
FortiGate-800 Installation and Configuration Guide Version 2.50

Network configuration

You can use the System Network page to change any of the following FortiGate network settings:

Configuring zones

Configuring interfaces

VLAN overview

VLANs in NAT/Route mode

Virtual domains in Transparent mode

Adding DNS server IP addresses

Configuring routing

Configuring DHCP services

Configuring zones

In NAT/Route mode, you can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, rather than to and from each interface and VLAN subinterface.

You can add zones, rename and edit zones, and delete zones from the zone list.

A new zone does not appear in the policy grid until you add an interface to it (see “Adding an interface to a zone” on page 139) and add a firewall address for it (see “Adding addresses” on page 197).

This section describes:

Adding zones

Deleting zones


Adding zones

The new zone does not appear in the policy grid until you add an interface to it (see “To add an interface to a zone” below) and add a firewall address for it (see “Adding addresses” on page 197).

To add a zone

1. Go to System > Network > Zone.

2. Select New.

3. Type a name for the zone.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4. Select the Block intra-zone traffic check box if you want to block traffic between interfaces in the same zone.

5. Select OK.

Deleting zones

You must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. You can only delete zones that have the Delete icon beside them in the zone list.

To delete a zone

1. Go to System > Network > Zone.

2. Select Delete to remove a zone from the list.

3. Select OK to delete the zone.
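The following Python model is added here to illustrate the zone behaviour described in this section; it is not part of the FortiGate guide or of Fortinet software. It shows why grouping interfaces into zones reduces the number of policies (one zone-to-zone policy covers every interface pair), how the Block intra-zone traffic setting changes the decision for two interfaces in the same zone, and the rule that a zone cannot be deleted while it still contains interfaces. Interface, zone and policy names are constructed; the assumption that unblocked intra-zone traffic passes without an explicit policy is this model's reading of the Block intra-zone traffic option, not a statement from the guide.

```python
# Added example, not Fortinet code: a minimal model of zone-based policy
# lookup as described for NAT/Route mode. Interface, zone and policy names
# are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    block_intra_zone: bool = False
    members: set = field(default_factory=set)  # interfaces and VLAN subinterfaces


class ZoneFirewall:
    def __init__(self):
        self.zones = {}      # zone name -> Zone
        self.policies = {}   # (source, destination) -> "accept" or "deny"

    def add_zone(self, name, block_intra_zone=False):
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")
        self.zones[name] = Zone(name, block_intra_zone)

    def add_to_zone(self, iface, zone_name):
        # An interface belongs to at most one zone.
        for zone in self.zones.values():
            zone.members.discard(iface)
        self.zones[zone_name].members.add(iface)

    def can_delete_zone(self, name):
        # Guide: all interfaces must be removed from a zone before it can be deleted.
        return name in self.zones and not self.zones[name].members

    def delete_zone(self, name):
        if not self.can_delete_zone(name):
            raise ValueError(f"zone {name!r} still contains interfaces or does not exist")
        del self.zones[name]

    def add_policy(self, source, destination, action="accept"):
        self.policies[(source, destination)] = action

    def endpoint(self, iface):
        """Policy endpoint for an interface: its zone if it has one, else itself."""
        for zone in self.zones.values():
            if iface in zone.members:
                return zone.name
        return iface

    def decide(self, src_iface, dst_iface):
        src, dst = self.endpoint(src_iface), self.endpoint(dst_iface)
        if src == dst and src in self.zones:
            # Assumption of this model: traffic between two interfaces in the same
            # zone passes unless "Block intra-zone traffic" is set on the zone.
            return "deny" if self.zones[src].block_intra_zone else "accept"
        # Everything else needs an explicit policy; default deny otherwise.
        return self.policies.get((src, dst), "deny")


def demo():
    fw = ZoneFirewall()
    fw.add_zone("lan", block_intra_zone=True)   # constructed zone names
    fw.add_zone("dmz")
    for name in ("vlan10", "vlan20"):
        fw.add_to_zone(name, "lan")
    for name in ("port3", "port4"):
        fw.add_to_zone(name, "dmz")
    fw.add_policy("lan", "dmz")                 # one policy covers four interface pairs
    return fw


if __name__ == "__main__":
    fw = demo()
    for pair in (("vlan10", "port3"), ("vlan10", "vlan20"), ("port3", "port4"), ("port3", "vlan10")):
        print(pair, fw.decide(*pair))
```

With the two zones above, a single lan-to-dmz policy admits vlan10 and vlan20 to port3 and port4, while the reverse direction stays denied until a dmz-to-lan policy is added; the lan zone blocks its own members from each other because Block intra-zone traffic is set, and the dmz zone does not.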

Configuring interfaces

Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces. All of these procedures can be used for physical FortiGate interfaces and for VLAN subinterfaces.

Viewing the interface list

Changing the administrative status of an interface

Adding an interface to a zone

Configuring an interface with a manual IP address

Configuring an interface for DHCP

Configuring an interface for PPPoE

Adding a secondary IP address to an interface

Adding a ping server to an interface

Controlling administrative access to an interface

Changing the MTU size to improve network performance

Configuring traffic logging for connections to an interface

Configuring the management interface in Transparent mode


Viewing the interface list

To view the interface list

1. Go to System > Network > Interface.

The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces:

• The name of the interface

• The IP address of the interface

• The netmask of the interface

• The zone that the interface has been added to

• The administrative access configuration for the interface

See “Controlling administrative access to an interface” on page 143 for information about administrative access options.

• The administrative status for the interface

If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see “Changing the administrative status of an interface” on page 139.

Changing the administrative status of an interface

You can use the following procedures to start an interface that is administratively down and stop an interface that is administratively up.

To start up an interface that is administratively down

1. Go to System > Network > Interface.

The interface list is displayed.

2. Select Bring Up for the interface that you want to start.

To stop an interface that is administratively up

1. From the FortiGate CLI, enter the command:

set system interface <intf_str> config status down

You can only stop an interface that is administratively up from the FortiGate command line interface (CLI).

Adding an interface to a zone

If you have added zones to the FortiGate unit, you can use the following procedure to add an interface or VLAN subinterface to a zone.

You must delete any firewall addresses added to an interface or VLAN subinterface before adding the interface or VLAN subinterface to a zone. For information about deleting addresses, see “Deleting addresses” on page 199.

When you add an interface or VLAN subinterface to a zone, you cannot add firewall addresses to the interface or VLAN subinterface and the interface or VLAN subinterface does not appear on the policy grid.


To add an interface to a zone

1. Go to System > Network > Interface.

2. Choose the interface or VLAN subinterface to add to a zone and select Modify.

3. From the Belong to Zone list, select the zone that you want to add the interface to.

The Belong to Zone list only appears if you have added zones and if you have not added firewall addresses for the interface.

4. Select OK to save the changes.

5. Repeat these steps to add more interfaces or VLAN subinterfaces to zones.

Configuring an interface with a manual IP address

You can change the static IP address of any FortiGate interface.

To change an interface with a manual IP address

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. Set Addressing Mode to Manual.

4. Change the IP address and Netmask as required.

The IP address of the interface must be on the same subnet as the network the interface is connecting to.

Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.

5. Select OK to save your changes.

If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.

Configuring an interface for DHCP

You can configure any FortiGate interface to use DHCP.

If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. You can disable Connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP request.

By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable the option Retrieve default gateway and DNS from server if you do not want the DHCP server to configure these FortiGate settings.

To configure an interface for DHCP

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. In the Addressing Mode section, select DHCP.


4. Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.

By default, this option is enabled.

5. Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the DHCP server.

By default, this option is enabled.

6. Select Apply.

The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.

7. Select Status to refresh the addressing mode status message. Possible messages:

initializing: No activity.

connecting: The FortiGate unit is attempting to connect to the DHCP server.

connected: The FortiGate unit retrieves an IP address, netmask, and other settings from the DHCP server.

failed: The FortiGate unit was unable to retrieve an IP address and other information from the DHCP server.

8. Select OK.

Configuring an interface for PPPoE

Use the following procedure to configure any FortiGate interface to use PPPoE.

If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.

By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the PPPoE server. You can disable the option Retrieve default gateway and DNS from server if you do not want the PPPoE server to configure these FortiGate settings.

To configure an interface for PPPoE

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. In the Addressing Mode section, select PPPoE.

4. Enter your PPPoE account User Name and Password.

5. Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server.

By default, this option is enabled.

6. Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the PPPoE server.

By default, this option is enabled.


7. Select Apply.

The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.

8. Select Status to refresh the addressing mode status message. Possible messages:

initializing: No activity.

connecting: The FortiGate unit is attempting to connect to the PPPoE server.

connected: The FortiGate unit retrieves an IP address, netmask, and other settings from the PPPoE server.

failed: The FortiGate unit was unable to retrieve an IP address and other information from the PPPoE server.

9. Select OK.

Adding a secondary IP address to an interface

You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be the same as the primary IP address but it can be on the same subnet.

To add a secondary IP address from the CLI, enter the command:

set system interface <intf_str> config secip <second_ip> <netmask_ip>

You can also configure management access and add a ping server to the secondary IP address:

set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet

set system interface <intf_str> config secgwdetect enable

Adding a ping server to an interface

Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See “Adding destination-based routes to the routing table” on page 154.

To add a ping server to an interface

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. Set Ping Server to the IP address of the next hop router on the network connected to the interface.

4. Select the Enable check box.

The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see “Modifying the Dead Gateway Detection settings” on page 171.

5. Select OK to save the changes.


Controlling administrative access to an interface

For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.

Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:

• Use secure administrative user passwords,

• Change these passwords regularly,

• Enable secure administrative access to this interface using only HTTPS or SSH,

• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 170).

To configure administrative access in Transparent mode, see “Configuring the management interface in Transparent mode” on page 144.

To control administrative access to an interface

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. Select the Administrative Access methods for the interface.

HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.

PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.

HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.

SSH: To allow SSH connections to the CLI through this interface.

SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 173.

TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

4. Select OK to save the changes.


Changing the MTU size to improve network performance

To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission.

Experiment by lowering the MTU to find an MTU size for best network performance.

To change the MTU size of the packets leaving an interface

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. Select Override default MTU value (1500).

4. Set the MTU size.

Set the maximum packet size. For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes.
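The following Python example is added here and is not part of the FortiGate guide or of Fortinet software. It checks an MTU value against the ranges the guide gives for each addressing mode, and works out how many IPv4 fragments a packet becomes when it is larger than the smallest MTU on the path, which is the cost the guide refers to when it recommends matching the interface MTU to that smallest MTU. The 20-byte IPv4 header and the 8-byte fragment granularity come from the IPv4 specification (RFC 791), not from the guide; the path MTU values in the demo are constructed.

```python
# Added example, not Fortinet code: MTU range check per addressing mode and
# an IPv4 fragment count for a given path. Ranges are those stated in the guide.
import math

MTU_RANGE = {
    "manual": (576, 1500),   # guide: 576 to 1500 bytes for manual addressing
    "dhcp": (576, 1500),     # guide: 576 to 1500 bytes for DHCP
    "pppoe": (576, 1492),    # guide: 576 to 1492 bytes for PPPoE (8 bytes of PPPoE framing)
}


def validate_mtu(mtu, addressing_mode):
    """True if mtu lies in the range the guide allows for the addressing mode."""
    lo, hi = MTU_RANGE[addressing_mode.lower()]
    return lo <= mtu <= hi


def ipv4_fragment_count(packet_len, link_mtu, header_len=20):
    """Number of IPv4 fragments a packet_len-byte packet (header included) becomes
    on a link with the given MTU. Per RFC 791 every fragment except the last
    carries a payload that is a multiple of 8 bytes; header_len is the IPv4
    header size (20 bytes without options)."""
    if packet_len <= link_mtu:
        return 1
    per_fragment = (link_mtu - header_len) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any payload")
    return math.ceil((packet_len - header_len) / per_fragment)


def fragments_on_path(packet_len, path_mtus):
    """Fragment count along a path: the smallest link MTU decides, which is why
    the guide advises setting the interface MTU to the smallest MTU between the
    unit and the destination."""
    return ipv4_fragment_count(packet_len, min(path_mtus))


if __name__ == "__main__":
    # Constructed path: Ethernet, a PPPoE hop, Ethernet.
    path = [1500, 1492, 1500]
    for size in (1400, 1500):
        print(size, "byte packet ->", fragments_on_path(size, path), "fragment(s)")
    print("1500 valid for PPPoE:", validate_mtu(1500, "pppoe"))
```

Sending 1500-byte packets across a path that contains a 1492-byte link turns every full-size packet into two fragments; lowering the interface MTU to 1492 avoids that, which is the effect the "Experiment by lowering the MTU" advice aims at.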

Configuring traffic logging for connections to an interface

To configure traffic logging for connections to an interface

1. Go to System > Network > Interface.

2. Choose an interface and select Modify.

3. Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.

4. Select OK to save the changes.

Configuring the management interface in Transparent mode

Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Updating antivirus and attack definitions” on page 117).

You can also configure the management interface to control how administrators connect to the FortiGate unit for administration and the FortiGate interfaces to which administrators can connect.

Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:

• Use secure administrative user passwords,

• Change these passwords regularly,

• Enable secure administrative access to this interface using only HTTPS or SSH,

• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 170).

To configure the management interface in Transparent mode

1. Go to System > Network > Management.

2. Change the Management IP and Netmask as required.

This must be a valid address for the network that you want to manage the FortiGate unit from.

3. Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.

4. Select the administrative access methods for each interface.

HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.

PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.

HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.

SSH: To allow SSH connections to the CLI through this interface.

SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 173.

TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

5. Select Log for each interface that you want to record log messages whenever a firewall policy accepts a connection to this interface.

6. Select Apply to save the changes.
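The following Python example is added here and is not part of the FortiGate guide or of Fortinet software. It turns the administrative access guidance from this section and from “Controlling administrative access to an interface” into a review check that can be run over an inventory of interface settings: clear-text HTTP and Telnet management are flagged on any interface, any management access on an Internet-facing interface is flagged, anything other than HTTPS or SSH on such an interface is flagged, and an idle timeout above the 5-minute default is flagged. The interface names and settings are constructed, and the "internet_facing" attribute is a label the reviewer supplies, not a setting the unit exposes.

```python
# Added example, not Fortinet code: audits administrative access settings
# against the guide's recommendations. Interface data is constructed.
ALL_METHODS = {"HTTPS", "PING", "HTTP", "SSH", "SNMP", "TELNET"}
CLEAR_TEXT = {"HTTP", "TELNET"}     # guide: can be intercepted by a third party
SECURE_ONLY = {"HTTPS", "SSH"}      # guide: the only methods to enable on an Internet-facing interface
DEFAULT_IDLE_TIMEOUT_MIN = 5        # guide: keep the default system idle timeout


def audit_admin_access(interfaces, idle_timeout_min=DEFAULT_IDLE_TIMEOUT_MIN):
    """interfaces: iterable of dicts {name, internet_facing, access}, where access
    is the set of enabled administrative access methods. Returns findings as
    (severity, interface, message) tuples, most severe first."""
    findings = []
    for iface in interfaces:
        name = iface["name"]
        access = {m.upper() for m in iface["access"]}
        unknown = access - ALL_METHODS
        if unknown:
            findings.append(("error", name, f"unknown access methods {sorted(unknown)}"))
        # PING is a connectivity check, not a management channel.
        admin = (access & ALL_METHODS) - {"PING"}
        for method in sorted(admin & CLEAR_TEXT):
            findings.append(("high", name, f"{method} administration is clear text and can be intercepted"))
        if iface.get("internet_facing"):
            if admin:
                findings.append(("medium", name,
                                 f"administrative access {sorted(admin)} reachable from the Internet; disable unless required"))
            weak = admin - SECURE_ONLY
            if weak:
                findings.append(("high", name,
                                 f"only HTTPS or SSH should be enabled on an Internet-facing interface, found {sorted(weak)}"))
    if idle_timeout_min > DEFAULT_IDLE_TIMEOUT_MIN:
        findings.append(("medium", "system",
                         f"idle timeout {idle_timeout_min} min exceeds the default of {DEFAULT_IDLE_TIMEOUT_MIN} min"))
    order = {"error": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def hardened_access(iface):
    """Access set the guide's guidance leads to: an Internet-facing interface keeps
    only HTTPS and SSH (and PING if it was enabled); other interfaces lose the
    clear-text methods."""
    access = {m.upper() for m in iface["access"]} & ALL_METHODS
    if iface.get("internet_facing"):
        return access & (SECURE_ONLY | {"PING"})
    return access - CLEAR_TEXT


SAMPLE_INTERFACES = [   # constructed inventory
    {"name": "external", "internet_facing": True, "access": {"HTTPS", "HTTP", "PING"}},
    {"name": "internal", "internet_facing": False, "access": {"HTTPS", "SSH", "SNMP"}},
]

if __name__ == "__main__":
    for severity, iface, message in audit_admin_access(SAMPLE_INTERFACES, idle_timeout_min=30):
        print(f"[{severity}] {iface}: {message}")
    for iface in SAMPLE_INTERFACES:
        print(iface["name"], "->", sorted(hardened_access(iface)))
```

Run against the constructed inventory, the external interface produces three findings (clear-text HTTP, management reachable from the Internet, HTTP not in the HTTPS/SSH set) and the internal interface none; hardened_access shows the access set that clears them.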

VLAN overview

FortiGate units support IEEE 802.1Q Virtual LAN (VLAN) technology. A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, even though they may not be. For example, the workstations and servers for an accounting department could be scattered throughout an office, connected to numerous network segments, but they can still belong to the same VLAN.

A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network.

A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.


In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.

Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to control the flow of packets between VLANs. See “VLANs in NAT/Route mode” on page 146 for more information.

Operating in Transparent mode, the FortiGate unit functions as a layer 2 device to control the flow of packets between segments in the same VLAN. See “Virtual domains in Transparent mode” on page 147.

VLANs in NAT/Route mode

In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.

In this configuration, you add VLAN subinterfaces to the FortiGate internal interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs.

You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs

Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses

IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.

Note: You can enter the CLI command set system ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.
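The following Python example is added here and is not part of the FortiGate guide or of Fortinet software. It checks a planned interface addressing scheme against the rules stated in this section and in “Configuring an interface with a manual IP address” (no two interfaces on the same subnet, no two interfaces with the same address) and the secondary address rule from “Adding a secondary IP address to an interface” (a secondary address may share the primary's subnet but not its address). The allow_overlap flag models the effect of the ip-overlap setting described in the note above; that it still forbids two interfaces sharing one address is this example's assumption. Interface names and addresses are constructed.

```python
# Added example, not Fortinet code: checks for the interface addressing rules
# stated in the guide. Interface names and addresses are constructed.
import ipaddress


def check_interface_addresses(interfaces, allow_overlap=False):
    """interfaces: list of (name, "address/prefix") covering physical interfaces
    and VLAN subinterfaces. Returns the rule violations as strings.
    allow_overlap models "set system ip-overlap enable": subnets may then
    overlap, but (assumption of this example) two interfaces still cannot share
    one IP address."""
    parsed = [(name, ipaddress.ip_interface(cidr)) for name, cidr in interfaces]
    violations = []
    for i, (a_name, a) in enumerate(parsed):
        for b_name, b in parsed[i + 1:]:
            if a.ip == b.ip:
                violations.append(f"{a_name} and {b_name} both use {a.ip}")
            elif not allow_overlap and a.network.overlaps(b.network):
                violations.append(
                    f"{a_name} ({a.network}) and {b_name} ({b.network}) are on overlapping subnets")
    return violations


def plan_is_valid(interfaces, allow_overlap=False):
    """True when no addressing rule is violated."""
    return not check_interface_addresses(interfaces, allow_overlap)


def secondary_ip_allowed(primary_cidr, secondary_cidr):
    """Secondary address rule: it may share the primary's subnet but not its address."""
    primary = ipaddress.ip_interface(primary_cidr)
    secondary = ipaddress.ip_interface(secondary_cidr)
    return primary.ip != secondary.ip


if __name__ == "__main__":
    # Constructed plan: a VLAN subinterface placed on the internal interface's subnet.
    plan = [("internal", "192.168.1.99/24"),
            ("external", "203.0.113.10/24"),
            ("vlan10", "192.168.1.1/24")]
    for v in check_interface_addresses(plan):
        print("violation:", v)
    print("valid with ip-overlap enabled:", plan_is_valid(plan, allow_overlap=True))
    print("secondary 192.168.1.100 on internal allowed:",
          secondary_ip_allowed("192.168.1.99/24", "192.168.1.100/24"))
```

The constructed plan fails the default check because vlan10 sits on the internal interface's subnet, passes once overlap is allowed, and the secondary-address check shows the one case where sharing a subnet is permitted.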


Adding VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.

You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

To add VLAN subinterfaces

1. Go to System > Network > Interface.

2. Select New VLAN to add a VLAN subinterface.

3. Enter a Name to identify the VLAN subinterface.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

4. Select the interface that receives the VLAN packets intended for this VLAN subinterface.

5. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.

The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch.

6. Configure the VLAN subinterface settings as you would for any FortiGate interface.

You can add the VLAN subinterface to a zone, configure addressing, add a ping server, and configure administrative access to the VLAN subinterface. For more information, see “Configuring interfaces” on page 138.

7. Select OK to save your changes.

The FortiGate unit adds the new subinterface to the interface that you selected in step 4.

Virtual domains in Transparent mode

In Transparent mode, the FortiGate unit can apply firewall policies and services, such as virus scanning, to traffic on an IEEE 802.1 VLAN trunk. The FortiGate unit operating in Transparent mode can be inserted into the trunk without making changes to the network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router. This external switch or router could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.


To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit.

A virtual domain contains at least 2 VLAN subinterfaces. For VLAN traffic to be able to pass between the FortiGate Internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces to the virtual domain, you can also use firewall policies to control connections between VLANs.

When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for this source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet and it is sent to the VLAN trunk.

When a packet enters a virtual domain on the FortiGate unit, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN subinterfaces or zones in the virtual domain. The packet never crosses the virtual domain border.

The FortiGate-800 supports 64 virtual domains.
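The following Python example is added here and is not part of the FortiGate guide or of Fortinet software. It makes concrete three things described in this chapter: the 4-byte 802.1Q tag from “VLAN overview” (a 2-byte tag protocol identifier 0x8100 followed by a 2-byte control field whose low 12 bits are the VLAN ID and top 3 bits the priority), the rule from “Rules for VLAN IDs” that a VLAN ID is unique per physical interface but may be reused on another, and the Transparent mode forwarding path described above: the ingress subinterface is chosen by interface and VLAN ID, the tag is removed, the destination subinterface is chosen by destination MAC address, the policy for that subinterface pair is applied, and the frame is re-tagged with the destination VLAN ID. Interface names, MAC addresses, the static MAC table and the frames are constructed; a real unit learns MAC addresses from traffic, which this model does not do.

```python
# Added example, not Fortinet code: parsing the IEEE 802.1Q tag and a minimal
# model of the Transparent mode virtual domain forwarding path described in the
# guide. Names, MAC addresses, the MAC table and the frames are constructed.
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id, priority, ethertype, payload).
    vlan_id and priority are None for an untagged frame. The tag sits after the
    source MAC: a 2-byte TPID (0x8100) and a 2-byte TCI whose top 3 bits are the
    priority and whose low 12 bits are the VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def strip_tag(frame):
    """Remove the 4-byte tag from a tagged frame."""
    return frame[:12] + frame[16:]


def add_tag(frame, vlan_id, priority=0):
    """Insert a tag into an untagged frame (VLAN ID field is 12 bits wide)."""
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


class VirtualDomain:
    def __init__(self):
        self.subinterfaces = {}  # (physical interface, VLAN ID) -> subinterface name
        self.location = {}       # subinterface name -> (physical interface, VLAN ID)
        self.mac_table = {}      # destination MAC -> subinterface name (static here)
        self.policies = {}       # (source subinterface, destination subinterface) -> action

    def add_subinterface(self, name, phys, vlan_id):
        # Two subinterfaces on one physical interface cannot share a VLAN ID;
        # the same ID on a different physical interface is allowed.
        if (phys, vlan_id) in self.subinterfaces:
            raise ValueError(f"VLAN ID {vlan_id} already used on {phys}")
        self.subinterfaces[(phys, vlan_id)] = name
        self.location[name] = (phys, vlan_id)

    def forward(self, ingress_phys, frame):
        """Return (egress physical interface, re-tagged frame), or None if dropped."""
        dst, _src, vlan_id, priority, _etype, _payload = parse_frame(frame)
        if vlan_id is None:
            return None   # this model only handles tagged trunk traffic
        src_sub = self.subinterfaces.get((ingress_phys, vlan_id))
        if src_sub is None:
            return None   # no subinterface with a matching VLAN ID on this interface
        dst_sub = self.mac_table.get(dst)
        if dst_sub is None or dst_sub == src_sub:
            return None   # unknown destination, or destination behind the ingress subinterface
        if self.policies.get((src_sub, dst_sub)) != "accept":
            return None   # no accepting policy for this subinterface pair
        egress_phys, egress_vid = self.location[dst_sub]
        return egress_phys, add_tag(strip_tag(frame), egress_vid, priority)


def build_demo():
    vd = VirtualDomain()
    vd.add_subinterface("int_v10", "internal", 10)
    vd.add_subinterface("ext_v10", "external", 10)   # same VLAN ID, other physical interface
    vd.add_subinterface("ext_v20", "external", 20)
    vd.mac_table[bytes.fromhex("0011223344aa")] = "ext_v10"
    vd.mac_table[bytes.fromhex("0011223344bb")] = "ext_v20"
    vd.policies[("int_v10", "ext_v10")] = "accept"   # same VLAN ID on both sides
    vd.policies[("int_v10", "ext_v20")] = "accept"   # connection between two VLANs
    return vd


def demo_frame(dst_hex, vlan_id, priority=3):
    """Constructed tagged frame: dst MAC, src MAC, 802.1Q tag, IPv4 ethertype, dummy payload."""
    untagged = bytes.fromhex(dst_hex) + bytes.fromhex("00aabbccddee") + b"\x08\x00" + b"\x45" + b"\x00" * 19
    return add_tag(untagged, vlan_id, priority)


if __name__ == "__main__":
    vd = build_demo()
    egress, out = vd.forward("internal", demo_frame("0011223344bb", 10))
    print("egress:", egress, "VLAN ID:", parse_frame(out)[2], "priority:", parse_frame(out)[3])
    print("VLAN 30 on internal:", vd.forward("internal", demo_frame("0011223344bb", 30)))
```

A frame tagged VLAN 10 arriving on the internal interface and addressed to the host behind ext_v20 leaves the external interface tagged VLAN 20 with its priority bits preserved; a frame tagged VLAN 30 is dropped because no subinterface on the internal interface carries that ID, and a frame arriving on external VLAN 10 for the same host is dropped because no ext_v10-to-ext_v20 policy exists.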

Virtual domain properties

Configuring a virtual domain

Adding firewall policies for virtual domains

Deleting virtual domains

Figure 31: FortiGate unit with two virtual domains

[Figure not reproduced. It shows a VLAN switch or router connected to the FortiGate internal interface by a VLAN trunk carrying VLAN1, VLAN2 and VLAN3; inside the FortiGate unit, Virtual Domain 1 handling VLAN1 and a second virtual domain handling VLAN2 and VLAN3, each applying content filtering, antivirus and NIDS; and a VLAN trunk from the external interface to a VLAN switch or router connected to the Internet.]


Virtual domain properties

A virtual domain has the following exclusive properties:

• VLAN name,

• VLAN ID,

• VLAN interface assignment,

• VLAN zone assignment (optional),

• Firewall policy.

Virtual domains share the following global properties with other processes on the FortiGate unit:

• System settings,

• Firewall policy objects (addresses, services, schedule, content profiles, and so on),

• User information,

• NIDS settings,

• Antivirus, Web filter, Mail filter settings,

• Log & report settings.

In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the FortiGate unit. Only their administrative access level varies.

Configuring a virtual domain

Configure a virtual domain by adding the virtual domain to the FortiGate configuration.

Then add matching pairs of VLAN subinterfaces to the virtual domain.

Adding a virtual domain

Adding VLAN subinterfaces to a virtual domain

Adding zones to virtual domains

Adding a virtual domain

Use the following procedure to add a virtual domain to the FortiGate unit. You must add at least one virtual domain to support VLANs in Transparent mode. Add more virtual domains to simplify configuration if you are planning to add a large number of VLANs.

To add a virtual domain

1. Go to System > Virtual Domain.

2. Select New to add a virtual domain.

3. Type a Name for the virtual domain.

4. Select OK to add the virtual domain.


Adding VLAN subinterfaces to a virtual domain

Use the following procedure to add VLAN subinterfaces to a virtual domain. You must add at least two VLAN subinterfaces to each virtual domain. In most configurations a virtual domain is used to send VLAN-tagged packets received at one FortiGate physical interface to another FortiGate physical interface (for example, from the internal interface to the external interface). For this to occur, you must add VLAN subinterfaces to the receiving and sending physical interfaces (for example, to the internal and external interfaces).

To add VLAN subinterfaces to a virtual domain

1. Go to System > Network > VLAN.

2. Select the Virtual Domain to add the VLAN subinterface to.

3. Select New to add a VLAN subinterface.

4. Type a Name for the VLAN subinterface.

5. Select the interface to associate the VLAN subinterface with.

The VLAN subinterface must be added to the FortiGate interface that receives the VLAN-tagged packets.

6. Enter a VLAN ID for the VLAN subinterface.

The VLAN ID can be any number between 1 and 4095.

7. Optionally, select a zone to add the VLAN subinterface to a zone.

To add a zone to a virtual domain, see “Adding zones to virtual domains” on page 150.

8. Select OK to add the VLAN subinterface.

9. Repeat these steps to add more VLAN subinterfaces to the virtual domain.

To configure management access and traffic logging for VLAN subinterfaces

1. Go to System > Network > Management.

2. Configure management access as required for the VLAN subinterfaces that you have added.

You can select HTTPS, PING, SSH, SNMP, HTTP, or TELNET.

3. Select Log to configure traffic logging for the VLAN subinterfaces that you have added.

Adding zones to virtual domains

Add zones to a virtual domain to group together related VLAN subinterfaces. Use zones to simplify firewall policy creation if you have many VLAN subinterfaces in a virtual domain. For more information about zones, see “Configuring zones” on page 137. Use the following procedure to add a zone to a virtual domain.


Figure 32: FortiGate unit containing a virtual domain with zones

[Figure not reproduced. It shows a VLAN switch or router connected to the FortiGate internal interface by a VLAN trunk carrying VLAN1, VLAN2 and VLAN3; inside the FortiGate unit, a virtual domain in which zone1 contains VLAN1 and zone2 contains VLAN2 and VLAN3; and a VLAN trunk from the external interface to a VLAN switch or router connected to the Internet.]

Multiple zones in a single virtual domain cannot be connected to a single VLAN trunk. This configuration is correct because each zone is connected to a different VLAN trunk (zone1 connected to the VLAN trunk on the internal interface and zone2 connected to the VLAN trunk on the external interface). If you were to add another zone (for example, zone3 connected to the VLAN trunk on the internal interface) the FortiGate unit would not be able to successfully differentiate between traffic for zone1 and zone3. This is the case because both zone1 and zone3 traffic would be routed to the same MAC address.

To add a zone to a virtual domain

1. Go to System > Network > Zone.

2. Select New to add a zone.

3. Type a Name for the zone.

4. Select the Virtual Domain to add the zone to.

5. Optionally select Block intra-zone traffic to block traffic between VLAN subinterfaces in the same zone.

6. Select OK to add the zone.

To add VLAN subinterfaces to a zone

1. Go to System > Network > VLAN.

2. Set Virtual Domain to All or to the virtual domain containing the VLAN subinterfaces to add to a zone.

3. Select List to list all of the VLAN subinterfaces added to the FortiGate unit or to the selected virtual domain.

4. For a VLAN subinterface to add to a zone, select Modify.

5. From the zone list, select the name of the zone to add the VLAN subinterface to.

6. Select OK to save your changes.

You can also use the procedure

“Adding VLAN subinterfaces” on page 147

to add a

VLAN subinterface to a zone if you are adding new VLAN subinterfaces to a virtual domain to which you have already added zones.


Adding firewall policies for virtual domains

Once the network configuration for the virtual domain is complete, you must create firewall policies for the virtual domain to allow packets to flow through the firewall between VLAN subinterfaces.

Adding addresses for virtual domains

Adding firewall policies for virtual domains


Adding addresses for virtual domains

Before you can create firewall policies for a virtual domain, you must add source and destination addresses for the VLAN subinterfaces and zones added to the virtual domain.

To add an address for a virtual domain
1. Go to Firewall > Address.
2. Select the VLAN subinterface or zone to which to add the address.
3. Select New to add a new address.
4. Enter an Address Name to identify the address.
5. Enter the IP Address.
6. Enter the NetMask.
7. Select OK to add the address.

Adding firewall policies for virtual domains

Add firewall policies to control connections and traffic between FortiGate VLAN subinterfaces and zones in a virtual domain.

To add a firewall policy for a virtual domain
1. Go to Firewall > Policy.
2. Select the Virtual Domain to which you want to add the policy.
3. Select a source VLAN subinterface or zone.
4. Select a destination VLAN subinterface or zone.
VLAN subinterfaces and zones only appear in the source and destination lists if they have been added to the selected virtual domain and if you have added firewall addresses for them. The source and destination cannot be the same VLAN subinterface or zone.
5. Select New to add a new policy.
6. Configure the policy.
7. Select OK to add the policy.


Deleting virtual domains

You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain. To remove VLAN subinterfaces and zones you must remove all firewall policies and firewall addresses for the VLAN subinterfaces and zones. You can only delete virtual domains that have the Delete icon beside them in the zone list.

Delete the virtual domain components in the following order:

• firewall policies

• source and destination addresses

• VLAN subinterfaces

• zones

• the virtual domain

Adding DNS server IP addresses

Several FortiGate functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usually supplied by your ISP.

To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Change the primary and secondary DNS server IP addresses as required.
3. Select Apply to save the changes.

Configuring routing

This section describes how to configure FortiGate routing. You can configure routing to add static routes from the FortiGate unit to local routers. Using policy routing you can increase the flexibility of FortiGate routing to support more advanced routing functions.

You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections.

This section describes:

Adding a default route

Adding destination-based routes to the routing table

Adding routes in Transparent mode

Configuring the routing table

Policy routing


Adding a default route

You can add a default route for network traffic leaving the external interface.

To add a default route
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Set the Source IP and Netmask to 0.0.0.0.
4. Set the Destination IP and Netmask to 0.0.0.0.
5. Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
6. Select OK to save the default route.

Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.

Adding destination-based routes to the routing table

You can add destination-based routes to the FortiGate routing table to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route.

You can add one or two gateways to a route. If you add one gateway, the FortiGate unit routes the traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first gateway fails.

To support routing failover, the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway. For information about adding a ping server, see “Adding a ping server to an interface” on page 142 .

To add destination-based routes to the routing table
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Type the Destination IP address and netmask for the route.
4. Add the IP address of Gateway #1.
Gateway #1 is the IP address of the primary next-hop router for the route. Gateway #1 must be on the same subnet as a FortiGate interface. If you are adding a static route from the FortiGate unit to a single destination router, you need to specify only one gateway.
5. Add the IP address of Gateway #2, if you want to route traffic to multiple gateways.
6. Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1.
You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface, the traffic is routed to that interface. If you select Auto, the system selects the interface according to the following rules:
• If the Gateway #1 IP address is on the same subnet as a FortiGate interface or VLAN subinterface, the system sends the traffic to that interface.
• If the Gateway #1 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface, the system routes the traffic to the external interface, using the default route.
You can use Device #1 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.
7. Set Device #2 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #2.
You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface, the traffic is routed to that interface. If you select Auto, the system selects the interface according to the following rules:
• If the Gateway #2 IP address is on the same subnet as a FortiGate interface or VLAN subinterface, the system sends the traffic to that interface.
• If the Gateway #2 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface, the system routes the traffic to the external interface, using the default route.
You can use Device #2 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.
8. Select OK to save the route.

Note: Any two routes in the routing table must differ by something other than just the gateway to be simultaneously active. If two routes added to the routing table are identical except for their gateway IP addresses, only the route closer to the top of the routing table can be active.

Note: Arrange routes in the routing table from more specific to more general. For information about arranging routes in the routing table, see “Configuring the routing table” .

Adding routes in Transparent mode

Use the following procedure to add routes when operating the FortiGate unit in Transparent mode.

To add a route in Transparent mode
1. Go to System > Network > Routing.
2. Select New.
3. Enter the Destination IP address and Netmask for the route.
4. Enter the Gateway IP address for the route.
5. Select OK to save the new route.
6. Repeat steps 1 to 5 to add more routes as required.

Configuring the routing table

The routing table shows the destination IP address and mask of each route that you add, as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the FortiGate unit has used the ping server and dead gateway detection to determine that it can connect to the gateway. A red X means that a connection cannot be established. A blue question mark means that the connection status is unknown. For more information, see “Adding a ping server to an interface” on page 142 .

The FortiGate unit assigns routes using a best match algorithm based on the destination address of the packet and the destination address of the route. To select a route for a packet, the FortiGate unit searches the routing table for a route that best matches the destination address of the packet. If a match is not found, the FortiGate unit routes the packet using the default route.

To configure the routing table
1. Go to System > Network > Routing Table.
2. Choose the route that you want to move and select Move To to change its order in the routing table.
3. Type a number in the Move to field to specify where in the routing table to move the route and select OK.
4. Select Delete to delete a route from the routing table.

Figure 33: Routing table


Policy routing

Policy routing extends the functions of destination routing. Using policy routing you can route traffic based on the following:

• Destination address

• Source address

• Protocol, service type, or port range

• Incoming or source interface


Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route that matches is used to set the route for the traffic. The route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic.

Packets are matched with policy routes before they are matched with destination routes. If a packet does not match a policy route, it is routed using destination routes.

The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate unit routes the packet using the matched destination route. If a match is not found, the FortiGate unit routes the packet using normal routing.

To find a route with a matching gateway, the FortiGate unit starts at the top of the destination routing table and searches until it finds the first matching destination route. This matched route is used to route the packet.

For policy routing examples, see “Policy routing examples” on page 55 .
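The lookup order described in this section and in “Configuring the routing table” (policy routes first, then best-match destination routing, with Gateway #2 failover and the Device = Auto rule) is easy to get wrong when reading a live routing table, so the following added Python example models it end to end. This is illustration code written for this page, not FortiGate code, and it does not reproduce the FortiGate CLI; the interfaces, routes, policy routes and packets are constructed, and breaking ties between equally specific routes by their position in the table is an assumption.

```python
"""Route selection as this chapter describes it, modelled in Python.

Added illustration for this page, not FortiGate code. Modelled: the RPDB is
tried first (top to bottom, first match); a matched policy route's gateway
selects the first destination route carrying it, else normal routing applies;
destination routing is best match (longest prefix) with 0.0.0.0/0 last; of two
routes differing only by gateway only the upper one is active; Gateway #2 is
used only when the ping server marked Gateway #1 dead; Device = Auto picks the
interface on the gateway's subnet, else external.
Assumption: equal-prefix ties go to the route nearer the top of the table.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample interfaces (name -> subnet), not taken from the manual.
INTERFACES = {"internal": ip_network("192.168.1.0/24"), "dmz": ip_network("10.10.10.0/24"),
              "external": ip_network("203.0.113.0/30")}

@dataclass
class Route:
    dst: str                                     # destination network, e.g. "10.20.0.0/16"
    gateways: list                               # [Gateway #1] or [Gateway #1, Gateway #2]
    devices: list = field(default_factory=list)  # Device #1/#2; missing or "auto" = Auto

@dataclass
class PolicyRoute:
    src: str
    dst: str
    iifname: str
    gw: str
    protocol: int = None                         # None = any protocol
    ports: tuple = None                          # (low, high) or None = any port

def auto_device(gateway: str) -> str:
    """Device = Auto: the interface on the gateway's subnet, else external."""
    for name, subnet in INTERFACES.items():
        if ip_address(gateway) in subnet:
            return name
    return "external"

def device_for(route: Route, index: int) -> str:
    dev = route.devices[index] if index < len(route.devices) else "auto"
    return auto_device(route.gateways[index]) if dev == "auto" else dev

def active_routes(table):
    """A route identical to an earlier one except for its gateways is inactive."""
    seen, active = set(), []
    for r in table:
        key = (ip_network(r.dst), tuple(r.devices))
        if key not in seen:
            seen.add(key)
            active.append(r)
    return active

def pick_gateway(route: Route, dead):
    """Gateway #1 unless the ping server marked it dead and a Gateway #2 exists."""
    for i, gw in enumerate(route.gateways):
        if gw not in dead:
            return gw, device_for(route, i)
    return None                                  # no reachable gateway on this route

def destination_lookup(table, dst_ip: str, dead=frozenset()):
    """Best-match lookup; among equally specific routes the upper one wins."""
    best, best_len = None, -1
    for r in active_routes(table):
        net = ip_network(r.dst)
        if ip_address(dst_ip) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return pick_gateway(best, dead) if best else None

def route_packet(rpdb, table, pkt: dict, dead=frozenset()):
    """Full lookup order: RPDB first, then the destination routing table."""
    for p in rpdb:
        if (ip_address(pkt["src"]) not in ip_network(p.src)
                or ip_address(pkt["dst"]) not in ip_network(p.dst)
                or p.iifname != pkt["iif"]
                or (p.protocol is not None and p.protocol != pkt["protocol"])
                or (p.ports is not None and not p.ports[0] <= pkt["dport"] <= p.ports[1])):
            continue
        for r in active_routes(table):           # first destination route carrying the gateway
            if p.gw in r.gateways:
                return p.gw, device_for(r, r.gateways.index(p.gw))
        break                                    # no such route: fall through to normal routing
    return destination_lookup(table, pkt["dst"], dead)

ROUTING_TABLE = [  # constructed sample configuration
    Route("10.20.0.0/16", ["10.10.10.254", "192.168.1.254"]),  # Gateway #2 is the failover
    Route("10.20.5.0/24", ["192.168.1.253"]),                   # more specific, listed lower
    Route("0.0.0.0/0", ["203.0.113.1"]),                        # the default route
    Route("0.0.0.0/0", ["203.0.113.3"]),                        # second default: never active
]
RPDB = [
    # HTTP from the LAN is steered to the dmz gateway (say, a proxy); nothing else is.
    PolicyRoute("192.168.1.0/24", "0.0.0.0/0", "internal", "10.10.10.254", protocol=6, ports=(80, 80)),
    # Its gateway is in no destination route, so matching UDP falls through to normal routing.
    PolicyRoute("192.168.1.0/24", "0.0.0.0/0", "internal", "198.51.100.1", protocol=17),
]
```

Two things the model makes visible that the web-based manager does not: the second default route is listed but never consulted, so its gateway cannot rescue traffic when the first default gateway is marked dead (`destination_lookup` returns `None` in that case), and a policy route whose gateway appears in no active destination route silently does nothing, which is the failure mode the text warns about.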

Policy routing command syntax

Configure policy routing using the following CLI command.

set system route policy <route_int> src <source_ip> <source_mask> iifname <source-interface_name> dst <destination_ip> <destination_mask> oifname <destination-interface_name> protocol <protocol_int> port <low-port_int> <high-port_int> gw <gateway_ip>

Complete policy routing command syntax is described in Volume 6: FortiGate CLI Reference Guide.

Configuring DHCP services

You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface.

A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions.

Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.

This section describes the following:

Configuring a DHCP relay agent

Configuring a DHCP server


Configuring a DHCP relay agent

In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the FortiGate unit that is configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the FortiGate unit performing DHCP relay.

To configure an interface as a DHCP relay agent
1. Go to System > Network > DHCP.
2. Select Service.
3. Select the interface to be the DHCP relay agent.
4. Select DHCP Relay Agent.
5. Enter the DHCP Server IP address.
6. Select Apply.

Configuring a DHCP server

As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any FortiGate interface. You can also configure a DHCP server for more than one FortiGate interface. For each DHCP server configuration you can add multiple scopes (also called address scopes) so that the DHCP server can assign IP addresses to computers on multiple subnets.

Use these procedures to configure an interface as a DHCP server:

Adding a DHCP server to an interface

Adding scopes to a DHCP server

Adding a reserve IP to a DHCP server

Viewing a DHCP server dynamic IP list

Adding a DHCP server to an interface

To add a DHCP server to an interface
1. Go to System > Network > DHCP.
2. Select Service.
3. Select an interface.
4. Select DHCP Server.
5. Select Apply.

Adding scopes to a DHCP server

If you have configured an interface as a DHCP server, the interface requires at least one scope (also called an address scope). The scope designates the starting IP and ending IP for the range of addresses that the FortiGate unit assigns to DHCP clients.


You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets.

Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiGate unit. In this case, the DHCP requests are sent to the FortiGate unit through DHCP relay. DHCP relay packets contain DHCP relay IP, which is the IP address of the subnet from which the DHCP relay received the request.

If the DHCP request received by the DHCP server is not forwarded by a DHCP relay, the DHCP server decides which scope to use based on the IP address of the interface that received the DHCP request; usually the scope with the same subnet as the interface.

If the DHCP request received by the server is forwarded by a DHCP relay, the relay IP is used to select the scope.

To add a scope to a DHCP server
1. Go to System > Network > DHCP.
2. Select Address Scope.
3. Select an interface.
You must configure the interface as a DHCP server before it can be selected.
4. Select New to add an address scope.
5. Configure the address scope.
Scope Name: Enter the address scope name.
IP Pool: Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients.
Netmask: Enter the netmask that the DHCP server assigns to the DHCP clients.
Lease Duration: Enter the interval, in days, hours and minutes, after which a DHCP client must ask the DHCP server for a new address. If you select Unlimited, DHCP leases never expire.
Domain: Optionally enter the domain that the DHCP server assigns to the DHCP clients.
Default Route: Enter the default route to be assigned to DHCP clients. The default route must be on the same subnet as the IP pool.
6. Select Advanced if you want to configure Advanced Options.
DNS IP: Enter the addresses of up to 3 DNS servers that the DHCP server assigns to the DHCP clients.
WINS Server IP: Add the IP addresses of one or two WINS servers to be assigned to DHCP clients.
Exclusion Range: Optionally enter up to 4 exclusion ranges of IP addresses within the IP pool that cannot be assigned to DHCP clients.
7. Select OK.


Adding a reserve IP to a DHCP server

If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device.

When you add the MAC address of a device and an IP address to the reserve IP list, the DHCP server always assigns this IP address to the device.

To add a reserve IP you must first select the interface and scope to which you want to add the reserve IP.

To add a reserve IP to a DHCP server
1. Go to System > Network > DHCP.
2. Select Reserve IP.
3. Select an interface.
You must configure the interface as a DHCP server before you can select it.
4. Select a scope.
You must configure an address scope for the interface before you can select it.
5. Select New to add a reserved IP.
6. Configure the reserved IP.
IP: Enter an IP address. The IP address must be within the IP pool added to the selected scope.
MAC: Enter the MAC address of the device.
Name: Optionally, specify a name for the IP and MAC address pair.
Note: The reserved IP cannot be assigned to any other device. You can only add a given IP address or MAC address once.
7. Select OK.
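The scope-selection rule in “Adding scopes to a DHCP server” (receiving interface's subnet for directly connected clients, relay IP for relayed requests), the field constraints of a scope (default route on the pool's subnet, up to four exclusion ranges) and the reserve IP rules above interact when an address is handed out, so the following added Python example models them together. This is illustration code written for this page, not FortiGate code; the interfaces, scopes and client MAC addresses are constructed, and the identification of the relay IP with the standard DHCP giaddr field is an assumption about the page's wording rather than something it states.

```python
"""DHCP scope selection and address assignment as described in this section.

Added illustration for this page, not FortiGate code; interfaces, scopes and
clients are constructed. Modelled: a request received directly on an interface
is served from the scope on that interface's subnet, a relayed request from the
scope matching the relay IP (assumed to be the giaddr field of the DHCP
message); a reserved MAC/IP pair always gets its address and no other client
does; each IP may be reserved once and must lie in the pool; addresses in an
exclusion range (at most four) are never assigned; the scope's default route
must be on the pool's subnet.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Scope:
    name: str
    pool_start: str
    pool_end: str
    netmask: str
    default_route: str
    exclusions: list = field(default_factory=list)  # [(start, end), ...], at most 4
    reserved: dict = field(default_factory=dict)    # mac -> ip; a dict key makes each MAC unique
    leases: dict = field(default_factory=dict)      # ip -> mac (the dynamic IP list)

    def subnet(self):
        return ip_network(f"{self.pool_start}/{self.netmask}", strict=False)

    def in_pool(self, ip: str) -> bool:
        return ip_address(self.pool_start) <= ip_address(ip) <= ip_address(self.pool_end)

    def validate(self):
        """The consistency rules the web-based manager applies when a scope is saved."""
        if ip_address(self.default_route) not in self.subnet():
            raise ValueError(f"{self.name}: default route is not on the pool's subnet")
        if len(self.exclusions) > 4:
            raise ValueError(f"{self.name}: at most 4 exclusion ranges")
        ips = list(self.reserved.values())
        if len(set(ips)) != len(ips):
            raise ValueError(f"{self.name}: an IP address may be reserved only once")
        for ip in ips:
            if not self.in_pool(ip):
                raise ValueError(f"{self.name}: reserved IP {ip} is outside the pool")
        return self

    def excluded(self, ip: str) -> bool:
        a = ip_address(ip)
        return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in self.exclusions)

    def assign(self, mac: str):
        """Return the address leased to mac, or None when the pool is exhausted."""
        if mac in self.reserved:                      # a reservation always wins
            self.leases[self.reserved[mac]] = mac
            return self.reserved[mac]
        for ip, holder in self.leases.items():        # renew an existing lease
            if holder == mac:
                return ip
        taken = set(self.leases) | set(self.reserved.values())
        a, end = ip_address(self.pool_start), ip_address(self.pool_end)
        while a <= end:
            ip = str(a)
            if ip not in taken and not self.excluded(ip):
                self.leases[ip] = mac
                return ip
            a += 1
        return None

def select_scope(scopes, interface_ip: str, giaddr: str = "0.0.0.0"):
    """giaddr 0.0.0.0 means the request arrived directly, not through a relay."""
    key = ip_address(interface_ip if giaddr == "0.0.0.0" else giaddr)
    for scope in scopes:
        if key in scope.subnet():
            return scope
    return None

def make_scopes():
    """Constructed sample: one directly connected LAN, one subnet reached via DHCP relay."""
    lan = Scope("lan", "192.168.1.100", "192.168.1.200", "255.255.255.0", "192.168.1.1",
                exclusions=[("192.168.1.100", "192.168.1.101")],
                reserved={"00:09:0f:aa:bb:cc": "192.168.1.150"})
    branch = Scope("branch", "10.50.0.10", "10.50.0.50", "255.255.255.0", "10.50.0.1")
    return [lan.validate(), branch.validate()]
```

The model does not implement lease expiry; a scope whose Lease Duration is Unlimited behaves exactly like this one, which is why an unlimited lease and a small pool can leave new clients without an address once every pool entry has been handed out.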

Viewing a DHCP server dynamic IP list

You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.

To view a DHCP server dynamic IP list
1. Go to System > Network > DHCP.
2. Select Dynamic IP.
3. Select the interface for which you want to view the list.
