Fortinet FortiGate-800 manual
Transparent mode configuration examples
Models: FortiGate-800
Page 72
Transparent mode configuration examples
Transparent mode installation   72   Fortinet Inc.
Contents
Installation and Configuration Guide
January 15
Trademarks
Regulatory Compliance
Table of Contents
NAT/Route mode installation
High availability
Virus and attack definitions updates and registration 117
Network configuration 137
System configuration 169
Users and authentication 223
IPSec VPN 231
Network Intrusion Detection System (NIDS) 269
Email filter 303
Glossary 323
Index 327
Introduction
Flexibility demanded by large enterprises
Web content filtering
Antivirus protection
Email filtering
Firewall
NAT/Route mode
Transparent mode
VLANs and virtual domains
Network intrusion detection
VPN
High availability
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
Document conventions
Fortinet documentation
Customer service and technical support
Comments on Fortinet technical documentation
Customer service and technical support
Getting started
Package contents
Mounting
Powering on
Power requirements
Environmental specifications
To power on the FortiGate-800 unit
Connecting to the web-based manager
To connect to the web-based manager
Connecting to the command line interface (CLI)
To connect to the CLI
Bits per second 9600; Data bits; Parity; Stop bits; Flow control
Factory default FortiGate configuration settings
Factory default NAT/Route mode network configuration
Account
Internal interface
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Strict content profile
Scan content profile
Strict content profile Options
Scan content profile Options
Web content profile
Unfiltered content profile
Web content profile Options
Unfiltered content profile Options
Planning the FortiGate configuration
Example NAT/Route mode network configuration
NAT/Route mode with multiple external network connections
Example NAT/Route multiple Internet connection configuration
Configuration options
Setup wizard
FortiGate model maximum values matrix
Front keypad and LCD
Next steps
Signatures Antivirus file Block patterns Web filter
NAT/Route mode installation
Preparing to configure NAT/Route mode
Advanced NAT/Route mode settings
Advanced FortiGate NAT/Route mode settings
DHCP server
Using the setup wizard
Starting the setup wizard
Reconnecting to the web-based manager
DMZ and user-defined interfaces
Using the front control buttons and LCD
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Configuring NAT/Route mode IP addresses
set system interface external mode static ip 204.23.1.5
Connecting the FortiGate unit to your networks
To connect the FortiGate unit running in NAT/Route mode
FortiGate-800 External
To connect to FortiGate-800 user-defined interfaces
Configuring your networks
Example FortiGate-800 user-defined interface connections
Completing the configuration
Configuring the DMZ interface
Configuring interfaces 1 to
Setting the date and time
Configuration example: Multiple connections to the Internet
Configuring virus and attack definition updates
Registering your FortiGate unit
Configuring ping servers
Internal
Using the CLI
Primary and backup links to the Internet
Destination-based routing examples
Go to System > Network > Routing Table
Load sharing
Load sharing and primary and secondary connections
To add the routes using the CLI
Routing table should have routes arranged as shown in Table
Routing a service to an external network
Policy routing examples
Adding a redundant default policy
Destination: DMZ_All; Schedule: Always; Service
Firewall policy example
Adding more firewall policies
Restricting access to a single Internet connection
Transparent mode installation
Preparing to configure Transparent mode
Transparent mode settings: Administrator Password
DNS Settings
Changing to Transparent mode using the web-based manager
Go to System > Status
Changing to Transparent mode using the CLI
Operation mode: Transparent
Configuring the Transparent mode management IP address
Configure the Transparent mode default gateway
Enabling antivirus protection
Connecting the FortiGate unit to your networks
Transparent mode configuration examples
FortiGate-800
Default routes and static routes
Example default route to an external network
General configuration steps
Default route to an external network
Web-based manager example configuration steps
CLI configuration steps
Example static route to an external destination
Go to System > Network > Management
DMZ
Example static route to an internal destination
FortiGate-800
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
High availability
Configuring an HA cluster
Configuring FortiGate units for HA operation
To configure a FortiGate unit for HA operation
Go to System > Config > HA
Weighted Round Robin
None
Hub
Least Connection
Connecting the cluster
Example Active-Active HA configuration
HA network configuration
To connect the cluster
Managing an HA cluster
Adding a new FortiGate unit to a functioning cluster
To add a new unit to the cluster
Configuring cluster interface monitoring
Viewing the status of cluster members
Monitoring cluster members
To set the update frequency
Example cluster CPU, memory, and hard disk display
Viewing cluster sessions
Viewing and managing cluster log messages
Monitoring cluster units for failover
Viewing cluster communication sessions
Managing individual cluster units
Changing cluster unit host names
To manage a cluster unit
To set the host name of each cluster member
Synchronizing the cluster configuration
Keyword; Description
Upgrading firmware
Advanced HA options
Replacing a FortiGate unit after failover
Selecting a FortiGate unit as a permanent primary unit
To select a permanent primary unit
Configuring weighted-round-robin weights
To set the priority of each FortiGate unit in a cluster
Active-Active cluster packet flow
Active-active HA packet flow
NAT/Route mode packet flow
Transparent mode packet flow
Active-Active cluster packet flow
System status
Firmware upgrade procedures: Procedure; Description
Changing the FortiGate host name
Changing the FortiGate firmware
To change the FortiGate host name: Go to System > Status
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
To upgrade the firmware using the web-based manager
To upgrade the firmware using the CLI
Reverting to a previous firmware version
execute ping
Reverting to a previous firmware version using the CLI
To revert to a previous firmware version using the CLI
To install firmware from a system reboot
Press any key to enter configuration menu
100
Restoring the previous configuration
Testing a new firmware image before installing it
101
102
To test a new firmware image
Installing and using a backup firmware image
Installing a backup firmware image
103
To install a backup firmware image
104
Switching to the backup firmware image
To switch to the backup firmware image
105
Manual virus definition updates
Switching back to the default firmware image
To switch back to the default firmware image
To update the antivirus definitions manually
Manual attack definition updates
To update the attack definitions manually
Displaying the FortiGate serial number
107
Backing up system settings
Restoring system settings
Displaying the FortiGate up time
Displaying log hard disk status
Restoring system settings to factory defaults
Changing to Transparent mode
To change to Transparent mode: Go to System > Status
109
Changing to NAT/Route mode
To change to NAT/Route mode: Go to System > Status
Restarting the FortiGate unit
Shutting down the FortiGate unit
System status
Viewing CPU and memory status
111
To view CPU and memory status: Go to System > Status > Monitor
Viewing sessions and network status
CPU and memory status monitor
Viewing virus and intrusions status
113
Session list
To view the session list: Go to System > Status > Session
115
Protocol
116
Virus and attack definitions updates and registration
Updating antivirus and attack definitions
117
Connecting to the FortiResponse Distribution Network
Go to System > Update
Version; Expiry date; Last update attempt; Last update status
To make sure the FortiGate unit can connect to the FDN
Manually initiating antivirus and attack definitions updates
119
Scheduling updates
Configuring update logging
Enabling scheduled updates
120
To add an override server: Go to System > Update
Adding an override server
121
Enabling push updates
Enabling scheduled updates through a proxy server
122
Enabling push updates
Push updates when FortiGate IP addresses change
To enable push updates: Go to System > Update
123
Enabling push updates through a NAT device
Example push updates through a NAT device
124
General procedure
125
126
To configure the FortiGate NAT device
Schedule: Always; Service: ANY; Action: Accept
Adding a firewall policy for the port forwarding virtual IP
127
Registering FortiGate units
128
FortiCare Service Contracts
129
Registering the FortiGate unit
130
Updating registration information
131
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
132
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
133
Changing your Fortinet support password
Changing your contact information or security question
134
Downloading virus and attack definitions updates
135
Registering a FortiGate unit after an RMA
136
Network configuration
Configuring zones
137
Configuring interfaces
Adding zones
Deleting zones
138
Changing the administrative status of an interface
Viewing the interface list
Adding an interface to a zone
139
Configuring an interface with a manual IP address
Configuring an interface for DHCP
140
Configuring an interface for PPPoE
141
Adding a secondary IP address to an interface
Adding a ping server to an interface
142
Controlling administrative access to an interface
143
Configuring traffic logging for connections to an interface
Configuring the management interface in Transparent mode
Changing the MTU size to improve network performance
144
VLAN overview
145
VLANs in NAT/Route mode
Rules for VLAN IDs
Rules for VLAN IP addresses
146
Virtual domains in Transparent mode
Adding VLAN subinterfaces
147
To add VLAN subinterfaces: Go to System > Network > Interface
148
FortiGate unit with two virtual domains
Configuring a virtual domain
Virtual domain properties
Adding a virtual domain
149
Adding VLAN subinterfaces to a virtual domain
Adding zones to virtual domains
150
151
To add a zone to a virtual domain: Go to System > Network > Zone
Adding firewall policies for virtual domains
Adding addresses for virtual domains
152
Go to Firewall > Address
Configuring routing
Adding DNS server IP addresses
Deleting virtual domains
153
Adding a default route
To add a default route: Go to System > Network > Routing Table
Adding destination-based routes to the routing table
154
Adding routes in Transparent mode
155
Configuring the routing table
Policy routing
156
Configuring DHCP services
Policy routing command syntax
157
Configuring a DHCP relay agent
Configuring a DHCP server
Adding a DHCP server to an interface
Adding scopes to a DHCP server
159
To add a scope to a DHCP server: Go to System > Network > DHCP
Adding a reserve IP to a DHCP server
Viewing a DHCP server dynamic IP list
160
Selected scope
RIP configuration
RIP settings
161
162
Invalid
Holddown
Flush
Configuring RIP for FortiGate interfaces
163
Example RIP configuration for an internal interface
164
Adding RIP filters
Adding a RIP filter list
165
To add a RIP filter list: Go to System > RIP > Filter
Assigning a RIP filter list to the neighbors filter
Assigning a RIP filter list to the incoming filter
166
Assigning a RIP filter list to the outgoing filter
167
168
System configuration
Setting system date and time
To set the date and time: Go to System > Config > Time
169
To set the system idle timeout: Go to System > Config > Options
To set the Auth timeout: Go to System > Config > Options
Changing system options
170
Modifying the Dead Gateway Detection settings
171
Adding and editing administrator accounts
Adding new administrator accounts
To add an administrator account: Go to System > Config > Admin
172
Configuring SNMP
Editing administrator accounts
To edit an administrator account: Go to System > Config > Admin
173
Configuring the FortiGate unit for SNMP monitoring
Configuring FortiGate SNMP support
Configuring SNMP access to an interface
Configuring SNMP community settings
175
System Name
System Location
FortiGate MIBs
176
FortiGate traps
General FortiGate traps
System traps
177
VPN traps
NIDS traps
Antivirus traps
Logging traps
System configuration and status
Firewall configuration
Fortinet MIB fields
179
180
Replacement messages
Logging and reporting configuration
181
Customizing replacement messages
182
Customizing alert emails
183
Alert email message sections
184
Alert email message sections
Firewall configuration
185
Default firewall configuration
186
Interfaces
VLAN subinterfaces
Zones
187
Services
Default addresses: Interface; Address; Description
Addresses
Schedules
Content profiles
Adding firewall policies
189
To add a firewall policy: Go to Firewall > Policy
Firewall policy options
Source
190
Service
Destination
Schedule
Action
VPN Tunnel
Traffic Shaping
192
Dynamic IP Pool; Fixed Port
Authentication
Anti-Virus & Web filter
193
Maximum Bandwidth; Traffic Priority
Log Traffic
Comments
194
Configuring policy lists
Policy matching in detail
195
Changing the order of policies in a policy list
Enabling and disabling policies
Disabling policies
Enabling policies
Addresses
Adding addresses
197
To add an address: Go to Firewall > Address
Editing addresses
198
To edit an address: Go to Firewall > Address
Deleting addresses
Organizing addresses into address groups
199
To delete an address: Go to Firewall > Address
Services
Predefined services
200
201
GRE
202
LDAP
Adding custom TCP and UDP services
203
Adding custom ICMP services
Adding custom IP services
Grouping services
204
Schedules
205
Creating one-time schedules
206
Creating recurring schedules
207
Virtual IPs
Adding schedules to policies
208
To add a schedule to a policy: Go to Firewall > Policy
Adding static NAT virtual IPs
209
To add a static NAT virtual IP: Go to Firewall > Virtual IP
Virtual IP External Interface examples Description Internal
Adding port forwarding virtual IPs
210
211
Adding policies with virtual IPs
212
To add a policy with a virtual IP: Go to Firewall > Policy
IP pools
Adding an IP pool
213
To add an IP pool: Go to Firewall > IP Pool
IP/MAC binding
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
214
215
Go to Firewall > IP/MAC Binding > Static IP/MAC
Adding IP/MAC addresses
216
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
217
Content profiles
218
Default content profiles
Adding content profiles
To add a content profile: Go to Firewall > Content Profile
219
220
Oversized File/Email: Pass; Fragmented Email
Adding content profiles to policies
To add a content profile to a policy: Go to Firewall > Policy
221
222
Users and authentication
223
Setting authentication timeout
Adding user names and configuring authentication
To set authentication timeout: Go to System > Config > Options
Deleting user names from the internal database
225
Configuring RADIUS support
Adding RADIUS servers
Deleting RADIUS servers
226
Configuring LDAP support
Adding LDAP servers
227
To add an LDAP server: Go to User > LDAP
Deleting LDAP servers
228
To delete an LDAP server: Go to User > LDAP
Configuring user groups
Adding user groups
229
To add a user group: Go to User > User Group
Deleting user groups
230
To delete a user group: Go to User > User Group
IPSec VPN
231
Key management
Manual Keys
AutoIKE with pre-shared keys
AutoIKE with certificates
General configuration steps for a manual key VPN
Manual key IPSec VPNs
Adding a manual key VPN tunnel
233
234
AES128
AES192
AES256
General configuration steps for an AutoIKE VPN
Adding a phase 1 configuration for an AutoIKE VPN
AutoIKE IPSec VPNs
235
236
Remote Gateway Static IP Address
Remote Gateway Dialup User
Configuring advanced options
To configure phase 1 advanced options
237
238
Adding a phase 1 configuration Standard options
239
Adding a phase 2 configuration for an AutoIKE VPN
To add a phase 2 configuration: Go to VPN > IPSec > Phase
240
241
Use selectors from policy
Use wildcard selectors
Managing digital certificates
Obtaining a signed local certificate
Generating the certificate request
242
243
Key Type
Key Size
Downloading the certificate request
Importing the signed local certificate
244
Configuring encrypt policies
Obtaining CA certificates
Importing CA certificates
245
Adding a source address
246
To add a source address: Go to Firewall > Address
Adding a destination address
Adding an encrypt policy
247
To add a destination address: Go to Firewall > Address
248
IPSec VPN concentrators
249
VPN concentrator hub general configuration steps
To create a VPN concentrator configuration
250
Adding a VPN concentrator
251
VPN spoke general configuration steps
To create a VPN spoke configuration
252
Redundant IPSec VPNs
253
Configuring redundant IPSec VPNs
To configure a redundant IPSec VPN
254
Monitoring and Troubleshooting VPNs
To view VPN tunnel status: Go to VPN > IPSec > Phase
Viewing VPN tunnel status
Viewing dialup VPN connection status
Testing a VPN
256
Configuring PPTP
PPTP and L2TP VPN
257
Configuring the FortiGate unit as a PPTP gateway
258
To add users and user groups
To add a source address
259
To add a source address group
To add a destination address
To add a firewall policy
Configuring a Windows 98 client for PPTP
260
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
261
To connect to the PPTP VPN
To configure the VPN connection
262
Select Properties > Security
Configuring L2TP
Configuring the FortiGate unit as an L2TP gateway
263
264
To add source addresses
Configuring a Windows 2000 client for L2TP
265
To disable IPSec
266
To connect to the L2TP VPN
Configuring a Windows XP client for L2TP
267
268
Network Intrusion Detection System (NIDS)
Detecting attacks
269
Configuring checksum verification
Selecting the interfaces to monitor
Disabling monitoring interfaces
270
Viewing the signature list
Viewing attack descriptions
271
Disabling NIDS attack signatures
Adding user-defined signatures
272
Downloading the user-defined signature list
273
To enable NIDS attack prevention: Go to NIDS > Prevention
Preventing attacks
Enabling NIDS attack prevention
Enabling NIDS attack prevention signatures
Setting signature threshold values
275
Logging attacks
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Automatic message reduction
Manual message reduction
277
278
General configuration steps
Antivirus protection
279
Antivirus scanning
280
To scan FortiGate firewall traffic for viruses
File blocking
281
Blocking files in firewall traffic
Adding file patterns to block
282
To block files in firewall traffic
Quarantine
Quarantining infected files
Quarantining blocked files
283
Viewing the quarantine list
Sorting the quarantine list
284
To view the quarantine list: Go to Anti-Virus > Quarantine
Configuring quarantine options
Filtering the quarantine list
Deleting files from the quarantine list
Downloading quarantined files
Configuring limits for oversized files and email
Blocking oversized files and emails
286
To view the virus list: Go to Anti-Virus > Config > Virus List
Exempting fragmented email from blocking
Viewing the virus list
287
288
Web filtering
289
Content blocking
Go to Web Filter > Content Block
Adding words and phrases to the Banned Word list
290
Clearing the Banned Word list
291
Backing up the Banned Word list
Restoring the Banned Word list
292
Configuring FortiGate Web URL blocking
URL blocking
Adding URLs to the Web URL block list
293
Clearing the Web URL block list
294
Downloading the Web URL block list
Uploading a URL block list
295
To upload a URL block list
Configuring Cerberian URL filtering
Configuring FortiGate Web pattern blocking
296
Installing a Cerberian license key
Configuring Cerberian web filter
About the default group and policy
Adding a Cerberian user
To configure Cerberian web filtering
Enabling Cerberian URL filtering
298
Script filtering
Enabling script filtering
Selecting script filter options
299
Exempt URL list
Adding URLs to the URL Exempt list
300
Go to Web Filter > URL Exempt
Downloading the URL Exempt List
Uploading a URL Exempt List
301
Go to Web Filter > URL Exempt
302
Email filter
303
Email banned word list
Adding words and phrases to the email banned word list
304
Downloading the email banned word list
Uploading the email banned word list
305
Email block list
Adding address patterns to the email block list
Downloading the email block list
306
Email exempt list
Uploading an email block list
307
To upload the email block list
To add a subject tag: Go to Email Filter > Config
Adding a subject tag
Adding address patterns to the email exempt list
308
Logging and reporting
Recording logs
309
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
310
Recording logs on the FortiGate hard disk
311
Overwrite
Option
Recording logs in system memory
Log message levels
312
To filter log entries: Go to Log&Report > Log Setting
Filtering log messages
313
Configuring traffic logging
314
Enabling traffic logging
Enabling traffic logging for an interface
Enabling traffic logging for a VLAN subinterface
Enabling traffic logging for a firewall policy
Configuring traffic filter settings
Adding traffic filter entries
316
Resolve IP
Destination IP Address; Destination Netmask; Service
Viewing logs saved to memory
Viewing logs
317
Viewing and managing logs saved to the hard disk
Searching logs
318
Keyword
319
To view the active or saved logs: Go to Log&Report > Logging
Downloading a log file to the management computer
Deleting all messages from an active log
Deleting a saved log file
320
Configuring alert email
Testing alert email
Adding alert email addresses
321
Enabling alert email
322
Glossary
323
324
325
326
Index
327
328
329
Dialup PPTP
330
HTTP
331
LDAP
332
333
PPTP dialup connection
334
335
TCP
336
VLAN