Network configuration. Fortinet FortiGate-800, FortiGate FortiGate-800
FortiGate-800 Installation and Configuration Guide Version 2.50
Network configuration
You can use the System Network page to change any of the following FortiGate network settings:
• Configuring zones
• Configuring interfaces
• VLAN overview
• VLANs in NAT/Route mode
• Virtual domains in Transparent mode
• Adding DNS server IP addresses
•
•
Configuring zones
In NAT/Route mode, you can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, rather than to and from each interface and VLAN subinterface.
You can add zones, rename and edit zones, and delete zones from the zone list.
A new zone does not appear in the policy grid until you add an interface to it (see “Adding an interface to a zone” on page 139) and add a firewall address for it (see “Adding addresses” on page 197).
This section describes:
• Adding zones
• Deleting zones
Adding zones
The new zone does not appear in the policy grid until you add an interface to it (see “To add an interface to a zone” below) and add a firewall address for it (see “Adding addresses” on page 197).
To add a zone
1 Go to System > Network > Zone.
2 Select New.
3 Type a name for the zone.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select the Block intra-zone traffic check box if you want to block traffic between interfaces in the same zone.
5 Select OK.
Deleting zones
You must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. You can only delete zones that have the Delete icon beside them in the zone list.
To delete a zone
1 Go to System > Network > Zone.
2 Select Delete to remove a zone from the list.
3 Select OK to delete the zone.
Configuring interfaces
Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces. All of these procedures can be used for physical FortiGate interfaces and for VLAN subinterfaces.
• Viewing the interface list
• Changing the administrative status of an interface
• Adding an interface to a zone
• Configuring an interface with a manual IP address
• Configuring an interface for DHCP
• Configuring an interface for PPPoE
• Adding a secondary IP address to an interface
• Adding a ping server to an interface
• Controlling administrative access to an interface
• Changing the MTU size to improve network performance
• Configuring traffic logging for connections to an interface
• Configuring the management interface in Transparent mode
Viewing the interface list
To view the interface list
1 Go to System > Network > Interface.
The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces:
• The name of the interface
• The IP address of the interface
• The netmask of the interface
• The zone that the interface has been added to
• The administrative access configuration for the interface
See “Controlling administrative access to an interface” on page 143 for information about administrative access options.
• The administrative status for the interface
If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see “Changing the administrative status of an interface” on page 139.
Changing the administrative status of an interface
You can use the following procedures to start an interface that is administratively down and to stop an interface that is administratively up.
To start up an interface that is administratively down
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Up for the interface that you want to start.
To stop an interface that is administratively up
1 From the FortiGate CLI, enter the command:
set system interface <intf_str> config status down
You can only stop an interface that is administratively up from the FortiGate command line interface (CLI).
Adding an interface to a zone
If you have added zones to the FortiGate unit, you can use the following procedure to add an interface or VLAN subinterface to a zone.
You must delete any firewall addresses added to an interface or VLAN subinterface before adding the interface or VLAN subinterface to a zone. For information about deleting addresses, see “Deleting addresses” on page 199.
When you add an interface or VLAN subinterface to a zone, you cannot add firewall addresses to the interface or VLAN subinterface and the interface or VLAN subinterface does not appear on the policy grid.
To add an interface to a zone
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a zone and select Modify.
3 From the Belong to Zone list, select the zone that you want to add the interface to.
The Belong to Zone list only appears if you have added zones and if you have not added firewall addresses for the interface.
4 Select OK to save the changes.
5 Repeat these steps to add more interfaces or VLAN subinterfaces to zones.
Configuring an interface with a manual IP address
You can change the static IP address of any FortiGate interface.
To change an interface with a manual IP address
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required.
The IP address of the interface must be on the same subnet as the network the interface is connecting to.
Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
5 Select OK to save your changes.
If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.
Configuring an interface for DHCP
You can configure any FortiGate interface to use DHCP.
If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. You can disable Connect to Server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP request.
By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable the option Retrieve default gateway and DNS from server if you do not want the DHCP server to configure these FortiGate settings.
To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 In the Addressing Mode section, select DHCP.
4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.
By default, this option is enabled.
5 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the DHCP server.
By default, this option is enabled.
6 Select Apply.
The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
7 Select Status to refresh the addressing mode status message. Possible messages:
initializing: No activity.
connecting: The FortiGate unit is attempting to connect to the DHCP server.
connected: The FortiGate unit retrieves an IP address, netmask, and other settings from the DHCP server.
failed: The FortiGate unit was unable to retrieve an IP address and other information from the DHCP server.
8 Select OK.
Configuring an interface for PPPoE
Use the following procedure to configure any FortiGate interface to use PPPoE.
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable Connect to Server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the PPPoE server. You can disable the option Retrieve default gateway and DNS from server if you do not want the PPPoE server to configure these FortiGate settings.
To configure an interface for PPPoE
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server.
By default, this option is enabled.
6 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the PPPoE server.
By default, this option is enabled.
7 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status to refresh the addressing mode status message. Possible messages:
initializing: No activity.
connecting: The FortiGate unit is attempting to connect to the PPPoE server.
connected: The FortiGate unit retrieves an IP address, netmask, and other settings from the PPPoE server.
failed: The FortiGate unit was unable to retrieve an IP address and other information from the PPPoE server.
9 Select OK.
Adding a secondary IP address to an interface
You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be the same as the primary IP address but it can be on the same subnet.
To add a secondary IP address from the CLI, enter the command:
set system interface <intf_str> config secip <second_ip> <netmask_ip>
You can also configure management access and add a ping server to the secondary IP address:
set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
set system interface <intf_str> config secgwdetect enable
Adding a ping server to an interface
Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See “Adding destination-based routes to the routing table” on page 154.
To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select the Enable check box.
The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see “Modifying the Dead Gateway Detection settings” on page 171.
5 Select OK to save the changes.
Controlling administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 170).
To configure administrative access in Transparent mode, see “Configuring the management interface in Transparent mode” on page 144.
To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Administrative Access methods for the interface.
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 173.
TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
4 Select OK to save the changes.
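The hardening advice above (HTTPS or SSH only, no administrative access on an Internet-facing interface unless it is required, leave the idle timeout at 5 minutes, and treat HTTP and Telnet as interceptable) can be turned into a repeatable check. The script below is an added example, not Fortinet code: it parses CLI lines in the `set system interface <intf_str> config secallowaccess ...` form shown in this chapter, assumes that the primary address uses the same form with the keyword `allowaccess`, and audits the result. The configuration lines, the interface names and the idle-timeout value are constructed for the example.

```python
"""Audit FortiGate interface administrative access against the guide's advice.

Added example, not Fortinet code. `secallowaccess` is the keyword shown in the
guide; `allowaccess` for the primary IP address is an assumption. The sample
configuration is constructed.
"""
import re

INSECURE = {"http", "telnet"}        # clear text; the guide says a third party can intercept them
SECURE_ADMIN = {"https", "ssh"}      # the only methods the guide recommends for remote administration
DEFAULT_IDLE_TIMEOUT_MIN = 5         # default the guide says not to change

# Constructed sample in the guide's `set system interface ... config` form.
SAMPLE_CONFIG = """
set system interface internal config allowaccess https ssh ping
set system interface external config allowaccess https http telnet ping
set system interface dmz config secallowaccess ping
set system interface dmz config allowaccess https snmp
"""

LINE_RE = re.compile(
    r"^set system interface (?P<intf>\S+) config "
    r"(?P<kind>allowaccess|secallowaccess)(?P<methods>( \S+)*)$"
)


def parse_allowaccess(config_text):
    """Map interface -> {'primary': set, 'secondary': set} of enabled access methods."""
    access = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not an access line; ignore
        entry = access.setdefault(m["intf"], {"primary": set(), "secondary": set()})
        key = "primary" if m["kind"] == "allowaccess" else "secondary"
        entry[key] = set(m["methods"].lower().split())
    return access


def audit(access, internet_facing, idle_timeout_min=DEFAULT_IDLE_TIMEOUT_MIN):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    findings = []
    for intf, addrs in sorted(access.items()):
        for which, methods in addrs.items():
            if not methods:
                continue
            where = f"{intf} ({which} IP)"
            clear_text = sorted(methods & INSECURE)
            if clear_text:
                findings.append(f"{where}: clear-text admin methods enabled: {', '.join(clear_text)}")
            if intf in internet_facing:
                admin = methods - {"ping"}     # ping is a test aid, not administration
                not_recommended = sorted(admin - SECURE_ADMIN)
                if not_recommended:
                    findings.append(f"{where}: Internet-facing, methods other than HTTPS/SSH: "
                                    f"{', '.join(not_recommended)}")
                if admin & SECURE_ADMIN:
                    findings.append(f"{where}: remote administration from the Internet is enabled; "
                                    "confirm it is required")
    if idle_timeout_min != DEFAULT_IDLE_TIMEOUT_MIN:
        findings.append(f"system idle timeout is {idle_timeout_min} min; "
                        f"the guide says keep the default {DEFAULT_IDLE_TIMEOUT_MIN}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_allowaccess(SAMPLE_CONFIG), internet_facing={"external"}, idle_timeout_min=10):
        print(line)
```

Run as shown, the sample reports the clear-text methods and the non-HTTPS/SSH methods on the external interface, notes that remote administration is enabled there, and flags the changed idle timeout; the internal and dmz entries produce nothing.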
Changing the MTU size to improve network performance
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance.
To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select Override default MTU value (1500).
4 Set the MTU size.
Set the maximum packet size. For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes.
Configuring traffic logging for connections to an interface
To configure traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4 Select OK to save the changes.
Configuring the management interface in Transparent mode
Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Updating antivirus and attack definitions” on page 117).
You can also configure the management interface to control how administrators connect to the FortiGate unit for administration and the FortiGate interfaces to which administrators can connect.
Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet.
However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 170).
To configure the management interface in Transparent mode
1 Go to System > Network > Management.
2 Change the Management IP and Netmask as required.
This must be a valid address for the network that you want to manage the FortiGate unit from.
3 Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.
4 Select the administrative access methods for each interface.
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 173.
TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
5 Select Log for each interface that you want to record log messages whenever a firewall policy accepts a connection to this interface.
6 Select Apply to save the changes.
VLAN overview
FortiGate units support IEEE 802.1Q Virtual LAN (VLAN) technology. A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, even though they may not be. For example, the workstations and servers for an accounting department could be scattered throughout an office, connected to numerous network segments, but they can still belong to the same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.
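The 4-byte tag just described has a fixed layout, and being able to decode it is what lets you check from a capture which VLAN a frame really belonged to, or confirm that a trunk is carrying only the VLANs you expect. The code below is an added example, not Fortinet code: it parses and builds 802.1Q tags and counts frames per VLAN ID. The tag layout is from IEEE 802.1Q; the sample frames are constructed. Note that the guide gives the VLAN ID upper bound as 4096 in one place and 4095 in another; the VID field is 12 bits, so 4096 cannot be encoded, and 802.1Q reserves 0 and 4095, so the builder here accepts 1 to 4094.

```python
"""Decode and build IEEE 802.1Q VLAN tags.

Added example for this section; it is not Fortinet code. The tag layout is
from IEEE 802.1Q; the sample frames below are constructed.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100          # EtherType value that announces a 4-byte 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # 12-bit VID; 802.1Q reserves 0 (priority tag) and 4095


def parse_frame(frame: bytes) -> dict:
    """Describe an Ethernet frame, tagged or not.

    Tagged layout: dst(6) src(6) TPID(2)=0x8100 TCI(2) EtherType(2) payload.
    TCI bits: 3-bit PCP (priority) | 1-bit DEI | 12-bit VID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype       # the EtherType of the encapsulated payload
    info["payload"] = frame[offset:]
    return info


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte tag, as a switch or a VLAN subinterface does on egress."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VID_MIN}-{VID_MAX}")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as a VLAN subinterface does on ingress; untagged frames pass unchanged."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]        # drop bytes 12..15 (TPID + TCI)


def vlan_census(frames) -> dict:
    """Count frames per VLAN ID (None = untagged); each VLAN is its own broadcast domain."""
    return dict(Counter(parse_frame(f)["vid"] for f in frames))


# Constructed sample: three tagged frames and one untagged frame.
_DST = bytes.fromhex("ffffffffffff")           # broadcast
_SRC = bytes.fromhex("00005e005301")           # documentation MAC range
SAMPLE_FRAMES = [
    build_tagged_frame(_DST, _SRC, 10, 0x0806, b"\x00\x01", pcp=0),
    build_tagged_frame(_DST, _SRC, 10, 0x0806, b"\x00\x01", pcp=0),
    build_tagged_frame(_DST, _SRC, 20, 0x0800, b"\x45\x00", pcp=5),
    _DST + _SRC + b"\x08\x00\x45\x00",         # untagged IPv4 frame
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print(vlan_census(SAMPLE_FRAMES))          # {10: 2, 20: 1, None: 1}
```

`strip_tag` and `build_tagged_frame` are the two operations the next sections attribute to a VLAN subinterface: remove the tag on the way in, add the matching tag on the way out.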
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to control the flow of packets between VLANs. See “VLANs in NAT/Route mode” on page 146 for more information.
Operating in Transparent mode, the FortiGate unit functions as a layer 2 device to control the flow of packets between segments in the same VLAN. See “Virtual domains in Transparent mode” on page 147.
VLANs in NAT/Route mode
In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.
Rules for VLAN IDs
Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.
Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
Note: You can enter the CLI command set system ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.
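The rules this chapter states for interfaces and VLAN subinterfaces (names limited to 0-9, A-Z, a-z, - and _; no two interfaces with the same IP address or on the same subnet unless ip-overlap is enabled for VLAN subinterfaces; no duplicate VLAN ID on one physical interface; MTU 576 to 1500 for manual and DHCP addressing and 576 to 1492 for PPPoE) can be checked before a change is applied, which catches the configuration that the web-based manager would reject one step at a time. The validator below is an added example, not Fortinet code; the interface plan it checks is constructed. The VLAN ID range it enforces is 1 to 4094, because the 12-bit VID field cannot hold 4096 and 802.1Q reserves 0 and 4095; the guide itself quotes 4096 and 4095 in different places.

```python
"""Pre-flight validation of a FortiGate interface / VLAN subinterface plan.

Added example, not Fortinet code. The rules are the ones stated in the
guide's network configuration chapter; the sample plan is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")            # allowed interface / zone name characters
MTU_RANGE = {"manual": (576, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094                   # 12-bit VID; 0 and 4095 reserved by 802.1Q


@dataclass
class Interface:
    name: str
    ip: Optional[str] = None          # "a.b.c.d/prefix"; None when unset or assigned by DHCP/PPPoE
    mode: str = "manual"              # "manual", "dhcp" or "pppoe"
    mtu: int = 1500
    physical: Optional[str] = None    # parent interface: set only for a VLAN subinterface
    vlan_id: Optional[int] = None
    secondary_ip: Optional[str] = None


def validate(interfaces: List[Interface], ip_overlap_enabled: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means the plan is consistent."""
    errors = []
    vlan_seen = {}   # (physical interface, VLAN ID) -> subinterface name
    networks = []    # (name, is_vlan_subinterface, ip_interface)
    for i in interfaces:
        if not NAME_RE.match(i.name):
            errors.append(f"{i.name}: name may contain only 0-9, A-Z, a-z, - and _")
        if i.mode not in MTU_RANGE:
            errors.append(f"{i.name}: unknown addressing mode {i.mode}")
        else:
            lo, hi = MTU_RANGE[i.mode]
            if not lo <= i.mtu <= hi:
                errors.append(f"{i.name}: MTU {i.mtu} outside {lo}-{hi} for {i.mode} addressing")
        if i.physical is not None:
            if i.vlan_id is None or not VLAN_ID_MIN <= i.vlan_id <= VLAN_ID_MAX:
                errors.append(f"{i.name}: VLAN ID must be between {VLAN_ID_MIN} and {VLAN_ID_MAX}")
            else:
                key = (i.physical, i.vlan_id)
                if key in vlan_seen:        # same ID on a *different* physical interface is fine
                    errors.append(f"{i.name}: VLAN ID {i.vlan_id} already used on {i.physical} "
                                  f"by {vlan_seen[key]}")
                vlan_seen.setdefault(key, i.name)
        if i.ip is not None:
            addr = ipaddress.ip_interface(i.ip)
            if i.secondary_ip is not None:
                # Secondary may share the subnet but not the address.
                if ipaddress.ip_interface(i.secondary_ip).ip == addr.ip:
                    errors.append(f"{i.name}: secondary IP must differ from the primary IP")
            networks.append((i.name, i.physical is not None, addr))
    # Pairwise: no two interfaces with the same IP or on overlapping subnets.
    for n, (name_a, vlan_a, a) in enumerate(networks):
        for name_b, vlan_b, b in networks[n + 1:]:
            if a.ip == b.ip:
                errors.append(f"{name_a} and {name_b}: same IP address {a.ip}")
            elif a.network.overlaps(b.network):
                if ip_overlap_enabled and (vlan_a or vlan_b):
                    continue                # permitted by `set system ip-overlap enable`
                errors.append(f"{name_a} and {name_b}: subnets {a.network} and {b.network} overlap")
    return errors


# Constructed plan with one violation of each kind (and one legitimate reuse of a VLAN ID).
SAMPLE_PLAN = [
    Interface("internal", ip="192.168.1.99/24"),
    Interface("external", mode="pppoe", mtu=1500),                                  # MTU too large for PPPoE
    Interface("dmz", ip="192.168.1.254/24"),                                         # same subnet as internal
    Interface("acct vlan", ip="10.10.10.1/24", physical="internal", vlan_id=10),     # space in name
    Interface("eng_vlan", ip="10.10.20.1/24", physical="internal", vlan_id=10),      # duplicate ID on internal
    Interface("eng_vlan_ext", ip="10.10.30.1/24", physical="external", vlan_id=10),  # same ID, other interface: OK
    Interface("mgmt_vlan", ip="10.10.40.1/24", physical="internal", vlan_id=4096),   # ID not encodable
]

if __name__ == "__main__":
    for err in validate(SAMPLE_PLAN):
        print(err)
```

The `ip_overlap_enabled` flag reproduces the behaviour of the CLI note above: overlap is tolerated only when at least one side of the pair is a VLAN subinterface, and two physical interfaces on one subnet are still rejected.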
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.
Each VLAN subinterface must also be configured with its own IP address and netmask.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
To add VLAN subinterfaces
1 Go to System > Network > Interface.
2 Select New VLAN to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select the interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch.
6 Configure the VLAN subinterface settings as you would for any FortiGate interface.
You can add the VLAN subinterface to a zone, configure addressing, add a ping server, and configure administrative access to the VLAN subinterface. For more information, see “Configuring interfaces” on page 138.
7 Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected in step 4.
Virtual domains in Transparent mode
In Transparent mode, the FortiGate unit can apply firewall policies and services, such as virus scanning, to traffic on an IEEE 802.1Q VLAN trunk. The FortiGate unit operating in Transparent mode can be inserted into the trunk without making changes to the network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router. This external switch or router could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit. A virtual domain contains at least two VLAN subinterfaces. For VLAN traffic to be able to pass between the FortiGate internal and external interfaces, you add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces to the virtual domain, you can also use firewall policies to control connections between VLANs.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for this source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet and it is sent to the VLAN trunk.
When a packet enters a virtual domain on the FortiGate unit, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN subinterfaces or zones in the virtual domain. The packet never crosses the virtual domain border.
The FortiGate-800 supports 64 virtual domains.
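The forwarding sequence the preceding paragraphs describe (match the incoming tag to a VLAN subinterface on the ingress interface, remove the tag, choose the destination interface from the destination MAC address, apply the policy for the source/destination subinterface pair, re-tag with the destination subinterface's VLAN ID, and never let a packet or a policy cross a virtual domain border) is modelled below. This is an added example, not FortiOS code. The topology follows Figure 31 (two virtual domains on an internal/external trunk); the bridge table, the policy set and the MAC addresses are constructed, and selecting the egress subinterface as the one in the same virtual domain on the destination interface, preferring a matching VLAN ID, is a modelling assumption rather than documented FortiGate behaviour.

```python
"""Model of Transparent-mode virtual-domain forwarding on a FortiGate unit.

Added example, not FortiOS code. Topology modelled on Figure 31; bridge table,
policies and MAC addresses are constructed; egress selection is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VlanSubinterface:
    name: str
    physical: str     # physical interface it was added to ("internal" or "external")
    vlan_id: int      # tag it matches on ingress and adds on egress
    vdom: str         # virtual domain that owns it


@dataclass
class Result:
    action: str                                # "forward" or "drop"
    reason: str
    egress: Optional[Tuple[str, int]] = None   # (physical interface, VLAN ID) when forwarded


class TransparentFortiGate:
    def __init__(self):
        self.subifs: Dict[str, VlanSubinterface] = {}
        self.policies: Dict[Tuple[str, str], str] = {}   # (src name, dst name) -> "accept" / "deny"
        self.mac_table: Dict[str, str] = {}              # destination MAC -> physical interface

    def add_subinterface(self, s: VlanSubinterface) -> None:
        # Rule from the guide: one VLAN ID per physical interface.
        for other in self.subifs.values():
            if other.physical == s.physical and other.vlan_id == s.vlan_id:
                raise ValueError(f"VLAN ID {s.vlan_id} already used on {s.physical} by {other.name}")
        self.subifs[s.name] = s

    def add_policy(self, src: str, dst: str, action: str) -> None:
        a, b = self.subifs[src], self.subifs[dst]
        if src == dst:
            raise ValueError("source and destination cannot be the same VLAN subinterface")
        if a.vdom != b.vdom:
            raise ValueError("firewall policies cannot cross a virtual domain border")
        self.policies[(src, dst)] = action

    def learn(self, mac: str, physical: str) -> None:
        """Populate the bridge table (constructed here; learned from traffic in reality)."""
        self.mac_table[mac] = physical

    def _ingress(self, physical: str, vlan_id: int) -> Optional[VlanSubinterface]:
        return next((s for s in self.subifs.values()
                     if s.physical == physical and s.vlan_id == vlan_id), None)

    def _egress(self, src: VlanSubinterface, dst_physical: str) -> Optional[VlanSubinterface]:
        # Confinement: only subinterfaces of the same virtual domain are candidates.
        candidates = [s for s in self.subifs.values()
                      if s.vdom == src.vdom and s.physical == dst_physical]
        same_vid = [s for s in candidates if s.vlan_id == src.vlan_id]
        if same_vid:
            return same_vid[0]
        return candidates[0] if len(candidates) == 1 else None

    def handle(self, ingress_physical: str, vlan_id: int, dst_mac: str) -> Result:
        src = self._ingress(ingress_physical, vlan_id)
        if src is None:
            return Result("drop", f"no VLAN subinterface on {ingress_physical} for VLAN ID {vlan_id}")
        # Tag is now conceptually removed; pick the destination interface by MAC.
        dst_physical = self.mac_table.get(dst_mac)
        if dst_physical is None or dst_physical == ingress_physical:
            return Result("drop", "destination MAC unknown or on the ingress interface")
        dst = self._egress(src, dst_physical)
        if dst is None:
            return Result("drop", f"no egress VLAN subinterface for {src.vdom} on {dst_physical}")
        if self.policies.get((src.name, dst.name), "deny") != "accept":
            return Result("drop", f"no accept policy {src.name} -> {dst.name} in {src.vdom}")
        # Re-tag with the destination subinterface's VLAN ID and send to the trunk.
        return Result("forward", f"policy {src.name} -> {dst.name} accepted", (dst.physical, dst.vlan_id))


def build_sample() -> TransparentFortiGate:
    """Figure 31 topology: vdom1 carries VLAN1, vdom2 carries VLAN2 and VLAN3."""
    fg = TransparentFortiGate()
    for name, phys, vid, vdom in [
        ("vlan1_int", "internal", 1, "vdom1"), ("vlan1_ext", "external", 1, "vdom1"),
        ("vlan2_int", "internal", 2, "vdom2"), ("vlan2_ext", "external", 2, "vdom2"),
        ("vlan3_int", "internal", 3, "vdom2"), ("vlan3_ext", "external", 3, "vdom2"),
    ]:
        fg.add_subinterface(VlanSubinterface(name, phys, vid, vdom))
    fg.add_policy("vlan1_int", "vlan1_ext", "accept")
    fg.add_policy("vlan2_int", "vlan2_ext", "accept")    # VLAN3 has no policy: dropped
    fg.learn("00:00:5e:00:53:01", "external")            # constructed documentation MACs
    fg.learn("00:00:5e:00:53:02", "internal")
    return fg


if __name__ == "__main__":
    fg = build_sample()
    for vid in (1, 2, 3, 99):
        print(vid, fg.handle("internal", vid, "00:00:5e:00:53:01"))
```

The default when no policy matches is deny, which is what the next sections assume when they say you must create firewall policies before packets flow between VLAN subinterfaces.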
• Virtual domain properties
• Configuring a virtual domain
• Adding firewall policies for virtual domains
• Deleting virtual domains
Figure 31: FortiGate unit with two virtual domains
[Figure: a VLAN switch or router sends VLAN1, VLAN2 and VLAN3 over a VLAN trunk to the FortiGate internal interface. Virtual Domain 1 carries VLAN1 and a second virtual domain carries VLAN2 and VLAN3; each applies content filtering, antivirus and NIDS. The VLANs leave the external interface on a VLAN trunk to a second VLAN switch or router connected to the Internet.]
Virtual domain properties
A virtual domain has the following exclusive properties:
• VLAN name,
• VLAN ID,
• VLAN interface assignment,
• VLAN zone assignment (optional),
• Firewall policy.
Virtual domains share the following global properties with other processes on the FortiGate unit:
• System settings,
• Firewall policy objects (addresses, services, schedule, content profiles, and so on),
• User information,
• NIDS settings,
• Antivirus, Web filter, Mail filter settings,
• Log & report settings.
In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the FortiGate unit. Only their administrative access level varies.
Configuring a virtual domain
Configure a virtual domain by adding the virtual domain to the FortiGate configuration. Then add matching pairs of VLAN subinterfaces to the virtual domain.
• Adding a virtual domain
• Adding VLAN subinterfaces to a virtual domain
• Adding zones to virtual domains
Adding a virtual domain
Use the following procedure to add a virtual domain to the FortiGate unit. You must add at least one virtual domain to support VLANs in Transparent mode. Add more virtual domains to simplify configuration if you are planning to add a large number of VLANs.
To add a virtual domain
1 Go to System > Virtual Domain.
2 Select New to add a virtual domain.
3 Type a Name for the virtual domain.
4 Select OK to add the virtual domain.
Adding VLAN subinterfaces to a virtual domain
Use the following procedure to add VLAN subinterfaces to a virtual domain. You must add at least two VLAN subinterfaces to each virtual domain. In most configurations a virtual domain is used to send VLAN-tagged packets received at one FortiGate physical interface to another FortiGate physical interface (for example, from the internal interface to the external interface). For this to occur, you must add VLAN subinterfaces to the receiving and sending physical interfaces (for example, to the internal and external interfaces).
To add VLAN subinterfaces to a virtual domain
1 Go to System > Network > VLAN.
2 Select the Virtual Domain to add the VLAN subinterface to.
3 Select New to add a VLAN subinterface.
4 Type a Name for the VLAN subinterface.
5 Select the interface to associate the VLAN subinterface with.
The VLAN subinterface must be added to the FortiGate interface that receives the VLAN-tagged packets.
6 Enter a VLAN ID for the VLAN subinterface.
The VLAN ID can be any number between 1 and 4095.
7 Optionally, select a zone to add the VLAN subinterface to a zone.
To add a zone to a virtual domain, see “Adding zones to virtual domains” on page 150.
8 Select OK to add the VLAN subinterface.
9 Repeat these steps to add more VLAN subinterfaces to the virtual domain.
To configure management access and traffic logging for VLAN subinterfaces
1 Go to System > Network > Management.
2 Configure management access as required for the VLAN subinterfaces that you have added.
You can select HTTPS, PING, SSH, SNMP, HTTP, or TELNET.
3 Select Log to configure traffic logging for the VLAN subinterfaces that you have added.
Adding zones to virtual domains
Add zones to a virtual domain to group together related VLAN subinterfaces. Use zones to simplify firewall policy creation if you have many VLAN subinterfaces in a
Figure 32: FortiGate unit containing a virtual domain with zones
[Figure: VLAN1, VLAN2 and VLAN3 arrive on a VLAN trunk at the FortiGate internal interface and leave on a VLAN trunk from the external interface to a VLAN switch or router connected to the Internet. A single virtual domain groups the internal-side VLAN subinterfaces (VLAN1, VLAN2, VLAN3) into zone1 and the external-side VLAN subinterfaces (VLAN1, VLAN2, VLAN3) into zone2.]
Multiple zones in a single virtual domain cannot be connected to a single VLAN trunk. This configuration is correct because each zone is connected to a different VLAN trunk (zone1 connected to the VLAN trunk on the internal interface and zone2 connected to the VLAN trunk on the external interface). If you were to add another zone (for example, zone3 connected to the VLAN trunk on the internal interface) the FortiGate unit would not be able to successfully differentiate between traffic for zone1 and zone3. This is the case because both zone1 and zone3 traffic would be routed to the same MAC address.
To add a zone to a virtual domain
1 Go to System > Network > Zone.
2 Select New to add a zone.
3 Type a Name for the zone.
4 Select the Virtual Domain to add the zone to.
5 Optionally select Block intra-zone traffic to block traffic between VLAN subinterfaces in the same zone.
6 Select OK to add the zone.
To add VLAN subinterfaces to a zone
1 Go to System > Network > VLAN.
2 Set Virtual Domain to All or to the virtual domain containing the VLAN subinterfaces to add to a zone.
3 Select List to list all of the VLAN subinterfaces added to the FortiGate unit or to the selected virtual domain.
4 For a VLAN subinterface to add to a zone, select Modify.
5 From the zone list, select the name of the zone to add the VLAN subinterface to.
6 Select OK to save your changes.
You can also use the procedure “Adding VLAN subinterfaces” on page 147 to add a VLAN subinterface to a zone if you are adding new VLAN subinterfaces to a virtual domain to which you have already added zones.
Adding firewall policies for virtual domains
Once the network configuration for the virtual domain is complete, you must create firewall policies for the virtual domain to allow packets to flow through the firewall between VLAN subinterfaces.
• Adding addresses for virtual domains
• Adding firewall policies for virtual domains
Adding addresses for virtual domains
Before you can create firewall policies for a virtual domain, you must add source and destination addresses for the VLAN subinterfaces and zones added to the virtual domain.
1. Go to Firewall > Address.
2. Select the VLAN subinterface or zone to which to add the address.
3. Select New to add a new address.
4. Enter an Address Name to identify the address.
5. Enter the IP Address.
6. Enter the NetMask.
7. Select OK to add the address.
Adding firewall policies for virtual domains
Add firewall policies to control connections and traffic between FortiGate VLAN subinterfaces and zones in a virtual domain.
1. Go to Firewall > Policy.
2. Select the Virtual Domain to which you want to add the policy.
3. Select a source VLAN subinterface or zone.
4. Select a destination VLAN subinterface or zone.
   VLAN subinterfaces or zones only appear in the source and destination lists if they have been added to the selected virtual domain and if you have added firewall addresses for them.
   The source and destination cannot be the same VLAN subinterface or zone.
5. Select New to add a new policy.
6. Configure the policy.
7. Select OK to add the policy.
Deleting virtual domains
You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain. To remove VLAN subinterfaces and zones you must remove all firewall policies and firewall addresses for the VLAN subinterfaces and zones. You can only delete virtual domains that have the Delete icon beside them in the zone list.
Delete the virtual domain components in the following order:
• firewall policies
• source and destination addresses
• VLAN subinterfaces
• zones
• the virtual domain
Adding DNS server IP addresses
Several FortiGate functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usually supplied by your ISP.
To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Change the primary and secondary DNS server IP addresses as required.
3. Select Apply to save the changes.
Configuring routing
This section describes how to configure FortiGate routing. You can configure routing to add static routes from the FortiGate unit to local routers. Using policy routing you can increase the flexibility of FortiGate routing to support more advanced routing functions.
You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections.
This section describes:
• Adding a default route
• Adding destination-based routes to the routing table
• Adding routes in Transparent mode
• Configuring the routing table
• Policy routing
Adding a default route
You can add a default route for network traffic leaving the external interface.
To add a default route
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Set the Source IP and Netmask to 0.0.0.0.
4. Set the Destination IP and Netmask to 0.0.0.0.
5. Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
6. Select OK to save the default route.
Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.
Adding destination-based routes to the routing table
You can add destination-based routes to the FortiGate routing table to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route.
You can add one or two gateways to a route. If you add one gateway, the FortiGate unit routes the traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first gateway fails.
To support routing failover, the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway. For information about adding a ping server, see “Adding a ping server to an interface” on page 142.
To add destination-based routes to the routing table
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Type the Destination IP address and netmask for the route.
4. Add the IP address of Gateway #1.
   Gateway #1 is the IP address of the primary destination for the route. Gateway #1 must be on the same subnet as a FortiGate interface.
   If you are adding a static route from the FortiGate unit to a single destination router, you need to specify only one gateway.
5. Add the IP address of Gateway #2, if you want to route traffic to multiple gateways.
6. Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1.
   You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules:
   • If the Gateway #1 IP address is on the same subnet as a FortiGate interface or VLAN subinterface, the system sends the traffic to that interface.
   • If the Gateway #1 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface, the system routes the traffic to the external interface, using the default route.
   You can use Device #1 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.
7. Set Device #2 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #2.
   You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules:
   • If the Gateway #2 IP address is on the same subnet as a FortiGate interface or VLAN subinterface, the system sends the traffic to that interface.
   • If the Gateway #2 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface, the system routes the traffic to the external interface, using the default route.
   You can use Device #2 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.
8. Select OK to save the route.
Note: Any two routes in the routing table must differ by something other than just the gateway to be simultaneously active. If two routes added to the routing table are identical except for their gateway IP addresses, only the route closer to the top of the routing table can be active.
Note: Arrange routes in the routing table from more specific to more general. For information about arranging routes in the routing table, see “Configuring the routing table”.
Adding routes in Transparent mode
Use the following procedure to add routes when operating the FortiGate unit in Transparent mode.
To add a route in Transparent mode
1. Go to System > Network > Routing.
2. Select New.
3. Enter the Destination IP address and Netmask for the route.
4. Enter the Gateway IP address for the route.
5. Select OK to save the new route.
6. Repeat steps 1 to 5 to add more routes as required.
Configuring the routing table
The routing table shows the destination IP address and mask of each route that you add, as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the FortiGate unit has used the ping server and dead gateway detection to determine that it can connect to the gateway. A red X means that a connection cannot be established. A blue question mark means that the connection status is unknown. For more information, see “Adding a ping server to an interface” on page 142.
The FortiGate unit assigns routes using a best match algorithm based on the destination address of the packet and the destination address of the route. To select a route for a packet, the FortiGate unit searches the routing table for a route that best matches the destination address of the packet. If a match is not found, the FortiGate unit routes the packet using the default route.
To configure the routing table
1. Go to System > Network > Routing Table.
2. Choose the route that you want to move and select Move to to change its order in the routing table.
3. Type a number in the Move to field to specify where in the routing table to move the route and select OK.
4. Select Delete to delete a route from the routing table.
Figure 33: Routing table
Policy routing
Policy routing extends the functions of destination routing. Using policy routing you can route traffic based on the following:
• Destination address
• Source address
• Protocol, service type, or port range
• Incoming or source interface
Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route that matches is used to set the route for the traffic. The route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic.
Packets are matched with policy routes before they are matched with destination routes. If a packet does not match a policy route, it is routed using destination routes.
The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate unit routes the packet using the matched destination route. If a match is not found, the FortiGate unit routes the packet using normal routing.
To find a route with a matching gateway, the FortiGate unit starts at the top of the destination routing table and searches until it finds the first matching destination route. This matched route is used to route the packet.
For policy routing examples, see “Policy routing examples” on page 55.
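The route selection order described above (policy routes in the RPDB first, then a best match in the destination routing table, with the notes on duplicate default routes and on routes that differ only in their gateway) as a small Python model. This is an added example, not FortiGate code; all routes, gateways, addresses and the interface name "internal" are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def to_network(addr: str, mask: str):
    """Turn the address/netmask pair entered in the GUI into a network object."""
    return ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class DestRoute:
    dst: str
    mask: str
    gateway1: str
    gateway2: Optional[str] = None  # backup gateway, used only if gateway1 fails


@dataclass
class PolicyRoute:
    """One RPDB entry, using the field names of 'set system route policy'."""
    src: str
    src_mask: str
    iifname: str
    dst: str
    dst_mask: str
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP
    low_port: int
    high_port: int
    gw: str


@dataclass
class Packet:
    src: str
    dst: str
    iifname: str
    protocol: int
    dport: int


def policy_matches(rule: PolicyRoute, pkt: Packet) -> bool:
    """A policy route matches on source, destination, incoming interface,
    protocol and destination port range."""
    return (ip_address(pkt.src) in to_network(rule.src, rule.src_mask)
            and ip_address(pkt.dst) in to_network(rule.dst, rule.dst_mask)
            and rule.iifname == pkt.iifname
            and rule.protocol == pkt.protocol
            and rule.low_port <= pkt.dport <= rule.high_port)


def best_destination_route(dst: str, table: List[DestRoute]) -> Optional[DestRoute]:
    """Best (longest-prefix) match; on a tie the route nearest the top wins, so two
    routes differing only in gateway, or two 0.0.0.0/0 routes, never both act."""
    best, best_len = None, -1
    for route in table:  # top of the table to the bottom
        network = to_network(route.dst, route.mask)
        if ip_address(dst) in network and network.prefixlen > best_len:
            best, best_len = route, network.prefixlen
    return best


def select_route(pkt: Packet, rpdb: List[PolicyRoute],
                 table: List[DestRoute]) -> Optional[DestRoute]:
    """Policy routes (RPDB) are consulted before destination routes."""
    for rule in rpdb:  # first matching policy route wins
        if policy_matches(rule, pkt):
            # The policy route's gateway must also exist in the destination
            # routing table; the first destination route carrying it is used.
            for route in table:
                if rule.gw in (route.gateway1, route.gateway2):
                    return route
            break  # gateway not in the table: fall back to normal routing
    return best_destination_route(pkt.dst, table)


def next_hop(pkt: Packet, rpdb: List[PolicyRoute], table: List[DestRoute]) -> Optional[str]:
    route = select_route(pkt, rpdb, table)
    return route.gateway1 if route else None


# Constructed sample configuration (not from the guide), listed from more
# specific to more general as the guide recommends.
ROUTING_TABLE = [
    DestRoute("10.10.5.0", "255.255.255.0", "192.168.200.2", "192.168.200.3"),
    DestRoute("10.10.0.0", "255.255.0.0", "192.168.200.1"),
    DestRoute("0.0.0.0", "0.0.0.0", "192.168.100.1"),  # active default route
    DestRoute("0.0.0.0", "0.0.0.0", "192.168.100.9"),  # second default: never active
]
RPDB = [
    # Web (TCP port 80) traffic from 192.168.1.0/24 arriving on 'internal'
    # is steered to gateway 192.168.200.1 whatever its destination.
    PolicyRoute("192.168.1.0", "255.255.255.0", "internal",
                "0.0.0.0", "0.0.0.0", 6, 80, 80, "192.168.200.1"),
]
```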
Policy routing command syntax
Configure policy routing using the following CLI command.
    set system route policy <route_int> src <source_ip> <source_mask>
        iifname <source-interface_name> dst <destination_ip> <destination_mask>
        oifname <destination-interface_name> protocol <protocol_int>
        port <low-port_int> <high-port_int> gw <gateway_ip>
Complete policy routing command syntax is described in Volume 6: FortiGate CLI Reference Guide.
Configuring DHCP services
You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface.
A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions.
Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.
This section describes the following:
• Configuring a DHCP relay agent
• Configuring a DHCP server
Configuring a DHCP relay agent
In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the FortiGate unit that is configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the FortiGate performing DHCP relay.
To configure an interface as a DHCP relay agent
1. Go to System > Network > DHCP.
2. Select Service.
3. Select the interface to be the DHCP relay agent.
4. Select DHCP Relay Agent.
5. Enter the DHCP Server IP address.
6. Select Apply.
Configuring a DHCP server
As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any FortiGate interface. You can also configure a DHCP server for more than one FortiGate interface. For each DHCP server configuration you can add multiple scopes (also called address scopes) so that the DHCP server can assign IP addresses to computers on multiple subnets.
Use these procedures to configure an interface as a DHCP server:
• Adding a DHCP server to an interface
• Adding scopes to a DHCP server
• Adding a reserve IP to a DHCP server
• Viewing a DHCP server dynamic IP list
Adding a DHCP server to an interface
To add a DHCP server to an interface
1. Go to System > Network > DHCP.
2. Select Service.
3. Select an interface.
4. Select DHCP Server.
5. Select Apply.
Adding scopes to a DHCP server
If you have configured an interface as a DHCP server, the interface requires at least one scope (also called an address scope). The scope designates the starting IP and ending IP for the range of addresses that the FortiGate unit assigns to DHCP clients.
You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets.
Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiGate unit. In this case, the DHCP requests are sent to the FortiGate unit through DHCP relay. DHCP relay packets contain the DHCP relay IP, which is the IP address of the subnet from which the DHCP relay received the request.
If the DHCP request received by the DHCP server is not forwarded by a DHCP relay, the DHCP server decides which scope to use based on the IP address of the interface that received the DHCP request; usually the scope with the same subnet as the interface.
If the DHCP request received by the server is forwarded by a DHCP relay, the relay IP is used to select the scope.
To add a scope to a DHCP server
1. Go to System > Network > DHCP.
2. Select Address Scope.
3. Select an interface.
   You must configure the interface as a DHCP server before it can be selected.
4. Select New to add an address scope.
5. Configure the address scope.
   Scope Name: Enter the address scope name.
   IP Pool: Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients.
   Netmask: Enter the netmask that the DHCP server assigns to the DHCP clients.
   Lease Duration: Enter the interval, in days, hours and minutes, after which a DHCP client must ask the DHCP server for a new address. If you select Unlimited, DHCP leases never expire.
   Domain: Optionally enter the domain that the DHCP server assigns to the DHCP clients.
   Default Route: Enter the default route to be assigned to DHCP clients. The default route must be on the same subnet as the IP pool.
6. Select Advanced if you want to configure Advanced Options.
   DNS IP: Enter the addresses of up to 3 DNS servers that the DHCP server assigns to the DHCP clients.
   WINS Server IP: Add the IP addresses of one or two WINS servers to be assigned to DHCP clients.
   Exclusion Range: Optionally enter up to 4 exclusion ranges of IP addresses within the IP pool that cannot be assigned to DHCP clients.
7. Select OK.
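The scope selection rule described above (relay IP for relayed requests, receiving interface address for direct requests) together with the constraints the scope fields carry (pool within the netmask, default route on the pool's subnet, at most 4 exclusion ranges inside the pool, and a reserve IP only from the pool), modelled in Python. This is an added example, not FortiGate code; every scope, address and range below is constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Scope:
    """One address scope as configured under System > Network > DHCP."""
    name: str
    pool_start: str
    pool_end: str
    netmask: str
    default_route: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)  # up to 4 ranges

    def subnet(self):
        """Subnet the scope serves, derived from the pool and its netmask."""
        return ip_network(f"{self.pool_start}/{self.netmask}", strict=False)

    def validate(self) -> List[str]:
        """Return every field constraint from the scope form that this scope violates."""
        problems = []
        start, end = ip_address(self.pool_start), ip_address(self.pool_end)
        if start > end:
            problems.append("starting IP is above ending IP")
        if end not in self.subnet():
            problems.append("IP pool crosses the netmask boundary")
        if ip_address(self.default_route) not in self.subnet():
            problems.append("default route is not on the same subnet as the IP pool")
        if len(self.exclusions) > 4:
            problems.append("more than 4 exclusion ranges")
        for lo, hi in self.exclusions:
            if not start <= ip_address(lo) <= ip_address(hi) <= end:
                problems.append(f"exclusion range {lo}-{hi} is not inside the IP pool")
        return problems

    def can_assign(self, ip: str) -> bool:
        """True if ip is inside the pool and outside every exclusion range; a
        reserve IP must pass the same check."""
        addr = ip_address(ip)
        if not ip_address(self.pool_start) <= addr <= ip_address(self.pool_end):
            return False
        return not any(ip_address(lo) <= addr <= ip_address(hi)
                       for lo, hi in self.exclusions)


def select_scope(scopes: List[Scope], interface_ip: str,
                 relay_ip: Optional[str] = None) -> Optional[Scope]:
    """Relayed request: the relay IP it carries picks the scope. Direct request:
    the address of the interface that received it picks the scope."""
    key = ip_address(relay_ip if relay_ip else interface_ip)
    for scope in scopes:
        if key in scope.subnet():
            return scope
    return None  # no scope for that subnet: the server cannot answer


# Constructed sample scopes on one DHCP server interface (not from the guide).
SCOPES = [
    Scope("lan", "192.168.1.100", "192.168.1.200", "255.255.255.0", "192.168.1.1",
          exclusions=[("192.168.1.150", "192.168.1.160")]),
    Scope("branch", "10.20.0.50", "10.20.0.250", "255.255.255.0", "10.20.0.1"),
]
```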
Adding a reserve IP to a DHCP server
If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device.
When you add the MAC address of a device and an IP address to the reserve IP list, the DHCP server always assigns this IP address to the device.
To add a reserve IP you must first select the interface and scope to which you want to add the reserve IP.
To add a reserve IP to a DHCP server
1. Go to System > Network > DHCP.
2. Select Reserve IP.
3. Select an interface.
   You must configure the interface as a DHCP server before you can select it.
4. Select a scope.
   You must configure an address scope for the interface before you can select it.
5. Select New to add a reserved IP.
6. Configure the reserved IP.
   IP: Enter an IP address. The IP address must be within the IP pool added to the selected scope.
   MAC: Enter the MAC address of the device.
   Name: Optionally, specify a name for the IP and MAC address pair.
   Note: The reserved IP cannot be assigned to any other device. You can only add a given IP address or MAC address once.
7. Select OK.
Viewing a DHCP server dynamic IP list
You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.
To view a DHCP server dynamic IP list
1. Go to System > Network > DHCP.
2. Select Dynamic IP.
3. Select the interface for which you want to view the list.
- 270 Disabling monitoring interfaces
- 270 Configuring checksum verification
- 271 Viewing the signature list
- 271 Viewing attack descriptions
- 272 Disabling NIDS attack signatures
- 272 Adding user-defined signatures
- 273 Downloading the user-defined signature list
- 274 Preventing attacks
- 274 Enabling NIDS attack prevention
- 274 Enabling NIDS attack prevention signatures
- 275 Setting signature threshold values
- 276 Logging attacks
- 276 Logging attack messages to the attack log
- 276 Reducing the number of NIDS attack log and email messages
- 276 Automatic message reduction
- 277 Manual message reduction
- 279 Antivirus protection
- 279 General configuration steps
- 280 Antivirus scanning
- 281 File blocking
- 282 Blocking files in firewall traffic
- 282 Adding file patterns to block
- 283 Quarantine
- 283 Quarantining infected files
- 283 Quarantining blocked files
- 284 Viewing the quarantine list
- 284 Sorting the quarantine list
- 285 Filtering the quarantine list
- 285 Deleting files from the quarantine list
- 285 Downloading quarantined files
- 285 Configuring quarantine options
- 286 Blocking oversized files and emails
- 286 Configuring limits for oversized files and email
- 287 Exempting fragmented email from blocking
- 287 Viewing the virus list
- 289 Web filtering
- 289 General configuration steps
- 290 Content blocking
- 290 Adding words and phrases to the Banned Word list
- 291 Clearing the Banned Word list
- 292 Backing up the Banned Word list
- 292 Restoring the Banned Word list
- 293 URL blocking
- 293 Configuring FortiGate Web URL blocking
- 293 Adding URLs to the Web URL block list
- 294 Clearing the Web URL block list
- 295 Downloading the Web URL block list
- 295 Uploading a URL block list
- 296 Configuring FortiGate Web pattern blocking
- 296 Configuring Cerberian URL filtering
- 297 Installing a Cerberian license key
- 297 Adding a Cerberian user
- 297 Configuring Cerberian web filter
- 297 About the default group and policy
- 298 Enabling Cerberian URL filtering
- 299 Script filtering
- 299 Enabling script filtering
- 299 Selecting script filter options
- 300 Exempt URL list
- 300 Adding URLs to the URL Exempt list
- 301 Downloading the URL Exempt List
- 301 Uploading a URL Exempt List
- 303 Email filter
- 303 General configuration steps
- 304 Email banned word list
- 304 Adding words and phrases to the email banned word list
- 305 Downloading the email banned word list
- 305 Uploading the email banned word list
- 306 Email block list
- 306 Adding address patterns to the email block list
- 306 Downloading the email block list
- 307 Uploading an email block list
- 307 Email exempt list
- 308 Adding address patterns to the email exempt list
- 308 Adding a subject tag
- 309 Logging and reporting
- 309 Recording logs
- 310 Recording logs on a remote computer
- 310 Recording logs on a NetIQ WebTrends server
- 311 Recording logs on the FortiGate hard disk
- 312 Recording logs in system memory
- 312 Log message levels
- 313 Filtering log messages
- 314 Configuring traffic logging
- 315 Enabling traffic logging
- 315 Enabling traffic logging for an interface
- 315 Enabling traffic logging for a VLAN subinterface
- 315 Enabling traffic logging for a firewall policy
- 316 Configuring traffic filter settings
- 316 Adding traffic filter entries
- 317 Viewing logs saved to memory
- 317 Viewing logs
- 318 Searching logs
- 318 Viewing and managing logs saved to the hard disk
- 319 Viewing logs
- 319 Searching logs
- 320 Downloading a log file to the management computer
- 320 Deleting all messages from an active log
- 320 Deleting a saved log file
- 321 Configuring alert email
- 321 Adding alert email addresses
- 321 Testing alert email
- 322 Enabling alert email
- 323 Glossary
- 327 Index