Table of Contents. Fortinet FortiGate 400


308 Pages

Table of Contents

Introduction

Antivirus protection

Web content filtering

Email filtering

Firewall

NAT/Route mode

Transparent mode

VLAN

Network intrusion detection

VPN

High availability

Secure installation, configuration, and management

Web-based manager

Command line interface

Logging and reporting

What’s new in Version 2.50

System administration

Firewall

Users and authentication

VPN

NIDS

Antivirus

Web Filter

Email filter

Logging and Reporting

About this document

Document conventions

Fortinet documentation

Comments on Fortinet technical documentation

Customer service and technical support

Getting started

Package contents

Mounting

Powering on

Connecting to the web-based manager

Connecting to the command line interface (CLI)

Factory default FortiGate configuration settings

Factory default NAT/Route mode network configuration

Factory default Transparent mode network configuration

Factory default firewall configuration

Factory default content profiles

FortiGate-400 Installation and Configuration Guide

Planning your FortiGate configuration

NAT/Route mode

NAT/Route mode with multiple external network connections

Transparent mode

Configuration options

FortiGate model maximum values matrix

Next steps

NAT/Route mode installation

Preparing to configure NAT/Route mode

Using the setup wizard

Starting the setup wizard

Reconnecting to the web-based manager

Using the front control buttons and LCD

Using the command line interface

Configuring the FortiGate unit to operate in NAT/Route mode

Connecting the FortiGate unit to your networks

Configuring your network

Completing the configuration

Configuring interface 3

Configuring interface 4/HA

Setting the date and time

Enabling antivirus protection

Registering your FortiGate unit

Configuring virus and attack definition updates

Configuration example: Multiple connections to the Internet

Configuring Ping servers

Destination based routing examples

Policy routing examples

Firewall policy example

Transparent mode installation

Preparing to configure Transparent mode

Using the setup wizard

Changing to Transparent mode

Starting the setup wizard

Reconnecting to the web-based manager

Using the front control buttons and LCD

Using the command line interface

Changing to Transparent mode

Configuring the Transparent mode management IP address

Configure the Transparent mode default gateway

Fortinet Inc.

Completing the configuration

Setting the date and time

Enabling antivirus protection

Registering your FortiGate

Configuring virus and attack definition updates

Connecting the FortiGate unit to your networks

Transparent mode configuration examples

Default routes and static routes

Example default route to an external network

Example static route to an external destination

Example static route to an internal destination

High availability

Active-passive HA

Active-active HA

HA in NAT/Route mode

Installing and configuring the FortiGate units

Configuring the HA interfaces

Configuring the HA cluster

Connecting the HA cluster to your network

Starting the HA cluster

HA in Transparent mode

Installing and configuring the FortiGate units

Configuring the HA interface and HA IP address

Configuring the HA cluster

Connecting the HA cluster to your network

Starting the HA cluster

Managing the HA cluster

Viewing the status of cluster members

Monitoring cluster members

Monitoring cluster sessions

Viewing and managing cluster log messages

Managing individual cluster units

Synchronizing the cluster configuration

Returning to standalone configuration

Replacing a FortiGate unit after fail-over

Advanced HA options

Selecting a FortiGate unit to a permanent primary unit

Configuring weighted-round-robin weights

System status

Changing the FortiGate host name

Changing the FortiGate firmware

Upgrade to a new firmware version

Revert to a previous firmware version

Install a firmware image from a system reboot using the CLI

Test a new firmware image before installing it

Installing and using a backup firmware image

Manual virus definition updates

Manual attack definition updates

Displaying the FortiGate serial number

Displaying the FortiGate up time

Displaying log hard disk status

Backing up system settings

Restoring system settings

Restoring system settings to factory defaults

Changing to Transparent mode

Changing to NAT/Route mode

Restarting the FortiGate unit

Shutting down the FortiGate unit

System status

Viewing CPU and memory status

Viewing sessions and network status

Viewing virus and intrusions status

Session list

Virus and attack definitions updates and registration

Updating antivirus and attack definitions

Connecting to the FortiResponse Distribution Network

Configuring scheduled updates

Configuring update logging

Adding an override server

Manually updating antivirus and attack definitions

Configuring push updates

Push updates through a NAT device

Scheduled updates through a proxy server

Registering FortiGate units

FortiCare Service Contracts

Registering the FortiGate unit

Updating registration information

Recovering a lost Fortinet support password

Viewing the list of registered FortiGate units

Registering a new FortiGate unit

Adding or changing a FortiCare Support Contract number

Changing your Fortinet support password

Changing your contact information or security question

Downloading virus and attack definitions updates

Registering a FortiGate unit after an RMA

Network configuration

Configuring zones

Adding zones

Adding interfaces to a zone

Adding VLAN subinterfaces to a zone

Renaming zones

Deleting zones

Configuring interfaces

Viewing the interface list

Bringing up an interface

Changing an interface static IP address

Adding a secondary IP address to an interface

Adding a ping server to an interface

Controlling management access to an interface

Configuring traffic logging for connections to an interface

Changing the MTU size to improve network performance

Configuring port4/ha

Configuring the management interface (Transparent mode)

Configuring VLANs

VLAN network configuration

Adding VLAN subinterfaces

Configuring routing

Adding a default route

Adding destination-based routes to the routing table

Adding routes in Transparent mode

Configuring the routing table

Policy routing

Providing DHCP services to your internal network

RIP configuration

RIP settings

Configuring RIP for FortiGate interfaces

Adding RIP neighbors

Adding RIP filters

Adding a single RIP filter

Adding a RIP filter list

Adding a neighbors filter

Adding a routes filter

System configuration

Setting system date and time

Changing web-based manager options

Adding and editing administrator accounts

Adding new administrator accounts

Editing administrator accounts

Configuring SNMP

Configuring the FortiGate unit for SNMP monitoring

Configuring FortiGate SNMP support

FortiGate MIBs

FortiGate traps

Customizing replacement messages

Customizing replacement messages

Customizing alert emails

Firewall configuration

Default firewall configuration

Interfaces

VLAN subinterfaces

Zones

Addresses

Services

Schedules

Content profiles

Adding firewall policies

Firewall policy options

Configuring policy lists

Policy matching in detail

Changing the order of policies in a policy list

Enabling and disabling policies

Addresses

Adding addresses

Editing addresses

Deleting addresses

Organizing addresses into address groups

Services

Predefined services

Providing access to custom services

Grouping services

Schedules

Creating one-time schedules

Creating recurring schedules

Adding a schedule to a policy

Virtual IPs

Adding static NAT virtual IPs

Adding port forwarding virtual IPs

Adding policies with virtual IPs

IP pools

Adding an IP pool

IP Pools for firewall policies that use fixed ports

IP pools and dynamic NAT

IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall

Configuring IP/MAC binding for packets going to the firewall

Adding IP/MAC addresses

Viewing the dynamic IP/MAC list

Enabling IP/MAC binding

Content profiles

Default content profiles

Adding a content profile

Adding a content profile to a policy

Users and authentication

Setting authentication timeout

Adding user names and configuring authentication

Adding user names and configuring authentication

Deleting user names from the internal database

Configuring RADIUS support

Adding RADIUS servers

Deleting RADIUS servers

Configuring LDAP support

Adding LDAP servers

Deleting LDAP servers

Configuring user groups

Adding user groups

Deleting user groups

IPSec VPN........................................................................................................... 209

Key management............................................................................................................ 210

Manual Keys ............................................................................................................... 210

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 210

Manual key IPSec VPNs................................................................................................. 211

General configuration steps for a manual key VPN .................................................... 211

Adding a manual key VPN tunnel ............................................................................... 211

AutoIKE IPSec VPNs ...................................................................................................... 213

General configuration steps for an AutoIKE VPN ....................................................... 213

Adding a phase 1 configuration for an AutoIKE VPN.................................................. 213

Adding a phase 2 configuration for an AutoIKE VPN.................................................. 217

Managing digital certificates............................................................................................ 219

Obtaining a signed local certificate ............................................................................. 219

Obtaining a CA certificate ........................................................................................... 223

Configuring encrypt policies............................................................................................ 224

Adding a source address ............................................................................................ 225

Adding a destination address...................................................................................... 225

Adding an encrypt policy............................................................................................. 225

IPSec VPN concentrators ............................................................................................... 227

VPN concentrator (hub) general configuration steps .................................................. 227

Adding a VPN concentrator ........................................................................................ 229

VPN spoke general configuration steps...................................................................... 230

Redundant IPSec VPNs.................................................................................................. 231

Configuring redundant IPSec VPN ............................................................................. 231

Monitoring and Troubleshooting VPNs ........................................................................... 233

Viewing VPN tunnel status.......................................................................................... 233

Viewing dialup VPN connection status ....................................................................... 233

Testing a VPN............................................................................................................. 234

PPTP and L2TP VPN .......................................................................................... 235

Configuring PPTP ........................................................................................................... 235

Configuring the FortiGate unit as a PPTP gateway .................................................... 236

Configuring a Windows 98 client for PPTP ................................................................. 238

Configuring a Windows 2000 client for PPTP ............................................................. 239

Configuring a Windows XP client for PPTP ................................................................ 240

Configuring L2TP ............................................................................................................ 241

Configuring the FortiGate unit as a L2TP gateway ..................................................... 242

Configuring a Windows 2000 client for L2TP.............................................................. 245

Configuring a Windows XP client for L2TP ................................................................. 246

Network Intrusion Detection System (NIDS) ................................................... 249

Detecting attacks ............................................................................................................ 249

Selecting the interfaces to monitor.............................................................................. 250

Disabling the NIDS...................................................................................................... 250

Configuring checksum verification .............................................................................. 250

Viewing the signature list ............................................................................................ 251

Viewing attack descriptions......................................................................................... 251

Enabling and disabling NIDS attack signatures .......................................................... 252

Adding user-defined signatures .................................................................................. 252

Preventing attacks .......................................................................................................... 253

Enabling NIDS attack prevention ................................................................................ 253

Enabling NIDS attack prevention signatures .............................................................. 254

Setting signature threshold values.............................................................................. 254

Configuring synflood signature values ........................................................................ 256

Logging attacks............................................................................................................... 256

Logging attack messages to the attack log................................................................. 256

Reducing the number of NIDS attack log and email messages.................................. 257

Antivirus protection........................................................................................... 259

General configuration steps ............................................................................................ 259

Antivirus scanning........................................................................................................... 260

File blocking .................................................................................................................... 261

Blocking files in firewall traffic ..................................................................................... 262

Adding file patterns to block........................................................................................ 262

Quarantine ...................................................................................................................... 263

Quarantining infected files .......................................................................................... 263

Quarantining blocked files........................................................................................... 263

Viewing the quarantine list .......................................................................................... 264

Sorting the quarantine list ........................................................................................... 264

Filtering the quarantine list.......................................................................................... 265

Deleting files from quarantine ..................................................................................... 265

Downloading quarantined files.................................................................................... 265

Configuring quarantine options ................................................................................... 265

Blocking oversized files and emails ................................................................................ 266

Configuring limits for oversized files and email........................................................... 266

Exempting fragmented email from blocking.................................................................... 266

Viewing the virus list ....................................................................................................... 266

Web filtering ....................................................................................................... 267

General configuration steps ............................................................................................ 267

Content blocking ............................................................................................................. 268

Adding words and phrases to the banned word list .................................................... 268

URL blocking................................................................................................................... 269

Using the FortiGate web filter ..................................................................................... 269

Using the Cerberian web filter..................................................................................... 272

Script filtering .................................................................................................................. 274

Enabling the script filter............................................................................................... 274

Selecting script filter options ....................................................................................... 274

Exempt URL list .............................................................................................................. 275

Adding URLs to the exempt URL list .......................................................................... 275

Email filter........................................................................................................... 277

General configuration steps ............................................................................................ 277

Email banned word list.................................................................................................... 278

Adding words and phrases to the banned word list .................................................... 278

Email block list ................................................................................................................ 279

Adding address patterns to the email block list........................................................... 279

Email exempt list............................................................................................................. 279

Adding address patterns to the email exempt list ....................................................... 280

Adding a subject tag ....................................................................................................... 280

Logging and reporting....................................................................................... 281

Recording logs ................................................................................................................ 281

Recording logs on a remote computer........................................................................ 282

Recording logs on a NetIQ WebTrends server ........................................................... 282

Recording logs on the FortiGate hard disk ................................................................. 283

Recording logs in system memory.............................................................................. 284

Filtering log messages .................................................................................................... 284

Configuring traffic logging ............................................................................................... 286

Enabling traffic logging................................................................................................ 286

Configuring traffic filter settings................................................................................... 287

Adding traffic filter entries ........................................................................................... 288

Viewing logs saved to memory ....................................................................................... 289

Viewing logs................................................................................................................ 289

Searching logs ............................................................................................................ 289

Viewing and managing logs saved to the hard disk........................................................ 290

Viewing logs................................................................................................................ 290

Searching logs ............................................................................................................ 290

Downloading a log file to the management computer................................................. 291

Deleting all messages in an active log........................................................................ 291

Deleting a saved log file.............................................................................................. 292

Configuring alert email .................................................................................................... 292

Adding alert email addresses...................................................................................... 292

Testing alert email....................................................................................................... 293

Enabling alert email .................................................................................................... 293

Glossary ............................................................................................................. 295

Index .................................................................................................................... 299
