Installation Guide FortiGate 500A Version 2.
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-500A Installation Guide Version 2.
Table of Contents
Introduction 5
Secure installation, configuration, and management 6
Web-based manager 6
Command line interface
Transparent mode installation 37
Preparing to configure Transparent mode
Using the web-based manager
Reconnecting to the web-based manager
Using the front control buttons and LCD
FortiGate-500A Installation Guide Version 2.80 MR5

Introduction

FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
Secure installation, configuration, and management

The FortiGate unit default configuration includes default interface IP addresses and is only a few steps away from protecting your network. There are several ways to configure basic FortiGate settings:
• the web-based manager,
• the front panel front keypad and LCD,
• the command line interface (CLI), or
• the setup wizard.
Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-based manager.
    set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
• Square brackets [ ] to indicate that a keyword or variable is optional. For example:
    show system interface []
To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.
Fortinet documentation

Information about FortiGate products is available from the following FortiGate Guides:
• FortiGate QuickStart Guide
  Each QuickStart Guide provides the basic information required to connect and install a FortiGate model.
• FortiGate Installation Guide
  Each Installation Guide provides detailed information required to install a FortiGate model.
Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.
Getting started

This section describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit.
Package contents

The FortiGate-500A package contains the following items:
• FortiGate-500A Antivirus Firewall
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one gray regular ethernet cable (Fortinet part number CC300249)
• one RJ-45 serial cable (Fortinet part number CC300302)
• FortiGate-500A QuickStart Guide
• one power cable
• CD containing the FortiGate user documentation
• two 19-inch rack mount brackets

Figure 2: FortiGate-500A package contents
Power requirements
• Power dissipation: 50 W (max)
• AC input voltage: 100 to 240 VAC
• AC input current: 1.6 A
• Frequency: 50 to 60 H

Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing

If you install the FortiGate-500A unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient.
Table 1: FortiGate-500A LED indicators

LED: Power
  Green: The FortiGate unit is powered on.
  Off: The FortiGate unit is powered off.
LED: LAN (L1, L2, L3, L4), 1, 2, 3, 4, 5, 6
  Amber: The correct cable is in use and the connected equipment has power.
  Flashing Amber: Network activity at this interface.
  Green: The interface is connected.
    • 1, 2, 3, and 4 connect at up to 100 Mbps.
    • 5 and 6 connect at up to 1000 Mbps.
  Off: No link established.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://).
  The FortiGate login is displayed.
  Figure 3: FortiGate login
4 Type admin in the Name field and select Login.

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI.
  Bits per second: 9600
  Data bits: 8
  Parity: None
  Stop bits: 1
  Flow control: None
5 Press Enter to connect to the FortiGate CLI.
  The following prompt is displayed:
    FortiGate-500A login:
6 Type admin and press Enter twice.
  The following prompt is displayed:
    Welcome !
Type ? to list available commands. For information about how to use the CLI, see the FortiGate CLI Reference Guide.
Factory default NAT/Route mode network configuration

When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 2. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to the network.
Factory default Transparent mode network configuration

In Transparent mode, the FortiGate unit has the default network configuration listed in Table 3.

Table 3: Factory default Transparent mode network configuration
Administrator account
  User name: admin
  Password: (none)
Management IP
  IP: 10.10.10.1
  Netmask: 255.255.255.0
Primary DNS Server: 207.194.200.1
Secondary DNS Server: 207.194.200.
Factory default protection profiles

Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies.
Figure 4: Web protection profile settings

Planning the FortiGate configuration

Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select.
You can add firewall policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Firewall policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no address translation.
Figure 6: Example NAT/Route multiple internet connection configuration
[Figure labels: FortiGate-500A Unit in NAT/Route mode; Port 1 204.23.1.5; Port 2 64.83.32.45; LAN 192.168.1.1; 192.168.1.3; Internal network; Internet; NAT mode policies controlling traffic between internal and external networks.]

Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network.
Web-based manager and setup wizard

The FortiGate web-based manager is a full featured management tool. You can use the web-based manager to configure most FortiGate settings. The web-based manager Setup Wizard guides you through the initial configuration steps. Use the Setup Wizard to configure the administrator password, the interface addresses, the default gateway address, and the DNS server addresses.
Configuration options 24 Getting started 01-28005-0101-20041015 Fortinet Inc.
NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see “Transparent mode installation” on page 37. For information about installing two or more FortiGate units in HA mode, see “High availability installation” on page 45.
Table 5: NAT/Route mode settings
Administrator Password:
LAN      IP: _____._____._____._____  Netmask: _____._____._____._____
Port 1   IP: _____._____._____._____  Netmask: _____._____._____._____
Port 2   IP: _____._____._____._____  Netmask: _____._____._____._____
Port 3   IP: _____._____._____._____  Netmask: _____._____._____._____
Port 4   IP: _____._____._____._____  Netmask: _____._____._____._____
Port 5   IP: _____._____._____._____  Netmask: _____._____._____._____
Port 6   IP: _____._____._____._____  Netmask: _____._____._____._____
Using the web-based manager

You can use the web-based manager for the initial configuration of the FortiGate unit. You can also continue to use the web-based manager for all FortiGate unit settings. For information about connecting to the web-based manager, see “Connecting to the web-based manager” on page 14.
To add a default route

Add a default route to configure where the FortiGate unit sends traffic destined for an external network (usually the Internet). Adding the default route also defines which interface is connected to an external network. The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE.
1 Go to System > Router > Static.
To add a default gateway to an interface

The default gateway is usually configured for the interface connected to the Internet. You can use the procedure below to configure a default gateway for any interface.
1 Press Enter to display the interface list.
2 Use the down arrow key to highlight the name of the interface connected to the Internet and press Enter.
3 Use the down arrow to highlight Default Gateway.
Example
To set the IP address of the LAN interface to 192.168.2.99 and netmask to 255.255.255.0, enter:
    config system interface
    edit lan
    set ip 192.168.2.99 255.255.255.0
    end
3 To set the IP address and netmask of port1, enter:
    config system interface
    edit port1
    set ip
    end
Example
To set the IP address of port1 to 192.168.20.99 and netmask to 255.255.255.
6 Confirm that the addresses are correct. Enter:
    get system interface
  The CLI lists the IP address, netmask, and other settings for each of the FortiGate interfaces.

To configure DNS server settings
• Set the primary and secondary DNS server IP addresses. Enter
    config system dns
    set primary
    set secondary
    end
Example
    config system dns
    set primary 293.44.75.21
    set secondary 293.44.75.
Using the setup wizard

From the web-based manager, you can use the setup wizard to complete the initial configuration of the FortiGate unit. For information about connecting to the web-based manager, see “Connecting to the web-based manager” on page 14.
Table 7: Setup wizard settings
Antivirus
  High: Create a protection profile that enables virus scanning, file blocking, and blocking of oversize email for HTTP, FTP, IMAP, POP3, and SMTP. Add this protection profile to a default firewall policy.
  Medium: Create a protection profile that enables virus scanning, for HTTP, FTP, IMAP, POP3, and SMTP (recommended). Add this protection profile to a default firewall policy.
Connecting the FortiGate unit to the network(s)

After you complete the initial configuration, you can connect the FortiGate unit between the internal network and the Internet.
3 Optionally connect Ports 3, 4, 5, and 6 to other networks. For example, you could connect port 3 to a DMZ network to provide access from the Internet to a web server or other server without installing the servers on the internal network.

Configuring the networks

If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
To register the FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
Transparent mode installation

This chapter describes how to install a FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 25. If you want to install two or more FortiGate units in HA mode, see “High availability installation” on page 45. For more information about installing the FortiGate unit in Transparent mode, see “Planning the FortiGate configuration” on page 20.
Table 8: Transparent mode settings
Administrator Password:
Management IP
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server: _____._____._____.
To configure the default gateway
1 Go to System > Network > Management.
2 Set Default Gateway to the default gateway IP address that you recorded in Table 8 on page 38.
3 Select Apply.

Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address.
4 After you set the last digit of the default gateway, press Enter.
5 Press Esc to return to the Main Menu.

You have now completed the initial configuration of the FortiGate unit and you can proceed to “Next steps” on page 43.

Using the command line interface

As an alternative to the web-based manager or setup wizard you can begin the initial configuration of the FortiGate unit using the command line interface (CLI).
Example
    config system manageip
    set ip 10.10.10.2 255.255.255.0
    end
3 Confirm that the address is correct. Enter:
    get system manageip
  The CLI lists the management IP address and netmask.

To configure DNS server settings
1 Set the primary and secondary DNS server IP addresses. Enter
    config system dns
    set primary
    set secondary
    end
Example
    config system dns
    set primary 293.44.75.21
    set secondary 293.44.75.
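The CLI procedures in this guide (interface addresses in NAT/Route mode, the management IP in Transparent mode, and the DNS servers in both) can be checked before the commands are entered on the unit. The following Python script is an added example and is not part of the Fortinet guide: it parses commands in the layout shown above and reports invalid IPv4 addresses, non-contiguous netmasks, and overlapping interface subnets. The sample input is constructed, and the function names and the secondary DNS value are assumptions; the guide's example DNS address 293.44.75.21 is reported because 293 is outside the 0 to 255 octet range.

```python
import ipaddress

# Constructed sample in the command layout the guide uses; 192.0.2.53 is an
# assumed documentation address, the other values appear in the guide's examples.
SAMPLE = """\
config system interface
edit lan
set ip 192.168.2.99 255.255.255.0
end
config system interface
edit port1
set ip 192.168.20.99 255.255.255.0
end
config system dns
set primary 293.44.75.21
set secondary 192.0.2.53
end
"""


def parse(script):
    """Collect {name: (ip, mask)} for interfaces/manageip and {role: addr} for DNS."""
    addresses, dns = {}, {}
    section = name = None
    for words in (line.split() for line in script.splitlines()):
        if words[:1] == ["config"]:
            section, name = " ".join(words[1:]), None
        elif words[:1] == ["edit"] and len(words) == 2:
            name = words[1]
        elif words == ["end"]:
            section = name = None
        elif words[:2] == ["set", "ip"] and len(words) == 4:
            if section == "system interface" and name:
                addresses[name] = (words[2], words[3])
            elif section == "system manageip":
                addresses["manageip"] = (words[2], words[3])
        elif words[:1] == ["set"] and section == "system dns" and len(words) == 3:
            dns[words[1]] = words[2]
    return addresses, dns


def audit(script):
    """Return findings as strings; an empty list means nothing was flagged."""
    addresses, dns = parse(script)
    findings, seen = [], {}
    for name, (ip, mask) in addresses.items():
        try:
            net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        except ValueError as exc:
            findings.append(f"{name}: invalid address or netmask ({exc})")
            continue
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append(f"{name}: subnet {net} overlaps {other} ({other_net})")
        seen[name] = net
    for role, addr in dns.items():
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            findings.append(f"dns {role}: {addr} is not a valid IPv4 address")
    return findings


print("\n".join(audit(SAMPLE)))
```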
Using the setup wizard

From the web-based manager, you can use the setup wizard to begin the initial configuration of the FortiGate unit. For information about connecting to the web-based manager, see “Connecting to the web-based manager” on page 14.

The first time you connect to the FortiGate unit, it is configured to run in NAT/Route mode.

To switch to Transparent mode using the web-based manager
1 Go to System > Status.
For example, you can connect the FortiGate-500A using the following steps:
1 Connect port 1 to the hub or switch connected to your internal network.
2 Connect port 2 to the network segment connected to the external firewall or router.
3 Optionally connect ports 3 and 4 to hubs or switches connected to your other networks (the example shows a connection to port 5).
To set the date and time

For effective scheduling and logging, the FortiGate system date and time must be accurate. You can either manually set the system date and time or configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
1 Go to System > Config > Time.
2 Select Refresh to display the current FortiGate system date and time.
High availability installation

This chapter describes how to install two or more FortiGate units in an HA cluster. HA installation involves three basic steps:
• Configuring FortiGate units for HA operation
• Connecting the cluster to your networks
• Installing and configuring the cluster

For information about HA, see the FortiGate Administration Guide and the FortiOS High Availability technical note.
Table 9: High availability settings
Mode
  Active-Active: Load balancing and failover HA. Each FortiGate unit in the HA cluster actively processes connections and monitors the status of the other FortiGate units in the cluster. The primary FortiGate unit in the cluster controls load balancing.
  Active-Passive: Failover HA. The primary FortiGate unit in the cluster processes all connections.
Table 9: High availability settings (Continued)
Schedule
  The schedule controls load balancing among the FortiGate units in the active-active HA cluster. The schedule must be the same for all FortiGate units in the HA cluster.
  None: No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
  Hub: Load balancing for hubs.
To configure a FortiGate unit for HA operation
1 Go to System > Config > HA.
2 Select High Availability.
3 Select the mode.
4 Select a Group ID for the HA cluster.
5 If required, change the Unit Priority.
6 If required, select Override master.
7 Enter and confirm a password for the HA cluster.
8 If you are configuring Active-Active HA, select a schedule.
9 Select Apply.
To configure the FortiGate unit for HA operation
1 Configure HA settings.
Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are functioning and the cluster completes negotiation. Cluster negotiation normally takes just a few seconds.
2 Power on all the FortiGate units in the cluster.
  As the units start, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention and normally just takes a few seconds.

Installing and configuring the cluster

When negotiation is complete you can configure the cluster as if it was a single FortiGate unit.