Fortinet FortiGate-800 manual
Models: FortiGate-800
336 pages
Page 116
Session list
System status
Fortinet Inc.
Contents
Installation and Configuration Guide
January 15
Trademarks
Regulatory Compliance
Table of Contents
NAT/Route mode installation
High availability
Virus and attack definitions updates and registration 117
Network configuration 137
System configuration 169
Users and authentication 223
IPSec VPN 231
Network Intrusion Detection System (NIDS) 269
Email filter 303
Glossary 323
Index 327
Contents
Introduction
Flexibility demanded by large enterprises
Web content filtering
Antivirus protection
Email filtering
Firewall
NAT/Route mode
Transparent mode
VLANs and virtual domains
Network intrusion detection
VPN
High availability
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
Document conventions
Fortinet documentation
Customer service and technical support
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Powering on
Power requirements
Environmental specifications
To power on the FortiGate-800 unit
Connecting to the web-based manager
To connect to the web-based manager
Connecting to the command line interface CLI
To connect to the CLI
Bits per second 9600 Data bits Parity
Stop bits Flow control
Factory default FortiGate configuration settings
Factory default NAT/Route mode network configuration
Account
Internal interface
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Strict content profile
Scan content profile Options
Scan content profile
Strict content profile Options
Web content profile
Unfiltered content profile
Web content profile Options
Unfiltered content profile Options
Planning the FortiGate configuration
Example NAT/Route mode network configuration
NAT/Route mode with multiple external network connections
Example NAT/Route multiple internet connection configuration
Configuration options
Setup wizard
FortiGate model maximum values matrix
Front keypad and LCD
Next steps
Signatures Antivirus file Block patterns Web filter
NAT/Route mode installation
Preparing to configure NAT/Route mode
DHCP server
Advanced NAT/Route mode settings
Advanced FortiGate NAT/Route mode settings
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
DMZ and user-defined interfaces
Using the front control buttons and LCD
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Configuring NAT/Route mode IP addresses
set system interface external mode static ip 204.23.1.5
Connecting the FortiGate unit to your networks
To connect the FortiGate unit running in NAT/Route mode
FortiGate-800 External
To connect to FortiGate-800 user-defined interfaces
Configuring your networks
Example FortiGate-800 user-defined interface connections
Completing the configuration
Configuring the DMZ interface
Configuring interfaces 1 to
Setting the date and time
Registering your FortiGate unit
Configuration example Multiple connections to the Internet
Configuring virus and attack definition updates
Configuring ping servers
Internal
Using the CLI
Primary and backup links to the Internet
Destination-based routing examples
Go to System Network Routing Table
Load sharing
Load sharing and primary and secondary connections
To add the routes using the CLI
Routing table should have routes arranged as shown in Table
Routing a service to an external network
Policy routing examples
Adding a redundant default policy
Destination DMZAll Schedule Always Service
Firewall policy example
Adding more firewall policies
Restricting access to a single Internet connection
Configuration example Multiple connections to the Internet
Transparent mode installation
Preparing to configure Transparent mode
Transparent mode settings Administrator Password
DNS Settings
Changing to Transparent mode using the web-based manager
Go to System Status
Changing to Transparent mode using the CLI
Operation mode Transparent
Enabling antivirus protection
Configuring the Transparent mode management IP address
Configure the Transparent mode default gateway
Connecting the FortiGate unit to your networks
Transparent mode configuration examples
FortiGate-800
Default routes and static routes
Example default route to an external network
General configuration steps
Default route to an external network
Web-based manager example configuration steps
CLI configuration steps
Example static route to an external destination
Go to System Network Management
DMZ
Example static route to an internal destination
FortiGate-800
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
Transparent mode configuration examples
High availability
Configuring an HA cluster
Configuring FortiGate units for HA operation
To configure a FortiGate unit for HA operation
Go to System Config HA
Weighted Round Robin
None
Hub
Least Connection
Connecting the cluster
Example Active-Active HA configuration
HA network configuration
To connect the cluster
To add a new unit to the cluster
Managing an HA cluster
Adding a new FortiGate unit to a functioning cluster
Configuring cluster interface monitoring
Viewing the status of cluster members
Monitoring cluster members
To set the update frequency
Example cluster CPU, memory, and hard disk display
Viewing cluster sessions
Viewing and managing cluster log messages
Managing individual cluster units
Monitoring cluster units for failover
Viewing cluster communication sessions
To set the host name of each cluster member
Changing cluster unit host names
To manage a cluster unit
Synchronizing the cluster configuration
Keyword Description
Upgrading firmware
Advanced HA options
Replacing a FortiGate unit after failover
Selecting a FortiGate unit as a permanent primary unit
To select a permanent primary unit
Configuring weighted-round-robin weights
To set the priority of each FortiGate unit in a cluster
Active-Active cluster packet flow
Active-active HA packet flow
NAT/Route mode packet flow
Transparent mode packet flow
Active-Active cluster packet flow
System status
System status
Firmware upgrade procedures Procedure Description
Changing the FortiGate host name
Changing the FortiGate firmware
To change the FortiGate host name Go to System Status
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
To upgrade the firmware using the web-based manager
To upgrade the firmware using the CLI
Reverting to a previous firmware version
execute ping
Reverting to a previous firmware version using the CLI
To revert to a previous firmware version using the CLI
To install firmware from a system reboot
Press any key to enter configuration menu
Restoring the previous configuration
Testing a new firmware image before installing it
To test a new firmware image
Installing and using a backup firmware image
Installing a backup firmware image
To install a backup firmware image
Switching to the backup firmware image
To switch to the backup firmware image
Manual virus definition updates
Switching back to the default firmware image
To switch back to the default firmware image
To update the antivirus definitions manually
Manual attack definition updates
To update the attack definitions manually
Displaying the FortiGate serial number
Backing up system settings
Restoring system settings
Displaying the FortiGate up time
Displaying log hard disk status
Restoring system settings to factory defaults
Changing to Transparent mode
To change to Transparent mode Go to System Status
Changing to NAT/Route mode
To change to NAT/Route mode Go to System Status
Restarting the FortiGate unit
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
To view CPU and memory status Go to System Status Monitor
Viewing sessions and network status
CPU and memory status monitor
Viewing virus and intrusions status
Session list
To view the session list Go to System Status Session
Protocol
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
Connecting to the FortiResponse Distribution Network
Go to System Update
Version Expiry date Last update attempt Last update status
To make sure the FortiGate unit can connect to the FDN
Manually initiating antivirus and attack definitions updates
Scheduling updates
Configuring update logging
Enabling scheduled updates
To add an override server Go to System Update
Adding an override server
Enabling push updates
Enabling scheduled updates through a proxy server
Enabling push updates
Push updates when FortiGate IP addresses change
To enable push updates Go to System Update
Enabling push updates through a NAT device
Example push updates through a NAT device
General procedure
To configure the FortiGate NAT device
Schedule Always Service ANY Action Accept
Adding a firewall policy for the port forwarding virtual IP
Registering FortiGate units
FortiCare Service Contracts
Registering the FortiGate unit
Updating registration information
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates
Registering a FortiGate unit after an RMA
Network configuration
Configuring zones
Configuring interfaces
Adding zones
Deleting zones
Changing the administrative status of an interface
Viewing the interface list
Adding an interface to a zone
Configuring an interface with a manual IP address
Configuring an interface for DHCP
Configuring an interface for PPPoE
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling administrative access to an interface
Configuring traffic logging for connections to an interface
Configuring the management interface in Transparent mode
Changing the MTU size to improve network performance
VLAN overview
VLANs in NAT/Route mode
Rules for VLAN IDs
Rules for VLAN IP addresses
Virtual domains in Transparent mode
Adding VLAN subinterfaces
To add VLAN subinterfaces Go to System Network Interface
FortiGate unit with two virtual domains
Configuring a virtual domain
Virtual domain properties
Adding a virtual domain
Adding VLAN subinterfaces to a virtual domain
Adding zones to virtual domains
To add a zone to a virtual domain Go to System Network Zone
Adding firewall policies for virtual domains
Adding addresses for virtual domains
Go to Firewall Address
Configuring routing
Adding DNS server IP addresses
Deleting virtual domains
Adding a default route
To add a default route Go to System Network Routing Table
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing
Configuring DHCP services
Policy routing command syntax
Configuring a DHCP relay agent
Configuring a DHCP server
Adding a DHCP server to an interface
Adding scopes to a DHCP server
To add a scope to a DHCP server Go to System Network DHCP
Adding a reserve IP to a DHCP server
Viewing a DHCP server dynamic IP list
Selected scope
RIP configuration
RIP settings
Invalid
Holddown
Flush
Configuring RIP for FortiGate interfaces
Example RIP configuration for an internal interface
Adding RIP filters
Adding a RIP filter list
To add a RIP filter list Go to System RIP Filter
Assigning a RIP filter list to the neighbors filter
Assigning a RIP filter list to the incoming filter
Assigning a RIP filter list to the outgoing filter
System configuration
Setting system date and time
To set the date and time Go to System Config Time
To set the system idle timeout Go to System Config Options
To set the Auth timeout Go to System Config Options
Changing system options
Modifying the Dead Gateway Detection settings
Adding and editing administrator accounts
Adding new administrator accounts
To add an administrator account Go to System Config Admin
Configuring SNMP
Editing administrator accounts
To edit an administrator account Go to System Config Admin
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
Configuring SNMP access to an interface
Configuring SNMP community settings
System Location
System Name
FortiGate MIBs
FortiGate traps
General FortiGate traps
System traps
VPN traps
NIDS traps
Antivirus traps
Logging traps
System configuration and status
Firewall configuration
Fortinet MIB fields
Replacement messages
Logging and reporting configuration
Customizing replacement messages
Alert email message sections
Customizing alert emails
Alert email message sections
Firewall configuration
Default firewall configuration
Interfaces
VLAN subinterfaces
Zones
Services
Default addresses Interface Address Description
Addresses
Schedules
Content profiles
Adding firewall policies
To add a firewall policy Go to Firewall Policy
Firewall policy options
Source
Service
Destination
Schedule
Action
VPN Tunnel
Traffic Shaping
Dynamic IP Pool Fixed Port
Authentication
Anti-Virus & Web filter
Maximum Bandwidth Traffic Priority
Log Traffic
Comments
Configuring policy lists
Policy matching in detail
Changing the order of policies in a policy list
Enabling and disabling policies
Disabling policies
Enabling policies
Addresses
Adding addresses
To add an address Go to Firewall Address
To edit an address Go to Firewall Address
Editing addresses
Deleting addresses
Organizing addresses into address groups
To delete an address Go to Firewall Address
Services
Predefined services
GRE
LDAP
Adding custom TCP and UDP services
Adding custom ICMP services
Adding custom IP services
Grouping services
Schedules
Creating one-time schedules
Creating recurring schedules
Virtual IPs
Adding schedules to policies
To add a schedule to a policy Go to Firewall Policy
Adding static NAT virtual IPs
To add a static NAT virtual IP Go to Firewall Virtual IP
Virtual IP External Interface examples Description Internal
Adding port forwarding virtual IPs
To add a policy with a virtual IP Go to Firewall Policy
Adding policies with virtual IPs
IP pools
Adding an IP pool
To add an IP pool Go to Firewall IP Pool
IP/MAC binding
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
Go to Firewall IP/MAC Binding Static IP/MAC
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
Content profiles
Default content profiles
Adding content profiles
To add a content profile Go to Firewall Content Profile
Oversized File/Email Pass Fragmented Email
Adding content profiles to policies
To add a content profile to a policy Go to Firewall Policy
Users and authentication
Setting authentication timeout
Adding user names and configuring authentication
Adding user names and configuring authentication
To set authentication timeout Go to System Config Options
Deleting user names from the internal database
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
Configuring LDAP support
Adding LDAP servers
To add an LDAP server Go to User LDAP
To delete an LDAP server Go to User LDAP
Deleting LDAP servers
Configuring user groups
Adding user groups
To add a user group Go to User User Group
To delete a user group Go to User User Group
Deleting user groups
IPSec VPN
Key management
Manual Keys
AutoIKE with pre-shared keys
AutoIKE with certificates
General configuration steps for a manual key VPN
Manual key IPSec VPNs
Adding a manual key VPN tunnel
AES128
AES192
AES256
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
AutoIKE IPSec VPNs
Remote Gateway Dialup User
Remote Gateway Static IP Address
Configuring advanced options
To configure phase 1 advanced options
Adding a phase 1 configuration Standard options
Adding a phase 2 configuration for an AutoIKE VPN
To add a phase 2 configuration Go to VPN IPSec Phase
Use wildcard selectors
Use selectors from policy
Managing digital certificates
Obtaining a signed local certificate
Generating the certificate request
Key Size
Key Type
Downloading the certificate request
Importing the signed local certificate
Configuring encrypt policies
Obtaining CA certificates
Importing CA certificates
To add a source address Go to Firewall Address
Adding a source address
Adding a destination address
Adding an encrypt policy
To add a destination address Go to Firewall Address
IPSec VPN concentrators
VPN concentrator hub general configuration steps
To create a VPN concentrator configuration
Adding a VPN concentrator
VPN spoke general configuration steps
To create a VPN spoke configuration
Redundant IPSec VPNs
Configuring redundant IPSec VPNs
To configure a redundant IPSec VPN
Monitoring and Troubleshooting VPNs
To view VPN tunnel status Go to VPN IPSec Phase
Viewing VPN tunnel status
Viewing dialup VPN connection status
Testing a VPN
Configuring PPTP
PPTP and L2TP VPN
Configuring the FortiGate unit as a PPTP gateway
To add users and user groups
To add a source address
To add a source address group
To add a destination address
To add a firewall policy
Configuring a Windows 98 client for PPTP
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
To connect to the PPTP VPN
Select Properties Security
To configure the VPN connection
Configuring L2TP
Configuring the FortiGate unit as an L2TP gateway
To add source addresses
Configuring a Windows 2000 client for L2TP
To connect to the L2TP VPN
To disable IPSec
Configuring a Windows XP client for L2TP
Network Intrusion Detection System (NIDS)
Detecting attacks
Configuring checksum verification
Selecting the interfaces to monitor
Disabling monitoring interfaces
Viewing the signature list
Viewing attack descriptions
Disabling NIDS attack signatures
Adding user-defined signatures
Downloading the user-defined signature list
To enable NIDS attack prevention Go to NIDS Prevention
Preventing attacks
Enabling NIDS attack prevention
Enabling NIDS attack prevention signatures
Setting signature threshold values
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
General configuration steps
Antivirus protection
To scan FortiGate firewall traffic for viruses
Antivirus scanning
File blocking
Blocking files in firewall traffic
Adding file patterns to block
To block files in firewall traffic
Quarantine
Quarantining infected files
Quarantining blocked files
Viewing the quarantine list
Sorting the quarantine list
To view the quarantine list Go to Anti-Virus Quarantine
Configuring quarantine options
Filtering the quarantine list
Deleting files from the quarantine list
Downloading quarantined files
Configuring limits for oversized files and email
Blocking oversized files and emails
To view the virus list Go to Anti-Virus Config Virus List
Exempting fragmented email from blocking
Viewing the virus list
Web filtering
Content blocking
Go to Web Filter Content Block
Adding words and phrases to the Banned Word list
Clearing the Banned Word list
Backing up the Banned Word list
Restoring the Banned Word list
Configuring FortiGate Web URL blocking
URL blocking
Adding URLs to the Web URL block list
Clearing the Web URL block list
Downloading the Web URL block list
Uploading a URL block list
To upload a URL block list
Configuring Cerberian URL filtering
Configuring FortiGate Web pattern blocking
Installing a Cerberian license key
Configuring Cerberian web filter
About the default group and policy
Adding a Cerberian user
To configure Cerberian web filtering
Enabling Cerberian URL filtering
Script filtering
Enabling script filtering
Selecting script filter options
Exempt URL list
Adding URLs to the URL Exempt list
Go to Web Filter URL Exempt
Downloading the URL Exempt List
Uploading a URL Exempt List
Go to Web Filter URL Exempt
Email filter
Email banned word list
Adding words and phrases to the email banned word list
Downloading the email banned word list
Uploading the email banned word list
Email block list
Adding address patterns to the email block list
Downloading the email block list
Email exempt list
Uploading an email block list
To upload the email block list
To add a subject tag Go to Email Filter Config
Adding a subject tag
Adding address patterns to the email exempt list
Logging and reporting
Recording logs
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Recording logs on the FortiGate hard disk
Overwrite
Option
Recording logs in system memory
Log message levels
To filter log entries Go to Log&Report Log Setting
Filtering log messages
Configuring traffic logging
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a VLAN subinterface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Adding traffic filter entries
Resolve IP
Destination IP Address Destination Netmask Service
Viewing logs saved to memory
Viewing logs
Viewing and managing logs saved to the hard disk
Searching logs
Keyword
To view the active or saved logs Go to Log&Report Logging
Downloading a log file to the management computer
Deleting all messages from an active log
Deleting a saved log file
Configuring alert email
Testing alert email
Adding alert email addresses
Enabling alert email
Glossary
Index
Dialup PPTP
HTTP
LDAP
PPTP dialup connection
TCP
VLAN