Installation Guide FortiGate 800/800F
[Front panel illustrations: FortiGate-800 and FortiGate-800F]
Version 2.
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents
Introduction 5
Secure installation, configuration, and management 5
Web-based manager 6
Command line interface
Using the setup wizard
Starting the setup wizard
Connecting the FortiGate unit to the network(s)
Configuring the networks
Next steps
FortiGate-800/800F Installation Guide Version 2.80 MR6

Introduction

FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
The CLI or the web-based manager can then be used to complete configuration and to perform maintenance and administration.

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
Setup wizard

The FortiGate setup wizard provides an easy way to configure the basic initial settings for the FortiGate unit. The wizard walks through the configuration of a new administrator password, FortiGate interfaces, DHCP server settings, internal servers (web, FTP, etc.), and basic antivirus settings.

Document conventions

This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables.
    set allowaccess {ping https ssh snmp http telnet}

You can enter any of the following:

    set allowaccess ping
    set allowaccess ping https ssh
    set allowaccess https ping ssh
    set allowaccess snmp

In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
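An added example, not part of the Fortinet guide: because a set allowaccess list has to be retyped in full, removing one protocol from an interface means rebuilding the whole line. The Python code below parses a constructed config system interface block, finds interfaces that allow HTTP or Telnet administration, and emits the complete replacement lists. The sample configuration, the function names, and the policy of treating HTTP and Telnet as unwanted (they are cleartext) are assumptions of this example.

```python
# Added example (not from the Fortinet guide): audit allowaccess lists.
# Options the guide lists for "set allowaccess".
KNOWN_OPTIONS = ("ping", "https", "ssh", "snmp", "http", "telnet")
# Assumption: HTTP and Telnet are unwanted because they are cleartext.
CLEARTEXT = frozenset({"http", "telnet"})

# Constructed sample configuration, not taken from a real unit.
SAMPLE_CONFIG = """\
config system interface
    edit internal
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http telnet
    next
    edit external
        set mode static
        set allowaccess ping
    next
    edit dmz
        set allowaccess https ping ssh
    next
end
config system dns
    set primary 10.0.0.53
end
"""


def parse_allowaccess(config_text):
    """Return {interface: [options]} from the 'config system interface' block."""
    interfaces, depth, in_iface, current = {}, 0, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_iface = line == "config system interface"
        elif line == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                in_iface, current = False, None
        elif in_iface and depth == 1:
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
                interfaces[current] = []
            elif line == "next":
                current = None
            elif line.startswith("set allowaccess") and current:
                interfaces[current] = line.split()[2:]
    return interfaces


def remediation(config_text, unwanted=CLEARTEXT):
    """Map each affected interface to the full list that must be retyped."""
    fixes = {}
    for name, options in parse_allowaccess(config_text).items():
        unknown = [o for o in options if o not in KNOWN_OPTIONS]
        if unknown:
            raise ValueError(f"{name}: unrecognised option(s) {unknown}")
        if unwanted.intersection(options):
            # Keep the original order; only the unwanted entries are dropped.
            fixes[name] = [o for o in options if o not in unwanted]
    return fixes


def render_cli(fixes):
    """Render the CLI lines that replace each affected list in one pass."""
    lines = ["config system interface"]
    for name, keep in fixes.items():
        if not keep:
            raise ValueError(f"{name}: no option left, review this interface by hand")
        lines += [f"edit {name}", "set allowaccess " + " ".join(keep), "next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cli(remediation(SAMPLE_CONFIG)))
```

Review the generated lines before pasting them into a CLI session, and confirm that the interface you are managing the unit through still has HTTPS or SSH in its list.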
Related documentation

Additional information about Fortinet products is available from the following related documentation.

FortiManager documentation
• FortiManager QuickStart Guide
  Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
• FortiManager System Administration Guide
  Describes how to use the FortiManager System to manage FortiGate devices.
FortiLog documentation
• FortiLog Administration Guide
  Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
• FortiLog online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.
01-28006-0024-20041026 Fortinet Inc.
Getting started

This section describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit.
Package contents

The FortiGate-800 and FortiGate-800F package contains the following items:
• FortiGate-800 or FortiGate-800F Antivirus Firewall
• one orange crossover ethernet cable (Fortinet part number CC300248)
• one grey regular ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial cable
• SFP transceivers (FortiGate-800F only)
• one power cable
• two 19-inch rack mount brackets
• FortiGate-800 or FortiGate-800F QuickStart Guide
• CD containing Fort
Mounting

The FortiGate-800/800F unit can be mounted in a standard 19-inch rack. It requires 1 U of vertical space in the rack. The FortiGate-800/800F unit can also be installed as a free-standing appliance on any stable surface.

Dimensions
• 16.75 x 12 x 1.75 in. (42.7 x 30.5 x 4.5 cm)

Weight
• 10 lb. (4.
Table 1: FortiGate-800 LED indicators

LED State Description
Power Green The FortiGate unit is powered on.
Off The FortiGate unit is powered off.
Amber The correct cable is in use and the connected equipment has power.
Flashing amber Network activity at this interface.
Green The interface is connected. Internal, External, DMZ and HA connect at up to 1000 Mbps. Interfaces 1, 2, 3 and 4 connect at up to 100 Mbps.
To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• Internet Explorer version 6.0 or higher,
• a crossover cable or an ethernet hub and two ethernet cables.

Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 6.0 or higher.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI
1 Connect the serial cable to the communications port of your computer and to the FortiGate Console port. Use the RJ-45 to DB-9 convertor if your PC communications port requires a DB-9 connector.
2 Make sure that the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
Factory default FortiGate configuration settings

The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network.
Table 3: Factory default NAT/Route mode network configuration (Continued)

HA interface, Port 1, Port 2, Port 3, Port 4
Network Settings
IP: 0.0.0.0 Netmask: 0.0.0.0 Administrative Access: Ping
IP: 0.0.0.0 Netmask: 0.0.0.0 Administrative Access: Ping
IP: 0.0.0.0 Netmask: 0.0.0.0 Administrative Access: Ping
IP: 0.0.0.0 Netmask: 0.0.0.0 Administrative Access: Ping
IP: 0.0.0.0 Netmask: 0.0.0.
Table 4: Factory default Transparent mode network configuration (Continued)

Administrative access
  Internal: HTTPS, Ping
  External: Ping
  DMZ: HTTPS, Ping
  Port 1: Ping
  Port 2: Ping
  Port 3: Ping
  Port 4: Ping

Factory default firewall configuration

FortiGate firewall policies control how all traffic is processed by the FortiGate unit. Until firewall policies are added, no traffic can be accepted by or pass through the FortiGate unit.
Using protection profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection.
Planning the FortiGate configuration

Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select.
NAT/Route mode with multiple external network connections

In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration:
• External is the default interface to the external network (usually the Internet).
• Port 1 is the redundant interface to the external network.
Figure 8: Example Transparent mode network configuration
If you are configuring the FortiGate unit to operate in Transparent mode, you can use the front keypad and LCD to switch to Transparent mode. Then you can add the management IP address and default gateway.
NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see “Transparent mode installation” on page 41. For information about installing two or more FortiGate units in HA mode, see “High availability installation” on page 51.
Table 6: NAT/Route mode settings

Administrator Password:
Internal, External, DMZ, HA, Port 1, Port 2, Port 3, Port 4
IP: _____._____._____._____ Netmask: _____._____._____._____
IP: _____._____._____._____ Netmask: _____._____._____._____
IP: _____._____._____._____ Netmask: _____._____._____._____
IP: _____._____._____._____ Netmask: _____._____._____._____
IP: _____._____._____._____ Netmask: _____._____._____._____
IP: _____.
PPPoE requires you to supply a user name and password. In addition, PPPoE unnumbered configurations require you to supply an IP address. Use Table 7 to record the information you require for your PPPoE configuration.

Table 7: PPPoE settings
User name:
Password:

Using the web-based manager

You can use the web-based manager for the initial configuration of the FortiGate unit.
Note: If you change the IP address of the interface you are connecting to, you must connect through a web browser again using the new address. Browse to https:// followed by the new IP address of the interface. If the new IP address of the interface is on a different subnet, you may have to change the IP address of your computer to the same subnet.

To configure DNS server settings
1 Go to System > Network > DNS.
2 Use the up and down arrows to highlight the name of the interface to change and press Enter.
3 Press Enter for IP address.
4 Use the up and down arrow keys to increase or decrease the value of each IP address digit. Press Enter to move to the next digit. Press Esc to move to the previous digit.

Note: When you enter an IP address, the LCD always shows three digits for each part of the address.
    config system admin
        edit admin
            set password <new_password>
    end

To configure interfaces
1 Log in to the CLI.
2 Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 6 on page 28. Enter:

    config system interface
        edit internal
            set mode static
            set ip <ip_address> <netmask>
    end

Example

    config system interface
        edit internal
            set mode static
            set ip <192.168.120.
    config system interface
        edit external
            set mode static
            set ip <ip_address> <netmask>
    end

Example

    config system interface
        edit external
            set mode static
            set ip <204.23.1.5> <255.255.255.
To add a default route

Add a default route to configure where the FortiGate unit sends traffic that should be sent to an external network (usually the Internet). Adding the default route also defines which interface is connected to an external network. The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE.
Table 8: Setup wizard settings

Password: Prepare an administrator password.
Internal Interface: Use the information you gathered in Table 6 on page 28.
External Interface: Use the information you gathered in Table 6 on page 28.
DHCP server:
  Starting IP: _____._____._____._____
  Ending IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  DNS IP: _____._____._____.
Note: If you change the IP address of the interface you are connecting to, you must connect through a web browser again using the new address. Browse to https:// followed by the new IP address of the interface. If the new IP address of the interface is on a different subnet, you may have to change the IP address of your computer to the same subnet.
To connect the FortiGate unit running in NAT/Route mode
1 Connect the Internal interface to the hub or switch connected to the internal network.
2 Connect the External interface to your public switch or router.
3 Optionally, connect the DMZ interface to the DMZ network. You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on the internal network.
2 Repeat for all user-defined interfaces that you have configured.

The example in Figure 11 shows an internal network connected to user-defined interface 1 and an external network connected to user-defined interface 4.
In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet. When connecting to the ISP, in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP. The modem interface is connected to the FortiGate USB interface. You must connect an external modem to the USB interface.
To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased. You can register multiple FortiGate units in a single session without re-entering your contact information.

To configure virus, attack, and spam definition updates

You can configure the FortiGate unit to automatically keep virus, grayware, and attack definitions up to date.
Transparent mode installation

This chapter describes how to install a FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 27. If you want to install two or more FortiGate units in HA mode, see “High availability installation” on page 51.
Table 9: Transparent mode settings

Administrator Password:
Management IP
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server: _____._____._____.
2 Enter the IP address of the primary DNS server.
3 Enter the IP address of the secondary DNS server.
4 Select OK.

To configure the default gateway
1 Go to System > Network > Management.
2 Set Default Gateway to the default gateway IP address that you recorded in Table 9 on page 42.
3 Select Apply.
To add a default gateway
1 Press Enter to display the option list.
2 Use the down arrow to highlight Default Gateway.
3 Press Enter and set the default gateway.
4 After you set the last digit of the default gateway, press Enter.
5 Press Esc to return to the Main Menu.

You have now completed the initial configuration of the FortiGate unit and you can proceed to “Next steps” on page 48.
    config system manageip
        set ip 10.10.10.2 255.255.255.0
    end

3 Confirm that the address is correct. Enter:

    get system manageip

The CLI lists the management IP address and netmask.

To configure DNS server settings
1 Set the primary and secondary DNS server IP addresses. Enter:

    config system dns
        set primary <primary_dns_ip>
        set secondary <secondary_dns_ip>
    end

Example

    config system dns
        set primary 293.44.75.21
        set secondary 293.44.75.
The first time you connect to the FortiGate unit, it is configured to run in NAT/Route mode.

To switch to Transparent mode using the web-based manager
1 Go to System > Status.
2 Select Change beside the Operation Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK.

To reconnect to the web-based manager, change the IP address of the management computer to 10.10.10.2.
There are 4 10/100 Base-TX connectors on the FortiGate-800:
• user-defined interfaces 1 to 4 for connecting up to four additional networks to the FortiGate unit.
Figure 12: FortiGate-800/800F Transparent mode connections

Next steps

You can use the following information to configure FortiGate system time, to register the FortiGate unit, and to configure antivirus and attack d
5 Select Set Time and set the FortiGate system date and time.
6 Set the hour, minute, second, month, day, and year as required.
7 Select Apply.

To use NTP to set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date.
High availability installation

This chapter describes how to install two or more FortiGate units in an HA cluster. HA installation involves three basic steps:
• Configuring FortiGate units for HA operation
• Connecting the cluster to your networks
• Installing and configuring the cluster

For information about HA, see the FortiGate Administration Guide and the FortiOS High Availability technical note.
Table 10: High availability settings

Mode
  Active-Active: Load balancing and failover HA. Each FortiGate unit in the HA cluster actively processes connections and monitors the status of the other FortiGate units in the cluster. The primary FortiGate unit in the cluster controls load balancing.
  Active-Passive: Failover HA. The primary FortiGate unit in the cluster processes all connections.
Table 10: High availability settings (Continued)

Schedule
  The schedule controls load balancing among the FortiGate units in the active-active HA cluster. The schedule must be the same for all FortiGate units in the HA cluster.
  None: No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
  Hub: Load balancing for hubs.
To configure a FortiGate unit for HA operation
1 Go to System > Config > HA.
2 Select High Availability.
3 Select the mode.
4 Select a Group ID for the HA cluster.
5 If required, change the Unit Priority.
6 If required, select Override master.
7 Enter and confirm a password for the HA cluster.
8 If you are configuring Active-Active HA, select a schedule.
9 Select Apply.
To configure the FortiGate unit for HA operation
1 Configure HA settings.
Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are functioning and the cluster completes negotiation. Cluster negotiation normally takes just a few seconds.
Figure 13: HA network configuration

2 Power on all the FortiGate units in the cluster. As the units start, they negotiate to choose the primary cluster unit and the subordinate units.
The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster. Because of this synchronization, you configure and manage the HA cluster instead of managing the individual FortiGate units in the cluster.