FortiGate 100 Installation and Configuration Guide INTERNAL EXTERNAL DMZ POWER STATUS FortiGate User Manual Volume 1 Version 2.
© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-100 Installation and Configuration Guide Version 2.
Contents Table of Contents Introduction .......................................................................................................... 13 Antivirus protection ........................................................................................................... Web content filtering ......................................................................................................... Email filtering ........................................................................................
Contents Planning your FortiGate configuration .............................................................................. NAT/Route mode .......................................................................................................... NAT/Route mode with multiple external network connections...................................... Transparent mode......................................................................................................... Configuration options .......................
Contents Completing the configuration ............................................................................................ Setting the date and time .............................................................................................. Enabling antivirus protection......................................................................................... Registering your FortiGate............................................................................................
Contents Virus and attack definitions updates and registration ..................................... 91 Updating antivirus and attack definitions .......................................................................... 91 Connecting to the FortiResponse Distribution Network ................................................ 92 Configuring scheduled updates .................................................................................... 93 Configuring update logging .....................................
Contents Configuring routing.......................................................................................................... Adding a default route................................................................................................. Adding destination-based routes to the routing table.................................................. Adding routes in Transparent mode............................................................................ Configuring the routing table..............
Contents Configuring policy lists .................................................................................................... Policy matching in detail ............................................................................................. Changing the order of policies in a policy list.............................................................. Enabling and disabling policies................................................................................... Addresses .....................
Contents Configuring LDAP support .............................................................................................. Adding LDAP servers.................................................................................................. Deleting LDAP servers................................................................................................ Configuring user groups.................................................................................................. Adding user groups......
Contents Configuring L2TP ............................................................................................................ Configuring the FortiGate unit as a L2TP gateway ..................................................... Configuring a Windows 2000 client for L2TP.............................................................. Configuring a Windows XP client for L2TP ................................................................. 213 214 217 218 Network Intrusion Detection System (NIDS) .
Contents Exempt URL list .............................................................................................................. 243 Adding URLs to the exempt URL list .......................................................................... 243 Email filter........................................................................................................... 245 General configuration steps ............................................................................................
Contents 12 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Introduction The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
Introduction For extra protection, you also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient.
Introduction NAT/Route mode You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists. Firewall The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.
Transparent mode Introduction Transparent mode Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.
Introduction Web-based manager • PPTP for easy connectivity with the VPN standard supported by the most popular operating systems. • L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems. • Firewall policy based control of IPSec VPN traffic. • IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
Command line interface Introduction Figure 1: The FortiGate web-based manager and setup wizard Command line interface You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-based manager.
Introduction Logging and reporting Logging and reporting The FortiGate supports logging of various categories of traffic and of configuration changes.
Firewall Introduction DHCP server • Addition of a WINS server to DHCP configuration. • Reserve IP/MAC pair combinations for DHCP servers (CLI only). RIP • New RIP v1 and v2 functionality. See “RIP configuration” on page 121. SNMP • SNMP v1 and v2 support.
Introduction NIDS NIDS See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include: • Attack detection signature groups • User-configuration attack prevention • Monitor multiple interfaces for attacks • User-defined attack detection signatures Antivirus See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality.
Logging and Reporting Introduction About this document This installation and configuration guide describes how to install and configure the FortiGate-100. This document contains the following information: 22 • Getting started describes unpacking, mounting, and powering on the FortiGate. • NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
Introduction Logging and Reporting Document conventions This guide uses the following conventions to describe CLI command syntax. • angle brackets < > to indicate variable keywords For example: execute restore config You enter restore config myfile.bak indicates an ASCII string variable keyword. indicates an integer variable keyword. indicates an IP address variable keyword.
Comments on Fortinet technical documentation Introduction Fortinet documentation Information about FortiGate products is available from the following FortiGate User Manual volumes: • Volume 1: FortiGate Installation and Configuration Guide Describes installation and basic configuration for the FortiGate unit.
Introduction Comments on Fortinet technical documentation Customer service and technical support For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Comments on Fortinet technical documentation Introduction 26 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Getting started This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 43.
Getting started Package contents The FortiGate-100 package contains the following items: • FortiGate-100 Antivirus Firewall • one orange crossover ethernet cable • one gray regular ethernet cable • one null modem cable • FortiGate-100 Quick Start Guide • CD containing the FortiGate user documentation • one power cable and AC adapter Figure 2: FortiGate-100 package contents Front Ethernet Cables: Orange - Crossover Grey - Straight-through INTERNAL EXTERNAL DMZ POWER STATUS Null-Modem Cabl
Getting started Environmental specifications • Operating temperature: 32 to 104°F (0 to 40°C) • Storage temperature: -13 to 158°F (-25 to 70°C) • Humidity: 5 to 95% non-condensing Powering on To power on the FortiGate-100 unit: 1 Connect the AC adapter to the power connection at the back of the FortiGate-100 unit. 2 Connect the AC adapter to the power cable. 3 Connect the power cable to a power outlet. The FortiGate-100 unit starts up. The Power and Status lights light.
Getting started Connecting to the web-based manager Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. To connect to the web-based manager, you need: • • • a computer with an ethernet connection, Internet Explorer version 4.0 or higher, a crossover cable or an ethernet hub and two ethernet cables.
Getting started Connecting to the command line interface (CLI) As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service.
Factory default NAT/Route mode network configuration Getting started If you are planning on operating the FortiGate unit in Transparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode. Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
Getting started Factory default Transparent mode network configuration Factory default Transparent mode network configuration If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3. Table 3: Factory default Transparent mode network configuration Administrator account Management IP DNS Management access User name: admin Password: (none) IP: 10.10.10.1 Netmask: 255.255.255.0 Primary DNS Server: 207.194.200.1 Secondary DNS Server: 207.
Factory default content profiles Getting started Table 4: Factory default firewall configuration (Continued) Traffic Shaping Authentication Antivirus & Web Filter Log Traffic Traffic shaping is not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy. Authentication is not selected.
Getting started Factory default content profiles Strict content profile Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Factory default content profiles Getting started Web content profile Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Getting started NAT/Route mode Planning your FortiGate configuration Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces. Your configuration plan is dependent upon the operating mode that you select.
NAT/Route mode with multiple external network connections Getting started NAT/Route mode with multiple external network connections In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration: • External is the default interface to the external network (usually the Internet). • DMZ is the redundant interface to the external network.
Getting started Configuration options You can connect up to three network segments to the FortiGate unit to control traffic between these network segments. • External can connect to the external firewall or router. • Internal can connect to the internal network. • DMZ can connect to another network segment. Configuration options Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit.
Configuration options Getting started FortiGate model maximum values matrix Table 9: FortiGate maximum values matrix FortiGate model 500 1000 2000 3000 3600 Policy 200 50 500 1000 2000 5000 5000 20000 50000 50000 50000 50000 Address 500 500 500 500 3000 3000 6000 10000 10000 10000 10000 Address group 500 500 500 500 500 500 500 500 500 500 500 Service 500 500 500 500 500 500 500 500 500 500 500 Service group 500 500 500 500 500 500 500 500 500
Getting started Configuration options Next steps Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 43. • If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 57.
Configuration options 42 Getting started Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 NAT/Route mode installation This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on page 57.
Advanced NAT/Route mode settings NAT/Route mode installation Advanced NAT/Route mode settings Use Table 11 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings. Table 11: Advanced FortiGate NAT/Route mode settings DHCP: External interface PPPoE: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
NAT/Route mode installation Starting the setup wizard Using the setup wizard From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 30. Starting the setup wizard 1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager). 2 Use the information that you gathered in Table 10 on page 43 to fill in the wizard fields.
Configuring the FortiGate unit to operate in NAT/Route mode 3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 10 on page 43. To set the manual IP address and netmask, enter: set system interface external mode static ip Example set system interface external mode static ip 204.23.1.5 255.255.255.
NAT/Route mode installation Configuring the FortiGate unit to operate in NAT/Route mode Connecting the FortiGate unit to your networks When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
Configuring the DMZ interface NAT/Route mode installation Configuring your networks If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface.
NAT/Route mode installation Enabling antivirus protection Enabling antivirus protection To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet: 1 Go to Firewall > Policy > Int->Ext. 2 Select Edit 3 Select Anti-Virus & Web filter to enable antivirus protection for this policy. 4 Select the Scan Content Profile. 5 Select OK to save your changes. to edit this policy.
Configuring virus and attack definition updates NAT/Route mode installation This section provides some examples of routing and firewall configurations to configure the FortiGate unit for multiple internet connections. To use the information in this section you should be familiar with FortiGate routing (see “Configuring routing” on page 115) and FortiGate firewall configuration (see “Firewall configuration” on page 141).
NAT/Route mode installation Configuring Ping servers Configuring Ping servers Use the following procedure to make Gateway 1 the ping server for the external interface and Gateway 2 the ping server for the DMZ interface. 1 Go to System > Network > Interface. 2 For the external interface, select Modify 3 • Ping Server: 1.1.1.1 • Select Enable Ping Server • Select OK For the DMZ interface, select Modify • Ping Server: 2.2.2.1 • Select Enable Ping Server • Select OK . .
Destination based routing examples NAT/Route mode installation Using the CLI 1 Add the route to the routing table. set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz Table 13: Route for primary and backup links Destination IP‘ Mask Gateway #1 Device #1 Gateway #2 Device #2 0.0.0.0 1.1.1.1 external 2.2.2.1 dmz 0.0.0.0 Load sharing You can also configure destination routing to direct traffic through both gateways at the same time.
NAT/Route mode installation 3 4 5 Destination based routing examples Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.1.1.1 • Gateway #2: 2.2.2.1 • Device #1: external • Device #2: dmz Select New to add a route for connections to the network of ISP2. • Destination IP: 200.200.200.0 • Mask: 255.255.255.0 • Gateway #1: 2.2.2.1 • Gateway #2: 1.1.1.
Policy routing examples NAT/Route mode installation Policy routing examples Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to increase the control provided by destination-based routing.
NAT/Route mode installation Firewall policy example Firewall policy example Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.
Firewall policy example NAT/Route mode installation Restricting access to a single Internet connection In some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 8 on page 50 the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1. To do this, you add a single Int->Ext firewall policy for SMTP connections.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Transparent mode installation This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 43.
Changing to Transparent mode Transparent mode installation Using the setup wizard From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 30. Changing to Transparent mode The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager: 1 Go to System > Status.
Transparent mode installation Changing to Transparent mode Using the command line interface As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 31. Use the information that you gathered in Table 16 on page 57 to complete the following procedures. Changing to Transparent mode 1 Log into the CLI if you are not already logged in. 2 Switch to Transparent mode.
Configure the Transparent mode default gateway Transparent mode installation Connecting the FortiGate unit to your networks When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. You can also connect a network to the DMZ interface.
Transparent mode installation Setting the date and time A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic. Completing the configuration Use the information in this section to complete the initial configuration of the FortiGate unit.
Default routes and static routes Transparent mode installation The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see “Updating antivirus and attack definitions” on page 91.
Transparent mode installation Example default route to an external network Note: When adding routes to the FortiGate unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route. Example default route to an external network Figure 10 shows a FortiGate unit where all destinations, including the management computer, are located on the external network.
Example static route to an external destination 3 Transparent mode installation Configure the default route to the external network. Web-based manager example configuration steps To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mode list. • Select OK. The FortiGate unit changes to Transparent mode. 2 Go to System > Network > Management.
Transparent mode installation Example static route to an external destination Note: This is an example configuration only. To configure a static route, you require a destination IP address. Figure 11: Static route to an external destination General configuration steps 1 Set the FortiGate unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 Configure the static route to the FortiResponse server.
Example static route to an external destination Transparent mode installation Web-based manager example configuration steps To configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mode list. • Select OK. The FortiGate unit changes to Transparent mode. 2 Go to System > Network > Management. • Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.
Transparent mode installation Example static route to an internal destination Example static route to an internal destination Figure 12 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it.
Example static route to an internal destination Transparent mode installation Web-based manager example configuration steps To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mode list. • Select OK. The FortiGate unit changes to Transparent mode. 2 Go to System > Network > Management. • Change the Management IP and Netmask: IP: 192.168.1.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 System status You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
System status Changing the FortiGate host name The FortiGate host name appears on the System > Status page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see “Configuring SNMP” on page 134). The default host name is FortiGate-100. To change the FortiGate host name: 1 Go to System > Status. 2 Select Edit Host Name 3 Enter a new host name. 4 Select OK. . The new host name appears on the System Status page and is added to the SNMP System Name.
System status Upgrade to a new firmware version Upgrade to a new firmware version Use the following procedures to upgrade your FortiGate to a newer firmware version. Upgrading the firmware using the web-based manager Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
Revert to a previous firmware version 5 System status Enter the following command to copy the firmware image from the TFTP server to the FortiGate: execute restore image Where is the name of the firmware image file on the TFTP server and is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.
System status Revert to a previous firmware version Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date. 1 Copy the firmware image file to your management computer.
Revert to a previous firmware version System status Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date.
System status Install a firmware image from a system reboot using the CLI 12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information. get system objver Install a firmware image from a system reboot using the CLI This procedure installs a specified firmware image and resets the FortiGate unit to default settings.
Install a firmware image from a system reboot using the CLI 6 System status Enter the following command to restart the FortiGate unit: execute reboot As the FortiGate units starts, a series of system startup messages are displayed. When one of the following messages appears: • FortiGate unit running v2.x BIOS Press Any Key To Download Boot Image. ... • FortiGate unit running v3.x BIOS Press any key to enter configuration menu..... ...... 7 Immediately press any key to interrupt the system startup.
System status Test a new firmware image before installing it 11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear. • FortiGate unit running v2.x BIOS Do You Want To Save The Image? [Y/n] Type Y. • FortiGate unit running v3.x BIOS Save as Default firmware/Run image without saving:[D/R] Save as Default firmware/Backup firmware/Run image without saving:[D/B/R] Type D.
Test a new firmware image before installing it System status To test a new firmware image: 1 Connect to the CLI using a null modem cable and FortiGate console port. 2 Make sure the TFTP server is running. 3 Copy the new firmware image file to the root directory of the TFTP server. 4 Make sure that the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server.
System status Installing and using a backup firmware image Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface. The following message appears: Enter File Name [image.out]: 11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
Installing and using a backup firmware image 4 System status To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168: execute ping 192.168.1.168 5 Enter the following command to restart the FortiGate unit: execute reboot As the FortiGate units starts, a series of system startup messages are displayed.
System status Installing and using a backup firmware image Switching to the backup firmware image Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previous installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image.
Installing and using a backup firmware image System status Switching back to the default firmware image Use this procedure to switch your FortiGate unit to operating with the backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image, the configuration saved with this firmware image is restored. 1 Connect to the CLI using the null modem cable and FortiGate console port.
System status Installing and using a backup firmware image 5 Select OK to copy the antivirus definitions update file to the FortiGate unit. The FortiGate unit updates the antivirus definitions. This takes about 1 minute. 6 Go to System > Status to confirm that the Antivirus Definitions Version information has been updated.
Installing and using a backup firmware image 2 Select System Settings Backup. 3 Select Backup System Settings. 4 Type a name and location for the file. The system settings file is backed up to the management computer. 5 Select Return to go back to the Status page. System status Restoring system settings You can restore system settings by uploading a previously downloaded system settings text file: 1 Go to System > Status. 2 Select System Settings Restore.
System status Installing and using a backup firmware image Changing to Transparent mode Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode its configuration resets to Transparent mode factory defaults. 1 Go to System > Status. 2 Select Change to Transparent Mode. 3 Select Transparent in the operation mode list. 4 Select OK. The FortiGate unit changes operation mode.
Viewing CPU and memory status System status Shutting down the FortiGate unit 1 Go to System > Status. 2 Select Shutdown. The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then on. System status You can use the system status monitor to display FortiGate system health information.
System status Viewing sessions and network status Figure 1: CPU and memory status monitor CPU and memory intensive processes such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets will increase CPU and memory usage. 1 Go to System > Status > Monitor. CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the last minute.
Viewing virus and intrusions status 2 System status Select Sessions & Network. Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph.
System status Viewing virus and intrusions status Figure 3: Sessions and network status monitor 3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph. 4 Select Refresh to manually update the information displayed.
Viewing virus and intrusions status System status To IP The destination IP address of the connection. To Port The destination port of the connection. Expire The time, in seconds, before the connection expires. Clear Stop an active communication session. Figure 4: Example session list 90 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Virus and attack definitions updates and registration You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine.
Connecting to the FortiResponse Distribution Network Virus and attack definitions updates and registration The System > Update page web-based manager displays the following antivirus and attack definition update information: Version Displays the current antivirus engine, virus definition, and attack definition version numbers. Expiry date Displays the expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Virus and attack definitions updates and registration Configuring scheduled updates To make sure the FortiGate unit can connect to the FDN: 1 Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area. 2 Go to System > Update. 3 Select Refresh. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Configuring update logging 4 Virus and attack definitions updates and registration Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever a scheduled update is run, the event is recorded in the FortiGate event log.
Virus and attack definitions updates and registration Adding an override server Adding an override server If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server. 1 Go to System > Update. 2 Select Use override server address and add the IP address of a FortiResponse server. 3 Select Apply.
Push updates through a NAT device Virus and attack definitions updates and registration To enable push updates 1 Go to System > Update. 2 Select Allow Push Update. 3 Select Apply. About push updates When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN.
Virus and attack definitions updates and registration Push updates through a NAT device Example: push updates through a NAT device This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP.
Push updates through a NAT device Virus and attack definitions updates and registration General procedure Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates: 1 Add a port forwarding virtual IP to the FortiGate NAT device. 2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
Virus and attack definitions updates and registration Push updates through a NAT device Figure 3: Push update port forwarding virtual IP Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT device: 1 Add a new external to internal firewall policy. 2 Configure the policy with the following settings: 3 Source External_All Destination The virtual IP added above. Schedule Always Service ANY Action Accept NAT Selected. Select OK.
Scheduled updates through a proxy server Virus and attack definitions updates and registration 5 Set Port to the External Service Port added to the virtual IP. For the example topology, enter 45001. 6 Select Apply. The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP address and port for push updates to the FortiGate unit on the internal network.
Virus and attack definitions updates and registration FortiCare Service Contracts There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Push updates are not supported if the FortiGate must connect to the Internet through a proxy server.
Registering the FortiGate unit Virus and attack definitions updates and registration To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In this case, when you do purchase a FortiCare Support Contract you can update the registration information to add the support contract number.
Virus and attack definitions updates and registration Registering the FortiGate unit Figure 5: Registering a FortiGate unit (contact information and security question) 3 Provide a security question and an answer to the security question. 4 Select the model number of the Product Model to register. 5 Enter the Serial Number of the FortiGate unit. 6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Recovering a lost Fortinet support password Virus and attack definitions updates and registration Updating registration information You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information.
Virus and attack definitions updates and registration Registering a new FortiGate unit Figure 7: Sample list of registered FortiGate units Registering a new FortiGate unit 1 Go to System > Update > Support and select Support Login. 2 Enter your Fortinet support user name and password. 3 Select Login. 4 Select Add Registration. 5 Select the model number of the Product Model to register. 6 Enter the Serial Number of the FortiGate unit.
Changing your Fortinet support password 7 Virus and attack definitions updates and registration Select Finish. The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information. Changing your Fortinet support password 1 Go to System > Update > Support and select Support Login. 2 Enter your Fortinet support user name and password. 3 Select Login. 4 Select My Profile. 5 Select Change Password. 6 Enter your current password.
Virus and attack definitions updates and registration Downloading virus and attack definitions updates Figure 8: Downloading virus and attack definition updates For information about how to install the downloaded files, see “Manual virus definition updates” on page 82 and “Manual attack definition updates” on page 83.
Downloading virus and attack definitions updates 108 Virus and attack definitions updates and registration Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.
Viewing the interface list Network configuration Viewing the interface list Use the following procedure to view the interface list. 1 Go to System > Interface. The interface list is displayed.
Network configuration Adding a ping server to an interface You can also configure management access and add a ping server to the secondary IP address. set system interface config secallowaccess ping https ssh snmp http telnet set system interface config secgwdetect enable Adding a ping server to an interface Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface.
Configuring traffic logging for connections to an interface Network configuration Configuring traffic logging for connections to an interface 1 Go to System > Network > Interface. 2 Select Modify 3 Select Log to record log messages whenever a firewall policy accepts a connection to this interface. 4 Select OK to save your changes. for the interface for which to configure logging.
Network configuration Configuring the external interface for PPPoE 4 Select Connect to DHCP server to automatically connect to a DHCP server. If you do not select Connect to DHCP server, the FortiGate unit will not connect to a DHCP server. You can deselect this option if you are configuring the FortiGate unit offline. 5 Select OK. The FortiGate unit attempts to contact a DHCP server from the external interface to set the external IP address, netmask, and default gateway IP address.
Configuring the management interface (Transparent mode) Network configuration Note: You cannot set MTU size if the external interface is configured using PPPoE. The PPPoE protocol configures optimum MTU size. To change the MTU size of the packets leaving the external interface: 1 Go to System > Network > Interface. 2 For the external interface, select Modify 3 Select Fragment outgoing packets greater than MTU. 4 Set the MTU size. Set the maximum packet size in the range of 68 to 1500 bytes.
Network configuration Configuring the management interface (Transparent mode) Figure 2: Configuring the management interface Adding DNS server IP addresses Several FortiGate functions, including sending email alerts and URL blocking, use DNS. To set the DNS server addresses: 1 Go to System > Network > DNS. 2 Change the primary and secondary DNS server addresses as required. 3 Select Apply to save your changes. Configuring routing This section describes how to configure FortiGate routing.
Adding a default route Network configuration Adding a default route Use the following procedure to add a default route for network traffic leaving the external interface. 1 Go to System > Network > Routing Table. 2 Select New to add a new route. 3 Set the Source IP and Netmask to 0.0.0.0. 4 Set the Destination IP and Netmask to 0.0.0.0. 5 Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet. 6 Select OK to save the default route.
Network configuration Adding routes in Transparent mode 6 Set Device #1 to the FortiGate interface through which to route traffic to connect to Gateway #1. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface.
Configuring the routing table Network configuration Configuring the routing table The routing table shows the destination IP address and mask of each route you add as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the FortiGate unit has used the ping server and dead gateway detection to determine that it can connect to the gateway; a red X means that a connection cannot be established.
Network configuration Policy routing The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet using the matched destination route. If a match is not found, the FortiGate routes the packet using normal routing.
Policy routing Network configuration Figure 4: Sample DHCP settings Viewing the dynamic IP list If you have configured the FortiGate unit as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses. The FortiGate unit adds these addresses to the dynamic IP/MAC list and if IP/MAC binding is enabled, the addresses in the dynamic IP/MAC list are added to the list of trusted IP/MAC address pairs.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 RIP configuration The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP messages to carry more information and support simple authentication. RIP2 also supports subnet masks, a feature not available in RIP.
RIP configuration This chapter describes how to configure FortiGate RIP: • RIP settings • Configuring RIP for FortiGate interfaces • Adding RIP neighbors • Adding RIP filters RIP settings Configure RIP settings to enable basic RIP functionality and metrics and to configure RIP timers. 1 Go to System > RIP > Settings. 2 Select Enable RIP Server to configure the FortiGate unit to be a RIP server.
RIP configuration 7 Update The time interval in seconds between sending routing table updates. The default is 30 seconds. Invalid The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update. A route becomes invalid when there is an absence of updates that refresh the route. The route then enters holddown. The route is marked inaccessible and advertised as unreachable. However, the route is still used for forwarding packets.
RIP configuration Configuring RIP for FortiGate interfaces You can create a unique RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. For example: • If you have a complex internal network containing devices that use the RIP2 protocol, you might want to configure RIP2 send and receive for the internal interface.
RIP configuration Note: MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit. Using MD5 authentication, the password is added to the routing message and MD5 is applied to create the MD5 digest of the routing message. The password is replaced in the routing message with this MD5 digest and this message is broadcast.
Adding a single RIP filter RIP configuration 3 Add the IP address of a neighbor router that you want the FortiGate unit to exchange routing information with. 4 Select Enable Send RIP1 to send RIP1 messages to the neighbor. 5 Select Enable Send RIP2 to send RIP2 messages to the neighbor. 6 Select OK to add the RIP neighbor to the list. Adding RIP filters Use RIP filters to control the routing information received by the FortiGate unit and sent by the FortiGate unit.
RIP configuration Adding a RIP filter list 4 Filter Name Enter a name for the RIP filter. Each RIP filter and RIP filter list must have unique name. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces. Blank Filter Used for Filter lists. See “Adding a RIP filter list” on page 127. IP Add the IP address of the route. Mask Add the netmask of the route.
Adding a neighbors filter RIP configuration Adding a neighbors filter You can select a single RIP filter or a RIP filter list to be the neighbors filter. 1 Go to System > RIP > Filter. 2 Add RIP filters and RIP filter lists as required. 3 For Neighbors Filter, select the name of the RIP filter or RIP filter list to become the neighbors filter. 4 Select Apply. Routes received from neighbors are filtered using the selected RIP filter or RIP filter list.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 System configuration Go to System > Config to make any of the following changes to the FortiGate system configuration: • Setting system date and time • Changing web-based manager options • Adding and editing administrator accounts • Configuring SNMP • Customizing replacement messages Setting system date and time For effective scheduling and logging, the FortiGate system time should be accurate.
System configuration 8 Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. 9 Select Apply. Figure 1: Example date and time setting Changing web-based manager options On the System > Config > Options page, you can: • Set the system idle timeout. • Set the authentication timeout. • Select the language for the web-base manager.
System configuration To set the Auth timeout 1 For Auth Timeout, type a number in minutes. 2 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 173. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
Adding new administrator accounts System configuration Adding and editing administrator accounts When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and, optionally, control the IP address from which the administrator can connect to the FortiGate unit.
System configuration Editing administrator accounts Editing administrator accounts The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords. To edit an administrator account 1 Go to System > Config > Admin.
Configuring the FortiGate unit for SNMP monitoring System configuration Configuring SNMP Configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. The FortiGate SNMP agent supports SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665. The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP manager have read-only access to FortiGate system information and can received FortiGate traps.
System configuration FortiGate MIBs 4 Trap Community The trap community string functions like a password that is sent with SNMP traps. The default trap community string is “public”. Change the trap community string to the one accepted by your trap receivers. The trap community string can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.
FortiGate traps System configuration Table 1: FortiGate MIBs MIB file name Description FORTINET.mib The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information. Add this MIB to your SNMP manager to monitor all FortiGate configuration settings. RFC1213.mib The RFC 1213 MIB is the standard MIB-II MIB that describes network management protocols for TCP/IP networks.
System configuration Customizing replacement messages This section describes: • Customizing replacement messages • Customizing alert emails Figure 3: Sample replacement message Customizing replacement messages Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages.
Customizing alert emails System configuration Table 3: Replacement message sections Scanning Used for virus scanning (all services). Section Start <**INFECTED**> Allowed Tags %%FILE%% The name of the file that was infected. %%VIRUS%% The name of the virus infecting the file. %%URL%% The URL of the blocked web page or file. Section End <**/BLOCKED**> Quarantine Used when quarantine is enabled (permitted for all scan services and block services for email only).
System configuration Customizing alert emails Table 4: Alert email message sections %%EMAIL_FROM%% The email address of the sender of the message in which the virus was found. %%EMAIL_TO%% The email address of the intended receiver of the message in which the virus was found. Block alert Used for file block alert email messages Section Start <**BLOCK_ALERT**> Allowed Tags %%FILE%% The name of the file that was blocked. %%PROTOCOL%% The service for which the file was blocked.
Customizing alert emails 140 System configuration Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Firewall configuration Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
Addresses Firewall configuration Default firewall configuration By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall to forward the connection to the Internet.
Firewall configuration Services Services Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections to using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall. You can also add user-defined services.
Content profiles Firewall configuration Adding firewall policies Add Firewall policies to control connections and traffic between FortiGate interfaces. 1 Go to Firewall > Policy. 2 Select the policy list to which you want to add the policy. 3 Select New to add a new policy. You can also select Insert Policy before policy above a specific policy. on a policy in the list to add the new 4 Configure the policy: See “Firewall policy options” on page 145 for information about policy options.
Firewall configuration Firewall policy options Firewall policy options This section describes the options that you can add to firewall policies. Source Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see “Addresses” on page 150. Destination Select an address or address group that matches the destination address of the packet.
Firewall policy options Firewall configuration Dynamic IP Pool You cannot select Dynamic IP Pool for Int->Ext or DMZ->Ext policies if the external interface is configured using DHCP or PPPoE. Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see “IP pools” on page 164. Fixed Port Select Fixed Port to prevent NAT from translating the source port.
Firewall configuration Firewall policy options Authentication Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To add and configure user groups, see “Configuring user groups” on page 179. You must add user groups before you can select Authentication. You can select Authentication for any service.
Firewall policy options Firewall configuration Figure 6: Adding a Transparent mode policy Log Traffic Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 249. Comments Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces. 148 Fortinet Inc.
Firewall configuration Policy matching in detail Configuring policy lists The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to this policy, you must add them to the policy list above the default policy.
Enabling and disabling policies 4 Firewall configuration Type a number in the Move to field to specify where in the policy list to move the policy and select OK. Enabling and disabling policies You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches enabled policies but does not match disabled policies. Disabling a policy Disable a policy to temporarily prevent the firewall from selecting the policy.
Firewall configuration Adding addresses This section describes: • Adding addresses • Editing addresses • Deleting addresses • Organizing addresses into address groups Adding addresses 1 Go to Firewall > Address. 2 Select the interface to which to add the address. 3 Select New to add a new address. 4 Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Editing addresses Firewall configuration Figure 7: Adding an internal address Editing addresses Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name. 1 Go to Firewall > Address. 2 Select the interface list containing the address that you want to edit.
Firewall configuration Predefined services 2 Select the interface to which to add the address group. 3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
Predefined services Firewall configuration Table 5: FortiGate predefined services 154 Service name Description Protocol Port ANY Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. all all GRE Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
Firewall configuration Predefined services Table 5: FortiGate predefined services (Continued) Service name Description IRC Internet Relay Chat allows people connected to tcp the Internet to join live discussions. 6660-6669 L2TP L2TP is a PPP-based tunnel protocol for remote access. tcp 1701 LDAP Lightweight Directory Access Protocol is a set of protocols used to access information directories.
Providing access to custom services Firewall configuration Table 5: FortiGate predefined services (Continued) Service name Description Protocol Port TCP All TCP ports. tcp 0-65535 TELNET Telnet service for connecting to a remote computer to run commands. tcp 23 TFTP Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features. udp 69 UDP All UDP ports. udp 0-65535 UUCP Unix to Unix copy utility, a simple file copying protocol.
Firewall configuration Grouping services 2 Select New. 3 Enter a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Creating one-time schedules Firewall configuration Creating one-time schedules You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period. 1 Go to Firewall > Schedule > One-time. 2 Select New. 3 Enter a Name for the schedule.
Firewall configuration Adding a schedule to a policy 3 Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 Select the days of the week on which the schedule should be active. 5 Set the Start and Stop hours in between which the schedule should be active. Recurring schedules use the 24-hour clock. 6 Select OK to save the recurring schedule.
Adding static NAT virtual IPs Firewall configuration For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied. Virtual IPs Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies.
Firewall configuration Adding port forwarding virtual IPs 6 In the External IP Address field, enter the external IP address to be mapped to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server.
Adding port forwarding virtual IPs 162 Firewall configuration 4 Select the virtual IP External Interface. The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network. 5 Change Type to Port Forwarding. 6 In the External IP Address field, enter the external IP address to be mapped to an address on the destination zone.
Firewall configuration Adding policies with virtual IPs Figure 13: Adding a port forwarding virtual IP Adding policies with virtual IPs Use the following procedure to add a policy that uses a virtual IP to forward packets. 1 Go to Firewall > Policy. 2 Select the type of policy to add. 3 • The source interface must match the interface selected in the External Interface list. • The destination interface must match the interface connected to the network with the Map to IP address.
Adding an IP pool Firewall configuration Authentication Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding. Log Traffic Select these options to log port-forwarded traffic and apply antivirus Anti-Virus & Web filter and web filter protection to this traffic. 4 Select OK to save the policy.
Firewall configuration IP Pools for firewall policies that use fixed ports 5 Select OK to save the IP pool. Figure 14: Adding an IP Pool IP Pools for firewall policies that use fixed ports Some network configurations will not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.
Configuring IP/MAC binding for packets going through the firewall Firewall configuration IP/MAC binding IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to Ethernet cards at the factory and cannot easily be changed.
Firewall configuration Configuring IP/MAC binding for packets going to the firewall For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list: • A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy. • A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
Viewing the dynamic IP/MAC list Firewall configuration 3 Enter the IP address and the MAC address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list. Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses.
Firewall configuration Enabling IP/MAC binding Figure 15: IP/MAC settings Content profiles Use content profiles to apply different protection settings for content traffic controlled by firewall policies.
Default content profiles Firewall configuration Default content profiles The FortiGate unit has the following four default content profiles under Firewall > Content Profile. You can use these existing content profiles or create your own: Strict Scan Web Unfiltered To apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Firewall configuration Adding a content profile to a policy Email Content Block Add a subject tag to email that contains unwanted words or phrases. See “Email banned word list” on page 246. 7 Enable fragmented email and oversized file and email options. Oversized File/Email Block or pass files and email that exceed thresholds configured as a percent of system memory. See “Blocking oversized files and emails” Block on page 234.
Adding a content profile to a policy 172 Firewall configuration 3 Select New to add a new policy, or choose a policy and select Edit . 4 Select Anti-Virus & Web filter. 5 Select a content profile. 6 Configure the remaining policy settings if required. 7 Select OK. 8 Repeat this procedure for any policies for which to enable network protection. Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Users and authentication FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.
Adding user names and configuring authentication Users and authentication This chapter describes: • Setting authentication timeout • Adding user names and configuring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user groups Setting authentication timeout To set authentication timeout: 1 Go to System > Config > Options.
Users and authentication Deleting user names from the internal database 5 Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. 6 Select OK. Figure 17: Adding a user name Deleting user names from the internal database You cannot delete user names that have been added to user groups.
Adding RADIUS servers Users and authentication Configuring RADIUS support If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers Adding RADIUS servers To configure the FortiGate unit for RADIUS authentication: 1 Go to User > RADIUS. 2 Select New to add a new RADIUS server. 3 Enter the name of the RADIUS server.
Users and authentication Adding LDAP servers Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authentication with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit.
Deleting LDAP servers Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
Users and authentication Adding user groups Configuring user groups To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for: • Policies that require authentication. Only users in the selected user group or that can authenticate with the RADIUS servers added to the user group can authenticate with these policies.
Deleting user groups Users and authentication Figure 20: Adding a user group 3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 IPSec VPN A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client to gain remote access to his private office network.
Manual Keys IPSec VPN Key management There are three basic elements in any encryption system: • • • an algorithm which changes information into code, a cryptographic key which serves as a secret starting point for the algorithm, a management system to control the key. IPSec provides two ways to handle key exchange and management: manual keying and IKE for automated key management.
IPSec VPN General configuration steps for a manual key VPN Manual key IPSec VPNs When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers.
Adding a manual key VPN tunnel IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. 7 Select an Encryption Algorithm from the list.
IPSec VPN General configuration steps for an AutoIKE VPN AutoIKE IPSec VPNs Fortunate supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
Adding a phase 1 configuration for an AutoIKE VPN IPSec VPN 3 Enter a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 Select a Remote Gateway address type. • If the remote VPN peer has a static IP address, select Static IP Address.
IPSec VPN Adding a phase 1 configuration for an AutoIKE VPN 10 Optionally, enter the Local ID of the FortiGate unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit will transmit its IP address.) Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode.
Adding a phase 1 configuration for an AutoIKE VPN 4 5 6 188 IPSec VPN Optionally, configure NAT Traversal. Enable Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting. Keepalive Frequency If you enable NAT-traversal, you can change the number of seconds in the Keepalive Frequency field.
IPSec VPN Adding a phase 2 configuration for an AutoIKE VPN Figure 21: Adding a phase 1 configuration Adding a phase 2 configuration for an AutoIKE VPN Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client). Note: Adding a Phase 2 configuration is the same for pre-shared key and certification VPNs. To add a phase 2 configuration: 1 Go to VPN > IPSEC > Phase 2.
Adding a phase 2 configuration for an AutoIKE VPN IPSec VPN 4 Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see “Adding a phase 1 configuration for an AutoIKE VPN” on page 185. Choose either a single DIALUP remote gateway, or up to three STATIC remote gateways.
IPSec VPN Obtaining a signed local certificate Figure 22: Adding a phase 2 configuration Managing digital certificates Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. Fortinet uses a manual procedure to obtain certificates.
Obtaining a signed local certificate IPSec VPN Generating the certificate request With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request. To generate the certificate request: 1 Go to VPN > Local Certificates. 2 Select Generate. 3 Enter a Certificate Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
IPSec VPN Obtaining a signed local certificate Figure 23: Adding a Local Certificate Downloading the certificate request With this procedure, you download the certificate request from the FortiGate unit to the management computer. To download the certificate request: 1 Go to VPN > Local Certificates. 2 Select Download 3 Select Save. 4 Name the file and save it in a directory on the management computer. to download the local certificate to the management computer.
Obtaining a signed local certificate 4 IPSec VPN Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encoded PKCS#10 certificate request to the CA web server, • paste the certificate request to the CA web server, • submit the certificate request to the CA web server. The certificate request is submitted to the CA for it to sign.
IPSec VPN Obtaining a CA certificate 3 Enter the path or browse to locate the signed local certificate on the management computer. 4 Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK. Obtaining a CA certificate For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority.
Obtaining a CA certificate IPSec VPN Configuring encrypt policies A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN. A VPN requires only one encrypt policy to control both inbound and outbound connections.
IPSec VPN Adding a source address Adding a source address The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network. 1 Go to Firewall > Address. 2 Select an internal interface. (Methods will differ slightly between FortiGate models.) 3 Select New to add an address. 4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
Adding an encrypt policy IPSec VPN Inbound NAT The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically, this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).
IPSec VPN VPN concentrator (hub) general configuration steps IPSec VPN concentrators In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
VPN concentrator (hub) general configuration steps IPSec VPN To create a VPN concentrator configuration: 1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel. • A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See “Manual key IPSec VPNs” on page 183.
IPSec VPN Adding a VPN concentrator Adding a VPN concentrator To add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator. 2 Select New to add a VPN concentrator. 3 Enter the name of the new concentrator in the Concentrator Name field. 4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow. 5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
VPN spoke general configuration steps IPSec VPN VPN spoke general configuration steps A remote VPN peer that is functioning as a spoke requires the following configuration: • A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub. • The source address of the local VPN spoke. • The destination address of each remote VPN spoke. • A separate outbound encrypt policy for each remote VPN spoke.
IPSec VPN Configuring redundant IPSec VPN Action ENCRYPT VPN Tunnel The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.) Allow inbound Select allow inbound. Allow outbound Do not enable. Inbound NAT Select inbound NAT if required. Outbound NAT Select outbound NAT if required. See “Adding an encrypt policy” on page 197.
Configuring redundant IPSec VPN IPSec VPN Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zone. Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones.
IPSec VPN Viewing VPN tunnel status Monitoring and Troubleshooting VPNs This section provides a number of general maintenance and monitoring procedures for VPNs. This section describes: • Viewing VPN tunnel status • Viewing dialup VPN connection status • Testing a VPN Viewing VPN tunnel status You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status of each tunnel as well as the tunnel time out.
Testing a VPN IPSec VPN To view dialup connection status: 1 Go to VPN > IPSec > Dialup. The Lifetime column displays how long the connection has been up. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. The Proxy ID Source column displays the actual IP address or subnet address of the remote peer.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 PPTP and L2TP VPN You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are is a Windows standards, PPTP and L2TP do not require third-party software on the client computer.
Configuring the FortiGate unit as a PPTP gateway PPTP and L2TP VPN Figure 29: PPTP VPN between a Windows client and the FortiGate unit Configuring the FortiGate unit as a PPTP gateway Use the following procedures to configure the FortiGate unit as a PPTP gateway: Adding users and user groups To add a user for each PPTP client: 1 Go to User > Local. 2 Add and configure PPTP users. See “Adding user names and configuring authentication” on page 174. 3 Go to User > User Group.
PPTP and L2TP VPN Configuring the FortiGate unit as a PPTP gateway Figure 30: Example PPTP Range configuration Adding a source address Add a source address for every address in the PPTP address range. 1 Go to Firewall > Address. 2 Select the interface to which PPTP clients connect. 3 Select New to add an address. 4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range. 5 Select OK to save the source address.
Configuring a Windows 98 client for PPTP PPTP and L2TP VPN Adding a destination address Add an address to which PPTP users can connect. 1 Go to Firewall > Address. 2 Select the internal interface or the DMZ interface. (Methods will differ slightly between FortiGate models.) 3 Select New to add an address. 4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer. 5 Select OK to save the source address.
PPTP and L2TP VPN Configuring a Windows 2000 client for PPTP 8 Insert diskettes or CDs as required. 9 Restart the computer. Configuring a PPTP dialup connection 1 Go to My Computer > Dial-Up Networking > Configuration. 2 Double-click Make New Connection. 3 Name the connection and select Next. 4 Enter the IP address or host name of the FortiGate unit to connect to and select Next. 5 Select Finish. An icon for the new connection appears in the Dial-Up Networking folder.
Configuring a Windows XP client for PPTP 9 10 PPTP and L2TP VPN Uncheck Require data encryption. Select OK. Connecting to the PPTP VPN 1 Start the dialup connection that you configured in the previous procedure. 2 Enter your PPTP VPN User Name and Password. 3 Select Connect. 4 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
PPTP and L2TP VPN Configuring a Windows XP client for PPTP 9 10 11 12 Select the Networking tab. Make sure that the following options are selected: • TCP/IP • QoS Packet Scheduler Make sure that the following options are not selected: • File and Printer Sharing for Microsoft Networks • Client for Microsoft Networks Select OK. Connecting to the PPTP VPN 1 Connect to your ISP. 2 Start the VPN connection that you configured in the previous procedure.
Configuring the FortiGate unit as a L2TP gateway PPTP and L2TP VPN Figure 31: L2TP VPN between a Windows client and the FortiGate unit Configuring the FortiGate unit as a L2TP gateway Use the following procedures to configure the FortiGate unit as an L2TP gateway: Adding users and user groups To add a user for each L2TP client: 1 Go to User > Local. 2 Add and configure L2TP users. See “Adding user names and configuring authentication” on page 174. 3 Go to User > User Group.
PPTP and L2TP VPN Configuring the FortiGate unit as a L2TP gateway Figure 32: Sample L2TP address range configuration 6 Add the addresses from the L2TP address range to the external interface address list. The addresses can be grouped into an external address group. 7 Add addresses to the destination interface address list to control the addresses to which L2TP clients can connect. The addresses can be grouped into an address group.
Configuring the FortiGate unit as a L2TP gateway PPTP and L2TP VPN 3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
PPTP and L2TP VPN Configuring a Windows 2000 client for L2TP Configuring a Windows 2000 client for L2TP Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN. Configuring an L2TP dialup connection 1 Go to Start > Settings > Network and Dial-up Connections. 2 Double-click Make New Connection to start the Network Connection Wizard and select Next.
Configuring a Windows XP client for L2TP PPTP and L2TP VPN 8 Add the following registry value to this key: Value Name: ProhibitIpSec Data Type: REG_DWORD Value: 1 9 Save your changes and restart the computer for the changes to take effect. You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created.
PPTP and L2TP VPN Configuring a Windows XP client for L2TP Note: If a RADIUS server is used for authentication do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication. 5 Select Advanced to configure advanced settings. 6 Select Settings. 7 Select Challenge Handshake Authentication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab.
Configuring a Windows XP client for L2TP PPTP and L2TP VPN Connecting to the L2TP VPN 220 1 Connect to your ISP. 2 Start the VPN connection that you configured in the previous procedure. 3 Enter your L2TP VPN User Name and Password. 4 Select Connect. 5 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password. Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Network Intrusion Detection System (NIDS) The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log plus send an alert email to the system administrator.
Selecting the interfaces to monitor Network Intrusion Detection System (NIDS) Selecting the interfaces to monitor 1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks. You can select one or more interfaces. 3 Select Apply. Disabling the NIDS 1 Go to NIDS > Detection > General. 2 Deselect all monitored interfaces. 3 Select Apply.
Network Intrusion Detection System (NIDS) Viewing the signature list Viewing the signature list To display the current list of NIDS signature groups and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List. 2 View the names and action status of the signature groups in the list. The NIDS detects attacks listed in all the signature groups that are checked in the Modify or Details column. Note: The user-defined signature group is the last item in the signature list.
Enabling and disabling NIDS attack signatures Network Intrusion Detection System (NIDS) Enabling and disabling NIDS attack signatures By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks.
Network Intrusion Detection System (NIDS) Enabling NIDS attack prevention Figure 35: Example user-defined signature list Downloading the user-defined signature list You can back up the user-defined signature list by downloading it to a text file on the management computer. 1 Go to NIDS > Detection > User Defined Signature List. 2 Select Download. The FortiGate unit downloads the user-defined signature list to a text file on the management computer.
Enabling NIDS attack prevention signatures Network Intrusion Detection System (NIDS) Enabling NIDS attack prevention signatures The NIDS Prevention module contains signatures that are designed to protect your network against attacks. Some signatures are enabled by default; others must be enabled. For a complete list of NIDS Prevention signatures and descriptions, see the FortiGate NIDS Guide. 1 Go to NIDS > Prevention. 2 Check the box in the Enable column beside each signature that you want to enable.
Network Intrusion Detection System (NIDS) Setting signature threshold values For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate unit will block the attacker to eliminate disruption of system operations. If you enter a threshold value of 0 or a number out of the allowable range, the FortiGate unit uses the default value.
Configuring synflood signature values Network Intrusion Detection System (NIDS) Configuring synflood signature values For synflood signatures, you can set the threshold, queue size, and keep alive values. Value Description Minimum Maximum Default value value value Threshold Number of SYN requests sent to a 30 destination host or server per second. If the SYN requests are being sent to all ports on the destination, as opposed to just one port, the threshold quadruples (4 x).
Network Intrusion Detection System (NIDS) Reducing the number of NIDS attack log and email messages Reducing the number of NIDS attack log and email messages Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, the FortiGate unit provides methods to reduce the number of unnecessary messages. Based on the frequency that messages are generated, the FortiGate unit will automatically delete duplicates.
Reducing the number of NIDS attack log and email messages 230 Network Intrusion Detection System (NIDS) Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Antivirus protection Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
Antivirus protection Antivirus scanning Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which antivirus protection as been enabled. Each file is tested to determine the file type and to determine the most effective method of scanning the file for viruses.
Antivirus protection Blocking files in firewall traffic File blocking Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus that is so new that antivirus scanning cannot detect it. You would not normally run the FortiGate unit with blocking enabled.
Configuring limits for oversized files and email Antivirus protection Blocking oversized files and emails You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Web filtering Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering: • • • • blocking unwanted URLs, blocking unwanted content, removing scripts from web pages, exempting of URLs from blocking.
Adding words and phrases to the banned word list Web filtering 4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 136. 5 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See “Configuring alert email” in the Logging Configuration and Reference Guide.
Web filtering Using the FortiGate web filter Figure 38: Example banned word list URL blocking You can block the unwanted web URLs using both the FortiGate web filter and the Cerberian web filter. • • Using the FortiGate web filter Using the Cerberian web filter Using the FortiGate web filter You can configure the FortiGate unit to block all pages on a website by adding the toplevel URL or IP address.
Using the FortiGate web filter 3 Web filtering Type the URL/Pattern to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website. To block all pages with a URL that ends with badsite.
Web filtering Using the FortiGate web filter Downloading the URL block list You can back up the URL block list by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Block. 2 Select Download URL Block List . The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Using the Cerberian web filter Web filtering Using the Cerberian web filter The FortiGate unit supports Cerberian web filtering. For information about Cerberian web filter, see www.cerberian.com. If you have purchased the Cerberian web filtering functionality with your FortiGate unit, use the following configuration procedures to configure FortiGate support for Cerberian web filtering. General configuration steps To use the Cerberian web filter, you must: 1 Install a Cerberian web filter license key.
Web filtering Using the Cerberian web filter 4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0. 5 Enter an alias for the user. This alias will be used as the user name when you add the user to a user group on the Cerberian server.
Enabling the script filter Web filtering 5 Create a new or select an existing content profile and enable Web URL Block. 6 Go to Firewall > Policy. 7 Create a new or select an existing policy that will use the content profile. 8 Select Anti-Virus & Web filter. 9 Select the content profile from the Content Profile list. 10 Click OK. Script filtering You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from the HTML web pages.
Web filtering Adding URLs to the exempt URL list Exempt URL list Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking.
Adding URLs to the exempt URL list Web filtering 244 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Email filter Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic.
Adding words and phrases to the banned word list Email filter Email banned word list When the FortiGate unit detects email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag.
Email filter Adding address patterns to the email block list Email block list You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag.
Adding address patterns to the email exempt list Email filter Adding address patterns to the email exempt list 1 Go to Email Filter > Exempt List. 2 Select New to add an address pattern to the email exempt list. 3 Type the address pattern to exempt. • To exempt email sent from a specific email address, type the email address. For example, sender@abccompany.com. • To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Logging and reporting You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
Recording logs on a remote computer Logging and reporting Recording logs on a remote computer Use the following procedure to configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server. 1 Go to Log&Report > Log Setting. 2 Select Log to Remote Host to send the logs to a syslog server. 3 Type the IP address of the remote computer running syslog server software. 4 Type the port number of the syslog server.
Logging and reporting Recording logs in system memory Recording logs in system memory If your FortiGate unit does not contain a hard disk, you can use the following procedure to configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter and email filter log messages. Logging to memory allows quick access to only the most recent log entries. The FortiGate unit can store a limited number of messages in system memory.
Recording logs in system memory Logging and reporting Email Filter Log Record activity events, such as detection of email that contains unwanted content and email from unwanted senders. Update Record log messages when the FortiGate connects to the FDN to download antivirus and attack updates. 4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3. 5 Select OK.
Logging and reporting Enabling traffic logging Configuring traffic logging You can configure the FortiGate unit to record traffic log messages for connections to: • Any interface • Any firewall policy The FortiGate unit can filter traffic logs for any source and destination address and service. You can also enable the following global settings: • resolve IP addresses to host names, • record session or packet information, • display the port number or service.
Configuring traffic filter settings Logging and reporting Configuring traffic filter settings Use the following procedure to configure the information recorded in all traffic log messages. 1 Go to Log&Report > Log Setting > Traffic Filter. 2 Select the settings that you want to apply to all Traffic Log messages. Resolve IP Type Display 3 Select Resolve IP if you want traffic log messages to list the IP address and the domain name stored on the DNS server.
Logging and reporting Viewing logs Destination IP Address Type the destination IP address and netmask for which you want the Destination Netmask FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network. Service Select the service group or individual service for which you want the FortiGate unit to log traffic messages. 4 Select OK.
Searching logs Logging and reporting Searching logs Use the following procedure to search log messages saved in system memory: 1 Go to Log&Report > Logging. 2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log. 3 Select 4 Select AND to search for messages that match all the specified search criteria. 5 Select OR to search for messages that match one or more of the specified search criteria.
Logging and reporting Testing alert email 3 In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit. 4 In the SMTP User field, type a valid email address in the format user@domain.com. This address appears in the From header of the alert email. 5 In the Password field, type the password that the SMTP user needs to access the SMTP server.
Enabling alert email 258 Logging and reporting Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
Glossary LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers. MAC address, Media Access Control address: A hardware address that uniquely identifies each node of a network.
Glossary SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet.
Glossary 262 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.
Index B backing up system settings 83 bandwidth guaranteed 146 maximum 146 banned word list adding words 236, 246 blacklist URL 239 block traffic IP/MAC binding 167 blocking access to Internet sites 237, 247 access to URLs 237, 247 adding filename patterns 233 file 233 oversized files and email 234 web pages 236, 246 C certificates introduction 182 checksum verification configuring 222 clearing communication sessions 89 URL block list 238 CLI 18 configuring IP addresses 45, 59 configuring NAT/Route mode 4
Index E email alert testing 257 email filter log 252 enabling policy 150 encrypt policy 145 encrypt policy allow inbound 146 allow outbound 146 Inbound NAT 146 Outbound NAT 146 ending IP address DHCP 119 PPTP 208, 214 environmental specifications 29 event log 251 viewing 255 exclusion range DHCP 119 exempt URL list 243, 247 adding URL 243, 248 exempting URLs from content and URL blocking 243, 247 expire system status 90 external interface configuring DHCP 112 configuring PPPoE 113 F factory default restor
Index IDS log viewing 255 IKE 259 IMAP 154, 259 Inbound NAT encrypt policy 146 interface RIP 124 internal address example 152 internal address group example 153 internal network configuring 48 Internet blocking access to Internet sites 237, 247 blocking access to URLs 237, 247 Internet key exchange 259 intrusion attempts alert email 257 IP configuring checksum verification 222 IP address IP/MAC binding 166 IP addresses configuring from the CLI 45, 59 IP pool adding 164 IP spoofing 166 IP/MAC binding 166 add
Index maximum bandwidth 146 messages replacement 135 MIB FortiGate 135 mode Transparent 16 monitor system status 86, 87, 88, 89 monitored interfaces 222 MTU size 113 changing 113 definition 260 improving network performance 113 N NAT introduction 15 policy option 145 push updates 96 NAT mode adding policy 144 IP addresses 45 NAT/Route mode configuration from the CLI 45 introduction 15 neighbor RIP 125 netmask administrator account 132, 133 network address translation introduction 15 network configuration c
Index prevention NIDS 225 protocol service 154 system status 89 proxy server 100 push updates 100 push updates configuring 95 through a NAT device 96 through a proxy server 100 R RADIUS definition 260 example configuration 176 RADIUS server adding server address 176 deleting 176 read & write access level administrator account 132 read only access level administrator account 132 recording logs 249 recording logs in system memory 251 recording logs on NetIQ WebTrends server 250 recovering a lost Fortinet sup
Index session clearing 89 set time 129 setup wizard 45, 58 starting 45, 58 shutting down 86 signature threshold values 226 SMTP 155 configuring alert email 257 definition 260 SNMP configuring 134 contact information 134 definition 260 first trap receiver IP address 135 get community 134 MIBs 135 system location 134 trap community 135 traps 136 source policy option 145 squidGuard 239 SSH 155, 261 SSL 259 service definition 154 starting IP DHCP 119 PPTP 208, 214 static IP/MAC list 166 static NAT virtual IP 16
Index U UDP configuring checksum verification 222 unwanted content blocking 236, 246 update 252 attack 94 push 95 updated antivirus 94 updating attack definitions 91, 95 virus definitions 91, 95 upgrade firmware 71 upgrading firmware 70 firmware using the CLI 71, 73 firmware using the web-based manager 71, 72 URL adding to exempt URL list 243, 248 adding to URL block list 237, 247 blocking access 237, 247 URL block list adding URL 237, 247 clearing 238 downloading 239 uploading 239 URL block message 236 UR
Index wizard firewall setup 45, 58 starting 45, 58 FortiGate-100 Installation and Configuration Guide worm list displaying 234 worm protection 234 271
Index 272 Fortinet Inc.