INSTALL GUIDE FortiGate-30B FortiOS 3.0 MR6 www.fortinet.
FortiGate-30B Install Guide FortiOS 3.0 MR6 5 May 2008 01-30006-0459-20080505 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Contents
Contents 3
Introduction 7
  Register your FortiGate unit 7
  About the FortiGate-30B 8
  About this document
Configure a DNS server 24
Adding a default route and gateway 24
Adding firewall policies 25
Configuring Transparent mode 25
  Using the web-based manager
Installing firmware from a system reboot using the CLI 44
Restoring the previous configuration
Backup and Restore from a USB key
Using the USB Auto-Install
Additional CLI Commands for a USB key
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network protection. The FortiGate Unified Threat Management System improves network security, reduces network misuse and abuse, and helps you use communications resources more efficiently without compromising the performance of your network. The FortiGate Unified Threat Management System is ICSA-certified for firewall, IPSec, and antivirus services.
About the FortiGate-30B
The FortiGate-30B provides a WAN port for connection to the Internet and three integrated switch ports for multiuser environments in a small remote office. It is ideally suited for remote offices, retail stores, broadband telecommuter sites and many other applications.
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Further Reading
• FortiGate online help: Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiGate CLI Reference: Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
Installing
This chapter describes installing your FortiGate unit in your server room, environmental specifications and how to mount the FortiGate in a rack if applicable.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
The equipment complies with the FCC radiation exposure limits set forth for an uncontrolled environment.
Cautions and warnings
Review the following cautions before installing your FortiGate unit.
Place the FortiGate unit on any flat, stable surface. Ensure the unit has sufficient clearance on each side to ensure adequate airflow for cooling.
Plugging in the FortiGate
Use the following steps to connect the power supply to the FortiGate unit.
To power on the FortiGate unit
1 Connect the AC adapter to the power connection at the back of the FortiGate unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
Configuring
This section provides an overview of the operating modes of the FortiGate unit, NAT/Route and Transparent, and how to configure the FortiGate unit for each mode. There are two ways you can configure the FortiGate unit: using the web-based manager or the command line interface (CLI). This section steps through both methods. Use whichever you are most comfortable with.
This section includes the following topics:
• NAT vs.
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address to make configuration changes. The management IP address is also used for antivirus and attack definition updates.
Figure 3: FortiGate unit in Transparent mode (management IP 10.10.10.1; gateway to the public network 204.23.1.2)
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser. The first warning prompts you to accept and optionally install the FortiGate unit's self-signed security certificate.
Configuring NAT mode
Configuring NAT mode involves defining interface addresses and default routes, and simple firewall policies. You can use the web-based manager or the CLI to configure the FortiGate unit in NAT/Route mode.
Using the web-based manager
After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit.
Initial PADT Timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. Your ISP must support PADT. To disable the PADT timeout, set the value to 0.
Distance: Enter the administrative distance, between 1 and 255, for the default gateway retrieved from the DHCP server.
For an initial configuration, you must edit the factory configured static default route to specify a different default gateway for the FortiGate unit. This will enable the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.
To modify the default gateway
1 Go to Router > Static.
3 Set the following and select OK.
Source Interface: Select the port connected to the Internet.
Source Address: All
Destination Interface: Select the port connected to the network.
Destination Address: All
Schedule: always
Service: Any
Action: Accept
Firewall policy configuration is the same in NAT/Route mode and Transparent mode. Note that these policies allow all traffic through. No protection profiles have been applied.
To set an interface to use PPPoE addressing (items in angle brackets are placeholders for your own values):
    config system interface
        edit external
            set mode pppoe
            set username <name>
            set password <password>
            set ipunnumbered <ip_address>
            set disc-retry-timeout <seconds>
            set padt-retry-timeout <seconds>
            set distance <distance>
            set defaultgw {enable | disable}
            set dns-server-override {enable | disable}
    end
The CLI lists the IP address, netmask, and other settings for each of the FortiGate interfaces.
For an initial configuration, you must edit the factory configured static default route to specify a different default gateway for the FortiGate unit. This will enable the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.
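The default gateway and administrative distance settings described above (the factory static default route, and the Distance value given to a gateway learned over DHCP or PPPoE) decide which next hop carries outbound traffic. The following Python model is an added example, not code from the FortiGate guide or from Fortinet: it performs a longest-prefix lookup and, between routes to the same prefix, prefers the lower administrative distance, and it rejects a distance outside the 1 to 255 range the web-based manager accepts. The interface names, prefixes and gateway addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the FortiGate guide: a small model of route selection when a static
# default route and a gateway learned over DHCP or PPPoE both exist. All names and addresses
# below are constructed.

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network; "0.0.0.0/0" is the default route
    gateway: str     # next hop ("0.0.0.0" for a directly connected network)
    interface: str
    distance: int    # administrative distance, 1..255, lower is preferred
    source: str      # "static", "dhcp", "pppoe" or "connected" (label only)

def make_route(prefix, gateway, interface, distance, source):
    """Build a Route, enforcing the 1..255 distance range the web-based manager accepts."""
    if not 1 <= distance <= 255:
        raise ValueError("administrative distance must be between 1 and 255")
    ipaddress.ip_network(prefix)        # raises ValueError on a malformed prefix
    return Route(prefix, gateway, interface, distance, source)

def lookup(routes, dest_ip):
    """Pick the route for dest_ip: longest matching prefix wins; ties go to the lowest distance."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))

# Constructed routing table: the connected LAN, a static default route left at distance 10,
# and a default gateway handed out by the ISP's DHCP server with a configured distance of 5.
SAMPLE_ROUTES = [
    make_route("192.168.1.0/24", "0.0.0.0", "internal", 1, "connected"),
    make_route("0.0.0.0/0", "192.168.1.99", "wan1", 10, "static"),
    make_route("0.0.0.0/0", "203.0.113.1", "wan1", 5, "dhcp"),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.168.1.50"):
        r = lookup(SAMPLE_ROUTES, ip)
        print(ip, "->", r.interface, r.gateway, f"({r.source}, distance {r.distance})")
```

With the constructed table, Internet-bound traffic leaves via the DHCP-learned gateway because its distance (5) is lower than the static route's (10); raising the DHCP distance above 10 would flip that choice without touching the static route, which is the knob the Distance field exposes.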
Configuring Transparent mode
Using the web-based manager
After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit. Ensure you read the section "Connecting to the web-based manager" on page 18 before beginning.
Switching to Transparent mode
The FortiGate unit comes preset to NAT mode. You need to switch to Transparent mode.
To switch to Transparent mode
1 Go to System > Status.
To add an outgoing traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK.
Source Interface: Select the port connected to the network.
Source Address: All
Destination Interface: Select the port connected to the Internet.
Destination Address: All
Schedule: always
Service: Any
Action: Accept
To add an incoming traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
Configure a DNS server
A DNS server is a service that converts symbolic node names to IP addresses; a domain name server (DNS server) implements the Domain Name System protocol. In simple terms, it acts as a phone book for the Internet: a DNS server matches domain names with computer IP addresses. This enables you to use readable names, such as fortinet.com, when browsing the Internet. DNS server IP addresses are typically provided by your Internet service provider.
Verify the configuration
Your FortiGate unit is now configured and connected to the network. To verify that the FortiGate unit is connected and configured correctly, use your web browser to browse a web site, or use your email client to send and receive email. If you cannot browse to the web site or retrieve/send email from your account, review the previous steps to ensure all information was entered correctly and try again. Remember to verify the firewall policies.
Restoring a configuration
Should you need to restore the configuration file, use the following steps.
To restore the FortiGate configuration
1 Go to System > Maintenance > Backup & Restore.
2 Select to upload the restore file from your PC or a USB key. The USB Disk option will be grayed out if the FortiGate unit supports USB disks but none are connected.
3 Enter the path and file name of the configuration file, or select Browse to locate the file.
To change the administrator password
1 Go to System > Admin > Administrators.
2 Select Change Password and enter a new password.
3 Select OK.
Alternatively, you can also add new administrator users by selecting Create New; however, you cannot remove the admin administrator. Applying a password for this account is recommended.
Advanced configuration
The FortiGate unit and the FortiOS operating system provide a wide range of features that enable you to control network and Internet traffic and protect your network. This chapter describes some of these options and how to configure them.
Web: Apply virus scanning and web content blocking to HTTP traffic.
Unfiltered: Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
The best way to begin creating your own protection profile is to open a predefined profile.
Configuring firewall policies
To add or edit a firewall policy, go to Firewall > Policy and select Edit on an existing policy, or select Create New to add a policy. The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled.
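The policy fields just described (Interface/Zone, Address Name, Schedule, Service, Action) are the same ones the NAT and Transparent procedures earlier set to All/always/Any/Accept, with the note that those policies allow all traffic through. The following Python model is an added example, not code from the FortiGate guide or from Fortinet: it evaluates policies top to bottom, first match wins, and falls through to an implicit deny when nothing matches. It places the guide's two allow-all policies beside a constructed, tighter set so the difference is visible on the same inbound and outbound sessions. The interface names "internal" and "wan1", the addresses and the time windows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

# Added example, not code from the FortiGate guide: a first-match model of how a policy's
# Interface, Address, Schedule and Service fields select a session and return its Action.
# Interface names ("internal", "wan1"), addresses and times are constructed.

@dataclass(frozen=True)
class Session:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int    # 0 for protocols without ports
    at: time         # time of day the session starts

@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str = "all"              # "all" or a CIDR such as "192.168.1.0/24"
    dst_addr: str = "all"
    schedule: tuple = ("always",)      # ("always",) or ("window", start_time, end_time)
    service: tuple = ("any",)          # ("any",) or (proto, port) such as ("tcp", 443)
    action: str = "accept"             # "accept" or "deny"

def addr_matches(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def schedule_active(schedule, at):
    if schedule[0] == "always":
        return True
    _, start, end = schedule
    return start <= at < end

def service_matches(service, proto, port):
    if service[0] == "any":
        return True
    return service == (proto, port)

def evaluate(policies, s):
    """Return (action, policy name) for the first matching policy, or the implicit deny."""
    for p in policies:
        if (p.src_intf == s.src_intf and p.dst_intf == s.dst_intf
                and addr_matches(p.src_addr, s.src_ip) and addr_matches(p.dst_addr, s.dst_ip)
                and schedule_active(p.schedule, s.at)
                and service_matches(p.service, s.proto, s.dst_port)):
            return p.action, p.name
    return "deny", "implicit"

# The two policies the guide has you create: All / always / Any / Accept in both directions.
GUIDE_POLICIES = [
    Policy("outgoing", "internal", "wan1"),
    Policy("incoming", "wan1", "internal"),
]

# A tighter, constructed alternative: LAN hosts may reach HTTPS during office hours only and
# nothing is opened inbound, so inbound sessions fall through to the implicit deny.
RESTRICTED_POLICIES = [
    Policy("web-out", "internal", "wan1", src_addr="192.168.1.0/24",
           schedule=("window", time(8, 0), time(18, 0)), service=("tcp", 443)),
]

# Constructed sessions: an inbound SMB connection at 03:00, HTTPS out at 10:00 and at 22:00.
INBOUND_SMB = Session("wan1", "internal", "198.51.100.7", "192.168.1.10", "tcp", 445, time(3, 0))
OUTBOUND_HTTPS = Session("internal", "wan1", "192.168.1.10", "198.51.100.7", "tcp", 443, time(10, 0))
LATE_HTTPS = Session("internal", "wan1", "192.168.1.10", "198.51.100.7", "tcp", 443, time(22, 0))

if __name__ == "__main__":
    for label, pols in (("guide", GUIDE_POLICIES), ("restricted", RESTRICTED_POLICIES)):
        print(label, "inbound TCP/445:", evaluate(pols, INBOUND_SMB))
        print(label, "outbound HTTPS 10:00:", evaluate(pols, OUTBOUND_HTTPS))
        print(label, "outbound HTTPS 22:00:", evaluate(pols, LATE_HTTPS))
```

Running it shows the point the guide's note makes: under the two allow-all policies the inbound TCP/445 session is accepted by the "incoming" policy, whereas the restricted set has no inbound policy at all and the session stops at the implicit deny; the same set also rejects the outbound HTTPS session outside the schedule window.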
• Grayware: These are unsolicited commercial software programs that are installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends. The FortiGate unit scans for known grayware executable programs in each enabled category.
Banned word lists are lists of specific words that may typically be found in email. The FortiGate unit searches for these words or patterns in email messages. If matches are found, the values assigned to the matched words are totalled. If the defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter. You configure banned words by going to Antispam > Banned Word.
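The scoring rule above (total the values of matched entries, mark the message as spam only if the total exceeds the threshold, otherwise hand it to the next filter) is easy to get wrong at the boundary. The following Python function is an added example, not code from the FortiGate guide or from Fortinet: it applies that rule to a constructed banned word list that mixes plain words with a regular-expression pattern. The word list, its values, the threshold and the sample messages are constructed, and counting each entry once per message is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Added example, not from the FortiGate guide: scoring a message body against a banned word
# list. Entries, values, threshold and messages are constructed; each entry counts once.

@dataclass(frozen=True)
class BannedWord:
    pattern: str        # a plain word or phrase, or a regular expression when regex=True
    score: int          # value added to the message score when the pattern matches
    regex: bool = False

def _matches(entry, text):
    if entry.regex:
        return re.search(entry.pattern, text, re.IGNORECASE) is not None
    # whole-word match so that "free" does not fire on "freedom"
    return re.search(r"\b" + re.escape(entry.pattern) + r"\b", text, re.IGNORECASE) is not None

def message_score(banned, text):
    """Return (total score, list of matched patterns) for one message body."""
    total, matched = 0, []
    for entry in banned:
        if _matches(entry, text):
            total += entry.score
            matched.append(entry.pattern)
    return total, matched

def classify(banned, text, threshold):
    """'spam' only when the total exceeds the threshold; otherwise the message goes to the next filter."""
    total, matched = message_score(banned, text)
    verdict = "spam" if total > threshold else "next-filter"
    return verdict, total, matched

# Constructed banned word list and threshold.
BANNED = [
    BannedWord("free", 10),
    BannedWord("winner", 15),
    BannedWord("click here", 20),
    BannedWord(r"\$\d{1,3}(,\d{3})+", 25, regex=True),   # dollar amounts such as $1,000,000
]
THRESHOLD = 30

# Constructed sample messages.
SPAM_MSG = "Congratulations WINNER! Click here to claim your $1,000,000 prize, totally free."
HAM_MSG = "The freedom-of-information request was filed; click the attached form to review."
BORDERLINE_MSG = "Free shipping for the winner of the raffle."

if __name__ == "__main__":
    for msg in (SPAM_MSG, HAM_MSG, BORDERLINE_MSG):
        print(classify(BANNED, msg, THRESHOLD))
```

The borderline message scores exactly 25: with the threshold at 25 it is not marked spam, because the rule is "exceeded", not "reached"; lowering the threshold to 24 flips the verdict. Tuning values and threshold together is what controls the false-positive rate of this filter.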
To configure content blocking, go to Web Filter > Content Block.
URL filter enables you to control additional web sites that you can block or allow. This gives you greater control over specific URLs or sub-URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead. To configure URL filters, go to Web Filter > URL Filter.
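The URL filter described above matches requested URLs against a list of entries, each with an allow or block action, and serves a replacement message for blocked pages. The following Python class is an added example, not code from the FortiGate guide or from Fortinet: it checks entries top to bottom with first match winning, supports simple patterns with "*" as a wildcard and regular-expression patterns, and shows why a narrow allow entry has to sit above the broad block it punches a hole in. The entry syntax, the entries and the URLs are constructed for the example and are not the FortiGate's own list format.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the FortiGate guide: a URL filter list evaluated top to bottom,
# each entry a simple pattern ('*' wildcard) or a regular expression with an allow or block
# action; a blocked request yields a replacement message. Entries and URLs are constructed.

def _compile(pattern, kind):
    if kind == "regex":
        return re.compile(pattern, re.IGNORECASE)
    if kind == "simple":
        # '*' is the only wildcard; everything else is matched literally
        return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)
    raise ValueError(f"unknown pattern type: {kind}")

class UrlFilter:
    def __init__(self, entries, replacement="The URL you requested has been blocked."):
        # entries: (pattern, kind, action) tuples in the order they should be checked
        self.entries = [(pattern, _compile(pattern, kind), action)
                        for pattern, kind, action in entries]
        self.replacement = replacement

    def check(self, url):
        """Return (action, matching pattern); ('next-filter', None) when no entry matches."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        target = parts.netloc.lower() + parts.path     # scheme and query are not matched
        for pattern, compiled, action in self.entries:
            if compiled.search(target):
                return action, pattern
        return "next-filter", None

    def response_for(self, url):
        """Replacement page text for a blocked URL, or None when the request may proceed."""
        action, _ = self.check(url)
        return self.replacement if action == "block" else None

# Constructed list. Order matters: the narrow allow entry must precede the broad block.
ENTRIES = [
    ("updates.example.net/downloads/*", "simple", "allow"),
    ("*.example.net", "simple", "block"),
    (r"^[^/]*\.example\.org/(games|chat)/", "regex", "block"),
]
FILTER = UrlFilter(ENTRIES)

if __name__ == "__main__":
    for url in ("http://updates.example.net/downloads/patch.bin", "https://www.example.net/",
                "www.example.org/games/index.html", "https://www.example.org/news/"):
        print(url, "->", FILTER.check(url))
```

Swapping the first two entries makes the update server unreachable even though it has an allow entry, which is the usual cause of "the exception does not work" reports with list-ordered filters.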
FortiGate Firmware
Fortinet periodically updates the FortiGate firmware to include new features and address issues. After you have registered your FortiGate unit, FortiGate firmware updates are available for download from the support web site, http://support.fortinet.com. You can also use the instructions in this chapter to downgrade, or revert, to a previous version.
To download firmware
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version, and MR release and patch release.
4 Locate the firmware for your FortiGate unit, right-click the link and select the Download option for your browser.
Note: Always review the Release Notes for a new firmware release before installing.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To revert to a previous firmware version
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
3 Go to System > Status.
4 Under System Information > Firmware Version, select Update.
Note: You need an unencrypted configuration file for this feature. Also, the default files, image.out and system.conf, must be in the root directory of the USB key.
Note: Make sure at least FortiOS v3.0MR1 is installed on the FortiGate unit before installing.
To configure the USB Auto-Install
1 Go to System > Maintenance > Backup and Restore.
2 Select the blue arrow to expand the Advanced options.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit (items in angle brackets are placeholders):
    execute restore image <filename> <tftp_ip>
where <filename> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image image.out 192.168.1.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
    execute ping 192.168.1.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.
9 Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network. The following message appears:
    Enter File Name [image.
To restore configuration using the CLI
1 Log into the CLI.
2 Enter the following command to restore the configuration files:
    exec restore image usb
The FortiGate unit responds with the following message:
    This operation will replace the current firmware version! Do you want to continue? (y/n)
3 Type y.
Testing new firmware before installing
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed.
8 Type G to get the new firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10 Type an IP address of the FortiGate unit to connect to the TFTP server.
Index
A
adding a default route 21, 24
additional resources 9
admin password 30
air flow 13
ambient temperature 13
antispam options 36
antivirus options 35
auto-install 41
auto-install from CLI 47
F
firewall policies 22, 25, 34
firmware
  backup and restore from USB 46
  download 39
  from system reboot 44
  installing 44
  re-installing current version 46
  restore from CLI 46
  restoring previous config 46
  revert from CLI 43
  reverting with web-based manager 40
  testing before use 48
  testing new firmware 48
  upgr
P
PADT timeout 21
password, changing 30
power off 15
PPPoE 24
protection profiles 33
R
registering 7
restore 30
restoring previous firmware configuration 46
reverting firmware 40
S
security certificate 19
shielded twisted pair 14
shut down 15
signatures, update 31
static route 21, 24
system reboot, installing 44
T
technical support 11
TFTP server 44
time and date 30
time zone 30
Transparent mode 18
  switching to 26
typographic conventions 9
U
unnumbered IP 20
update signatures 31
updating antivi