FortiGate-400 Installation and Configuration Guide Version 2.50 MR2
IPSec VPN
A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client to gain remote access to his private office network. In both cases, the secure connection appears to the user as a private network communication, even though the communication is carried over a public network.
Secure VPN connections are enabled by a combination of tunneling, data encryption and authentication. Tunneling encapsulates data so that it can be transferred over the public network. Instead of being sent in its original format, the data frames are encapsulated within an additional header and then routed between tunnel endpoints.
Upon arrival at the destination endpoint, the data is decapsulated and forwarded to its destination within the private network.
Encryption transforms a data stream from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). The information is encrypted and decrypted using mathematical algorithms together with secret values known as keys.
Authentication provides a means to verify the origin of a packet and the integrity of its contents. Authentication is completed using checksums calculated with keyed hash function algorithms.
This chapter provides an overview of how to configure FortiGate IPSec VPN. For a complete description of FortiGate VPN, see the FortiGate VPN Guide.
This chapter covers:
• Key management
• Manual key IPSec VPNs
• AutoIKE IPSec VPNs
• Managing digital certificates
• Configuring encrypt policies
• Monitoring and Troubleshooting VPNs
Key management
There are three basic elements in any encryption system:
• an algorithm which changes information into code,
• a cryptographic key which serves as a secret starting point for the algorithm,
• a management system to control the key.
IPSec provides two ways to handle key exchange and management: manual keying and IKE for automated key management.
• Manual keys
• Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
Manual keys
When manual keys are employed, matching security parameters must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
To facilitate deployment of multiple tunnels, an automated system of key management is required. IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.
AutoIKE with pre-shared keys
When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not actually send the key to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication purposes, and is automatically regenerated during the communication session by IKE.
Pre-shared keys are similar to the manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites.
Whenever a pre-shared key changes, the administrator must update both sites.
AutoIKE with certificates
This method of key management involves the participation of a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. Each peer then contacts the CA to retrieve its own certificate, plus that of the CA itself. Once the certificates have been uploaded to the FortiGate units and appropriate IPSec tunnels and policies have been configured, the peers are ready to start communicating. As they do, IKE manages the exchange of certificates, transmitting signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.
In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.
Manual key IPSec VPNs
When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers.
With other methods the SPI is generated automatically but with the manual key configuration it must be entered as part of the VPN setup.
The encryption and authentication keys must match on the local and remote peers; the SPI values must be mirror images of each other. After you enter these values, the VPN tunnel can start without any need for the authentication and encryption algorithms to be negotiated. So long as you have entered correct, complementary values, the tunnel will be established between the peers. In essence, the tunnel already exists between the peers. As a result, when traffic matches a policy requiring the tunnel, it can be authenticated and encrypted immediately.
• General configuration steps for a manual key VPN
• Adding a manual key VPN tunnel
General configuration steps for a manual key VPN
A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
To create a manual key VPN configuration:
1 Add a manual key VPN tunnel. See “Adding a manual key VPN tunnel” on page 211.
2 Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 224.
Adding a manual key VPN tunnel
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key.
To add a manual key VPN tunnel:
1 Go to VPN > IPSec > Manual Key.
2 Select New to add a new manual key VPN tunnel.
3 Enter a VPN Tunnel Name.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Enter the Local SPI.
The Local Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.
5 Enter the Remote SPI.
The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.
6 Enter the Remote Gateway.
This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.
7 Select an Encryption Algorithm from the list.
Use the same algorithm at both ends of the tunnel.
8 Enter the Encryption Key.
Each two character combination entered in hexadecimal format represents one byte. Depending on the encryption algorithm you have selected, you may be required to enter the key in multiple segments. Use the same encryption key at both ends of the tunnel.
DES Enter a 16 character (8 byte) hexadecimal number (0-9, A-F).
3DES Enter a 48 character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
AES128 Enter a 32 character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
AES192 Enter a 48 character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
AES256 Enter a 64 character (32 byte) hexadecimal number (0-9, A-F). Separate the number into four segments of 16 characters.
9 Select an Authentication Algorithm from the list.
Use the same algorithm at both ends of the tunnel.
10 Enter the Authentication Key.
Each two character combination entered in hexadecimal format represents one byte. Use the same authentication key at both ends of the tunnel.
MD5 Enter a 32 character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
SHA1 Enter a 40 character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments: the first of 16 characters, the second of 24 characters.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. See “Adding a VPN concentrator” on page 229.
12 Select OK to save the manual key VPN tunnel.
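The following added example (written for this edition, not Fortinet's code) checks a manual key tunnel entry against the rules in the procedure above and then compares the two ends of the tunnel: SPIs in the range bb8 to FFFFFFF, the key length each algorithm requires, the allowed name characters, and the mirrored SPIs and identical keys that both peers must share. The dict field names are assumptions, and the sample keys and addresses are constructed placeholders.

```python
import ipaddress
import re

# Key lengths in hexadecimal characters required by the manual key procedure;
# every two hex characters represent one byte.
ENCRYPTION_KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES128": 32, "AES192": 48, "AES256": 64}
AUTHENTICATION_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}

# SPI range from the procedure: hexadecimal, bb8 to FFFFFFF.
SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFF

NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")   # allowed tunnel name characters
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_spi(text):
    """Parse an SPI typed as hexadecimal; raise ValueError if it is out of range."""
    if not HEX_RE.match(text):
        raise ValueError(f"SPI {text!r} is not a hexadecimal number")
    value = int(text, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside the range bb8 to FFFFFFF")
    return value


def join_key_segments(segments):
    """The GUI collects long keys as several segments; join them after
    checking that each one is hexadecimal."""
    for seg in segments:
        if not HEX_RE.match(seg):
            raise ValueError(f"key segment {seg!r} is not hexadecimal")
    return "".join(segments).upper()


def validate_tunnel(cfg):
    """Return the problems found in one manual key tunnel entry (empty = OK).

    cfg keys (assumed names): name, local_spi, remote_spi, remote_gateway,
    enc_alg, enc_key (list of segments), auth_alg, auth_key (list of segments).
    """
    problems = []
    if not NAME_RE.match(cfg["name"]):
        problems.append("tunnel name may only contain 0-9, A-Z, a-z, - and _")
    for spi_field in ("local_spi", "remote_spi"):
        try:
            parse_spi(cfg[spi_field])
        except ValueError as exc:
            problems.append(str(exc))
    try:
        ipaddress.IPv4Address(cfg["remote_gateway"])
    except ValueError:
        problems.append(f"remote gateway {cfg['remote_gateway']!r} is not an IPv4 address")
    for alg_field, key_field, table in (
        ("enc_alg", "enc_key", ENCRYPTION_KEY_HEX_LEN),
        ("auth_alg", "auth_key", AUTHENTICATION_KEY_HEX_LEN),
    ):
        alg = cfg[alg_field]
        if alg not in table:
            problems.append(f"unknown algorithm {alg!r}")
            continue
        try:
            key = join_key_segments(cfg[key_field])
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if len(key) != table[alg]:
            problems.append(f"{alg} needs a {table[alg]} character key, got {len(key)}")
    return problems


def check_peer_pair(peer_a, peer_b):
    """Problems that only show when both ends are compared: the SPIs must be
    mirror images and the algorithms and keys must be identical."""
    problems = validate_tunnel(peer_a) + validate_tunnel(peer_b)
    if problems:
        return problems
    if parse_spi(peer_a["local_spi"]) != parse_spi(peer_b["remote_spi"]):
        problems.append("local SPI of peer A must equal remote SPI of peer B")
    if parse_spi(peer_a["remote_spi"]) != parse_spi(peer_b["local_spi"]):
        problems.append("remote SPI of peer A must equal local SPI of peer B")
    for alg_field, key_field in (("enc_alg", "enc_key"), ("auth_alg", "auth_key")):
        if peer_a[alg_field] != peer_b[alg_field]:
            problems.append(f"{alg_field} differs between the peers")
        elif join_key_segments(peer_a[key_field]) != join_key_segments(peer_b[key_field]):
            problems.append(f"{key_field} differs between the peers")
    return problems


# Constructed sample entries for the two ends of one tunnel (placeholder keys
# and documentation addresses, not real credentials).
SITE_A = {
    "name": "office_to_branch",
    "local_spi": "bb8", "remote_spi": "1F4E", "remote_gateway": "198.51.100.7",
    "enc_alg": "AES128", "enc_key": ["0123456789ABCDEF", "FEDCBA9876543210"],
    "auth_alg": "MD5", "auth_key": ["0011223344556677", "8899AABBCCDDEEFF"],
}
SITE_B = dict(SITE_A, local_spi="1F4E", remote_spi="bb8", remote_gateway="203.0.113.10")

if __name__ == "__main__":
    print("site A:", validate_tunnel(SITE_A) or "OK")
    print("pair:", check_peer_pair(SITE_A, SITE_B) or "OK")
```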
AutoIKE IPSec VPNs
Fortinet supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
• General configuration steps for an AutoIKE VPN
• Adding a phase 1 configuration for an AutoIKE VPN
• Adding a phase 2 configuration for an AutoIKE VPN
General configuration steps for an AutoIKE VPN
An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
To create an AutoIKE VPN configuration:
Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA certificate. See “Obtaining a CA certificate” on page 223.
1 Add the phase 1 parameters. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 213.
2 Add the phase 2 parameters. See “Adding a phase 2 configuration for an AutoIKE VPN” on page 217.
3 Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 224.
Adding a phase 1 configuration for an AutoIKE VPN
When you add a phase 1 configuration, you define the terms by which the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to the establishment of an IPSec VPN tunnel.
The phase 1 configuration is related to the phase 2 configuration. In phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiGate unit).
When the FortiGate unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destination addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy.
To add a phase 1 configuration:
1 Go to VPN > IPSEC > Phase 1.
2 Select New to add a new phase 1 configuration.
3 Enter a Gateway Name for the remote VPN peer.
The remote VPN peer can be either a gateway to another network or an individual client on the Internet.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select a Remote Gateway address type.
• If the remote VPN peer has a static IP address, select Static IP Address.
• If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User.
Depending upon the Remote Gateway address type you have selected, other fields become available.
Remote Gateway: Static IP Address
IP Address If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiGate unit. This is a mandatory entry.
Remote Gateway: Dialup User
Peer Options If you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers with peer IDs during phase 1 negotiations. For details, see the Peer Option step under “Configuring advanced options”.
5 Select Aggressive or Main (ID Protection) mode.
When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden.
The VPN peers must use the same mode.
6 Configure the P1 Proposal.
Select up to three encryption and authentication algorithm combinations to propose for phase 1.
The VPN peers must use the same P1 proposal settings.
7 Select the DH Group(s).
Select one or more Diffie-Hellman groups to propose for phase 1.
As a general rule, the VPN peers should use the same DH Group settings.
8 Enter the Keylife.
The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service.
P1 proposal keylife can be from 120 to 172,800 seconds.
9 For Authentication Method, select Preshared Key or RSA Signature.
• If you select Preshared Key, enter a key that is shared by the VPN peers. The key must contain at least 6 printable characters and should only be known by network administrators. To protect against the best-known attacks, a good pre-shared key should consist of a minimum of 16 randomly chosen alpha-numeric characters.
• If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 219.
10 Optionally, enter the Local ID of the FortiGate unit.
The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit will transmit its IP address.)
Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode.
Configuring advanced options
1 Select Advanced Options.
2 Optionally, select a Peer Option.
Use the Peer Options to authenticate remote VPN peers by the ID that they transmit during phase 1.
Accept any peer ID Select to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID).
Accept this peer ID Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-shared key). Also add the peer ID.
Accept peer ID in dialup group Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group prior to configuring this peer option.
3 Optionally, configure XAuth.
XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it will authenticate remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it will provide a user name and password when it is challenged.
XAuth: Enable as a Client
Name Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.
Password Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.
XAuth: Enable as a Server
Encryption method Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server.
PAP: Password Authentication Protocol.
CHAP: Challenge-Handshake Authentication Protocol.
MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.)
Usergroup Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here.
4 Optionally, configure NAT Traversal.
Enable Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting.
Keepalive Frequency If you enable NAT-traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.
5 Optionally, configure Dead Peer Detection.
Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors.
Enable Select Enable to enable DPD between the local and remote peers.
Short Idle Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval.
Retry Count Set the number of times that the local VPN peer will retry the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
Retry Interval Set the time, in seconds, that the local VPN peer unit waits between retrying DPD probes.
Long Idle Set the period of time, in seconds, that a link must remain unused before the local VPN peer pro-actively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
6 Select OK to save the phase 1 parameters.
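An added model of the Dead Peer Detection timers as described above (an illustration for this edition, not FortiOS code; the exact probe timing in the unit may differ): once a link has been unused for Short Idle, outbound traffic carries a DPD probe with it; after Long Idle the local peer probes on its own; an unanswered probe is retried Retry Count times at Retry Interval before the SA is torn down. The event timelines are constructed, and any packet from the peer is taken as proof that it is alive.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdConfig:
    short_idle: int      # seconds unused before outbound traffic piggybacks a probe
    retry_count: int     # retries before the peer is declared dead
    retry_interval: int  # seconds between retries
    long_idle: int       # seconds unused before a proactive probe


@dataclass
class DpdMonitor:
    cfg: DpdConfig
    last_rx: float = 0.0                 # last packet seen from the peer
    outstanding: int = 0                 # probes sent since the last reply
    next_check: Optional[float] = None   # when the outstanding probe times out
    dead: bool = False
    log: List[Tuple[float, str]] = field(default_factory=list)

    def received(self, now):
        """Any packet from the peer (data or probe reply) proves it is alive."""
        self.last_rx = now
        self.outstanding = 0
        self.next_check = None

    def _probe(self, now, reason):
        self.outstanding += 1
        self.next_check = now + self.cfg.retry_interval
        self.log.append((now, f"probe {self.outstanding} ({reason})"))

    def sent_traffic(self, now):
        """Short idle: once the link has been unused this long, the traffic
        the local peer sends is accompanied by a DPD probe."""
        if self.dead or self.outstanding:
            return
        if now - self.last_rx >= self.cfg.short_idle:
            self._probe(now, "short idle")

    def tick(self, now):
        """Timer handling: retry an unanswered probe, declare the peer dead
        once the retries are exhausted, or probe proactively after long idle."""
        if self.dead:
            return
        if self.outstanding:
            if now >= self.next_check:
                if self.outstanding > self.cfg.retry_count:
                    self.dead = True
                    self.log.append((now, "peer dead: tear down SA"))
                else:
                    self._probe(now, "retry")
        elif now - self.last_rx >= self.cfg.long_idle:
            self._probe(now, "long idle")


def replay(cfg, events):
    """Replay (time, event) pairs, event in {"rx", "tx", "tick"}; return the monitor."""
    mon = DpdMonitor(cfg)
    for now, ev in sorted(events):
        {"rx": mon.received, "tx": mon.sent_traffic, "tick": mon.tick}[ev](now)
    return mon


CFG = DpdConfig(short_idle=10, retry_count=2, retry_interval=5, long_idle=30)
# Constructed timelines: "rx" = packet from the peer, "tx" = local peer sends
# traffic, "tick" = periodic timer check.
PEER_ALIVE = [(0, "rx"), (12, "tx"), (13, "rx"), (50, "tick"), (51, "rx"), (52, "tick")]
PEER_SILENT = [(0, "rx")] + [(t, "tick") for t in range(5, 61, 5)]

if __name__ == "__main__":
    for name, timeline in (("alive", PEER_ALIVE), ("silent", PEER_SILENT)):
        mon = replay(CFG, timeline)
        print(name, "dead" if mon.dead else "up", mon.log)
```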
Figure 21: Adding a phase 1 configuration
Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Note: Adding a phase 2 configuration is the same for pre-shared key and certificate VPNs.
To add a phase 2 configuration:
1 Go to VPN > IPSEC > Phase 2.
2 Select New to add a new phase 2 configuration.
3 Enter a Tunnel Name.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select a Remote Gateway to associate with the VPN tunnel.
A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see “Adding a phase 1 configuration for an AutoIKE VPN” on page 213.
Choose either a single DIALUP remote gateway, or up to three STATIC remote gateways. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy. For information about IPSec redundancy, see
5 Configure the P2 Proposal.
Select up to three encryption and authentication algorithm combinations to propose for phase 2.
The VPN peers must use the same P2 proposal settings.
6 Optionally, enable Replay Detection.
Replay detection protects the VPN tunnel from replay attacks.
Note: Do not select replay detection if you have also selected Null Authentication for the P2 Proposal.
7 Optionally, enable Perfect Forward Secrecy (PFS).
PFS improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
8 Select the DH Group(s).
The VPN peers must use the same DH Group settings.
9 Enter the Keylife.
The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed.
When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.
10 Optionally, enable Autokey Keep Alive.
Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed.
11 Optionally, select a concentrator.
Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure “Adding a VPN concentrator” on page 229 to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you have added the tunnel.
12 Select OK to save the AutoIKE key VPN tunnel.
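An added example (not Fortinet's code) that checks a phase 2 entry against the constraints in the procedure above, picks the first P2 proposal both peers list, and applies the keylife rule: with both a time and a data limit selected the key expires only when both have been reached. The Phase2Config field names and the "NULL" label standing for Null Authentication are assumptions made for the example; the sample entry is constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Limits stated in the phase 2 procedure.
P2_KEYLIFE_SECONDS = (120, 172800)
P2_KEYLIFE_KBYTES = (5120, 99999)
MAX_PROPOSALS = 3
MAX_STATIC_GATEWAYS = 3


@dataclass
class Phase2Config:
    tunnel_name: str
    gateway_type: str                 # "DIALUP" or "STATIC"
    remote_gateways: List[str]        # phase 1 entries the tunnel is bound to
    proposals: List[Tuple[str, str]]  # (encryption, authentication) pairs
    replay_detection: bool
    pfs: bool
    dh_groups: List[int]
    keylife_seconds: Optional[int]    # None when no time limit is selected
    keylife_kbytes: Optional[int]     # None when no data limit is selected


def validate_phase2(cfg):
    """Return the problems in a phase 2 entry (empty list = acceptable)."""
    problems = []
    n = len(cfg.remote_gateways)
    if cfg.gateway_type == "DIALUP" and n != 1:
        problems.append("a DIALUP tunnel takes exactly one remote gateway")
    elif cfg.gateway_type == "STATIC" and not 1 <= n <= MAX_STATIC_GATEWAYS:
        problems.append(f"a STATIC tunnel takes 1 to {MAX_STATIC_GATEWAYS} remote gateways")
    if not 1 <= len(cfg.proposals) <= MAX_PROPOSALS:
        problems.append(f"select 1 to {MAX_PROPOSALS} P2 proposals")
    # "NULL" stands for Null Authentication here (label assumed for the example).
    if cfg.replay_detection and any(auth == "NULL" for _, auth in cfg.proposals):
        problems.append("replay detection cannot be used with Null Authentication")
    if cfg.keylife_seconds is None and cfg.keylife_kbytes is None:
        problems.append("keylife needs a time limit, a data limit, or both")
    lo, hi = P2_KEYLIFE_SECONDS
    if cfg.keylife_seconds is not None and not lo <= cfg.keylife_seconds <= hi:
        problems.append(f"keylife seconds must be between {lo} and {hi}")
    lo, hi = P2_KEYLIFE_KBYTES
    if cfg.keylife_kbytes is not None and not lo <= cfg.keylife_kbytes <= hi:
        problems.append(f"keylife kbytes must be between {lo} and {hi}")
    return problems


def keylife_expired(cfg, age_seconds, kbytes_processed):
    """With one limit selected the key expires when that limit is reached;
    with both selected it expires only when the time has passed AND the
    data volume has been processed."""
    time_hit = cfg.keylife_seconds is not None and age_seconds >= cfg.keylife_seconds
    data_hit = cfg.keylife_kbytes is not None and kbytes_processed >= cfg.keylife_kbytes
    if cfg.keylife_seconds is not None and cfg.keylife_kbytes is not None:
        return time_hit and data_hit
    return time_hit or data_hit


def common_proposal(local, remote):
    """First P2 proposal both peers list, in the local peer's order of
    preference; None means the peers share no proposal and phase 2 fails."""
    for prop in local.proposals:
        if prop in remote.proposals:
            return prop
    return None


# Constructed sample entry: two proposals, PFS, and both keylife limits.
BRANCH = Phase2Config(
    tunnel_name="branch_tunnel", gateway_type="STATIC", remote_gateways=["branch_gw"],
    proposals=[("AES128", "SHA1"), ("3DES", "MD5")], replay_detection=True, pfs=True,
    dh_groups=[5], keylife_seconds=1800, keylife_kbytes=10240,
)

if __name__ == "__main__":
    print("problems:", validate_phase2(BRANCH) or "none")
    print("expired after 1800 s and 100 kbytes:", keylife_expired(BRANCH, 1800, 100))
    print("expired after 1800 s and 10240 kbytes:", keylife_expired(BRANCH, 1800, 10240))
```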
Figure 22: Adding a phase 2 configuration
Managing digital certificates
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants.
Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
• Obtaining a signed local certificate
• Obtaining a CA certificate
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Obtaining a signed local certificate
The signed local certificate provides the FortiGate unit with a means to authenticate itself to other devices.
Note: The VPN peers must use digital certificates that adhere to the X.509 standard.
Generating the certificate request
With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request.
To generate the certificate request:
1 Go to VPN > Local Certificates.
2 Select Generate.
3 Enter a Certificate Name.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Configure the Subject Information that identifies the object being certified.
Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an e-mail address.
Host IP For Host IP, enter the IP address of the FortiGate unit being certified.
Domain Name For Domain name, enter the fully qualified domain name of the FortiGate unit being certified. Do not include the protocol specification (http://) or any port number or path names.
E-mail For E-mail, enter the email address of the owner of the FortiGate unit being certified. Typically, e-mail addresses are entered only for clients, not gateways.
5 Configure the Optional Information to further identify the object being certified.
Organization Unit Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit (such as Manufacturing or MF).
Organization Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet).
Locality Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
State/Province Enter the name of the state or province where the FortiGate unit is located (such as California or CA).
Country Select the country where the FortiGate unit is located.
e-mail Enter a contact e-mail address for the FortiGate unit. Typically, e-mail addresses are entered only for clients, not gateways.
6 Configure the key.
Key Type Select RSA as the key encryption type. No other key type is supported.
Key Size Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all products support all three key sizes.
7 Select OK to generate the private and public key pair and the certificate request.
The private/public key pair will be generated and the certificate request will be displayed on the Local Certificates list with a status of Pending.
Figure 23: Adding a Local Certificate
Downloading the certificate request
With this procedure, you download the certificate request from the FortiGate unit to the management computer.
To download the certificate request:
1 Go to VPN > Local Certificates.
2 Select Download to download the local certificate to the management computer.
3 Select Save.
4 Name the file and save it in a directory on the management computer.
Requesting the signed local certificate
With this procedure, you copy and paste the certificate request from the management computer to the CA web server.
To request the signed local certificate:
1 On the management computer, open the local certificate request in a text editor.
2 Copy the certificate request.
3 Connect to the CA web server.
4 Request the signed local certificate.
Follow the CA web server instructions to:
• add a base64 encoded PKCS#10 certificate request to the CA web server,
• paste the certificate request to the CA web server,
• submit the certificate request to the CA web server.
The certificate request is submitted to the CA for it to sign.
Figure 24: Opening a certificate request in a text editor
Retrieving the signed local certificate
With this procedure, you connect to the CA web server and download the signed local certificate to the management computer. (Do this after receiving notification from the CA that it has signed the certificate request.)
To retrieve the signed local certificate:
1 Connect to the CA web server.
2 Follow the CA web server instructions to download the signed local certificate.
The File Download dialog will display.
3 Select Save.
4 Save the file in a directory on the management computer.
Importing the signed local certificate
With this procedure, you import the signed local certificate from the management computer to the FortiGate unit.
To import the signed local certificate:
1 Go to VPN > Local Certificates.
2 Select Import.
3 Enter the path or browse to locate the signed local certificate on the management computer.
4 Select OK.
The signed local certificate will be displayed on the Local Certificates list with a status of OK.
Obtaining a CA certificate
For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices.
The FortiGate unit obtains the CA certificate in order to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit.
Note: The CA certificate must adhere to the X.509 standard.
Retrieving a CA certificate
Connect to the CA web server and download the CA certificate to the management computer.
To retrieve the CA certificate:
1 Connect to the CA web server.
2 Follow the CA web server instructions to download the CA certificate.
The File Download dialog will display.
3 Select Save.
4 Save the CA certificate in a directory on the management computer.
Importing a CA certificate
Import the CA certificate from the management computer to the FortiGate unit.
To import the CA certificate:
1 Go to VPN > CA Certificates.
2 Select Import.
3 Enter the path or browse to locate the CA certificate on the management computer.
4 Select OK.
The CA certificate will be displayed on the CA Certificates list.
Configuring encrypt policies
A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN.
A VPN requires only one encrypt policy to control both inbound and outbound connections. Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection), and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows a single encrypt policy to do the job of two regular firewall policies.
Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal network and a destination address on an external network. The source address identifies which addresses on the internal network are part of the VPN. The destination address identifies which addresses on the remote network are part of the VPN. Typical outgoing policies include Internal-to-External and DMZ-to-External.
Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the encrypt policy for:
• Inbound NAT to translate the source of incoming packets.
• Outbound NAT to translate the source address of outgoing packets.
• Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.
• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
• Logging so that the FortiGate unit logs all connections that use the VPN.
The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway.
When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.
Adding a source address
The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.
1 Go to Firewall > Address.
2 Select an internal interface. (Methods will differ slightly between FortiGate models.)
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5 Select OK to save the source address.
Adding a destination address
The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
1 Go to Firewall > Address.
2 Select an external interface. (Methods will differ slightly between FortiGate models.)
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.
5 Select OK to save the destination address.
Adding an encrypt policy
1 Go to Firewall > Policy.
2 Use the policy grid to choose the policy list to which to add the policy. For example, port1 -> port2 or port3 -> port2.
3 Select New to add a new policy.
4 Set Source to the source address.
5 Set Destination to the destination address.
6 Set Service to control the services allowed over the VPN connection. You can select ANY to allow all supported services over the VPN connection or select a specific service or service group to limit the services allowed over the VPN connection.
7 Set Action to ENCRYPT.
8 Configure the ENCRYPT parameters.
VPN Tunnel  Select an Auto Key tunnel for this encrypt policy.
Allow inbound  Select Allow inbound to enable inbound users to connect to the source address.
Allow outbound  Select Allow outbound to enable outbound users to connect to the destination address.
Inbound NAT  The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically, this is an internal interface of the FortiGate unit.
Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).
Outbound NAT  The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network. Typically, this is an external interface of the FortiGate unit.
Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway).
If Outbound NAT is implemented, it is subject to these limitations:
— Configure Outbound NAT only at one end of the tunnel.
— The end which does not implement Outbound NAT requires an Int->Ext policy which specifies the other end’s external interface as the Destination. (This will be a public IP address.)
— The tunnel, and the traffic within the tunnel, can only be initiated at the end which implements Outbound NAT.
Refer to the FortiGate Installation and Configuration Guide to configure the remaining policy settings.
9 Select OK to save the encrypt policy.
To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.
Figure 25: Adding an encrypt policy
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.
The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules. Also, a hub-and-spoke network provides some processing efficiencies, particularly on the spokes. The disadvantage of a hub-and-spoke network is its reliance on a single peer to handle management of all VPNs. If this peer goes down, all encrypted communication in the network is impossible.
A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role that the VPN peer is serving. If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network.
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.
This section describes:
• VPN concentrator (hub) general configuration steps
• Adding a VPN concentrator
• VPN spoke general configuration steps
VPN concentrator (hub) general configuration steps
A central FortiGate that is functioning as a hub requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for each spoke.
• Destination addresses for each spoke.
• A concentrator configuration.
• An encrypt policy for each spoke.
To create a VPN concentrator configuration:
1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel.
• A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See “Manual key IPSec VPNs” on page 211.
• An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method—either pre-shared keys or PKI certificates. The phase 2 parameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See “AutoIKE IPSec VPNs” on page 213.
2 Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “Adding a source address” on page 225.
3 Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See “Adding a VPN concentrator” on page 229.
Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. Use the following configuration for the encrypt policies:
Source  Internal_All
Destination  The VPN spoke address.
Action  ENCRYPT
VPN Tunnel  The VPN spoke tunnel name.
Allow inbound  Select allow inbound.
Allow outbound  Select allow outbound.
Inbound NAT  Select inbound NAT if required.
Outbound NAT  Select outbound NAT if required.
See “Adding an encrypt policy” on page 225.
5 Arrange the policies in the following order:
• encrypt policies
• default non-encrypt policy (Internal_All -> External_All)
Adding a VPN concentrator
To add a VPN concentrator configuration:
1 Go to VPN > IPSec > Concentrator.
2 Select New to add a VPN concentrator.
3 Enter the name of the new concentrator in the Concentrator Name field.
4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
6 Select OK to add the VPN concentrator.
Figure 26: Adding a VPN concentrator
VPN spoke general configuration steps
A remote VPN peer that is functioning as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
• The source address of the local VPN spoke.
• The destination address of each remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
• A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.
To create a VPN spoke configuration:
1 Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.
• To add a manual key tunnel, see “Manual key IPSec VPNs” on page 211.
• To add an AutoIKE tunnel, see “AutoIKE IPSec VPNs” on page 213.
2 Add the source address. One source address is required for the local VPN spoke. See “Adding a source address” on page 225.
3 Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “Adding a destination address” on page 225.
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:
Source  The local VPN spoke address.
Destination  The remote VPN spoke address.
Action  ENCRYPT
VPN Tunnel  The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound  Do not enable.
Allow outbound  Select allow outbound.
Inbound NAT  Select inbound NAT if required.
Outbound NAT  Select outbound NAT if required.
See “Adding an encrypt policy” on page 225.
5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:
Source  The local VPN spoke address.
Destination  External_All
Action  ENCRYPT
VPN Tunnel  The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound  Select allow inbound.
Allow outbound  Do not enable.
Inbound NAT  Select inbound NAT if required.
Outbound NAT  Select outbound NAT if required.
See “Adding an encrypt policy” on page 225.
6 Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
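The policy rules stated in this chapter (a single encrypt policy serving both directions through Allow inbound and Allow outbound, Outbound NAT hiding local host addresses from the remote side, and encrypt policies placed above the default non-encrypt policy in the hub and spoke policy lists) can be checked with a small first-match policy evaluator. The Python below is an added example written for this guide page; it is not FortiGate code, and its matching model is a simplification of what the FortiGate unit does. The interface names, subnets, tunnel name, policy names and the interface address used for NAT are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    in_intf: str    # interface the packet arrived on
    out_intf: str   # interface the route lookup selected
    src_ip: str
    dst_ip: str
    service: str    # e.g. "HTTP", "SSH"


@dataclass
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str   # CIDR; "0.0.0.0/0" stands in for Internal_All / External_All
    dst_addr: str
    service: str    # "ANY" or a single service name
    action: str     # "ACCEPT", "DENY" or "ENCRYPT"
    vpn_tunnel: Optional[str] = None
    allow_inbound: bool = False   # ENCRYPT only: remote hosts may start sessions
    allow_outbound: bool = False  # ENCRYPT only: local hosts may start sessions
    outbound_nat: bool = False    # ENCRYPT only: hide local source addresses

    def forward(self, p: Packet) -> bool:
        return (p.in_intf == self.src_intf and p.out_intf == self.dst_intf
                and ip_address(p.src_ip) in ip_network(self.src_addr)
                and ip_address(p.dst_ip) in ip_network(self.dst_addr))

    def reverse(self, p: Packet) -> bool:
        # The same policy read with source and destination swapped.
        return (p.in_intf == self.dst_intf and p.out_intf == self.src_intf
                and ip_address(p.src_ip) in ip_network(self.dst_addr)
                and ip_address(p.dst_ip) in ip_network(self.src_addr))

    def matches(self, p: Packet) -> bool:
        if self.service not in ("ANY", p.service):
            return False
        if self.action != "ENCRYPT":
            return self.forward(p)
        # An encrypt policy is written as an outgoing policy but, depending
        # on Allow inbound / Allow outbound, matches either direction.
        return ((self.allow_outbound and self.forward(p))
                or (self.allow_inbound and self.reverse(p)))


def evaluate(policies: List[Policy], p: Packet,
             intf_ips: Optional[Dict[str, str]] = None
             ) -> Tuple[str, Optional[str], str]:
    """Return (action, matching policy name, source address after NAT).

    Policies are tried top to bottom; the first match wins and a packet
    matching nothing is dropped. Outbound NAT rewrites the source to the
    address of the interface facing the destination network.
    """
    for pol in policies:
        if pol.matches(p):
            src = p.src_ip
            if pol.action == "ENCRYPT" and pol.outbound_nat and pol.forward(p):
                src = (intf_ips or {})[p.out_intf]
            return pol.action, pol.name, src
    return "DENY", None, p.src_ip


# Spoke policy list in the prescribed order: outbound encrypt policies, then
# the single inbound encrypt policy, then the default non-encrypt policy.
# Interfaces, subnets and the tunnel name are constructed for this example.
SPOKE_POLICIES = [
    Policy("to_spoke2", "internal", "external", "10.1.0.0/24", "10.2.0.0/24",
           "ANY", "ENCRYPT", vpn_tunnel="to_hub", allow_outbound=True),
    Policy("to_spoke3", "internal", "external", "10.1.0.0/24", "10.3.0.0/24",
           "ANY", "ENCRYPT", vpn_tunnel="to_hub", allow_outbound=True),
    Policy("from_vpn", "internal", "external", "10.1.0.0/24", "0.0.0.0/0",
           "ANY", "ENCRYPT", vpn_tunnel="to_hub", allow_inbound=True),
    Policy("internet", "internal", "external", "10.1.0.0/24", "0.0.0.0/0",
           "ANY", "ACCEPT"),
]

# The ordering mistake the text warns about: default policy on top.
MISORDERED = [SPOKE_POLICIES[3]] + SPOKE_POLICIES[:3]


def demo() -> Dict[str, Tuple[str, Optional[str], str]]:
    to_spoke2 = Packet("internal", "external", "10.1.0.5", "10.2.0.9", "HTTP")
    from_spoke3 = Packet("external", "internal", "10.3.0.7", "10.1.0.5", "SSH")
    to_internet = Packet("internal", "external", "10.1.0.5", "203.0.113.50", "HTTP")
    nat_policy = Policy("to_spoke2_nat", "internal", "external", "10.1.0.0/24",
                        "10.2.0.0/24", "ANY", "ENCRYPT", vpn_tunnel="to_hub",
                        allow_outbound=True, outbound_nat=True)
    return {
        "to_spoke2": evaluate(SPOKE_POLICIES, to_spoke2),
        "from_spoke3": evaluate(SPOKE_POLICIES, from_spoke3),
        "to_internet": evaluate(SPOKE_POLICIES, to_internet),
        "misordered": evaluate(MISORDERED, to_spoke2),   # accepted in the clear
        "nat_hidden": evaluate([nat_policy], to_spoke2, {"external": "198.51.100.1"}),
    }


if __name__ == "__main__":
    for label, res in demo().items():
        print(f"{label:12s} action={res[0]} policy={res[1]} src={res[2]}")
```

Running the block prints one line per constructed packet. The "misordered" case is the one to study: with the default non-encrypt policy above the encrypt policies, traffic bound for the remote spoke matches the ACCEPT policy first and is forwarded to the Internet unencrypted, which is why the encrypt policies must sit higher in the list. The "nat_hidden" case shows the remote side seeing only the external interface address once Outbound NAT is enabled.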
Redundant IPSec VPNs
To ensure the continuous availability of an IPSec VPN tunnel, you can configure multiple connections between the local FortiGate unit and the remote VPN peer (remote gateway). With a redundant configuration, if one connection fails the FortiGate unit will establish a tunnel using the other connection.
Configuration depends on the number of connections that each VPN peer has to the Internet. For example, if the local VPN peer has two connections to the Internet, then it can provide two redundant connections to the remote VPN peer.
A single VPN peer can be configured with up to three redundant connections.
The VPN peers are not required to have a matching number of Internet connections. For example, between two VPN peers, one can have multiple Internet connections while the other has only one Internet connection. Of course, with an asymmetrical configuration, the level of redundancy will vary from one end of the VPN to the other.
Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that authenticate themselves to each other with pre-shared keys or digital certificates. It is not available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it available to VPN peers that use manual keys.
Configuring redundant IPSec VPN
Prior to configuring the VPN, make sure that both FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces. Then assign each interface to an external zone. Finally, add a route to the Internet through each interface.
Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zone. Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones.
Configuration is made simpler if all external interfaces are grouped within a single zone, rather than multiple zones. However, this may not always be possible due to security considerations or other reasons.
After you have defined the Internet connections for both FortiGate units, you can proceed to configure the VPN tunnel.
To configure IPSec redundancy:
1 Add the phase 1 parameters for up to three VPN connections. Enter identical values for each VPN connection, with the exception of the Gateway Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a static IP address. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 213.
2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.
• If the Internet connections are in the same zone, add one VPN tunnel and add the remote gateways to it. You can add up to three remote gateways.
• If the Internet connections are in separate zones or assigned to unique interfaces, add a VPN tunnel for each remote gateway entered.
See “Adding a phase 2 configuration for an AutoIKE VPN” on page 217.
3 Add the source and destination addresses. See “Adding a source address” on page 225 and “Adding a destination address” on page 225.
4 Add encrypt policies for up to three VPN connections.
• If the VPN connections are in the same zone, add one outgoing encrypt policy; for example, an Internal -> External policy. Add the AutoIKE key tunnel to this policy.
• If the VPN connections are in different zones, add a separate outgoing encrypt policy for each connection; for example, an Internal -> External and an Internal -> DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy.
See “Adding an encrypt policy” on page 225.
Monitoring and Troubleshooting VPNs
This section provides a number of general maintenance and monitoring procedures for VPNs.
This section describes:
• Viewing VPN tunnel status
• Viewing dialup VPN connection status
• Testing a VPN
Viewing VPN tunnel status
You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows its status and its timeout.
To view VPN tunnel status:
1 Go to VPN > IPSEC > AutoIKE Key.
The Status column displays the status of each tunnel. If Status is Up, the tunnel is active. If Status is Down, the tunnel is not active.
The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Figure 27: AutoIKE key tunnel status
Viewing dialup VPN connection status
You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.
To view dialup connection status:
1 Go to VPN > IPSec > Dialup.
The Lifetime column displays how long the connection has been up.
The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
The Proxy ID Source column displays the actual IP address or subnet address of the remote peer.
The Proxy ID Destination column displays the actual IP address or subnet address of the local peer.
Figure 28: Dialup Monitor
Testing a VPN
To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiGate unit.
To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
234
Fortinet Inc.
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement
Table of contents
- 3 Table of Contents
- 15 Introduction
- 15 Antivirus protection
- 16 Web content filtering
- 16 Email filtering
- 17 Firewall
- 17 NAT/Route mode
- 18 Transparent mode
- 18 VLAN
- 18 Network intrusion detection
- 19 VPN
- 19 High availability
- 20 Secure installation, configuration, and management
- 20 Web-based manager
- 21 Command line interface
- 21 Logging and reporting
- 22 What’s new in Version 2.50
- 22 System administration
- 22 Network configuration
- 22 Routing
- 22 DHCP server
- 22 Routing Information Protocol (RIP)
- 22 SNMP
- 23 HA
- 23 Replacement messages
- 23 Firewall
- 23 Users and authentication
- 23 VPN
- 24 NIDS
- 24 Antivirus
- 24 Web Filter
- 24 Email filter
- 24 Logging and Reporting
- 25 About this document
- 26 Document conventions
- 27 Fortinet documentation
- 27 Comments on Fortinet technical documentation
- 28 Customer service and technical support
- 29 Getting started
- 30 Package contents
- 30 Mounting
- 30 Dimensions
- 30 Weight
- 31 Power requirements
- 31 Environmental specifications
- 31 Powering on
- 32 Connecting to the web-based manager
- 33 Connecting to the command line interface (CLI)
- 33 Factory default FortiGate configuration settings
- 34 Factory default NAT/Route mode network configuration
- 35 Factory default Transparent mode network configuration
- 35 Factory default firewall configuration
- 36 Factory default content profiles
- 37 Strict content profile
- 37 Scan content profile
- 38 Web content profile
- 38 Unfiltered content profile
- 39 Planning your FortiGate configuration
- 39 NAT/Route mode
- 40 NAT/Route mode with multiple external network connections
- 41 Transparent mode
- 41 Configuration options
- 41 Setup Wizard
- 42 CLI
- 42 Front keypad and LCD
- 42 FortiGate model maximum values matrix
- 43 Next steps
- 45 NAT/Route mode installation
- 45 Preparing to configure NAT/Route mode
- 46 Using the setup wizard
- 46 Starting the setup wizard
- 46 Reconnecting to the web-based manager
- 47 Using the front control buttons and LCD
- 47 Using the command line interface
- 47 Configuring the FortiGate unit to operate in NAT/Route mode
- 47 Configuring NAT/Route mode IP addresses
- 49 Connecting the FortiGate unit to your networks
- 50 Configuring your network
- 50 Completing the configuration
- 50 Configuring interface 3
- 51 Configuring interface 4/HA
- 51 Setting the date and time
- 51 Enabling antivirus protection
- 51 Registering your FortiGate unit
- 52 Configuring virus and attack definition updates
- 52 Configuration example: Multiple connections to the Internet
- 53 Configuring Ping servers
- 54 Destination based routing examples
- 54 Primary and backup links to the Internet
- 55 Load sharing
- 55 Load sharing and primary and secondary connections
- 57 Policy routing examples
- 57 Routing traffic from internal subnets to different external networks
- 57 Routing a service to an external network
- 58 Firewall policy example
- 58 Adding a redundant default policy
- 59 Adding more firewall policies
- 59 Restricting access to a single Internet connection
- 61 Transparent mode installation
- 61 Preparing to configure Transparent mode
- 62 Using the setup wizard
- 62 Changing to Transparent mode
- 62 Starting the setup wizard
- 62 Reconnecting to the web-based manager
- 63 Using the front control buttons and LCD
- 63 Using the command line interface
- 63 Changing to Transparent mode
- 64 Configuring the Transparent mode management IP address
- 64 Configure the Transparent mode default gateway
- 64 Completing the configuration
- 64 Setting the date and time
- 64 Enabling antivirus protection
- 65 Registering your FortiGate
- 65 Configuring virus and attack definition updates
- 65 Connecting the FortiGate unit to your networks
- 66 Transparent mode configuration examples
- 67 Default routes and static routes
- 67 Example default route to an external network
- 68 General configuration steps
- 69 Web-based manager example configuration steps
- 69 CLI configuration steps
- 69 Example static route to an external destination
- 70 General configuration steps
- 71 Web-based manager example configuration steps
- 71 CLI configuration steps
- 72 Example static route to an internal destination
- 72 General configuration steps
- 73 Web-based manager example configuration steps
- 73 CLI configuration steps
- 75 High availability
- 75 Active-passive HA
- 76 Active-active HA
- 77 HA in NAT/Route mode
- 77 Installing and configuring the FortiGate units
- 77 Configuring the HA interfaces
- 78 Configuring the HA cluster
- 80 Connecting the HA cluster to your network
- 82 Starting the HA cluster
- 82 HA in Transparent mode
- 82 Installing and configuring the FortiGate units
- 82 Configuring the HA interface and HA IP address
- 83 Configuring the HA cluster
- 85 Connecting the HA cluster to your network
- 86 Starting the HA cluster
- 86 Managing the HA cluster
- 86 Viewing the status of cluster members
- 87 Monitoring cluster members
- 88 Monitoring cluster sessions
- 88 Viewing and managing cluster log messages
- 89 Managing individual cluster units
- 89 Synchronizing the cluster configuration
- 90 Returning to standalone configuration
- 90 Replacing a FortiGate unit after fail-over
- 91 Advanced HA options
- 91 Selecting a FortiGate unit to a permanent primary unit
- 92 Configuring weighted-round-robin weights
- 93 System status
- 94 Changing the FortiGate host name
- 94 Changing the FortiGate firmware
- 95 Upgrade to a new firmware version
- 95 Upgrading the firmware using the web-based manager
- 95 Upgrading the firmware using the CLI
- 96 Revert to a previous firmware version
- 96 Reverting to a previous firmware version using the web-based manager
- 97 Reverting to a previous firmware version using the CLI
- 99 Install a firmware image from a system reboot using the CLI
- 101 Test a new firmware image before installing it
- 103 Installing and using a backup firmware image
- 103 Installing a backup firmware image
- 105 Switching to the backup firmware image
- 106 Switching back to the default firmware image
- 106 Manual virus definition updates
- 107 Manual attack definition updates
- 107 Displaying the FortiGate serial number
- 107 Displaying the FortiGate up time
- 107 Displaying log hard disk status
- 108 Backing up system settings
- 108 Restoring system settings
- 108 Restoring system settings to factory defaults
- 109 Changing to Transparent mode
- 109 Changing to NAT/Route mode
- 109 Restarting the FortiGate unit
- 110 Shutting down the FortiGate unit
- 110 System status
- 110 Viewing CPU and memory status
- 111 Viewing sessions and network status
- 112 Viewing virus and intrusions status
- 113 Session list
- 115 Virus and attack definitions updates and registration
- 115 Updating antivirus and attack definitions
- 116 Connecting to the FortiResponse Distribution Network
- 117 Configuring scheduled updates
- 118 Configuring update logging
- 119 Adding an override server
- 119 Manually updating antivirus and attack definitions
- 119 Configuring push updates
- 120 To enable push updates
- 120 About push updates
- 120 Push updates through a NAT device
- 120 Example: push updates through a NAT device
- 124 Scheduled updates through a proxy server
- 125 Registering FortiGate units
- 125 FortiCare Service Contracts
- 126 Registering the FortiGate unit
- 128 Updating registration information
- 128 Recovering a lost Fortinet support password
- 128 Viewing the list of registered FortiGate units
- 129 Registering a new FortiGate unit
- 129 Adding or changing a FortiCare Support Contract number
- 130 Changing your Fortinet support password
- 130 Changing your contact information or security question
- 130 Downloading virus and attack definitions updates
- 131 Registering a FortiGate unit after an RMA
- 133 Network configuration
- 133 Configuring zones
- 133 Adding zones
- 134 Adding interfaces to a zone
- 134 Adding VLAN subinterfaces to a zone
- 134 Renaming zones
- 135 Deleting zones
- 135 Configuring interfaces
- 135 Viewing the interface list
- 135 Bringing up an interface
- 136 Changing an interface static IP address
- 136 Adding a secondary IP address to an interface
- 136 Adding a ping server to an interface
- 137 Controlling management access to an interface
- 137 Configuring traffic logging for connections to an interface
- 137 Changing the MTU size to improve network performance
- 138 Configuring port4/ha
- 138 Configuring port4/ha for HA mode
- 138 Configuring port4/ha as a firewall interface
- 138 Configuring the management interface (Transparent mode)
- 139 Configuring VLANs
- 139 VLAN network configuration
- 141 Adding VLAN subinterfaces
- 141 Rules for VLAN IDs
- 141 Rules for VLAN IP addresses
- 141 Adding a VLAN subinterface
- 143 Configuring routing
- 143 Adding a default route
- 143 Adding destination-based routes to the routing table
- 145 Adding routes in Transparent mode
- 145 Configuring the routing table
- 146 Policy routing
- 146 Policy routing command syntax
- 147 Providing DHCP services to your internal network
- 149 RIP configuration
- 150 RIP settings
- 152 Configuring RIP for FortiGate interfaces
- 153 Adding RIP neighbors
- 154 Adding RIP filters
- 154 Adding a single RIP filter
- 155 Adding a RIP filter list
- 156 Adding a neighbors filter
- 156 Adding a routes filter
- 157 System configuration
- 157 Setting system date and time
- 158 Changing web-based manager options
- 160 Adding and editing administrator accounts
- 160 Adding new administrator accounts
- 161 Editing administrator accounts
- 162 Configuring SNMP
- 162 Configuring the FortiGate unit for SNMP monitoring
- 162 Configuring FortiGate SNMP support
- 163 FortiGate MIBs
- 164 FortiGate traps
- 164 Customizing replacement messages
- 165 Customizing replacement messages
- 166 Customizing alert emails
- 169 Firewall configuration
- 170 Default firewall configuration
- 170 Interfaces
- 170 VLAN subinterfaces
- 171 Zones
- 171 Addresses
- 172 Services
- 172 Schedules
- 172 Content profiles
- 172 Adding firewall policies
- 173 Firewall policy options
- 173 Source
- 173 Destination
- 174 Schedule
- 174 Service
- 174 Action
- 174 NAT
- 174 VPN Tunnel
- 175 Traffic Shaping
- 175 Authentication
- 176 Anti-Virus & Web filter
- 177 Log Traffic
- 177 Comments
- 177 Configuring policy lists
- 177 Policy matching in detail
- 178 Changing the order of policies in a policy list
- 178 Enabling and disabling policies
- 178 Disabling a policy
- 178 Enabling a policy
- 179 Addresses
- 179 Adding addresses
- 180 Editing addresses
- 180 Deleting addresses
- 181 Organizing addresses into address groups
- 182 Services
- 182 Predefined services
- 184 Providing access to custom services
- 185 Grouping services
- 186 Schedules
- 186 Creating one-time schedules
- 187 Creating recurring schedules
- 188 Adding a schedule to a policy
- 188 Virtual IPs
- 189 Adding static NAT virtual IPs
- 190 Adding port forwarding virtual IPs
- 191 Adding policies with virtual IPs
- 192 IP pools
- 192 Adding an IP pool
- 193 IP Pools for firewall policies that use fixed ports
- 193 IP pools and dynamic NAT
- 193 IP/MAC binding
- 194 Configuring IP/MAC binding for packets going through the firewall
- 195 Configuring IP/MAC binding for packets going to the firewall
- 195 Adding IP/MAC addresses
- 196 Viewing the dynamic IP/MAC list
- 196 Enabling IP/MAC binding
- 197 Content profiles
- 197 Default content profiles
- 197 Adding a content profile
- 199 Adding a content profile to a policy
- 201 Users and authentication
- 202 Setting authentication timeout
- 202 Adding user names and configuring authentication
- 202 Adding user names and configuring authentication
- 203 Deleting user names from the internal database
- 204 Configuring RADIUS support
- 204 Adding RADIUS servers
- 204 Deleting RADIUS servers
- 205 Configuring LDAP support
- 205 Adding LDAP servers
- 206 Deleting LDAP servers
- 207 Configuring user groups
- 207 Adding user groups
- 208 Deleting user groups
- 209 IPSec VPN
- 210 Key management
- 210 Manual Keys
- 210 Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
- 210 AutoIKE with pre-shared keys
- 210 AutoIKE with certificates
- 211 Manual key IPSec VPNs
- 211 General configuration steps for a manual key VPN
- 211 Adding a manual key VPN tunnel
- 213 AutoIKE IPSec VPNs
- 213 General configuration steps for an AutoIKE VPN
- 213 Adding a phase 1 configuration for an AutoIKE VPN
- 217 Adding a phase 2 configuration for an AutoIKE VPN
- 219 Managing digital certificates
- 219 Obtaining a signed local certificate
- 220 Generating the certificate request
- 221 Downloading the certificate request
- 221 Requesting the signed local certificate
- 222 Retrieving the signed local certificate
- 222 Importing the signed local certificate
- 223 Obtaining a CA certificate
- 223 Retrieving a CA certificate
- 223 Importing a CA certificate
- 224 Configuring encrypt policies
- 225 Adding a source address
- 225 Adding a destination address
- 225 Adding an encrypt policy
- 227 IPSec VPN concentrators
- 227 VPN concentrator (hub) general configuration steps
- 229 Adding a VPN concentrator
- 230 VPN spoke general configuration steps
- 231 Redundant IPSec VPNs
- 231 Configuring redundant IPSec VPN
- 233 Monitoring and Troubleshooting VPNs
- 233 Viewing VPN tunnel status
- 233 Viewing dialup VPN connection status
- 234 Testing a VPN
- 235 PPTP and L2TP VPN
- 235 Configuring PPTP
- 236 Configuring the FortiGate unit as a PPTP gateway
- 236 Adding users and user groups
- 236 Enabling PPTP and specifying an address range
- 237 Adding a source address
- 237 Adding an address group
- 238 Adding a destination address
- 238 Adding a firewall policy
- 238 Configuring a Windows 98 client for PPTP
- 238 Installing PPTP support
- 239 Configuring a PPTP dialup connection
- 239 Connecting to the PPTP VPN
- 239 Configuring a Windows 2000 client for PPTP
- 239 Configuring a PPTP dialup connection
- 240 Connecting to the PPTP VPN
- 240 Configuring a Windows XP client for PPTP
- 240 Configuring a PPTP dialup connection
- 240 Configuring the VPN connection
- 241 Connecting to the PPTP VPN
- 241 Configuring L2TP
- 242 Configuring the FortiGate unit as an L2TP gateway
- 242 Adding users and user groups
- 242 Enabling L2TP and specifying an address range
- 243 Adding a source address
- 243 Adding an address group
- 244 Adding a destination address
- 244 Adding a firewall policy
- 245 Configuring a Windows 2000 client for L2TP
- 245 Configuring an L2TP dialup connection
- 245 Disabling IPSec
- 246 Connecting to the L2TP VPN
- 246 Configuring a Windows XP client for L2TP
- 246 Configuring an L2TP VPN dialup connection
- 246 Configuring the VPN connection
- 247 Disabling IPSec
- 248 Connecting to the L2TP VPN
- 249 Network Intrusion Detection System (NIDS)
- 249 Detecting attacks
- 250 Selecting the interfaces to monitor
- 250 Disabling the NIDS
- 250 Configuring checksum verification
- 251 Viewing the signature list
- 251 Viewing attack descriptions
- 252 Enabling and disabling NIDS attack signatures
- 252 Adding user-defined signatures
- 253 Downloading the user-defined signature list
- 253 Preventing attacks
- 253 Enabling NIDS attack prevention
- 254 Enabling NIDS attack prevention signatures
- 254 Setting signature threshold values
- 256 Configuring synflood signature values
- 256 Logging attacks
- 256 Logging attack messages to the attack log
- 257 Reducing the number of NIDS attack log and email messages
- 257 Automatic message reduction
- 257 Manual message reduction
- 259 Antivirus protection
- 259 General configuration steps
- 260 Antivirus scanning
- 261 File blocking
- 262 Blocking files in firewall traffic
- 262 Adding file patterns to block
- 263 Quarantine
- 263 Quarantining infected files
- 263 Quarantining blocked files
- 264 Viewing the quarantine list
- 264 Sorting the quarantine list
- 265 Filtering the quarantine list
- 265 Deleting files from quarantine
- 265 Downloading quarantined files
- 265 Configuring quarantine options
- 266 Blocking oversized files and emails
- 266 Configuring limits for oversized files and email
- 266 Exempting fragmented email from blocking
- 266 Viewing the virus list
- 267 Web filtering
- 267 General configuration steps
- 268 Content blocking
- 268 Adding words and phrases to the banned word list
- 269 URL blocking
- 269 Using the FortiGate web filter
- 269 Adding URLs or URL patterns to the block list
- 270 Clearing the URL block list
- 271 Downloading the URL block list
- 271 Uploading a URL block list
- 272 Using the Cerberian web filter
- 272 General configuration steps
- 272 Installing a Cerberian license key on the FortiGate unit
- 272 Adding a Cerberian user to the FortiGate unit
- 273 Configuring Cerberian web filter
- 273 Enabling Cerberian URL filtering
- 274 Script filtering
- 274 Enabling the script filter
- 274 Selecting script filter options
- 275 Exempt URL list
- 275 Adding URLs to the exempt URL list
- 277 Email filter
- 277 General configuration steps
- 278 Email banned word list
- 278 Adding words and phrases to the banned word list
- 279 Email block list
- 279 Adding address patterns to the email block list
- 279 Email exempt list
- 280 Adding address patterns to the email exempt list
- 280 Adding a subject tag
- 281 Logging and reporting
- 281 Recording logs
- 282 Recording logs on a remote computer
- 282 Recording logs on a NetIQ WebTrends server
- 283 Recording logs on the FortiGate hard disk
- 284 Recording logs in system memory
- 284 Filtering log messages
- 286 Configuring traffic logging
- 286 Enabling traffic logging
- 286 Enabling traffic logging for an interface
- 286 Enabling traffic logging for a VLAN subinterface
- 287 Enabling traffic logging for a firewall policy
- 287 Configuring traffic filter settings
- 288 Adding traffic filter entries
- 289 Viewing logs saved to memory
- 289 Viewing logs
- 289 Searching logs
- 290 Viewing and managing logs saved to the hard disk
- 290 Viewing logs
- 290 Searching logs
- 291 Downloading a log file to the management computer
- 291 Deleting all messages in an active log
- 292 Deleting a saved log file
- 292 Configuring alert email
- 292 Adding alert email addresses
- 293 Testing alert email
- 293 Enabling alert email
- 295 Glossary
- 299 Index