDAP support
Adding LDAP servers
Deleting LDAP servers
Configuring user groups
Adding user groups
Deleting user groups
IPSec VPN
Key management
Manual Keys
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
AutoIKE with pre-shared keys
AutoIKE with certificates
Manual key IPSec VPNs
General configuration steps for a manual key VPN
Adding a manual key VPN tunnel
AutoIKE IPSec VPNs
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
Configuring advanced options
4. Optionally, configure NAT Traversal.
6. Select OK to save the phase 1 parameters.
Adding a phase 2 configuration for an AutoIKE VPN
Managing digital certificates
Obtaining a signed local certificate
Generating the certificate request
Downloading the certificate request
Importing the signed local certificate
Backing up and restoring the local certificate and private key
Obtaining CA certificates
Configuring encrypt policies
Adding a source address
Adding a destination address
Adding an encrypt policy
IPSec VPN concentrators
VPN concentrator (hub) general configuration steps
Adding a VPN concentrator
VPN spoke general configuration steps
Redundant IPSec VPNs
Configuring redundant IPSec VPNs
Monitoring and Troubleshooting VPNs
Viewing VPN tunnel status
Viewing dialup VPN connection status
Testing a VPN
PPTP and L2TP VPN
Configuring PPTP
Configuring the FortiGate unit as a PPTP gateway
Configuring a Windows 98 client for PPTP
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
Configuring L2TP
Configuring the FortiGate unit as an L2TP gateway
Configuring a Windows 2000 client for L2TP
Configuring a Windows XP client for L2TP
Network Intrusion Detection System (NIDS)
Detecting attacks
Selecting the interfaces to monitor
Disabling monitoring interfaces
Configuring checksum verification
Viewing the signature list
Viewing attack descriptions
Disabling NIDS attack signatures
Adding user-defined signatures
Downloading the user-defined signature list
Preventing attacks
Enabling NIDS attack prevention
Enabling NIDS attack prevention signatures
Setting signature threshold values
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
Antivirus protection
Antivirus scanning
File blocking
Blocking files in firewall traffic
Adding file patterns to block
Quarantine
Quarantining infected files
Quarantining blocked files
Viewing the quarantine list
Sorting the quarantine list
Filtering the quarantine list
Deleting files from the quarantine list
Downloading quarantined files
Configuring quarantine options
Blocking oversized files and emails
Configuring limits for oversized files and email
Exempting fragmented email from blocking
Viewing the virus list
Web filtering
Content blocking
Adding words and phrases to the Banned Word list
Clearing the Banned Word list
Backing up the Banned Word list
Restoring the Banned Word list
URL blocking
Configuring FortiGate Web URL blocking
Adding URLs to the Web URL block list
Clearing the Web URL block list
Downloading the Web URL block list
Uploading a URL block list
Configuring FortiGate Web pattern blocking
Configuring Cerberian URL filtering
Installing a Cerberian license key
Adding a Cerberian user
Configuring Cerberian web filter
About the default group and policy
Enabling Cerberian URL filtering
Script filtering
Enabling script filtering
Selecting script filter options
Exempt URL list
Adding URLs to the URL Exempt list
Downloading the URL Exempt List
Uploading a URL Exempt List
Email filter
Email banned word list
Adding words and phrases to the email banned word list
Downloading the email banned word list
Uploading the email banned word list
Email block list
Adding address patterns to the email block list
Downloading the email block list
Uploading an email block list
Email exempt list
Adding address patterns to the email exempt list
Adding a subject tag
Logging and reporting
Recording logs
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Recording logs on the FortiGate hard disk
Recording logs in system memory
Log message levels
Filtering log messages
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a VLAN subinterface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Adding traffic filter entries
Viewing logs saved to memory
Viewing logs
Searching logs
Viewing and managing logs saved to the hard disk
Viewing logs
Searching logs
Downloading a log file to the management computer
Deleting all messages from an active log
Deleting a saved log file
Configuring alert email
Adding alert email addresses
Testing alert email
Enabling alert email
Glossary
Index