FortiGate-800 Installation and Configuration Guide, page 239 of 336

IPSec VPN
AutoIKE IPSec VPNs

Figure 56: Adding a phase 1 configuration (Standard options)
Figure 57: Adding a phase 1 configuration (Advanced options)
Contents

January 15
Regulatory Compliance
Trademarks

Table of Contents
Introduction
Getting started
NAT/Route mode installation
Transparent mode installation
High availability
System status
Virus and attack definitions updates and registration 117
Network configuration 137
System configuration 169
Firewall configuration 185
Users and authentication 223
IPSec VPN 231
PPTP and L2TP VPN 257
Network Intrusion Detection System (NIDS) 269
Antivirus protection 279
Web filtering 289
Email filter 303
Logging and reporting 309
Glossary 323
Index 327