User Manual: FortiGate-4000
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-4000 Installation and Configuration Guide Version 2.
Contents (excerpt)

Introduction ... 15
    Antivirus protection ... 16
    Web content filtering ... 16
    Email filtering
Installing hardware
    Choosing a suitable environment
    Choosing a rack
    Attaching the mounting rail
Using the command line interface
    Configuring the FortiGate unit to operate in NAT/Route mode
    Configuring the out of band management interface
    Connecting the FortiGate unit to your networks
    Configuring your networks
Managing an HA cluster ... 87
    Configuring cluster interface monitoring ... 88
    Viewing the status of cluster members ... 88
    Monitoring cluster members ... 89
    Viewing cluster sessions
System status
    Viewing CPU and memory status
    Viewing sessions and network status
    Viewing virus and intrusions status
    Session list
Network configuration ... 141
    Configuring zones ... 141
    Adding zones ... 142
    Deleting zones
RIP configuration ... 167
    RIP settings
    Configuring RIP for FortiGate interfaces
    Adding RIP filters
Addresses
    Adding addresses
    Editing addresses
    Deleting addresses
Configuring LDAP support
    Adding LDAP servers
    Deleting LDAP servers
    Configuring user groups
    Adding user groups
Network Intrusion Detection System (NIDS) ... 271
    Detecting attacks
    Selecting the interfaces to monitor
    Disabling monitoring interfaces
    Configuring checksum verification
Script filtering
    Enabling script filtering
    Selecting script filter options
    Exempt URL list
FortiGate-4000 Installation and Configuration Guide Version 2.50

Introduction

FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
Antivirus protection

FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.
Email filtering

FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If the sender address matches a pattern on the email block list, or the email contains a word or phrase in the banned word list, the FortiGate unit adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.
NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
• Route mode policies accept or deny connections between networks without performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode.
VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network. Service providers can also use the FortiGate unit to provide VPN services for their clients.
Secure installation, configuration, and management

The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is ready to protect your network.
Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-based manager.
Document conventions (excerpt)

execute restore config
You enter: restore config myfile.bak
• indicates an ASCII string variable keyword.
• indicates an integer variable keyword.
• indicates an IP address variable keyword.
Fortinet documentation (excerpt)

• Volume 4: FortiGate NIDS Guide. Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
• Volume 5: FortiGate Logging and Message Reference Guide. Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
• Volume 6: FortiGate CLI Reference Guide. Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
Getting started

This chapter describes unpacking, setting up, and powering on a FortiGate-4000 Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 61.
Warnings and cautions

You should be aware of the following cautions and warnings before operating the FortiGate-4000 antivirus firewall.

Warning: Turning off all power switches may not turn off all power to the FortiGate-4000 unit. Disconnect the FortiGate-4000 unit from its power source and from any telecommunications links and networks before installing and removing FortiGate-4000 components or performing other maintenance tasks.
Figure 2: FortiGate-4000 package contents (FortiGate-4000P chassis, back view)

Physical description

The FortiGate-4000 chassis is a 4U 19-inch rack mounted steel shelf with the following features:
• High density design accommodates up to 10 FortiBlade-4010 modules,
• Gigabit LAN interfaces,
• SFP connectors for multimode fibre optic interfaces (FortiGate-4000S),
• Built-in KVM switch module,
• Hot-swappab
Table 1: FortiGate-4000 chassis physical description

Dimensions (W x H x D): 42.6 x 17.7 x 67.0 cm (16.78 x 6.97 x 26.40 in.)
Weight: Minimum 28 kg (61 lb) with no FortiBlade-4010 modules installed; maximum 50 kg (110 lb) when fully configured.
FortiBlade-4010 module

Each FortiBlade-4010 module is an independent FortiGate-4000 antivirus firewall capable of operating at gigabit network speeds. You can install up to 10 FortiBlade-4010 modules in the FortiGate-4000 chassis. Each FortiBlade-4010 module can operate as a standalone FortiGate-4000 antivirus firewall or you can group FortiBlade-4010 modules into high availability (HA) clusters.
Table 3: FortiBlade-4010 module front panel LEDs

PWR/KVM: Blue, the FortiBlade-4010 module is powered on; Green, KVM access to this FortiBlade-4010 module is enabled.
STATUS: Off, normal operation; Red, system fault.
LAN 1: Green, the correct cable is connected to the internal interface of this FortiBlade-4010 module and the connected equipment has power.
Table 4: KVM switch module front panel buttons

FortiBlade select buttons: Use these buttons to switch console access to each FortiBlade-4010 module.

Table 5: KVM switch module front panel LEDs

ALARM: Off, normal operation; Red, FortiGate-4000 unit power fault resulting from a failed power supply.
KVM: Green, KVM switch module is powered on.
Figure 7: FortiGate-4000S rear panel

Power supplies and power connections

The FortiGate-4000 chassis contains 7 power supply modules. Each power supply can provide a maximum of 350 watts, for a total of 2100 watts, in a 6+1 hot-swap redundant configuration that includes load balancing. The voltage range is 100-230 Vac auto range. The power connections supply AC power to the power supplies.
Cooling fan trays

The FortiGate-4000 chassis is cooled using four hot swappable cooling fan trays. Each tray includes one 10-cm ball bearing fan unit. Figure 9 illustrates a cooling fan tray.

Figure 9: Cooling fan tray (fan handle)

Management module

Use the KVM switch module to switch serial connections to the CLI of each FortiBlade-4010 module installed in the FortiGate-4000 chassis.
Table 6: Management module controls

On/Off switch: Turns the management module on and off. The management module must be turned on to establish a serial connection to the CLI of each FortiBlade-4010 module.
ID dial: Set to 0.
Console port: Serial connection to the CLI of each FortiBlade-4010 module.

Table 7: KVM switch module LED

ERR: Off, normal operation; Yellow, system fault. Contact Fortinet Technical Support.
Pass-through interface module

Two pass-through interface modules are installed on the FortiGate-4000P. The internal pass-through interface module connects to each FortiBlade-4010 internal interface. The external pass-through interface module connects to each FortiBlade-4010 external interface. Each pass-through interface module contains ten gigabit copper 1000Base-T ethernet interfaces, one for each FortiBlade-4010 module.
The internal switched interface module provides two gigabit connections to the internal interfaces of the FortiBlade-4010 modules installed in the FortiGate-4000 chassis. The external switched interface module provides two gigabit connections to the external interfaces of the FortiBlade-4010 modules installed in the FortiGate-4000 chassis. The switched interface modules act as layer 2 switches.
Installing hardware

This section describes how to install FortiGate-4000 hardware.
Figure 14: Rail mounting locations

Installing FortiBlade-4010 modules

Install a FortiBlade-4010 module by removing a FortiGate-4000 unit slot cover and replacing it with a FortiBlade-4010 module. Begin installing the FortiBlade-4010 modules at slot number 1 and fill the FortiGate-4000 chassis from left to right (see Figure 3 on page 28 for slot numbering).

Note: Do not operate the FortiGate-4000 unit with open slots on the front panel.
FortiGate-4000P network connections

Use the following steps to connect your internal and external networks to the FortiGate-4000P pass-through interface modules that support 1000Base-T connections. This is a general connection procedure only. For information about how to connect the FortiGate-4000 unit for different network configurations, see “Planning the FortiGate configuration” on page 53.
Out of band management connections

You can manage the FortiBlade-4010 modules by connecting to the 10/100 out of band management module. The 10/100 out of band management module provides ethernet management connections for all of the FortiBlade-4010 modules installed in the FortiGate-4000 chassis. See Figure 6 on page 31 or Figure 7 on page 32 for the location of the 10/100 out of band management module.
2 Connect the three power cables to the power connection module on the FortiGate-4000 chassis back panel.
3 Connect the power cables to power outlets.
4 Turn on the power switch on each power supply module.
5 Press and hold the chassis power switch for a few seconds to turn it on and supply power to the power supplies. The Power LED on each power supply module lights.
6 Turn on the management module power switch.
Hot swapping FortiBlade-4010 modules

Follow this procedure to hot swap the FortiBlade-4010 modules. For information about the FortiBlade-4010 module, see “FortiBlade-4010 module” on page 29.
1 Press the power button on the front panel of the FortiBlade-4010 module that you want to replace. The PWR LED on the FortiBlade-4010 module goes out.

Note: Wait at least five seconds after turning off the power before removing the FortiBlade-4010 module from the chassis.
7 Slide the power supply module into the slot until the lock clicks into place.
8 Turn on the power supply.
9 Replace the locking strip.
10 Quickly toggle the chassis power supply switch to turn on the power supply module.

Note: If you press the chassis power supply switch for more than four seconds, the entire FortiGate-4000 unit turns off.
2 Unscrew the two locking screws to remove the module’s locking strip.
3 Loosen its two mounting knots. Do not remove the mounting knots.
4 Pull out the management module.
5 Insert the new management module into the chassis.
6 Slide the management module into the slot until the lock clicks into place.
7 Screw in the locking screws to fasten the locking strip.
8 Tighten the two mounting knots.
9 Turn on the power of the management module.
Connecting to the FortiGate-4000 internal interface module

To connect to the web-based manager of a FortiGate-4000 unit using the FortiGate-4000 internal interface module, you must connect the FortiGate-4000 internal interface module to the same network as your management computer.

To connect to the web-based manager
1 Connect the internal interface module to your network.
Figure 16: FortiGate login

Connecting to the FortiGate-4000 10/100 out of band management module

To connect to the web-based manager of a FortiGate-4000 unit using the FortiGate-4000 10/100 out of band management module, you must connect the out of band management module to the same network as your management computer.
To change the out of band management IP address
1 After logging into the FortiGate-4000 unit, go to System > Network > OOB Management.
2 Change the IP/Netmask addresses.
3 Select Apply to save the changes.

Connecting to the Command Line Interface (CLI)

Connect to the CLI of each FortiGate-4000 unit by connecting to the management interface module.
8 Press Enter to connect to the CLI of the FortiGate-4000 unit. The following prompt is displayed:
FortiGate-4000 login:
9 Type admin and press Enter twice. The following prompt is displayed:
Type ? for a list of commands.
For information about how to use the CLI, see the FortiGate CLI Reference Guide.

Factory default configuration

Each FortiGate-4000 unit in a FortiGate-4000 chassis is shipped with a factory default configuration.
Table 14: Factory default firewall configuration

Internal Address: Internal_All. IP: 0.0.0.0, Mask: 0.0.0.0.
External Address: External_All. IP: 0.0.0.0, Mask: 0.0.0.0. Represents all of the IP addresses on the external network.
Schedule: Always (Recurring). The schedule is valid at all times, so the firewall policy is valid at all times.
Factory default content profiles

You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Table 16: Scan content profile

Web content profile

Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Unfiltered content profile

Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Planning the FortiGate configuration

Before you configure the FortiGate-4000 units in the FortiGate-4000 chassis, you need to plan how to integrate them into your network.
For each FortiGate-4000 unit, the following interfaces are available for processing network traffic in NAT/Route mode:
• External: the interface to the external network (usually the Internet).
• Internal: the interface to the internal network.
In addition, the 10/100 out of band management interface is available for out of band management. The out of band management IP address must not be on the same subnet as the internal or external interfaces.
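A planning-time check of the subnet rule above, as an added example that is not part of the manual: the script takes the three interface assignments you would record in the planning tables and reports any pair whose subnets overlap, so a mistaken out of band address on the internal or external subnet is caught before the unit is configured. The external and internal addresses follow the manual's HA figures; the out of band address and all netmasks are constructed for the illustration.

```python
import ipaddress

# Constructed NAT/Route mode interface plan (illustration only, not from the manual).
# The external and internal addresses follow the manual's HA figures; the out of
# band management address 10.10.10.1 and the netmasks are assumptions.
GOOD_PLAN = {
    "external": "204.23.1.5/255.255.255.0",
    "internal": "192.168.1.99/255.255.255.0",
    "oob": "10.10.10.1/255.255.255.0",
}

# Same plan, but the out of band address was put on the internal subnet by mistake.
BAD_PLAN = dict(GOOD_PLAN, oob="192.168.1.2/255.255.255.0")


def overlapping_interfaces(plan):
    """Return the sorted list of (name, name) pairs whose subnets overlap.

    Each value is an address with a netmask as recorded in the planning tables;
    ipaddress.ip_interface() derives the subnet from it, so a /24 inside a /16
    is reported as a clash too, not only identical subnets.
    """
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def oob_plan_is_valid(plan):
    """True when the out of band management subnet is distinct from both
    the internal and the external subnet, as the manual requires."""
    return not any("oob" in pair for pair in overlapping_interfaces(plan))


if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        print(label, "valid:", oob_plan_is_valid(plan), "clashes:", overlapping_interfaces(plan))
```

The check also flags an internal/external overlap, which is a misconfiguration in NAT/Route mode for the same reason: the unit cannot choose an unambiguous interface for a destination that two interfaces claim.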
You typically use a FortiGate-4000 unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate-4000 unit performs firewall functions as well as antivirus and content scanning, but not VPN. The following interfaces are available in Transparent mode:
• External: the interface to the external network (usually the Internet).
• Internal: the interface to the internal network.
Figure 19: HA network configuration in NAT/Route mode (Internet; External 204.23.1.5; NAT mode policies controlling traffic between internal and external networks)
Figure 21: FortiGate-4000P HA configuration (FortiGate-4000P HA cluster units 1, 2, 3; External 204.23.1.5; Internal via hub or switch; management addresses 192.168.1.1 and 192.168.1.99; 192.168.1.
Figure 22: FortiGate-4000P configuration with load balancers (Internal FortiGate-4000 unit; Internal Network)
FortiGate model maximum values matrix

Table 19: FortiGate maximum values matrix

FortiGate model                    50    60   100   200   300   400   500   800  1000  3000  3600  4000
Routes                            500   500   500   500   500   500   500   500   500   500   500   500
Policy routing gateways           500   500   500   500   500   500   500   500   500   500   500   500
Administrative users              500   500   500   500   500   500   500   500   500   500   500   500
VLAN subinterfaces                N/A   N/A   N/A 4096* 4096* 4096* 4096*
IPSec remote gateways (Phase 1)    20    50    80   200  1500  1500  3000  3000  5000  5000  5000  5000
IPSec VPN tunnels (Phase 2)        20    50    80   200  1500  1500  3000  3000  5000  5000  5000  5000
IPSec VPN concentrators           500   500   500   500   500   500   500   500   500   500   500   500
PPTP users                        500   500   500   500   500   500   500   500   500   500   500   500
L2TP users                         50
NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see “Transparent mode installation” on page 69. For information about installing two or more FortiGate units in HA mode, see “High availability” on page 81.
Table 20: NAT/Route mode settings (continued)

External interface: IP _____._____._____._____ ; Netmask _____._____._____._____ ; Default Gateway _____._____._____._____ ; Primary DNS Server _____._____._____._____ ; Secondary DNS Server _____._____._____._____
Internal servers: Web Server _____._____._____._____ ; SMTP Server _____._____._____._____ ; POP3 Server _____._____._____._____ ; IMAP Server _____._____._____.
Out of band management interface

Use Table 22 to record the IP address, netmask, and default gateway of the FortiGate-4000 out of band management interface if you are configuring this interface during installation.

Table 22: Out of band management interface (optional)

IP: _____._____._____._____ ; Netmask: _____._____._____._____ ; Default Gateway: _____._____._____.
Using the command line interface

As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). For information about connecting to the CLI, see “Connecting to the Command Line Interface (CLI)” on page 47.

Configuring the FortiGate unit to operate in NAT/Route mode

Use the information that you gathered in Table 20 on page 61 to complete the following procedure.
6 Optionally, set the secondary DNS server IP address. Enter:
set system dns secondary
Example:
set system dns secondary 293.44.75.22
7 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). Enter:
set system route number dst 0.0.0.0 0.0.0.0 gw1
Example:
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.
Configuring your networks

If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.
Registering your FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
Transparent mode installation

This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 61. If you want to install two or more FortiGate units in HA mode, see “High availability” on page 81.
Out of band management interface

Use Table 24 to record the IP address, netmask, and default gateway of the FortiGate-4000 out of band management interface if you are configuring this interface during installation.

Table 24: Out of band management interface (optional)

IP: _____._____._____._____ ; Netmask: _____._____._____._____ ; Default Gateway: _____._____._____.
Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1.
Configure the Transparent mode default gateway
1 Make sure that you are logged into the CLI.
2 Set the default route to the default gateway that you recorded in Table 23 on page 69. Enter:
set system route number gw1
Example:
set system route number 0 gw1 204.23.1.2

Configure the out of band management interface
1 Make sure that you are logged into the CLI.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save the changes.

Registering your FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Transparent mode configuration examples

A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus definition updates.
Example default route to an external network

Figure 23 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
Web-based manager example configuration steps

To configure basic Transparent mode settings and a default route using the web-based manager
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1, Mask: 255.255.255.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.

Figure 24: Static route to an external destination (FortiResponse Distribution Network (FDN) 24.102.233.5; Internet; upstream router, gateway IP 192.168.1.2; FortiGate-4000, management IP 192.168.1.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1, Mask: 255.255.255.0
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the static route to the FortiResponse server. Destination IP: 24.102.233.5, Mask: 255.255.255.0, Gateway: 192.168.1.2
• Select OK.
• Select New to add the default route to the external network. Destination IP: 0.0.0.0, Mask: 0.0.0.0, Gateway: 192.
Figure 25: Static route to an internal destination. The figure shows the FDN on the Internet reached through the upstream router (gateway IP 192.168.1.2), the FortiGate-4000 with management IP 192.168.1.1, and an internal router (gateway IP 192.168.1.3) between Internal Network A and Internal Network B, where the management computer 172.16.1.11 is located.

General configuration steps
1 Set the unit to operate in Transparent mode.
Web-based manager example configuration steps

To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
  • Select Change to Transparent Mode.
  • Select Transparent in the Operation Mode list.
  • Select OK.
  The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
  • Change the Management IP and Netmask:
    IP: 192.168.1.1
    Mask: 255.
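The following Python script is added here as an illustration; it is not part of the Fortinet manual and does not run on the FortiGate unit. It models the routing table built in the procedures above (Figures 24 and 25) and performs two checks a practitioner would want before committing the configuration: that every gateway lies on the management subnet (a Transparent mode unit has no other address from which to reach a next hop), and that a destination entered with host bits set, such as the manual's 24.102.233.5 with mask 255.255.255.0, is understood to match the whole 24.102.233.0/24 network rather than the single host. The route for Internal Network B (172.16.1.0/24 via 192.168.1.3) and the default gateway 192.168.1.2 are assumptions read from Figure 25, because the manual's own steps for them are cut off above.

```python
"""Transparent mode routing check (added example, not Fortinet's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # Destination IP as entered in System > Network > Routing
    mask: str         # dotted netmask
    gateway: str      # next hop router


def route_network(route):
    """The prefix a route actually matches (host bits in the destination are ignored)."""
    return ipaddress.ip_network(f"{route.destination}/{route.mask}", strict=False)


def check_routes(mgmt_ip, mgmt_mask, routes):
    """Return (route, problem) pairs for routes that cannot work as written.

    A Transparent mode unit has only the management IP, so every gateway must be
    directly reachable on the management subnet.  A destination with host bits set
    (the manual's 24.102.233.5 with mask 255.255.255.0) is accepted by the unit, but
    it matches the whole enclosing network, not just that host; flag it so the
    intent is explicit.
    """
    mgmt_net = ipaddress.ip_network(f"{mgmt_ip}/{mgmt_mask}", strict=False)
    problems = []
    for route in routes:
        if ipaddress.ip_address(route.gateway) not in mgmt_net:
            problems.append((route, f"gateway {route.gateway} is not on the management subnet {mgmt_net}"))
        try:
            ipaddress.ip_network(f"{route.destination}/{route.mask}", strict=True)
        except ValueError:
            problems.append((route, f"destination has host bits set; route matches {route_network(route)}"))
    return problems


def next_hop(routes, dst):
    """Longest-prefix match: the most specific matching route wins, the default route last."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route_network(route)
        if addr in net and (best is None or net.prefixlen > route_network(best).prefixlen):
            best = route
    return best.gateway if best else None


# Constructed routing table based on the manual's Figure 24/25 example topology.
MGMT_IP, MGMT_MASK = "192.168.1.1", "255.255.255.0"
ROUTES = [
    Route("24.102.233.5", "255.255.255.0", "192.168.1.2"),  # FDN server via the upstream router (manual's values)
    Route("172.16.1.0", "255.255.255.0", "192.168.1.3"),    # assumed: Internal Network B via the internal router
    Route("0.0.0.0", "0.0.0.0", "192.168.1.2"),             # assumed: default route to the upstream router
]

if __name__ == "__main__":
    for route, problem in check_routes(MGMT_IP, MGMT_MASK, ROUTES):
        print(f"WARNING {route.destination}/{route.mask}: {problem}")
    for dst in ("172.16.1.11", "24.102.233.5", "203.0.113.9"):
        print(f"{dst:>14} -> {next_hop(ROUTES, dst)}")
```

Running the script shows why the static route in Figure 25 is needed: without it, traffic to the management computer 172.16.1.11 falls through to the default route and leaves via the upstream router instead of the internal router.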
High availability

Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must run the same FortiOS firmware image. FortiGate HA is device redundant.
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic. Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster.
6 Select the HA mode. Select Active-Active mode to create an Active-Active HA cluster. Select Active-Passive mode to create an Active-Passive HA cluster. The HA mode must be the same for all FortiGate units in the HA cluster.
7 Enter and confirm a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster.
8 Select a Group ID for the HA cluster.
Figure 26: Example Active-Active HA configuration

11 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster. Once all the units are configured, proceed to “Connecting the cluster” on page 84.
12 If you are configuring a Transparent mode cluster, reconnect to the web-based manager. You might have to wait a few minutes before you can reconnect.
To connect the cluster
1 Connect the cluster units:
  For FortiGate-4000S:
  • Connect your internal network to the internal switched interface module.
  • Connect your external network to the external switched interface module.
  For FortiGate-4000P:
  • Connect the internal pass-through interface module of each FortiGate unit to a switch or hub connected to your internal network.
Figure 28: FortiGate-4000P HA network configuration (the figure shows the pass-through interface ports LAN 1 to LAN 10 of the cluster units)

Adding a new FortiGate unit to a functioning cluster

You can add a new FortiGate unit to a functioning cluster at any time. The new FortiGate unit must be the same model as the other units in the cluster and must be running the same firmware version.
Managing an HA cluster

The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster. Because of this synchronization, you manage the HA cluster instead of managing the individual FortiGate units in the cluster. You manage the cluster by connecting to the web-based manager or CLI using any interface configured for management access (except the HA interface).
This section describes:
• Configuring cluster interface monitoring
• Viewing the status of cluster members
• Monitoring cluster members
• Viewing cluster sessions
• Viewing and managing cluster log messages
• Monitoring cluster units for failover
• Viewing cluster communication sessions
• Managing individual cluster units
• Changing cluster unit host names
• Synchronizing the cluster configuration
• Upgrading firmware
• Replacing a FortiGate
Figure 29: Example cluster members list

Monitoring cluster members

To monitor health information for each cluster member
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Status > Monitor.
  The cluster displays CPU, memory status, and hard disk status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number.
4 Select Virus & Intrusions.
  The cluster displays virus and intrusions status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours. For more information, see “Viewing virus and intrusions status” on page 121.
3 Select the serial number of one of the units in the cluster to display the logs for this cluster unit. You can view logs saved to memory or logs saved to the hard disk, depending on the configuration of the cluster unit.
4 For each cluster unit:
  • If the cluster unit logs to memory you can view, search, and manage log messages. For more information, see “Viewing logs saved to memory” on page 314.
Managing individual cluster units

You can connect to the CLI of each unit in the cluster. This procedure describes how to log into the primary unit CLI and from there connect to the CLI of subordinate cluster units. You log into the subordinate unit with the ha_admin administrator account. This built-in administrator account gives you read & write permission on the subordinate unit.
Synchronizing the cluster configuration

Cluster synchronization keeps the configuration of all units in the cluster synchronized with that of the primary (master) unit.
Upgrading firmware

To upgrade the firmware of the FortiGate units in a cluster, you must upgrade the firmware of each unit separately. In most cases, if you are upgrading to a new firmware build within the same firmware version (for example, upgrading from 2.50 build069 to 2.50 build070), you can do firmware upgrades using the following procedure without interrupting cluster operation. This procedure involves uploading a new firmware image to the primary unit.
Replacing a FortiGate unit after failover

A failover can occur because of a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power. If the FortiGate unit starts up correctly, it rejoins the HA cluster, which then continues to function normally.
Configuring the priority of each FortiGate unit in the cluster

In addition to selecting a permanent primary FortiGate unit, you can set the priority of each of the subordinate units in the cluster to control the failover path. For example, if you have three FortiGate units in an HA cluster and you configured one as the permanent primary FortiGate unit, you might always want the cluster to fail over to the same FortiGate unit if the primary unit fails.
Active-Active cluster packet flow

This command has the following results:
• The first connection is processed by the primary unit
• The next three connections are processed by the first subordinate unit
• The next three connections are processed by the second subordinate unit
The subordinate units process more connections than the primary unit, and both subordinate units, on average, process the same number of connections.
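As an added example (not from the manual and not FortiOS code), the following Python model reproduces the connection distribution described above as a weighted round-robin. The weights, 1 for the primary unit and 3 for each subordinate unit, are assumptions chosen to match the described result; the actual command and its values are not shown on this page. Keep in mind that in Active-Active mode this distribution applies to the sessions the cluster load balances for virus scanning, as described at the start of this chapter.

```python
"""Active-Active connection distribution model (added example, not Fortinet's code)."""
from itertools import cycle


def build_schedule(units):
    """units: list of (name, weight).

    Returns the repeating order in which new connections are handed out, e.g.
    [('primary', 1), ('sub1', 3), ('sub2', 3)] ->
    ['primary', 'sub1', 'sub1', 'sub1', 'sub2', 'sub2', 'sub2'].
    """
    if any(weight < 0 for _, weight in units) or not any(weight > 0 for _, weight in units):
        raise ValueError("weights must be non-negative and not all zero")
    return [name for name, weight in units for _ in range(weight)]


def assign_connections(units, n):
    """Unit chosen for each of the first n new connections."""
    schedule = cycle(build_schedule(units))
    return [next(schedule) for _ in range(n)]


def connection_counts(units, n):
    """How many of n connections each unit ends up processing."""
    counts = {name: 0 for name, _ in units}
    for unit in assign_connections(units, n):
        counts[unit] += 1
    return counts


# Assumed weights reproducing the manual's description: the primary unit gets
# one connection, then each subordinate unit gets three, and the cycle repeats.
CLUSTER = [("primary", 1), ("subordinate-1", 3), ("subordinate-2", 3)]

if __name__ == "__main__":
    print(assign_connections(CLUSTER, 7))
    print(connection_counts(CLUSTER, 700))
```

Over a long run the primary unit handles one seventh of the load-balanced connections and each subordinate unit three sevenths, which is the "same number on average" behaviour the text describes for the two subordinate units.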
In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP requests. Therefore, the client and the server only know the gateway MAC address (MAC_V), which is a virtual MAC address created by the HA cluster. The virtual MAC address is 00-09-0f-06-ff-00. Switch 1 and 2 know where the virtual MAC address and the real MAC address are. Packets are routed through the subordinate unit as follows.
Transparent mode packet flow

In Transparent mode, six MAC addresses are involved in active-active communication between a client and a server if the cluster routes the packets to the subordinate unit in the cluster:
• Client MAC address (MAC_C)
• Server MAC address (MAC_S)
• Primary unit internal MAC address (MAC_P_I)
• Primary unit external MAC address (MAC_P_E)
• Subordinate unit internal MAC address (MAC_S_I)
• Subordinate unit externa
System status

You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
Changing the FortiGate host name

The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 180. The default host name is FortiGate-4000.

To change the FortiGate host name
1 Go to System > Status.
2 Select Edit Host Name.
3 Type a new host name.
4 Select OK.
Changing the FortiGate firmware

Upgrading to a new firmware version

Use the following procedures to upgrade the FortiGate unit to a newer firmware version.

Upgrading the firmware using the web-based manager

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
11 Update antivirus and attack definitions. For information, see “Manually initiating antivirus and attack definitions updates” on page 125, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed.
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
• FortiGate unit running v2.x BIOS
  Do You Want To Save The Image? [Y/n]
  Type Y.
• FortiGate unit running v3.x BIOS
  Save as Default firmware/Run image without saving:[D/R]
  Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
  Type D.
To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.
To install a backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.
Switching to the backup firmware image

Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image. If you install a new backup image from a reboot, the configuration saved with this firmware image is the factory default configuration.
To switch back to the default firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed. When the following message appears:
Press any key to enter configuration menu..... ......
3 Immediately press any key to interrupt the system startup.
Manual attack definition updates

The Status page of the FortiGate web-based manager displays the currently installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS).

Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see “Virus and attack definitions updates and registration” on page 123.
To back up system settings
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file.
The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.

Restoring system settings

You can restore system settings by uploading a previously downloaded system settings text file.

To restore system settings
1 Go to System > Status.
For information about restoring system settings, see “Restoring system settings” on page 116.

Changing to Transparent mode

Use the following procedure to change the FortiGate unit from NAT/Route mode to Transparent mode. After you change the FortiGate unit to Transparent mode, most of the configuration resets to Transparent mode factory defaults.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal interface. The default Transparent mode management IP address is 192.168.1.99. See “Connecting to the web-based manager” on page 44 or “Connecting to the Command Line Interface (CLI)” on page 47.
Viewing CPU and memory status

Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded. If CPU and memory use is low, the FortiGate unit is able to process much more network traffic than is currently running.

Viewing sessions and network status

Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is putting on system resources.

Viewing virus and intrusions status

Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.

To view virus and intrusions status
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed.

Session list

The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the FortiGate admin user can also stop active communication sessions.

To view the session list
1 Go to System > Status > Session.
Virus and attack definitions updates and registration

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus engine.
Updating antivirus and attack definitions

The Update page on the web-based manager displays the following antivirus and attack definition update information.
Version      Current antivirus engine, virus definition, and attack definition version numbers.
Expiry date  Expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Table 27: Connections to the FDN
Connections Status   Comments
Available            The FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See “Scheduling updates” on page 126.
Not available        The FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN.
Configuring update logging

Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. The update log messages are recorded in the FortiGate Event log.

To configure update logging
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the type of logs that the FortiGate unit is configured to record.
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
Enabling scheduled updates through a proxy server

If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server.
Enabling push updates

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than through scheduled updates alone. Scheduled updates are still required, however, because they make sure that the FortiGate unit receives the latest updates.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

Example: push updates through a NAT device

This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network.
General procedure

Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
Figure 38: Push update port forwarding virtual IP

Adding a firewall policy for the port forwarding virtual IP

To configure the FortiGate NAT device
4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
5 Set Port to the external service port added to the virtual IP. For the example topology, enter 45001.
6 Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network.
Registering FortiGate units

All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason.
• The product model and serial number for each FortiGate unit that you want to register. The serial number is located on a label on the bottom of the FortiGate unit. You can view the serial number from the web-based manager by going to System > Status. The serial number is also available from the CLI using the get system status command.
7 Select Finish.
If you have not entered a FortiCare Support Contract number (SCN) you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Continue to complete the registration. If you have entered a support contract number, a real-time validation is performed to verify that the SCN information matches the FortiGate unit.
7 Select Support Login.
8 When you receive your new password, enter your user name and new password to log into the Fortinet support web site.

Viewing the list of registered FortiGate units

To view the list of registered FortiGate units
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select View Products.

7 Enter the serial number of the FortiGate unit.
8 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
9 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new FortiGate unit.

3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select My Profile.
6 Select Edit Profile.
7 Make the required changes to your contact information.
8 Make the required changes to your security question and answer.
9 Select Update Profile.
Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.
For information about how to install the downloaded files, see “Manual virus definition updates” on page 114 and “Manual attack definition updates” on page 115.

Registering a FortiGate unit after an RMA

The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure.
Network configuration

Adding zones

The new zone does not appear in the policy grid until you add an interface to it (see “To add an interface to a zone” below) and add a firewall address for it (see “Adding addresses” on page 202).

To add a zone
1 Go to System > Network > Zone.
2 Select New.
3 Type a name for the zone. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Viewing the interface list

To view the interface list
1 Go to System > Network > Interface.
The interface list is displayed.
To add an interface to a zone
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a zone and select Modify.
3 From the Belong to Zone list, select the zone that you want to add the interface to. The Belong to Zone list only appears if you have added zones and if you have not added firewall addresses for the interface.
4 Select OK to save the changes.
4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. By default, this option is enabled.
5 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the DHCP server. By default, this option is enabled.
6 Select Apply.
7 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status: to refresh the addressing mode status message. Possible messages:
initializing  No activity.
connecting    The FortiGate unit is attempting to connect to the PPPoE server.
Controlling administrative access to an interface

For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect. Enabling administrative access on an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet, so enable only the access types you need on such an interface.
Changing the MTU size to improve network performance

To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 176).

To configure the management interface in Transparent mode
1 Go to System > Network > Management.
2 Change the Management IP and Netmask as required. This must be a valid IP address for the network that you want to manage the FortiGate unit from.
HTTPS  To allow secure HTTPS connections to the web-based manager through this interface.
PING   If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP   To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH    To allow SSH connections to the CLI through this interface.
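As an added example, not from the manual and not FortiOS code, the following Python audit applies the rules stated in the preceding pages to a constructed interface configuration: HTTP administrative access is plaintext and should be replaced by HTTPS, an exposed (Internet-facing or management-network) interface should allow only HTTPS and SSH, PING is meant for installation testing, and the system idle timeout should stay at the default 5 minutes. The interface names, their access sets and the idle timeout value in the sample are assumptions.

```python
"""Administrative-access audit for FortiGate interfaces (added example, not Fortinet's code)."""
from dataclasses import dataclass

SECURE_ACCESS = {"HTTPS", "SSH"}      # encrypted management protocols
PLAINTEXT_ACCESS = {"HTTP"}           # the manual: can be intercepted by a third party
KNOWN_ACCESS = SECURE_ACCESS | PLAINTEXT_ACCESS | {"PING"}
DEFAULT_IDLE_TIMEOUT_MIN = 5          # the manual's default system idle timeout


@dataclass(frozen=True)
class Interface:
    name: str
    internet_facing: bool   # connected to the Internet (or the Transparent mode management network)
    admin_access: frozenset  # access types enabled on the interface


def audit_admin_access(interfaces, idle_timeout_min=DEFAULT_IDLE_TIMEOUT_MIN):
    """Return (where, severity, message) findings; an empty list means nothing to fix."""
    findings = []
    for itf in interfaces:
        unknown = itf.admin_access - KNOWN_ACCESS
        if unknown:
            findings.append((itf.name, "info", f"unrecognised access type(s): {sorted(unknown)}"))
        if itf.admin_access & PLAINTEXT_ACCESS:
            severity = "high" if itf.internet_facing else "medium"
            findings.append((itf.name, severity, "HTTP administrative access is plaintext; allow HTTPS only"))
        if itf.internet_facing and "PING" in itf.admin_access:
            findings.append((itf.name, "low", "PING answered on an exposed interface; keep only while testing"))
    if idle_timeout_min > DEFAULT_IDLE_TIMEOUT_MIN:
        findings.append(("system", "medium",
                         f"idle timeout {idle_timeout_min} min is above the default {DEFAULT_IDLE_TIMEOUT_MIN} min"))
    return findings


def hardened_access(itf):
    """The access set the manual recommends: only HTTPS and SSH on an exposed interface."""
    if itf.internet_facing:
        return itf.admin_access & SECURE_ACCESS
    return itf.admin_access - PLAINTEXT_ACCESS


# Constructed configuration; names and settings are assumptions, not from the manual.
INTERFACES = [
    Interface("external", True, frozenset({"HTTPS", "HTTP", "PING"})),
    Interface("internal", False, frozenset({"HTTPS", "SSH", "PING"})),
]

if __name__ == "__main__":
    for where, severity, message in audit_admin_access(INTERFACES, idle_timeout_min=30):
        print(f"[{severity}] {where}: {message}")
    for itf in INTERFACES:
        print(itf.name, "->", sorted(hardened_access(itf)))
```

The audit treats HTTP on an internal interface as a lesser finding than HTTP on an exposed one, because the interception risk the manual mentions grows with who can reach the interface; the hardened set removes HTTP everywhere and, on exposed interfaces, PING as well.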
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network. A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN.
Rules for VLAN IP addresses

IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.

Note: You can enter the CLI command set system ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface.
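To make the overlap rule concrete, here is an added Python check (not Fortinet code) that reports overlapping subnets across physical interfaces and VLAN subinterfaces, and models the relaxed rule after set system ip-overlap enable as the Note describes it: an overlap involving a VLAN subinterface is tolerated, while two physical interfaces still may not share a subnet. The interface names and addresses are constructed for the example; whether the command also permits two physical interfaces to overlap is not stated in the manual, and the check treats it as not permitted.

```python
"""Interface/VLAN subnet overlap check (added example, not Fortinet's code)."""
import ipaddress
from itertools import combinations


def find_overlaps(interfaces, ip_overlap_enabled=False):
    """interfaces: list of (name, 'ip/mask', is_vlan_subinterface).

    Returns (name_a, name_b, reason) for each pair whose subnets overlap.  With
    ip_overlap_enabled=True (modelling 'set system ip-overlap enable' as the
    manual describes it) an overlap is permitted when at least one side is a
    VLAN subinterface; two physical interfaces may still not overlap (assumed).
    """
    nets = [(name, ipaddress.ip_interface(addr).network, is_vlan)
            for name, addr, is_vlan in interfaces]
    overlaps = []
    for (a, net_a, vlan_a), (b, net_b, vlan_b) in combinations(nets, 2):
        if not net_a.overlaps(net_b):
            continue
        if ip_overlap_enabled and (vlan_a or vlan_b):
            continue
        overlaps.append((a, b, f"{net_a} overlaps {net_b}"))
    return overlaps


# Constructed interface list; addresses are assumptions, not from the manual.
INTERFACES = [
    ("internal", "192.168.1.1/255.255.255.0", False),
    ("external", "203.0.113.2/255.255.255.0", False),
    ("dmz", "192.168.1.129/255.255.255.128", False),          # overlaps internal: never allowed
    ("internal.100", "192.168.1.10/255.255.255.240", True),   # VLAN subinterface on internal
]

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"ip-overlap {'enabled' if enabled else 'disabled'}:")
        for a, b, why in find_overlaps(INTERFACES, ip_overlap_enabled=enabled):
            print(f"  {a} / {b}: {why}")
```

Dotted netmasks are accepted directly, matching the way addresses are entered in the web-based manager, and each pair is examined once, so the report is the same regardless of interface order.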
Virtual domains in Transparent mode

In Transparent mode, the FortiGate unit can apply firewall policies and services, such as virus scanning, to traffic on an IEEE 802.1Q VLAN trunk. The FortiGate unit operating in Transparent mode can be inserted into the trunk without making changes to the network.
Figure 44: FortiGate unit with two virtual domains. A VLAN trunk carrying VLAN1, VLAN2 and VLAN3 from a VLAN switch or router enters the FortiGate internal interface; Virtual Domain 1 applies content filtering, antivirus and NIDS to VLAN1, and Virtual Domain 2 applies them to VLAN2 and VLAN3; the trunk leaves the external interface towards a VLAN switch or router and the Internet.

Virtual domain properties

A virtual domain has the following exclusive properties:
• VLAN name,
Adding a virtual domain
Use the following procedure to add a virtual domain to the FortiGate unit. You must add at least one virtual domain to support VLANs in Transparent mode. Add more virtual domains to simplify configuration if you are planning to add a large number of VLANs.
To add a virtual domain
1 Go to System > Virtual Domain.
2 Select New to add a virtual domain.
3 Type a Name for the virtual domain.
Adding zones to virtual domains
Add zones to a virtual domain to group together related VLAN subinterfaces. Use zones to simplify firewall policy creation if you have many VLAN subinterfaces in a virtual domain. For more information about zones, see “Configuring zones” on page 141. Use the following procedure to add a zone to a virtual domain.
6 Select OK to save your changes.
You can also use the procedure “Adding VLAN subinterfaces” on page 152 to add a VLAN subinterface to a zone if you are adding new VLAN subinterfaces to a virtual domain to which you have already added zones.
Deleting virtual domains
You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain. To remove VLAN subinterfaces and zones you must remove all firewall policies and firewall addresses for the VLAN subinterfaces and zones. You can only delete virtual domains that have the Delete icon beside them in the zone list.
Configuring routing
Adding a default route
You can add a default route for network traffic leaving the external interface.
To add a default route
1 Go to System > Network > Routing Table.
2 Select New to add a new route.
3 Set the Source IP and Netmask to 0.0.0.0.
4 Set the Destination IP and Netmask to 0.0.0.0.
5 Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
6 Select OK to save the default route.
6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface the traffic is routed to that interface.
5 Select OK to save the new route.
Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route that matches is used to set the route for the traffic.
Configuring a DHCP relay agent
In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the FortiGate unit that is configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the FortiGate performing DHCP relay.
You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets. Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiGate unit. In this case, the DHCP requests are sent to the FortiGate unit through DHCP relay.
Adding a reserve IP to a DHCP server
If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device. When you add the MAC address of a device and an IP address to the reserve IP list, the DHCP server always assigns this IP address to the device. To add a reserve IP you must first select the interface and scope to which you want to add the reserve IP.
FortiGate-4000 Installation and Configuration Guide Version 2.50
RIP configuration
The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks. RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric.
Default Metric: RIP uses the default metric to advertise routes learned from other routing protocols. Set Default Metric to a positive integer lower than 16 to advertise that metric for all routes learned from other routing protocols. The default setting for the Default Metric is 2.
Input Queue: Change the depth of the RIP input queue. The higher the number, the deeper the input queue.
Figure 47: Configuring RIP settings
Configuring RIP for FortiGate interfaces
You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected.
To configure RIP for FortiGate interfaces
1 Go to System > RIP > Interface. On this page you can view a summary of the RIP settings for each FortiGate interface.
Password: Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long.
Mode: Defines the authentication used for RIP version 2 packets sent and received by this interface. If you select Clear, the password is sent as plain text. If you select MD5, the password is used to generate an MD5 hash.
Adding RIP filters
Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming filter accepts or rejects routes in an incoming RIP update packet. The outgoing filter allows or denies adding routes to outgoing RIP update packets.
3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
4 Select the Blank Filter check box to create a RIP filter list with no entries, or enter the information for the first entry on the RIP filter list.
5 Enter the IP address and Mask to create the prefix.
6 For Action, select allow or deny.
Assigning a RIP filter list to the outgoing filter
The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter.
To assign a RIP filter list to the outgoing filter
1 Go to System > RIP > Filter.
2 Add RIP filter lists as required.
3 For Outgoing Routes Filter, select the name of the RIP filter list to assign to the outgoing filter.
4 Select Apply.
System configuration
Use the System Config page to make any of the following changes to the FortiGate system configuration:
• Setting system date and time
• Changing system options
• Adding and editing administrator accounts
• Configuring SNMP
• Replacement messages
Setting system date and time
For effective scheduling and logging, the FortiGate system time must be accurate.
9 Select Apply.
Figure 49: Example date and time setting
Changing system options
On the System Config Options page, you can:
• Set the system idle timeout.
• Set the authentication timeout.
• Select the language for the web-based manager.
• Modify the dead gateway detection settings.
To set the system idle timeout
1 Go to System > Config > Options.
2 For Idle Timeout, type a number in minutes.
3 Select Apply.
3 Select Apply.
Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 227. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
To select a language for the web-based manager
1 Go to System > Config > Options.
2 From the Languages list, select a language for the web-based manager to use.
Adding and editing administrator accounts
When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator can connect to the FortiGate unit.
Editing administrator accounts
The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.
To edit an administrator account
1 Go to System > Config > Admin.
Configuring SNMP
You can configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps.
To configure SNMP access to an interface in Transparent mode
1 Go to System > Network > Management.
2 Choose the interface that the SNMP manager connects to and select SNMP. Select Apply.
Configuring SNMP community settings
You can configure a single SNMP community for each FortiGate device.
Figure 50: Sample SNMP configuration
FortiGate MIBs
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 28. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager.
FortiGate traps
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager.
General FortiGate traps
Table 29: General FortiGate traps
Trap message | Description
Cold Start | The FortiGate unit starts or restarts.
VPN traps
Table 31: FortiGate VPN traps
Trap message | Description
VPN tunnel is up | An IPSec VPN tunnel starts up and begins processing network traffic.
VPN tunnel down | An IPSec VPN tunnel shuts down.
NIDS traps
Table 32: FortiGate NIDS traps
Trap message | Description
Flood attack happened. | NIDS attack prevention detects and provides protection from a syn flood attack.
Port scan attack happened. |
Fortinet MIB fields
The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product. This section lists the names of the high-level MIB fields and describes the configuration and status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Users and authentication configuration
Table 37: User and authentication MIB fields
FnUserLocalTable | Local user list.
FnUserRadiusSrvTable | RADIUS server list.
FnUserGrpTable | User group list.
VPN configuration and status
Table 38: VPN MIB fields
fnVpnIpsec | IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key list, and VPN concentrator list.
Logging and reporting configuration
Table 42: Logging and reporting MIB fields
fnLoglogSetting | Log setting configuration.
fnLoglog | Log setting traffic filter configuration.
fnLogAlertEmail | Alert email configuration.
Customizing replacement messages
Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message list and add and edit the replacement message sections as required.
To customize a replacement message
1 Go to System > Config > Replacement Messages.
Customizing alert emails
Customize alert emails to control the content displayed in alert email messages sent to system administrators.
To customize alert emails
1 Go to System > Config > Replacement Messages.
2 For the alert email message that you want to customize, select Modify.
3 In the Message setup dialog box, edit the text of the message.
Table 44: Alert email message sections
%%SOURCE_IP%% | The IP address from which the blocked file was received. For email this is the IP address of the email server that sent the email containing the blocked file. For HTTP this is the IP address of the web page that sent the blocked file.
%%DEST_IP%% | The IP address of the computer that would have received the blocked file.
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
• IP/MAC binding
• Content profiles
Default firewall configuration
By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall to forward the connection to the Internet.
VLAN subinterfaces
You can also add VLAN subinterfaces to the FortiGate configuration to control connections between VLANs. For more information about VLANs, see “VLANs in NAT/Route mode” on page 151 or “Virtual domains in Transparent mode” on page 153. To add policies that include VLAN subinterfaces, you must use the following steps to add the VLAN subinterfaces to the firewall policy grid:
1 Add VLAN subinterfaces to the FortiGate configuration.
You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map addresses on one network to a translated address on another network. For more information about Virtual IPs, see “Virtual IPs” on page 213.
Services
Policies can control connections based on the service or destination port number of packets.
3 Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above that policy.
4 Configure the policy. For information about configuring the policy, see “Firewall policy options” on page 196.
5 Select OK to add the policy.
6 Arrange policies in the policy list so that they have the results that you expect.
Firewall policy options
This section describes the options that you can add to firewall policies.
Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. For information about adding an address, see “Addresses” on page 202.
Destination: Select an address or address group that matches the destination address of the packet.
NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool.
Guaranteed Bandwidth, Maximum Bandwidth, Traffic Priority: You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service. You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy.
Figure 54: Adding a Transparent mode policy
Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see “Logging and reporting” on page 307.
Comments: You can add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy.
Changing the order of policies in a policy list
To change the order of a policy in a policy list
1 Go to Firewall > Policy.
2 Select the policy list that you want to change the order of.
3 Choose the policy that you want to move and select Move To in the policy list.
4 Type a number in the Move to field to specify where in the policy list to move the policy and select OK.
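The first-match rule and the Move To reordering described in the two passages above, as an added example that is not code from the manual or from Fortinet. The policy names, addresses and services are constructed; a general "allow everything" policy placed above a Telnet exception silently makes the exception dead until it is moved to position 1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One row of a policy list. Addresses are "ip/prefix" ("0.0.0.0/0" = all);
    service is "ANY" or "<proto>/<port>", e.g. "tcp/23"."""
    name: str
    source: str
    destination: str
    service: str
    action: str  # "ACCEPT" or "DENY"

    def matches(self, src_ip, dst_ip, proto, port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.service == "ANY":
            return True
        svc_proto, svc_port = self.service.split("/")
        return svc_proto == proto and int(svc_port) == port


def first_match(policy_list, src_ip, dst_ip, proto, port):
    """Top-down search. Returns (position, policy) of the first match, with the
    position 1-based like the web-based manager's list, or (None, None) when
    nothing matches (the firewall then blocks the connection)."""
    for position, policy in enumerate(policy_list, start=1):
        if policy.matches(src_ip, dst_ip, proto, port):
            return position, policy
    return None, None


def move_to(policy_list, current_position, new_position):
    """Reorder like the Move To field: take the policy at current_position and
    re-insert it at new_position (both 1-based). Returns a new list."""
    reordered = list(policy_list)
    policy = reordered.pop(current_position - 1)
    reordered.insert(new_position - 1, policy)
    return reordered


def decide(policy_list, src_ip, dst_ip, proto, port):
    """Action applied to a connection request, or "BLOCK" when no policy matches."""
    _, policy = first_match(policy_list, src_ip, dst_ip, proto, port)
    return policy.action if policy else "BLOCK"


# Constructed example (not from the manual): the general default policy sits above a
# more specific exception that is meant to stop Telnet to the Internet.
DEFAULT_POLICY = Policy("Internal_All", "192.168.1.0/24", "0.0.0.0/0", "ANY", "ACCEPT")
NO_TELNET = Policy("Internal_No_Telnet", "192.168.1.0/24", "0.0.0.0/0", "tcp/23", "DENY")
WRONG_ORDER = [DEFAULT_POLICY, NO_TELNET]   # exception never reached
RIGHT_ORDER = move_to(WRONG_ORDER, 2, 1)    # Move To 1: specific before general

if __name__ == "__main__":
    for name, plist in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "telnet ->", decide(plist, "192.168.1.10", "203.0.113.5", "tcp", 23))
```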
Addresses
All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy. You can add, edit, and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address consists of an IP address and a netmask.
6 Enter the Netmask. The netmask corresponds to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.
Deleting addresses
Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy.
To delete an address
1 Go to Firewall > Address.
2 Select the interface list containing the address that you want to delete. You can delete any address that has a Delete Address icon.
3 Choose an address to delete and select Delete.
4 Select OK to delete the address.
Figure 56: Adding an internal address group
Services
Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to service groups.
Table 46: FortiGate predefined services (Continued)
Service name | Description | Protocol
GRE | Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. | 47
AH | Authentication Header. AH provides source host authentication and data integrity, but not secrecy. |
Table 46: FortiGate predefined services (Continued)
Service name | Description | Protocol | Port
LDAP | Lightweight Directory Access Protocol is a set of protocols used to access information directories. | tcp | 389
NetMeeting | NetMeeting allows users to teleconference using the Internet as the transmission medium. | | 1720
NFS | Network File System allows network users to access shared files stored on computers of different types. | tcp |
Table 46: FortiGate predefined services (Continued)
Service name | Description | Protocol | Port
TCP | All TCP ports. | tcp | 0-65535
TELNET | Telnet service for connecting to a remote computer to run commands. | tcp | 23
TFTP | Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features. | udp | 69
UDP | All UDP ports. | udp | 0-65535
UUCP | Unix to Unix copy utility, a simple file copying protocol. | udp |
Adding custom ICMP services
Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list.
To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select ICMP from the Protocol list.
3 Select New.
4 Type a Name for the new custom ICMP service. This name appears in the service list used when you add a policy.
3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
Creating one-time schedules
You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
To create a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select New.
Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule. If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day.
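The overnight case (stop time before start time) is where recurring schedules are most often misjudged, so here is the evaluation worked through. This is an added example, not code from the manual or from Fortinet; the schedule name, days and times are constructed, and the day names and datetime inputs are this example's own interface.

```python
from datetime import datetime, time

DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


class RecurringSchedule:
    """Days are weekday names; start/stop are datetime.time values. When stop is
    earlier than start, the schedule runs from start on a selected day until stop
    on the following day, as the manual describes."""

    def __init__(self, name, days, start, stop):
        self.name = name
        self.days = {DAYS[d] for d in days}
        self.start = start
        self.stop = stop

    def is_active(self, when):
        weekday, clock = when.weekday(), when.time()
        if self.start <= self.stop:
            # Same-day window: active only on a selected day between start and stop.
            return weekday in self.days and self.start <= clock < self.stop
        # Overnight window: either we are past start on a selected day ...
        if weekday in self.days and clock >= self.start:
            return True
        # ... or before stop on the day after a selected day (the spill-over).
        previous_day = (weekday - 1) % 7
        return previous_day in self.days and clock < self.stop


# Constructed example (not from the manual): a policy carrying this "after hours"
# window is active from 18:00 on each working day until 08:00 the next morning,
# so it covers Friday night into Saturday morning but not Sunday night.
AFTER_HOURS = RecurringSchedule(
    "After_Hours", ["Mon", "Tue", "Wed", "Thu", "Fri"], time(18, 0), time(8, 0)
)

if __name__ == "__main__":
    # 2024-01-05 is a Friday, 2024-01-08 a Monday.
    for stamp in (datetime(2024, 1, 5, 23, 0), datetime(2024, 1, 6, 2, 0),
                  datetime(2024, 1, 6, 12, 0), datetime(2024, 1, 8, 7, 0)):
        print(stamp, "active" if AFTER_HOURS.is_active(stamp) else "inactive")
```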
Adding schedules to policies
After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
To add a schedule to a policy
1 Go to Firewall > Policy.
2 Create a new policy or edit a policy to change its schedule.
3 Configure the policy as required.
This section describes:
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs
Adding static NAT virtual IPs
To add a static NAT virtual IP
1 Go to Firewall > Virtual IP.
2 Select New to add a virtual IP.
3 Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
7 In Map to IP, type the real IP address on the destination network, for example, the IP address of a web server on an internal network.
Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address.
8 Select OK to save the virtual IP. You can now add the virtual IP to firewall policies.
6 Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP, you can enter 0.0.0.0 for the External IP Address. The FortiGate unit substitutes the IP address set for this external interface using PPPoE or DHCP.
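The two virtual IP behaviours described above (static NAT, with the note that the mapped host's outbound source becomes the virtual IP address, and port forwarding with 0.0.0.0 standing for the interface's PPPoE/DHCP address) worked through as an added example that is not code from the manual or from Fortinet. The interface names, addresses, ports and VIP names are constructed; the look-up order and the fall-back to the firewall's own external address for hosts without a static NAT VIP are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

INTERFACE_ADDRESS = "0.0.0.0"  # manual's placeholder: use the external interface's own address


@dataclass
class VirtualIP:
    name: str
    external_interface: str
    external_ip: str               # "0.0.0.0" = whatever the interface got via PPPoE/DHCP
    map_to_ip: str
    external_port: Optional[int] = None   # None: static NAT (all ports, unchanged)
    map_to_port: Optional[int] = None     # set only for port forwarding

    def effective_external_ip(self, interface_addresses):
        """Resolve 0.0.0.0 to the current address of the external interface."""
        if self.external_ip == INTERFACE_ADDRESS:
            return interface_addresses[self.external_interface]
        return self.external_ip


def translate_inbound(vips, interface_addresses, dst_ip, dst_port):
    """Packet arriving from the external side. Returns (new_dst_ip, new_dst_port)
    after destination NAT, or None when no virtual IP applies."""
    for vip in vips:
        if dst_ip != vip.effective_external_ip(interface_addresses):
            continue
        if vip.external_port is None:
            return vip.map_to_ip, dst_port              # static NAT: every port
        if dst_port == vip.external_port:
            return vip.map_to_ip, vip.map_to_port       # port forwarding: one port
    return None


def translate_outbound(vips, interface_addresses, src_ip, egress_interface):
    """Outbound packet from an internal host. Per the manual's note, a host behind a
    static NAT virtual IP keeps that VIP's External IP as its source; other hosts
    get the firewall's external interface address (ordinary NAT, this example's
    assumption)."""
    for vip in vips:
        if vip.map_to_ip == src_ip and vip.external_port is None:
            return vip.effective_external_ip(interface_addresses)
    return interface_addresses[egress_interface]


# Constructed sample (not from the manual).
ADDRESSES = {"external": "203.0.113.10"}          # address the interface got from PPPoE/DHCP
VIPS = [
    VirtualIP("Web_Server", "external", "203.0.113.20", "192.168.1.20"),
    VirtualIP("Mail_Forward", "external", INTERFACE_ADDRESS, "192.168.1.30", 25, 2525),
]

if __name__ == "__main__":
    print(translate_inbound(VIPS, ADDRESSES, "203.0.113.20", 443))
    print(translate_inbound(VIPS, ADDRESSES, "203.0.113.10", 25))
    print(translate_outbound(VIPS, ADDRESSES, "192.168.1.20", "external"))
```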
Figure 61: Adding a port forwarding virtual IP
Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets.
To add a policy with a virtual IP
1 Go to Firewall > Policy.
2 Select the type of policy that you want to add.
3
• The source interface must match the interface selected in the External Interface list.
4 Select OK to save the policy.
IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface.
Figure 62: Adding an IP Pool
IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.
IP/MAC binding
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to Ethernet cards at the factory and are not easy to change.
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
3 Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list. Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses.
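The binding-list rules from the two passages above (one MAC per IP, many IPs per MAC, the 0.0.0.0 and 00:00:00:00:00:00 wildcards, and the drop of a bound IP arriving with the wrong MAC) as an added example, not code from the manual or from Fortinet. The MAC addresses are constructed six-octet values; how packets that match no entry at all are treated, and the drop of a bound MAC arriving with a foreign IP, are this example's assumptions.

```python
WILDCARD_IP = "0.0.0.0"
WILDCARD_MAC = "00:00:00:00:00:00"


class IpMacBindingList:
    """Simulates the IP/MAC binding list check applied before policy matching.
    unlisted_action ("allow" or "block") decides the fate of packets whose IP and
    MAC both appear nowhere in the list; that setting is an assumption of this
    example, not something the manual excerpt states."""

    def __init__(self, unlisted_action="allow"):
        self.pairs = []  # list of (ip, mac) entries in the order they were added
        self.unlisted_action = unlisted_action

    def add(self, ip, mac):
        mac = mac.lower()
        if ip != WILDCARD_IP:
            # Rule: one MAC per IP. Several MACs may share the wildcard IP 0.0.0.0.
            for bound_ip, bound_mac in self.pairs:
                if bound_ip == ip and bound_mac != mac:
                    raise ValueError(f"{ip} is already bound to {bound_mac}")
        self.pairs.append((ip, mac))

    def check(self, ip, mac):
        """Return "pass" (go on to policy matching) or "drop" (suspected spoofing)."""
        mac = mac.lower()
        ip_seen = mac_seen = False
        for bound_ip, bound_mac in self.pairs:
            ip_ok = bound_ip == WILDCARD_IP or bound_ip == ip
            mac_ok = bound_mac == WILDCARD_MAC or bound_mac == mac
            if ip_ok and mac_ok:
                return "pass"
            ip_seen = ip_seen or bound_ip == ip
            mac_seen = mac_seen or bound_mac == mac
        # A bound IP (manual) or bound MAC (this example's assumption) that arrived
        # with the wrong partner is dropped immediately.
        if ip_seen or mac_seen:
            return "drop"
        return "pass" if self.unlisted_action == "allow" else "drop"


# Constructed sample list (MAC values are made up, not the manual's).
BINDINGS = IpMacBindingList()
BINDINGS.add("1.1.1.1", "12:34:56:78:90:ab")        # trusted host
BINDINGS.add("3.3.3.3", "12:34:56:78:90:ab")        # second IP on the same MAC: allowed
BINDINGS.add(WILDCARD_IP, "aa:aa:aa:aa:aa:aa")      # this MAC passes with any IP
BINDINGS.add("2.2.2.2", WILDCARD_MAC)               # this IP passes from any MAC

if __name__ == "__main__":
    print(BINDINGS.check("1.1.1.1", "12:34:56:78:90:AB"))   # pass
    print(BINDINGS.check("1.1.1.1", "de:ad:be:ef:00:01"))   # drop: spoofed 1.1.1.1
```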
Figure 63: IP/MAC settings
Content profiles
Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Default content profiles
The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.
Strict: To apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Web Exempt List: Exempt URLs from web filtering and virus scanning. See “Exempt URL list” on page 298.
6 Enable the email filter protection options that you want.
Email Block List: Add a subject tag to email from unwanted addresses. See “Email block list” on page 304.
Email Exempt List: Exempt sender address patterns from email filtering. See “Email exempt list” on page 305.
Email Content Block: Add a subject tag to email that contains unwanted words or phrases.
Adding content profiles to policies
You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
To add a content profile to a policy
1 Go to Firewall > Policy.
2 Select a policy list that contains policies that you want to add a content profile to.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.
This chapter describes:
• Setting authentication timeout
• Adding user names and configuring authentication
• Configuring RADIUS support
• Configuring LDAP support
• Configuring user groups
Setting authentication timeout
Authentication timeout controls how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall.
LDAP: Require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See “Configuring LDAP support” on page 231.
Radius: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate.
Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.
This section describes:
• Adding RADIUS servers
• Deleting RADIUS servers
Adding RADIUS servers
To add a RADIUS server
1 Go to User > RADIUS.
2 Select New to add a new RADIUS server.
3 Type the Name of the RADIUS server. You can type any name.
Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit.
7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
• IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated using XAuth.
• The FortiGate PPTP configuration. Only users in the selected user group can use PPTP.
• The FortiGate L2TP configuration. Only users in the selected user group can use L2TP.
3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
IPSec VPN
A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client for remote access to a private office network.
Key management
There are three basic elements in any encryption system:
• an algorithm that changes information into code,
• a cryptographic key that serves as a secret starting point for the algorithm,
• a management system to control the key.
In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.
Manual key IPSec VPNs
When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required.
5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.
6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.
7 Select an Encryption Algorithm from the list.
AutoIKE IPSec VPNs
FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
3 Type a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select a Remote Gateway address type.
• If the remote VPN peer has a static IP address, select Static IP Address.
10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer.
• Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the FortiGate unit transmits its IP address.
• RSA Signature: No entry is required because the Local ID field contains the Distinguished Name (DN) of the certificate associated with this phase 1 configuration.
XAuth: Enable as a Server
Encryption method: Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server.
PAP—Password Authentication Protocol.
CHAP—Challenge-Handshake Authentication Protocol.
MIXED—Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
Use CHAP whenever possible.
Figure 69: Adding a phase 1 configuration (Standard options)
Figure 70: Adding a phase 1 configuration (Advanced options)
Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Note: Adding a phase 2 configuration is the same for pre-shared key and certificate VPNs.
To add a phase 2 configuration
1 Go to VPN > IPSEC > Phase 2.
2 Select New to add a new phase 2 configuration.
3 Enter a Tunnel Name.
10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure “Adding a VPN concentrator” on page 255 to add the tunnel to a concentrator, the next time you open the tunnel the Concentrator field displays the name of the concentrator to which you added the tunnel.
12 Select a Quick Mode Identity.
Managing digital certificates
Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
Organization Unit: Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit (such as Manufacturing or MF).
Organization: Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet).
Locality: Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
Downloading the certificate request
Use the following procedure to download a certificate request from the FortiGate unit to the management computer.
To download the certificate request
1 Go to VPN > Certificates > Local Certificates.
2 Select Download to download the local certificate to the management computer.
3 Select Save.
4 Name the file and save it in a directory on the management computer.
Obtaining CA certificates
For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices. The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer.
Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year).
Adding a destination address
The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
To add a destination address
1 Go to Firewall > Address.
2 Select an external interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.
VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.
Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.
Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.
Inbound NAT: The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network.
Figure 73: Adding an encrypt policy
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.
Source: Internal_All
Destination: The VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See “Adding an encrypt policy” on page 251.
VPN spoke general configuration steps
A remote VPN peer that functions as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
• The source address of the local VPN spoke.
• The destination address of each remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See “Adding an encrypt policy” on page 251.
Viewing dialup VPN connection status
You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.
To view dialup connection status
1 Go to VPN > IPSec > Dialup Monitor.
PPTP and L2TP VPN
You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you do not require third-party software on the client computer.
Configuring the FortiGate unit as a PPTP gateway
Use the following procedures to configure the FortiGate unit as a PPTP gateway:
To add users and user groups
Add a user for each PPTP client.
1 Go to User > Local.
2 Add and configure PPTP users. For information about adding and configuring users, see “Adding user names and configuring authentication” on page 228.
3 Go to User > User Group.
4 Add and configure PPTP user groups.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
5 Select OK to save the source address.
6 Repeat for all addresses in the PPTP address range.
To add a source address group
Organize the source addresses into an address group.
1 Go to Firewall > Address > Group.
2 Add a new address group to the interface to which PPTP clients connect. This can be an interface, VLAN subinterface, or zone.
6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP.
7 Set Action to ACCEPT.
8 Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for PPTP policies.
9 Select OK to save the firewall policy.
To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.
Configuring a Windows 2000 client for PPTP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.
To configure a PPTP dialup connection
1 Go to Start > Settings > Network and Dial-up Connections.
5 Name the connection and select Next.
6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8 Select Finish.
To configure the VPN connection
1 Right-click the Connection icon that you created in the previous procedure.
2 Select Properties > Security.
Configuring L2TP
Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit.
To add source addresses
Add a source address for every address in the L2TP address range.
1 Go to Firewall > Address.
2 Select the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the L2TP address range.
5 Select OK to save the source address.
6 Repeat for all addresses in the L2TP address range.
2 Select the policy list that you want to add the policy to (usually, External->Internal).
3 Select New to add a policy.
4 Set Source to the group that matches the L2TP address range.
5 Set Destination to the address to which L2TP users can connect.
6 Set Service to match the traffic type inside the L2TP VPN tunnel. For example, if L2TP users can access a web server, select HTTP.
7 Set Action to ACCEPT.
8 Select NAT if address translation is required.
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSEC is selected.
6 Select OK and close the connection properties window.
Note: The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable this default behavior by editing the Windows 2000 Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8 Select Finish.
To configure the VPN connection
1 Right-click the icon that you created.
2 Select Properties > Security.
3 Select Typical to configure typical settings.
4 Select Require data encryption.
Note: If a RADIUS server is used for authentication, do not select Require data encryption.
8 Add the following registry value to this key:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
9 Save the changes and restart the computer for the changes to take effect.
You must add the ProhibitIpSec registry value to each Windows XP-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created.
Network Intrusion Detection System (NIDS)
The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
Selecting the interfaces to monitor
To select the interfaces to monitor for attacks
1 Go to NIDS > Detection > General.
2 Select the interfaces to monitor for network attacks. You can select up to a total of 4 interfaces and VLAN subinterfaces.
3 Select Apply.
Disabling monitoring interfaces
To disable monitoring interfaces for attacks
1 Go to NIDS > Detection > General.
Viewing the signature list
You can display the current list of NIDS signature groups and the members of a signature group.
To view the signature list
1 Go to NIDS > Detection > Signature List.
2 View the names and action status of the signature groups in the list. The NIDS detects attacks listed in all the signature groups that have check marks in the Enable column.
Note: The user-defined signature group is the last item in the signature list.
Figure 80: Example signature group members list
Disabling NIDS attack signatures
By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks.
To add user-defined signatures
1 Go to NIDS > Detection > User Defined Signature List.
2 Select Upload.
Caution: Uploading the user-defined signature list overwrites the existing file.
3 Type the path and filename of the text file for the user-defined signature list or select Browse and locate the file.
4 Select OK to upload the text file for the user-defined signature list.
Preventing attacks
NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You can also enable or disable and set the threshold values for individual attack prevention signatures.
Setting signature threshold values
You can change the default threshold values for the NIDS Prevention signatures listed in Table 48. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.
To set Prevention signature threshold values
1 Go to NIDS > Prevention.
2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
3 Type the Threshold value.
4 Select the Enable check box.
5 Select OK.
Logging attacks
Whenever the NIDS detects or prevents an attack, it generates an attack message.
The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue. The FortiGate unit holds duplicate alert email messages for 60 seconds.
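The duplicate-suppression behaviour described above, as an added example modelled on this description (it is not Fortinet code): a queue that sends a new message at once, keeps a copy for the 60-second hold period, and counts duplicates that arrive within it. What the unit does with the duplicate count when the hold expires is not stated on this page, so emitting a summary entry at that point is an assumption, as is the injectable clock used to make the replay deterministic.

```python
import time


class AlertEmailQueue:
    """Alert email queue modelled on the manual's description.

    Every new message is compared with the messages still in the queue.
    A message that is not a duplicate is sent immediately and a copy is
    kept in the queue; a duplicate is dropped and a per-message counter
    is incremented. Entries are held for hold_seconds (60 s in the manual).
    """

    def __init__(self, hold_seconds=60.0, clock=time.monotonic):
        self.hold_seconds = hold_seconds
        self.clock = clock          # injectable clock for deterministic tests (assumption)
        self._queue = {}            # message text -> [first_sent_time, duplicate_count]
        self.sent = []              # messages handed to the mailer, in order
        self.suppressed = []        # (message, copies dropped) reported after the hold

    def _expire(self, now):
        # Release entries whose hold period has elapsed. Reporting the duplicate
        # count here is an assumption; the page only says duplicates are held
        # and counted for 60 seconds.
        expired = [t for t, (t0, _) in self._queue.items()
                   if now - t0 >= self.hold_seconds]
        for text in expired:
            _, copies = self._queue.pop(text)
            if copies:
                self.suppressed.append((text, copies))

    def submit(self, text):
        """Offer one alert message; return True if sent, False if deduplicated."""
        now = self.clock()
        self._expire(now)
        entry = self._queue.get(text)
        if entry is None:
            # Not a duplicate: send immediately and keep a copy in the queue.
            self._queue[text] = [now, 0]
            self.sent.append(text)
            return True
        # Duplicate within the hold period: drop it and count the copy.
        entry[1] += 1
        return False


def replay(events, hold_seconds=60.0):
    """Replay (seconds, message) pairs through a queue driven by a fake clock."""
    clock = {"now": 0.0}
    queue = AlertEmailQueue(hold_seconds, clock=lambda: clock["now"])
    for seconds, text in events:
        clock["now"] = float(seconds)
        queue.submit(text)
    return queue.sent, queue.suppressed


# Constructed sample: one alert repeated inside and after the 60-second hold,
# with an unrelated alert in between.
SAMPLE_EVENTS = [
    (0, "NIDS: syn_flood detected on port1"),
    (5, "NIDS: syn_flood detected on port1"),
    (10, "NIDS: icmp_flood detected on port2"),
    (30, "NIDS: syn_flood detected on port1"),
    (61, "NIDS: syn_flood detected on port1"),
]

if __name__ == "__main__":
    sent, suppressed = replay(SAMPLE_EVENTS)
    print("sent:", sent)
    print("suppressed:", suppressed)
```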
Antivirus protection
You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
Note: For information about receiving virus log messages, see “Configuring logging”, and for information about log message content and format, see “Virus log messages” in the Logging Configuration and Reference Guide.
Antivirus scanning
Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection.
Figure 82: Example content profile for virus scanning
File blocking
Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot detect it. You would not normally operate the FortiGate unit with blocking enabled.
By default, when blocking is enabled, the FortiGate unit blocks the following file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.
Blocking oversized files and emails
You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver.
Viewing the virus list
You can view the names of the viruses and worms in the current virus definition list.
To view the virus list
1 Go to Anti-Virus > Config > Virus List.
2 Scroll through the virus and worm list to view the names of all viruses and worms in the list.
Web filtering
When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:
• blocking unwanted URLs,
• blocking unwanted content,
• removing scripts from web pages,
• exempting URLs from blocking.
You can also use Cerberian URL filtering to block unwanted URLs.
3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies. See:
• “URL blocking” on page 291,
• “Configuring Cerberian URL filtering” on page 294,
• “Content blocking” on page 288,
• “Script filtering” on page 297,
• “Exempt URL list” on page 298.
4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs.
4 Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase).
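How the rules in step 4 decide whether a page is blocked, as an added example written for this guide (not FortiGate code): the list is read in the plus-joined form the unit stores, a single word blocks any page containing that word, and a phrase blocks a page that contains all of its words wherever they occur. Whole-word and case-insensitive matching are assumptions; the page does not state them.

```python
import re


def parse_banned_word_list(text):
    """Parse a banned word list in the form the FortiGate unit stores it:
    one entry per line, with plus signs in place of the spaces of a phrase.
    Returns a list of word tuples, e.g. "banned+phrase" -> ("banned", "phrase").
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                               # skip blank lines
        entries.append(tuple(w for w in line.split("+") if w))
    return entries


def _contains_word(page_text, word):
    # Whole-word, case-insensitive match (assumption; not stated by the manual).
    return re.search(r"\b" + re.escape(word) + r"\b", page_text,
                     re.IGNORECASE) is not None


def matching_entry(page_text, entries):
    """Return the first entry (in stored "a+b" form) that blocks the page, or None.

    A single word blocks any page containing it; a phrase blocks a page that
    contains every word of the phrase, not necessarily adjacent or in order.
    """
    for entry in entries:
        if all(_contains_word(page_text, w) for w in entry):
            return "+".join(entry)
    return None


# Constructed sample list, as the unit would store it after the entries
# "banned" and "secret project" were typed in the web-based manager.
SAMPLE_LIST = "banned\nsecret+project\n"

if __name__ == "__main__":
    entries = parse_banned_word_list(SAMPLE_LIST)
    for page in ("This page contains a banned word.",
                 "The project roadmap is secret.",
                 "Nothing objectionable here."):
        print(repr(page), "->", matching_entry(page, entries))
```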
Backing up the Banned Word list
You can back up the banned word list by downloading it to a text file on the management computer.
To back up the banned word list
1 Go to Web Filter > Content Block.
2 Select Backup Banned Word List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
5 Select Return to display the updated Banned Word List.
6 You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary.
Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.
URL blocking
You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering.
4 Ensure that the Enable checkbox has been selected and then select OK.
5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All. Each page of the Web URL block list displays 100 URLs.
6 Use Page Up and Page Down to navigate through the Web URL block list.
Downloading the Web URL block list
You can back up the Web URL block list by downloading it to a text file on the management computer.
To download a Web URL block list
1 Go to Web Filter > Web URL Block.
2 Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
8 You can continue to maintain the Web URL block list by making changes to the text file and uploading it again.
Configuring FortiGate Web pattern blocking
You can configure FortiGate web pattern blocking to block web pages that match a URL pattern. Create URL patterns using regular expressions (for example, badsite.* matches badsite.com, badsite.org, badsite.net and so on). FortiGate web pattern blocking supports standard regular expressions.
Installing a Cerberian license key
Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit.
To install a Cerberian license key
1 Go to Web Filter > URL Block.
2 Select Cerberian URL Filtering.
3 Enter the license number.
4 Select Apply.
You can add users to the default group and apply any policies to the group. Use the default group to add:
• All the users who are not assigned alias names on the FortiGate unit.
• All the users who are not assigned to other user groups.
The Cerberian web filter groups URLs into 53 categories. The default policy blocks the URLs of 12 categories. You can modify the default policy and apply it to any user groups.
Script filtering
You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages.
Note: Blocking any of these items might prevent some web pages from working properly.
• Enabling script filtering
• Selecting script filter options
Enabling script filtering
1 Go to Firewall > Content Profile.
2 Select the content profile for which you want to enable script filtering.
3 Select Script Filter.
4 Select OK.
Exempt URL list
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website are blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking.
Figure 88: Example URL Exempt list
Downloading the URL Exempt List
You can back up the URL Exempt List by downloading it to a text file on the management computer.
1 Go to Web Filter > URL Exempt.
2 Select Download URL Exempt List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
3 Select Upload URL Exempt List.
4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5 Select OK to upload the file to the FortiGate unit.
6 Select Return to display the updated URL Exempt List.
7 You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary.
Email filter
Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic.
Email banned word list
When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.
Downloading the email banned word list
You can back up the banned word list by downloading it to a text file on the management computer.
To download the banned word list
1 Go to Email Filter > Content Block.
2 Select Download. The FortiGate unit downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Email block list
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag.
Uploading an email block list
You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0) to disable the pattern. If you do not add this information to the text file, the FortiGate unit automatically enables the pattern when you upload the text file: patterns followed by a 1 or by no number are enabled.
Adding address patterns to the email exempt list
To add an address pattern to the email exempt list
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
• To exempt email sent from a specific email address, type the email address. For example, sender@abccompany.com.
• To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
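The block list file format of the previous section together with the address patterns of the exempt list, as an added example (not FortiGate code): it reads an uploaded block list with its optional 1/0 flags, then decides whether mail from a given sender gets a subject tag. Treating an exempt-list match as overriding the block list, matching a domain pattern only against the exact domain after the @, and the tag text are assumptions; the page does not state them.

```python
def parse_block_list(text):
    """Parse an email block list text file: one pattern per line, optionally
    followed by a space and 1 (enabled) or 0 (disabled). A pattern with no
    number is enabled, as the manual describes for uploaded files.
    Returns a list of (pattern, enabled) pairs in file order.
    """
    patterns = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue                               # skip blank lines
        pattern = parts[0].lower()
        enabled = True
        if len(parts) > 1:
            if parts[1] == "0":
                enabled = False
            elif parts[1] != "1":
                raise ValueError("bad flag %r on line %r" % (parts[1], raw))
        patterns.append((pattern, enabled))
    return patterns


def pattern_matches(pattern, sender):
    """An address pattern is either a full address or a bare domain name.
    A domain pattern matches the exact domain after the @ (assumption: the
    manual does not say whether subdomains are covered).
    """
    sender = sender.lower()
    if "@" in pattern:
        return sender == pattern
    return sender.rpartition("@")[2] == pattern


def blocking_pattern(sender, block_list, exempt_list=()):
    """Return the enabled block-list pattern that matches the sender, or None.
    An exempt-list match wins over the block list (assumption).
    """
    if any(pattern_matches(p, sender) for p in exempt_list):
        return None
    for pattern, enabled in block_list:
        if enabled and pattern_matches(pattern, sender):
            return pattern
    return None


def tag_subject(subject, sender, block_list, exempt_list=(), tag="[BLOCKED]"):
    """Return the subject line the receiver would see: tagged when the sender
    matches an enabled block-list pattern, otherwise unchanged. The tag text
    is a placeholder; the real tag is whatever is configured on the unit.
    """
    if blocking_pattern(sender, block_list, exempt_list) is None:
        return subject
    return tag + " " + subject


# Constructed sample upload file (address pattern, domain pattern, disabled
# domain pattern) and a constructed exempt list.
SAMPLE_BLOCK_FILE = """\
spammer@junkmail.example 1
junkmail.example
old-partner.example 0
"""
SAMPLE_EXEMPT = ["trusted@junkmail.example"]

if __name__ == "__main__":
    block_list = parse_block_list(SAMPLE_BLOCK_FILE)
    for sender in ("spammer@junkmail.example", "anyone@junkmail.example",
                   "trusted@junkmail.example", "sales@old-partner.example"):
        print(sender, "->",
              tag_subject("Quarterly report", sender, block_list, SAMPLE_EXEMPT))
```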
FortiGate-4000 Installation and Configuration Guide Version 2.50

Logging and reporting

You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
Recording logs on a remote computer

You can configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server.

To record logs on a remote computer
1 Go to Log&Report > Log Setting.
2 Select the Log to Remote Host check box to send the logs to a syslog server.
3 Type the IP address of the remote computer running syslog server software.
4 Type the port number of the syslog server.
5 Select Config Policy.
To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in “Filtering log messages” on page 310 and “Configuring traffic logging” on page 311.
6 Select OK.
7 Select Apply.
Table 51: FortiGate log message levels

Level          Description                                                      Generated by
0 - Emergency  The system has become unstable.                                  Emergency messages not available.
1 - Alert      Immediate action is required.                                    NIDS attack log messages.
2 - Critical   Functionality is affected.                                       DHCP
3 - Error      An error condition exists and functionality could be affected.   Error messages not available.
4 - Warning    Functionality could be affected.
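A receive-side check for the remote syslog setup and the level table above, as an added example (not Fortinet code): it assumes the standard RFC 3164 "<PRI>" prefix, whose severities 0 to 4 carry the same names as Table 51, and keeps only messages at or above a chosen level. The message bodies are constructed samples, not real FortiGate output.

```python
"""Filter syslog messages from a FortiGate unit by Table 51 level.
Added example, not Fortinet code; sample messages are constructed."""
import re
import socket

# Levels 0-4 are Table 51's names; 5-7 are the remaining RFC 3164 severities.
LEVEL_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
               4: "Warning", 5: "Notice", 6: "Information", 7: "Debug"}
_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message: str) -> tuple[int, int, str]:
    """Split '<PRI>body' into (facility, severity, body); PRI = facility*8 + severity."""
    m = _PRI.match(message)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"not a syslog message: {message!r}")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def record(message: str, min_level: int = 4):
    """Return (level name, body) when the message is at least as severe as
    min_level, else None. Lower numbers are more severe, so keeping
    'Warning and above' means severity <= 4."""
    _, severity, body = parse_pri(message)
    if severity > min_level:
        return None
    return LEVEL_NAMES[severity], body


# Constructed samples: PRI 34 = facility 4, severity 2; PRI 38 = severity 6
SAMPLES = ["<34>constructed critical event", "<38>constructed informational event"]


def serve(port: int = 514, min_level: int = 4) -> None:
    """Minimal UDP syslog listener (port 514 normally needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, peer = sock.recvfrom(65535)
            kept = record(data.decode("utf-8", "replace"), min_level)
            if kept:
                print(peer[0], *kept)


if __name__ == "__main__":
    for s in SAMPLES:
        print(record(s))  # second sample is dropped at the default level
```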
4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
5 Select OK.
Configuring traffic logging

This section describes:
• Enabling traffic logging
• Configuring traffic filter settings
• Adding traffic filter entries

Enabling traffic logging

You can enable logging on any interface, VLAN subinterface, and firewall policy.

Enabling traffic logging for an interface

If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log.
Configuring traffic filter settings

You can configure the information recorded in all traffic log messages.

To configure traffic filter settings
1 Go to Log&Report > Log Setting > Traffic Filter.
2 Select the settings that you want to apply to all traffic log messages.
Resolve IP: Select Resolve IP if you want traffic log messages to list the IP address and domain name stored on the DNS server.
3
Destination IP Address, Destination Netmask: Type the destination IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Service: Select the service group or individual service for which you want the FortiGate unit to log traffic messages.
4 Select OK.
4 To view a specific line in the log, type a line number in the Go to line field and select .
5 To navigate through the log message pages, select Go to next page previous page .
Adding alert email addresses

Because the FortiGate unit uses the SMTP server name to connect to the mail server, the FortiGate unit must look up this name on your DNS server. Before you configure alert email, make sure that you configure at least one DNS server.

To add a DNS server
1 Go to System > Network > DNS.
2 If they are not already there, type the primary and secondary DNS server addresses provided by your ISP.
3 Select Apply.
Enabling alert email

You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full.

To enable alert email
1 Go to Log&Report > Alert Mail > Categories.
2 Select Enable alert email for virus incidents.
Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC address, Media Access Control address: A hardware address that uniquely identifies each node of a network.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet.
Index attack updates configuring 127 scheduling 126 through a proxy server 128 authentication 198, 227 configuring 228 enabling 232 LDAP server 231 RADIUS server 230 timeout 176 auto device in route 160 AutoIKE 236 certificates 236 introduction 236 pre-shared keys 236 automatic antivirus and attack definition updates configuring 127 B backing up system settings 115 bandwidth guaranteed 198 maximum 198 banned word list adding words 288, 302 restoring 303 blacklist URL 293, 305 block traffic IP/MAC binding 2
Index dialup PPTP configuring Windows 2000 client 263 configuring Windows 98 client 262 configuring Windows XP client 263 dialup VPN viewing connection status 258 disabling NIDS 272 DMZ interface definition 319 DNS server addresses 158 domain DHCP 164 downloading attack definition updates 139 virus definition updates 139 dynamic IP list viewing 165 dynamic IP pool IP pool 197 dynamic IP/MAC list 220 viewing 222 E email alert testing 316 email filter log 310 enabling policy 201 encrypt policy 196 encrypt po
Index H HA 81 connecting a NAT/Route mode cluster 84 introduction 19 managing HA group 87 NAT/Route mode 82 replacing FortiGate unit after fail-over 95 hard disk full alert email 317 high availability 81 introduction 19 HTTP enabling web filtering 287, 301 HTTPS 20, 206, 319 I ICMP 207, 319 configuring checksum verification 272 ICMP service custom 209 idle timeout web-based manager 176 IDS log viewing 314 IKE 319 IMAP 206, 319 Inbound NAT encrypt policy 197 interface adding a DHCP server 163 administrativ
Index log setting filtering log entries 126, 310 traffic filter 313 log to memory configuring 309 viewing saved logs 314 Log Traffic firewall policy 199 policy 199 logging 21, 307 attack log 310 configuring traffic settings 312, 313 connections to an interface 148 email filter log 310 enabling alert email 317 event log 310 filtering log messages 310 log to memory 309 log to remote host 308 log to WebTrends 308 message levels 309 recording 307 searching logs 315 selecting what to log 310 traffic log 310 traf
Index oversized files and email blocking 285 P password adding 228 changing administrator account 179 Fortinet support 138 recovering a lost Fortinet support 136 PAT 215 pattern web pattern blocking 294 permission administrator account 179 ping server adding to an interface 146 policy accept 196 adding for a virtual domain 157 Anti-Virus & Web filter 198 arranging in policy list 200 Comments 199 deny 196 disabling 201 enabling 201 enabling authentication 232 fixed port 197 guaranteed bandwidth 198 Log Traf
Index reserved IP adding to a DHCP server 165 resolve IP 313 traffic filter 313 restarting 118 restoring system settings 116 restoring system settings to factory default 116 reverting firmware to an older version 107 RIP configuring 167 filters 171 interface configuration 169 settings 167 RMA registering a FortiGate unit 140 route adding default 159 adding to routing table 159 adding to routing table (Transparent mode) 160 destination 159 device 160 router next hop 146 routing 320 adding static routes 159 c
Index static NAT virtual IP 213 adding 214 static route adding 159 status CPU 119 interface 143 intrusions 121 IPSec VPN tunnel 257 memory 119 network 120 sessions 120 viewing dialup connection status 258 viewing VPN tunnel status 257 virus 121 subnet definition 321 subnet address definition 321 support contract number adding 138 changing 138 support password changing 138 syn interval 175 synchronize with NTP server 175 system configuration 175 system date and time setting 175 system location SNMP 181 syste
Index URL block list adding URL 294, 304 clearing 292 downloading 290, 293, 299, 304 uploading 290, 293, 299, 305 URL block message 288 URL blocking 291 exempt URL list 298, 305 web pattern blocking 294 URL exempt list see also exempt URL list 298, 305 use selectors from policy quick mode identifier 245 use wildcard selectors quick mode identifier 245 user authentication 227 user groups configuring 232 deleting 234 user name and password adding 229 adding user name 228 user-defined ICMP services 209 user-de
Index worm list displaying 286 worm protection 286 332 Z zone adding 142 adding to a virtual domain 156 configuring 141 Fortinet Inc.