Manuals / Fortinet / Computer Equipment / Network Card

Fortinet FortiGate-800 manual To connect the cluster, HA network configuration

Models: FortiGate-800

1 336

Download 336 pages 18.65 Kb

Page 77

High availability	Configuring an HA cluster

Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are functioning and the cluster completes negotiation. Cluster negotiation normally takes just a few seconds. During system startup and negotiation all network traffic is dropped.

To connect the cluster

1Connect the cluster units:

•Connect the internal interfaces of each FortiGate unit to a switch or hub connected to your internal network.

•Connect the external interfaces of each FortiGate unit to a switch or hub connected to your external network.

•Optionally connect the DMZ interfaces of each FortiGate unit to a switch or hub connected to your DMZ network.

•Optionally connect ports 1 to 4 of each FortiGate unit to switches or hubs connected to other networks.

•Connect the HA interfaces of the FortiGate units to another switch or hub.

Figure 15: HA network configuration

Internal Network

Internal External

	I N T E R N A L E X T E R N A L	D M Z	HA	1	2	3	4	CONSOLE	USB
Esc	Enter
	P W R
8
Hub or				HA
Hub or
Switch

Hub or

Switch

HA

I N T E R N A L

E X T E R N A L

D M Z

HA

1

2

3

4

CONSOLE

USB

Esc	Enter
	P W R
8

Router

Internal External

Internet

FortiGate-800 Installation and Configuration Guide

77

Image 77

Fortinet FortiGate-800 manual To connect the cluster, HA network configuration

Contents

January 15 Installation and Configuration GuideRegulatory Compliance TrademarksTable of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Flexibility demanded by large enterprises IntroductionAntivirus protection Web content filteringFirewall Email filteringTransparent mode NAT/Route modeVLANs and virtual domains Network intrusion detectionHigh availability VPNWeb-based manager Secure installation, configuration, and managementLogging and reporting Command line interfaceFortinet documentation Document conventionsComments on Fortinet technical documentation Customer service and technical supportCustomer service and technical support Getting started Mounting Package contentsPower requirements Powering onEnvironmental specifications To power on the FortiGate-800 unitTo connect to the web-based manager Connecting to the web-based managerTo connect to the CLI Connecting to the command line interface CLIBits per second 9600 Data bits Parity Stop bits Flow controlFactory default NAT/Route mode network configuration Factory default FortiGate configuration settingsAccount Internal interfaceFactory default Transparent mode network configuration Factory default firewall configuration Strict content profile Factory default content profilesScan content profile Options Scan content profileStrict content profile Options Unfiltered content profile Web content profileWeb content profile Options Unfiltered content profile OptionsExample NAT/Route mode network configuration Planning the FortiGate configurationExample NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connectionsSetup wizard Configuration optionsFront keypad and LCD FortiGate model maximum values matrixSignatures Antivirus file Block patterns Web filter Next stepsPreparing to configure NAT/Route mode NAT/Route mode installationDhcp server Advanced NAT/Route mode settingsAdvanced FortiGate NAT/Route mode settings Starting the setup wizard Using the setup wizardReconnecting to the web-based manager DMZ and user-defined interfacesUsing the command line interface Using the front control buttons and LCDConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addressesSet system interface external mode static ip 204.23.1.5 To connect the FortiGate unit running in NAT/Route mode Connecting the FortiGate unit to your networksTo connect to FortiGate-800 user-defined interfaces FortiGate-800 ExternalExample FortiGate-800 user-defined interface connections Configuring your networksConfiguring the DMZ interface Completing the configurationConfiguring interfaces 1 to Setting the date and timeRegistering your FortiGate unit Configuration example Multiple connections to the InternetConfiguring virus and attack definition updates Internal Configuring ping serversPrimary and backup links to the Internet Using the CLIDestination-based routing examples Go to System Network Routing TableLoad sharing and primary and secondary connections Load sharingRouting table should have routes arranged as shown in Table To add the routes using the CLIPolicy routing examples Routing a service to an external networkDestination DMZAll Schedule Always Service Adding a redundant default policyFirewall policy example Adding more firewall policiesRestricting access to a single Internet connection Configuration example Multiple connections to the Internet Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS SettingsGo to System Status Changing to Transparent mode using the web-based managerOperation mode Transparent Changing to Transparent mode using the CLIEnabling antivirus protection Configuring the Transparent mode management IP addressConfigure the Transparent mode default gateway Connecting the FortiGate unit to your networks FortiGate-800 Transparent mode configuration examplesExample default route to an external network Default routes and static routesDefault route to an external network General configuration stepsCLI configuration steps Web-based manager example configuration stepsExample static route to an external destination Go to System Network ManagementDMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Configuring FortiGate units for HA operation Configuring an HA clusterTo configure a FortiGate unit for HA operation Go to System Config HANone Weighted Round RobinHub Least ConnectionExample Active-Active HA configuration Connecting the clusterTo connect the cluster HA network configurationTo add a new unit to the cluster Managing an HA clusterAdding a new FortiGate unit to a functioning cluster Configuring cluster interface monitoring Monitoring cluster members Viewing the status of cluster membersExample cluster CPU, memory, and hard disk display To set the update frequencyViewing and managing cluster log messages Viewing cluster sessionsManaging individual cluster units Monitoring cluster units for failoverViewing cluster communication sessions To set the host name of each cluster member Changing cluster unit host namesTo manage a cluster unit Keyword Description Synchronizing the cluster configurationUpgrading firmware Replacing a FortiGate unit after failover Advanced HA optionsSelecting a FortiGate unit as a permanent primary unit To select a permanent primary unitTo set the priority of each FortiGate unit in a cluster Configuring weighted-round-robin weightsActive-active HA packet flow Active-Active cluster packet flowNAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System statusChanging the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System StatusUpgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLIExecute ping Reverting to a previous firmware versionReverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot 100 Press any key to enter configuration menu101 Restoring the previous configurationTesting a new firmware image before installing it To test a new firmware image 102103 Installing and using a backup firmware imageInstalling a backup firmware image 104 To install a backup firmware image105 Switching to the backup firmware imageTo switch to the backup firmware image Switching back to the default firmware image Manual virus definition updatesTo switch back to the default firmware image To update the antivirus definitions manuallyTo update the attack definitions manually Manual attack definition updatesDisplaying the FortiGate serial number 107Restoring system settings Backing up system settingsDisplaying the FortiGate up time Displaying log hard disk statusChanging to Transparent mode Restoring system settings to factory defaultsTo change to Transparent mode Go to System Status 109To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unitViewing CPU and memory status System status111 To view CPU and memory status Go to System Status MonitorCPU and memory status monitor Viewing sessions and network status113 Viewing virus and intrusions statusTo view the session list Go to System Status Session Session listProtocol 115116 117 Virus and attack definitions updates and registrationUpdating antivirus and attack definitions Go to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN119 Manually initiating antivirus and attack definitions updatesConfiguring update logging Scheduling updatesEnabling scheduled updates 120121 To add an override server Go to System UpdateAdding an override server 122 Enabling push updatesEnabling scheduled updates through a proxy server Push updates when FortiGate IP addresses change Enabling push updatesTo enable push updates Go to System Update 123124 Enabling push updates through a NAT deviceExample push updates through a NAT device 125 General procedure126 Schedule Always Service ANY Action Accept To configure the FortiGate NAT deviceAdding a firewall policy for the port forwarding virtual IP 127128 Registering FortiGate units129 FortiCare Service Contracts130 Registering the FortiGate unit131 Updating registration information132 Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units 133 Registering a new FortiGate unitAdding or changing a FortiCare Support Contract number 134 Changing your Fortinet support passwordChanging your contact information or security question 135 Downloading virus and attack definitions updates136 Registering a FortiGate unit after an RMA137 Network configurationConfiguring zones Adding zones Configuring interfacesDeleting zones 138Viewing the interface list Changing the administrative status of an interfaceAdding an interface to a zone 139140 Configuring an interface with a manual IP addressConfiguring an interface for Dhcp 141 Configuring an interface for PPPoE142 Adding a secondary IP address to an interfaceAdding a ping server to an interface 143 Controlling administrative access to an interfaceConfiguring the management interface in Transparent mode Configuring traffic logging for connections to an interfaceChanging the MTU size to improve network performance 144145 Vlan overviewRules for Vlan IDs VLANs in NAT/Route modeRules for Vlan IP addresses 146Adding Vlan subinterfaces Virtual domains in Transparent mode147 To add Vlan subinterfaces Go to System Network InterfaceFortiGate unit with two virtual domains 148Virtual domain properties Configuring a virtual domainAdding a virtual domain 149150 Adding Vlan subinterfaces to a virtual domainAdding zones to virtual domains To add a zone to a virtual domain Go to System Network Zone 151Adding addresses for virtual domains Adding firewall policies for virtual domains152 Go to Firewall AddressAdding DNS server IP addresses Configuring routingDeleting virtual domains 153To add a default route Go to System Network Routing Table Adding a default routeAdding destination-based routes to the routing table 154155 Adding routes in Transparent mode156 Configuring the routing tablePolicy routing 157 Configuring Dhcp servicesPolicy routing command syntax Configuring a Dhcp server Configuring a Dhcp relay agentAdding a Dhcp server to an interface Adding scopes to a Dhcp serverTo add a scope to a Dhcp server Go to System Network Dhcp 159Viewing a Dhcp server dynamic IP list Adding a reserve IP to a Dhcp server160 Selected scope161 RIP configurationRIP settings Invalid 162Holddown Flush163 Configuring RIP for FortiGate interfaces164 Example RIP configuration for an internal interfaceAdding a RIP filter list Adding RIP filters165 To add a RIP filter list Go to System RIP Filter166 Assigning a RIP filter list to the neighbors filterAssigning a RIP filter list to the incoming filter 167 Assigning a RIP filter list to the outgoing filter168 Setting system date and time System configurationTo set the date and time Go to System Config Time 169To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 170171 Modifying the Dead Gateway Detection settingsAdding new administrator accounts Adding and editing administrator accountsTo add an administrator account Go to System Config Admin 172Editing administrator accounts Configuring SnmpTo edit an administrator account Go to System Config Admin 173Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settingsSystem Location 175System Name 176 FortiGate MIBsGeneral FortiGate traps FortiGate trapsSystem traps 177Nids traps VPN trapsAntivirus traps Logging trapsFirewall configuration System configuration and statusFortinet MIB fields 179180 181 Replacement messagesLogging and reporting configuration 182 Customizing replacement messagesAlert email message sections Customizing alert emails183 Alert email message sections 184185 Firewall configuration186 Default firewall configurationVlan subinterfaces InterfacesZones 187Default addresses Interface Address Description ServicesAddresses SchedulesAdding firewall policies Content profiles189 To add a firewall policy Go to Firewall Policy190 Firewall policy optionsSource Destination ServiceSchedule ActionTraffic Shaping VPN Tunnel192 Dynamic IP Pool Fixed PortAnti-Virus & Web filter Authentication193 Maximum Bandwidth Traffic Priority194 Log TrafficComments 195 Configuring policy listsPolicy matching in detail Enabling and disabling policies Changing the order of policies in a policy listDisabling policies Enabling policiesAdding addresses Addresses197 To add an address Go to Firewall AddressTo edit an address Go to Firewall Address Editing addresses198 Organizing addresses into address groups Deleting addresses199 To delete an address Go to Firewall Address200 ServicesPredefined services GRE 201Ldap 202203 Adding custom TCP and UDP servicesAdding custom IP services Adding custom Icmp servicesGrouping services 204205 Schedules206 Creating one-time schedules207 Creating recurring schedulesAdding schedules to policies Virtual IPs208 To add a schedule to a policy Go to Firewall Policy209 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal210 Adding port forwarding virtual IPs211 To add a policy with a virtual IP Go to Firewall Policy Adding policies with virtual IPs212 Adding an IP pool IP pools213 To add an IP pool Go to Firewall IP PoolIP Pools for firewall policies that use fixed ports IP/MAC bindingIP pools and dynamic NAT 214Go to Firewall IP/MAC Binding Static IP/MAC 215216 Adding IP/MAC addresses217 Viewing the dynamic IP/MAC listEnabling IP/MAC binding 218 Content profilesAdding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 219Oversized File/Email Pass Fragmented Email 220221 Adding content profiles to policiesTo add a content profile to a policy Go to Firewall Policy 222 223 Users and authenticationAdding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options225 Deleting user names from the internal databaseAdding Radius servers Configuring Radius supportDeleting Radius servers 226Adding Ldap servers Configuring Ldap support227 To add an Ldap server Go to User LdapTo delete an Ldap server Go to User Ldap Deleting Ldap servers228 Adding user groups Configuring user groups229 To add a user group Go to User User GroupTo delete a user group Go to User User Group Deleting user groups230 231 IPSec VPNManual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificatesManual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 233AES128 234AES192 AES256Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNAutoIKE IPSec VPNs 235Remote Gateway Dialup User 236Remote Gateway Static IP Address 237 Configuring advanced optionsTo configure phase 1 advanced options 238 239 Adding a phase 1 configuration Standard options240 Adding a phase 2 configuration for an AutoIKE VPNTo add a phase 2 configuration Go to VPN Ipsec Phase Use wildcard selectors 241Use selectors from policy Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 242Key Size 243Key Type 244 Downloading the certificate requestImporting the signed local certificate Obtaining CA certificates Configuring encrypt policiesImporting CA certificates 245To add a source address Go to Firewall Address Adding a source address246 Adding an encrypt policy Adding a destination address247 To add a destination address Go to Firewall Address248 249 IPSec VPN concentrators250 VPN concentrator hub general configuration stepsTo create a VPN concentrator configuration 251 Adding a VPN concentrator252 VPN spoke general configuration stepsTo create a VPN spoke configuration 253 Redundant IPSec VPNs254 Configuring redundant IPSec VPNsTo configure a redundant IPSec VPN To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status256 Testing a VPN257 Configuring PptpPptp and L2TP VPN 258 Configuring the FortiGate unit as a Pptp gatewayTo add users and user groups To add a source addressTo add a source address group 259To add a destination address To add a firewall policy260 Configuring a Windows 98 client for PptpConfiguring a Windows XP client for Pptp Configuring a Windows 2000 client for Pptp261 To connect to the Pptp VPNSelect Properties Security To configure the VPN connection262 263 Configuring L2TPConfiguring the FortiGate unit as an L2TP gateway To add source addresses 264265 Configuring a Windows 2000 client for L2TPTo connect to the L2TP VPN To disable IPSec266 267 Configuring a Windows XP client for L2TP268 269 Network Intrusion Detection System NidsDetecting attacks Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 270271 Viewing the signature listViewing attack descriptions 272 Disabling Nids attack signaturesAdding user-defined signatures 273 Downloading the user-defined signature listPreventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures275 Setting signature threshold valuesLogging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction277 Manual message reduction278 279 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning280 281 File blockingAdding file patterns to block Blocking files in firewall traffic282 To block files in firewall trafficQuarantining infected files QuarantineQuarantining blocked files 283Sorting the quarantine list Viewing the quarantine list284 To view the quarantine list Go to Anti-Virus QuarantineFiltering the quarantine list Configuring quarantine optionsDeleting files from the quarantine list Downloading quarantined files286 Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking To view the virus list Go to Anti-Virus Config Virus ListViewing the virus list 287288 289 Web filteringGo to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 290291 Clearing the Banned Word list292 Backing up the Banned Word listRestoring the Banned Word list URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 293294 Clearing the Web URL block listUploading a URL block list Downloading the Web URL block list295 To upload a URL block list296 Configuring Cerberian URL filteringConfiguring FortiGate Web pattern blocking Configuring Cerberian web filter Installing a Cerberian license keyAbout the default group and policy Adding a Cerberian user298 To configure Cerberian web filteringEnabling Cerberian URL filtering Enabling script filtering Script filteringSelecting script filter options 299Adding URLs to the URL Exempt list Exempt URL list300 Go to Web Filter URLExemptUploading a URL Exempt List Downloading the URL Exempt List301 Go to Web Filter URL Exempt302 303 Email filter304 Email banned word listAdding words and phrases to the email banned word list 305 Downloading the email banned word listUploading the email banned word list Adding address patterns to the email block list Email block listDownloading the email block list 306Uploading an email block list Email exempt list307 To upload the email block listAdding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 308309 Logging and reportingRecording logs 310 Recording logs on a remote computerRecording logs on a NetIQ WebTrends server 311 Recording logs on the FortiGate hard diskOverwrite Option312 Recording logs in system memoryLog message levels 313 To filter log entries Go to Log&Report Log SettingFiltering log messages 314 Configuring traffic loggingEnabling traffic logging for an interface Enabling traffic loggingEnabling traffic logging for a Vlan subinterface Enabling traffic logging for a firewall policyAdding traffic filter entries Configuring traffic filter settings316 Resolve IPViewing logs saved to memory Destination IP Address Destination Netmask ServiceViewing logs 317Searching logs Viewing and managing logs saved to the hard disk318 KeywordTo view the active or saved logs Go to Log&Report Logging 319Deleting all messages from an active log Downloading a log file to the management computerDeleting a saved log file 320Testing alert email Configuring alert emailAdding alert email addresses 321322 Enabling alert email323 Glossary324 325 326 327 IndexIndex 328Dialup Pptp 329Http 330Ldap 331332 Pptp dialup connection 333334 TCP 335Vlan 336