Fortinet FortiGate FortiGate-1000AFA2 Administration Manual
Add to my manuals
458 Pages
Fortinet FortiGate FortiGate-1000AFA2 is a high-performance firewall that provides comprehensive network security protection. It offers advanced features such as intrusion prevention, web filtering, and application control. Additionally, it supports SSL inspection, IPSec VPN, and IPv6.
advertisement
A D M I N I S T R AT I O N G U I D E
FortiGate™
Version 3.0 MR4
www.fortinet.com
FortiGate™ Administration Guide
Version 3.0 MR4
2 January 2007
01-30004-0203-20070102
© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat
Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter,
FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of
Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Contents
Introduction ...................................................................................... 17
About the FortiGate-5000 series modules .................................................. 19
FortiGuard Subscription Services ............................................................... 25
Fortinet Tools and Documentation CD ........................................................ 31
Comments on Fortinet technical documentation ........................................ 31
Customer service and technical support ...................................................... 31
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
3
4
Contents
Web-based manager........................................................................ 33
Web-based manager menu ........................................................................ 37
System Status .................................................................................. 41
Changing the FortiGate unit host name ...................................................... 50
Upgrading to a new firmware version ......................................................... 51
Reverting to a previous firmware version.................................................... 51
Manually updating FortiGuard definitions .................................................... 53
Viewing the Content Archive information .................................................... 55
The Topology Viewer window ..................................................................... 58
Customizing the topology diagram.............................................................. 60
Using virtual domains ..................................................................... 61
Configuring VDOMs and global settings....................................................... 64
Working with VDOMs and global settings ................................................... 65
Adding interfaces to a VDOM ..................................................................... 65
Assigning an administrator to a VDOM ....................................................... 66
Changing the Management VDOM ............................................................. 67
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Contents
System Network ............................................................................... 69
Configuring an ADSL interface.................................................................... 74
Creating an 802.3ad aggregate interface.................................................... 75
Configuring DHCP on an interface .............................................................. 78
Configuring an interface for PPPoE or PPPoA ........................................... 80
Configuring Dynamic DNS service for an interface ..................................... 81
Configuring a virtual IPSec interface ........................................................... 82
Additional configuration for interfaces ......................................................... 83
Transparent mode route settings ................................................................ 90
Redundant mode configuration ................................................................... 93
Standalone mode configuration .................................................................. 94
Adding firewall policies for modem connections ......................................... 94
Connecting and disconnecting the modem ................................................. 95
Rules for VLAN IP addresses ..................................................................... 97
Transparent mode virtual domains and VLANs ........................................ 101
Troubleshooting ARP Issues..................................................................... 104
System Wireless............................................................................. 105
The FortiWiFi wireless LAN interface .......................................................... 105
System wireless settings (FortiWiFi-60)...................................................... 107
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
5
6
Contents
System wireless settings (FortiWiFi-60A and 60AM) ................................. 109
System DHCP ................................................................................. 113
FortiGate DHCP servers and relays............................................................. 113
Configuring an interface as a DHCP relay agent ...................................... 115
Configuring a DHCP server ...................................................................... 115
Reserving IP addresses for specific clients .............................................. 117
System Config................................................................................ 119
Changing subordinate unit host name and device priority ........................ 126
Disconnecting a cluster unit from a cluster ............................................... 126
Configuring an SNMP community ............................................................. 128
Replacement messages list ...................................................................... 137
Changing replacement messages ............................................................ 138
Changing the authentication login page.................................................... 139
Changing the FortiGuard web filtering block override page ...................... 140
Changing the SSL-VPN login message .................................................... 140
Changing the authentication disclaimer page ........................................... 140
Operation mode and VDOM management access...................................... 141
Changing operation mode......................................................................... 141
System Admin ................................................................................ 143
Configuring RADIUS authentication for administrators ............................. 144
Configuring an administrator account ....................................................... 146
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Contents
System Maintenance...................................................................... 157
FortiGuard Distribution Network ................................................................ 161
Configuring the FortiGate unit for FDN and FortiGuard services .............. 162
Troubleshooting FDN connectivity ............................................................ 166
Updating antivirus and attack definitions................................................... 166
System Chassis (FortiGate-5000 series)...................................... 173
Blades (FortiGate-5000 chassis slots)......................................................... 174
Chassis monitoring event log messages .................................................... 176
Router Static .................................................................................. 177
How routing decisions are made .............................................................. 178
Multipath routing and determining the best route ...................................... 178
How route sequence affects route priority ................................................ 179
Equal Cost Multipath (ECMP) Routes ....................................................... 180
Default route and default gateway ........................................................... 181
Adding a static route to the routing table .................................................. 184
Router Dynamic.............................................................................. 189
Viewing and editing basic RIP settings ..................................................... 190
Selecting advanced RIP options ............................................................... 192
Overriding the RIP operating parameters on an interface......................... 193
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
7
8
Contents
OSPF autonomous systems ..................................................................... 194
Viewing and editing basic OSPF settings ................................................. 196
Selecting advanced OSPF options ........................................................... 198
Specifying OSPF networks ....................................................................... 200
Selecting operating parameters for an OSPF interface ............................ 201
Viewing and editing BGP settings ............................................................. 203
Viewing and editing multicast settings ...................................................... 204
Overriding the multicast settings on an interface ...................................... 206
Router Monitor ............................................................................... 209
Searching the FortiGate routing table ......................................................... 211
Firewall Policy ................................................................................ 213
How policy matching works....................................................................... 214
Moving a policy to a different position in the policy list ............................. 216
Adding authentication to firewall policies .................................................. 222
Adding traffic shaping to firewall policies .................................................. 223
SSL-VPN firewall policy options................................................................ 226
Options to check FortiClient on hosts ....................................................... 227
Scenario one: SOHO sized business........................................................ 228
Scenario two: enterprise sized business................................................... 231
Firewall Address ............................................................................ 235
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Contents
Firewall Service .............................................................................. 239
Firewall Schedule........................................................................... 247
Configuring one-time schedules.................................................................. 248
Firewall Virtual IP ........................................................................... 251
How virtual IPs map connections through the FortiGate unit .................... 251
Adding a static NAT virtual IP for a single IP address............................... 256
Adding a static NAT virtual IP for an IP address range ............................. 258
Adding a load balance virtual IP for an IP address range or real servers . 263
Adding a load balance port forwarding virtual IP....................................... 265
IP pools and dynamic NAT........................................................................ 269
IP Pools for firewall policies that use fixed ports ....................................... 269
Firewall Protection Profile............................................................. 271
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
9
10
Contents
FortiGuard-Web filtering options ............................................................... 276
Adding a protection profile to a policy........................................................ 282
VPN IPSEC ..................................................................................... 285
Overview of IPSec interface mode............................................................... 285
Creating a new phase 1 configuration ..................................................... 287
Defining phase 1 advanced settings ......................................................... 290
Creating a new phase 2 configuration ..................................................... 292
Defining phase 2 advanced settings ......................................................... 293
Creating a new manual key configuration ................................................ 297
VPN PPTP ....................................................................................... 303
VPN SSL.......................................................................................... 305
VPN Certificates ............................................................................. 309
Downloading and submitting a certificate request .................................... 312
Importing a signed server certificate ......................................................... 313
Importing an exported server certificate and private key .......................... 313
Importing separate server certificate and private key files ........................ 314
Importing Remote (OCSP) certificates...................................................... 315
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Contents
User ................................................................................................. 319
Setting user authentication protocol support ............................................. 320
Configuring a RADIUS server ................................................................... 322
Configuring an LDAP server ..................................................................... 324
Configuring a Windows AD server ............................................................ 327
Configuring FortiGuard override options for a user group......................... 331
Configuring SSL VPN user group options ................................................. 332
Configuring peers and peer groups............................................................. 334
AntiVirus ......................................................................................... 335
Viewing the Quarantined Files list ............................................................. 341
Configuring quarantine options ................................................................. 343
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
11
12
Contents
Intrusion Protection....................................................................... 349
Viewing the predefined signature list ........................................................ 351
Configuring predefined signatures ............................................................ 353
Fine tuning IPS predefined signatures for enhanced system performance 353
Viewing the custom signature list.............................................................. 354
Viewing the protocol decoder list .............................................................. 356
Upgrading IPS protocol decoder list ......................................................... 357
Configuring IPS traffic anomalies.............................................................. 358
Web Filter........................................................................................ 361
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Contents
Viewing the web content block list catalog ................................................ 364
Creating a new web content block list ....................................................... 365
Viewing the web content block list ............................................................ 365
Configuring the web content block list....................................................... 366
Viewing the web content exempt list catalog ............................................ 367
Creating a new web content exempt list ................................................... 367
Viewing the web content exempt list ......................................................... 368
Configuring the web content exempt list ................................................... 369
Moving URLs in the URL filter list ............................................................. 373
Configuring FortiGuard-Web filtering ........................................................ 374
Category block CLI configuration .............................................................. 379
Antispam......................................................................................... 381
Viewing the antispam banned word list catalog ........................................ 384
Creating a new antispam banned word list ............................................... 385
Viewing the antispam banned word list ..................................................... 385
Configuring the antispam banned word list ............................................... 386
Viewing the antispam IP address list catalogue ........................................ 387
Creating a new antispam IP address list ................................................... 388
Viewing the antispam IP address list ........................................................ 388
Configuring the antispam IP address list................................................... 389
Viewing the antispam email address list catalog....................................... 389
Creating a new antispam email address list.............................................. 390
Viewing the antispam email address list ................................................... 390
Configuring the antispam email address list ............................................. 391
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
13
14
Contents
Advanced antispam configuration............................................................... 392
Regular expression vs. wildcard match pattern ........................................ 393
Perl regular expression formats ................................................................ 394
Example regular expressions.................................................................... 395
IM, P2P & VoIP................................................................................ 397
How to enable and disable IM/P2P options .............................................. 399
How to configure IM/P2P options within a protection profile ..................... 399
How to configure IM/P2P decoder log settings ......................................... 400
How to configure older versions of IM/P2P applications ........................... 400
How to configure protocols that are not supported ................................... 400
Adding a new user to the User List ........................................................... 404
Configuring a policy for unknown IM users ............................................... 405
Log&Report .................................................................................... 407
Connecting to FortiAnalyzer using Automatic Discovery .......................... 410
Testing the FortiAnalyzer configuration .................................................... 411
Logging to FortiGuard Log and Analysis server........................................ 414
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Contents
Accessing log messages stored in memory .............................................. 420
Accessing log message stored in the hard disk ........................................ 420
Accessing logs stored on the FortiAnalyzer unit ....................................... 421
Accessing logs on the FortiGuard Log & Analysis server ......................... 422
Deleting logs stored on the FortiGuard Log & Analysis server ................. 424
Configuring a FortiAnalyzer report ........................................................... 430
Printing your FortiAnalyzer report ............................................................. 437
Viewing FortiAnalyzer reports from a FortiGate unit ................................. 438
Viewing parts of a FortiAnalyzer report ..................................................... 438
Index................................................................................................ 439
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
15
Contents
16
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network protection.
FortiGate™ ASIC-accelerated multi-threat security systems improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Systems are ICSA-certified for Antivirus, Firewall, IPSec,
SSL-TLS, IPS, Intrusion detection, and AntiSpyware services.
FortiGate Systems are dedicated, easily managed security device that delivers a full suite of capabilities including:
• Application-level services such as virus protection, intrusion protection, spam filtering, web content filtering, IM, P2P, and VoIP filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL
VPN, and traffic shaping
• Management services such as user authentication, logging, reporting with
FortiAnalyzer, administration profiles, secure web and CLI administrative access, and SNMP
The FortiGate security system uses Fortinet’s Dynamic Threat Prevention System
(DTPS™) technology, which leverages breakthroughs in chip design, networking, security and content analysis. The unique ASIC-accelerated architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks.
This chapter contains the following sections:
•
Introducing the FortiGate units
•
•
•
•
Customer service and technical support
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
17
Introducing the FortiGate units Introduction
Introducing the FortiGate units
All FortiGate Unified Threat Management Systems from the FortiGate-50B to the
FortiGate-5000 series deliver similar SOHO or enterprise-class network-based antivirus, content filtering, firewall, VPN, and network-based intrusion detection/prevention features.
FortiGate-5000 series chassis
The FortiGate-5000 series Security Systems are chassis-based systems that
MSSPs and large enterprises can use to provide subscriber security services such as firewall, VPN, antivirus protection, spam filtering, web filtering and intrusion prevention (IPS). The wide variety of system configurations available with FortiGate-5000 series provide flexibility to meet the changing needs of growing high performance networks. The FortiGate-5000 series chassis support multiple hot-swappable FortiGate-5000 series modules and power supplies. This modular approach provides a scalable, high-performance and failure-proof solution.
13 11 9 7 5 3 1
5140
2
5140SAP
RES
ET
CR
ITIC
AL
JOR
MIN
OR
USE
R1
2
USER USE
R3
SERIAL 1 SERIAL 2
4 6 8 10
ALARM
12 14
MANAGEMENT
E
H
O
MANAGEMENT
E
H
O
SYSTEM
CONSOLE
R
S
3
2
Z
0
R
1
E2
14
12
10
8
6
4
2
0
ZRE
1
5
3
9
7
13
11
E1
15
R
2
CLK
EXT
FLT
OK
INT
FLT
HOT SWAP
RESET
E2
14
12
6
4
10
8
2
0
ZRE
1
5
3
9
7
13
11
E1
15
R
2
CLK
EXT
FLT
OK
INT
FLT
HOT SWAP
RESET
SYSTEM
CONSOLE
3
2
R
S
Z
0
R
1
LED MODE LED MODE
1 2
ETH0 ETH1
ETH0
Service
RESET
STATUS
Hot Swap
ETH0 ETH1
ETH0
Service
RESET
STATUS
Hot Swap
5
4
3
2
1
SMC
2
5000SM
10/100 link/Act
10/100 link/Act
ETH0 Service
CONSOLE
USB
PWR ACC
CONSOLE
USB
PWR ACC
PWR
ACC
CONSOLE
USB
E T H O
1
1
1
2
2
2
3
3
3
R S 2 3 2 Z R E 0 Z R E 1 Z R E 2
4
4
4
5 6
5 6
5 6
7 8
STA IPM
7 8
STA IPM
7 8
STA IPM
E T H O R S 2 3 2 Z R E 0 Z R E 1 Z R E 2
SERIAL
1
5050SAP
SERIAL
2
5000SM
10/100 link/Act
10/100 link/Act
ETH0 Service
POWER
SMC
1
PSU A
PSU B
FILTER
RESET
USB CONSOLE
USB
STATUS
CONSOLE
RESET
STATUS
1
PWR
1
PWR
4 5
4
IPM
5
IPM
6
ALT
ON/OFF
6
0 FA N T R AY 1 FA N T R AY 2 FA N T R AY
FortiGate-5140 chassis
You can install up to 14 FortiGate-5000 series modules in the 14 slots of the
FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to -48 VDC
Data Center DC power. The FortiGate-5140 chassis also includes three hot swappable cooling fan trays.
FortiGate-5050 chassis
You can install up to five FortiGate-5000 series modules in the five slots of the
FortiGate-5050 ATCA chassis. The FortiGate-5050 is a 5U chassis that contains two redundant DC power connections that connect to -48 VDC Data Center DC power. The FortiGate-5050 chassis also includes a hot swappable cooling fan tray.
18
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction Introducing the FortiGate units
FortiGate-5020 chassis
You can install one or two FortiGate-5000 series modules in the two slots of the
FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The
FortiGate-5020 chassis also includes an internal cooling fan tray.
About the FortiGate-5000 series modules
Each FortiGate-5000 series module is a standalone security system that can also function as part of an HA cluster. All FortiGate-5000 series modules are also hot swappable. All FortiGate-5000 series units are high capacity security systems with multiple gigabit interfaces, multiple virtual domain capacity, and other high end FortiGate features.
FortiGate-5005FA2 module
The FortiGate-5001SX module is an independent high-performance security system with eight Gigabit ethernet interfaces; two of which include Fortinet technology to accelerate small packet performance. The FortiGate
-
5005FA2 module also supports high-end features including 802.1Q VLANs and multiple virtual domains.
FortiGate-5001SX module
The FortiGate-5001SX module is an independent high-performance security system with eight Gigabit ethernet interfaces. The FortiGate
-
5001SX module supports high-end features including 802.1Q VLANs and multiple virtual domains.
FortiGate-5001FA2 module
The FortiGate-5001FA2 module is an independent high-performance security system with six Gigabit ethernet interfaces. The FortiGate-5001FA2 module is similar to the FortiGate-5001SX module except that two of the FortiGate-5001FA2 interfaces include Fortinet technology to accelerate small packet performance.
FortiGate-5002FB2 module
The FortiGate-5002FB2 module is an independent high-performance FortiGate security system with a total of 6 Gigabit ethernet interfaces. Two of the
FortiGate-5002FB2 interfaces include Fortinet technology to accelerate small packet performance.
FortiGate-3600A
The FortiGate-3600A unit provides carrierclass levels of performance and
CONSOLE
reliability demanded by large enterprises and
Esc Enter
2
1
4
3
6
5
8
7 9
10
MODEM
service providers. The unit uses multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps,
USB
PWR
Hi-Temp
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
19
Introducing the FortiGate units Introduction
meeting the needs of the most demanding applications. The FortiGate-3600A unit includes redundant power supplies, which minimize single-point failures, and supports load-balanced operation. The high-capacity, reliability and easy management makes the FortiGate-3600A a natural choice for managed service offerings.
FortiGate-3600
The FortiGate-3600 unit provides carrierclass levels of performance and
Esc Enter
POWER
Hi-Temp
1
4
2 3
5/HA INT EXT
1 2 3 4 5/HA INTERNAL EXTERNAL
reliability demanded by large enterprises and service providers. The unit uses multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps, meeting the needs of the most demanding applications. The FortiGate-3600 unit includes redundant power supplies, which minimize single-point failures, and supports load-balanced operation. The high-capacity, reliability and easy management makes the FortiGate-3600 a natural choice for managed service offerings.
FortiGate-3000
The FortiGate-3000 unit provides the carrier-class levels of performance and
Esc Enter
POWER
Hi-Temp
1
4/HA
2
INT
3
EXT
1 2 3 4/HA INTERNAL EXTERNAL
reliability demanded by large enterprises and service providers. The unit uses multiple CPUs and FortiASIC chips to deliver a throughput of 3Gbps, meeting the needs of the most demanding applications.
The FortiGate-3000 unit includes redundant power supplies to minimize singlepoint failures, including load-balanced operation and redundant failover with no interruption in service. The high capacity, reliability, and easy management of the
FortiGate-3000 makes it a natural choice for managed service offerings.
FortiGate-1000A
The FortiGate-1000A
Security System is a high-performance solution for the most demanding large enterprise and service providers. The
FortiGate-1000A automatically keeps up to date information on Fortinet’s
FortiGuard Subscription Services by the FortiGuard Distribution Network, ensuring around-the-clock protection against the latest viruses, worms, trojans and other threats. The FortiGate-1000A has flexible architecture to quickly adapt to emerging technologies such as IM, P2P or VOIP including identity theft methods such as spyware, phishing and pharming attacks.
20
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction Introducing the FortiGate units
FortiGate-1000AFA2
The FortiGate-
1000AFA2 Security
System is a high-performance CONSOLE
USB
A1 A2 solution for the most demanding large enterprise and service providers. The FortiGate-1000AFA2 features two extra optical fiber ports with
Fortinet’s FortiAccel™ technology, enhancing small packet performance. The
FortiGate-1000AFA2 also delivers critical security functions in a hardened security platform, tuned for reliability, usability, rapid deployment, low operational costs and most importantly a superior detection rate against known and unknown anomalies.
FortiGate-1000
The FortiGate-1000 unit is designed for larger enterprises. The FortiGate-
1000 meets the needs of
Esc
Enter
1 2 3 4 / HA INTERNAL
the most demanding applications, using multiple CPUs and FortiASIC chips to deliver a throughput of 2Gps. The FortiGate-1000 unit includes support for redundant power supplies to minimize single-port failures, load-balanced operation, and redundant failover with no interruption in service.
EXTERNAL
FortiGate-800
The FortiGate-800 provides high throughput, a total of eight network connections,
(four of which are user-
8
Esc Enter
P W R
I N T E R N A L E X T E R N A L D M Z HA 1 2 3 4 CONSOLE USB
defined), VLAN support, and virtual domains. The FortiGate-800 also provides stateful failover HA, when you are configuring a cluster of FortiGate units.The
FortiGate-800 is a natural choice for large enterprises, who demand top network security performance.
FortiGate-800F
The FortiGate-800F provides the same features as the FortiGate-800, using four fibre-optic Internal,
800F
Esc Enter
P W R
I N T E R N A L E X T E R N A L D M Z HA 1 2 3 4 CONSOLE USB
External, DMZ and HA interfaces. The FortiGate-800F also provides stateful failover HA, and support for the RIP and OSPF routing protocols. The FortiGate-
800F provides the flexibility, reliability and easy management large enterprises are looking for.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
21
Introducing the FortiGate units Introduction
FortiGate-500A
The FortiGate-500A unit provides the carrier-class levels of performance and reliability demanded by
A
Esc Enter
CONSOLE USB
L1 L2
LAN
L3 L4 1 2
10/100
3 4 5
10/100/1000
6
large enterprises and service providers. With a total of 10 network connections, (including a 4-port LAN switch), and high-availability features with automatic failover with no session loss, the FortiGate-500A is the choice for mission critical applications. The flexibility, reliability, and easy management of the FortiGate-500A makes it a natural choice for managed service offerings.
FortiGate-500
The FortiGate-500 unit is designed for larger enterprises. The flexibility, reliability, and easy
Esc Enter
INTERNAL EXTERNAL DMZ HA 1 2 3 4 5 6 7 8
management makes the
FortiGate-500 a natural choice for managed service offerings. The FortiGate-500 supports high availability (HA).
FortiGate-400A
The FortiGate-400A unit meets enterprise-class requirements for performance, availability,
A
Esc Enter
CONSOLE USB
1 2
10/100
3
10/100/1000
4 5 6
and reliability. The
FortiGate-400A also supports high availability (HA) and features automatic failover with no session loss, making it the choice for mission critical applications.
FortiGate-400
The FortiGate-400 unit is designed for larger enterprises. The FortiGate-
400 unit is capable of
Esc Enter
CONSOLE 1 2 3 4 / HA
throughput up to 500Mbps and supports high availability (HA), which includes automatic failover with no session loss.
FortiGate-300A
The FortiGate-300A unit meets enterprise-class requirements for performance, availability,
Esc Enter
CONSOLE USB
1 2
10/100
3
10/100/1000
4 5 6
and reliability. The
FortiGate-300A also supports high availability (HA) and includes automatic failover with no session loss, making the FortiGate-300A a good choice for mission critical applications.
22
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction Introducing the FortiGate units
FortiGate-300
The FortiGate-300 unit is designed for larger enterprises. The FortiGate-
300 unit features high
Esc Enter
availability (HA), which includes automatic failover with no session loss. This feature makes the
FortiGate-300 an excellent choice for mission-critical applications.
FortiGate-200A
The FortiGate-200A unit is an easy-to-deploy and easy-to-administer solution that delivers exceptional
A
Esc Enter
value and performance for small office, home office and branch office applications.
CONSOLE USB
1 2
INTERNAL
3 4
DMZ1 DMZ2 WAN1 WAN2
FortiGate-200
The FortiGate-200 unit is designed for small businesses, home offices or even branch office
POWER STATUS INTERNAL EXTERNAL DMZ
CONSOLE INTERNAL EXTERNAL DMZ
applications. The FortiGate-
200 unit is an easy-to-deploy and easy-to-administer solution. The FortiGate-200 also supports high availability (HA).
FortiGate-100A
The FortiGate-100A unit is designed to be an easy-to-administer solution for small offices, home offices, and branch office applications.
A
PWR STATUS WAN 1 WAN 2 DMZ 1
LINK 100 LINK 100 LINK 100
DMZ 2
1
LINK 100 LINK 100
2
INTERNAL
3
LINK 100
4
LINK 100 LINK 100
The FortiGate-100A supports advanced features such as 802.1Q VLAN, virtual domains, and the RIP and OSPF routing protocols.
FortiGate-100
The FortiGate-100 unit is designed for SOHO, SMB and branch office applications.
INTERNAL EXTERNAL DMZ
POWER
STATUS
The FortiGate-100 supports advanced features such as 802.1Q
VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing protocols.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
23
Introducing the FortiGate units Introduction
FortiGate-60/60M/ADSL
The FortiGate-60 unit is designed for telecommuters remote offices, and retail stores. The FortiGate-60 unit includes an external modem
PWR STATUS 1
LINK 100
2
LINK 100
INTERNAL
3
LINK 100
4
LINK 100
DMZ
LINK 100
WAN1
LINK 100
WAN2
LINK 100
port that can be used as a backup or stand alone connection to the
Internet while the FortiGate-60M unit includes an internal modem that can also be used either as a backup or a standalone connection to the Internet. The FortiGate-
60ADSL includes an internal ADSL modem.
FortiWiFi-60/60A/60AM
The FortiWiFi-60 model provides a secure, wireless LAN solution for wireless connections. It combines mobility and flexibility with FortiWiFi
Antivirus Firewall features, and can be upgraded to future radio technologies. The FortiWiFi-60 serves as the connection point between wireless and wired networks or the center-point of a standalone wireless network.
PWR WLAN 1 2
INTERNAL
3 4 DMZ WAN1 WAN2
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
FortiGate-50B
The FortiGate-50B is designed for telecommuters and small remote offices with 10 to 50 employees.
The FortiGate-50B unit includes
POWER STATUS
WAN1 WAN2
INTERNAL
1 2 3
LINK / ACT
10/100
two WAN interfaces for redundant connections to the Internet. The
FortiGate-50B unit also features a 3-port switch for internal network connections and supports HA configurations with other FortiGate-50B units.
FortiGate-50A
The FortiGate-50A unit is designed for telecommuters and small remote offices with 10 or fewer employees.
The FortiGate-50 unit includes an A external modem port that can be used as a backup or stand alone connection to the Internet.
PWR STATUS
INTERNAL EXTERNAL
LINK 100 LINK 100
24
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction Fortinet family of products
Fortinet family of products
Fortinet offers a family of products that includes both software and hardware appliances for a complete network security solution including mail, logging, reporting, network management, and security along with FortiGate Unified Threat
Manager Systems. For more information on the Fortinet product family, go to www.fortinet.com/products .
FortiGuard Subscription Services
FortiGuard Subscription Services are security services created, updated and managed by a global team of Fortinet security professionals. They ensure the latest attacks are detected and blocked before harming your corporate resources or infecting your end-user computing devices. These services are created with the latest security technology and designed to operate with the lowest possible operational costs.
FortiGuard Subscription Services includes:
• FortiGuard Antivirus Service
• FortiGuard Intrusion Prevention subscription services (IPS)
• FortiGuard Web Filtering
• FortiGuard Antispam Service
• FortiGuard Log and Analysis
• FortiGuard Premier Service
An online virus scanner and virus encyclopedia is also available for your reference from the FortiGuard Center .
FortiAnalyzer
FortiAnalyzer™ provides network administrators with the information they need to enable the best protection and security for their networks against attacks and vulnerabilities. FortiAnalyzer features include:
• collects logs from FortiGate devices and syslog devices and FortiClient
• creates hundreds of reports using collected log data
• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit
The FortiAnalyzer unit can also be configured as a network analyzer to capture real-time traffic on areas of your network where firewalls are not employed. You can also use the unit as a storage device where users can access and share files, including the reports and logs that are saved on the FortiAnalyzer hard disk.
FortiClient
FortiClient™ Host Security software provides a secure computing environment for both desktop and laptop users running the most popular Microsoft Windows operating systems. FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
25
Fortinet family of products Introduction
FortiManager
FortiManager™ meets the needs of large enterprises (including managed security service providers) responsible for establishing and maintaining security policies across many dispersed FortiGate installations. With FortiManager you can configure multiple FortiGate devices and monitor their status. You can also view real-time and historical logs for FortiGate devices. FortiManager emphasizes ease of use, including easy integration with third party systems.
FortiBridge
FortiClient also offers a silent installation feature, enabling an administrator to efficiently distribute FortiClient to several users’ computers with preconfigured settings.
FortiBridge™ products are designed to provide enterprise organizations operating
FortiGate units in Transparent mode with continuous network traffic flow in the event of a power outage or a FortiGate system failure. The FortiBridge unit bypasses the FortiGate unit to make sure that the network can continue processing traffic. FortiBridge products are easy to use and deploy, including providing customizable actions a FortiBridge unit takes in the event of a power outage or FortiGate system failure.
FortiMail
FortiMail™ provides powerful, flexible heuristic scanning and reporting capabilities to incoming and outgoing email traffic. The FortiMail unit has reliable, high performance features for detecting and blocking malicious attachments and spam, such as FortiGuard Antispam/Antivirus support, heuristic scanning, greylisting, and Bayesian scanning. Built on Fortinet’s award winning FortiOS and FortiASIC technology, FortiMail antivirus technology extends full content inspection capabilities to detect the most advanced email threats.
FortiReporter
FortiReporter Security Analyzer software generates easy-to-understand reports and can collect logs from any FortiGate unit, as well as over 30 network and security devices from third-party vendors. FortiReporter reveals network abuse, manages bandwidth requirements, monitors web usage, and ensures employees are using the office network appropriately. FortiReporter allows IT administrators to identify and respond to attacks, including identifying ways to proactively secure their networks before security threats arise.
26
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction About this document
About this document
This FortiGate Version 3.0 MR4 Administration Guide provides detailed information about FortiGate™ web-based manager options and how to use them.
This guide also contains some information about the FortiGate CLI.
This administration guide describes web-based manager functions in the same order as the web-based manager menu. The document begins with a general description of the FortiGate web-based manager and a description of FortiGate virtual domains. Following these chapters, each item in the System menu, Router menu, Firewall menu, and VPN menu gets a separate chapter. Then User,
AntiVirus, Intrusion Protection, Web Filter, AntiSpam, IM/P2P, and Log & Report are all described in single chapters. The document concludes with a detailed index.
The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the
Fortinet Technical Documentation web site as well as from the Fortinet Knowledge
Center .
This administration guide contains the following chapters:
•
provides an introduction to the features of the FortiGate web-based manager and includes information about how to register a
FortiGate unit and about how to use the web-based manager online help.
•
describes the System Status page, the dashboard of your
FortiGate unit. At a glance you can view the current system status of the
FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time.
•
Using virtual domains describes how to use virtual domains to operate your
FortiGate unit as multiple virtual FortiGate units, providing separate firewall and routing services to multiple networks.
•
System Network explains how to configure physical and virtual interfaces and
DNS settings on the FortiGate unit.
•
describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
•
provides information about how to configure a FortiGate interface as a DHCP server or DHCP relay agent.
•
contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.
•
guides you through adding and editing administrator accounts, defining access profiles for administrators, configuring FortiManager™ access, and defining general administrative settings such as language, timeouts, and web administration ports.
•
System Maintenance details how to back up and restore the system
configuration using a management computer or the FortiUSB device, enable
FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
27
About this document
28
Introduction
•
System Chassis (FortiGate-5000 series)
describes information displayed on the system chassis web-based manager pages about all of the hardware components in your FortiGate-5140 or FortiGate-5050 chassis.
•
explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
•
explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
•
Router Dynamic contains information about how to configure dynamic
protocols to route traffic through large or complex networks.
•
Router Monitor explains how to interpret the Routing Monitor list. The list
displays the entries in the FortiGate routing table.
•
describes how to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
•
describes how to configure addresses and address groups for firewall policies.
•
describes available services and how to configure service groups for firewall policies.
•
Firewall Schedule describes how to configure one-time and recurring
schedules for firewall policies.
•
Firewall Virtual IP describes how to configure and use virtual IP addresses and
IP pools.
•
describes how to configure protection profiles for firewall policies.
•
provides information about the tunnel-mode and route-based
(interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
•
explains how to use the web-based manager to specify a range of
IP addresses for PPTP clients.
•
VPN SSL provides information about basic SSL VPN settings.
•
explains how to manage X.509 security certificates.
•
details how to control access to network resources through user authentication.
•
explains how to enable antivirus options when you create a firewall protection profile.
•
Intrusion Protection explains how to configure IPS options when a firewall
protection profile is created.
•
explains how to configure web filter options when a firewall protection profile is created.
•
Antispam explains how to configure spam filter options when a firewall
protection profile is created.
•
IM, P2P & VoIP explains how to configure IM, P2P, and VoIP options when a
firewall protection profile is created. You can view IM, P2P, and VoIP statistics to gain insight into how the protocols are being used within the network.
•
describes how to enable logging, view log files, and view the basic reports available through the web-based manager.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction FortiGate documentation
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
!
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Typographic conventions
Fortinet documentation uses the following typographical conventions:
Convention
Menu commands
Keyboard input
Code examples
CLI command syntax
Document names
File content
Program output
Variables
Example
Go to VPN > IPSEC > Phase 1 and select Create New.
In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
config sys global set ips-open enable end config firewall policy edit id_integer set http_retry_count <retry_integer> set natip <address_ipv4mask> end
FortiGate Administration Guide
<HTML><HEAD><TITLE>Firewall
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
Welcome!
<address_ipv4>
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com
.
The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
29
FortiGate documentation
30
Introduction
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
•
FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center , the FortiGate Log
Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability Overview and FortiGate High Availability User
Guide
These documents contain in-depth information about the FortiGate High
Availability (HA) feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the webbased manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMS in both NAT/Route and
Transparent mode. Includes detailed examples.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Introduction Customer service and technical support
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com
.
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com
.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to [email protected].
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
31
Customer service and technical support Introduction
32
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web-based manager
Web-based manager
This section describes the features of the user-friendly web-based manager administrative interface of your FortiGate unit.
Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for
HTTP and HTTPS administration from any FortiGate interface.
Figure 1: Example FortiGate-5001SX Web-based manager dashboard
You can use the web-based manager to configure most FortiGate settings and to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can back it up. The saved configuration can be restored at any time.
The following topics are included in this section:
•
•
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
33
Button bar features Web-based manager
Button bar features
The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.
Figure 2: Web-based manager button bar
Contact Customer Support
Logout
Online Help
Contact Customer Support
The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can:
• Access the Fortinet Knowledge Center .
• Log into Customer Support (Support Login).
• Register your FortiGate unit ( Product Registration ).
• Find out about Fortinet Training and Certification .
• Visit the FortiGuard Center .
To register your FortiGate unit, go to Product Registration and follow the instructions.
Using the Online Help
The Online Help button displays online help for the current web-based manager page. The online help page that is displayed contains information and procedures related to the controls on the current web-based manager page. Most help pages also contains hyperlinks to related topics. The online help system also includes a number of controls that you can use to find additional information.
Figure 3: Viewing system status online help page
Show Navigation
Previous
Next
Bookmark
34
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web-based manager Button bar features
Show
Navigation
Previous
Next
Bookmark
Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the
FortiGate
Administration Guide
.
Display the previous page in the online help.
Display the next page in the online help.
Send an email to Fortinet Technical Documentation at [email protected]. You can use this email address to let us know if you have a comment about or correction for the online help or any other
Fortinet technical documentation product.
Print the current online help page.
Add an entry for this online help page to your browser bookmarks or favorites list. Use this button to make it easier to find helpful online help pages. You cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed.
Select Show Navigation to display the online help navigation pane.
Figure 4: Online help page with navigation pane
Contents Index Search Show in Contents
Contents
Index
Search
Show in
Contents
Display the online help table of contents. You can navigate through the table of contents to find information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the
FortiGate Administration Guide
.
Display the online help index. You can use the index to find information in the online help.
help.
If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page. You can select
Show in Contents to display the table of contents showing the location of the current help page.
About searching the online help
Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. Please note the following about the search:
• If you search for multiple words, the search finds help pages that contain all of the words that you entered. The search does not find help pages that only contain one of the words that you entered.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
35
Button bar features
36
Web-based manager
Logout
3
4
1
2
• The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with one or more of the search words in the help page title are ranked highest.
• You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authenticate, authentication,
authenticates, and so on.
• In some cases the search only finds exact matches. For example if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for
window*).
To search in the help system
From any web-based manager page, select the online help button.
Select Show Navigation to display the online help navigation pane.
Select Search.
Type one or more words to search for in the search field and then press enter or select Go.
The search pane lists the names of all the online help pages that contain the word or words that you entered. Select a name from the list to display that help page.
Using the keyboard to navigate in the online help
You can use the keyboard shortcuts listed in Table 1 to display and find information in the online help.
Table 1: Online help navigation keys
Key
Alt+1
Alt+2
Alt+3
Alt+4
Alt+5
Alt+7
Alt+8
Alt+9
Function
Display the table of contents.
Display the index.
Display the Search tab.
Go to the previous page.
Go to the next page.
Send an email to Fortinet Technical Documentation at [email protected]. You can use this email address to let us know if you have a comment about or correction for the online help or any other
Fortinet technical documentation product.
Print the current online help page.
Add an entry for this online help page to your browser bookmarks or favorites list. Use this button to make it easier to find helpful online help pages.
The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged-in until the idle timeout (default 5 minutes) expires.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web-based manager Web-based manager pages
Web-based manager pages
1
The web-based manager interface consists of a menu and pages, many of which have multiple tabs. When you select a menu item, such as System, it expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab.
The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, like this:
Go to System > Network > Interface.
Figure 5: Parts of the web-based manager (shown for the FortiGate-50B)
Tabs
Page
Button bar
Menu
Web-based manager menu
The menu provides access to configuration options for all major features of the
FortiGate unit.
System
Router
Firewall
VPN
User
AntiVirus
Intrusion
Protection
Web Filter
Configure system facilities, such as network interfaces, virtual domains,
DHCP services, High Availability (HA), system time and set system options.
Configure FortiGate static and dynamic routing.
Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.
Configure IPSec, SSL, and PPTP virtual private networking.
Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as
RADIUS, LDAP, and Windows AD.
Configure antivirus protection.
Configure the FortiGate Intrusion Protection System (IPS).
Configure web filtering.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
37
Web-based manager pages
Lists
Web-based manager
AntiSpam
Configure email spam filtering.
IM, P2P & VoIP Configure monitoring and control of internet messaging, peer-to-peer messaging, and voice over IP (VoIP) traffic.
Log & Report
Configure logging, alert email, and FortiGuard Log and Analysis. View log messages and reports. Connect to a FortiAnalyzer to view log messages and reports. View log messages stored by FortiGuard Log and
Analysis.
Many of the web-based manager pages are lists. There are lists of network interfaces, firewall policies, administrators, users, and so on.
Figure 6: Example of a web-based manager list
38
Icons
Delete
Edit
The list shows some information about each item and the icons in the right-most column enable you to take action on the item. In this example, you can select
Delete to remove the item or select Edit to modify the item.
To add another item to the list, you select Create New. This opens a dialog box in which you define the new item. The dialog box for creating a new item is similar to the one for editing an existing item.
The web-based manager has icons in addition to buttons to enable you to interact with the system. There are tooltips to assist you in understanding the function of the icon. Pause the mouse pointer over the icon to view the tooltip.
describes the icons that are available in the web-based manager.
Table 2: web-based manager icons
Icon Name Description
Change
Password
Clear
Change the administrator password. This icon appears in the
Administrators list if your access profile enables you to give write permission to administrators.
Clear a log file.
Collapse
Column
Settings
Delete
Collapse this section to hide some fields. This icon is used in some dialog boxes and some lists.
Select the columns to display. This icon is used in Log Access and firewall Policy lists among others.
Delete an item. This icon appears in lists where the item can be deleted and you have write permission on the page.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web-based manager Web-based manager pages
Table 2: web-based manager icons (Continued)
Icon Name Description
Description The tooltip for this icon displays the Description field for this table entry.
Download or Backup
Download a log file or back up a configuration file.
Download Download a Certificate Signing Request.
Edit
Expand
Filter
Go
Edit a configuration. This icon appears in lists where you have write permission on the page.
Expand this section to reveal more fields. This icon is used in some dialog boxes and some lists.
Set a filter on one or more columns in this table. A dialog opens in which you can specify filters. The icon is green on columns where a filter is active, otherwise it is grey.
Do a search.
Insert Policy before
Create a new policy to precede the current one.
Move to Move item in list.
Next page View next page of list.
Previous page
Refresh
View previous page of list.
Update the information on this page.
Restore
View
Restore a configuration from a file.
View a configuration. This icon appears in lists instead of the
Edit icon when you do not have write permission on that page.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
39
Web-based manager pages Web-based manager
40
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status Status page
System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics.
Note: Your browser must support Javascript to view the System Status page.
The following topics are included in this section:
•
•
•
Changing the FortiGate firmware
•
•
Manually updating FortiGuard definitions
•
•
Status page
View the System Status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. FortiGate administrators whose access profiles permit read access to system configuration can view system status information.
When the FortiGate unit is part of an HA cluster, the Status page includes basic
HA cluster status information including the name of the cluster and the cluster members including their hostnames. To view more complete status information for the cluster, go to System > Config > HA. For more information, see
. HA is not available on FortiGate models 50A and 50AM.
FortiGate administrators whose access profiles permit write access to system configuration can change or update FortiGate unit information. For information on access profiles, see
“Access profiles” on page 148 .
Viewing system status
The System Status page displays by default when you log in to the web-based manager.
At any time, go to System > Status to view the System Status page.
To view this page, your access profile must permit read access to system configuration. If you also have system configuration write access, you can modify system information and update FortiGuard - AV and FortiGuard - IPS definitions.
For information on access profiles, see
“Access profiles” on page 148 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
41
Status page System Status
The System Status page is completely customizable. You can select which displays to show, where they are located on the page, and if they are minimized or maximized. Each display has an icon associated with it for easy recognition when minimized.
Figure 7: System Status page
42
Select Add Content to add any of the displays not currently shown on the System
Status page. Any displays current on the System Status page will be greyed out as you can only have one of each display on the System Status page. Optionally select Back to default to restore the historic System Status page configuration.
Position your mouse over a display’s titlebar to see your available options for that display. The options vary slightly from display to display.
Figure 8: A minimized display
Display title
Twistie arrow
Display Title
Twistie arrow
Refresh icon
Close icon
Refresh icon
Close icon
Shows the name of the display
Select to maximize or minimize the display.
Select to update the displayed information.
Select to close the display. You will be prompted to confirm the close.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status
System information
Figure 9: Example FortiGate-5001 System Information
Status page
Serial Number
Uptime
System Time
Host Name
The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
The time in days, hours, and minutes since the FortiGate unit was last started.
The current date and time according to the FortiGate unit internal clock.
Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. See
“Configuring system time” on page 49
.
The host name of the current FortiGate unit.
If the FortiGate unit is in HA mode, this field is not displayed.
Select Change to change the host name.
See “Changing the FortiGate unit host name” on page 50 .
Cluster Name
The name of the HA cluster for this FortiGate unit. See “HA” on page 119 .
The FortiGate unit must be operating in HA mode to display this field.
Cluster Members
The FortiGate units in the HA cluster. Information displayed about each member includes hostname, serial number, and if the unit is a primary (master) or subordinate (slave) unit in the cluster. See
.
The FortiGate unit must be operating in HA mode with virtual domains not enabled to display this field.
Virtual Cluster 1
Virtual Cluster 2
The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2.
.
The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields.
Firmware Version
The version of the firmware installed on the current FortiGate unit.
Select Update to change the firmware.
See “Upgrading to a new firmware version” on page 51 .
FortiClient Version The currently loaded version of FortiClient. Select Update to upload a new FortiClient software image to this FortiGate unit from your management computer.
This is available only on FortiGate models that provide a portal from which hosts can download FortiClient software.
Operation Mode
The operating mode of the current FortiGate unit. A FortiGate can operated in NAT mode or Transparent mode. Select change to switch between NAT and Transparent mode. See
“Changing operation mode” on page 141
If virtual domains are enabled, this field shows the operating mode of the current virtual domain. A virtual domain can be operating in either
NAT mode or Transparent mode.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
43
Status page System Status
Virtual Domain
Current
Administrators
The status of virtual domains on your FortiGate unit. Select enable or disable to change the status of virtual domains.
If you change the state of virtual domains, your session will be terminated and you will need to login. For more information see
“Using virtual domains” on page 61
.
The number of administrators currently logged into the FortiGate unit.
Select Details to view more information about each administrator that is logged. The additional information includes user name, type of connection, IP address they are connecting from, and when they logged in.
License Information
License information displays the status of your FortiGate support contract, and
FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically by connecting to the FortiGuard network.
FortiGuard subscriptions status indicators are green for OK, grey if the FortiGate unit cannot connect to the FortiGuard network, and yellow if the license has expired.
Selecting any of the Configure options will take you to the maintenance page. For more information, see
“System Maintenance” on page 157
.
Figure 10: Example License Information
44
Support Contract
The support contract number and expiry date.
If Not Registered is displayed, select Register to register the unit.
If Renew is visible, you need to renew your support contract.
Contact your local reseller.
FortiGuard Subscriptions
AntiVirus
AV Definitions
The FortiGuard Antivirus license version, issue date and service status. If your license has expired you can select
Renew two renew the license.
The current installed version of the FortiGuard Antivirus
Definitions. To update the definitions manually, select
Update. For more information, see
AV Definitions manually” on page 53 .
Intrusion Protection
The FortiGuard intrusion protection license version, issue date and service status. If your license has expired you can select Renew two renew the license.
IPS Definitions
The current installed version of the Intrusion Prevention
System (IPS) attack definitions. To update the definitions manually, select Update. For more information, see
“Updating the FortiGuard IPS Definitions manually” on page 53
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status
Web Filtering
Antispam
Log & Analysis
Virtual Domain
The FortiGuard Web Filtering license type, expiry date and service status. If your license has expired you can select
Renew two renew the license.
The FortiGuard Antispam license type, expiry date and service status. If your license has expired you can select
Renew two renew the license.
The FortiGuard Log & Analysis license type, expiry date and service status.
The number of virtual domains the unit supports.
For FortiGate models 3000 or higher, you can select the
Purchase More link to purchase a license key through
Fortinet Support to increase the maximum number of
VDOMs. See “License” on page 172
.
CLI Console
There are commands in FortiOS that are only accessible from the CLI. Generally to use the CLI you connect via telnet or SSH using a 3rd party program.
The System Status page includes a fully functional CLI console. To use the console, click on it and you are automatically logged in as the account you are currently using in the GUI. The CLI console default view cannot be resized or moved. You can cut & paste text from the CLI console.
Figure 11: CLI Console
Customize icon
Status page
The two controls on the CLI console window are the customize icon, and the
Detach control.
The Detach control moves the CLI console into its own window that is free to resize or be repositioned on your screen. The two controls on the detached CLI console are Customize and Attach. Customize has been explained. Attach simply puts the CLI console back in place on the System Status page.
The customize icon allows you to change the look of the console using fonts and colors for the text and background.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
45
Status page
Figure 12: Customize CLI Console window
System Status
46
Preview
Text
Background
See how your changes will appear on the CLI console.
Select this control, then choose a color from the color matrix to the right to change the color of the text in the CLI console.
Select this control, then choose a color from the color matrix to the right to change the color of the background in the CLI console.
Select to allow external input.
Use external command input box
Console buffer length Select the number of lines the console buffer keeps in memory.
Valid numbers are from 20 to 9999.
Font
Select a font from the list.
Size
Reset defaults
OK
Cancel
Select the size of the font. The default size is 10.
Select to return to the default settings, discarding any changes.
Select to save your changes and return to the CLI console.
Select to discard your change and return to the CLI console.
System Resources
Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon.
Figure 13: Example System Resources
History
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status
History icon
CPU Usage
Memory Usage
FortiAnalyzer Disk
Quota
View a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information see
“Viewing operational history” on page 52 .
The current CPU status displayed as a dial gauge and as a percentage.
The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for
HTTPS connections to the web-based manager) is excluded.
The current memory status displayed as a dial gauge and as a percentage.
The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
The current status of the FortiAnalyzer disk quota used for the
FortiGate unit displayed as a pie chart and a percentage.
This is available only if you have configured logging to a
FortiAnalyzer unit.
Interface Status
An illustration of the FortiGate unit front panel shows the status of the unit’s ethernet interfaces. If a network interface is shaded green, that interface is connected. Pause the mouse pointer over the interface to view the IP address, netmask and current status of the interface.
If you select Reboot or ShutDown a window will open allowing you to enter the reason for the system event. Your reason will be added to the Disk Event Log.
Disk logging will need to be enabled in the CLI. Event Logging and Admin Events
need to be enabled. For more information on Event Logging, see “Event log” on page 416
.
Figure 14: Example FortiGate-800 interface status (with no FortiAnalyzer)
Status page
INT / EXT / DMZ / HA /
1 / 2 / 3 / 4
The ports on the FortiGate unit. The names and number of these ports will vary with your unit.
The icon below the port name indicates its status by its color.
Green indicates the port is connected. Grey indicates there is no connection.
For more information about a port’s configuration position your mouse over the icon for that port. You will see the full name of the interface, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.
FortiAnalyzer
The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their connection. An
‘X’ on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication between the two units.
Select the FortiAnalyzer graphic to configure FortiAnalyzer logging
on your FortiGate unit. See “Log&Report” on page 407 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
47
Status page
48
System Status
Reboot
Shutdown
Reset
Select to shutdown and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.
Select to shutdown the FortiGate unit. You will be prompted for confirmation. You will be prompted to enter a reason for the shutdown that will be entered into the logs.
Select to reset the FortiGate unit to factory default settings. You will be prompted for confirmation.
Alert Message Console
Alert messages help you track changes to your FortiGate unit. The following types of messages can appear in the Alert Message Console:
Figure 15: Example Alert Message Console
System restart
Firmware upgraded by
<admin_name>
The system restarted. The restart could be due to operator action or power off/on cycling.
The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.
Firmware downgraded by
<admin_name>
Found a new FortiAnalyzer
Lost the connection to
FortiAnalyzer
The named administrator downgraded the firmware to an older version on either the active or non-active partition.
FortiGate has reached connection limit for <n> seconds
The antivirus engine was low on memory for the duration of time shown. Depending on model and configuration, content can be blocked or pass unscanned under these conditions.
Shows that the FortiGate unit has either found or lost
the connection to a FortiAnalyzer unit. See “Logging to a FortiAnalyzer unit” on page 409 .
Each message shows the date and time that it was posted. If there is insufficient space for all of the messages, select Show All to view the entire list in a new window.
To clear alert messages, select All and then select Clear Alert Messages at the top of the new window. This will delete all current alert messages from your FortiGate unit.
Statistics
The statistics section of the status page is designed to allow you to see at a glance what is happening on your FortiGate unit with regards to network traffic and protection.
You can quickly see the amount and type of traffic as well as any attack attempts on your system. To investigate an area that draws your attention, simply select
Details for a detailed list of the most recent activity.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status Changing system information
The information displayed in the statistics section is saved in log files that can be saved to a FortiAnalyzer unit, saved locally or backed up to an external source.
You can use this data to see trends in network activity or attacks over time and deal with it accordingly.
For detailed procedures involving the statistics list, see “Viewing Statistics” on page 54
.
Figure 16: Example Statistics
Reset
Since
Reset Icon
Sessions
Content Archive
Attack Log
The date and time when the counts were reset.
Counts are reset when the FortiGate unit reboots or when you select to the reset icon.
Reset the Archive and Attack Log counts to zero.
The number of communications sessions being processed by the
FortiGate unit. Select Details for detailed information. See
“Viewing the session list” on page 54
.
A summary of the HTTP, e-mail, FTP, and IM/P2P traffic that has passed through the FortiGate unit. The Details pages list the last 64 items of the selected type and provide links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to the
Log & Report > Log Config > Log Settings page.
A summary of viruses, attacks, spam email messages and URLs the unit has intercepted. The Details pages list the most recent 10 items, providing the time, source, destination and other information.
Changing system information
FortiGate administrators whose access profiles permit write access to system configuration can change the system time, host name and the operation mode for the VDOM.
Configuring system time
1
2
3
Go to System > Status.
In the System Information section, select Change on the System Time line.
Select the time zone and then either set the date and time manually or configure synchronization with an NTP server.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
49
Changing system information
Figure 17: Time Settings
System Status
50
System Time
Refresh
Time Zone
The current FortiGate system date and time.
Update the display of the current FortiGate system date and time.
Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes
Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time
Synchronize with
NTP Server
Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.
Server
Sync Interval
Enter the IP address or domain name of an NTP server. To find an
NTP server that you can use, see http://www.ntp.org.
Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.
Changing the FortiGate unit host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about SNMP, see
.
The default host name is the FortiGate unit serial number. For example
FGT8002805030003 would be a FortiGate-800 unit.
Administrators whose access profiles permit system configuration write access can change the FortiGate unit host name.
3
4
1
2
Note: If the FortiGate unit is part of an HA cluster, you should use a unique hostname to distinguish the unit from others in the cluster.
To change the FortiGate unit host name
Go to System > Status.
In the Host Name field of the System Information section, select Change.
In the New Name field, type a new host name.
Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt, and is added to the SNMP System Name.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status Changing the FortiGate firmware
Changing the FortiGate firmware
FortiGate administrators whose access profiles permit maintenance read and write access can change the FortiGate firmware.
Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure for the firmware change you want to perform:
•
Upgrading to a new firmware version
•
Reverting to a previous firmware version
Upgrading to a new firmware version
Use the following procedure to upgrade the FortiGate unit to a newer firmware version.
3
4
5
7
8
1
2
6
9
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure
“To update antivirus and attack definitions” on page 167 to
make sure that antivirus and attack definitions are up to date.
To upgrade the firmware using the web-based manager
Copy the firmware image file to your management computer.
Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
Go to System > Status.
In the System Information section, select Update on the Firmware Version line.
Type the path and filename of the firmware image file, or select Browse and locate the file.
Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, closes all sessions, restarts, and displays the FortiGate login. This process takes a few minutes.
Log into the web-based manager.
Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
Update antivirus and attack definitions. For information about updating antivirus
and attack definitions, see “FortiGuard Center” on page 161
.
Reverting to a previous firmware version
Use the following procedure to revert your FortiGate unit to a previous firmware version. This also reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up your FortiGate unit configuration to preserve this information. For information, see
“Backup and restore” on page 157 .
If you are reverting to a previous FortiOS™ version (for example, reverting from
FortiOS v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the backup configuration file.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
51
Viewing operational history System Status
1
2
3
4
5
6
7
8
9
10
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure
“To update antivirus and attack definitions” on page 167 to
make sure that antivirus and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager
Copy the firmware image file to the management computer.
Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
Go to System > Status.
In the System Information section, select Update on the Firmware Version line.
Type the path and filename of the firmware image file, or select Browse and locate the file.
Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
Log into the web-based manager.
Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
Restore your configuration.
For information about restoring your configuration, see
“Backup and restore” on page 157
.
Update antivirus and attack definitions.
Viewing operational history
1
2
The System Resource History page displays six graphs representing system resources and protection activity.
Go to System > Status.
Select History in the upper right corner of the System Resources section.
Time Interval
CPU Usage History
Memory Usage History
Session History
Network Utilization History
Virus History
Intrusion History
Select the time interval that the graphs show.
CPU usage for the preceding interval.
Memory usage for the preceding interval.
Number of sessions over the preceding interval.
Network utilization for the preceding interval.
Number of Viruses detected over the preceding interval.
Number of intrusion attempts detected over the preceding interval.
52
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status
Figure 18: Sample system resources history
Manually updating FortiGuard definitions
Manually updating FortiGuard definitions
You can update your FortiGuard - AV and FortiGuard - Intrusion Protection definitions at any time from the License Information section of the System Status page.
Note: For information about configuring the FortiGate unit for automatic AV and automatic
IPS (attack) definitions updates, see
“FortiGuard Center” on page 161 .
Updating the FortiGuard AV Definitions manually
1
2
3
4
5
6
1
2
Download the latest AV definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
Start the web-based manager and go to System > Status.
In the License Information section, in the AV Definitions field of the FortiGuard
Subscriptions, select Update.
The Anti-Virus Definitions Update dialog box appears.
In the Update File field, type the path and filename for the AV definitions update file, or select Browse and locate the AV definitions update file.
Select OK to copy the AV definitions update file to the FortiGate unit.
The FortiGate unit updates the AV definitions. This takes about 1 minute.
Go to System > Status to confirm that the FortiGuard - AV Definitions version information has updated.
Updating the FortiGuard IPS Definitions manually
Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
Start the web-based manager and go to System > Status.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
53
Viewing Statistics System Status
3
4
5
6
In the License Information section, in the IPS Definitions field of the FortiGuard
Subscriptions, select Update.
The Intrusion Prevention System Definitions Update dialog box appears.
In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
Go to System > Status to confirm that the IPS Definitions version information has updated.
Viewing Statistics
The System Status Statistics provide information about sessions, content archiving and network protection activity.
Viewing the session list
The session list displays information about the current communications sessions on the FortiGate unit.
1
2
To view the session list
Go to System > Status.
In the Statistics section, select Details on the Sessions line.
Figure 19: Session list
54
Virtual Domain
Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains.
This is only available if multiple virtual domains are enabled.
Refresh
Update the session list.
Page up
Page down
View previous page in the session list.
View the next page in the session list.
Line
Enter the line number of the session to start the displayed session list.
For example if there are 5 sessions and you enter 3, only the sessions numbered 3, 4 and 5 will be displayed.
The number following the ‘/’ is the number of active sessions on the
FortiGate unit.
Clear All Filters
Select to reset any display filters that may have been set.
Filter Icon
The icon at the top of all columns except #, and Expiry. When selected it brings up the Edit Filter dialog allowing you to set the display filters by column.
Protocol
The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address The source IP address of the connection.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status Viewing Statistics
Source Port
Destination
Address
The source port of the connection.
The destination IP address of the connection.
Destination Port The destination port of the connection.
Policy ID
The number of the firewall policy allowing this session or blank if the session involves only one FortiGate interface (admin session, for example).
Expiry (sec)
Delete icon
The time, in seconds, before the connection expires.
Stop an active communication session. Your access profile must include read and write access to System Configuration.
Viewing the Content Archive information
From the Statistics section of the System Status page, you can view statistics about HTTP, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information.
You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.
1
2
Viewing archived HTTP content information
Go to System > Status.
In the Content Archive section, select Details for HTTP.
1
2
Date and Time
From
URL
The time when the URL was accessed.
The IP address from which the URL was accessed.
The URL that was accessed.
Viewing archived Email content information
Go to System > Status.
In the Content Archive section, select Details for Email.
Date and Time
From
To
Subject
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
The time that the email passed through the FortiGate unit.
The sender’s email address.
The recipient’s email address.
The subject line of the email.
55
Viewing Statistics
1
2
Viewing archived FTP content information
Go to System > Status.
In the Content Archive section, select Details for FTP.
System Status
56
1
2
Date and Time
Destination
User
Downloads
Uploads
The time of access.
The IP address of the FTP server that was accessed.
The User ID that logged into the FTP server.
The names of files that were downloaded.
The names of files that were uploaded.
Viewing archived IM content information
Go to System > Status.
In the Content Archive section, select Details for IM.
Date / Time
Protocol
Kind
Local
Remote
Direction
The time of access.
The protocol used in this IM session.
The kind of IM traffic this transaction is.
The local address for this transaction.
The remote address for this transaction
If the file was sent or received.
Viewing the Attack Log
From the Statistics section of the System Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can select the
Details link beside each attack type to view more information.
You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.
1
2
Viewing viruses caught
Go to System > Status.
In the Attack Log section, select Details for AV.
Date and Time
From
The time when the virus was detected.
The sender’s email address or IP address.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status
1
2
To
Service
Virus
The intended recipient’s email address or IP address.
The service type, such as POP or HTTP.
The name of the virus that was detected.
Viewing attacks blocked
Go to System > Status.
In the Attack Log section, select Details for IPS.
Date and Time
From
To
Service
Attack
The time that the attack was detected.
The source of the attack.
The target host of the attack.
The service type.
The type of attack that was detected and prevented.
1
2
Viewing spam email detected
Go to System > Status.
In the Attack Log section, select Details for Spam.
Date and Time
From->To IP
The time that the spam was detected.
The sender and intended recipient IP addresses.
From->To Email Accounts
The sender and intended recipient email addresses.
Service
The service type, such as SMTP, POP or IMAP.
SPAM Type
The type of spam that was detected.
1
2
Viewing URLs blocked
Go to System > Status.
In the Attack Log section, select Details for Web.
Date and Time
From
URL Blocked
The time that the attempt to access the URL was detected.
The host that attempted to view the URL.
The URL that was blocked.
Viewing Statistics
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
57
Topology viewer System Status
Topology viewer
The Topology viewer provides a way to diagram and document the networks connected to your FortiGate unit. It is available on all FortiGate units except models numbered 50 and 60.
The Topology Viewer window
The Topology window consists of a large “canvas” upon which you can draw a network topology diagram for your FortiGate installation.
Figure 20: Topology viewer
View/edit controls
Text object
Subnet object
58
Main viewport
Viewport control
Main viewport and viewport control
The main viewport is a portion of the total drawing area. It corresponds to the dark rectangle in the viewport control. You can drag the main viewport rectangle within the viewport control to determine which part of the drawing area the main viewport displays. The “+” and “-” buttons in the viewport control have the same function as the Zoom in and Zoom out edit controls.
The FortiGate unit is a permanent part of the topology diagram. You can move it, but not delete it.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Status Topology viewer
View and edit controls
The toolbar at the top left of the Topology page shows controls for viewing and editing topology diagrams.
Table 3: View/Edit controls for Topology Viewer
Refresh the displayed diagram.
Zoom in. Select to show a smaller portion of the drawing area in the main viewport, making objects appear larger.
Zoom out. Select to show a larger portion of the drawing area in the main viewport, making objects appear smaller.
Edit. Select this button to begin editing the diagram.
The toolbar expands to show the editing controls described below:
Save any changes made to the diagram. You need to save changes before you switch to any other page in the web-based manager.
Add a subnet object to the diagram. The subnet object is based on the firewall address you select. The object has the name of the firewall address and is connected by a line to the interface associated with that address.
You can also create a new firewall address using this control, but it must be associated with a specific interface. For more information
about firewall addresses, see “Firewall Address” on page 235
.
Insert Text. Select this control and then click on the diagram where you want to place the text object. Type the text and then click outside the text box.
Delete. Select the object to delete and then select this control or press the Delete key.
Customize. Select to change the colors and the thickness of lines
used in the drawing. See “Customizing the topology diagram” on page 60 .
Drag. Select this control and then drag objects in the diagram to arrange them as needed.
Scroll. Select this control and then drag the drawing background to move the main viewport within the drawing area. This has the same effect as moving the main viewport rectangle in the viewport control.
Select. Select this control and then drag the mouse pointer to create a selection rectangle. Objects in the rectangle are selected when you release the mouse button.
Exit. Select this button to finish editing the diagram.
The toolbar contracts to show only the Refresh and Zoom controls.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
59
System Status
Customizing the topology diagram
Select the Customize button to open the Topology Customization window. Modify the settings as needed and select OK when you are finished.
Figure 21: Topology Customization window
60
Preview
Canvas Size
Resize to Image
Background
Background Color
Image path
Exterior Color
Line Color
Line Width
Reset to Default
A simulated topology diagram showing the effect of the selected appearance options.
The size of the drawing in pixels.
If you selected an image as Background, resize the diagram to fit within the image.
One of:
Solid - a solid color selected in Background Color
U.S. Map - a map of the United States.
World Map - a map of the world.
Upload My Image - upload the image from Image Path.
Select the color of the diagram background.
If you selected Upload My Image for Background, enter the path to you image, or use the Browse button to find it.
Select the color of the border region outside your diagram.
Select the color of connecting lines between subnet objects and interfaces.
Select the thickness of connecting lines.
Reset all settings to default.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Using virtual domains Virtual domains
Using virtual domains
This section describes how to use virtual domains to operate your FortiGate unit as multiple virtual units, providing separate firewall and routing services to multiple networks.
The following topics are included in this section:
•
•
•
Configuring VDOMs and global settings
Virtual domains
Virtual domains (VDOMs) enable a FortiGate unit to function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations or be the basis for a service provider’s managed security service.
VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because you do not
To configure and use VDOMs, you must enable virtual domain configuration. See
When you create and configure a VDOM, you must assign interfaces or VLAN subinterfaces to it. Optionally, you can assign an administrator account that can log in only to that VDOM. If the VDOM is created to serve an organization, this enables the organization to manage its configuration independently.The operating mode, NAT/Route or Transparent, is independently selectable for each VDOM.
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create firewall policies for connections between VLAN subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs a packet must pass through a firewall on a physical interface.
The packet then arrives at another VDOM on a different interface where it must pass through another firewall before entering. Both VDOMs are on the same
FortiGate unit.The one exception is if you configure inter-VDOM routing using CLI commands.
The remainder of FortiGate functionality is global. It applies to all VDOMs. This means that there is one intrusion prevention configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on. As well, VDOMs share firmware versions, antivirus and attack
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
61
Virtual domains
62
Using virtual domains
By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250. For more information see
If virtual domain configuration is enabled and you log in as the default super admin, you can go to System > Status and look at Virtual Domain in the License
Information section to see the maximum number of virtual domains supported on your FortiGate unit.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.
Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-based time setting use addresses and routing in the management
VDOM to communicate with the network. They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but can be changed. For more
information see “Changing the Management VDOM” on page 67
Once you add a VDOM you can configure it by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see
.
For more information on VDOMs, see the
FortiGate VLANs and VDOMs Guide
.
VDOM configuration settings
The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains. A regular administrator for the VDOM sees only these settings. The default super admin can also access these settings, but must first select which VDOM to configure.
• System settings
• Zones
• DHCP services
• Operation mode (NAT/Route or Transparent)
• Management IP (Transparent mode)
• Router configuration
• Firewall settings
• Policies
• Addresses
• Service groups and custom services
• Schedules
• Virtual IPs
• IP pools
• VPN configuration
• IPSec
• PPTP
• SSL
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Using virtual domains Virtual domains
• User settings
• Users
• User groups
• RADIUS and LDAP servers
• Microsoft Windows Active Directory servers
• P2P Statistics (view/reset)
• Logging configuration, log access and log reports
Global configuration settings
The following configuration settings affect all virtual domains. When virtual domains are enabled, only the default super admin can access global settings.
• System settings
• Physical interfaces and VLAN subinterfaces
(Each physical interface or VLAN subinterface belongs to only one VDOM.
Each VDOM can use or configure only its own interfaces.)
• DNS settings
• Host name, System time, Firmware version (on System Status page)
• Idle and authentication timeout
• Web-based manager language
• LCD panel PIN, where applicable
• Dead gateway detection
• HA configuration
• SNMP configuration
• Replacement messages
• Administrators
(Each administrator belongs to only one VDOM. Each VDOM can configure only its own administrators.)
• Access profiles
• FortiManager configuration
• Configuration backup and restore
• FDN update configuration
• Bug reporting
• Firewall
• Predefined services
• Protection Profiles
• VPN certificates
• Antivirus configuration
• Intrusion Prevention configuration
• Web filter configuration
• Antispam configuration
• IM configuration
• Statistics
• User lists and policies
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
63
Enabling VDOMs Using virtual domains
Enabling VDOMs
Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit.
1
2
3
To enable virtual domains
Log in to the web-based manager as admin.
Go to System > Status.
In System Information, next to Virtual Domain select Enable.
The FortiGate unit logs you off. You can now log in again as admin.
When virtual domains are enabled, the web-based manager and the CLI are changed as follows:
• Global and per-VDOM configurations are separated.
• A new VDOM entry appears under System.
• Only the admin account can view or configure global options.
• The admin account can configure all VDOM configurations.
• The admin account can connect through any interface in the root VDOM or though any interface that belongs to a VDOM for which a regular administrator account has been assigned.
• A regular administrator account can configure only the VDOM to which it is assigned and can access the FortiGate unit only through an interface that belongs to that VDOM.
When virtual domains are enabled, you can see what the current virtual domain is by looking at the bottom left of the screen. It will say Current VDOM: followed by the name of the virtual domain.
Configuring VDOMs and global settings
When Virtual Domains are enabled, only the default super admin account can:
• configure global settings
• create or delete VDOMs
• configure multiple VDOMs
• assign interfaces to a VDOM
• assign an administrator to a VDOM
A VDOM is not useful unless it contains at least two physical interfaces or virtual subinterfaces for incoming and outgoing traffic. Only the super admin can assign interfaces or subinterfaces to VDOMs. A regular administrator account can create a VLAN subinterface on a physical interface within their own VDOM.
Only the super admin can configure a VDOM unless you create and assign a regular administrator to that VDOM. Only the super admin can assign an administrator to a VDOM. An administrator account whose access profile provides read and write access to Admin Users can create additional administrators in its own VDOM.
64
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Using virtual domains Configuring VDOMs and global settings
Working with VDOMs and global settings
When you log in as admin and virtual domains are enabled you are automatically in global configuration, as demonstrated by the VDOM option under System.
Select System > VDOM to work with virtual domains.
Figure 22: VDOM list
Create New
Management
Delete
Switch
Name
Operation Mode
Interfaces
Management Virtual
Domain
Select to add a new VDOM. Enter the new VDOM name and select OK.
The VDOM must not have the same name as an existing VDOM,
VLAN or zone. The VDOM name can be a maximum of 11 characters long without spaces.
Change the management VDOM to the selected VDOM. The management VDOM is indicated in brackets. The default management VDOM is root.
If more than one VDOM is selected when Set Management is selected, the VDOM appearing first in the table will be assigned as the management VDOM. For more information see
“Changing the Management VDOM” on page 67
.
Delete the selected VDOM.
You cannot delete the root VDOM.
Select to enter that VDOM.
You can see which VDOM you are currently in by looking at the left side of the screen at the bottom where the name of the VDOM is displayed. The global settings screen does not have any
VDOM name in this location.
The name of the VDOM.
The VDOM operation mode, either NAT or Transparent.
The interfaces associated with this VDOM, including virtual interfaces.
Indicates which VDOM is the management domain. All nonmanagement domains are indicated with a “no”.
Adding interfaces to a VDOM
A VDOM must contain at least two interfaces. These can be physical or virtual interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root virtual domain.
As of FortiOS v3.0 MR1, inter-VDOM routing enables you to communicate between VDOMs internally without using a physical interface. This feature is only configurable with the CLI. For information on configuring inter-VDOM interfaces, see the
FortiGate CLI Reference
and the
FortiGate VLANs and VDOMs Guide
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
65
Configuring VDOMs and global settings Using virtual domains
VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super admin must first create the VDOM, then create the
VLAN subinterface, and assign it to the required VDOM.
System > Network > Interfaces is only in global settings, and is not available
within any VDOM. For information on creating VLAN subinterfaces, see “Adding
VLAN subinterfaces” on page 98
.
Assigning an interface to a VDOM
The following procedure describes how to reassign an existing interface from one virtual domain to another. It assumes VDOMs are enabled and more than one
VDOM exists.
You cannot delete a VDOM if it is used in any configurations, such as having an interface in that VDOM. You cannot remove an interface from a VDOM if the interface is included in of any of the following configurations:
• DHCP server
• zone
• routing
• firewall policy
• IP pool
• proxy arp (only accessible through the CLI)
Delete these items or modify them to remove the interface before proceeding.
Note: An interface or subinterface is available for reassigning or removing once the delete icon is displayed. Until then, the interface is used in a configuration somewhere.
1
2
3
4
5
To assign an interface to a VDOM
Log in as admin.
Go to System > Network > Interface.
Select Edit for the interface that you want to reassign.
Select the new Virtual Domain for the interface.
Configure other settings as required and select OK. For more information on the other interfaces settings see
“Interface settings” on page 72 .
The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP addresses for this interface are deleted. You should manually delete any routes that include this interface, and create new routes for this interface in the new
VDOM. Otherwise your network traffic will not be properly routed.
Assigning an administrator to a VDOM
If you are creating a VDOM to serve an organization that will be administering its own resources, you need to create an administrator account for that VDOM.
A VDOM admin can change configuration settings within that VDOM but cannot make changes that affect other VDOMs on the FortiGate unit.
66
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Using virtual domains Configuring VDOMs and global settings
1
2
3
4
A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super admin can connect to the web-based manager or CLI through any interface on the FortiGate unit that permits management access. Only the super admin or a regular administrator of the root domain can log in by connecting to the console interface.
To assign an administrator to a VDOM
Log in as the super admin.
Virtual domains must be enabled.
Go to System > Admin >Administrators.
Create and/or configure the new administrator account as required.
For detailed information about configuring an administrator account, see
“Configuring an administrator account” on page 146
.
While configuring this admin account, select the VDOM this administrator manages from the Virtual Domain list.
Select Apply.
5
Changing the Management VDOM
The management VDOM on your FortiGate unit is where some default types of traffic originate. These types of traffic include:
• SNMP
• logging
• alert email
• FDN-based updates
• NTP-based time setting
Before you change the management VDOM, ensure virtual domains are enabled.
Only one VDOM can be the management VDOM at any given time. If you accidently select more than one VDOM when setting the management VDOM, the
VDOM closest to the top of the list will become the management VDOM.
1
2
3
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.
To change the management VDOM
Go to System > VDOM.
Select the VDOM that will be the new management VDOM.
Select Management to apply the changes.
Management traffic will now originate from the new management VDOM.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
67
Configuring VDOMs and global settings Using virtual domains
68
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
System Network
This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration.
The following topics are included in this section:
•
•
•
•
Routing table (Transparent Mode)
•
Configuring the modem interface
•
•
•
•
Note: Where you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.
Interface
In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces. You can
• modify the configuration of a physical interface
• add and configure VLAN subinterfaces
• configure an ADSL interface
• aggregate several physical interfaces into an IEEE 802.3ad interface (models
800 and higher only)
• combine physical interfaces into a redundant interface
• add wireless interfaces (WiFi-60A and WiFi-60AM models only)
Note: Unless stated otherwise, in this section the term interface can refer to a physical
FortiGate interface or to a FortiGate VLAN subinterface.
For information about VLANs, see
“FortiGate units and VLANs” on page 96
.
Interface
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
69
Interface
Figure 23: Interface list - regular administrator view
System Network
Figure 24: Interface list - admin view with virtual domains enabled
Create New
Switch Mode
Select Create New to create a VLAN subinterface.
On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface.
Select to change between switch mode and interface mode. Switch mode has the internal ports all on one interface. Interface mode gives each port its own configurable interface.
Before switching modes, all references to ‘internal’ interfaces must be removed.
This option is visible only on models 100A and 200A for Rev2.0 and higher. For more information see
show backplane interfaces
Select to make the two backplane interfaces visible as port9 and port10.
Once visible these interfaces can be treated as regular physical interfaces.
This option is available only on 5000 models.
Description icon The tooltip for this icon displays the Description field for this interface.
70
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
Name
IP/Netmask
Access
The names of the physical interfaces on your FortiGate unit.
The name and number of a physical interface depends on the model.
Some names indicate the default function of the interface such as
Internal, External and DMZ. Other names are generic such as port1.
FortiGate models numbered 50 and 60 provide a modem interface. See
“Configuring the modem interface” on page 91 .
The oob/ha interface is the FortiGate model 4000 out of band management interface. You can connect to this interface to manage the
FortiGate unit. This interface is also available as an HA heartbeat interface.
On FortiGate 60ADSL units, you can configure the ADSL interface. See
“Configuring an ADSL interface” on page 74
.
On FortiGate models 800 and higher, if you combine several interfaces into an aggregate interface, only the aggregate interface is listed, not the component interfaces. The same is true for redundant interfaces.
See “Creating an 802.3ad aggregate interface” on page 75
or “Creating a redundant interface” on page 76
.
If you have added VLAN subinterfaces, they also appear in the name list, below the physical or aggregated interface to which they have been
added. See “VLAN overview” on page 96
.
If virtual domain configuration is enabled, you can view information only for the interfaces that are in your own virtual domain, unless you are the super admin.
If you have Interface Mode enabled on a FortiGate model 100A or 200A
Rev2.0 or higher you will see multiple internal interfaces.
The current IP address/netmask of the interface.
The administrative access configuration for the interface.
See “Additional configuration for interfaces” on page 83 .
Virtual Domain
The virtual domain to which the interface belongs. This column is visible only to the super admin and only when virtual domain configuration is enabled.
Status
The administrative status for the interface.
If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up.
Delete, edit, and view icons
Delete, edit, or view an entry.
Switch Mode
The internal interface on 100A and 200A FortiGate models is a four port switch.
Normally the internal interface is configured as one interface shared by all four ports. Switch mode allows you to configure each interface on the switch separately with their own interfaces.
Switch mode has two states - switch mode and interface mode. Switch mode is the default mode with only one interface for the entire switch. Interface mode allows you to configure each of the internal interfaces separately. This allows you to assign different subnets and netmasks to each of the internal interfaces.
Switch mode is only available on 100A and 200A models of Rev2.0 and higher.
Selecting the Switch Mode control on the System > Network > Interface screen takes you to the Switch Mode Management screen.
!
Caution: Before you are able to switch between Switch Mode and Interface Mode all references to ‘internal’ interfaces must be removed. This includes references such as firewall policies, VDOM interface assignments, VLANS, and routing.
Interface
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
71
Interface System Network
Figure 25: Switch Mode Management
Switch Mode
Interface Mode
OK
Cancel
Select Switch Mode. Only one internal interface is displayed. This is the default mode.
Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces.
Select to save your changes and return to the Interface screen.
Select to discard your changes and return to the Interface screen.
Interface settings
Go to System > Network > Interface. Select Create New to create a new interface. To edit an existing interface, select the Edit icon for that interface.
You cannot create a virtual IPSec interface here, but you can specify its endpoint addresses, enable administrative access and provide a description. For more information, see
“Configuring a virtual IPSec interface” on page 82 .
Figure 26: Create New Interface settings
Figure 27: Edit Interface settings
72
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Interface
Name
Type
Enter a name for the interface.
You cannot change the name of an existing interface.
On models 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces.
On models WiFi-60A and WiFi-60AM, you can create wireless interfaces and VLAN subinterfaces.
On the 60ADSL model, you can configure an ADSL interface.
Other models support creation of VLAN interfaces only and have no
Type field.
To configure an ADSL interface, see “Configuring an ADSL interface” on page 74 .
To create a VLAN subinterface, see
“FortiGate units and VLANs” on page 96 .
To create an aggregate interface, see “Creating an 802.3ad aggregate interface” on page 75
.
To create a redundant interface, see
“Creating a redundant interface” on page 76 .
To create a wireless interface, see
“Creating a wireless interface” on page 77 .
You cannot change the type of an existing interface.
Interface
Physical
Interface
Members
Select the name of the physical interface on which to create the VLAN.
Once created, the VLAN subinterface is listed below its physical interface in the Interface list.
You cannot change the interface of an existing VLAN subinterface.
This field is only displayed when Type is set to VLAN.
Move the interfaces to be included in the 802.3ad aggregate or
Redundant interface from the Available interfaces list to the Selected interfaces list.
This field is only displayed when Type is set to either 802.3ad aggregate or Redundant interface.
VLAN ID
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface.
The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch
connected to the VLAN subinterface. See “VLAN overview” on page 96
.
This field is only displayed when Type is set to VLAN.
Virtual Domain Select the virtual domain to which this VLAN subinterface belongs.
This is available to the super admin account when virtual domain configuration is enabled. See
“Using virtual domains” on page 61 .
Addressing mode
To configure a static IP address for the interface, select Manual.
You can also configure the interface for dynamic IP address assignment.
See
“Configuring DHCP on an interface” on page 78 or
“Configuring an interface for PPPoE or PPPoA” on page 80 .
IP/Netmask
DDNS
Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects.
Two interfaces cannot have IP addresses on the same subnet.
This field is only available when Manual addressing mode is selected.
Select DDNS to configure a Dynamic DNS service for this interface.
Additional fields are displayed. See
“Configuring Dynamic DNS service for an interface” on page 81 .
Ping Server
Administrative
Access
HTTPS
To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. See
“Dead gateway detection” on page 89 .
Select the types of administrative access permitted on this interface.
Allow secure HTTPS connections to the web-based manager through this interface.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
73
Interface System Network
MTU
Log
PING
HTTP
SSH
SNMP
TELNET
Secondary IP
Address
Description
Interface responds to pings. Use this setting to verify your installation and for testing.
Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
Allow SSH connections to the CLI through this interface.
Allow a remote SNMP manager to request SNMP information by connecting to this interface. See
“Configuring SNMP” on page 127 .
Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface
•
68 to 1 500 bytes for static mode
•
576 to 1 500 bytes for DHCP mode
•
576 to 1 492 bytes for PPPoE mode
•
up to 16 110 bytes for jumbo frames (FortiGate models numbered
3000 and higher)
This field is available only on physical interfaces. VLANs inherit the parent interface MTU size by default.
For more information on MTU and jumbo frames, see “Interface MTU packet size” on page 84 .
Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log&Report > Log
Config to configure logging locations and types. For information about logging see
.
Select the blue arrow to expand or hide this section and add additional
IP addresses to this interface. See “Secondary IP Addresses” on page 85 .
Optionally, enter a description up to 63 characters long.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
Configuring an ADSL interface
The information that you need to provide for the ADSL interface depends on the addressing mode your ISP requires you to use. Static addressing using IPOA or
EOA requires only an IP address and netmask. If you are using dynamic addressing, you need to configure it as described in
“Configuring DHCP on an interface” on page 78
or “Configuring an interface for PPPoE or PPPoA” on page 80 .
To configure an ADSL interface, your FortiGate unit cannot be in Transparent mode.
Go to System > Network > Interface. Select Create New or select the Edit icon of an existing interface. In the Addressing mode section, select IPoA or EoA.
74
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Interface
Figure 28: Settings for an ADSL interface
Address mode
IPOA
EOA
DHCP
PPPoE
PPPoA
Gateway
Connect to Server
Select the addressing mode that your ISP specifies.
IP over ATM. Enter the IP address and netmask that your
ISP provides.
Ethernet over ATM, also known as Bridged mode. Enter the IP address and netmask that your ISP provides.
“Configuring DHCP on an interface” on page 78 .
“Configuring an interface for PPPoE or PPPoA” on page 80
.
“Configuring an interface for PPPoE or PPPoA” on page 80
.
Enter the default gateway.
Enable Connect to Server so that the interface automatically attempts to connect. Disable this option if you are configuring the interface offline.
Virtual Circuit Identification Enter the VPI and VCI values your ISP provides.
MUX Type
Select the MUX type: LLC Encap or VC Encap.
Your ISP must provide this information.
Creating an 802.3ad aggregate interface
You can aggregate (combine) two or more physical interfaces to increase bandwidth and provide some link redundancy. This has the benefit of higher bandwidth but has more potential points of failure than redundant interfaces. The interfaces must connect to the same next-hop routing destination.
FortiGate firmware on models 800 and higher implements
IEEE standard 802.3ad
for link aggregation.
An interface is available for aggregation only if
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the aggregated interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate 5000 series backplane interfaces
When an interface is included in an aggregate interface, it is not listed on the
System > Network > Interface page. It is no longer individually configurable and is not available for inclusion in firewall policies, VIPs, IP pools or routing.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
75
Interface
Figure 29: Settings for an 802.3ad aggregate interface
System Network
76
1
2
3
4
5
6
7
8
To create an 802.3ad Aggregate interface
Go to System > Network > Interface.
Select Create New.
In the Name field, enter a name for the aggregated interface.
The interface name must not be the same as any other interface, zone or VDOM.
From the Type list, select 802.3ad Aggregate.
One at a time, in the Available Interfaces list, select each interface that you want to include in the aggregate interface and then select the right arrow button to move it to the Selected Interfaces list.
If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
•
“Configuring DHCP on an interface” on page 78
•
“Configuring an interface for PPPoE or PPPoA” on page 80
Configure other interface options as required.
Select OK.
Creating a redundant interface
You can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.
Redundant links differ from link aggregation in that traffic is only going over one interface at any time (no matter how many are in the redundant link), but redundant interfaces allow for more robust configurations with fewer possible points of failure. This is important in a fully meshed HA configuration.
FortiGate firmware on models 800 and higher implements redundant interfaces.
An interface is available to be in a redundant interface only if
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the redundant interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not monitored by HA
When an interface is included in a redundant interface, it is not listed on the
System > Network > Interface page. It is no longer individually configurable and is not available for inclusion in firewall policies, VIPs, IP pools or routing.
Figure 30: Settings for a redundant interface
Interface
1
2
3
4
5
6
7
8
To create a redundant interface
Go to System > Network > Interface.
Select Create New.
In the Name field, enter a name for the redundant interface.
The interface name must not be the same as any other interface, zone or VDOM.
From the Type list, select Redundant Interface
One at a time, in the Available Interfaces list, select each physical interface that you want to include in the redundant interface and then select the right arrow button to move it to the Selected Interfaces list. The interfaces you add will be used in the order they appear in the Selected Interfaces list. For example if the first interface in the list fails, the second interface is used.
If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
•
“Configuring DHCP on an interface” on page 78
•
“Configuring an interface for PPPoE or PPPoA” on page 80
Configure other interface options as required.
Select OK.
Creating a wireless interface
1
2
3
4
On FortiWiFi-60A and FortiWiFi-60AM models, you can create wireless WLAN interfaces. (To create a wireless interface on a FortiWiFi-60 unit, see
“System wireless settings (FortiWiFi-60)” on page 107
.)
Go to System > Network > Interface.
Select Create New.
In the Name field, enter a name for the wireless interface.
The interface name must not be the same as any other interface, zone or VDOM.
From the Type list, select Wireless.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
77
Interface
5
In the Wireless Settings section, enter the following information:
Figure 31: Wireless interface settings
System Network
78
SSID
SSID Broadcast
Security Mode
Key
Pre-shared Key
RADIUS Server Name
Data Encryption
RTS Threshold
Fragmentation Threshold
Enter the wireless network name that the FortiWiFi-60 unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
Select if you want the unit to broadcast its SSID. (Access
Point mode only)
To use WEP, select WEP64 or WEP128. To use WPA
(available in Access Point mode only), select WPA Preshared Key or WPA_Radius. Users of the FortiWiFi-60 wireless network must configure their computers with the same settings.
For a 64-bit WEP key, enter 10 hexadecimal digits (0-9 af). For a 128-bit WEP key, enter 26 hexadecimal digits (0-9 a-f). Users of the wireless network must configure their computers with the same key.
For WPA Pre-shared Key security mode, enter the preshared key. Users of the wireless network should configure their computers with the same key.
For WPA Radius security mode, choose the Radius server name from the list. The Radius server must be configured
in User > Radius. For more information, see “RADIUS servers” on page 322
.
This applies to WPA mode. Select either TKIP or AES
(WPA2) data encryption.
The Request to Send (RTS) threshold sets the time the unit waits for Clear to Send (CTS) acknowledgement from another wireless device.
Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference.
Configure other interface options as required.
Select OK.
6
7
Configuring DHCP on an interface
If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and optionally DNS server addresses and default gateway address that the DHCP server provides.
Go to System > Network > Interface. Select Create New or select the Edit icon of an existing interface. In the Addressing mode section, select DHCP.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
Figure 32: Interface DHCP settings
Interface
Figure 33: ADSL interface DHCP settings
Status
Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message.
This is only displayed if you selected Edit.
Status can be one of:
•
initializing - No activity.
•
connecting - The interface is attempting to connect to the
DHCP server.
•
connected - The interface retrieves an IP address, netmask, and other settings from the DHCP server.
Obtained
IP/Netmask
Renew
•
failed - The interface was unable to retrieve an IP address and other information from the DHCP server.
The IP address and netmask leased from the DHCP server.
This is only displayed if Status is connected.
Select to renew the DHCP license for this interface.
This is only displayed if Status is connected.
Expiry Date
The time and date when the leased IP address and netmask is no longer valid.
This is only displayed if Status is connected.
Default
Gateway
Distance
Retrieve default gateway from server
The IP address of the gateway defined by the DHCP server.
This is only displayed if Status is connected, and if Receive default gateway from server is selected,.
Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Enable Retrieve default gateway from server to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
79
Interface System Network
Override internal DNS Enable Override internal DNS to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page.
On models numbered 100 and lower, you should also enable
Obtain DNS server address automatically in System > Network >
Options. See “DNS Servers” on page 89
.
Connect to server
Enable Connect to Server so that the interface automatically attempts to connect to a DHCP server. Disable this option if you are configuring the interface offline.
Configuring an interface for PPPoE or PPPoA
If you configure the interface to use PPPoE
or PPPoA
, the FortiGate unit automatically broadcasts a PPPoE
or PPPoA request. You can disable Connect to
Server if you are configuring the FortiGate unit offline and you do not want the
FortiGate unit to send the PPPoE
or PPPoA request.
FortiGate units support many of the PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate
(PADT).
PPPoA is only available on FortiGate models that support ADSL.
Go to System > Network > Interface. Select Create New or select the Edit icon of an existing interface. In the Addressing mode section, select PPPoE
or PPPoA
.
Figure 34: Interface PPPoE settings
Figure 35: ADSL interface PPPoE or PPPoA settings
80
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Interface
Status
Displays PPPoE or PPPoA status messages as the FortiGate unit connects to the PPPoE or PPPoA server and gets addressing information. Select Status to refresh the addressing mode status message.
This is only displayed if you selected Edit.
Status can be one of the following 4 messages.
initializing
No activity.
connecting The interface is attempting to connect to the PPPoE or PPPoA server.
connected
The interface retrieves an IP address, netmask, and other settings from the PPPoE server.
When the status is connected, PPPoE or PPPoA connection information is displayed.
failed
The interface was unable to retrieve an IP address and other information from the PPPoE or PPPoA server.
Reconnect Select to reconnect to the PPPoE or PPPoA server.
This is only displayed if Status is connected.
User Name
The PPPoE or PPPoA account user name.
Password
Initial Disc
Timeout
The PPPoE or PPPoA account password.
Unnumbered IP
Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.
Initial discovery timeout. The time to wait before starting to retry a
PPPoE or PPPoA discovery. Set Initial Disc Timeout to 0 to disable.
Initial PADT timeout
Distance
Retrieve default gateway from server
Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds.
Use this timeout to shut down the PPPoE or PPPoA session if it is idle for this number of seconds. PADT must be supported by your ISP. Set initial PADT timeout to 0 to disable.
Enter the administrative distance for the default gateway retrieved from the PPPoE or PPPoA server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Enable Retrieve default gateway from server to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.
Override internal
DNS
Enable Override internal DNS to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the
PPPoE or PPPoA server.
Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE or PPPoA server when you select OK or Apply.
Disable this option if you are configuring the interface offline.
Configuring Dynamic DNS service for an interface
When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a DDNS service to update Internet DNS servers when the
IP address for the domain changes.
Dynamic DNS is available only in NAT/Route mode.
Go to System > Network > Interface. Select Create New or select the Edit icon of an existing interface. Enable DDNS, just below the Addressing mode section, and configure the DDNS service using the information they have provided to you.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
81
Interface System Network
If at any time your Fortigate unit cannot contact the DDNS server, it will retry three times at one minute intervals and then change to retrying at three minute intervals.
This is to prevent flooding the DDNS server.
Figure 36: DDNS service configuration
Server
Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.
The fully qualified domain name of the DDNS service.
Domain
Username The user name to use when connecting to the DDNS server.
Password The password to use when connecting to the DDNS server.
Configuring a virtual IPSec interface
You create a virtual IPSec interface by selecting IPSec Interface Mode in
VPN > IPSec > Auto Key or VPN > IPSec > Manual Key when you create a
VPN. You also select a physical or VLAN interface from the Local Interface list.
The virtual IPSec interface is listed as a subinterface of that interface in
System > Network > Interface. For more information, see
•
“Overview of IPSec interface mode” on page 285
•
Go to System > Network > Interface and select Edit on an IPSec interface to:
• configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel
• enable administrative access through the IPSec interface
• enable logging on the interface
• enter a description for the interface
Figure 37: Virtual IPSec interface settings
82
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Interface
Name
Virtual Domain
IP
Remote IP
Administrative
Access
HTTPS
PING
HTTP
Log
SSH
SNMP
TELNET
Description
The name of the IPSec interface.
Select the VDOM of the IPSec interface.
If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.
Select the types of administrative access permitted on this interface.
Allow secure HTTPS connections to the web-based manager through this interface.
Interface responds to pings. Use this setting to verify your installation and for testing.
Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
Allow SSH connections to the CLI through this interface.
Allow a remote SNMP manager to request SNMP information by connecting to this interface. See
“Configuring SNMP” on page 127 .
Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to
Log&Report > Log Config to configure logging locations and
types. For information about logging see “Log&Report” on page 407
.
Optionally, enter a description up to 63 characters long.
Additional configuration for interfaces
Once the interface is selected with the basic settings configured, some additional configuration may be considered. Additional configuration for an interface consists of setting:
•
Administrative access to an interface
•
•
Traffic logging for an interface
•
Administrative access to an interface
For a VDOM running in NAT/Route mode, you can control administrative access to the interfaces in that VDOM.
You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the
FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the
Internet:
Use secure administrative user passwords.
Change these passwords regularly.
Enable secure administrative access to this interface using only HTTPS or SSH.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
83
Interface
84
System Network
1
2
3
4
1
2
3
4
Do not change the system idle timeout from the default value of 5 minutes (see
).
For more information on configuring administrative access in Transparent mode,
see “Operation mode and VDOM management access” on page 141 .
To control administrative access to an interface
Go to System > Network > Interface.
Choose an interface and select Edit.
Select the Administrative Access methods for the interface.
Select OK to save the changes.
Interface MTU packet size
To improve network performance, you can change the maximum transmission unit
(MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission.
Experiment by lowering the MTU to find an MTU size for best network performance.
FortiGate models numbered 3000 and higher support jumbo frames. Some models support a limit of 9 000 bytes while others support 16 110 bytes. Jumbo frames can be up to 9 000 bytes or 16110, much larger than standard Ethernet frames. Standard Ethernet frames (packets) can be a maximum of 1 500 bytes including header information. As new Ethernet standards have been implemented
(such as Gigabit Ethernet), 1 500-byte frames have been kept for backward compatibility.
To be able to send jumbo frames over a route, all Ethernet devices on that route must support jumbo frames. Otherwise your jumbo frames are not recognized and they are dropped.
If you have standard ethernet and jumbo frame traffic on the same interface, routing alone cannot route them to different routes based only on frame size.
However you can use VLANs to make sure the jumbo frame traffic is routed over network devices that support jumbo frames. VLANs will inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route. For more information on VLAN configurations, see the
VLAN and VDOM guide
.
To change the MTU size of the packets leaving an interface
Go to System > Network > Interface.
Choose a physical interface and select Edit.
Select Override default MTU value (1500).
Set the MTU size.
If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported. Supported maximums are 16110, 9000, and 1500.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
Traffic logging for an interface
You can enable traffic logging for any interface. See
more information.
Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply separate firewall policies for each IP address on an interface. You can also forward traffic and use RIP or OSPF routing with secondary IP addresses.
There can be up to 32 secondary IP addresses per interface. Primary and secondary IP addresses can share the same ping generator.
The following restrictions must be in place before you are able to assign a secondary IP address.
• A primary IP address must be assigned to the interface first.
• The interface must use manual addressing mode.
• By default, IP addresses cannot be part of the same subnet. To allow interface subnet overlap use the CLI command: config system global
(global)# set allow-interface-subnet-overlap enable
(global)#end
Secondary IP addresses cannot terminate a VPN tunnel.
You can use the CLI command config system interface to add a secondary IP address to an interface. For more information, see config secondaryip under system interface in the
FortiGate CLI Reference
.
Figure 38: Adding Secondary IP Addresses
Interface
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
85
Interface
86
System Network
IP/Netmask
Ping Server
Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects.
Two interfaces cannot have IP addresses on the same subnet.
This field is only available when Manual addressing mode is selected.
To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and
select Enable. See “Dead gateway detection” on page 89 .
Multiple addresses can share the same ping server. This field is optional.
Select the types of administrative access permitted on the secondary IP. These can be different from the primary address.
Administrative
Access
HTTPS
PING
HTTP
SSH
SNMP
Allow secure HTTPS connections to the web-based manager through this secondary IP.
Secondary IP responds to pings. Use this setting to verify your installation and for testing.
Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.
Allow SSH connections to the CLI through this secondary IP.
Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See
“Configuring SNMP” on page 127 .
Add
TELNET
Allow Telnet connections to the CLI through this secondary IP.
Telnet connections are not secure and can be intercepted by a third party.
Select Add to add the configured secondary IP address to the secondary IP table shown below.
Addresses in this table are not added to the interface until you select OK or Apply at the bottom of this screen.
Secondary IP table
A table that shows all the secondary IP addresses that have been added to this interface.
These addresses are not permanently added to the interface until you select OK or Apply at the bottom of the screen. Otherwise some addresses may be removed from the table due to the above restrictions.
#
The number of the secondary IP address. There can be up to 32 additional IP addresses on an interface.
IP/Netmask The IP address and netmask for this secondary IP.
Ping Server The IP address of the ping server for this address. The ping server can be shared by multiple addresses.
The ping server is optional.
Enable
Indicates if the ping server option is selected.
Access
The administrative access methods for this address. They can be different from the primary IP address.
Delete Icon
Select to remove this secondary IP entry.
Note: It is recommended that after adding a secondary IP, you return to the secondary IP table and verify your new address is listed. If not, one of the restrictions prevented the address from being added.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
Zone
You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, but not between interfaces in the zone.
You can add zones, rename and edit zones, and delete zones from the zone list.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone.
Zones are added to virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones.
Figure 39: Zone list
Zone
Create New
Name
Select Create New to create a new zone.
The names of the zones that you have added.
Block intra-zone traffic
Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members The names of the interfaces added to the zone. Interface names depend on the FortiGate model.
Edit/View icons
Delete icon
Edit or view a zone.
Delete a zone.
Zone settings
Go to System > Network > Zone to configure zones. Select Create New or select the Edit icon for a zone to modify that zone.
Figure 40: Zone options
Name
Block intra-zone traffic
Enter the name to identify the zone.
Select Block intra-zone traffic to block traffic between interfaces or
VLAN subinterfaces in the same zone.
Interface members Select the interfaces that are part of this zone. This list includes configured VLANs.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
87
Network Options System Network
Network Options
Network options include DNS server and dead gateway detection settings. These options are set on the Configuring Network Options screen.
Go to System > Network > Options to configure DNS servers and Dead
Gateway Detection settings.
Figure 41: Networking Options - FortiGate models 200 and higher
Figure 42: Networking Options - models numbered 100 and lower
88
Obtain DNS server address automatically
This option applies only to FortiGate models 100 and lower.
When DHCP is used on an interface, also obtain the DNS server IP address. Available only in NAT/Route mode. You should also enable Override internal DNS in the DHCP settings of the interface. See
“Configuring DHCP on an interface” on page 78
.
Use the following DNS server addresses
This option applies only to FortiGate models 100 and lower.
Use the specified Primary and Secondary DNS server addresses.
Primary DNS Server
Enter the primary DNS server IP address.
Secondary DNS Server
Enter the secondary DNS server IP address.
Local Domain Name
Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Network Options
Enable DNS forwarding from This option applies only to FortiGate models 100 and lower operating in NAT/Route mode.
Select the interfaces that forward DNS requests they receive to the DNS servers that you configured.
Dead Gateway Detection
Detection Interval
Dead gateway detection confirms connectivity using a ping server added to an interface configuration. For information about adding a ping server to an interface, see
“Dead gateway detection” on page 89 .
Enter a number in seconds to specify how often the
FortiGate unit pings the target.
Fail-over Detection
Enter the number of times that the ping test fails before the FortiGate unit assumes that the gateway is no longer functioning.
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See
“Configuring DHCP on an interface” on page 78
or “Configuring an interface for
.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces.
Hosts on the attached network use the interface IP address as their DNS server.
DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.
Dead gateway detection
Dead gateway detection periodically pings a ping server to confirm network connectivity. Typically, the ping server is the next-hop router that leads to an external network or the Internet. The ping period (Detection Interval) and the number of failed pings that is considered to indicate a loss of connectivity (Failover Detection) are set in System > Network > Options.
To apply dead gateway detection to an interface, you must configure a ping server on it.
1
2
3
4
5
To add a ping server to an interface
Go to System > Network > Interface.
Choose an interface and select Edit.
Set Ping Server to the IP address of the next hop router on the network connected to the interface.
Select the Enable check box.
Select OK to save the changes.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
89
Routing table (Transparent Mode) System Network
Routing table (Transparent Mode)
In Transparent mode, go to System > Network > Routing Table to add static routes from the FortiGate unit to local routers.
Figure 43: Routing table
Create New
#
IP
Mask
Gateway
Distance
Delete icon
View/edit icon
Move To icon
Add a new route.
Route number.
The destination IP address for this route.
The netmask for this route.
The IP address of the next hop router to which this route directs traffic.
The the relative preferability of this route. 1 is most preferred.
Remove a route.
Edit or view a route.
Change the position of a route in the list.
Transparent mode route settings
Go to System > Network > Routing Table and select Create New to add a route.
You can also select the Edit icon of an existing route to modify it.
Figure 44: Transparent mode route options
Destination IP
/Mask
Enter the destination IP address and netmask for this route.
To create a default route, set the Destination IP and Mask to 0.0.0.0.
Gateway
Distance
Enter the IP address of the next hop router to which this route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
The relative preferability of this route. 1 is most preferred.
90
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Configuring the modem interface
Configuring the modem interface
On FortiGate models with modem support, you can use the modem as either a backup interface or a standalone interface in NAT/Route mode.
• In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
• In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.
When connecting to the ISP, in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
FortiGate models 50AM and 60M have a built-in modem. For these models, you can configure modem operation in the web-based manager. See
“Configuring modem settings” .
Models 50A and 60 can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI.
See the system modem command in the
FortiGate CLI Reference
.
Note: The modem interface is not the AUX port which is a port that is used for a remote console connection - it has no associated interface. The AUX port is only available on
FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux
command in the
FortiGate CLI Reference
.
Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure up to three dialup accounts, select standalone or redundant operation, and configure how the modem dials and disconnects.
You can configure and use the modem in NAT/Route mode only.
Figure 45: Modem settings (Standalone)
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
91
Configuring the modem interface
Figure 46: Modem settings (Redundant)
System Network
92
Enable Modem
Modem status
Select to enable the FortiGate modem.
The modem status shows one of: “not active”, “connecting”,
“connected”, “disconnecting” or “hung up” (Standalone mode only).
Dial Now/Hang Up
(Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang
Up to manually disconnect the modem.
Mode
Auto-dial
Select Standalone or Redundant mode. In Standalone mode, the modem is an independent interface. In Redundant mode, the modem is a backup facility for a selected Ethernet interface.
(Standalone mode only) Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.
Redundant for
Dial on demand
Idle timeout
Holddown
Timer
(Redundant mode only) Select the ethernet interface for which the modem provides backup service.
Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. In Standalone mode, you cannot select
Dial on demand if Auto-dial is selected.
Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
(Redundant mode only) Enter the time (1-60 seconds) that the
FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored.
The default is 1 second. Configure a higher value if you find the
FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redial Limit
Dialup Account
The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. The default redial limit is 1. Select None to have no limit on redial attempts.
Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Configuring the modem interface
Phone Number
User Name
Password
The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
The user name (maximum 63 characters) sent to the ISP.
The password sent to the ISP.
To configure the modem in Redundant mode, see “Redundant mode configuration” on page 93 .
To configure the modem in Standalone mode, see
“Standalone mode configuration” on page 94 .
Redundant mode configuration
The modem interface in redundant mode backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface.
The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface can again connect to its network.
There is an optional timeout setting, after which the modem will disconnect if there is no network activity. This is useful in saving money on dialup connection charges.
For the FortiGate unit to be able to switch from an ethernet interface to the modem you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
4
5
1
2
3
Note: Do not add policies for connections between the modem interface and the interface that the modem is backing up.
To configure redundant mode
Go to System > Network > Modem.
Select Redundant mode.
Enter the following information:
Mode
Redundant for
Holddown timer
Redial Limit
Redundant
From the list, select the interface to back up.
Enter the number of seconds to continue using the modem after the interface is restored.
Enter the maximum number of times to retry if the ISP does not answer.
Enter the ISP phone number, user name and password for up to three dialup accounts.
Dialup Account 1
Dialup Account 2
Dialup Account 3
Select Apply.
Configure a ping server for the ethernet interface the modem backs up.
See
“To add a ping server to an interface” on page 89 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
93
Configuring the modem interface System Network
6
Configure firewall policies for connections to the modem interface.
See
“Adding firewall policies for modem connections” on page 94
.
Standalone mode configuration
In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the
FortiGate unit restarts or when there are unrouted packets. You can also hang up or redial the modem manually.
If the connection to the dialup account fails, the FortiGate unit will redial the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account.
There is an optional timeout setting, after which the modem will disconnect if there is no network activity. This is useful in saving money on dialup connection charges.
You must configure firewall policies for connections between the modem interface and other FortiGate interfaces.
1
2
3
4
To operate in standalone mode
Go to System > Network > Modem.
Enter the following information:
Mode
Auto-dial
Dial on demand
Idle timeout
Redial Limit
Dialup Account 1
Dialup Account 2
Dialup Account 3
Standalone
Select if you want the modem to dial when the FortiGate unit restarts.
Select if you want the modem to connect to its ISP whenever there are unrouted packets.
Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Enter the maximum number of times to retry if the ISP does not answer.
Enter the ISP phone number, user name and password for up to three dialup accounts.
Select Apply.
Configure firewall policies for connections to the modem interface.
See
“Adding firewall policies for modem connections” on page 94
.
Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses,
see “To add an IP address, IP range, or FQDN, go to Firewall > Address, select
Create New.” on page 237 . When you add addresses, the modem interface
appears on the policy grid.
You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information
about adding firewall policies, see “Adding a firewall policy” on page 215 .
94
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network Configuring the modem interface
Connecting and disconnecting the modem
The modem must be in Standalone mode.
1
2
3
4
5
1
2
To connect to a dialup account
Go to System > Network > Modem.
Select Enable USB Modem.
Make sure there is correct information in one or more Dialup Accounts.
Select Apply if you make any configuration changes.
Select Dial Now.
The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP.
To disconnect the modem
Use the following procedure to disconnect the modem from a dialup account.
Go to System > Network > Modem.
Select Hang Up if you want to disconnect from the dialup account.
Checking modem status
You can determine the connection status of your modem and which dialup account is active. If the modem is connected to the ISP, you can see the IP address and netmask.
To check the modem status, go to System > Network > Modem.
Modem status is one of the following:
not active connecting connected
The modem is not connected to the ISP.
The modem is attempting to connect to the ISP.
The modem is connected to the ISP.
disconnecting
The modem is disconnecting from the ISP.
hung up
The modem has disconnected from the ISP. (Standalone mode only)
The modem will not redial unless you select Dial Now.
A green check mark indicates the active dialup account.
The IP address and netmask assigned to the modem interface appears on the
System Network Interface page of the web-based manager.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
95
VLAN overview System Network
VLAN overview
A VLAN is group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, independent of where they are located.
For example, the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments, but still belong to the same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in
VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.
For more information on VLANs, see the
FortiGate VLANs and VDOMs Guide
.
Figure 47: Basic VLAN topology
Internet
Untagged packets
Router
VL AN 1
VL AN 2
VL AN 1
VL AN 2
VLAN Switch
VL AN 1 Network
VL AN 2 Network
FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer-2 switches. Packets passing between devices in different VLANs must be handled by a layer-3 device such as router, firewall, or layer-3 switch.
96
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network VLANs in NAT/Route mode
Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply authentication, protection profiles, and other firewall policy features for network and VPN traffic that is allowed to pass between security domains.
VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control the flow of packets between VLANs. The FortiGate unit can also remove
VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet.
In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from incoming packets and add a different VLAN tags to outgoing packets.
Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more
VLAN subinterfaces with the same VLAN IDs to different physical interfaces.
There is no internal connection or link between two VLAN subinterfaces with same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.
Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set allow-interface-subnetoverlap enable
to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
97
VLANs in NAT/Route mode System Network
Figure 37 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a VLAN switch using an
802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and
VLAN 200). The external interface connects to the Internet. The external interface is not configured with VLAN subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between the VLANs and from the VLANs to the external network.
Figure 48: FortiGate unit in NAT/Route mode
Internet
Untagged packets
External 172.16.21.2
FortiGate unit
Internal 192.168.110.126
802.1Q
trunk
VL AN 100
Fa 0/24
Fa 0/3
Fa 0/9
VLAN Switch
VL AN 200
98
VL AN 100 Network
10.1.1.0
VL AN 200 Network
10.1.2.0
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and
4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
Note: A VLAN must not have the same name as a virtual domain or zone.
1
2
3
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
To add a VLAN subinterface in NAT/Route mode
Go to System > Network > Interface.
Select Create New to add a VLAN subinterface.
Enter a Name to identify the VLAN subinterface.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network VLANs in Transparent mode
4
5
6
7
8
1
2
3
4
Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
If you are the super admin, select the virtual domain to add this VLAN subinterface to. Otherwise, you can only create VLAN subinterfaces in your own
VDOM.
See
“Using virtual domains” on page 61
for information about virtual domains.
Configure the VLAN subinterface settings as you would for any FortiGate interface.
See
“Interface settings” on page 72
.
Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step
To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
Go to Firewall > Address.
Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
See
“About firewall addresses” on page 235
.
Go to Firewall > Policy.
Create or add firewall policies as required.
VLANs in Transparent mode
In Transparent mode, the FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1 VLAN trunk. You can insert the FortiGate unit operating in
Transparent mode into the trunk without making changes to your network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a
VLAN trunk from a VLAN switch or router connected to internal VLANs. The
FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The
FortiGate unit can be configured to apply different policies for traffic on each
VLAN in the trunk.
For VLAN traffic to be able to pass between the FortiGate Internal and external interface you would add a VLAN subinterface to the internal interface and another
VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this
VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
99
VLANs in Transparent mode System Network
If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for this source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination
VLAN subinterface. The destination VLAN ID is added to the packet by the
FortiGate unit and the packet is sent to the VLAN trunk.
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM.
Figure 49: FortiGate unit with two virtual domains in Transparent mode
VLAN1
VLAN2
Internal
FortiGate unit root virtual domain
VLAN1
VLAN1
New virtual domain
VLAN3 VLAN3
External
Internet
VLAN3
Figure 50 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.
100
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network
Figure 50: FortiGate unit in Transparent mode
Internet
Router
Untagged packets
VLAN Switch
VLAN Trunk
VL AN 1
VL AN 2
VL AN 3
FortiGate unit in Transparent mode
VLAN Trunk
VL AN 1
VL AN 2
VL AN 3
VLAN Switch
VL AN 1
VL AN 2
VL AN 3
VLANs in Transparent mode
VL AN 1 Network VL AN 2 Network VL AN 3 Network
Rules for VLAN IDs
In Transparent mode two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more
VLAN subinterfaces with the same VLAN IDs to different physical interfaces.
There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.
Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.
Transparent mode virtual domains and VLANs
VLAN subinterfaces are added to and associated with virtual domains. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain.
You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. For information on adding and configuring
virtual domains, see “Using virtual domains” on page 61
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
101
VLANs in Transparent mode System Network
To add a VLAN subinterface in Transparent mode
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
Note: A VLAN must not have the same name as a virtual domain or zone.
3
4
1
2
5
6
7
8
9
3
4
1
2
Go to System > Network > Interface.
Select Create New to add a VLAN subinterface.
Enter a Name to identify the VLAN subinterface.
Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
Select which virtual domain to add this VLAN subinterface to.
See
“Using virtual domains” on page 61 for information about virtual domains.
Configure the administrative access, and log settings as you would for any
FortiGate interface.
See
“Interface settings” on page 72 for more descriptions of these settings.
Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected.
Select Bring up to start the VLAN subinterface.
To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
Go to Firewall > Address.
Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
See
“About firewall addresses” on page 235
.
Go to Firewall > Policy.
Add firewall policies as required.
102
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Network VLANs in Transparent mode
Figure 51: FortiGate unit with two virtual domains in Transparent mode
VLAN1
VLAN2
Internal
FortiGate unit root virtual domain
VLAN1
VLAN1
New virtual domain
VLAN3 VLAN3
External
VLAN3
Internet
Figure 52 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.
Figure 52: FortiGate unit in Transparent mode
Internet
Router
Untagged packets
VLAN Switch
VLAN Trunk
VL AN 1
VL AN 2
VL AN 3
FortiGate unit in Transparent mode
VLAN Trunk
VL AN 1
VL AN 2
VL AN 3
VLAN Switch
VL AN 1
VL AN 2
VL AN 3
VL AN 1 Network VL AN 2 Network
VL AN 3 Network
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
103
FortiGate IPv6 support System Network
Troubleshooting ARP Issues
Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.
Duplicate ARP packets
ARP traffic can cause problems, especially in Transparent mode where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset causing network traffic to slow down.
ARP Forwarding
One solution to this problem is to enable ARP forwarding. it can be enabled in the
GUI or CLI. In the GUI, go to System > Config > Operation and select ARP
Forwarding. For details on the CLI, see the
FortiGate CLI Reference
.
When enabled, the Fortigate unit allows duplicate ARP packets resolving the previous delivery problems. However, this also opens up your network to potential hacking attempts that spoof packets.
For more secure solutions, see the
FortiGate VLANs and VDOMs Guide
.
FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets.
FortiGate units support static routing, periodic router advertisements, firewall policies and tunneling of IPv6-addressed traffic over an IPv4-addressed network.
All of these features must be configured through the Command Line Interface
(CLI). See the
FortiGate CLI Reference
for information on the following commands:
Table 4: IPv6 CLI commands
Feature CLI Command
Interface configuration, including periodic router advertisements config system interface
See the keywords beginning with “ip6”.
config ip6-prefix-list
Static routing config router static6
IPv6 tunneling
Firewall config system ipv6_tunnel config firewall address6 config firewall addrgrp6 config firewall policy6
Execute execute ping6
104
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Wireless The FortiWiFi wireless LAN interface
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units.
The following topics are included in this section:
•
The FortiWiFi wireless LAN interface
•
•
System wireless settings (FortiWiFi-60)
•
System wireless settings (FortiWiFi-60A and 60AM)
•
•
The FortiWiFi wireless LAN interface
You can configure the FortiWiFi Wireless interface to:
• provide an access point to which users with wireless network cards can connect (Access Point mode).
or
• connect the FortiWiFi unit to another wireless network (Client mode)
Access Point mode is the default mode. FortiWiFi-60A and FortiWiFi-60AM units can provide multiple WLANs.
FortiWiFi units support the following wireless network standards:
• IEEE 802.11a (5-GHz Band)
• IEEE 802.11b (2.4-GHz Band)
• IEEE 802.11g (2.4-GHz Band)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA) using pre-shared key or Radius server (Access
Point mode only)
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
105
Channel assignments System Wireless
106
Channel assignments
The following tables list the channel assignments for wireless LANs.
Table 5: IEEE 802.11a (5-GHz Band) channel numbers
Channel number
34
36
38
40
42
44
46
48
52
56
60
64
149
153
157
161
Frequency
(MHz)
5170
5180
5190
5200
5210
5220
5230
5240
5260
5280
5300
5320
5745
5765
5785
5805
Americas
–
X
–
X
–
X
–
X
X
X
X
X
–
–
–
–
Europe
X
X
X
X
X
X
X
X
X
X
X
X
–
–
–
–
Regulatory Areas
Taiwan
–
–
–
–
–
–
–
–
X
X
X
X
–
–
–
–
Singapore
–
X
–
X
–
X
–
X
–
–
–
–
–
–
–
–
Japan
X
–
X
–
X
–
X
–
–
–
–
–
–
–
–
–
All channels are restricted to indoor usage except the Americas, which allows for indoor and outdoor use on channels 52 through 64 in the United States.
Table 6: IEEE 802.11b (2.4-GHz Band) channel numbers
Channel number
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Frequency
(MHz)
2412
2417
2422
2427
2432
2437
2442
2447
2452
2457
2462
2467
2472
2484
Americas
X
X
X
X
X
X
X
X
X
X
X
–
–
–
Regulatory Areas
EMEA
X
X
X
X
X
X
X
X
X
X
X
X
X
–
Israel
–
–
–
X
X
X
X
X
X
X
–
–
–
–
Japan
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Wireless System wireless settings (FortiWiFi-60)
Table 7: IEEE 802.11g (2.4-GHz Band) channel numbers
9
10
11
12
7
8
5
6
13
14
Regulatory Areas
Channel number
Frequency
(MHz)
Americas EMEA Israel Japan
CCK ODFM CCK ODFM CCK ODFM CCK ODFM
3
4
1
2
2412
2417
2422
2427
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
–
–
–
–
–
–
–
–
X
X
X
X
X
X
X
X
2432
2437
2442
2447
2452
2457
2462
2467
2472
2484
X
X
X
X
X
X
X
–
–
–
X
X
X
X
X
X
X
–
–
–
X
X
X
X
X
X
X
X
X
–
X
X
X
X
X
X
X
X
X
–
X
X
X
X
–
–
–
–
–
–
X
X
X
X
–
–
–
–
–
–
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
–
X
X
X
X
System wireless settings (FortiWiFi-60)
Go to System > Wireless > Settings to configure wireless LAN settings.
Figure 53: Configuring wireless parameters
MAC Address
The MAC address of the Wireless interface.
Operation Mode The current operating mode. Select Change to change it.
Access Point mode makes the FortiWiFi-60 unit act as a wireless access point to which multiple clients can connect.
Client mode configures the unit to connect to another wireless network as a client.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
107
System wireless settings (FortiWiFi-60) System Wireless
Geography
Channel
SSID
Select your country or region. This determines which channels are available. You can select Americas, EMEA, Israel, or Japan. If you are in any other region, select World.
Select a channel for your FortiWiFi-60 wireless network. Users of the wireless network must configure their computers to use this channel.
The channels that you can select depend on the Geography setting. See
“Channel assignments” on page 106
for channel information.
Enter the wireless network name that the FortiWiFi-60 unit broadcasts.
Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
SSID Broadcast Select Enable if you want the FortiWiFi-60 unit to broadcast its SSID.
(Access Point mode only)
Security mode
To use WEP, select WEP64 or WEP128. To use WPA (available in
Access Point mode only), select WPA Pre-shared Key or WPA_Radius.
Users of the FortiWiFi-60 wireless network must configure their computers with the same settings.
Key
For a 64-bit WEP key, enter 10 hexadecimal digits (0-9 a-f). For a 128-bit
WEP key, enter 26 hexadecimal digits (0-9 a-f). Users of the wireless network must configure their computers with the same key.
Pre-shared Key For WPA Pre-shared Key security mode, enter the pre-shared key.
Users of the wireless network should configure their computers with the same key.
Radius Server
Name
Advanced
For WPA Radius security mode, choose the Radius server name from the list. The Radius server must be configured in User > Radius. For more information, see
.
Open or close the Advanced settings section of the Wireless
Parameters.
Change settings if needed to address performance problems. Default values should work well for most situations.
Advanced settings are described below. (Access Point mode only)
Tx Power
Set the transmitter power level. The default is the maximum power,
31dBm.
Beacon Interval Set the interval between beacon packets. Access Points broadcast
Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. In an environment with high interference, decreasing the
Beacon Interval might improve network performance. In a location with few wireless nodes, you can increase this value.
RTS Threshold The Request to Send (RTS) threshold sets the time the unit waits for
Clear to Send (CTS) acknowledgement from another wireless device.
Fragmentation
Threshold
Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference.
108
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Wireless System wireless settings (FortiWiFi-60A and 60AM)
System wireless settings (FortiWiFi-60A and 60AM)
Go to System > Wireless > Settings to configure wireless LAN settings.
Figure 54: Wireless parameters - FortiWiFi-60A and FortiWiFi-60AM
Operation Mode The current operating mode.
Access Point mode makes the FortiWiFi unit act as a wireless access point to which multiple clients can connect.
Client mode configures the unit to connect to another wireless network as a client.
Band
Select the wireless frequency band you want to use. You can select from: 802.11a, 802.11b, and 802.11g.
Geography
Channel
Tx Power
Select your country or region. This determines which channels are available. You can select Americas, EMEA, Israel, or Japan. If you are in any other region, select World.
Select a channel for your FortiWiFi-60 wireless network. Users of the wireless network must configure their computers to use this channel.
The channels that you can select depend on the Geography setting. See
“Channel assignments” on page 106 for channel information.
Set the transmitter power level. The default is the maximum power,
31dBm.
Beacon Interval Set the interval between beacon packets. Access Points broadcast
Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. In an environment with high interference, decreasing the
Beacon Interval might improve network performance. In a location with few wireless nodes, you can increase this value.
Wireless interface list
Interface
The name of the WLAN interface. Select the name to edit the interface.
MAC Address
The MAC address of the Wireless interface.
SSID
The wireless network name that the unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
SSID Broadcast Green checkmark icon indicates that the unit broadcasts its SSID.
(Access Point mode only)
Security Mode
WEP64, WEP128, WPA Pre-shared Key, WPA_Radius or none. WPA is available in Access Point mode only. Users of the wireless network must configure their computers with the same settings.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
109
Wireless MAC Filter System Wireless
Wireless MAC Filter
Go to System > Wireless > MAC Filter to allow or deny wireless access to users based on their MAC address.
Figure 55: Wireless MAC Filter
110
MAC Filter Enable
Enable the MAC Filter.
Access for PCs not
Select whether to allow or deny access to unlisted MAC addresses.
listed below
MAC Address
Enter the MAC address to filter.
Allow or Deny
Add
Allow List
Deny List
Arrow buttons
Remove (below
Allow list)
Remove (below
Deny list)
Select whether to allow or deny the MAC Address.
Add the MAC address to the Allow or Deny list, as selected.
List of MAC addresses allowed access to the wireless network.
List of MAC addresses denied access to the wireless network.
Move MAC addresses between lists.
Remove selected MAC addresses from Allow list.
Remove selected MAC addresses from Deny list.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Wireless Wireless Monitor
Wireless Monitor
Go to System > Wireless > Monitor to see who is connected to your wireless
LAN. This feature is available only if you are operating the wireless interface in
WPA security mode.
Figure 56: Wireless Monitor (FortiWiFi-60)
Figure 57: Wireless Monitor (FortiWiFi-60A and 60AM)
Statistics
Statistical information about wireless performance for each
WLAN. Available only on the FortiWiFi-60A and FortiWiFi-
60AM.
AP Name
The SSID of the WLAN interface.
Signal Strength (dBm)
The strength of the signal from the client.
Noise (dBm)
S/N (dB)
Rx (KBytes)
Tx (KBytes)
Clients
The received noise level.
The signal-to-noise ratio in deciBels calculated from signal strength and noise level.
The amount of data in kilobytes received this session.
The amount of data in kilobytes sent this session.
The number of clients connected to the WLAN and information about each of them.
The MAC address of the connected wireless client.
MAC Address
IP Address
AP Name
ID
The IP address assigned to the connected wireless client.
The name of the WLAN to which the client is connected.
Available on the FortiWiFi-60A and FortiWiFi-60AM only.
The user ID of the connected user using WPA RADIUS security mode. This field is blank if the client uses WPA
Pre-Shared Key or WEP security modes.
Available on the FortiWiFi-60 only.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
111
Wireless Monitor System Wireless
112
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System DHCP FortiGate DHCP servers and relays
System DHCP
This section describes how to use DHCP to provide convenient automatic network configuration for your clients.
The following topics are included in this section:
•
FortiGate DHCP servers and relays
•
•
FortiGate DHCP servers and relays
The DHCP protocol enables hosts to automatically obtain their assigned IP address. Optionally, they can also obtain default gateway and DNS server settings. A FortiGate interface or VLAN subinterface can provide the following
DHCP services:
• Regular DHCP servers for regular Ethernet connections
• IPSec DHCP servers for IPSec (VPN) connections
• DHCP relay for regular Ethernet or IPSec (VPN) connections
An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec).
Note: You can configure a Regular DHCP server on an interface only if the interface has a static IP address. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A
DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their
IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.
To configure a DHCP server, see “Configuring a DHCP server” on page 115
.
You can configure a FortiGate interface as a DHCP relay. The interface forwards
DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit.
To configure a DHCP relay see
“Configuring an interface as a DHCP relay agent” on page 115 .
DHCP services can also be configured through the Command Line Interface
(CLI). See the
FortiGate CLI Reference
for more information.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
113
Configuring DHCP services System DHCP
Configuring DHCP services
Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay and add DHCP servers as needed.
On FortiGate models 50 and 60, a DHCP server is configured, by default, on the
Internal interface, as follows:
IP Range
Netmask
Default gateway
Lease time
DNS Server 1
192.168.1.110 to 192.168.1.210
255.255.255.0
192.168.1.99
7 days
192.168.1.99
You can disable or change this default DHCP Server configuration.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.
Figure 58: DHCP service list - FortiGate-200A shown
114
Edit
Delete
Add DHCP Server
Interface
Server Name/
Relay IP
Type
List of FortiGate interfaces. Expand each listed interface to view the
Relay and Servers.
Name of FortiGate DHCP server or IP address of DHCP server accessed by relay.
Type of DHCP relay or server: Regular or IPSec.
Enable
Green check mark icon indicates that server or relay is enabled.
Add DHCP Server
Configure and add a DHCP server for this interface.
icon
Edit
Edit DHCP relay or server configuration.
Delete
Delete a DHCP server.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System DHCP Configuring DHCP services
Configuring an interface as a DHCP relay agent
Go to System > DHCP > Service and select an edit icon to view or modify the
DHCP relay configuration for an interface.
Figure 59: Edit DHCP relay settings for an interface
Interface Name
Enable
Type
Regular
The name of the interface.
Enable the DHCP relay agent on this interface.
Select the type of DHCP service required.
Configure the interface to be a DHCP relay agent for computers on the network connected to this interface.
IPSEC
Configure the interface to be a DHCP relay agent only for remote
VPN clients with an IPSec VPN connection to this interface.
DHCP Server IP
Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.
Configuring a DHCP server
Go to System > DHCP > Service to configure a DHCP server on an interface.
Select Add a DHCP Server beside the interface or select Edit beside an existing
DHCP server to change its settings.
Figure 60: DHCP Server options
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
115
Viewing address leases System DHCP
Name
Enable
Type
IP Range
Network Mask
Default Gateway
Domain
Lease Time
Advanced
DNS Server 1
DNS Server 2
DNS Server 3
WINS Server 1
WINS Server 2
Option 1
Option 2
Option 3
Enter a name for the DHCP server.
Enable the DHCP server.
Select Regular or IPSEC DHCP server.
You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.
Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients.
Enter the netmask that the DHCP server assigns to DHCP clients.
Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
Enter the domain that the DHCP server assigns to DHCP clients.
Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the
DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
Select to configure advanced options. The remaining options in this table are advanced options.
Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Enter up to three custom DHCP options that can be sent by the
DHCP server. Code is the DHCP option code in the range 1 to 255.
Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about
DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor
Extensions.
Exclude Ranges
Add
Starting IP
End IP
Delete icon
Add an IP exclude range.
You can add up to 16 exclude ranges of IP addresses that the
DHCP server cannot assign to DHCP clients. No range can exceed
65536 IP addresses.
Enter the first IP address of the exclude range.
Enter the last IP address of the exclude range.
Delete the exclude range.
Viewing address leases
Go to System > DHCP > Address Leases to view the IP addresses that the
DHCP servers have assigned and the corresponding client MAC addresses.
Figure 61: Address leases list
116
Interface
Refresh
IP
Select interface for which to list leases.
Select Refresh to update Address leases list.
The assigned IP address.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System DHCP Viewing address leases
MAC
Expire
The MAC address of the device to which the IP address is assigned.
Expiry date and time of the DHCP lease.
Reserving IP addresses for specific clients
You can reserve an IP address for a specific client identified by the client device
MAC address and the connection type, regular Ethernet or IPSec. The DHCP server always assigns the reserved address to that client. You can define up to 50 reserved addresses.
Use the CLI system dhcp reserved-address command. For more information, see the
FortiGate CLI Reference
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
117
Viewing address leases System DHCP
118
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
System Config
This section describes the configuration of several non-network features, such as
HA, SNMP, custom replacement messages, and VDOM operation.
The following topics are included in this section:
•
•
•
•
Operation mode and VDOM management access
HA, SNMP and Replacement messages are part of the global configuration of the
FortiGate unit. Changing operation mode applies to each individual VDOM.
HA
FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. This section contains a brief description of HA web-based manager configuration options, the HA cluster members list, HA statistics, and the disconnecting cluster members.
For complete information about how to configure and operate FortiGate HA clusters see the
FortiGate HA Overview
, the
FortiGate HA Guide
, and the Fortinet
Knowledge Center .
Note: For FortiOS v3.0 MR2 and previous versions, this HA section included extensive detail about HA. Starting with FortiOS v3.0 MR3 you should refer to the
FortiGate HA
Overview
or the
FortiGate HA Guide
for the full HA story.
HA is not available on FortiGate models 50A, 50AM and 224B. HA is available on all other FortiGate modules, including the FortiGate-50B.
The following topics are included in this section:
•
•
•
•
Changing subordinate unit host name and device priority
•
Disconnecting a cluster unit from a cluster
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to
System > Config > HA.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
119
HA
HA System Config
If HA is already enabled, go to System > Config > HA to display the cluster members list. Select edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other cluster units.
Figure 62: FortiGate-1000AFA2 unit HA configuration
120
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clustering. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview
and the
FortiGate HA Guide
.
To configure HA options for a FortiGate unit with virtual domains enabled, log in as the global admin administrator and go to System > Config > HA.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Figure 63: FortiGate-5001SX HA virtual cluster configuration
HA
Mode
Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. When configuring a cluster, you must set all members of the HA cluster to the same HA mode. You can select
Standalone (to disable HA), Active-Passive, or Active-Active. If virtual domains are enabled you can select Active-Passive or Standalone.
Device Priority
Optionally set the device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two device priorities, one for each virtual cluster. During HA negotiation, the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster.
Changes to the device priority are not synchronized. You can accept the default device priority when first configuring a cluster. When the cluster is operating you can change the device priority for different cluster units as required.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
121
HA System Config
Group Name
Password
VDOM partitioning
Add a name to identify the cluster. The maximum group name length is 7 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating you can change the group name. The group name change is synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group name when first configuring a cluster. When the cluster is operating you can change the group name if required. Two clusters on the same network cannot have the same group name.
Add a password to identify the cluster. The maximum password length is
15 characters. The password must be the same for all cluster units before the cluster units can form a cluster.
The default is no password. You can accept the default when first configuring a cluster. When the cluster is operating you can add a password if required. Two clusters on the same network must have different passwords.
Enable Session pickup
Enable session pickup so that if the primary unit fails, all sessions are picked up by the cluster unit that becomes the new primary unit.
Session pickup is disabled by default. You can accept the default setting for session pickup and then chose to enable session pickup after the cluster is operating.
Port Monitor
Enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks.
If a monitored interface fails or is disconnected from its network the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit.
Port monitoring is disabled by default. Leave port monitoring disabled until the cluster is operating and then only enable port monitoring for connected interfaces.
Heartbeat
Interface
Enable or disable HA heartbeat communication for each interface in the cluster and set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface that is highest in the interface list processes all heartbeat traffic.
The default heartbeat interface configuration is different for each
FortiGate but usually sets the priority of two heartbeat interfaces to 50.
You can accept the default heartbeat interface configuration if one or both of the default heartbeat interfaces are connected.
The heartbeat interface priority range is 0 to 512. The default priority when you select a new heartbeat interface is 0.
You must select at least one heartbeat interface. If heartbeat communication is interrupted the cluster stops processing traffic. For more information about configuring heartbeat interfaces see the
FortiGate HA Guide
.
If you are configuring virtual clustering you can select the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1. For more information about configuring VDOM partitioning see the
FortiGate
HA Guide
.
Cluster members list
Display the cluster members list to view the status of an operating cluster and the status of the FortiGate units in the cluster. To display the cluster members list, log into an operating cluster and go to System > Config > HA.
122
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Figure 64: Example FortiGate-5001SX cluster members list
Up and Down
Arrows
Download Debug Log
Edit
Disconnect from Cluster
HA
If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster.
To display the virtual cluster members list for an operating cluster log in as the global admin administrator and go to System > Config > HA.
Figure 65: Example FortiGate-5001SX virtual cluster members list
Up and Down
Arrows
Download Debug Log
Edit
Disconnect from Cluster
View HA Statistics
Display the serial number, status, and monitor information for each
cluster unit. See “Viewing HA statistics” on page 125
.
Up and down arrows Change the order in which cluster members are listed. The operation of the cluster or of the units in the cluster are not affected. All that changes is the order in which cluster units are displayed on the cluster members list.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
123
HA System Config
Cluster member
Hostname
Role
Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected.
Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, how long the unit has been operating (up time), and the interfaces that are configured for port monitoring.
The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
•
To change the primary unit host name, go to System > Status and select Change beside the current host name.
•
To change a subordinate unit host name, from the cluster members list select the edit icon for a subordinate unit.
The status or role of the cluster unit in the cluster.
•
Role is MASTER for the primary (or master) unit
Priority
•
Role is SLAVE for all subordinate (or backup) cluster units
The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect a selected cluster unit from the cluster. See
“Disconnecting a cluster unit from a cluster” on page 126
.
Disconnect from cluster
Edit
Select Edit to change a cluster unit HA configuration.
•
For a primary unit, select Edit to change the cluster HA configuration. You can also change the device priority of the primary unit.
•
For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration. You can also change the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit.
•
For a subordinate unit, select Edit to change the subordinate
•
For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name. In addition you can change the device priority for the subordinate unit for the selected virtual cluster. See
“Changing subordinate unit host name and device priority” on page 126
.
Download debug log Download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support
( http://support.fortinet.com
) to help diagnose problems with the cluster or with individual cluster units.
124
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Viewing HA statistics
From the cluster members list you can select View HA statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.
Figure 66: Example HA statistics (active-passive cluster)
HA
Refresh every
Select to control how often the web-based manager updates the HA statistics display.
Back to HA monitor Close the HA statistics list and return to the cluster members list.
Unit
Status
The host name and serial number of the cluster unit.
Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time
The time in days, hours, minutes, and seconds since the cluster unit was last started.
Monitor
CPU Usage
Memory Usage
Active Sessions
Total Packets
Displays system status information for each cluster unit.
The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
The number of communications sessions being processed by the cluster unit.
The number of packets that have been processed by the cluster unit since it last started up.
The number of viruses detected by the cluster unit.
Virus Detected
Network Utilization The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes
The number of bytes that have been processed by the cluster unit since it last started up.
Intrusion Detected The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
125
HA System Config
Changing subordinate unit host name and device priority
To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select
Edit for any slave (subordinate) unit in the cluster members list.
To change the host name and device priority of a subordinate unit in an operating cluster with virtual domains enabled, log in as the global admin administrator and go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this subordinate unit. These changes only affect the configuration of the subordinate unit.
Figure 67: Changing the subordinate unit host name and device priority
Peer
View and optionally change the subordinate unit host name.
Priority
View and optionally change the subordinate unit device priority.
The device priority is not synchronized among cluster members. In a functioning cluster you can change device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit.
The device priority range is 0 to 255. The default device priority is 128.
Disconnecting a cluster unit from a cluster
You can go to System > Config > HA and select a Disconnect from cluster icon to disconnect a cluster unit from a functioning cluster without disrupting the operation of the cluster. You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for another purpose, such as to act as a standalone firewall.
Figure 68: Disconnect a cluster member
126
Serial Number Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface
Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface.
IP/Netmask
Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected
FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, or FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager is a computer running an application that can read the incoming traps from the agent and track the information. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or
VLAN subinterface configured for SNMP management access.
Note: Part of configuring an SNMP manager is to list it as a host in a community on the
FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query it.
The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant
SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive
FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinetsupported standard MIBs into your SNMP manager.
RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most
of RFC 1213 (MIB II) (for more information, see “Fortinet MIBs” on page 130 .
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 69: Configuring SNMP
SNMP
SNMP Agent
Description
Location
Contact
Apply
Create New
Communities
Name
Enable the FortiGate SNMP agent.
Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Enter the contact information for the person responsible for this
FortiGate unit. The contact information can be up to 35 characters.
Save changes made to the description, location, and contact information.
Select Create New to add a new SNMP community.
See “Configuring an SNMP community” on page 128 .
The list of SNMP communities added to the FortiGate configuration.
You can add up to 3 communities.
The name of the SNMP community.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
127
SNMP System Config
Queries
Traps
The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable
Delete icon
Select Enable to activate an SNMP community.
Select Delete to remove an SNMP community.
Edit/View icon Select to view or modify an SNMP community.
Configuring an SNMP community
An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the
FortiGate unit to view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.
Figure 70: SNMP community options (part 1)
128
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Figure 71: SNMP community options (part 2)
SNMP
1
2
Community Name
Enter a name to identify the SNMP community.
Hosts
Enter the IP address and Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
IP Address
Interface
Delete
Add
The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 to so that any SNMP manager can use this
SNMP community.
Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the
FortiGate unit. This can occur if the SNMP manager is on the
Internet or behind a router.
Select a Delete icon to remove an SNMP manager.
Queries
Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a single community.
Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Traps
SNMP Event
Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the
Enable check box to activate traps for each SNMP version.
Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.
“Temperature too high” and “Voltage out of range” event traps are available only on FortiGate 5001.
To configure an interface for SNMP access
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.
Go to System > Network > Interface.
Choose an interface that an SNMP manager connects to and select Edit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
129
SNMP System Config
1
2
3
4
3
In Administrative Access, select SNMP.
Select OK.
To configure SNMP access in Transparent mode
Go to System > Config > Operation Mode.
Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
Select Apply.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard
RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of
RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to
FortiGate unit configuration.
The FortiGate MIB is listed in Table 8 along with the two RFC MIBs. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager.
Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
Table 8: Fortinet MIBs
MIB file name or RFC Description fortinet.3.00.mib
The proprietary Fortinet MIB includes detailed FortiGate system configuration information and trap information. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate
SNMP agent. See “FortiGate traps” on page 131
RFC-1213 (MIB II)
The FortiGate SNMP agent supports MIB II groups with the following exceptions.
•
No support for the EGP group from MIB II (RFC 1213, section
3.11 and 6.10).
•
Protocol statistics returned for MIB II groups
(IP/ICMP/TCP/UDP/etc.) do not accurately capture all
FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernetlike MIB)
The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception.
No support for the dot3Tests and dot3Errors groups.
130
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
FortiGate traps
The FortiGate agent can send traps to SNMP managers that you have added to
SNMP communities. To receive traps, you must load and compile the Fortinet 3.0
MIB into the SNMP manager.
All traps include the trap message as well as the FortiGate unit serial number and hostname.
Table 9: Generic FortiGate traps
Trap message
ColdStart
WarmStart
LinkUp
LinkDown
Description
Standard traps as described in RFC 1215.
Table 10: FortiGate system traps
Trap message
CPU usage high
(fnTrapCpuHigh)
Memory low
(fnTrapMemLow)
Interface IP change
(fnTrapIfChange)
Description
CPU usage exceeds 90%. This threshold can be set in the
CLI using config system global.
Memory usage exceeds 90%. This threshold can be set in the CLI using config system global.
Change of IP address on a FortiGate interface. The trap message includes the name of the interface, the new IP address and the serial number of the FortiGate unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or
PPPoE.
Temperature too high
(fnTrapTempHigh)
Voltage out of range
(fnTrapVoltageOutOfRange)
(fnFMTrapIfChange)
(fnFMTrapConfChange)
Hardware sensor detects high temperature.
This is available only for FortiGate 5001.
Hardware sensor detects abnormal power levels.
This is available only for FortiGate 5001.
No message. Interface changes IP. Only sent to monitoring
FortiManager.
Any configuration changes made to FortiGate unit, excluding any changes made by a connected FortiManager unit.
Table 11: FortiGate VPN traps
Trap message
VPN tunnel is up
(fnTrapVpnTunUp)
VPN tunnel down
(fnTrapVpnTunDown)
Description
An IPSec VPN tunnel started.
An IPSec VPN tunnel shuts down.
SNMP
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
131
SNMP
132
System Config
Table 12: FortiGate IPS traps
Trap message
IPS Anomaly fnTrapIpsAnomaly
IPS Signature fnTrapIpsSignature)
Description
IPS anomaly detected.
IPS signature detected.
Table 13: FortiGate antivirus traps
Trap message Description
Virus detected
(fnTrapAvEvent)
Filename block detected
(fnTrapAvPattern)
The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message.
Oversize file/email detected
(fnTrapAvOversize)
The FortiGate unit antivirus scanner detects an oversized file.
The FortiGate unit antivirus scanner blocks a file matching a pattern.
Fragmented email detected
(fnTrapAvFragmented)
The FortiGate unit antivirus scanner detects a fragmented file or attachment.
Table 14: FortiGate logging traps
Trap message
Log full
(fnTrapLogFull)
Description
On a FortiGate unit with a hard drive, hard drive usage exceeds
90%. On a FortiGate unit without a hard drive, log to memory usage exceeds 90%.
This threshold can be set in the CLI using config system global
.
Table 15: FortiGate HA traps
Trap message
HA switch
(fnTrapHaSwitch)
HA Heartbeat Failure
(fnTrapHaHBFail)
Description
The primary unit in an HA cluster fails and is replaced with a new primary unit.
HA monitored interface fails heartbeat.
Table 16: FortiBridge traps
Trap message
FortiBridge detects fail
(fnTrapBridge)
Description
A FortiBridge unit detects a FortiGate unit failure.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Fortinet MIB fields
The Fortinet MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Table 17: System MIB fields
MIB field fnSysModel fnSysSerial
Description
FortiGate model number, for example, 400 for the FortiGate-400.
FortiGate unit serial number.
fnSysVersion fnSysVersionAv
The firmware version currently running on the FortiGate unit.
The antivirus definition version installed on the FortiGate unit.
fnSysVersionNids
The attack definition version installed on the FortiGate unit.
fnSysHaMode
The current High-Availability (HA) mode (standalone, A-A, A-P)
fnSysOpMode fnSysCpuUsage
The FortiGate unit operation mode (NAT or Transparent).
The current CPU usage (as a percent).
fnSysMemUsage
The current memory utilization (in MB).
fnSysDiskCapacity The hard disk capacity (MB)
fnSysDiskUsage fnSysSesCount
The current hard disk usage (MB)
The current IP session count.
Table 18: HA MIB fields
MIB field Description fnHaSchedule
Load balancing schedule for A-A mode.
fnHaStatsTable
Statistics for the individual FortiGate unit in the HA cluster.
fnHaStatsIndex fnHaStatsSerial
The index number of the unit in the cluster.
The FortiGate unit serial number.
fnHaStatsCpuUsage
The current FortiGate unit CPU usage (%).
fnHaStatsMemUsage
The current unit memory usage (MB).
fnHaStatsNetUsage fnHaStatsSesCount fnHaStatsPktCount fnHaStatsByteCount fnHaStatsIdsCount fnHaStatsAvCount
The current unit network utilization (Kbps).
The number of active sessions.
The number of packets processed.
The number of bytes processed by the
FortiGate unit
The number of attacks that the IPS detected in the last 20 hours.
The number of viruses that the antivirus system detected in the last 20 hours.
SNMP
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
133
SNMP
134
System Config
Table 19: Administrator accounts
MIB field Description fnAdminNumber
The number of administrators on the FortiGate unit.
fnAdminTable
Table of administrators.
fnAdminIndex fnAdminName fnAdminAddr fnAdminMask
Administrator account index number.
The user name of the administrator account.
An address of a trusted host or subnet from which this administrator account can be used.
The netmask for fnAdminAddr.
Table 20: Local users
MIB field Description fnUserNumber
The number of local user accounts on the FortiGate unit.
fnUserTable
Table of local users.
fnUserIndex
Local user account index number.
fnUserName fnUserAuth fnUserState
The user name of the local user account.
The authentication type for the local user:
local - a password stored on the FortiGate unit
radius-single - a password stored on a RADIUS server
radius-multiple - any user who can authenticate on the RADIUS server can log on
ldap - a password stored on an LDAP server
Whether the local user is enabled or disabled.
Table 21: Options
MIB field fnOptIdleTimeout
Description
The idle period in minutes after which the administrator must reauthenticate.
fnOptAuthTimeout
The idle period in minutes after which a user must re-authenticate with the firewall.
fnOptLanguage
The web-based manager language.
fnOptLcdProtection
Whether an LCD PIN has been set.
Table 22: Logging
MIB field fnLogOption
Description
Logging preferences.
Table 23: Custom messages
MIB field fnMessages
Description
The number of custom messages on the FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Table 24: Virtual domains
MIB field fnVdNumber fnVdTable
Description
The number of virtual domains on the FortiGate unit.
Table of virtual domains.
fnVdIndex
Internal virtual domain index number on the FortiGate unit.
fnVdName
The name of the virtual domain.
Table 25: Active IP sessions
MIB field fnIpSessIndex
Description
The index number of the active IP session.
fnIpSessProto
The IP protocol (TCP, UDP, ICMP, etc.) of the session.
fnIpSessFromAddr
The source IP address of the active IP session.
fnIpSessFromPort fnIpSessToPort fnIpSessToAddr fnIpSessExp
The source port of the active IP session.
The destination IP address of the active IP session.
The destination port of the active IP session.
The expiry time or time-to-live in seconds for the session.
Table 26: Dialup VPNs
MIB field fnVpnDialupIndex fnVpnDialupGateway fnVpnDialupLifetime fnVpnDialupTimeout fnVpnDialupSrcBegin fnVpnDialupSrcEnd fnVpnDialupDstAddr
Description
The index of the dialup VPN peer.
The remote gateway IP address.
VPN tunnel lifetime in seconds.
Time remaining until the next key exchange (seconds).
Remote subnet address.
Remote subnet mask.
Local subnet address.
SNMP
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
135
Replacement messages System Config
Table 27: VPN Tunnels
MIB field fnVpnTunEntIndex fnVpnTunEntPhase1Name fnVpnTunEntPhase2Name fnVpnTunEntRemGwyIp fnVpnTunEntRemGwyPort fnVpnTunEntLocGwyIp
Description
The unique index of the VPN tunnel.
The descriptive name of the Phase1 configuration.
The descriptive name of the Phase2 configuration.
The IP of the remote gateway.
The port of the remote gateway.
The IP of the local gateway.
fnVpnTunEntLocGwyPort
The port of the local gateway.
fnVpnTunEntSelectorSrcBeginIp
Beginning of the address range of a source selector.
fnVpnTunEntSelectorSrcEndIp
Ending of the address range of a source selector.
fnVpnTunEntSelectorSrcPort fnVpnTunEntSelectorDstEndIp
Source selector port
fnVpnTunEntSelectorDstBeginIp
Beginning of the address range of a destination selector
Ending of the address range of a destination selector.
fnVpnTunEntSelectorDstPort
Destination selector port.
fnVpnTunEntSelectorProto fnVpnTunEntSelectorLifeSecs fnVpnTunEntSelectorLifeBytes fnVpnTunEntTimeout fnVpnTunEntInOctets fnVpnTunEntOutOctets fnVpnTunEntStatus
Protocol number for the selector.
Lifetime of the tunnel in seconds.
Lifetime of the tunnel in bytes.
Timeout of the tunnel in seconds.
Number of bytes received on the tunnel.
Number of bytes sent out on the tunnel.
Current status of the tunnel - either up or down.
Replacement messages
Go to System > Config > Replacement Messages to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams.
For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering.
Note: Disclaimer replacement messages provided by Fortinet are examples only.
136
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config
Replacement messages list
Figure 72: Replacement messages list
Replacement messages
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate an HTTP traffic first in order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.
Name
The type of replacement message. Select the blue triangle to expand or collapse the category. You can change messages added to
•
email with virus-infected attachments
•
web pages (http)
•
ftp sessions
•
alert mail messages
•
smtp email blocked as spam
•
web pages blocked by web filter category blocking
•
instant messaging and peer-to-peer sessions
Also, you can modify
•
the login page and rejected login page for user authentication
•
disclaimer messages for user and administrator authentication (some models)
•
keep alive page for authentication
•
the FortiGuard web filtering block override page
•
the login page for the SSL-VPN
Description
Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiGate unit.
Edit or view icon
Select to edit or view a replacement message.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
137
Replacement messages
Changing replacement messages
Figure 73: Sample HTTP virus replacement message
System Config
138
Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. Allowed Formats shows you which format to use in the replacement message. There is a limitation of 8192 characters for each replacement message.
In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 28 lists the replacement message tags that you can add.
Table 28: Replacement message tags
Tag
%%AUTH_LOGOUT%%
Description
The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%%
The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%
%%DEST_IP%%
The name of the content category of the web site.
The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of web page that sent the virus.
%%EMAIL_FROM%%
%%EMAIL_TO%%
The email address of the sender of the message from which the file was removed.
The email address of the intended receiver of the message from which the file was removed.
%%FAILED_MESSAGE%%
The failed to login message displayed on the auth-login-failed page.
%%FILE%%
The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%
The FortiGuard - Web Filtering logo.
%%FORTINET%%
The Fortinet logo.
%%HTTP_ERR_CODE%%
The HTTP error code. “404” for example.
%%HTTP_ERR_DESC%%
The HTTP error description.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config Replacement messages
Table 28: Replacement message tags (Continued)
Tag
%%KEEPALIVEURL%%
%%NIDSEVENT%%
%%OVERRIDE%%
%%OVRD_FORM%%
%%PROTOCOL%%
%%QUARFILENAME%%
%%QUESTION%%
%%SERVICE%%
%%SOURCE_IP%%
%%TIMEOUT%%
%%URL%%
%%VIRUS%%
Description
auth-keepalive-page automatically connects to this URL every
%%TIMEOUT%% seconds to renew the connection policy.
The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking.
%%QUARFILENAME%%
can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
Authentication challenge question on auth-challenge page.
Prompt to enter username and password on auth-login page.
The name of the web filtering service.
The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.
Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the
URL of the web page from which a user attempted to download a file that is blocked.
The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages
Changing the authentication login page
Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. You can customize this page in the same way as you modify other replacement messages, but there are some unique requirements:
• The login page must be an HTML page containing a form with ACTION="/" and
METHOD="POST"
• The form must contain the following hidden controls:
• <INPUT TYPE="hidden" NAME="%%MAGICID%%"
VALUE="%%MAGICVAL%%">
• <INPUT TYPE="hidden" NAME="%%STATEID%%"
VALUE="%%STATEVAL%%">
• <INPUT TYPE="hidden" NAME="%%REDIRID%%"
VALUE="%%PROTURI%%">
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
139
Replacement messages
140
System Config
• The form must contain the following visible controls:
• <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
• <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
Example
The following is an example of a simple authentication page that meets the requirements listed above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%"
TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text">
</TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%"
TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Changing the FortiGuard web filtering block override page
The %%OVRD_FORM%% tag provides the form used to initiate an override if
FortiGuard - Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.
Changing the SSL-VPN login message
The SSL VPN login message presents a web page through which users log in to the SSL-VPN web portal. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.
• The login page must be an HTML page containing a form with
ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"
• The form must contain the %%SSL_LOGIN%% tag to provide the login form.
• The form must contain the %%SSL_HIDDEN%% tag.
Changing the authentication disclaimer page
The Authentication Disclaimer page, available on some models, makes a statement about usage policy to which the user must agree before the FortiGate unit permits access. You enable the disclaimer in the firewall policy. See User
Authentication Disclaimer in
“Firewall policy options” on page 219 . You should
change only the disclaimer text itself, not the HTML form code.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Config Operation mode and VDOM management access
Operation mode and VDOM management access
You can change the operation mode of each VDOM independently of other
VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs.
Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.
Changing operation mode
You can set the operating mode for your VDOM and perform sufficient network configuration to ensure that you can connect to the web-based manager in the new mode.
1
2
To switch from NAT/Route to Transparent mode
Go to System > Config > Operation Mode or select Change beside Operation
Mode on the System Status page for the virtual domain.
From the Operation Mode list, select Transparent.
3
Enter the following information and select Apply.
Management IP/Netmask
Default Gateway
Asymmetric Routing
Enter the management IP address and netmask.
This must be a valid IP address for the network from which you want to manage the FortiGate unit.
Enter the default gateway required to reach other networks from the FortiGate unit.
Select to allow asymmetric routing.
1
2
To switch from Transparent to NAT/Route mode
Go to System > Config > Operation Mode or select Change beside Operation
Mode on the System Status page for the virtual domain.
From the Operation Mode list, select NAT.
3
Enter the following information and select Apply.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
141
Operation mode and VDOM management access System Config
Interface IP/Netmask
Device
Default Gateway
Gateway Device
Asymmetric Routing
Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
Select the interface to which the Interface IP/Netmask settings apply.
Enter the default gateway required to reach other networks from the FortiGate unit.
Select the interface to which the default gateway is connected.
Select to allow asymmetric routing.
Management access
. In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to
the FDN for virus and attack updates (see “FortiGuard Center” on page 161
).
The system administrator (admin) can access all VDOMs, and create regular administrator accounts. A regular administrator account can access only the
VDOM to which it belongs. The management computer must connect to an interface in that VDOM. It does not matter to which VDOM the interface belongs.
In both cases, the management computer must connect to an interface that permits management access and its IP address must be on the same network.
Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred as they are more secure.
You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the
FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the
Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or
SSH.
• Use Trusted Hosts to limit where the remote access can originate from.
• Do not change the system idle timeout from the default value of 5 minutes (see
142
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin Administrators
System Admin
This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. In its factory default configuration, the unit has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration.
Note: Always end your FortiGate session by logging out, in the CLI or the GUI. If you do not, the session remains open.
This section includes the following topics:
•
•
•
•
•
Administrators
There are two levels of administrator accounts:
• regular administrator - an administrator with any access profile other than super_admin
• system administrator - includes the original system administrator ‘admin’, and any other administrators assigned to the super_admin profile
A regular administrator account has access to configuration options as determined by its access profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which
options are global and which are per-VDOM, see “VDOM configuration settings” on page 62
and “Global configuration settings” on page 63
.
Any administrator assigned to the super_admin access profile, as well as the default administrator account ‘admin’, has full access to the FortiGate unit configuration. In addition, they can:
• enable VDOM configuration
• create VDOMs
• configure VDOMs
• assign regular administrators to VDOMs
• configure global options
You cannot restrict or modify the privileges of the original ‘admin’ administrator.
You cannot delete the ‘admin’ account, but you can rename it, define trusted hosts for it, and change its password. By default, ‘admin’ has no password.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
143
Administrators System Admin
You can authenticate an administrator using a password stored on the FortiGate unit or on a RADIUS server. Optionally, you can store all administrator accounts on a RADIUS server, except for the default ‘admin’ account. RADIUS-based accounts on the same RADIUS server share the same access profile.
Configuring RADIUS authentication for administrators
If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the FortiGate unit to access the RADIUS server
• create a user group with the RADIUS server as its only member
The following procedures assume that there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server.
5
6
7
3
4
1
2
1
2
3
4
To configure the FortiGate unit to access the RADIUS server
Go to User > RADIUS.
Select Create New.
Enter the following information:
Name
A name for the RADIUS server. You use this name when you create the user group.
Server Name/IP
The domain name or IP address of the RADIUS server.
Server Secret
The RADIUS server secret. The RADIUS server administrator can provide this information.
Select OK.
To create the administrator user group
Go to User > User Group.
Select Create New.
In the Group Name field, type a name for the administrator group.
In the Available Users list, select the RADIUS server name.
Select the green right arrow to move the name to the Members list.
Select any protection profile.
Select OK.
Viewing the administrators list
Use the default ‘admin’ account, an account with the super_admin access profile, or an administrator with Access Control Read Write to add new administrator accounts and control their permission levels. Go to System > Admin >
Administrators.
Unless your administrator account has the super_admin access profile, the
Administrators list shows only the administrators for the current virtual domain.
144
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin Administrators
Figure 74: Administrators list
1
2
3
4
Create New
Name
Trusted hosts
Add an administrator account.
The login name for an administrator account.
The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see
“Using trusted hosts” on page 148
.
The access profile for the administrator.
Profile
Type
The type of authentication for this administrator, one of:
Local - a local password
RADIUS - authentication of a specific account on a RADIUS server
RADIUS+Wildcard - authentication of any account on a RADIUS server.
Delete icon
Delete the administrator account.
You cannot delete the original ‘admin’ administrator account.
Edit or View icon
Edit or view the administrator account.
Change Password
Change the password for the administrator account.
icon
To change an administrator password
Go to System > Admin > Administrators.
Select the Change Password icon next to the administrator account you want to change the password for.
Enter and confirm the new password.
Select OK.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
145
Administrators System Admin
Configuring an administrator account
Use the default ‘admin’ account, an account with the super_admin access profile, or an administrator with Access Control Read Write to create a new administrator.
Go to System > Admin > Administrators and select Create New.
Figure 75: Administrator account configuration - local authentication
Figure 76: Administrator account configuration - RADIUS authentication
146
Figure 77: Administrator account configuration - PKI authentication
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin Administrators
1
2
3
Administrator
Enter the login name for the administrator account.
RADIUS
Select to authenticate the administrator using a RADIUS server.
RADIUS authentication for administrators must be configured first. See
“Configuring RADIUS authentication for administrators” on page 144
.
User Group
Wildcard
If you are using RADIUS authentication, select the administrator user group that has the appropriate RADIUS server as a member.
Select to allow all accounts on the RADIUS server to be administrators.
This is available only if RADIUS is selected.
PKI
User Group
Password
Confirm
Password
Select to enable certificate-based authentication for the administrator.
Note: Only one configured administrator can have the PKI option enabled at all times.
If you are using PKI certificate-based authentication, select the administrator user group that includes the PKI (peer) users as members of the User Group.
Enter a password for the administrator account. For improved security, the password should be at least 6 characters long.
If RADIUS is enabled, the FortiGate unit attempts RADIUS authentication first, and if that fails, it attempts password authentication.
This is not available if Wildcard is selected. Not available when PKI authentication is selected.
Type the password for the administrator account a second time to confirm that you have typed it correctly.
This is not available if Wildcard is selected. Not available when PKI authentication is selected.
Trusted Host #1
Trusted Host #2
Trusted Host #3
Optionally, type the trusted host IP address and netmask that administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0.
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see
“Using trusted hosts” on page 148
.
Access Profile Select the access profile for the administrator. The pre-configured super_admin profile provides full access to the FortiGate unit. You can also select Create New to create a new access profile. For more information on access profiles, see
“Configuring an access profile” on page 152 .
To configure an administrator account
Go to System > Admin > Administrators.
Select Create New to add an administrator account or select the Edit icon to make changes to an existing administrator account.
In the Administrator field, type a login name for the administrator account.
If you are using RADIUS authentication for this administrator but not using the wildcard option, the administrator name must match an account on the RADIUS server.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
147
Access profiles System Admin
4
5
6
7
8
Select the type of authentication:
If you are using RADIUS authentication for this administrator:
• Select RADIUS.
• Select Wildcard if you want all accounts on the RADIUS server to be administrators of this FortiGate unit.
• Select the administrators user group from the User Group list.
If you are using PKI certificate-based authentication for this administrator:
• Select PKI.
• Select the administrators user group from the User Group list.
Type and confirm the password for the administrator account.
This step does not apply if you are using RADIUS Wildcard or PKI certificatebased authentication.
Optionally, type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.
Select the access profile for the administrator.
Select OK.
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through telnet or SSH. CLI access through the console connector is not affected.
The trusted host addresses all default to 0.0.0.0/0. If you set one of the 0.0.0.0/0 addresses to a non-zero address, the other 0.0.0.0/0 will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0. However, this is an unsecure configuration.
Access profiles
Each administrator account belongs to an access profile. The access profile separates FortiGate features into access control categories for which you can enable read and/or write access. The following table lists the web-based manager pages to which each category provides access:
148
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin Access profiles
Table 29: Access profile control of access to Web-based manager pages
Access control
Admin Users
Antivirus Configuration
Auth Users
Firewall Configuration
FortiGuard Update
IPS Configuration
Log & Report
Maintenance
Network Configuration
Router Configuration
Spamfilter Configuration
System Configuration
VPN Configuration
Webfilter Configuration
Affected web-based manager pages
System > Admin
System > Admin > FortiManager
System > Admin > Settings
AntiVirus
User
Firewall
System > Maintenance > FortiGuard Center
Intrusion Protection
Log & Report
System > Maintenance
System > Network > Interface
System > Network > Zone
System > DHCP
Router
AntiSpam
System > Status, including Session info
System > Config
System > Hostname
System > Network > Options
System > Admin > FortiManager
System > Admin > Settings
System > Status > System Time
VPN
Web Filter
Read access enables the administrator to view the web-based manager page.
The administrator needs write access to change the settings on the page.
You can now expand the firewall configuration access control to enable more granular control of access to the firewall functionality. You can control administrator access to policy, address, service, schedule, profile, and other (VIP) configurations.
Note: When Virtual Domain Configuration is enabled (see
“Settings” on page 153 ), only the
administrators with the access profile super_admin have access to global settings. When
Virtual Domain Configuration is enabled, other administrator accounts are assigned to one
VDOM and cannot access global configuration options or the configuration for any other
VDOM.
For information about which settings are global, see
“VDOM configuration settings” on page 62 .
The access profile has a similar effect on administrator access to CLI commands.
The following table shows which command types are available in each access control category. You can access “get” and “show” commands with read access.
Access to “config” commands requires write access.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
149
Access profiles System Admin
Table 30: Access profile control of access to CLI commands
Access control
Admin Users (admingrp)
Antivirus Configuration (avgrp)
Auth Users (authgrp)
Firewall Configuration (fwgrp)
FortiProtect Update (updategrp)
IPS Configuration (ipsgrp)
Log & Report (loggrp)
Maintenance (mntgrp)
Network Configuration (netgrp)
Router Configuration (routegrp)
Available CLI commands
system admin system accprofile antivirus user firewall
Use the set fwgrp custom, config fwgrp-permission commands to set some firewall permissions individually. Selections can be made for policy, address, service, schedule, profile, and other (VIP) configurations. For more information, see
FortiGate CLI Reference
.
system autoupdate execute update-av execute update-ips execute update-now ips alertemail log system fortianalyzer execute log execute formatlogdisk execute restore execute backup execute batch execute usb-disk system arp-table system dhcp system interface system zone execute dhcp lease-clear execute dhcp lease-list execute clear system arp table execute interface router execute router execute mrouter
150
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin Access profiles
Table 30: Access profile control of access to CLI commands
Spamfilter Configuration (spamgrp)
spamfilter
System Configuration (sysgrp)
system except accprofile, admin, arptable, autoupdate, fortianalyzer, interface, and zone execute date execute ha execute ping execute ping-options execute ping6 execute time execute traceroute execute cfg execute factoryreset execute reboot execute shutdown execute deploy execute set-next-reboot execute ssh execute telnet execute disconnect-admin-session execute usb
VPN Configuration (vpngrp)
vpn execute vpn
Webfilter Configuration (webgrp)
webfilter
Go to System > Admin > Access Profile to add access profiles for FortiGate administrators. Each administrator account belongs to an access profile. You can create access profiles that deny access to, allow read-only, or allow both read- and write-access to FortiGate features.
When an administrator has read-only access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display only the
View ( ) icon instead of icons for Edit, Delete or other modification commands.
Viewing the access profiles list
Use the admin account or an account with Admin Users read and write access to create or edit access profiles. Go to System > Admin > Access Profile.
Figure 78: Access profile list
Create New
Add a new access profile.
Profile Name
The name of the access profile.
Delete icon
Edit icon
Select to delete the access profile.
You cannot delete an access profile that has administrators assigned to it.
Select to modify the access profile.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
151
Access profiles System Admin
Configuring an access profile
Use the admin account or an account with Admin Users read and write access to edit an access profile. Go to System > Admin > Access Profile and select
Create New.
Figure 79: Access profile option
152
Profile Name
Access Control
None
Read
Read Write
Access Control categories
Enter the name of the access profile.
Access Control lists the items to which the access profile controls access.
Select None to disable access to all Access Control categories.
Select Read to select Read access in all Access Control categories.
Select Read Write to select Read and Write access in all Access
Control categories.
Select Read and/or Read/Write access for Access Control categories as required. For detailed information about the access control categories, see
“Access profiles” on page 148 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin FortiManager
FortiManager
Go to System > Admin > FortiManager to configure the FortiGate unit to be managed through a FortiManager server. Communication between the FortiGate unit and the FortiManager server is via an IPSec VPN that is invisibly pre-configured on the FortiGate unit.
Figure 80: FortiManager configuration
Settings
Enable
ID
IP
Enable secure IPSec VPN communication between the FortiGate unit and a FortiManager Server. Otherwise, communication is nonsecured.
Enter the serial number of the FortiManager Server.
Enter the IP Address of the FortiManager Server.
Go to System > Admin > Settings to set the following options:
• Ports for HTTP and HTTPS administrative access
• The idle timeout setting
• The language of the web-based manager
• PIN protection for LCD and control buttons (LCD-equipped models only)
Figure 81: Administrators Settings
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
153
Monitoring administrators System Admin
Web Administration Ports
HTTP
HTTPS
Telnet Port
SSH Port
Enter the TCP port to be used for administrative HTTP access. The default is 80.
Enter the TCP port to be used for administrative HTTPS access. The default is 443.
Enter the telnet port to be used for administrative access.
The default is 23.
Enter the SSH port to be used for administrative access.
The default is 22.
Select to enable compatibility with SSH v1 in addition to v2. (Optional)
Enable v1 compatibility
Timeout Settings
Idle Timeout
Enter the number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Language
Web Administration
Select a language for the web-based manager to use.
Choose from English, Simplified Chinese, Traditional
Chinese, Japanese, Korean, or French.
Note: You should select the language that the management computer operating system uses.
LCD Panel (LCD-equipped models only)
PIN Protection
Enable SCP
Select the PIN Protection check box and type a 6-digit
PIN.
Administrators must enter the PIN to use the control buttons and LCD.
Enable if you want users logged in through the SSH to be able to use the SCP to copy the configuration file.
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under
System Information, you will see Current Administrators. Click on Details to view information about the administrators currently logged in to the FortiGate unit.
Figure 82: System Information > Current Administrators
154
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Admin
Figure 83: Administrators logged in monitor window
Monitoring administrators
Disconnect
Refresh
Close check box
User Name
Type
From
Time
Select to disconnect the selected administrators. This is available only if your access profile gives you System Configuration write permission.
Select to update the list.
Select to close the window.
Select and then select Disconnect to log off this administrator. This is available only if your access profile gives you System Configuration write access. Note: You cannot log off the default ‘admin’ user.
The administrator account name.
The type of access: WEB or CLI.
If Type is WEB, the value in From is the administrator’s IP address.
If Type is CLI, the value in From is “ssh” or “telnet” and either the administrator’s IP address or “console”.
The date and time that the administrator logged on.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
155
Monitoring administrators System Admin
156
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance Backup and restore
System Maintenance
This section describes how to back up and restore your system configuration and how to configure automatic updates from the FortiGuard Distribution Network.
This section includes the following topics:
•
•
•
Backup and restore
Go to System > Maintenance > Backup & Restore to back up and restore the system configuration and to manage firmware.
You can back up the system configuration, including web content files and spam filtering files, to the management computer or to a USB disk on models that support the USB disk. You can also restore the system configuration from previously downloaded backup files.
If you want the backup file to include VPN certificates, you must enable encryption of the backup file.
When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it. A backup of the system configuration from the super admin account contains global settings and the settings for each VDOM. Only the super admin can restore the configuration from this file. When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the
VDOM to which the regular administrator belongs. Only a regular administrator account can restore the configuration from this file.
Note: If you have a FortiGate model numbered less than 100, the Firmware section of the
Maintenance screen will not be displayed. In this situation you can change your firmware version by going to System > Status and selecting Update for Firmware Version.
Some FortiGate models support FortiClient by storing a FortiClient image that users can download. The FortiClient section of Backup and Restore is available only if your FortiGate model supports FortiClient.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
157
Backup and restore
Figure 84: Backup and restore options
System Maintenance
Figure 85: Backup and Restore
158
Last Backup
Backup
Backup configuration to:
Filename
The date and time of the last backup to local PC.
Backing up to USB does not save the time of backup.
Back up the current configuration.
Select Local PC or USB Disk to store the configuration file. You can select USB Disk only if the disk is connected to the FortiGate unit.
If you selected USB Disk, enter a name for the backup file.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance Backup and restore
Restore
Encrypt configuration file
Backup
Restore configuration from:
Filename
Select to encrypt the backup file. Enter a password in the
Password field and enter it again in the Confirm field. You will need this password to restore the file.
To backup VPN certificates, encryption must be enabled on the backup file.
Back up the configuration.
Restore the configuration from a file.
Select Local PC or USB Disk as the location of the configuration file. You can select USB Disk only if the disk is connected to the FortiGate unit.
Password
Restore
Select the configuration file name from the list if you are restoring the configuration from a USB disk.
Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management. computer.
Enter the password if the backup file is encrypted.
Restore the configuration from the selected file.
Figure 86: Firmware
Partition
Active
Last Upgrade
Firmware
Version
Boot alternate firmware
A partition can contain one version of the firmware and the system configuration. FortiGate models numbered 100 and higher have two partitions. One partition is active and the other is a backup.
A green check mark indicates which partition contains the firmware and configuration currently in use.
The date and time of the last update to this partition.
The version and build number of the FortiGate firmware. On the backup partition, you can:
•
Select Upload to replace with firmware from the management computer or a USB disk.
•
Select Upload and Reboot to replace the firmware and make this the active partition.
Restart the FortiGate unit using the backup firmware.
This is available only on FortiGate models numbered 100 or higher.
Figure 87: FortiClient
Software Image
The current FortiClient image on this FortiGate unit. Select Upload to upload a new FortiClient image from your management computer.
Antivirus Database The current version of FortiGuard antivirus database on this
FortiGate unit. For more details, see
“Configuring the FortiGate unit for FDN and FortiGuard services” on page 162
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
159
Backup and restore System Maintenance
Antivirus Engine
The current version of FortiGuard antivirus engine on this FortiGate unit. For more details, see
“Configuring the FortiGate unit for FDN and FortiGuard services” on page 162
.
Web Portal Port
Select the port for the web portal where users will be redirected if they are denied access due to FortiClient check options in the firewall policy. Select Save after changing the port number to commit your change.
The default port number is 8009. The port number should only be changed if there is a conflict.
Figure 88: Advanced
160
Advanced (USB Auto-Install)
This section is available only if a USB disk is connected to the FortiGate unit. Select the options as required and restart the FortiGate unit.
If you select both configuration and firmware update, both occur on the same reboot. The FortiGate unit will not reload a firmware or configuration file that is already loaded.
On system restart, automatically update
FortiGate configuration
On system restart, automatically update
FortiGate firmware
Automatically update the configuration on restart. Ensure that the Default configuration file name matches the configuration file name on the USB disk.
Automatically update the firmware on restart. Ensure that the Default image name matches the firmware file name on the USB disk.
Import Bulk CLI Commands
Import URL filter and Spam filter definitions from a text file on the management computer to the FortiGate unit.
Enter the file name and path or use the Browse button and locate the file.
You can create the text file by excerpting the appropriate section of a FortiGate configuration backup file or by typing the appropriate CLI commands.
Download Debug Log
Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance FortiGuard Center
FortiGuard Center
The FortiGuard Center configures your FortiGate unit for the FortiGuard
Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to antivirus and attack definitions. FortiGuard Services provides online IP address black list, URL black list, and other spam filtering tools.
FortiGuard Distribution Network
The FortiGuard Distribution Network (FDN) is a world-wide network of FortiGuard
Distribution Servers (FDSs). The FDN provides updates to antivirus (including grayware) and IPS attack definitions. When the FortiGate unit connects to the
FDN, it connects to the nearest FDS based on the current time zone setting.
The FortiGate unit supports the following update features:
• User-initiated updates from the FDN,
• Hourly, daily, or weekly scheduled antivirus and attack definition updates from the FDN,
• Push updates from the FDN,
• Update status including version numbers, expiry dates, and update dates and times,
• Push updates through a NAT device.
You must register the FortiGate unit on the Fortinet support web page. To register your FortiGate unit, go to Product Registration and follow the instructions.
To receive scheduled updates, the FortiGate unit must be able to connect to the
FDN using HTTPS on port 443. For information about configuring scheduled updates, see
“To enable scheduled updates” on page 167
.
You can also configure the FortiGate unit to receive push updates. For this to succeed, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For information about configuring push updates, see
“To enable push updates” on page 168 .
FortiGuard Services
Worldwide coverage of FortiGuard services are provided by FortiGuard Service
Points. When your FortiGateunit connects to the FDN, it is connecting to the closest FortiGuard Service Point. Fortinet adds new Service Points as required.
By default, the FortiGate unit communicates with the closest Service Point. If the
Service Point becomes unreachable for any reason, the FortiGate unit contacts another Service Point and information is available within seconds. By default, the
FortiGate unit communicates with the Service Point via UDP on port 53.
Alternately, the UDP port used for Service Point communication can be switched to port 8888 by going to System > Maintenance > FortiGuard Center.
If you need to change the default FortiGuard Service Point host name, use the hostname
keyword in the system fortiguard CLI command. You cannot change the FortiGuard Service Point name using the web-based manager.
For detailed information about FortiGuard services, see the FortiGuard Center web page.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
161
FortiGuard Center System Maintenance
FortiGuard-Antispam Service
FortiGuard-Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam.
The URL black list contains URLs of websites found in spam email.
FortiGuard-Antispam processes are completely automated and configured by
Fortinet. With constant monitoring and dynamic updates, FortiGuard-Antispam is always current. Enable or disable FortiGuard-Antispam in firewall protection
profiles. For more information, see “Spam filtering options” on page 277 .
Every FortiGate unit comes with a free 30-day FortiGuard-Antispam trial license.
FortiGuard-Antispam license management is performed by Fortinet servers; there is no need to enter a license number. The FortiGate unit automatically contacts a
FortiGuard-Antispam Service Point when enabling FortiGuard-Antispam. To renew the FortiGuard-Antispam license after the free trial, contact Fortinet
Technical Support.
Enable FortiGuard-Antispam globally in System > Maintenance >
FortiGuard Center and then configure the Spam Filtering options in each firewall protection profile. See
“Spam filtering options” on page 277
.
FortiGuard-Web Service
FortiGuard-Web is a managed web filtering solution provided by Fortinet.
FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard-Web Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface.
Every FortiGate unit comes with a free 30-day FortiGuard-Web Filter trial license.
FortiGuard license management is performed by Fortinet servers. There is no need to enter a license number. The FortiGate unit automatically contacts a
FortiGuard Service Point when enabling FortiGuard category blocking. To renew a
FortiGuard license after the free trial, contact Fortinet Technical Support.
Enable FortiGuard-Web globally in System > Maintenance > FortiGuard Center and then configure the FortiGuard Web Filtering options in each firewall protection profile. See
“FortiGuard-Web filtering options” on page 276
.
Configuring the FortiGate unit for FDN and FortiGuard services
Go to System > Maintenance > FortiGuard Center to configure access to FDN updates and FortiGuard services on the Update Center page.
The three sections of the Update Center are:
•
Support Contract and FortiGuard Subscription Services
•
•
Web Filtering and AntiSpam Options
Support Contract and FortiGuard Subscription Services
The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form on the System Status page. See
“Viewing system status” on page 41 .
162
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance
Figure 89: Support Contract and FortiGuard Subscription Services section
FortiGuard Center
Support Contract
[Register]
The availability or status of your FortiGate unit support contract.
The status displayed can be one of: Unreachable, Not Registered or Valid Contract.
If Valid Contract is shown, the FortiOS version, expiry date of contract, and Support Level are also displayed.
Select to register your FortiGate unit support contract.
This is only displayed when Support Contract is Not Registered.
FortiGuard
Subscription Services
Availability and status information for each of the FortiGuard subscription services including:
•
AntiVirus AV Definitions
•
Intrusion Protection IPS Definitions
•
Web Filtering
•
AntiSpam
Availability
The availability of this service on this FortiGate unit, dependent on your service subscription. The status displayed can be one of:
Unreachable, Not Registered or Valid Contract.
The option to Subscribe will be displayed if Availability is Not
Registered.
The option to Renew will be displayed if Availability is Expired.
Status Icon
Icon shown indicates the status of the subscription service. The icon corresponds to the availability description.
•
grey - Unreachable - FortiGate unit is not able to connect to service
•
yellow - Not Registered - FortiGate unit can connect, but has no support registered for this service
•
yellow - Expired - FortiGate unit had a valid license that expired
•
green - Valid license - FortiGate unit can connect to FDN and has a registered support contract
If the Status Icon is green, the expiry date is displayed.
Version
The version number of the definition file currently installed on the
FortiGate unit for this service.
(Last update date and method)
The date of the last update and method used for last attempt to download definition updates for this service.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
163
FortiGuard Center System Maintenance
[Update]
(Date)
AntiVirus and IPS
Downloads
Web Filtering and
AntiSpam Options
Log & Analysis
Options
IPS Options
Select to manually update this service on your FortiGate unit.
This will prompt you to download the update file from your local computer. To download updates from FDN directly, use the
Update Now control.
Local system date when the FortiGate unit last checked for updates for this service.
Select the blue arrow to display or hide this section. See
“AntiVirus and IPS Downloads” on page 164 .
Select the blue arrow to display or hide this section. See “Web
Filtering and AntiSpam Options” on page 165
.
Select the blue arrow to display or hide this section. See “Log &
Analysis Options” on page 166 .
If you are not connected to a FortiGuard FortiAnalyzer unit, there will be no content in this section.
Select the blue arrow to display or hide this section.
Select to send attack details to FSN to improve IPS signature quality.
Fortinet recommends that you enable this feature.
AntiVirus and IPS Downloads
Select the blue arrow next to AntiVirus and IPS Downloads to access this section.
Figure 90: AntiVirus and IPS Downloads section
164
Use override server address
Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server.
When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see
“Troubleshooting FDN connectivity” on page 166 .
Select to allow push updates.
Push Update Status Icon shows the status of the push update service.
Allow Push
Update
Push Update
The status of the FortiGate unit for receiving push updates:
Status Icon
•
grey - unreachable - FortiGate unit is not able to connect to push update service
•
yellow - not available - push update service is not available with current support license
•
green - available - push update service is allowed. See “To enable push updates” on page 168 .
If the icon is either grey or yellow, see “Troubleshooting FDN connectivity” on page 166 .
Use override push
Select to enable custom IP address and port to be used to connect to the push update server.
Available only if Allow Push Update is selected.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance FortiGuard Center
IP port
Scheduled
Update
Every
Daily
Weekly
Enter a new IP address to connect to the FDN push server.
Available only if Allow Push Update and Use override push are enabled.
Select a new port to use to connect to the FDN push server.
Available only if Use override push and IP address are set.
Select this check box to enable scheduled updates.
Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.
Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Select Update Now to manually initiate an FDN update.
Update Now
Web Filtering and AntiSpam Options
Select the blue arrow next to Web Filtering and AntiSpam Options to access this section.
Figure 91: Web Filtering and AntiSpam Options section
Enable Web Filter
Select to enable FortiGuard Web Filter service.
Enable Cache
Select to enable caching FortiGuard Services information.
This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6% of the FortiGate memory.
When the cache is full, the least recently used IP address or URL is deleted.
Available only if Enable Web Filter is selected.
TTL
Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again.
Available only if both Enable Web Filter and Enable Cache are selected.
Enable Anti Spam
Select to enable FortiGuard AnitSpam service.
Use Default Port
(53)
Enable cache
Select to enable caching FortiGuard Services information.
This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6% of the FortiGate memory.
When the cache is full, the least recently used IP address or URL is deleted.
Available only if Enable Anti Spam is selected.
TTL
Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again.
Select to use port 53 to communicate with FortiGuard-Antispam servers.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
165
FortiGuard Center
166
System Maintenance
Use Alternate Port
(8888)
Select to use port 8888 to communicate with FortiGuard-Antispam servers.
Test Availability
Select to test the connection to the FortiGuard-Antispam server.
Results are shown below the button and on the Status indicators.
please click here
Select to re-evaluate a URL’s category rating on the FortiGuard
Web Filter service.
Log & Analysis Options
This section displays your configuration options for the FortiGuard Log & Analysis server.
Select the blue arrow next to Log & Analysis Options to access this section.
Figure 92: FDN Log & Analysis options
This section provides links to
“Logging to FortiGuard Log and Analysis server” on page 414
where you can configure your settings, and to purge your logs.
To configure how often to purge your logs, select how old the logs should be in months before being purged.
Troubleshooting FDN connectivity
If your FortiGate unit is unable to connect to the FDN, check your configuration.
For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet.
You might have to connect to an override FortiGuard server to receive updates.
See
“To add an override server” on page 167 . If this is not successful, check your
configuration to make sure you can connect to the override FortiGuard server from the FortiGate unit.
Push updates might be unavailable if:
• you have not registered the FortiGate unit (To register your FortiGate unit, go to Product Registration and follow the instructions.)
• there is a NAT device installed between the FortiGate unit and the FDN (see
“Enabling push updates through a NAT device” on page 169
)
• your FortiGate unit connects to the Internet using a proxy server (see
“To enable scheduled updates through a proxy server” on page 168 ).
Updating antivirus and attack definitions
Use the following procedures to configure the FortiGate unit to connect to the
FortiGuard Distribution Network (FDN) to update the antivirus (including grayware) definitions and attack definitions.
1
To make sure the FortiGate unit can connect to the FDN
Go to System > Status and select Change on the System Time line in the System
Information section.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance FortiGuard Center
2
3
4
1
2
1
2
3
4
1
2
Make sure that the time zone is set correctly for the region in which your FortiGate unit is located.
Go to System > Maintenance > FortiGuard Center.
Select Refresh.
The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
To update antivirus and attack definitions
Go to System > Maintenance > FortiGuard Center.
Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update Center page lists new version information for antivirus definitions and attack definitions. The
System Status page also displays new dates and version numbers for antivirus, attack and IPS definitions. Messages are recorded to the event log indicating whether the update was successful or not.
Note: Updating antivirus and attack definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. To minimize this possibility, schedule updates for times of light traffic.
To enable scheduled updates
Go to System > Maintenance > FortiGuard Center.
Select the Scheduled Update check box.
Select one of the following to check for and download updates.
Every
Daily
Weekly
Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Once a day. You can specify the time of day to check for updates.
Once a week. You can specify the day of the week and the time of day to check for updates.
Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
To add an override server
If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server.
Go to System > Maintenance > FortiGuard Center.
Select the Use override server address check box.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
167
FortiGuard Center System Maintenance
3
4
Type the fully qualified domain name or IP address of a FortiGuard server.
Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiGuard Distribution Network availability icon changes from grey, the
FortiGate unit has successfully connected to the override server.
If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit from connecting to the override FortiGuard server.
To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command to allow the
FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For more information, see the
FortiGate CLI Reference
.
Enabling push updates
The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. To register your FortiGate unit, go to Product Registration and follow the instructions.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time new antivirus or attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.
1
2
3
Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see
“To enable scheduled updates through a proxy server” on page 168
.
When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the
FortiGate unit receives new updates sooner through push updates than if the
FortiGate unit receives only scheduled updates. However, scheduled updates make sure that the FortiGate unit receives the latest updates.
Enabling push updates is not recommended as the only method for obtaining updates. The FortiGate unit might not receive the push notification. Also, when the
FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates.
To enable push updates
Go to System > Maintenance > FortiGuard Center.
Select Allow Push Update.
Select Apply.
168
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance FortiGuard Center
Push updates when FortiGate IP addresses change
The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface to which the FDN connects. The interface used for push updates is the interface configured in the default route of the static routing table.
The FortiGate unit sends the SETUP message if you change the IP address of this interface manually or if you have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.
The FDN must be able to connect to this IP address for your FortiGate unit to be able to receive push update messages. If your FortiGate unit is behind a NAT device, see
“Enabling push updates through a NAT device” on page 169 .
If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to the other Internet connection.
In Transparent mode if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.
Enabling push updates through a NAT device
If the FDN can only connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using UDP on either port 9443 or an override push port that you specify.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
169
FortiGuard Center
Figure 93: Example network: Push updates through a NAT device
Internet
FDN
Server
NAT Device
Push Updates
System Maintenance
170
Internal Network
1
2
3
4
1
2
General procedure
Use the following steps to configure the FortiGate unit on the internal network and the NAT device so that the FortiGate unit on the internal network can receive push updates:
Register and license the FortiGate unit on the internal network so that it can receive push updates.
Configure the FortiGuard Center of the FortiGate unit on the internal network.
• Allow push updates
• Add an override push update IP. Usually this would be the IP address of the external interface of the NAT device
• If required, change the override push update port
Add a port forwarding virtual IP to the NAT device.
• Set the external IP address of the virtual IP to match the override push update
IP. Usually this would be the IP address of the external interface of the NAT device.
Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
To configure the FortiGuard Center of the FortiGate unit on the internal network
Go to System > Maintenance > FortiGuard Center.
Select Allow Push Update.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Maintenance FortiGuard Center
3
4
5
1
2
3
1
2
3
Select Use override push IP and enter the IP address of the external interface of the NAT device.
Do not change the push update port unless UDP port 9443 is blocked or used by other services on your network.
Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The
FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network. Push updates will not actually work until you add a virtual IP to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network.
Note: If the external IP address or external service port changes, add the changes to the
Use override push configuration and select Apply to update the push information on the
FDN.
To add a port forwarding virtual IP to the FortiGate NAT device
Configure the NAT device to use port forwarding to forward push update connections from the FDN to the FortiGate unit on the internal network.
Go to Firewall > Virtual IP and select Create New.
Add a port forwarding virtual IP that maps the external interface of the NAT device to the IP address of the FortiGate unit on the internal network using the push update UDP port.
Name
Add a name for the Virtual IP.
External Interface The interface on the NAT device that connects to the Internet.
Type
Static NAT.
External IP
Address/Range
The IP address that the FDN connects to send push updates to the
FortiGate unit on the Internal network. This would usually be the IP address of the external interface of the NAT device. This IP address must be the same as the FortiGuard Center push update override IP of the FortiGate unit on the internal network.
The IP address of the FortiGate unit on the Internal network.
Mapped IP
Address/Range
Port Forwarding Select Port Forwarding.
Protocol
UDP
External Service
Port
The external service port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard Center configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port
The map to port must be the same as the external service port.
Select OK.
To add a firewall policy to the FortiGate NAT device
Add a new external to internal firewall policy.
Configure the policy with the following settings:
Select OK.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
171
License
License
System Maintenance
1
2
To confirm that push updates to the FortiGate unit on the internal network are working
Go to System > Maintenance > FortiGuard Center.
Select Refresh.
The Push Update indicator should change to solid green.
If your FortiGate unit is model 3000 or higher, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250.
By default, FortiGate units support a maximum of 10 VDOMs.
The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.
Go to System > Maintenance > License to enter your license key.
Figure 94: License key for additional VDOMs
Current License
Input License Key
The current maximum number of Virtual Domains.
Enter the license key supplied by Fortinet and select Apply.
172
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Chassis (FortiGate-5000 series) SMC (shelf manager card)
System Chassis (FortiGate-5000 series)
For FortiGate-5000 series modules installed in a FortiGate-5050 or
FortiGate-5140 chassis, you can go to System > Chassis to view real-time operating status information about the hardware components installed in the chassis.
From the system chassis pages you can view information about all of the hardware components in the chassis. You can use the get chassis status command to display similar chassis information from the FortiGate CLI.
Information displayed by the system chassis pages and by the get chassis status
command depends on the FortiGate-5000 series chassis and the
FortiGate-5000 series modules installed in the chassis and not on the
FortiGate-5000 module that you are connecting to.
The system chassis pages display information received from the chassis shelf manager. The system chassis pages only display information if at least one shelf manager is functioning in the chassis and only if the FortiGate-5000 module that you have connected to can communicate with a shelf manager.
This section describes:
•
•
Blades (FortiGate-5000 chassis slots)
•
Chassis monitoring event log messages
SMC (shelf manager card)
Go to System > Chassis > SMC to view the status of the shelf manager cards
(SMCs) installed in the FortiGate-5000 series chassis. The SMC list is the same for the FortiGate-5140 chassis and the FortiGate-5050 chassis. The SMC list shows basic status information about the shelf manager cards in the chassis.
Figure 95: Shelf manager card (SMC) list
Refresh interval Set how often the web-based manager refreshes the information displayed on the SMC list.
Refresh
SMC #
Manually refresh the information displayed on the SMC list.
Shelf manager card slot number: SMC 1 or SCM 2.
Status
Current status of the shelf manager card in each chassis slot. The status can be Present if a shelf manager card is installed in the slot and Empty if a shelf manager card is not installed.
Active/Standby The mode of the shelf manager card in each chassis slot. Shelf managers can operate in active or standby mode. In active mode the shelf manager is operating the chassis. In standby mode the shelf manager is waiting to switch to active mode if it detects that the active shelf manager is not operating. If status is empty, active/standby is blank.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
173
Blades (FortiGate-5000 chassis slots) System Chassis (FortiGate-5000 series)
Blades (FortiGate-5000 chassis slots)
Go to System > Chassis > Blades to display a list of the slots in the
FortiGate-5000 chassis that the FortiGate-5000 series module is installed in. The list of slots shows whether the slot is empty or contains a FortiGate-5000 module.
If a slot contains a module, the display shows the type of module in the slot. Slots can contain node cards such as the FortiGate-5001SX module and switch cards such as the FortiSwitch-5003 module. The slot containing the FortiGate-5000 module that you are connecting to is highlighted in yellow.
If the FortiGate-5000 series module that you are connecting to is installed in a
FortiGate-5050 chassis, the blades list contains 5 rows. For a FortiGate-5140 chassis the blades list contains 14 rows.
For each slot that contains a module, the blades list indicates if the monitored temperatures and voltages for the module in that slot are within acceptable ranges. If temperature and voltage show good, the module is operating with acceptable ranges. If temperature or voltage show alarm, the shelf manager has registered an alarm because a temperature or voltage is outside of the acceptable range.
If you have SNMP enabled and have selected the Temperature too high and
Voltage out of range SNMP events, when the shelf manager registers a temperature or voltage alarm, the FortiGate-5000 module SNMP agent sends an
SNMP trap.
Figure 96: Example FortiGate-5050 blades list
Refresh interval
Set how often the web-based manager refreshes the information displayed on the blades list.
Refresh
Manually refresh the information displayed on the blades list.
Slot #
Blade Type
The slot number in the chassis. Slots 1 to 5 are listed for the
FortiGate-5050 chassis and slots 1 to 14 are listed for the
FortiGate-5140 chassis.
Indicates whether the slot contains a node card (for example, a
FortiGate-5001SX module) or a switch card (for example, a
FortiSwitch-5003 module).
174
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
System Chassis (FortiGate-5000 series) Blades (FortiGate-5000 chassis slots)
Temperature
Voltage
Indicates if the temperature sensors for the module in each slot are detecting a temperature within an acceptable range. Good indicates that all monitored temperatures are within acceptable ranges. Alarm indicates that a monitored temperature is too high (usually about
75°C) or too low (below 10°C).
You can mouse over the temperature indicator to view the temperatures being read by each sensor on the module. The mouse over display includes the name of the temperature sensor and the temperature reading.
The temperatures that are displayed depend on the FortiGate or
FortiSwitch module. For example:
For FortiGate-5005FA2 modules:
•
Incoming Air-Flow: 37°C
•
CPU Board Temp: 49°C
•
CPU1 Temp: 65°C
•
CPU2 Temp: 66°C
For FortiGate-5001SX and FortiGate-5001FA2 modules:
•
TEMP1: 37°C
•
TEMP2: 30°C
And for FortiSwitch-5003 modules:
•
Baseboard Temp: 35°C
•
Board (BRD) Top Temp: 33°C
•
BRD Bottom Temp: 33°C
•
BRD Center Temp: 38°C
Indicates if the voltage sensors for the module in each slot are detecting a voltage within an acceptable range. Good indicates that all monitored voltages are within acceptable ranges. Alarm indicates that a monitored voltage is too high or too low.
You can mouse over the voltage indicator for each slot to view the voltages being read by each sensor. The information displayed for each sensor includes the design voltage (for example 3.3V) and the actual measured voltage (for example, 3.288V). The acceptable voltage range depends on the sensor.
The voltages that are displayed are different for different
FortiGate-5000 series modules. For example:
For FortiGate-5005FA2 modules:
•
CPU1 Voltage: 1.1956V
•
CPU1 Voltage: 1.1858V
•
+5.0V: 4.851V
•
+3.3V: 3.321V
•
+2.5V CPU 1: 2.5376V
•
+2.5V CPU 2: 2.5498V
•
+1.2V 1: 1.1956V
•
+1.2V 2: 1.2054V
For FortiGate-5001SX and FortiGate-5001FA2 modules:
•
5V: 5.0764V
•
3.3V: 3.4884V
•
2.5V: 2.534V
•
1.8V: 1.8236V
•
1.5V: 1.5326V
And for FortiSwitch-5003 modules:
•
+1.5V: 1.521V
•
+2V: 1.989V
•
+2.5V: 2.4921V
•
+3.3V: 3.3024V
•
+3.3VSB: 3.3712V
•
+5VSB: 5.096V
•
+12V: 12.096V
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
175
Chassis monitoring event log messages System Chassis (FortiGate-5000 series)
Chassis monitoring event log messages
FortiGate-5000 series modules can send the log messages shown in
when chassis monitoring detects temperatures, voltages, or fan speeds that are outside of normal operating parameters. The messages in
all have the chassis log type and a severity of warning or critical. Warning messages are recorded when non-critical thresholds are reached. Critical messages are recorded when critical thresholds are reached.
Table 31: Chassis monitoring warning and critical event log messages
ID Message Meaning
99503 Chassis fan anomaly: Fan
<fan_integer>, <rpm_integer>
RPM Chassis fan anomaly
99504 Chassis temperature anomaly:
T <sensor_integer>,
<temp_integer> Celsius
A chassis fan is operating at an RPM value outside of the normal operating range.
<fan_integer> is the number of the fan tray. For the FortiGate-5140 <fan_integer> can be 0, 1, or
2. The FortiGate-5050 only has one fan tray.
<rpm_integer> is the RPM at which the fan is operating.
A temperature sensor has reported a temperature outside of the normal operating range for this sensor. A typical operating range is between 10 and 75 degrees Celsius.
<temp_integer> identifies the temperature sensor. <temp_integer> is the temperature being reported by the sensor.
99505 Chassis voltage anomaly:
V<design_voltage>,
<monitored_voltage> V
A chassis voltage sensor has detected a voltage level outside of the operating range for the sensor. <design_voltage> is the voltage the circuit should have at the sensor location during normal operation. For example,
<design_voltage> could be 3.3, 5, and so on.
<monitored_voltage> is the actual voltage measure by the sensor.
99506 Blade fan anomaly: Fan
<fan_integer>, <rpm_integer>
RPM
A blade fan is operating at an RPM value outside of the normal operating range. <fan_integer> identifies the fan. <rpm_integer> is the RPM at which the fan is operating.
99507 Blade temperature anomaly:
Blade <temp_integer>,
<temp_integer> Celsius
99508 Blade voltage anomaly: Blade
<design_voltage>,
<monitored_voltage> V
A temperature sensor on a FortiGate-5000 or
FortiSwitch-5000 series module has reported a temperature outside of the normal operating range for this sensor. A typical operating range is between 10 and 75 degrees Celsius.
<temp_integer> identifies the module temperature sensor. <temp_integer> is the temperature being reported by the sensor.
A voltage sensor on a FortiGate-5000 or
FortiSwitch-5000 series module has detected a voltage level outside of the operating range for the sensor. <design_voltage> is the voltage the circuit should have at the sensor location during normal operation. For example,
<design_voltage> could be 3.3, 5, and so on.
<monitored_voltage> is the actual voltage measure by the sensor.
176
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Static Routing concepts
Router Static
This section explains some general routing concepts, how to define static routes and route policies. A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to
the default gateway for the FortiGate unit. See “Default route and default gateway” on page 181
.
You define static routes manually. Static routes control traffic exiting the FortiGate unit—you can specify through which interface the packet will leave and to which device the packet should be routed.
As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and/or destination addresses in packet headers and other criteria such as on which interface the packet was received and which protocol (service) and/or port is being used to transport the packet.
The following topics are included in this section:
•
•
•
Routing concepts
Routing is a complex topic. Because the FortiGate unit works as a security device on a network and packets must pass through the FortiGate unit, you need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately.
Whether you administer a small or large network, this module will help you understand how the FortiGate unit performs routing functions.
The following topics are covered in this section:
•
How the routing table is built
•
How routing decisions are made
•
Multipath routing and determining the best routeHow route sequence affects route priority
•
How route sequence affects route priority
•
Equal Cost Multipath (ECMP) Routes
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
177
Routing concepts Router Static
How the routing table is built
In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination—the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary.
The FortiGate unit selects the “best” route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest next-hop router. In some cases, the next best route may be selected if the best route is unavailable for some reason. The best routes are installed in the FortiGate forwarding table, which is a subset of the FortiGate routing table. Packets are forwarded according to the information in the forwarding table.
How routing decisions are made
Whenever a packet arrives at one of the FortiGate unit’s interfaces, the FortiGate unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the
FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet as it is likely an hacking attempt.
If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a route policy and/or the information stored in the FortiGate forwarding table. See
.
Multipath routing and determining the best route
Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate unit may have several possible destinations for an incoming packet, forcing the
FortiGate unit to decide which next-hop is the best one.
Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes.
For the FortiGate unit to select a primary (preferred) route, manually lower the administrative distance associated with one of the possible routes. The administrative distance can be from 1 to 255.
Another method is to manually change the priority of both of the routes. If the nexthop administrative distances of two routes on the FortiGate unit are equal it may not be clear which route the packet will take. Configuring the priority for each of those routes will make it clear which next-hop will be used in the case of a tie. The priority for a route can only be set from the CLI. Lower priorities are preferred.
178
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Static Routing concepts
All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table.
As a result, the FortiGate forwarding table only contains routes having the lowest distances to every possible destination. For information about how to change the administrative distance associated with a static route, see
“Adding a static route to the routing table” on page 184 .
How route sequence affects route priority
After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the sequence numbers of those routes determines routing priority. When two routes to the same destination exist in the forwarding table, the route having the lowest sequence number is the best choice.
As of FortiOS v3.0, a priority field has been added for routes that are configured using the CLI. The priority field overrides route sequence for resolving two routes with the same administrative distance. The route with the lowest value in the priority field is considered the best route. When the priority value is a tie or is not used, the best route is the route with the lowest sequence number in the routing table. The best route is also the primary route. The command to set the priority field is: set priority <integer> under the config route static command. For more information see the
FortiGate CLI Reference.
When you add a static route to the Static Route list through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the new entry automatically. For example, in Figure 97 , two static routes to the same destination (1.1.1.0/24) were created to illustrate how entry numbers and sequence numbers are assigned through the web-based manager. The two routes specify the same gateway, but in one case, the packet would leave the
FortiGate unit through the interface named “port1”, and in the second case, the packet would leave the FortiGate unit through the interface named “port2”.
Figure 97: Static routes created through the web-based manager
Entry number 2 was created first and entry number 3 was created second, so their sequence numbers in the routing table are 2 and 3 respectively. When the
FortiGate unit evaluates these two routes to the same destination, both will be added to the forwarding table because they have low administrative distances.
After a route has been added to the forwarding table, its sequence number determines the priority of the route unless its priority was set in the CLI with the set priority
command. Because entry number 2 has the lowest sequence number, it is the preferred route.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
179
Static Route Router Static
Note: You can display the sequence numbers of static routes in the routing table through the CLI: type config router static, and then type get. The sequence number of a route is equivalent to the edit <ID_integer> value that one enters when defining a static route through the CLI. For more information, see config router static in the
FortiGate CLI Reference
.
The order of entries in the Static Route list typically mirrors the sequence of static routes in the routing table when all static routes are configured through the webbased manager. However, because you can specify the sequence number of a static route when you add the route through the CLI, the sequence number of a route may not always match its entry number in the Static Route list. Sequence numbers can be specified for static routes through the CLI only.
In summary, if a route in the routing table has a lower sequence number than another route to the same destination, the FortiGate unit will choose the route with the lower sequence number before choosing the other route. Because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes, routes to the same destination can be prioritized according to their sequence numbers and priority field settings. For a static route to be the preferred route, you must create the route using the config router static
CLI command and specify a low sequence number or low priority for the route.
Equal Cost Multipath (ECMP) Routes
When there is more than one route to the same destination, it can be confusing which route or routes will be installed and used. This is based on distance and priority, as explained earlier. If the distance of both routes is the same and both priorities are the same, then they are an Equal Cost Multipath (ECMP) route. If you have load balancing enabled with ECMP routes, then different sessions will use different routes to the same address to load balance traffic.
Static Route
You configure static routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway)
IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed.
Note: You can use the config router static6 CLI command to add, edit, or delete static routes for IPv6 traffic. For more information, see the “router” chapter of the
FortiGate
CLI Reference
.
Working with static routes
The Static Route list displays information that the FortiGate unit compares to packet headers in order to route packets. Initially, the list contains the factory configured static default route. See
“Default route and default gateway” on page 181
. Additional entries can be added manually.
180
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Static
When you add a static route to the Static Route list, the FortiGate unit evaluates the information to determine if it represents a different route compared to any other route already present in the FortiGate routing table. If no route having the same destination exists in the routing table, the FortiGate unit adds the route to the routing table.
To view the list of static routes, go to Router > Static > Static Route. To edit an existing static route entry, go to Router > Static > Static Route and select the
Edit icon beside the entry that you want to edit.
Figure 98 shows the static route list belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your
FortiGate unit may be different.
Figure 98: Static Route list
Static Route
Delete
Edit
Create New
IP
Mask
Gateway
Device
Distance
Delete and Edit icons
The destination IP addresses of packets that the FortiGate unit intercepts.
The network masks associated with the IP addresses.
The IP addresses of the next-hop routers to which intercepted packets are forwarded.
The names of the FortiGate interfaces through which intercepted packets are received and sent.
The administrative distances associated with each route. The values represent distances to next-hop routers.
Delete or edit an entry in the list.
Default route and default gateway
In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route is called the “static default route”. If no other routes are present in the routing table and a packet needs to be forwarded beyond the
FortiGate unit, the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway.
To prevent this you must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit.
For example, consider Figure 99 , which shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
181
Static Route
182
Router Static
Figure 99: Making a router the default gateway
Internet
Router
192.168.10.1
external
FortiGate_1
Internal network
192.168.20.0/24
To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
• Destination IP/mask: 0.0.0.0/0.0.0.0
• Gateway: 192.168.10.1
• Device: Name of the interface connected to network 192.168.10.0/24
(for example, external).
• Distance: 10
The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination
IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 100 , the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Static
Figure 100:Destinations on networks behind internal routers
Internet
Router_1
FortiGate_1
192.168.10.1
internal dmz
192.168.11.1
Router_2
Static Route
Network_1
192.168.20.0/24
Network_2
192.168.30.0/24
To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.11.1
Device: dmz
Distance: 10
To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.20.0/24
Gateway: 192.168.10.1
Device: internal
Distance: 10
Changing the gateway for the default route
The default gateway determines where packets matching the default route will be forwarded.
1
2
3
To change the gateway for the default route
Go to Router > Static > Static Route.
Select the Edit icon in row 1.
In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
183
Static Route Router Static
4
5
6
If the FortiGate unit reaches the next-hop router through a different interface
(compared to the interface that is currently selected in the Device field), select the name of the interface from the Device field.
In the Distance field, optionally adjust the administrative distance value.
Select OK.
Adding a static route to the routing table
A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway.
You define static routes manually. Static routes control traffic exiting the FortiGate unit—you can specify through which interface the packet will leave and to which device the packet should be routed.
To add a static route entry, go to Router > Static > Static Route and select
Create New.
When you add a static route through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the route automatically and adds the entry to the Static Route list.
Figure 101 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your
FortiGate unit may be different.
Figure 101:Edit Static Route
Destination
IP/Mask
Gateway
Device
Distance
Type the destination IP address and network mask of packets that the
FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Type an administrative distance for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route. The value can be an integer from
1 to 255.
184
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Static Policy Route
Policy Route
Whenever a packet arrives at a FortiGate unit interface, the FortiGate unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet.
If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a route policy and/or the information
stored in the FortiGate forwarding table (see “Routing concepts” on page 177
).
When routing policies exist and a packet arrives at the FortiGate unit, the
FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (the IP address of the next-hop router must be specified as well as the FortiGate interface for forwarding packets to the next-hop router), the FortiGate unit routes the packet using the information in the policy. If no route policy matches the packet, the FortiGate unit routes the packet using the routing table.
Note: Because most policy settings are optional, a matching policy alone might not provide enough information for the FortiGate unit to forward the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table.
For example, if the outgoing interface is the only item given in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the FortiGate interfaces are dynamic (the interface receives an IP address through DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router because the IP address changes dynamically.
To view the list of route policies, go to Router > Static > Policy Route. To edit an existing route policy, go to Router > Static > Policy Route and select the Edit icon beside the policy that you want to edit.
Figure 102 shows the policy route list belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your
FortiGate unit may be different.
Figure 102:Policy Route list
Delete
Edit
Move
Create New Add a route policy. See “Adding a route policy” on page 186
.
#
The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.
Incoming
The interfaces on which packets subjected to route policies are received.
Outgoing
The interfaces through which policy routed packets are routed.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
185
Policy Route Router Static
Source
The IP source addresses and network masks that cause policy routing to occur.
Destination The IP destination addresses and network masks that cause policy routing to occur.
Delete icon Select to delete a policy route.
Edit icon
Select to edit a policy route.
Move To icon
Select to move policy route up or down in the policy route table. Selecting this icon will bring up the Move Policy Route screen where you can specify the new location in the Policy Route table. See “Moving a route policy”.
Adding a route policy
Route policy options define which attributes of a incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the
FortiGate unit routes the packet through the specified interface to the specified gateway.
To add a route policy, go to Router > Static > Policy Route and select Create
New.
Figure 103 shows the New Routing Policy dialog box belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different.
Figure 103:New Routing Policy
186
Protocol
To perform policy routing based on the value in the protocol field of the packet, type the protocol number to match. The range is from 0 to 255. A value of 0 disables the feature.
Incoming Interface Select the name of the interface through which incoming packets subjected to the policy are received.
Source Address /
Mask
Destination
Address / Mask
To perform policy routing based on the IP source address of the packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Ports
To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. If you want policy routing to apply to a range of ports, type the starting port number in the From field and the ending port number in the To field.
Zero values disable this feature.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Static Policy Route
Outgoing Interface Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address
Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.
Moving a route policy
A routing policy is added to the bottom of the routing table when it is created. If you want one policy to be used in preference to another, you may want to move it to a different location in the routing policy table.
The option to use one of two routes happens when both routes are a match, say
172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112 but the second one is a better match. In that case the best match route should be positioned before the other route in the policy table.
Using the CLI, you can assign priorities to routes. In the case of two matches in the routing table, the priority will determine which route is used. This feature is only available through the CLI.
Figure 104:Move Policy Route
Before / After
Policy route ID
Select before to place the selected Policy Route before the indicated route. Select After to place it following the indicated route.
Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
187
Policy Route Router Static
188
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic RIP
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by neighboring routers. The FortiGate unit supports these dynamic routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
Note: Basic RIP, OSPF, and BGP routing options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure RIP, OSPF, and BGP settings, see the “router” chapter of
FortiGate CLI Reference
.
The FortiGate unit selects routes and updates its routing table dynamically based on the rules you specify. Given a set of rules, the FortiGate unit can determine the best route or path for sending packets to a destination. You can also define rules to suppress the advertising of routes to neighboring routers and/or change
FortiGate routing information before it is advertised.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.
The following topics are included in this section:
•
•
•
•
RIP
RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
Note: Basic routing options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure RIP settings, see the
“router” chapter of the
FortiGate CLI Reference
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
189
RIP Router Dynamic
How RIP works
When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table. When a route already exists in the routing table, the FortiGate unit compares the advertised route to the recorded route and chooses the shortest route for the routing table.
RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is connected directly to the FortiGate unit, while a hop count of 16 represents a network that the FortiGate unit cannot reach. Each network that a packet travels through to reach its destination usually counts as one hop. When the FortiGate unit compares two routes to the same destination, the route having the lowest hop count is added to the routing table.
Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to neighboring routers on a regular basis. The updates provide information about the routes in the FortiGate routing table, subject to the rules that you specify for advertising those routes. You can specify how often the FortiGate unit sends updates, how long a route can be kept in the FortiGate routing table without being updated, and for routes that are not updated regularly, how long the
FortiGate unit advertises the route as unreachable before it is removed from the
FortiGate routing table.
Viewing and editing basic RIP settings
When you configure RIP settings, you have to specify the networks that are running RIP and specify any additional settings needed to adjust RIP operation on the FortiGate interfaces that are connected to the RIP-enabled network.
To configure basic settings for a FortiGate unit connected to a RIP network, go to
Router > Dynamic > RIP. To edit the operating parameters of a RIP-enabled interface, go to Router > Dynamic > RIP and select the Edit icon in the row that corresponds to the RIP-enabled interface.
Figure 105 shows the basic RIP settings on a FortiGate unit that has interfaces named “dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.
190
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic RIP
Figure 105:Basic RIP settings
Delete
Delete
Edit
RIP Version
Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIPenabled networks:
• Select 1 to send and receive RIP version 1 packets.
• Select 2 to send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if
required (see “Overriding the RIP operating parameters on an interface” on page 193
).
Advanced
Options
Networks
Select advanced RIP options. See
“Selecting advanced RIP options” on page 192
.
The IP addresses and network masks of major networks (connected to the
FortiGate unit) that run RIP. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space.
IP/Netmask
Add
Enter the IP address and netmask that defines the RIPenabled network.
Select to add the network information to the Networks list.
Interfaces
Any additional settings needed to adjust RIP operation on a FortiGate interface.
Create New
Select to configure RIP operating parameters for an interface. These parameters will override the global RIP settings for that interface. See
“Overriding the RIP operating parameters on an interface” on page 193 .
Interface
Send Version
Select the interface to configure RIP operating parameters for.
Select the version of RIP used to send updates through each interface: 1, 2, or both.
Delete and
Edit icons
Receive Version Select the versions of RIP used to listen for updates on each interface: 1, 2, or both.
Authentication
Select the type of authentication used on this interface:
None, Text or MD5.
Passive
Select to block RIP broadcasts on this interface
Delete or edit a RIP network entry or a RIP interface definition.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
191
RIP Router Dynamic
Selecting advanced RIP options
Advanced RIP options let you specify settings for RIP timers and define metrics for redistributing routes that the FortiGate unit learns through some means other than RIP updates. For example, if the FortiGate unit is connected to an OSPF or
BGP network or you add a static route to the FortiGate routing table manually, you can configure the FortiGate unit to advertise those routes on RIP-enabled interfaces.
To select advanced RIP options, go to Router > Dynamic > RIP and expand
Advanced Options. After you select the options, select Apply.
Note: Additional advanced options can be configured through the CLI. For example, you can filter incoming or outgoing updates using a route map, an access list, or a prefix list.
The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information, see the “router” chapter of the
FortiGate CLI Reference
.
Figure 106:Advanced Options (RIP)
192
Default Metric
Enable Defaultinformation-originate
RIP Timers
Enter the default hop count that the FortiGate unit should assign to routes that are added to the Fortinet routing table. The range is from 1 to 16.
This value also applies to Redistribute unless otherwise specified.
Select to generate and unconditionally advertise a default route into the FortiGate unit’s RIP-enabled networks. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table or both.
Override the default RIP timer settings. The default settings are effective in most configurations — if you change these settings, take care to ensure that the new settings are compatible with local routers and access servers.
Update
Enter the amount of time (in seconds) that the
FortiGate unit will wait between sending RIP updates.
Timeout
Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the FortiGate unit will keep a reachable route in the routing table while no updates for that route are received. If the FortiGate unit receives an update for the route before the timeout period expires, the timer is restarted.
The Timeout period should be at least three times longer than the Update period.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic
Redistribute
Garbage
Enter the amount of time (in seconds) that the
FortiGate unit will advertise a route as being unreachable before deleting the route from the routing table. The value determines how long an unreachable route is kept in the routing table.
Enable or disable RIP updates about routes that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes learned from directly connected networks, static routes, OSPF, and/or BGP.
Connected Select to redistribute routes learned from directly connected networks. If you want to specify a hop count for those routes, select Metric, and in the
Metric field, enter the hop count. The range is from
1 to 16.
Static
OSPF
Select to redistribute routes learned from static routes. If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.
Select to redistribute routes learned through OSPF.
If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.
BGP
Select to redistribute routes learned through BGP. If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.
Overriding the RIP operating parameters on an interface
RIP interface options enable you to override the global RIP settings that apply to all Fortinet interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can enable the interface to operate passively.
Passive interfaces listen for RIP updates but do not respond to RIP requests.
If RIP version 2 is enabled on the interface, you can optionally choose password authentication to ensure that the FortiGate unit authenticates a neighboring router before accepting updates from that router. The FortiGate unit and the neighboring router must both be configured with the same password. Authentication guarantees the authenticity of the update packet, not the confidentiality of the routing information in the packet.
Figure 107:New/Edit RIP Interface
RIP
To set specific RIP operating parameters for a RIP-enabled interface, go to
Router > Dynamic > RIP and select Create New
.
Note: Additional options such as split-horizon and key-chain settings can be configured per interface through the CLI. For more information, see the “router” chapter of the
FortiGate
CLI Reference
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
193
OSPF Router Dynamic
Figure 107 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your
FortiGate unit may be different.
Interface
Send Version,
Receive Version
Authentication
Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network.
The interface can be a virtual IPSec or GRE interface.
Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2 or Both.
Select an authentication method for RIP exchanges on the specified interface:
• Select None to disable authentication.
• If the interface is connected to a network that runs RIP version 2, optionally select Text and type a password (up to 35 characters) in the Password field. The FortiGate unit and the RIP updates router must both be configured with the same password. The password is sent in clear text over the network.
• Select MD5 to authenticate the exchange using MD5.
Passive Interface
Select to suppress the advertising of FortiGate routing information through the specified interface. For the interface to respond to RIP requests, clear Passive Interface.
OSPF
Open shortest path first (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). FortiGate units support OSPF version 2
(see RFC 2328).
Note: Basic OSPF routing options can be configured through the web-based manager.
Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure OSPF settings, see the “router” chapter of the
FortiGate CLI Reference
.
OSPF autonomous systems
An OSPF AS is typically divided into logical areas linked by area border routers.
An area comprises a group of contiguous networks. An area border router links one or more areas to the OSPF network backbone (area ID 0). To specify the characteristics of an OSPF AS, see
“Defining an OSPF AS” on page 195
.
When the FortiGate unit has an interface to an OSPF area, it can participate in
OSPF communications. The FortiGate unit uses the OSPF Hello protocol to acquire neighbors in an area. A neighbor is any router that has an interface to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges
Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.
194
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic OSPF
OSPF-enabled routers generate link-state advertisements and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, link-state advertisements between
OSPF neighbors do not occur. A Link-State Advertisement (LSA) identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All
LSA exchanges between OSPF-enabled routers are authenticated.
The FortiGate unit maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path
First (SPF) algorithm to the accumulated link-state information. OSPF uses relative cost as a basic metric for choosing the best route. Cost imposes a penalty on the outgoing direction of a FortiGate interface. The cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to a destination. The lowest overall cost indicates the best route.
The FortiGate unit updates its routing table dynamically based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:
• the addresses of networks in the local OSPF area (to which packets are sent directly)
• routes to OSPF area border routers (to which packets destined for another area are sent)
• if the network contains OSPF areas and non-OSPF domains, routes to AS boundary routers, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS
The number of routes that a FortiGate unit can learn through OSPF depends on the network topology. A single FortiGate unit can support tens of thousands of routes if the OSPF network is configured properly.
Defining an OSPF AS
Defining an OSPF AS, involves:
• Defining the characteristics of one or more OSPF areas.
• Creating associations between the OSPF areas that you defined and the local networks to include in the OSPF AS.
• If required, adjusting the settings of OSPF-enabled interfaces.
For more information about how to perform these tasks using the web-based manager, follow the procedure given below.
1
2
3
4
5
To define an OSPF AS
Go to Router > Dynamic > OSPF.
Under Areas, select Create New.
Define the characteristics of one or more OSPF areas. See
“Defining OSPF areas” on page 199 .
Under Networks, select Create New.
Create associations between the OSPF areas that you defined and the local
networks to include in the OSPF AS. See “Specifying OSPF networks” on page 200
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
195
OSPF Router Dynamic
6
7
8
9
10
If you need to adjust the default settings of an OSPF-enabled interface, select
Create New under Interfaces.
Select the OSPF operating parameters for the interface. See
“Selecting operating parameters for an OSPF interface” on page 201 .
Repeat Steps 6 and 7 if required for additional OSPF-enabled interfaces.
Optionally select advanced OSPF options for the OSPF AS. See
“Selecting advanced OSPF options” on page 198 .
Select Apply.
Viewing and editing basic OSPF settings
When you configure OSPF settings, you have to define the AS in which OSPF is enabled and specify which of the FortiGate interfaces participate in the AS. As part of the AS definition, you specify the AS areas and specify which networks to include those areas. You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces.
To view and edit OSPF settings, go to Router > Dynamic > OSPF.
Figure 108 shows the basic OSPF settings on a FortiGate unit that has an interface named “port1”. The names of the interfaces on your FortiGate unit may be different.
Figure 108:Basic OSPF settings
196
Router ID
Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. Do not change the router
ID while OSPF is running.
Advanced
Options
Select advanced OSPF settings. See “Selecting advanced OSPF options” on page 198 .
Areas
Information about the areas making up an OSPF AS. The header of an
OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS.
Create New
Select to define an OSPF area and add the new area to the
Areas list. See
“Defining OSPF areas” on page 199 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic
Area
Type
The unique 32-bit identifiers of areas in the AS, in dotted decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.
The types of areas in the AS:
•
If an area is a normal OSPF area, “Regular” is displayed.
•
If an area is not so stubby, “NSSA” is displayed.
•
If an area is a stub, “Stub” is displayed.
For more information, see “Defining OSPF areas” on page 199
.
Authentication The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area:
•
When authentication is disabled, “None” is displayed.
•
When text-based password authentication is enabled,
“Text” is displayed.
•
When MD5 authentication is enabled, “MD5” is displayed.
A different authentication setting may apply to some of the interfaces in an area, as displayed under Interfaces. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.
Networks
The networks in the OSPF AS and their area IDs. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements. You can enable OSPF on all
FortiGate interfaces whose IP addresses match the OSPF network address space.
Create New
Select to add a network to the AS, specify its area ID, and
add the definition to the Networks list. See “Specifying
Network
The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.
Area
Interfaces
Any additional settings needed to adjust OSPF operation on a FortiGate interface.
Create New
The area IDs that have been assigned to the OSPF network address space.
Select to add additional/different OSPF operating parameters for a FortiGate interface and add the
.
Name
The names of OSPF interface definitions.
Interface
IP
The names of FortiGate physical or VLAN interfaces having
OSPF settings that differ from the default values assigned to all other interfaces in the same area.
The IP addresses of the OSPF-enabled interfaces having additional/different settings.
Authentication The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.
Delete and
Edit icons
Select to delete or edit an OSPF area entry, network entry, or interface definition.
OSPF
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
197
OSPF Router Dynamic
Selecting advanced OSPF options
Advanced OSPF options let you specify metrics for redistributing routes that the
FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the FortiGate unit to advertise those routes on OSPF-enabled interfaces.
To select advanced RIP options, go to Router > Dynamic > RIP and expand
Advanced Options. After you select the options, select Apply.
Figure 109:Advanced Options (OSPF)
198
Default
Information
Generate and advertise a default (external) route to the OSPF AS. The generated route may be based on routes learned through a dynamic routing protocol, or routes in the routing table, or both.
None
Regular
Disable the generation of a default route.
Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.
Always
Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.
Redistribute
Enable or disable OSPF link-state advertisements about routes that were not learned through OSPF. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes,
RIP, and/or BGP.
Connected Select to redistribute routes learned from directly connected networks.
If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
Static
Select to redistribute routes learned from static routes.
If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
RIP
BGP
Select to redistribute routes learned through RIP.
If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
Select to redistribute routes learned through BGP.
If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
Note: Many additional advanced OSPF options can be configured through the CLI. For details, see the “router” chapter of the
FortiGate CLI Reference
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic
Defining OSPF areas
An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in decimal dot notation. Area ID 0.0.0.0 is reserved for the
OSPF network backbone. You can classify the remaining areas of an AS in one of three ways:
• Regular
• Stub
• NSSA
A regular area contains more than one router, each having at least one OSPFenabled interface to the area.
To reach the OSPF backbone, the routers in a stub area must send packets to an area border router. Routes leading to non-OSPF domains are not advertised to the routers in stub areas. The area border router advertises to the OSPF AS a single default route (destination 0.0.0.0) into the stub area, which ensures that any
OSPF packet that cannot be matched to a specific route will match the default route. Any router connected to a stub area is considered part of the stub area.
In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-
OSPF domain are made known to OSPF AS. However, the area itself continues to be treated like a stub area by the rest of the AS.
Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF backbone through area border routers.
To define an OSPF area, go to Router > Dynamic > OSPF, and then under
Areas, select Create New. To edit the attributes of an OSPF area, go to Router >
Dynamic > OSPF and select the Edit icon in the row that corresponds to the area.
Note: If required, you can define a virtual link to an area that has lost its physical connection to the OSPF backbone. Virtual links can only be set up between two FortiGate units that act as area border routers. For more information, see “config virtual-link” under the OSPF “config area” subcommand in the
FortiGate CLI Reference
.
Figure 110:New/Edit OSPF Area
OSPF
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
199
OSPF Router Dynamic
Area
Type
Type a 32-bit identifier for the area. The value must resemble an IP address in decimal-dot notation. Once the OSPF area has been created, the area IP value cannot be changed.
Select an area type to classify the characteristics of the network that will be assigned to the area:
•
Select Regular if the area contains more than one router, each having at least one OSPF-enabled interface to the area.
•
Select NSSA if you want routes to external non-OSPF domains made known to OSPF AS and you want the area to be treated like a stub area by the rest of the AS.
•
Select STUB if the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.
Authentication Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
•
Select None to disable authentication.
•
Select Text to enable text-based password authentication. to authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network.
•
Select MD5 to enable MD5 authentication using an MD5 hash.
If required, you can override this setting for one or more of the interfaces
in the area (see “Selecting operating parameters for an OSPF interface” on page 201 ).
Note: To assign a network to the area, see “Specifying OSPF networks” on page 200 .
Specifying OSPF networks
OSPF areas group a number of contiguous networks together. When you assign an area ID to a network address space, the attributes of the area are associated with the network.
To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then under Networks, select Create New. To change the OSPF area ID assigned to a network, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the network.
Figure 111:New/Edit OSPF Network
200
IP/Netmask
Enter the IP address and network mask of the local network that you want to assign to an OSPF area.
Area
Select an area ID for the network. The attributes of the area must match the characteristics and topology of the specified network. You must define
the area before you can select the area ID. See “Defining OSPF areas” on page 199 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic
Selecting operating parameters for an OSPF interface
An OSPF interface definition contains specific operating parameters for a
FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, external or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets.
You can enable OSPF on all FortiGate interfaces whose IP addresses match the
OSPF-enabled network space. For example, define an area of 0.0.0.0 and the
OSPF network is defined as 10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as 10.0.3.1/24. All three VLANs will run OSPF in area
0.0.0.0. To enable all interfaces, you would create OSPF network 0.0.0.0/0 having an area that matches a specific IP address.
You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor’s settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor’s settings.
To select OSPF operating parameters for a FortiGate interface, go to Router >
Dynamic > OSPF, and then under Interfaces, select Create New. To edit the operating parameters of an OSPF-enabled interface, go to Router > Dynamic >
OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled interface.
Figure 112 shows the New/Edit OSPF Interface dialog box belonging to a
FortiGate unit that has an interface named “port1”. The interface names on your
FortiGate unit may differ.
Figure 112:New/Edit OSPF Interface
OSPF
Add
Name
Interface
Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.
Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The
FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
201
BGP Router Dynamic
IP
Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space.
For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type
172.20.120.140
.
Authentication Select an authentication method for LSA exchanges on the specified interface:
• Select None to disable authentication.
•
Select Text to authenticate LSA exchanges using a plain-text password. The password can be up to 35 characters, and is sent in clear text over the network.
• Select MD5 to use one or more keys to generate an MD5 hash.
This setting overrides the area Authentication setting.
Password
MD5 Keys
Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password.
This field is available only if you selected plain-text authentication.
Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field.
The password is an alphanumeric string of up to 16 characters. The
OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. If the OSPF neighbor uses more than one password to generate MD5 hash, select the
Add icon to add additional MD5 keys to the list. This field is available only if you selected MD5 authentication.
Hello Interval
Optionally, set the Hello Interval to be compatible with Hello Interval settings on all OSPF neighbors.
This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through the interface.
Dead Interval
Optionally, set the Dead interval to be compatible with Dead Interval settings on all OSPF neighbors.
This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible.
By convention, the Dead Interval value is usually four times greater than the Hello Interval value.
202
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by
ISPs to exchange routing information between different ISP networks. For example, BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP and/or OSPF to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with
RFC 1771.
How BGP works
When BGP is enabled, the FortiGate unit sends routing table updates to neighboring autonomous systems whenever any part of the FortiGate routing table changes. Each AS, including the local AS of which the FortiGate unit is a member, is associated with an AS number. The AS number references a particular destination network.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic
BGP updates advertise the best path to a destination network. When the
FortiGate unit receives a BGP update, the FortiGate unit examines the Multi-Exit
Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate routing table.
BGP has the capability to gracefully restart. This capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network.
Note: Graceful restarting and other advanced settings cannot be configured through the web-based manager, only through CLI commands. For complete descriptions and examples of how to use CLI commands to configure BGP settings, see the “router” chapter of the
FortiGate CLI Reference
.
Viewing and editing BGP settings
When you configure BGP settings, specify the AS that includes the FortiGate unit as a member and enter a router ID to identify the FortiGate unit to other BGP routers. You must also identify the FortiGate unit’s BGP neighbors and specify which of the networks local to the FortiGate unit should be advertised to BGP neighbors.
To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager offers a simplified user interface to configure basic BGP options.
A large number of advanced BGP options can be configured through the CLI. For more information, see the “router” chapter of the
FortiGate CLI Reference
.
Figure 113:Basic BGP options
BGP
Local AS
Router ID
Neighbors
Enter the number of the local AS that the FortiGate unit is a member of.
Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format.
If you change the router ID while BGP is running, all connections to BGP peers will be broken temporarily until they are re-established.
The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.
IP
Enter the IP address of the neighbor interface to the BGPenabled network.
Remote AS Enter the number of the AS that the neighbor belongs to.
Add/Edit
Select to add the neighbor information to the Neighbors list, or edit an entry in the list.
Neighbor
The IP addresses of BGP peers.
Remote AS The numbers of the autonomous systems associated with the BGP peers.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
203
Multicast Router Dynamic
Networks
Delete icon
The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.
IP/Netmask Enter the IP address and netmask of the network to be advertised.
Add
Select to add the network information to the Networks list.
Network
The IP addresses and network masks of major networks that are advertised to BGP peers.
Select to delete a BGP neighbor entry or a BGP network definition.
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC
2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected.
Multicast server applications use a (Class D) multicast address to send one copy of a packet to a group of receivers. The PIM routers throughout the network ensure that only one copy of the packet is forwarded through the network until it reaches an end-point destination. At the end-point destination, copies of the packet are made only when required to deliver the information to multicast client applications that request traffic destined for the multicast address.
Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain also contains a number of Rendezvous Points (RPs) and Designated
Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured. If required for sparse mode operation, you can define static RPs.
Note: Basic options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see “multicast” in the
“router” chapter of the
FortiGate CLI Reference
.
Viewing and editing multicast settings
When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode operation on any FortiGate interface.
204
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic
To view and edit PIM settings, go to Router > Dynamic > Multicast. The webbased manager offers a simplified user interface to configure basic PIM options.
Advanced PIM options can be configured through the CLI. For more information, see the “router” chapter of the
FortiGate CLI Reference
.
Figure 114:Basic Multicast options
Add Static RP
Multicast
Delete
Edit
Enable Multicast
Routing
Add Static RP
Select to enable PIM version 2 routing. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination,
If required for sparse mode operation, enter the IP address of a
Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP.
If an RP for the specified IP’s multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.
Apply
Create New
Select to save the specified static RP addresses.
Select to create a new multicast entry for an interface.
This will allow you to fine-tune PIM operation on a specific
FortiGate interface or override the global PIM settings on a particular interface. See
“Overriding the multicast settings on an interface” on page 206
.
The names of FortiGate interfaces having specific PIM settings.
The mode of PIM operation (Sparse or Dense) on that interface.
Interface
Mode
Status
Priority
DR Priority
The status of parse-mode RP candidacy on the interface.
To enable or disable RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.
The priority number assigned to RP candidacy on that interface.
Only available when RP candidacy is enabled.
The priority number assigned to Designated Router (DR) candidacy on the interface. Only available when sparse mode is enabled.
Delete and Edit icons Select to delete or edit the PIM settings on the interface.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
205
Multicast Router Dynamic
Overriding the multicast settings on an interface
Multicast (PIM) interface options enable you to set operating parameters for
FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment.
When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface.
Figure 115:Multicast interface settings
Interface
PIM Mode
DR Priority
Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.
Select the mode of operation: Sparse Mode or Dense Mode. All
PIM routers connected to the same network segment must be running the same mode of operation. If you select Sparse Mode, adjust the remaining options as described below.
Enter the priority number for advertising DR candidacy on the
FortiGate interface. The range is from 1 to 4 294 967 295.
This value is compared to the DR interfaces of all other PIM routers on the same network segment, and the router having the highest DR priority is selected to be the DR.
RP Candidate
Select to enable or disable RP candidacy on the interface.
RP Candidate Priority Enter the priority number for advertising RP candidacy on the
FortiGate interface. The range is from 1 to 255.
206
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Dynamic Multicast
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
207
Multicast Router Dynamic
208
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Monitor Displaying routing information
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.
The following topics are included in this section:
•
Displaying routing information
•
Searching the FortiGate routing table
Displaying routing information
By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.
To display the routes in the routing table, go to Router > Monitor.
Figure 116 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces named “port1”, “port4”, and “lan”. The names of the interfaces on your
FortiGate unit may be different.
Figure 116:Routing Monitor list
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
209
Displaying routing information Router Monitor
Type
Select one of these route types to search the routing table and display routes of the selected type only:
•
All displays all routes recorded in the routing table.
•
Connected displays all routes associated with direct connections to
FortiGate interfaces.
•
Static displays the static routes that have been added to the routing table manually.
•
RIP displays all routes learned through RIP.
•
OSPF displays all routes learned through OSPF.
•
BGP displays all routes learned through BGP.
•
HA displays RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster.
HA routes are maintained on subordinate units and are only visible if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster. For details about HA routing synchronization, see the
FortiGate High Availability User Guide
.
Network
Gateway
Apply Filter Select to search the entries in the routing table based on the specified search criteria and display any matching routes.
Type
The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).
Subtype
Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network.
Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway.
Network
Distance
If applicable, the subtype classification assigned to OSPF routes.
•
An empty string implies an intra-area route. The destination is in an area to which the FortiGate unit is connected.
•
OSPF inter area
means the destination is in the OSPF AS, but the
FortiGate unit is not connected to that area.
•
External 1
means the destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the
OSPF cost together.
•
External 2
means the destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost.
•
OSPF NSSA 1
has the same meaning as External 1, but the route was received through a not-so-stubby area.
•
OSPF NSSA 2
has the same meaning as External 2, but the route was received through a not-so-stubby area.
The IP addresses and network masks of destination networks that the
FortiGate unit can reach.
The administrative distance associated with the route. A value of 0 means the route is preferable compared to routes to the same destination.
To modify the administrative distance assigned to static routes, see
“Adding a static route to the routing table” on page 184 . Refer to the
FortiGate CLI
Reference
for dynamic routes.
210
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Router Monitor Searching the FortiGate routing table
Metric
Gateway
Interface
Up Time
The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table:
•
Hop count is used for routes learned through RIP.
•
Relative cost is used for routes learned through OSPF.
•
Multi-Exit Discriminator (MED) is used for this metric for routes learned through BGP. However, several attributes besides MED determine the best path to a destination network.
The IP addresses of gateways to the destination networks.
The interface through which packets are forwarded to the gateway of the destination network.
The total accumulated amount of time that a route learned through RIP,
OSPF, or BGP has been reachable.
Searching the FortiGate routing table
You can apply a filter to search the routing table and display certain routes only.
For example, you can display static routes, connected routes, routes learned through RIP, OSPF, or BGP, and/or routes associated with the network or gateway that you specify.
If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed (an implicit AND condition is applied to all of the search parameters you specify).
For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries.
Any entry that contains the word “Connected” in its Type field and the specified value in the Gateway field will be displayed.
1
2
3
4
5
To search the FortiGate routing table
Go to Router > Monitor > Routing Monitor.
From the Type list, select the type of route to display. For example, select
Connected to display all connected routes, or select RIP to display all routes learned through RIP.
If you want to display routes to a specific network, type the IP address and netmask of the network in the Networks field.
If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
Select Apply Filter.
Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
211
Searching the FortiGate routing table Router Monitor
212
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy About firewall policies
Firewall Policy
Firewall policies control all traffic passing through the FortiGate unit. Add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
The following topics are included in this section:
•
•
Viewing the firewall policy list
•
•
About firewall policies
Firewall policies are instructions the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
For the packet to be connected through the FortiGate unit, the source address, destination address, and service of the packet must match a firewall policy. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.
Each policy can be configured to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. Add
IP pools to use dynamic NAT when the firewall translates source addresses. Use policies to configure port address translation (PAT) through the FortiGate unit.
Add protection profiles to firewall policies to apply different protection settings for the traffic that is controlled by firewall policies. For details about protection profiles, see
“Firewall Protection Profile” on page 271
.
Enable traffic logging for a firewall policy so the FortiGate unit logs all connections that use this policy.
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. Arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. Exceptions to that policy are added to the policy list above the default policy. No policy below the default policy will ever be matched.
Policy options are configurable when creating or editing a firewall policy.
Depending on the type of action selected, a different set of options is presented.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
213
Viewing the firewall policy list Firewall Policy
How policy matching works
When the FortiGate unit receives a connection attempt at an interface, it selects a policy list to search through for a policy that matches the connection attempt. The
FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.
The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped. As a general rule, always order firewall policies from most specific to most general.
General policies are policies that can accept connections from multiple source and destination addresses or from address ranges. General policies can also accept connections from multiple service ports or have schedules that mean the policy can be matched over a wide range of times and dates. If you want to add policies that are exceptions to general policies, then these specific exception policies should be added to the policy list above the general policies.
For example, you may have a general policy that allows all users on your internal network to access all services on the Internet. If you want to block access to FTP servers on the Internet, you should add a policy that denies FTP connections above the general policy. The deny policy blocks FTP connections, but connection attempts for all other kinds of services do not match the FTP policy but do match the general policy. Therefore, the firewall still accepts all connections from the internal network to the Internet other than FTP connections.
Also note the following about policy matching:
• Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.
• IPSec VPN tunnel mode policies must be added to the policy list above matching accept or deny policies
• SSL VPN policies must be added to the policy list above matching accept or deny policies
Viewing the firewall policy list
If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain. To access policies, select a virtual domain from the main menu.
You can add, delete, edit, and re-order policies in the policy list.
To view the policy list, go to Firewall > Policy.
214
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Viewing the firewall policy list
Figure 117:Sample policy list
Filter
Delete
Edit
Insert Policy Before
Move To
The policy list displays the following information by default:
Create New
Column Settings
Filter icon
ID
Source
Destination
Schedule
Service
choose to either add a firewall policy or firewall policy section.
A firewall policy section is a way of grouping firewall policies.
Select to customize the table view. You can select the columns to show and specify the column displaying order in the table.
Select to edit the column filters, which allow you to filter or sort the policy list according to the criteria you specify.
The policy identifier. Policies are numbered in the order they are added to the policy list.
The source address or address group to which the policy
applies. See “Firewall Address” on page 235
. Address information can also be edited from the policy list. Clicking on the address opens the Edit Address dialog box.
The destination address or address group to which the policy
applies. See “Firewall Address” on page 235
. Address information can also be edited from the policy list. Clicking on the address opens the Edit Address dialog box.
The schedule that controls when the policy should be active.
See
“Firewall Schedule” on page 247 .
The service to which the policy applies. See “Firewall
.
Profile
Action
Delete icon
The protection profile that is associated with the policy.
The response to make when the policy matches a connection attempt.
Select to delete the policy from the list.
Edit icon
Move To icon
Select to open the policy for editing.
Insert Policy Before icon
Select to add a new policy above the corresponding policy
(the New Policy screen appears).
Select to move the corresponding policy before or after
Adding a firewall policy
3
4
1
2
Use the following steps to add a firewall policy to a firewall policy list.
Go to Firewall > Policy.
Select Create New or select the Insert Policy before icon beside a policy in the list to add the new policy above that policy.
Select the source and destination interfaces.
Select the source and destination addresses.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
215
Configuring firewall policies Firewall Policy
5
6
7
Configure the policy.
For information about configuring policies, see
“Configuring firewall policies” on page 216
.
Select OK.
Arrange policies in the policy list so they have the expected results.
For information about arranging policies in a policy list, see
“How policy matching works” on page 214
and
“Moving a policy to a different position in the policy list” .
Moving a policy to a different position in the policy list
You can move a policy in the list to influence how policies are evaluated. When more than one policy has been defined for the same interface pair, the policy that is first in the list is evaluated first.
The ordering of firewall encryption policies is important to ensure that they take effect as expected—firewall encryption policies must be evaluated before regular firewall policies.
Moving a policy in the list does not change its policy ID number.
Figure 118:Move Policy
3
4
1
2
Go to Firewall > Policy.
Select the Move To icon in the row beside the policy that you want to move.
Specify the position for the policy.
Select OK.
Configuring firewall policies
Use firewall policies to define how a firewall policy is selected to be applied to a communication session and to define how the FortiGate unit process the packets in that communication session.
To add or edit a firewall policy go to Firewall > Policy.
You can add ACCEPT policies that accept communication sessions. Using an accept policy you can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy. An ACCEPT policy can enable interface-mode IPSec VPN traffic if either the source or the
destination is an IPSec virtual interface. For more information, see “Overview of
IPSec interface mode” on page 285 .
You can add DENY policies to deny communication sessions.
216
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Configuring firewall policies
You can also add IPSec encryption policies to enable IPSec tunnel mode VPN traffic and SSL VPN encryption policies to enable SSL VPN traffic. Firewall encryption policies determine which types of IP traffic will be permitted during an
IPSec or SSL VPN session. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever an IP packet of the specified type arrives at the FortiGate interface to the local private network. For more information, see
“IPSec firewall policy options” on page 226
and/or
“SSL-VPN firewall policy options” on page 226 .
Figure 119:Policy options - NAT/Route mode ACCEPT policy
Figure 120:Policy options - Transparent mode ACCEPT policy
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
217
Configuring firewall policies
Figure 121:Policy options - DENY policy
Firewall Policy
Figure 122:Policy options - FortiClient check
218
The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session
Schedule defines when the firewall policy is enabled.
Service matches the firewall policy with the service used by a communication session.
Action defines how the FortiGate unit processes traffic. Specify an action to accept or deny traffic or configure a firewall encryption policy.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Configuring firewall policies
You can use the remaining firewall policy options (NAT, Protection Profile, Log
Allowed Traffic, Log Violation Traffic, Authentication, and Traffic shaping) to set additional features. Log Violation Traffic can be applied to policies that deny traffic. Differentiated services can be configured through CLI commands (see the
“firewall” chapter of the
FortiGate CLI Reference
).
Firewall policy options
Go to Firewall > Policy and select Create New to add a firewall policy. You can configure the following firewall policy options:
Source
Specify the origination characteristics of IP packets that will be subject to the policy.
Interface/Zone
Select the name of the FortiGate interface or zone on which IP packets are received. Interfaces and zones are
configured on the System Network page. See “Interface” on page 69
for information about interfaces. See “Zone” on page 87 for information about zones.
If Action is set to IPSEC, the interface is associated with the local private network.
If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.
Address Name
Select the name of a previously defined IP address to associate with the source interface or zone, or select
Create New to define a new IP address. A packet must have the associated IP address in its header to be subject to the policy. Addresses can be created in advance. See
“Configuring addresses” on page 237
.
If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the
FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.
Destination
Specify the destination characteristics of IP packets that will be subject to the policy.
Interface/Zone
Select the name of the FortiGate interface or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. See
“Interface” on page 69 for information about interfaces.
See
“Zone” on page 87 for information about zones.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private network.
Address Name
Select the name of a previously defined IP address to associate with the destination interface or zone, or select
Create New to define a new IP address. A packet must have the associated IP address in its header to be subject to the policy. Addresses can be created in advance. See
“Configuring addresses” on page 237
.
If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
219
Configuring firewall policies Firewall Policy
Schedule
Service
Action
NAT
Select a one-time or recurring schedule that controls when the policy is available to be matched with communication sessions. Schedules can
be created in advance by going to Firewall > Schedule. See “Firewall
You can also select Create New to create a Recurring or One-time schedule during policy configuration. Add the information required for the recurring or one-time schedule and select OK. The new schedule is added to the Schedule list.
Select the name of a service or service group that matches the service or protocol of the packets to be matched with this policy. Select from a wide range of predefined services. Custom services can be created in advanced by going to Firewall > Service > Custom. Service groups can be created in advance by going to Firewall > Service > Group. See
“Configuring custom services” on page 243 and
“Configuring service groups” on page 245 .
You can also select Create New to create a custom service or a service group during policy configuration. Add the information required for the custom service or service group and select OK. The new custom service or service group is added to the Service list.
Select how you want the firewall to respond when a packet matches the conditions of the policy.
ACCEPT
Accept traffic matched by the policy. You can configure
NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.
DENY
IPSEC
Reject traffic matched by the policy. The only other configurable policy options are to log traffic (to log the connections denied by this policy) or add a comment.
Configure an IPSec firewall encryption policy, which causes the FortiGate unit to process IPSec VPN packets.
See
“IPSec firewall policy options” on page 226
.
SSL-VPN
Configure an SSL-VPN firewall encryption policy, which causes the FortiGate unit to accept SSL VPN traffic. This option is available only after you have added a SSL-VPN
user group. See “SSL-VPN firewall policy options” on page 226 .
Enable Network Address Translation for the policy. NAT translates the source address and port of packets accepted by the policy. When NAT is selected, Dynamic IP Pool and Fixed Port can be configured. NAT is not available in Transparent mode.
220
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Configuring firewall policies
Dynamic IP Pool
Select to translate the source address to an address randomly selected from an IP Pool. An IP
Pool can be a single IP address or an IP address range. An IP pool list appears if IP Pool addresses have been added to the destination interface.
Select the name of an IP Pool added to the destination interface to cause the FortiGate unit to translate the source address to one of the addresses defined by this IP Pool.
Dynamic IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or
PPPoE.
You cannot use IP pools when using zones. An IP pool can only be associated with an interface.
For information about adding IP Pools, see
Fixed Port
Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is changed. In most cases, if Fixed
Port is selected, Dynamic IP pool is also selected.
If Dynamic IP pool is not selected, a policy with
Fixed Port selected can only allow one connection at a time.
Protection
Profile
Log Allowed
Traffic
Log Violation
Traffic
Select a protection profile to configure how antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging are applied to a firewall policy. Protection profiles can be created in advance or during profile configuration. Profiles created at this point appear in the protection profile list. For information about adding and
configuring Protection profiles, see “Firewall Protection Profile” on page 271 .
For authentication in the advanced settings, the protection profile option is disabled because the user group chosen for authentication ia already tied to a protection profile. For more information about adding authentication to firewall policies, see
“Adding authentication to firewall policies” on page 222 .
Select Log Allowed Traffic, for Accept, IPSEC or SSL-VPN policies to record messages to the traffic log whenever the policy processes a connection. Enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower. For information about
logging, see “Log&Report” on page 407 .
Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. Enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower. For information about logging, see
.
Authentication
Add users and a firewall protection profile to a user group before selecting Authentication. For information about adding and configuring
user groups, see “User group” on page 327 . Authentication is available
if Action is set to Accept or SSLVPN. For more information about adding authentication to firewall policies, see
“Adding authentication to firewall policies” on page 222 .
Check FortiClient is Installed and
Running
On the FortiGate model 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. See
“Options to check FortiClient on hosts” on page 227 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
221
Configuring firewall policies Firewall Policy
Traffic Shaping
Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy.
Note:
•
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
•
Distribute firewall policies over all three priority queues (low, medium and high).
User
Authentication
Disclaimer
Redirect URL
Comments
•
Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
For information about how to configure traffic shaping, see
“Adding traffic shaping to firewall policies” on page 223
Display the Authentication Disclaimer page (a replacement message).
The user must accept the disclaimer to connect to the destination. You can use the disclaimer in conjunction with authentication or a protection profile. This option is available on some models. It is not available for
SSL-VPN policies.
If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer. This option is available on some models. It is not available for SSL-VPN policies.
Add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Adding authentication to firewall policies
Add users and a firewall protection profile to a user group before selecting
Authentication. For information about adding and configuring user groups, see
. Authentication is available if Action is set to Accept.
Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.
Figure 123:Selecting user groups for authentication
222
Select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate, add an HTTP,
Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy, they are prompted to enter a firewall username and password.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Configuring firewall policies
The Firewall authentication method includes locally defined user groups, as well as LDAP, and RADIUS users. Select Active Directory from the drop-down list to choose Active Directory groups defined in User > User Group. Authentication with Active Directory groups and other groups cannot be combined in the same policy.
Note: To allow the FortiGate unit to authenticate with an Active Directory server, the
Fortinet Server Authentication Extensions (FSAE) must be installed on the Active Directory
Domain Controller. FSAE is available from Fortinet Technical Support.
For users to authenticate using other services (for example POP3 or IMAP), create a service group that includes the services for which to require authentication, as well as HTTP, Telnet, and FTP. Users can then authenticate with the policy using HTTP, Telnet, or FTP before using the other service.
In most cases, ensure users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or
Telnet server using a domain name.
Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.
Adding traffic shaping to firewall policies
Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth.
Traffic shaping is available for Accept, IPSEC, and SSL-VPN policies. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP.
Guaranteed and maximum bandwidth in combination with queuing ensures minimum and maximum bandwidth is available for traffic.
Traffic shaping cannot increase the total amount of bandwidth available, but it can be used to improve the quality of bandwidth-intensive and sensitive traffic.
Note: For more information would traffic shaping you can also see the
FortiGate Traffic
Shaping Technical Note
.
Guaranteed bandwidth and maximum bandwidth
When you enter a value in the Guaranteed Bandwidth field of a firewall policy you guarantee the amount of bandwidth available for selected network traffic (in
Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth to your e-commerce traffic.
When you enter a value in the Maximum Bandwidth field of a firewall policy you limit the amount of bandwidth available for selected network traffic
(in Kbytes/sec). For example, you may want to limit the bandwidth of IM traffic usage, so as to save some bandwidth for the more important e-commerce traffic.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
223
Configuring firewall policies Firewall Policy
The bandwidth available for traffic controlled by a policy is used for both the control and data sessions and is used for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal to external FTP policy, and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy.
The guaranteed and maximum bandwidth available for a policy is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communications session using the same policy, all of these communications sessions must share from the bandwidth available for the policy.
However, bandwidth availability is not shared between multiple instances of using the same service if these multiple instances are controlled by different policies.
For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.
Traffic Priority
Set traffic priority to manage the relative priorities of different types of traffic.
Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority.
The FortiGate Antivirus Firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and ecommerce traffic. Then you can assign a high priority to the policy that controls voice traffic and a medium priority to the policy that controls e-commerce traffic.
During a busy time, if both voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic will be transmitted before the ecommerce traffic.
Traffic shaping considerations
Traffic shaping will by definition attempt to “normalize” traffic peaks/bursts and can be configured to prioritize certain flows over others. But there is a physical limitation to the amount of data which can be buffered and for how long. Once these thresholds have been surpassed, frames and packets will be dropped, and sessions will be affected. Incorrect traffic shaping configurations may actually further degrade certain network flows, since the excessive discarding of packets can create additional overhead at the upper layers, which may be attempting to recover from these errors.
A basic traffic shaping example would be to prioritize certain traffic flows at the detriment of other traffic which can be discarded. This would mean that you accept to sacrifice certain performance and stability on traffic X, in order to increase or guarantee performance and stability to traffic Y.
If for example you are applying bandwidth limitations to certain flows, you must accept the fact that these sessions can be limited and therefore negatively impacted.
224
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Configuring firewall policies
1
2
3
Traffic shaping which is applied to a firewall policy, is enforced for traffic which may flow in either direction. Therefore a session which may be setup by an internal host to an external one, via a Internal -> External policy, will have Traffic shaping applied even if the data stream is then coming from external to internal.
For example, an FTP “get” or a SMTP server connecting to an external one, in order to retrieve email.
Also note that traffic shaping is effective for normal IP traffic at normal traffic rates.
Traffic shaping is not effective during extremely high-traffic situations where the traffic is exceeding the FortiGate unit’s capacity. Packets must be received by the
FortiGate unit before they are subject to traffic shaping. If the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, ensure that the interface ethernet statistics are clean of errors, collisions or buffer overruns. If these are not clean, then FortiGate and switch settings may require adjusting.
To make traffic shaping work efficiently, be sure to observe the following rules:
• Enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
• Distribute firewall policies over all three priority queues (low, medium and high).
Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.Configuring
FortiGate traffic shaping
You enable and specify traffic shaping settings when you configure firewall policies.
To configure traffic shaping
Go to Firewall > Policy.
When you create a new policy or edit a policy, select the Traffic Shaping option.
Configure the following three options:
Guaranteed
Bandwidth
Maximum
Bandwidth
Use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to ensure there is enough bandwidth available for a high-priority service.
Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
Use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority
Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
Distribute firewall policies over all three priority queues.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
225
Configuring firewall policies Firewall Policy
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.
IPSec firewall policy options
When Action is set to IPSEC, the following options are available:
Figure 124:IPSEC encryption policy
VPN Tunnel
Allow Inbound
Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.
Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.
Allow outbound
Select to enable traffic from computers on the local private network to initiate the tunnel.
Inbound NAT
Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.
Outbound NAT
Select in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. Do not select Outbound NAT unless you specify a natip value through the CLI. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the “firewall” chapter of the
FortiGate CLI Reference
.
Note: Route-based (interface mode) IPSec tunnels are not configured the same way as tunnel mode IPSec tunnels: instead of defining a (tunnel mode “IPSEC”) firewall encryption policy to permit VPN connections and control IP traffic through the tunnel, one binds a route-based VPN tunnel to an IPSec virtual interface, and then specifies the IPSec virtual interface as a source or destination interface in a regular (ACCEPT or DENY) firewall policy.
For more information, see the “Defining a firewall encryption policy” chapter of the
FortiGate IPSec VPN User Guide
.
SSL-VPN firewall policy options
When Action is set to SSL-VPN, the following options are available:
Note: The SSL-VPN option is available from the Action list after one or more SSL VPN user groups have been created. To create user accounts and SSL VPN user groups, see
“Configuring SSL VPN user group options” on page 332 .
Figure 125:SSL-VPN encryption policy
226
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Configuring firewall policies
SSL Client
Certificate
Restrictive
Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
Cipher Strength
Select one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
• To use any cipher suite, select Any.
• To use a 164-bit or greater cipher suite, select High >= 164.
• To use a 128-bit or greater cipher suite, select Medium >= 128.
User
Authentication
Method
Select one of the following options:
• If the user group that will be bound to this firewall policy is a local user group, select Local.
• If the remote clients will be authenticated by an external RADIUS server, select Radius.
• If the remote clients will be authenticated by an external LDAP server, select LDAP.
• Select Any to enable all of the above authentication methods. Local is attempted first, then Radius, then LDAP.
Available Groups Select the name of the user group requiring SSL VPN access, and then select the right-pointing arrow. Do not select more than one user group unless all members of the selected user groups have identical access requirements.
For information about how to create a firewall encryption policy for SSL VPN users, see the “SSL VPN administration tasks” chapter of the
FortiGate SSL VPN
User Guide
.
Options to check FortiClient on hosts
On the FortiGate model 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. This feature can detect FortiClient software version 3.0 MR2 or later.
Figure 126:FortiClient Host Security check options
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
227
Firewall policy examples Firewall Policy
Check FortiClient Installed and Running
Select to check that the source host is running FortiClient
Host Security software. Enable the following reasons to deny access as needed:
•
FortiClient is Not Installed
•
FortiClient is Not Licensed
•
AV/IPS Database Out-of-Date
•
AV Disabled
•
Firewall Disabled
•
Web Filter Disabled
Redirect Restricted Users to
FortiGate Download Portal
Select to redirect denied users to the internal web portal which provides the reason for denial. On units that support it, users can download FortiClient Host Security software.
Firewall policy examples
FortiGate units are fully capable of meeting various network requirements from home use to SOHO, to large enterprises and ISPs. The following two scenarios will demonstrate the practical applications of firewall policies in the SOHO and large enterprise environments.
For more detail on these two examples please see the Example Library Network and SOHO and SMB Network Protection example guides in the FortiOS v3.0 MR2 documentation.
•
Scenario one: SOHO sized business
•
Scenario two: enterprise sized business
Scenario one: SOHO sized business
Company A is a small software company performing development and providing customer support. In addition to their internal network of 15 computers, they also have several employees that work from home all or some of the time.
With their current network topography, all 15 of the internal computers are behind a router and must go to an external source to access the IPS Mail and Web servers. All home based employees access the router through open/non secured connections.
228
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy
Figure 127:Example SOHO network before FortiGate installation
Firewall policy examples
1
2
Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business.
They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution.
To deal with their first requirement company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network.
Go to Firewall > Policy.
Select Create New and enter or select the following settings for Home_User_1:
Interface / Zone
Address Name
Schedule
Service
Action
VPN Tunnel
Allow Inbound
Allow outbound
Inbound NAT
Outbound NAT
Protection Profile
Source: internal
Source:
CompanyA_Network
Always
ANY
IPSEC
Home1
Destination: wan1
Destination: Home_User_1 yes yes yes no
Enable and select standard_profile
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
229
Firewall policy examples Firewall Policy
3
4
5
Select OK
Select Create New and enter or select the following settings for Home_User_2:
Interface / Zone
Address Name
Schedule
Service
Action
VPN Tunnel
Allow Inbound
Allow outbound
Inbound NAT
Outbound NAT
Protection Profile
Select OK
Source: internal
Source:
CompanyA_network
Always
ANY
IPSEC
Home2_Tunnel
Destination: wan1
Destination: All yes yes yes no
Enable and select standard_profile
Figure 128:SOHO network topology with FortiGate-100
230
The proposed network is based around a ForitGate 100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home based employees now access the office network through the FortiGate unit via VPN tunnels.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy Firewall policy examples
Scenario two: enterprise sized business
Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet but none are linked with each other by dedicated connections.
The current network topography at the main location consists of three user groups. The main branch staff and public terminals access the servers in the DMZ behind the firewall. The catalog access terminals directly access the catalog server without first going through the firewall.
The topography at the branch office has all three users accessing the servers at the main branch via non secured internet connections.
Figure 129:The library system’s current network topology
The library must be able to set different access levels for patrons and staff members.
The first firewall policy for main office staff members allows full access to the
Internet at all times. A second policy will allow direct access to the DMZ for staff members. A second pair of policies are required to allow branch staff members the same access.
The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
231
Firewall policy examples Firewall Policy
A few users may need special web and catalog server access to update information on those servers, depending on how they’re configured. Special access can be allowed based on IP address or user.
The proposed topography has the main branch staff and the catalog access terminals going through a Fortigate HA cluster to the servers in a DMZ. The public access terminals first go through a ForitWiFi unit, where additional policies can be applied, to the HA Cluster and finally to the servers.
The branch office has all three users routed through a ForitWiFi unit to the main branch via VPN tunnels.
Figure 130:Proposed library system network topology
232
Policies are configured in Firewall > Policy. Protection Profiles are configured in
Firewall > Protection Profile.
Main office ‘staff to Internet’ policy:
Source Interface
Internal
Source Address
All
Destination Interface
External
Destination Address
All
Schedule
Always
Action
Accept
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Policy
Main office ‘staff to DMZ’ policy:
Source Interface
Internal
Source Address
All
Destination Interface
DMZ
Destination Address
Servers
Schedule
Always
Action
Accept
Branches ‘staff to Internet’ policy:
Source Interface
Branches
Source Address
Branch Staff
Destination Interface
External
Destination Address
All
Schedule
Always
Action
Accept
Branches ‘staff to DMZ’ policy:
Source Interface
Branches
Source Address
Branch Staff
Destination Interface
DMZ
Destination Address
Servers
Schedule
Always
Action
Accept
For more information regarding these examples, see:
• SOHO and SMB Configuration Example Guide
• FortiGate Enterprise Configuration Example
In the FortiGate section of http://docs.forticare.com.
Firewall policy examples
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
233
Firewall policy examples Firewall Policy
234
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Address About firewall addresses
Firewall Address
Add, edit, and delete firewall addresses as required. Firewall addresses are added to the source and destination address fields of firewall policies. Firewall addresses are added to firewall policies to match the source or destination IP addresses of packets that are received by the FortiGate unit.
The following topics are included in this section:
•
•
Viewing the firewall address list
•
•
Viewing the address group list
•
About firewall addresses
A firewall address can be:
• The IP address of a single computer (for example, 192.45.46.45).
• The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet).
• 0.0.0.0 to represent all possible IP addresses
The netmask corresponds to the type of address being added. For example:
• The netmask for the IP address of a single computer should be
255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0
An IP Range address represents:
• A range of IP addresses in a subnet (for example, 192.168.20.1 to
192.168.20.10)
Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address.
Organize related addresses into address groups to simplify policy creation.
A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address range. It can also be a fully qualified domain name
(FQDN).
Enter an IP address and netmask using the following formats:
• x.x.x.x/x.x.x.x, for example 192.168.1.0/255.255.255.0
• x.x.x.x/x, for example 192.168.1.0/24
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
235
Viewing the firewall address list Firewall Address
Enter an IP address range using the following formats:
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
• x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet
An IP/Mask address can represent:
• The address of a subnet (for example, a class C subnet, IP address:
192.168.20.0 and Netmask: 255.255.255.0).
• A single IP address (for example, IP Address: 192.168.20.1 and Netmask:
255.255.255.255)
• All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask:
0.0.0.0)
Enter an FQDN using the following formats:
• <host_name>.<second_level_domain_name>.<top_level_domain_name>
• <host_name>.<top_level_domain_name>
An FQDN can be:
• www.fortinet.com
• example.com
Viewing the firewall address list
If virtual domains are enabled on the FortiGate unit, addresses are configured separately for each virtual domain. To access addresses, select a virtual domain from the list in the main menu.
Add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address which represents any IP address on the network. Addresses in the list are sorted by type: IP/Mask, IP Range, and FQDN.
To view the address list, go to Firewall > Address.
Figure 131:Sample address list
236
The address list has the following icons and features:
Create New
Name
Select to add a firewall address.
The name of the firewall address.
Address/FQDN
The IP address and mask, IP address range, or fully qualified domain name.
Delete icon
Select to remove the address from the list. The Delete icon is only available if the address has not been used in a firewall policy.
Edit icon
Select to edit the following information: Name, Type, Subnet/IP Range.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Address Configuring addresses
Configuring addresses
Addresses can also be created or edited during firewall policy configuration from the firewall policy window.
One FQDN may be mapped to multiple machines for load balancing and HA. A single FQDN firewall policy can be created in which the FortiGate unit automatically resolves and maintains a record of all addresses to which the FQDN resolves.
!
Caution: Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks. Be very cautious when using this feature.
To add an IP address, IP range, or FQDN, go to Firewall > Address, select
Create New.
Figure 132:New address or IP range options
Address Name
Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Type
Interface
Select the type of address: Subnet/IP Range or FQDN.
Subnet/IP Range Enter the firewall IP address, forward slash, and subnet mask or enter an IP address range separated by a hyphen
Select the interface or zone you want the IP address to associate with.
Select Any if you want to associate the IP address with the interface/zone when you create the policy.
Viewing the address group list
If virtual domains are enabled on the FortiGate unit, address groups are configured separately for each virtual domain. To access address groups, select a virtual domain from the list in the main menu.
Organize related addresses into address groups to make it easier to configure policies. For example, after adding three addresses and configuring them in an address group, configure a single policy using all three addresses.
To view the address group list, go to Firewall > Address > Group.
Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
237
Configuring address groups Firewall Address
Figure 133:Sample address group list
The address group list has the following icons and features:
Create New
Group Name
Members
Delete icon
Edit icon
Select to add an address group.
The name of the address group.
The addresses in the address group.
Select to remove the group from the list. The Delete icon is only available if the address group has not been used in a firewall policy.
Select to edit the following information: Group Name and Members.
Configuring address groups
Address groups can be created during firewall configuration by selecting Create
New from the Address dropdown list.
To organize addresses into an address group, go to Firewall > Address > Group.
Figure 134:Address group options
238
Group Name
Available
Addresses
Members
Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
The list of configured and default firewall addresses. Use the arrows to move addresses between the lists.
The list of addresses in the group. Use the arrows to move addresses between the lists.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Service Viewing the predefined service list
Firewall Service
Use services to determine the types of communication accepted or denied by the firewall. Add any of the predefined services to a policy. Create custom services for each virtual domain and add services to service groups.
The following topics are included in this section:
•
Viewing the predefined service list
•
Viewing the custom service list
•
•
Viewing the service group list
•
Viewing the predefined service list
If virtual domains are enabled on the FortiGate unit, predefined services are available globally.
To view the predefined service list, on the main menu, select Global Configuration then go to Firewall > Service.
Figure 135:Predefined service list
The predefined services list has the following icons and features:
Name
Detail
The name of the predefined service.
The protocol for each predefined service.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
239
Viewing the predefined service list
240
Firewall Service
Table 32 lists the FortiGate predefined firewall services. Add these services to any policy.
Table 32: FortiGate predefined services
Service name
AH
ANY
AOL
BGP
DHCP
DNS
ESP
FINGER
FTP
FTP_GET
FTP_PUT
GOPHER
GRE
H323
HTTP
HTTPS
Description
Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
Protocol
Match connections on any port. A connection using any of the predefined services is allowed through the firewall.
AOL instant messenger protocol.
Dynamic Host Configuration Protocol
(DHCP) allocates network addresses and delivers configuration parameters from
DHCP servers to hosts.
Domain name service for translating domain names into IP addresses.
all
TCP
Border Gateway Protocol routing protocol.
BGP is an interior/exterior routing protocol.
TCP
UDP
TCP
UDP
Encapsulating Security Payload. This service is used by manual key and
AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE.
A network service providing information about users.
TCP
FTP service for transferring files.
FTP service for uploading files.
FTP service for downloading files
Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
TCP
TCP
Generic Routing Encapsulation. A protocol allowing an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
H.323 multimedia protocol. H.323 is a standard approved by the International
Telecommunication Union (ITU) defining how audiovisual conferencing data is transmitted across networks. For more information see the
FortiGate Support for
H.323 Technical Note
.
TCP
HTTP is the protocol used by the word wide web for transferring data for web pages.
HTTP with secure socket layer (SSL) service for secure communication with web servers.
TCP
TCP
TCP
TCP
Port
51 all
5190-5194
179
67
53
53
50
79
21
21
21
70
47
1720, 1503
80
443
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Service Viewing the predefined service list
Table 32: FortiGate predefined services (Continued)
Service name
ICMP_ANY
IKE
IMAP
NTP
NetMeeting
OSPF
PC-Anywhere
PING
POP3
PPTP
QUAKE
Description
Internet Control Message Protocol is a message control and error-reporting protocol between a host and gateway
(Internet).
Protocol
ICMP
IKE is the protocol to obtain authenticated keying material for use with ISAKMP for
IPSEC.
UDP
Internet Message Access Protocol is a protocol used for retrieving email messages.
TCP
INFO_ADDRESS ICMP information request messages.
ICMP
INFO_REQUEST ICMP address mask request messages.
ICMP
IRC
TCP
Internet-
Locator-Service
Internet Relay Chat allows people connected to the Internet to join live discussions.
Internet Locator Service includes LDAP,
User Locator Service, and LDAP over
TLS/SSL.
TCP
L2TP
LDAP
NFS
L2TP is a PPP-based tunnel protocol for remote access.
TCP
Lightweight Directory Access Protocol is a set of protocols used to access information directories.
TCP
Network File System allows network users to access shared files stored on computers of different types.
TCP
NNTP
Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages.
Network time protocol for synchronizing a computer’s time with a time server.
TCP
TCP
NetMeeting allows users to teleconference using the Internet as the transmission medium.
TCP
Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol.
PC-Anywhere is a remote control and file transfer protocol.
ICMP echo request/reply for testing connections to other devices.
UDP
ICMP
Post office protocol is an email protocol for downloading email from a POP3 server.
TCP
TCP Point-to-Point Tunneling Protocol is a protocol allowing corporations to extend their own corporate network through private tunnels over the public Internet.
For connections used by the popular
Quake multi-player computer game.
UDP
RAUDIO
RIP
For streaming real audio multimedia traffic. UDP
Routing Information Protocol is a common distance vector routing protocol.
UDP
Port
500
143
17
15
6660-6669
389
1701
389
111, 2049
119
123
1720
89
5632
8
110
1723
26000,
27000,
27910,
27960
7070
520
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
241
Viewing the predefined service list Firewall Service
Table 32: FortiGate predefined services (Continued)
Service name
RLOGIN
SAMBA
SIP
SIP-
MSNmessenger
SMTP
SNMP
SSH
SYSLOG
TALK
TCP
TELNET
TFTP
TIMESTAMP
UDP
UUCP
VDOLIVE
WAIS
WINFRAME
X-WINDOWS
Description
Rlogin service for remotely logging into a server.
Protocol
TCP
Samba allows Microsoft Windows clients to utilize file and print services from
TCP/IP-enabled hosts.
TCP
Session Initiation Protocol defines how audiovisual conferencing data is transmitted across networks. For more information see the
FortiGate SIP Support
Technical Note
.
UDP
Session Initiation Protocol is used by
Microsoft Messenger to initiate an interactive, possibly multimedia session.
Simple Mail Transfer Protocol is used to send mail between email servers on the
Internet.
Simple Network Management Protocol is a set of protocols for managing complex networks
TCP
UDP
Secure Shell is a service for secure connections to computers for remote management.
TCP
UDP
Syslog service for remote logging.
A protocol supporting conversations between two or more users.
All TCP ports.
Telnet service for connecting to a remote computer to run commands.
TCP
TCP
UDP
UDP
TCP
TCP
Trivial File Transfer Protocol is a simple file transfer protocol similar to FTP but with no security features.
UDP
ICMP timestamp request messages.
ICMP
All UDP ports.
Unix to Unix copy utility, a simple file copying protocol.
UDP
UDP
For VDO Live streaming multimedia traffic. TCP
TCP Wide Area Information Server is an
Internet search protocol.
For WinFrame communications between computers running Windows NT.
TCP
For remote communications between an
X-Window server and X-Window clients.
TCP
Port
513
139
5060
1863
25
161-162
161-162
22
22
514
517-518
0-65535
23
69
13
0-65535
540
7000-7010
210
1494
6000-6063
242
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Service Viewing the custom service list
Viewing the custom service list
If virtual domains are enabled on the FortiGate unit, custom services are configured separately for each virtual domain. To access custom services, select a virtual domain from the list in the main menu.
Add a custom service to create a policy for a service that is not in the predefined service list.
To view the custom service list, go to Firewall > Service > Custom.
Figure 136:Custom service list
The custom services list has the following icons and features:
Create New
Select a protocol and then Create New to add a custom service.
Service Name
The name of the custom service.
Detail
Delete icon
Edit icon
The protocol and port numbers for each custom service.
Select to remove the entry from the list. The Delete icon is only available if the service has not been used in a firewall policy.
Select to edit the following information: Name, Protocol Type, Type,
Protocol Number, Code, Source Port, and Destination Port.
Configuring custom services
Custom services can be created during firewall policy configuration by selecting
Create New from the Service dropdown list.
1
2
3
To add a custom TCP or UDP service
Go to Firewall > Service > Custom.
Set Protocol Type to TCP/UDP.
Configure the following.
Figure 137:New Custom Service - TCP/UDP
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
243
Configuring custom services Firewall Service
1
2
3
Name
Enter a name for the custom service.
Protocol Type
Select the protocol type of the custom service: TCP/UDP.
Protocol
Source Port
Select TCP or UDP as the protocol of the port range being added.
Specify the Source Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields. The default values allow the use of any source port.
Destination Port Specify the Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
Add
Delete Icon
If the custom service being created requires more than one port range, select Add to allow more source and destination ranges.
Select to remove the entry from the list.
To add a custom ICMP service
Go to Firewall > Service > Custom.
Set Protocol Type to ICMP.
Configure the following.
Figure 138:New Custom Service - ICMP
244
1
2
3
Name
Enter the name of the ICMP custom service.
Protocol Type
Select the protocol type of the service being added: ICMP.
Type
Enter the ICMP type number for the service.
Code
Enter the ICMP code number for the service if required.
To add a custom IP service
Go to Firewall > Service > Custom.
Set Protocol Type to IP.
Configure the following.
Figure 139:New Custom Service - IP
Name
Enter the name of the IP custom service.
Protocol Type
Select the protocol type of the service being added: IP.
Protocol Number The IP protocol number for the service.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Service Viewing the service group list
Viewing the service group list
If virtual domains are enabled on the FortiGate unit, service groups are created separately for each virtual domain. To access service groups, select a virtual domain from the list in the main menu.
To make it easier to add policies, create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. A service group cannot be added to another service group.
To view the service group list, go to Firewall > Service > Group.
Figure 140:Sample service group list
The service group list has the following icons and features:
Create New
Group Name
Members
Delete icon
Edit icon
Select to add a service group.
The name to identify the service group.
The services added to the service group.
Select to remove the entry from the list. The Delete icon is only available if the service group has not been used in a firewall policy.
Select to edit the following information: Group Name and Members.
Configuring service groups
Service groups can be created during firewall policy configuration by selecting
Create New from the dropdown list.
To organize services into a service group, go to Firewall > Service > Group.
Figure 141:Service group options
Group Name
Available
Services
Members
Enter a name to identify the service group.
The list of configured and predefined services. Use the arrows to move services between the lists.
The list of services in the group. Use the arrows to move services between the lists.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
245
Configuring service groups Firewall Service
246
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Schedule Viewing the one-time schedule list
Firewall Schedule
This section describes how to use schedules to control when policies are active or inactive. You can create one-time schedules or recurring schedules. One-time schedules are effective once for the period of time specified in the schedule.
Recurring schedules repeat weekly. Recurring schedules are effective only at specified times of the day or on specified days of the week.
The following topics are included in this section:
•
Viewing the one-time schedule list
•
Configuring one-time schedules
•
Viewing the recurring schedule list
•
Configuring recurring schedules
Viewing the one-time schedule list
If virtual domains are enabled on the FortiGate unit, one-time schedules are configured separately for each virtual domain. To access one-time schedules, select a virtual domain from the list on the main menu.
Create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times. Add a one-time schedule to block access to the Internet during a holiday period.
To view the one-time schedule list, go to Firewall > Schedule > One-time.
Figure 142:One-time schedule list
The one-time schedule list has the following icons and features:
Create New
Name
Start
Stop
Delete icon
Edit icon
Select to add a one-time schedule.
The name of the one-time schedule.
The start date and time for the schedule.
The stop date and time for the schedule.
Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy.
Select to edit the schedule.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
247
Configuring one-time schedules Firewall Schedule
Configuring one-time schedules
One-time schedules can be created during firewall policy configuration by selecting Create New from the Schedule dropdown list.
To add a one-time schedule, go to Firewall > Schedule > One-time.
Figure 143:New One-time Schedule
248
Name
Start
Stop
Enter the name to identify the one-time schedule.
Enter the start date and time for the schedule.
Enter the stop date and time for the schedule.
Set start and stop time to 00 for the schedule to be active for the entire day. Onetime schedules use a 24-hour clock.
Viewing the recurring schedule list
If virtual domains are enabled on the FortiGate unit, recurring schedules are created separately for each virtual domain. To access recurring schedules, select a virtual domain from the list on the main menu.
Create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, prevent game play during working hours by creating a recurring schedule.
Note: A recurring schedule with a stop time that occurs before the start time starts at the start time and finishes at the stop time on the next day. Use this technique to create recurring schedules that run from one day to the next. Create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Figure 144:Recurring schedule list
The recurring schedule list has the following icons and features:
Create New
Name
Day
Start
Select to add a recurring schedule.
The name of the recurring schedule.
The initials of the days of the week on which the schedule is active.
The start time of the recurring schedule.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Schedule Configuring recurring schedules
Stop
Delete icon
Edit icon
The stop time of the recurring schedule.
Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy.
Select to edit the schedule.
Configuring recurring schedules
Recurring schedules can be created during firewall policy configuration by selecting Create New from the Schedule dropdown list.
To add a recurring schedule, go to Firewall > Schedule > Recurring.
Figure 145:New Recurring Schedule
Name
Select
Start
Stop
Enter the name to identify the recurring schedule.
Select the days of the week for the schedule to be active.
Select the start time for the recurring schedule.
Select the stop time for the recurring schedule.
Recurring schedules use a 24-hour clock.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
249
Configuring recurring schedules Firewall Schedule
250
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP
Firewall Virtual IP
This section describes FortiGate Virtual IPs and IP Pools and how to configure and use them in firewall policies.
The following topics are included in this section:
•
•
•
•
•
•
•
•
•
Virtual IPs
Virtual IPs can be used to allow connections through a FortiGate unit using network address translation (NAT) firewall policies. Virtual IPs use Proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. Proxy ARP is defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so that the external interface can respond to connection requests for users who are actually connecting to a server on the DMZ or internal network.
How virtual IPs map connections through the FortiGate unit
An example use of static NAT virtual IP is to allow easy public access to a web server on a private network protected by a FortiGate unit. Reduced to its basics, this example involves only three parts, as shown in Figure 146 : the web server on a private network, the browsing computer on the Internet, and the FortiGate unit connecting the two networks.
A client computer attempts to contact the server. The client computer sends data packets and the FortiGate unit receives them. The addresses in the packets are remapped, and they’re forwarded to the server on the private network.
Figure 146:A simple static NAT virtual IP example.
Virtual IPs
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
251
Virtual IPs
252
Firewall Virtual IP
The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to
10.10.10.42 so the packets’ addresses are changed. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The
FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on their way and arrive at the server computer.
Figure 147:Example of packet address remapping during NAT from client to server.
Note that the client computer’s address does not appear in the packets the server receives. After the FortiGate unit translates the network addresses, there is no reference to the client computer’s network. The server has no indication another network exists. As far as the server can tell, all the communication is coming directly from the FortiGate unit.
When the server answers the client computer, the procedure works the same way but in the other direction. The server sends its response packets having a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The
FortiGate unit receives these packets at its internal interface. This time however, the firewall session table entry is used to determine what the destination address will be translated to.
In this example, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on their way and arrive at the client computer.
The server computer’s address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to the server computer’s network. The client has no indication the server’s private network exists. As far as the client is concerned, the FortiGate unit is the web server.
Figure 148:Example of packet address remapping during NAT from server to client.
Note: Virtual IPs are not available or required in transparent mode.
A Virtual IP can be a single IP address or an IP address range bound to a
FortiGate unit interface. When you bind an IP address or IP address range to a
FortiGate unit interface using a virtual IP, the interface responds to ARP requests for the bound IP address or IP address range.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP
If the NAT check box is not selected when building the firewall policy, the resulting policy will perform destination network address translation (DNAT). DNAT accepts packets from an external network that are intended for a specific destination IP address, translates the destination address of the packets to a mapped IP address on another hidden network, and then forwards the packets through the
FortiGate unit to the hidden destination network. Unlike in the previous examples, the source address is not translated. Once on the hidden destination network, the packets can arrive at their final destination.
Virtual IPs also translate the source IP address or addresses of return packets from the source address on the hidden network to be the same as the destination address of the originating packets.
Virtual IP ranges can be of almost any size and can translate addresses to different subnets. Virtual IP ranges have the following restrictions:
• The mapped IP cannot include 0.0.0.0 or 255.255.255.255.
• The external IP cannot be 0.0.0.0 if the virtual IP type is static NAT and is mapped to a range of IP addresses. Only load balance virtual IPs, and static NAT virtual IPs mapped to a single IP address, support an external IP of 0.0.0.0.
• Port mapping maps a range of external port numbers to a range of internal port numbers. The number of ports in these two ranges must be equal.
Therefore, the external port must not be set so that its range exceeds
65535. For example, an internal range of 20 ports mapped from external port 65530 is invalid as the last port in the range would be 65550.
• When port forwarding, the external IP range cannot include any interface IP addresses.
• The mapped IP range must not include any interface IP addresses.
• Virtual IP name cannot be the same as any address name or address group name.
• No duplicate entries or overlapping ranges are permitted.
In addition to binding the IP address or IP address range to the interface, the virtual IP also contains all of the information required to map the IP address or IP address range from the interface that receives the packets to the interface connected to the same network as the actual IP address or IP address range.
You can create different kinds of virtual IPs, each of which can be used for a different DNAT variation.
Virtual IPs
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
253
Virtual IPs
254
Firewall Virtual IP
Static NAT
Static NAT virtual IPs map an external IP address or IP address range on a source network to a mapped IP address or IP address range on a destination network.
Static NAT virtual IPs use one-to-one mapping. A single external IP address is mapped to a single mapped IP address. A range of external
IP addresses is mapped to a corresponding range of mapped IP addresses. A given IP address in the source address range is always mapped to the same IP address in the destination address range.
Static NAT Port
Forwarding
Static NAT port forwarding maps a single IP address or address range and a single port number or port range on one network to a different single IP address or address range and a different single port number or port range on another network.
Static NAT port forwarding is also just called port forwarding. Static NAT port forwarding virtual IPs use one-to-one mapping. A range of external
IP addresses is mapped to a corresponding range of mapped IP addresses and a range of external port numbers is mapped to a corresponding range of mapped port numbers.
Port forwarding virtual IPs can be used to configure the FortiGate unit for port address translation (PAT).
Load Balancing
Also called dynamic port forwarding. A load balancing virtual IP maps a single IP address on one network to an IP address range on another network.
Load balancing uses a one-to-many mapping and a load balancing algorithm to assign the destination IP address from the IP address range to ensure a more even distribution of traffic.
Load Balancing port forwarding
Load balancing with port forwarding maps a single IP address and port number on one network to a range of IP addresses and a range of port numbers on another network.
Load balancing port forwarding uses a one-to-many load balancing algorithm to assign the destination IP address from the IP address range to ensure a more even distribution of traffic, and also assigns the destination port from the destination port number range.
Dynamic virtual
IPs
Server Load
Balancing
Server Load
Balancing port forwarding
If you set the external IP address of a virtual IP to 0.0.0.0, you create a dynamic virtual IP in which any external IP address is translated to the mapped IP address or IP address range.
Server load balancing maps a single IP on one network to up to eight real server IPs on another network.
At least one real address must be added to use this feature.
Server load balancing with port forwarding maps a single IP address and port number on one network to up to eight specific server addresses and eight specific ports on another network.
You must add the virtual IP to a NAT firewall policy to actually implement the mapping configured in the virtual IP. To add a firewall policy that maps addresses on an external network to an internal network, you add an external to internal firewall policy and add the virtual IP to the destination address field of the policy.
For example, if the computer hosting a web server is located on the internal network, it might have a private IP address such as 10.10.10.42. To get packets from the Internet to the web server, there must be an external address for the web server on the Internet. Add a virtual IP to the firewall that maps the external IP address of the web server on the Internet to the actual address of the web server on the internal network. To allow connections from the Internet to the web server, add an external to internal firewall policy and set the Destination Address to the virtual IP.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP
Viewing the virtual IP list
To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.
Figure 149:Virtual IP list
Viewing the virtual IP list
The virtual IP list has the following icons and features:
Create New
Name
IP
Service Port
Select to add a virtual IP.
The name of the virtual IP.
The external IP address or IP address range.
The external port number or port number range. The service port is included in port forwarding virtual IPs.
The mapped to IP address or address range on the destination network.
Map to IP/IP
Range
Map to Port
Delete icon
Edit icon
The mapped to port number or port number range. The map to port is included in port forwarding virtual IPs.
Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not being used in a firewall policy.
Edit the virtual IP to change any virtual IP option including the virtual IP name.
Configuring virtual IPs
To add a virtual IP, go to Firewall > Virtual IP > Virtual IP and select Create new.
To edit a virtual IP, go to Firewall > Virtual IP > Virtual IP and select the Edit icon for the virtual IP to edit.
Name
Enter or change the name to identify the virtual IP. To avoid confusion, firewall policies, addresses, address groups, and virtual IPs cannot share names.
External Interface Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any
FortiGate interface, VLAN subinterface, or VPN interface.
Type
Select Static NAT, Load Balance, or Server Load Balance. For details about VIP types, see
“How virtual IPs map connections through the
.
External IP
Address/Range
Enter the external IP address that you want to map to an address on the destination network.
To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
255
Configuring virtual IPs Firewall Virtual IP
Mapped IP
Address/Range
Enter the real IP address on the destination network to which the external IP address is mapped.
You can also enter an address range to forward packets to multiple IP addresses on the destination network.
For a static NAT virtual IP, if you add a mapped IP address range the
FortiGate unit calculates the external IP address range and adds the
IP address range to the External IP Address/Range field.
Port forwarding
Select to add a port forwarding virtual IP.
Protocol
External Service
Port
Map to Port
Select the protocol (TCP or UDP) that you want the forwarded packets to use.
Enter the external service port number for which you want to configure port forwarding.
Real Servers
Enter the port number on the destination network to which the external port number is mapped.
You can also enter a port number range to forward packets to multiple ports on the destination network.
For a static NAT virtual IP, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service port field.
If you select Server Load Balancing for the VIP type, enter the real server IP addresses. At least one IP address is required and you can enter up to eight addresses.
To enter a server IP address, select Add under Real Servers and enter the following information:
IP: Enter the IP address of the server.
Port: If you enable port forwarding, enter the port number on the destination network to which the external port number is mapped.
Dead interval: The interval of time that a connection can remain idle before it is dropped. A range of 10-255 seconds can be used.
Wake interval: The interval of time the connection will try to detect a server before giving up. A range of 10-255 seconds can be used.
Weight: Determines the weight value of a specific server. The high the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used.
Health Check: Enable this option to check the status of the server before forwarding the session.
Ping Detection: Enable this option to use ping to test the server status. Health check must be enabled before using ping-detect.
Adding a static NAT virtual IP for a single IP address
The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private network. Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42 by the FortiGate unit. The computers on the
Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.
256
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP
Figure 150:Static NAT virtual IP for a single IP address example
Configuring virtual IPs
1
2
3
To add a static NAT virtual IP for a single IP address
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name
simple_static_NAT
External Interface external
Type
External IP
Address/Range
Static NAT
The Internet IP address of the web server.
The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using.
However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Figure 151:Virtual IP options: static NAT virtual IP for a single IP address
4
Select OK.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
257
Configuring virtual IPs Firewall Virtual IP
1
2
3
4
To add a static NAT virtual IP for a single IP address to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server.
Go to Firewall > Policy and select Create New.
Configure the firewall policy:
Source Interface/Zone
external
Source Address Name
All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name simple_static_nat
Schedule
always
Service
Action
HTTP
ACCEPT
Select NAT.
Select OK.
Adding a static NAT virtual IP for an IP address range
The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to
10.10.10.42-10.10.123.44 on a private network. Packets from Internet computers communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the
FortiGate unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43, and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.
Figure 152:Static NAT virtual IP for an IP address range example
258
1
2
To add a static NAT virtual IP for an IP address range
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP Configuring virtual IPs
3
Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name
External Interface
static_NAT_range external
Type
Static NAT
External IP Address/Range The Internet IP address range of the web servers.
The external IP addresses must be static IP addresses obtained from your ISP for your web server. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Map to IP/IP Range
The IP address range of the servers on the internal network.
Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Figure 153:Virtual IP options; static NAT virtual IP with an IP address range
4
1
2
3
4
Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the external
IP to the DMZ network IP addresses of the servers.
Go to Firewall > Policy and select Create New.
Configure the firewall policy:
Source Interface/Zone
Source Address Name
external
All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name static_NAT_range
Schedule
Service
Action
always
HTTP
ACCEPT
Select NAT.
Select OK.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
259
Configuring virtual IPs Firewall Virtual IP
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the
FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.
Figure 154:Static NAT virtual IP port forwarding for a single IP address and a single port example
260
1
2
3
To add static NAT virtual IP port forwarding for a single IP address and a single port
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name
External Interface
Port_fwd_NAT_VIP external
Type
Static NAT
External IP Address/Range The Internet IP address of the web server.
The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual
IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range
The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Port Forwarding
Protocol
External Service Port
Map Port
Selected
TCP
The port traffic from the Internet will use. For a web server, this will typically be port 80.
The port on which the server expects traffic. Since there is only one port, leave the second field blank.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP Configuring virtual IPs
Figure 155:Virtual IP options; Static NAT port forwarding virtual IP for a single IP address and a single port
4
1
2
Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the dmz network IP addresses of the web servers.
Go to Firewall > Policy and select Create New.
Configure the firewall policy:
Source Interface/Zone
external
Source Address Name
All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name Port_fwd_NAT_VIP
Schedule
Service
Action
always
HTTP
ACCEPT
Select NAT.
Select OK.
3
4
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the
Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the
FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.5 rather than a FortiGate unit with a private network behind it.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
261
Configuring virtual IPs Firewall Virtual IP
Figure 156:Static NAT virtual IP port forwarding for an IP address range and a port range example
262
1
2
3
4
To add static NAT virtual IP port forwarding for an IP address range and a port range
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name
External Interface
Type
Port_fwd_NAT_VIP_port_range external
Static NAT
External IP Address/Range The external IP addresses must be static IP addresses obtained from your ISP. This addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using.
However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external
IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Map to IP/IP Range
Port Forwarding
The IP addresses of the server on the internal network.
Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Selected
Protocol
External Service Port
Map Port
TCP
The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
Select OK.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP Configuring virtual IPs
1
2
3
4
To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the dmz network IP addresses of the web servers.
Go to Firewall > Policy and select Create New.
Configure the firewall policy:
Source Interface/Zone
external
Source Address Name
All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name Port_fwd_NAT_VIP_port_range
Schedule
always
Service
Action
HTTP
ACCEPT
Select NAT.
Select OK.
Adding a load balance virtual IP for an IP address range or real servers
The IP address 192.168.37.4 on the Internet is mapped to 10.10.123.42 through
10.10.123.44 on a private network. The IP address mapping is determined by the
FortiGate unit’s load balancing algorithm. Attempts to communicate with
192.168.37.4 from the Internet are translated and sent to 10.10.10.42,
10.10.10.10.43, or 10.10.10.44 by the FortiGate unit. The computers on the
Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.
Figure 157:Load balance virtual IP for an IP address range
1
2
To add a load balance virtual IP for an IP address range
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
263
Configuring virtual IPs Firewall Virtual IP
3
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name
External Interface
Load_Bal_VIP external
Type
Load Balance or Server Load Balance
External IP address/Range The Internet IP address of the web server.
The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual
IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range (Load
Balance type)
The IP address of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Real Servers (Server Load
Balance type)
If you select Server Load Balancing for the VIP type, enter the real server IP addresses. For details about real server
settings, see “Configuring virtual IPs” on page 255 .
Figure 158:Virtual IP options; load balancing virtual IP
264
4
1
2
Select OK.
To add a load balance virtual IP for an IP address range to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the dmz network IP addresses of the web servers.
Go to Firewall > Policy and select Create New.
Configure the firewall policy:
Source Interface/Zone
external
Source Address Name
All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name Load_Bal_VIP
Schedule
always
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP Configuring virtual IPs
3
4
Service
Action
Select NAT.
Select OK.
HTTP
ACCEPT
Adding a load balance port forwarding virtual IP
Connections to 192.168.37.4 on the Internet are mapped to 10.10.10.42 through
10.10.10.44 on a private network. The IP address mapping is determined by the
FortiGate unit’s load balancing algorithm. Ports 80 to 83 on 192.168.37.4 are mapped to 8000 through 8003, in sequence. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.
Figure 159:Load balance virtual IP port forwarding for an IP address range and a port range example
1
2
3
To add a load balance virtual IP for an IP address range
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name
External Interface
Type
Load_Bal_VIP_port_forward external
Load Balance
External IP Address/Range The Internet IP address of the web server.
The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual
IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range
The IP address of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
265
Configuring virtual IPs Firewall Virtual IP
4
1
2
3
4
Real Servers
Port Forwarding
Protocol
External Service Port
Map Port
If you select Server Load Balancing for the VIP type, enter the real server IP addresses. For details about real server
settings, see “Configuring virtual IPs” on page 255
.
Selected
TCP
The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
Select OK.
To add a load balance virtual IP for an IP address range to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the dmz network IP addresses of the web servers.
Go to Firewall > Policy and select Create New.
Configure the firewall policy:
Source Interface/Zone
external
Source Address Name
All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name Load_Bal_VIP_port_forward
Schedule
always
Service
Action
HTTP
ACCEPT
Select NAT.
Select OK.
Adding dynamic virtual IPs
Adding a dynamic virtual IP is similar to adding a virtual IP. The difference is that the External IP address must be set to 0.0.0.0 so the External IP address matches any IP address.
1
2
3
4
To add a dynamic virtual IP
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.
Enter a name for the dynamic virtual IP.
Select the virtual IP External Interface from the list.
The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Select any firewall interface or a VLAN subinterface.
266
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP Virtual IP Groups
5
6
7
8
9
Set the External IP Address to 0.0.0.0.
The 0.0.0.0 External IP Address matches any IP address.
Enter the External Service Port number for which to configure dynamic port forwarding.
The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be
1723 (the PPTP port).
Enter the Map to IP address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
Enter the Map to Port number to be added to packets when they are forwarded.
Enter the same number as the External Service Port if the port is not to be translated.
Select OK.
Virtual IP Groups
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ interface, if you have two email servers that use Virtual IP mapping, you can put these two VIPs into one VIP group and create one externalto-DMZ policy, instead of two policies, to control the traffic.
Viewing the VIP group list
To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group.
Figure 160:VIP Group list
The VIP group list has the following icons and features:
Create New
Group Name
Members
Interface
Delete icon
Edit icon
Select to add a new VIP group. See
“Configuring VIP groups” on page 268
.
The name of the virtual IP group.
Lists the group members.
Displays the interface that the VIP group belongs to.
Remove the VIP group from the list. The Delete icon only appears if the
VIP group is not being used in a firewall policy.
Edit the VIP group information, including the group name and membership.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
267
Configuring VIP groups Firewall Virtual IP
Configuring VIP groups
To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create new. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the
Edit icon for the VIP group to edit.
Figure 161:Editing a VIP group
268
Configure the following settings and select OK:
Group Name
Interface
Available VIPs and
Members
Enter or modify the group name.
Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Add or remove members.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Virtual IP
IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface.
An IP pool defines an address or a range of IP addresses, all of which respond to
ARP requests on the interface to which the IP pool is added.
Select Enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface.
With an IP pool added to the internal interface, you can select Dynamic IP pool for policies with the internal interface as the destination.
Add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy.
A single IP address is entered normally. For example, 192.168.110.100 is a valid
IP pool address. If an IP address range is required, use either of the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
IP pools and dynamic NAT
Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection on the external interface of the FortiGate unit.
Assign one of the organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the network to the Internet appear to come from this IP address.
For connections to originate from all the Internet IP addresses, add this address range to an IP pool for the external interface. Then select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.
IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. Select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.
IP pools
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
269
Viewing the IP pool list Firewall Virtual IP
Viewing the IP pool list
If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. IP pools are not available in Transparent mode.
To view the IP pool list go to Firewall > Virtual IP > IP Pool.
Figure 162:IP pool list
The IP pool list has the following icons and features:
Create New
Name
Start IP
End IP
Delete icon
Edit icon
Select to add an IP pool.
The name of the IP pool.
The start IP defines the start of an address range.
The end IP defines the end of an address range.
Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Select to edit the following information: Name, Interface, IP
Range/Subnet.
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
Figure 163:New Dynamic IP Pool
Name
Enter or change the name for the IP pool.
Interface
Select the interface to which to add an IP pool.
IP Range/Subnet Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The IP range does not have to be on the same subnet as the IP address of the interface to which the IP pool is being added.
270
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile What is a protection profile
Firewall Protection Profile
This section describes how to add protection profiles to NAT/Route mode and
Transparent mode policies.
The following topics are included in this section:
•
•
Viewing the protection profile list
•
•
Configuring a protection profile
•
Adding a protection profile to a policy
•
Protection profile CLI configuration
What is a protection profile
A protection profile is a group of settings you can adjust to suit a particular purpose. Since protection profiles apply different protection settings to traffic controlled by firewall policies, you can tailor the settings to the type of traffic each policy handles. Use protection profiles to:
• Configure antivirus protection for HTTP, FTP, IMAP, POP3, SMTP, and IM policies.
• Configure web filtering for HTTP and HTTPS policies.
• Configure web category filtering for HTTP and HTTPS policies.
• Configure spam filtering for IMAP, POP3, and SMTP policies.
• Enable IPS for all services.
• Configure content archiving for HTTP, HTTPS, FTP, IMAP, POP3, SMTP, and
IM policies.
• Configure IM filtering and access control for AIM, ICQ, MSN, Yahoo, and
SIMPLE instant messaging.
• Configure P2P access and bandwidth control for Bit Torrent, eDonkey,
Gnutella, Kazaa, Skype, and WinNY peer to peer clients.
• Configure which protection profile actions will be logged.
• Configure rate limiting for VoIP protocols (SIP and SCCP).
Using protection profiles, you can customize types and levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. Configure policies for different traffic services to use the same or different protection profiles.
If virtual domains are enabled on the FortiGate unit, protection profiles are configured globally and are available to all virtual domains. To access protection profiles, go to Global Configuration > Firewall > Protection Profile.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
271
Viewing the protection profile list Firewall Protection Profile
Default protection profiles
The FortiGate unit is preconfigured with four protection profiles.
Strict
Scan
Web
Unfiltered
Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances but it is available when maximum protection is required.
Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If required, system administrators can recover quarantined files.
Apply virus scanning and web content blocking to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Viewing the protection profile list
To view the protection profile list, go to Firewall > Protection Profile.
Figure 164:Default protection profiles
272
The Protection Profile list has the following icons and features:
Create New
Name
Delete
Edit
Select to add a protection profile.
The name of the protection profile
Select to remove a protection profile from the list. The Delete icon is only available if the profile is not being used in a firewall policy.
Select to modify a protection profile.
Note: A protection profile cannot be deleted (the Delete icon is not visible) if it is selected in a firewall policy or included in a user group.
Configuring a protection profile
If the default protection profiles do not provide the settings required, create custom protection profiles.
To add a protection profile, go to Firewall > Protection Profile and select Create
New.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile
Figure 165:New Protection Profile
Configuring a protection profile
Profile Name
Comments
AntiVirus
Enter a name for the protection profile.
If required, enter a description of the profile.
See
“Antivirus options” on page 273
.
Web Filtering
See
“Web filtering options” on page 275
.
FortiGuard-Web Filtering See
“FortiGuard-Web filtering options” on page 276 .
Spam Filtering
IPS
See
See
“Spam filtering options” on page 277
.
Content Archive
IM & P2P
Logging
VoIP
See
“Content archive options” on page 279 .
See
“IM and P2P options” on page 280 .
See
.
See
Note: If both Virus Scan and File Block are enabled, the FortiGate unit blocks files matching enabled file patterns before they are scanned for viruses.
Antivirus options
Figure 166:Protection profile antivirus options
Note: NNTP options cannot be selected. Support will be added in the future.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
273
Configuring a protection profile Firewall Protection Profile
The following options are available for antivirus through the protection profile.
Virus Scan
Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP,
POP3, SMTP, IM). Grayware, if enabled in AntiVirus > Config >
Grayware, is included with the Virus Scan. Heuristic, if enabled with the CLI, is also included with the Virus Scan. Note that streaming mode is enabled automatically when you enable virus scanning.
File Pattern
Quarantine (log disk required)
Enable or disable file pattern processing for each protocol. Files can be blocked or allowed by name, extension, or any other pattern. File pattern processing provides the flexibility to block files that may contain harmful content.
File pattern drop-down list: Select which file pattern list will be used with this protection profile. The default file pattern list is called builtinpatterns.
Enable or disable quarantine for each protocol. Quarantine suspect files to view them or submit files to Fortinet for analysis. The quarantine option is not displayed in the protection profile if the FortiGate does not have a hard drive or a configured FortiAnalyzer unit.
Pass fragmented emails
Enable or disable passing fragmented email for mail protocols (IMAP,
POP3, SMTP). Fragmented email cannot be scanned for viruses.
Comfort Clients
Enable or disable client comforting for HTTP and FTP traffic. Client comforting provides a visual status for files that are being buffered for downloads using HTTP and FTP. Users can observe web pages being drawn or file downloads progressing. If disabled, users have no indication the FortiGate unit is buffering the download and they may cancel the transfer thinking it has failed.
Interval
The time in seconds before client comforting starts after the download has begun. It is also the time between subsequent intervals.
Oversized
File/Email
Amount
The number of bytes sent at each interval.
Select block or pass for files and email messages exceeding configured thresholds for each protocol.
Threshold
If the file is larger than the threshold value in megabytes, the file is passed or blocked, as set in the
Oversized File/Email drop down. The maximum threshold for scanning in memory is 10% of the
FortiGate unit RAM.
Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Add signature to outgoing emails
Create and enable a signature to append to outgoing email (SMTP only).
See
“AntiVirus” on page 335 for more antivirus configuration options.
274
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile
Web filtering options
Figure 167:Protection profile web filtering options
Configuring a protection profile
The following options are available for web filtering through the protection profile.
Web Content Block
Web Content Exempt
Web URL Filter
ActiveX Filter
Cookie Filter
Java Applet Filter
Web resume download block
Block Invalid URLs
Enable or disable web page blocking for HTTP traffic based on the content block patterns in the content block list.
Web content block drop-down list: Select which content block list will be used with this protection profile.
Threshold: If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked. See
“Viewing the web content block list” on page 365 for details.
Enable or disable the override of web content block based on the content exempt patterns in the content exempt list.
Web content exempt drop-down list: Select which content exempt list will be used with this protection profile.
Enable or disable web page filtering for HTTP and HTTPS traffic based on the URL list.
Web URL filter drop-down list: Select which web URL filter list will be used with this protection profile.
Enable blocking of ActiveX controls.
Enable blocking of cookies.
Enable blocking of Java applets.
Enable to block downloading parts of a file that have already been partially downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files.
Note that some types of files, such as PDFs, are fragmented to increase download speed. Enabling this option can cause download interruptions with these types of file.
The FortiGate unit can perform validation on the CN to ensure that it is a valid hostname before applying web-filtering. If the
CN is not a valid hostname, the traffic will be blocked if you enable this option.
See
for more web filter configuration options.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
275
Configuring a protection profile Firewall Protection Profile
FortiGuard-Web filtering options
Figure 168:Protection profile FortiGuard-Web web filtering options
276
The following options are available for web category filtering through the protection profile.
Enable FortiGuard-Web
Filtering
Enable FortiGuard-Web
Filtering Overrides
Provide details for blocked
HTTP 4xx and 5xx errors
(HTTP only)
Enable FortiGuard-Web™ category blocking.
Enable category overrides. When selected, a list of groups is displayed. If no groups are available, the option is grayed out. For more information about overrides, see
“Viewing the override list” on page 374
and
“Configuring override rules” on page 375
. For more information about
groups, see “User group” on page 327 .
Display a replacement message for 400 and 500-series
HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web category blocking.
Rate images by URL (blocked images will be replaced with blanks) (HTTP only)
Block images that have been rated by FortiGuard.
Blocked images are replaced on the originating web pages with blanks.
Image types that are rated are GIF, JPEG, PNG, BMP, and
TIFF.
Allow websites when a rating error occurs
Allow web pages that return a rating error from the web filtering service.
Strict Blocking
When enabled, web site access is disallowed if any classification or category matches the block rating or lists.
When disabled, web site access is allowed if any classification or category matches the allowed list. This option is enabled by default.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile Configuring a protection profile
Rate URLs by domain and IP address
When enabled, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the
FortiGuard system.
However, because IP rating is not updated as quickly as
URL rating, some false ratings may occur.
This option is disabled by default.
Category
Classification
The FortiGuard-Web content filtering service provides many categories by which to filter web traffic. Set the action to take on web pages for each category. Choose from allow, block, monitor, or allow override.
Classifications block whole classes of web sites. Web sites that provide cached content, Google for example, can be blocked. Web sites that allow image, audio, or video searches can also be blocked. Web sites that are classified are also rated in one of the categories or are unrated. Choose from allow, block, monitor, or allow override.
See
“FortiGuard - Web Filter” on page 373
for more category blocking configuration options.
Spam filtering options
Figure 169:Protection profile spam filtering options
Note: NNTP options cannot be selected. Support will be added in the future.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
277
Configuring a protection profile Firewall Protection Profile
The following options are available for spam filtering through the protection profile.
FortiGuard-Antispam IP address check
Enable or disable the FortiGuard-Antispam™ filtering IP address blacklist. FortiGuard-Antispam extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam server to see if this IP address matches the list of known spammers. If the IP address is found,
FortiGuard-Antispam terminates the session. If
FortiGuard-Antispam does not find a match, the mail server sends the email to the recipient.
See “FortiGuard-Antispam Service” on page 162
for more information about this service.
URL check Enable or disable the FortiGuard-Antispam spam filtering URL blacklist. FortiGuard-Antispam checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard-
Antispam server to see if any are listed. Spam messages often contain URL links to advertisements (also called spamvertizing). If a
URL match is found, FortiGuard-Antispam terminates the session. If FortiGuard-Antispam does not find a match, the mail server sends the email to the recipient.
See “FortiGuard-Antispam Service” on page 162
for more information about this service.
E-mail checksum check
Enable or disable the FortiGuard-Antispam e-mail message checksum blacklist. If enabled, this filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The
FortiGate unit then passes or marks/blocks the email message according to the server response.
Spam submission
When enabled, all e-mail messages marked as spam have a link added to the message body. If an email message is not spam, simply click the link in the message to inform FortiGuard of the false positive.
IP address BWL check Black/white list check. Enable or disable the checking incoming
IP addresses against the configured spam filter IP address list.
(SMTP only.)
IP address BWL check drop-down list: Select which IP address black/white list will be used with this protection profile.
HELO DNS lookup
E-mail address BWL check
Return e-mail DNS check
Banned word check
Enable or disable looking up the source domain name (from the
SMTP HELO command) in the Domain Name Server.
Enable or disable checking incoming email addresses against the configured spam filter email address list.
E-mail address BWL check drop-down list: Select which email address black/white list will be used with this protection profile.
Enable or disable checking that the domain specified in the replyto or from address has an A or MX record.
Enable or disable checking source email against the configured spam filter banned word list.
Banned word check drop-down list: Select which banned word list will be used with this protection profile.
Threshold: If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting.
See
“Viewing the antispam banned word list” on page 385 for
details.
278
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile Configuring a protection profile
Spam Action
Append to
Append with
Action the spam filter will take. Tagged allows you to append a custom tag to the subject or header of email identified as spam.
For SMTP, if you have virus scan or streaming mode (also known as splice) enabled, you will only be able to discard spam email.
(Note that streaming mode is enabled automatically when you enable virus scanning.) Discard immediately drops the connection. Without streaming mode or scanning enabled, you can chose to tag or discard SMTP spam.
You can tag email by adding a custom word or phrase to the subject or inserting a MIME header and value into the email header. You can choose to log any spam action in the event log.
Append the tag to the subject or MIME header of the email identified as spam.
Enter a word or phrase (tag) to append to email identified as spam. The maximum length is 63 characters.
Note: Some popular email clients cannot filter messages based on the MIME header.
Check email client features before deciding how to tag spam.
See
for more spam filter configuration options. To
IPS options
Figure 170:Protection profile IPS options
The following options are available for IPS through the protection profile.
IPS Signature
IPS Anomaly
Select one or more IPS signature severity levels for this profile.
Options are Critical, High, Medium, Low, and Information.
Signatures with severity levels that have not been selected are not triggered.
Select one or more IPS anomaly severity levels for this profile.
Options are Critical, High, Medium, Low, and Information.
Anomalies with severity levels that have not been selected are not triggered.
See
“Intrusion Protection” on page 349
for more IPS configuration options.
Content archive options
To be able to access all content archiving options, a FortiAnalyzer unit must be configured and logging to the FortiAnalyzer must be enabled. For more information, see
“Logging to a FortiAnalyzer unit” on page 409
.
Figure 171:Protection profile content archive options
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
279
Configuring a protection profile Firewall Protection Profile
Note: NNTP and file archiving options cannot be selected. Support will be added in the future.
The following options are available for content archive through the protection profile.
Display content metainformation on the system dashboard
Archive to FortiAnalyzer
Enable to have meta-information for each type of traffic display in the Statistics section of the FortiGate status page.
View statistics for HTTP traffic, HTTPS traffic, FTP traffic, and email message traffic (IMAP, POP3, and SMTP combined).
Select one from the following three options:
None: No archiving.
Summary: Archiving content meta-information to a
FortiAnalyzer unit for each protocol. Content metainformation can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if
FortiAnalyzer is enabled under Log&Report > Log Config >
Log Setting.
Full: Archiving copies of downloaded files for HTTP and
FTP, or copies of all email messages for IMAP, POP3, and
STMP.
Archive SPAMed emails to
FortiAnalyzer
Enable to save spam email messages together with normal email messages. By default, spam email messages are not archived.
Display content metainformation on the system dashboard (AIM, ICQ, MSN,
Yahoo)
Enable to have meta-information for each type of traffic display in the Statistics section of the FortiGate status page.
Archive IM to FortiAnalyzer
(AIM, ICQ, MSN, Yahoo!)
Select one from the following three options:
None: No archiving.
Summary: Logging summary information for IM protocols:
AIM, ICQ, MSN, and Yahoo. Summary information can include date and time, source and destination information, request and response size, and scan result.
Full: Archiving full chat information for IM protocols to a
FortiAnalyzer unit for each protocol. Content archive is only available if FortiAnalyzer is enabled under Log&Report >
Log Config > Log Setting.
Note: You must enable IM options in the IM & P2P section of the protection profile for content archiving to function.
IM and P2P options
Figure 172:Protection profile IM and P2P options
280
The following options are available for IM and P2P through the protection profile.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile Configuring a protection profile
Block Login
Block File Transfers
Enable to prevent instant message users from logging in to
AIM, ICQ, MSN, Yahoo, and SIMPLE services.
Enable to block file transfers for AIM, ICQ, MSN, and Yahoo protocols.
Block Audio
Inspect Non-standard Port
Enable inspection of non-standard ports for IM traffic.
Action
Pass, block, or rate limit P2P transfers for BitTorrent, eDonkey, Gnutella, Kazaa, and WinNY protocols. Skype transfers can be passed or blocked, but not rate limited.
Limit (KBytes/s)
Enable to block audio for AIM, ICQ, MSN, and Yahoo protocols.
Specify bandwidth limit for BitTorrent, eDonkey, Gnutella,
Kazaa, and WinNY protocols if action is set to rate limit.
Changes to IM protection profile options, while IM users are logged in, will take effect only upon their next login. Enabling Block Login, for example, cannot be used to disconnect currently logged in users.
See
for more IM configuration options.
Logging options
Figure 173:Protection profile logging options
The following options are available for logging through the protection profile:
Antivirus
Viruses
Blocked Files
Enable logging of scanned viruses.
Enable logging of blocked files.
Oversized Files/Emails Enable logging of oversized files and email messages.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
281
Adding a protection profile to a policy Firewall Protection Profile
Web Filtering
Content Block
URL Block
ActiveX Filter
Cookie Filter
Enable logging of content blocking.
Enable logging of blocked and exempted URLs.
Enable logging of blocked Active X.
Enable logging of blocked cookies.
Java Applet Filter Enable logging of blocked Java Applets.
FortiGuard Web
Filtering
Log rating errors (HTTP only)
Enable logging of rating errors.
Spam Filtering Log Spam Enable logging of spam detected.
IPS
Log Intrusions
IM and P2P
VoIP
Log IM Activity
Log P2P Activity
Log VoIP Activity
Enable logging of signature and anomaly intrusions.
Enable logging of IM activity.
Enable logging of P2P activity.
Enable logging of VoIP activity.
For more information about logging, see
.
VoIP options
The FortiGate unit supports rate limiting for SIP (including SIMPLE) and SCCP protocols.
Figure 174:Protection profile VoIP options
The following options are available for VoIP through the protection profile:
Limit RIGISTER Request
Limit INVITE Request
Limit Call Setup
Set a rate limit to SIP RIGISTER requests (per second).
Set a rate limit to SIP INVITE requests (per seconds).
Set a rate limit to SCCP call setup (calls per minute) between call clients and the call manager.
282
Adding a protection profile to a policy
1
2
3
Enable protection profiles for firewall policies with action set to allow or IPSec and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
If virtual domains are enabled on the FortiGate unit, protection profiles must be added to policies in each virtual domain. To access the policy, select a virtual domain from the main menu.
Go to Firewall > Policy.
Select a policy list to which to add a protection profile.
For example, to enable network protection for files downloaded from the web by internal network users, select an internal to external policy list.
Select Create New to add a policy, or select Edit for the policy to modify.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Firewall Protection Profile Protection profile CLI configuration
4
5
6
7
8
Select protection profile.
Select a protection profile from the list.
Configure the remaining policy settings, if required.
Select OK.
Repeat this procedure for any policies for which to enable network protection.
Protection profile CLI configuration
Use the config firewall profile CLI command to add, edit or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies.
Note: For complete descriptions and examples of how to use CLI commands, see the
FortiGate CLI Reference
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
283
Protection profile CLI configuration Firewall Protection Profile
284
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC Overview of IPSec interface mode
VPN IPSEC
This section provides information about policy-based (tunnel-mode) and routebased (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager. FortiGate units implement the Encapsulated
Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates.
As an option, you can specify manual keys. Interface mode is supported in
NAT/Route mode only. It creates a virtual interface for the local end of a VPN tunnel.
The following topics are included in this section:
•
Overview of IPSec interface mode
•
•
•
•
Overview of IPSec interface mode
When you define a route-based (interface mode) IPSec tunnel, a virtual IPSec interface is created automatically. Regardless of whether you choose to have IKE keys generated automatically or you specify the keys manually, the virtual IPSec interface is created as a subinterface to the local FortiGate physical, aggregate, or
VLAN interface that you select when you define IPSec phase 1 parameters.
An IPSec virtual interface is considered to be up when it can establish a phase 1 connection with a VPN peer or client. However, the virtual IPSec interface cannot be used to send traffic through a tunnel until it is bound to a phase 2 definition.
Virtual IPSec interface bindings are shown on the System > Network > Interface page. The names of all tunnels bound to physical interfaces are displayed under their associated physical interface names in the Name column. For more
information about the Interface page, see “Interface” on page 69 .
Note: You can bind a virtual IPSec interface to a zone.
After an IPSec virtual interface has been bound to a tunnel, traffic can be routed to the interface using specific metrics for both static routes and policy routes. In addition, you can create a firewall policy having the virtual IPSec interface as the source or destination interface.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
285
Overview of IPSec interface mode VPN IPSEC
You can create the equivalent of a tunnel-mode concentrator in any of the following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. For dialup, the same interface can be both source and destination. This can become tedious if you have many site-to-site connections.
• Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
• Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface.
For more information and an example, see the
FortiGate IPSec VPN User Guide
.
When IP traffic that originates from behind a local FortiGate unit reaches an outbound FortiGate interface that acts as the local end of an IPSec tunnel (that is,
IPSec interface mode is enabled on the interface), the traffic is encapsulated by the tunnel and forwarded through the physical interface to which the IPSec virtual interface is bound. When encapsulated traffic from a remote VPN peer or client reaches a local FortiGate physical interface, the FortiGate unit determines if an
IPSec virtual interface is associated with the physical interface through selectors in the traffic. If the traffic matches predefined selectors, it is decapsulated and forwarded to the IPSec virtual interface.
In the outbound direction, the FortiGate unit performs a route lookup to find the interface through which it must forward traffic to reach the next hop router. If the
FortiGate unit finds a route through a virtual interface that is bound to a specific
VPN tunnel, the traffic is encrypted and sent through the VPN tunnel. In the inbound direction, the FortiGate unit identifies a VPN tunnel using the destination
IP address and the Security Parameter Index (SPI) in the ESP datagram to match a phase 2 Security Association (SA). If a matching SA is found, the datagram is decrypted and the associated IP traffic is redirected through the IPSec virtual interface.
The firewall policy associated with a specific path is responsible for controlling all
IP traffic passing between the source and destination addresses. If required, you can configure more than one firewall policy to regulate the flow of traffic going into and/or emerging from a route-based VPN tunnel. Two firewall policies are needed to support bidirectional traffic through a route-based IPSec tunnel: one to control traffic in the outbound direction, and the other to control traffic in the inbound direction.
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy.
You can configure a route for the same IP traffic using different route metrics. You can also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through VPN tunnels. If the primary VPN connection fails or the priority of a route changes through dynamic routing, an alternative route will be selected to forward traffic using the redundant connection.
286
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC
Auto Key
Two VPN peers (or a FortiGate dialup server and a VPN client) can be configured to generate unique Internet Key Exchange (IKE) keys automatically during the
IPSec phase 1 and phase 2 exchanges.
To configure the FortiGate unit to generate unique keys automatically in phase 1 and phase 2, go to VPN > IPSEC > Auto Key (IKE).
When you define phase 2 parameters, you can choose any set of phase 1 parameters to set up a secure connection for the tunnel and authenticate the remote peer.
Note: There can be only one phase 2 configuration associated with each phase 1 configuration.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
Figure 175:Auto Key list
Auto Key
Edit
Delete
Create Phase 1
Create Phase 2
Phase 1
Phase 2
Create a new phase 1 tunnel configuration. See “Creating a new phase 1 configuration” on page 287 .
Create a new phase 2 configuration. See “Creating a new phase 2 configuration” on page 292 .
The names of existing phase 1 tunnel configurations.
The names of existing phase 2 configurations.
Interface Binding
The names of the local physical, aggregate, or VLAN interfaces to which IPSec tunnels are bound.
Delete and Edit icons Delete or edit a phase 1 configuration.
Creating a new phase 1 configuration
In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate each other and exchange keys to establish a secure communication channel between them. The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine:
• whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a pre-shared key or digital certificates will be used to authenticate the identities of the two VPN peers (or a VPN server and its client)
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
287
Auto Key VPN IPSEC
• whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1.
Figure 176:New Phase 1
288
Name
Type a name to represent the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.
For a tunnel mode VPN, the name should reflect the origination of the remote connection. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPSec interface that it creates automatically.
Remote Gateway
Select the nature of the remote connection:
•
If the remote peer has a static IP address, select Static IP
Address.
•
If one or more FortiClient™ or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit, select
Dialup User.
•
If a remote peer that has a domain name and subscribes to a dynamic DNS service will be connecting to the FortiGate unit, select Dynamic DNS.
IP Address
Dynamic DNS
Local Interface
If Static IP Address is selected, type the IP address of the remote peer.
If Dynamic DNS is selected, type the domain name of the remote peer.
This option is available in NAT/Route mode only. Select the name of the physical, aggregate, or VLAN interface through which remote peers or dialup clients connect to the FortiGate unit. The FortiGate unit obtains the IP address of the interface from System > Network
> Interface settings (see “Interface” on page 69 ) unless you are
configuring an IPSec interface, in which case you can specify a different IP address in the Local Gateway IP field under Advanced settings (see “Local Gateway IP” on page 291 ).
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC
Mode
Select Main or Aggressive:
•
In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
•
In Aggressive mode, the phase 1 parameters are exchanged in single message with authentication information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.
Peer Options settings may require a particular mode. See Peer
Options , below.
Authentication
Method
Pre-shared Key
Accept this peer ID
Select Preshared Key or RSA Signature.
If Pre-shared Key is selected, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Certificate Name
If RSA Signature is selected, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. To obtain and load the required server certificate, see the
FortiGate Certificate
Management User Guide
.
Peer Options
One or more of the following options are available to authenticate
VPN peers or clients, depending on the Remote Gateway and
Authentication Method settings.
Accept any peer ID
Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). Mode can be set to
Aggressive or Main.
Authenticate remote peers based on a particular identifier. Enter the identifier in the field. The remote peer must be configured with the same identifier. This option is available only if the remote peer has a dynamic IP address.
If the remote peer is a FortiGate unit, the identifier must be specified in the Local ID field of the phase 1 configuration. For FortiClient dialup clients, select Config in the Policy section of the Advanced
Settings for the connection and specify the identifier in the Local ID field.
Accept peer ID in dialup group
Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes.
See “User group” on page 327 . Select the group from the list
adjacent to the Accept peer ID in dialup group option.
To configure FortiGate dialup clients, refer to the FortiGate
IPSec
VPN User Guide
. To configure FortiClient dialup clients, refer to the
Authenticating FortiClient Dialup Clients Technical Note.
Mode must be set to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address.
Auto Key
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
289
Auto Key VPN IPSEC
Accept this peer certificate
Authenticate remote peers or dialup clients using a security certificate. Select the certificate from the list adjacent to the option.
only
You must add peer certificates to the FortiGate configuration through the User > PKI page before you can select them here. For more information, see PKI Certificates.
If the remote VPN peer or client has a dynamic IP address, set Mode to Aggressive.
This option is available when Authentication Method is set to RSA
Signature.
Accept this peer certificate
Use a certificate group to authenticate dialup clients that have dynamic IP addresses and use unique certificates.
group only
Select the name of the peer group from the list. You must first create the group through the config user peergrp CLI command before you can select it. For more information, see the “user” chapter of the
FortiGate CLI Reference
. Members of the peer group must be certificates added through the User > PKI page or the config user peer
CLI command.
If the remote VPN peer or client has a dynamic IP address, set Mode to Aggressive.
This option is available when Authentication Method is set to RSA
Signature and Remote Gateway is set to Dialup User.
Advanced
Define advanced phase 1 parameters. See “Defining phase 1 advanced settings” on page 290
.
Defining phase 1 advanced settings
The advanced P1 Proposal parameters select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange.
Additional advanced phase 1 settings can be selected to ensure the smooth operation of phase 1 negotiations.
To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC >
Auto Key (IKE), select Create Phase 1, and then select Advanced.
Figure 177:Phase 1 advanced settings
Add
290
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC Auto Key
Enable IPSec
Interface Mode
Create a virtual interface for the local end of the VPN tunnel.
This is not available in Transparent mode.
Local Gateway IP
If you selected Enable IPSec Interface Mode, you need to specify an
IP address for the local end of the VPN tunnel. Select one of the following:
•
Main Interface IP - the FortiGate unit obtains the IP address of the interface from System > Network > Interface settings (see
)
P1 Proposal
•
Specify - specify an IP address. The IP address is assigned to the physical, aggregate, or VLAN interface selected in the phase 1
Local Interface field (see “Local Interface” on page 288 ).
You cannot configure Interface mode in a Transparent mode VDOM.
Select the encryption and authentication algorithms used to generate keys for protecting negotiations.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
DH Group
Keylife
You can select any of the following symmetric-key algorithms:
•
DES-Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
•
3DES-Triple-DES, in which plain text is encrypted three times by three keys.
•
AES128-A 128-bit block algorithm that uses a 128-bit key.
•
AES192-A 128-bit block algorithm that uses a 192-bit key.
•
AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
•
MD5-Message Digest 5, the hash algorithm developed by RSA
Data Security.
•
SHA1-Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When using aggressive mode, DH groups cannot be negotiated.
•
If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group.
The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.
•
When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the
FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be identical to one of the selections on the FortiGate unit.
•
If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or client must be identical to the selections on the FortiGate unit.
Type the length of time (in seconds) until the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
291
Auto Key
292
VPN IPSEC
Local ID
XAuth
Nat-traversal
Keepalive
Frequency
Dead Peer
Detection
If the FortiGate unit will act as a VPN client and you are using peer
IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this
FortiGate dialup client), set Mode to Aggressive.
This option is provided to support the authentication of dialup clients.
If the FortiGate unit is a dialup client and you select Enable as Client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
If Remote Gateway is set to Dialup User and dialup clients will authenticate as members of a dialup group, the FortiGate unit can act as an XAuth server. To select Enable as Server, you must first create user groups to identify the dialup clients that need access to the
network behind the FortiGate unit. See “Configuring a user group” on page 330 .
You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For
information about these topics, see “Configuring a RADIUS server” on page 322
or
“Configuring an LDAP server” on page 324
.
Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.
Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
If you enabled NAT-traversal, enter a keepalive frequency setting.
The value represents an interval from 0 to 900 seconds.
Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to be notified whenever a tunnel goes up or down, or enable the option to keep the tunnel connection open when no traffic is being generated inside the tunnel (for example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically—traffic may be suspended while the IP address changes).
When the Dead Peer Detection option is selected, you can use the config vpn ipsec phase1
(tunnel mode) or config vpn ipsec phase1-interface
(interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the
FortiGate CLI Reference
.
Creating a new phase 2 configuration
After IPSec phase 1 negotiations complete successfully, phase 2 begins. The phase 2 parameters define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During phase 2, the specific IPSec security associations needed to implement security services are selected and a tunnel is established.
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic phase 2 settings.
To configure phase 2 settings, go to VPN > IPSEC > Auto Key (IKE) and select
Create Phase 2.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC
Figure 178:New Phase 2
Name
Phase 1
Advanced
Type a name to identify the phase 2 configuration.
Select the phase 1 tunnel configuration. See “Creating a new phase 1 configuration” on page 287
. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
Define advanced phase 2 parameters. See
“Defining phase 2 advanced settings” on page 293 .
Defining phase 2 advanced settings
In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. The P2 Proposal parameters select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations
(SAs). The keys are generated automatically using a Diffie-Hellman algorithm.
A number of additional advanced phase 2 settings are available to enhance the operation of the tunnel. To modify IPSec phase 2 advanced parameters, go to
VPN > IPSEC Auto Key (IKE), select Create Phase 2, and then select Advanced.
Figure 179:Phase 2 advanced settings
Add
Auto Key
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
293
Auto Key
294
VPN IPSEC
P2 Proposal
Select the encryption and authentication algorithms that will be used to change data into encrypted code.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
You can select any of the following symmetric-key algorithms:
•
NULL-Do not use an encryption algorithm.
•
DES-Digital Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
•
3DES-Triple-DES, in which plain text is encrypted three times by three keys.
•
AES128-A 128-bit block algorithm that uses a 128-bit key.
•
AES192-A 128-bit block algorithm that uses a 192-bit key.
•
AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the authenticity of messages during an encrypted session:
•
NULL-Do not use a message digest.
•
MD5-Message Digest 5, the hash algorithm developed by RSA Data
Security.
•
SHA1-Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.
Enable replay detection
Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group
Keylife
Select one Diffie-Hellman group (1, 2, or 5). The remote peer or dialup client must be configured to use the same group.
Select the method for determining when the phase 2 key expires:
Seconds, KBytes, or Both. If you select both, the key expires when either the time has passed or the number of KB have been processed. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep
Alive
Enable the option if you want the tunnel to remain active when no data is being processed.
DHCP-IPSec
Select Enable if the FortiGate unit acts as a dialup server and FortiGate
DHCP relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be configured separately. For
more information, see “System DHCP” on page 113 .
If the FortiGate unit acts as a dialup server and you manually assigned
FortiClient dialup clients VIP addresses that match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients.
This is available only for tunnel mode phase 2 configurations associated with a dialup phase 1 configuration.
Note: You can enable VPN users to browse the Internet through the FortiGate unit. See
“Internet browsing configuration” on page 295 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC Auto Key
Quick Mode
Selector
Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, the default value 0.0.0.0/0 should be kept unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and/or a protocol number.
If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. See the dst-addr-type, dst-name, src-addr-type and src-name
keywords for the vpn ipsec phase2 command in the
FortiGate CLI Reference
.
Source address
If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local sender(s) or network behind the local VPN peer (for example, 172.16.5.0/24 or
172.16.5.0/255.255.255.0
for a subnet, or
172.16.5.1/32
or
172.16.5.1/255.255.255.255
for a server or host, or 192.168.10.[80-100] or
192.168.10.80-192.168.10.100
for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, source address must refer to the private network behind the
FortiGate dialup client.
Source port
Destination address
Type the port number that the local VPN peer uses to transport traffic related to the specified service
(protocol number). The range is 0 to 65535. To specify all ports, type 0.
Type the destination IP address that corresponds to the recipient(s) or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or
192.168.10.[80-100]
for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.
Destination port
Type the port number that the remote VPN peer uses to transport traffic related to the specified service
(protocol number). The range is 0 to 65535. To specify all ports, type 0.
Protocol
Type the IP protocol number of the service. The range is 1 to 255. To specify all services, type 0.
Internet browsing configuration
You can enable VPN users to browse the Internet through the
FortiGate
unit. You do this with firewall policies. The required policies are different for policy-based and route-based
VPNs.
For more information about firewall policies, see “Configuring firewall policies” on page 216
.
Policy-based VPN Internet browsing configuration
Configure an additional firewall policy as follows:
Source Interface/Zone
Source Address Name
Destination Interface/Zone
Destination Address Name
Action
Select the FortiGate unit public interface.
Select All
Select the FortiGate unit public interface.
Select the remote network address name.
Select IPSEC.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
295
Manual Key VPN IPSEC
VPN Tunnel
Select the tunnel that provides access to the private network behind the FortiGate unit.
Inbound NAT
Enable
Configure other settings as required.
Route-based VPN Internet browsing configuration
Configure an additional firewall policy as follows:
Source Interface/Zone
Source Address Name
Select the IPSec interface.
Select All
Destination Interface/Zone
Select the FortiGate unit public interface.
Destination Address Name
Select All
Action
NAT
Select ACCEPT.
Enable
Configure other settings as required.
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec
VPN tunnel. You would define manual keys in situations where:
• Prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key).
• Encryption and authentication needs to be disabled.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys on the VPN > IPSEC > Manual Key page instead.
Note: It may not be safe or practical to define manual keys because network administrators must be trusted to keep the keys confidential, and propagating changes to remote VPN peers in a secure manner may be difficult.
Figure 180:Manual Key list
296
Create New
Tunnel Name
Remote Gateway
Encryption
Algorithm
Edit
Delete
Create a new manual key configuration. See
“Creating a new manual key configuration” on page 297 .
The names of existing manual key configurations.
The IP addresses of remote peers or dialup clients.
The names of the encryption algorithms specified in the manual key configurations.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC
Authentication
Algorithm
Delete and Edit icons
The names of the authentication algorithms specified in the manual key configurations.
Delete or edit a manual key configuration.
Creating a new manual key configuration
If one of the VPN devices uses specific authentication and/or encryption keys to establish a tunnel, both VPN devices must be configured to use identical authentication and/or encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. An
SPI must be specified manually for each SA. Because an SA applies to communication in one direction only, you must specify two SPIs per configuration
(a local SPI and a remote SPI) to cover bidirectional communications between two
VPN devices.
!
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and select Create New.
Figure 181:New Manual Key
Manual Key
Name
Local SPI
Remote SPI
Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policybased VPN.
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local
FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
297
Manual Key VPN IPSEC
Remote Gateway
Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.
Local Interface
Encryption
Algorithm
This option is available in NAT/Route mode only. Select the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from System > Network > Interface settings (see
).
Select one of the following symmetric-key encryption algorithms:
•
DES-Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
•
3DES-Triple-DES, in which plain text is encrypted three times by three keys.
•
AES128-A 128-bit block algorithm that uses a 128-bit key.
•
AES192-A 128-bit block algorithm that uses a 192-bit key.
•
AES256-A 128-bit block algorithm that uses a 256-bit key.
Encryption Key
Authentication
Algorithm
If you selected:
•
DES, type a 16-character hexadecimal number (0-9, a-f).
•
3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
•
AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
•
AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
•
AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters.
Select one of the following message digests:
•
MD5-Message Digest 5 algorithm, which produces a 128-bit message digest.
•
SHA1-Secure Hash Algorithm 1, which produces a 160-bit message digest.
Authentication Key If you selected:
•
MD5, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
•
SHA1, type 40-character hexadecimal number (0-9, a-f) separated into one segment of 16 characters and a second segment of 24 characters.
IPSec Interface
Mode
Create a virtual interface for the local end of the VPN tunnel.
This command is available only in NAT/Route mode.
298
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC Concentrator
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, VPN tunnels between any two of the remote peers can be established through the FortiGate unit “hub”.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.
To define a concentrator, go to VPN > IPSEC > Concentrator.
Figure 182:Concentrator list
Edit
Delete
Create New
Define a new concentrator for an IPSec hub-and-spoke
configuration. See “Defining concentrator options” on page 299
.
Concentrator Name The names of existing IPSec VPN concentrators.
Members
The tunnels that are associated with the concentrators.
Delete and Edit icons
Delete or edit a concentrator.
Defining concentrator options
A concentrator configuration specifies which spokes to include in an IPSec huband-spoke configuration.
To specify the spokes of an IPSec hub-and-spoke configuration, go to VPN >
IPSEC > Concentrator and select Create New.
Figure 183:New VPN Concentrator
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
299
Monitor
Monitor
VPN IPSEC
Concentrator Name Type a name for the concentrator.
Available Tunnels
A list of defined IPSec VPN tunnels. Select a tunnel from the list and then select the right-pointing arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.
Members
A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the leftpointing arrow.
You can use the monitor to view activity on IPSec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.
To view active tunnels, go to VPN > IPSEC > Monitor.
Figure 184:Monitor list
Page down
Page up
300
The Dialup list provides information about the status of tunnels that have been established for dialup clients. The list displays the IP addresses of dialup clients and the names of all active tunnels. The number of tunnels shown in the list can change as dialup clients connect and disconnect.
Page up and Page down icons
Display the previous or next page of dialup-tunnel status listings.
Name
The names of configured tunnels.
Remote gateway
The public IP address and UDP port of the remote host device, or if a NAT device exists in front of the remote host, the public IP address and UDP port of the NAT device.
Username
Timeout
The peer ID, certificate name, or XAuth user name of the dialup client (if a peer ID, certificate name, or XAuth user name was assigned to the dialup client for authentication purposes).
The amount of time before the next phase 2 key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. When the phase 2 key expires, a new key is generated without interrupting service.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN IPSEC
Proxy ID Source
Proxy ID
Destination
The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
When a FortiClient dialup client establishes a tunnel:
•
If VIP addresses are not used, the Proxy ID Destination field displays the public IP address of the remote host Network
Interface Card (NIC).
•
If VIP addresses were configured (manually or through FortiGate
DHCP relay), the Proxy ID Destination field displays either the
VIP address belonging to the FortiClient dialup client, or the subnet address from which VIP addresses were assigned.
When a FortiGate dialup client establishes a tunnel, the Proxy ID
Destination field displays the IP address of the remote private network.
Tunnel up or tunnel down icon
A green arrow pointing up means the tunnel is currently processing traffic. Select to bring down tunnel.
A red arrow pointing down means the tunnel is not processing traffic.
Select to bring up tunnel.
The Static IP and dynamic DNS list provides information about VPN tunnels to remote peers that have static IP addresses or domain names. You can use this list to view status and IP addressing information for each tunnel configuration. You can also start and stop individual tunnels from the list.
Page up and
Page down icons
Display the previous or next page of VPN-tunnel status listings.
Name
The names of configured tunnels.
Remote gateway The IP addresses and UDP ports of the remote gateways. For dynamic
DNS tunnels, the IP addresses are updated dynamically.
Timeout
The amount of time before the next phase 2 key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. When the phase 2 key expires, a new key is generated without interrupting service.
Proxy ID Source The IP addresses of the hosts, servers, or private networks behind the
FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
Proxy ID
Destination
The IP addresses of the hosts, servers, or private networks behind the remote FortiGate unit.
Tunnel up or tunnel down icon
.A green arrow pointing up means the tunnel is currently processing traffic. Select to bring down tunnel.
A red arrow pointing down means the tunnel is not processing traffic.
Select to bring up tunnel.
Monitor
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
301
Monitor VPN IPSEC
302
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN PPTP
VPN PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers.
Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode.The current maximum number of
PPTP and L2TP sessions is 254. The start and end IPs must be in the same 24bit subnet, e.g. x.x.x.1. - x.x.x.254.
This section explains how to use the web-based manager to specify a range of IP addresses for PPTP clients. For information about how to perform other related
PPTP VPN setup tasks, see the
FortiGate PPTP VPN User Guide
.
The following topics are included in this section:
•
PPTP Range
You can specify a PPTP address range on the PPTP Range page. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client connects, the FortiGate unit assigns an IP address from a reserved range of IP addresses to the client PPTP interface. The PPTP client uses the assigned IP address as its source address for the duration of the connection.
To enable PPTP and specify the PPTP address range, go to VPN > PPTP >
PPTP Range, select the required options, and then select Apply.
Figure 185:Edit PPTP range
PPTP Range
Enable PPTP
Select the option. You must add a user group before you can select the option. See
Type the starting address in the range of reserved IP addresses.
Starting IP
Ending IP
User Group
Type the ending address in the range of reserved IP addresses.
Select the name of the PPTP user group that you defined.
Disable PPTP
Select the option to disable PPTP support.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
303
PPTP Range VPN PPTP
304
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN SSL
VPN SSL
This section provides information about the features of the VPN > SSL page in the web-based manager. The SSL VPN feature is supported on FortiGate units that run in NAT/Route mode only.
Note: For detailed instructions about how to configure web-only mode or tunnel mode operation, see the
FortiGate SSL VPN User Guide
.
The following topics are included in this section:
•
•
Config
The Config page contains basic SSL VPN settings including timeout values and
SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients.
Note: If required, you can enable SSL version 2 encryption (for compatibility with older browsers) through a FortiGate CLI command. For more information, see “ssl settings” in the
“vpn” chapter of the
FortiGate CLI Reference
.
To display the current SSL configuration settings, go to VPN > SSL > Config.
Figure 186:SSL-VPN Settings
Config
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
305
Config VPN SSL
Enable SSL VPN
Login Port
Tunnel IP Range
Server Certificate
Require Client Certificate
Select to enable SSL VPN connections.
Optionally enter a different HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.
Specify the range of IP addresses reserved for tunnelmode SSL VPN clients. Type the starting and ending address that defines the range of reserved IP addresses.
Select the signed server certificate to use for authentication purposes. If you leave the default setting
(Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect.
If you want to enable the use of group certificates for authenticating remote clients, select the option.
Afterward, when the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.
Encryption Key Algorithm
Default - RC4(128 bits) and higher
High - AES(128/256 bits) and 3DES
Select the algorithm for creating a secure SSL connection between the remote client web browser and the FortiGate unit.
If the web browser on the remote client is capable of matching a 128-bit or greater cipher suite, select this option.
If the web browser on the remote client is capable of matching a high level of SSL encryption, select this option to enable cipher suites that use more than 128 bits to encrypt data.
Low - RC4(64 bits),
DES and higher
Idle Timeout
If you are not sure which level of SSL encryption the remote client web browser supports, select this option to enable a 64-bit or greater cipher suite.
Type the period of time (in seconds) to control how long the connection can remain idle before the system forces the user to log in again. The range is from 10 to 28800 seconds. This setting applies to the SSL VPN session.
The interface does not time out when web application sessions or tunnels are up.
Portal Message
If you want to display a custom caption at the top of the web portal home page, type the message.
Advanced (DNS and WINS Servers)
DNS Server #1
DNS Server #2
WINS Server #1
WINS Server #2
Enter up to two DNS Servers to be provided for the use of clients.
Enter up to two WINS Servers to be provided for the use of clients.
306
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN SSL
Monitor
You can display a list of all active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time that the connection was made. The list also identifies which services are being provided.
To view the list of active SSL VPN sessions, go to VPN > SSL > Monitor.
Figure 187:Monitor list
Monitor
No.
User
Source IP
Begin Time
Description
Delete icon
Delete
The identifier of the connection.
The user names of all connected remote users.
The IP addresses of the host devices connected to the FortiGate unit.
The starting time of each connection.
Information about which services are being provided. When a tunnelmode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote client.
Take down a tunnel.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
307
Monitor VPN SSL
308
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN Certificates Local Certificates
VPN Certificates
This section explains how to manage X.509 security certificates using the
FortiGate web-based manager. Refer to this module to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.
For additional background information, see the
FortiGate Certificate Management
User Guide
.
The following topics are included in this section:
•
•
•
•
Local Certificates
Certificate requests and installed server certificates are displayed in the Local
Certificates list. After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign and send the signed certificate to you to install on the FortiGate unit.
To view certificate requests and/or import signed server certificates, go to VPN >
Certificates > Local Certificates. To view certificate details, select the View
Certificate Detail icon in the row that corresponds to the certificate.
The first entry in the list is the FortiGate unit’s self-signed certificate, which you cannot delete.
Figure 188:Local Certificates list
Download
Generate
Import
Name
Subject
Status
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
View Certificate Detail
Generate a local certificate request. See “Generating a certificate request” on page 310 .
Import a signed local certificate. See
“Importing a signed server certificate” on page 313 .
The names of existing local certificates and pending certificate requests.
The Distinguished Names (DNs) of local signed certificates.
The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.
309
Local Certificates VPN Certificates
View Certificate
Detail icon
Display certificate details such as the certificate name, issuer, subject, and valid certificate dates. See Figure 189 .
Delete icon
Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate can be deleted.
Download icon
Save a copy of the certificate request to a local computer. Send the request to your CA to obtain a signed server certificate for the
FortiGate unit.
Figure 189:Certificate Detail Information
For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the
FortiGate Certificate Management User
Guide
.
Generating a certificate request
The
FortiGate
unit generates a certificate request based on the information you enter to identify the FortiGate unit. Generated requests are displayed in the Local
Certificates list with a status of
PENDING
. After you generate a certificate request, you can download the request to a computer that has management access to the
FortiGate unit and then forward the request to a CA.
To fill out a certificate request, go to VPN > Certificates > Local Certificates and select Generate. To download and send the certificate request to a CA, see
“Downloading and submitting a certificate request” on page 312
.
310
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN Certificates
Figure 190:Generate Certificate Signing Request
Local Certificates
Certification Name
Subject Information
Host IP
Domain Name
Optional Information
Organization Unit
Organization
Locality (City)
State/Province
Country e-mail
Type a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Enter the information needed to identify the FortiGate unit:
If the FortiGate unit has a static IP address, select Host
IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the
FortiGate unit changes.
If you select E-mail, enter the email address of the owner of the FortiGate unit.
All fields under Optional Information are not required.
Type the name of your department.
Type the legal name of your company or organization.
Type the name of the city or town where the FortiGate unit is installed.
Type the name of the state or province where the
FortiGate unit is installed.
Select the country where the FortiGate unit is installed.
Type the contact email address.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
311
Local Certificates VPN Certificates
Key Type
Key Size
Enrollment Method
File Based
Online SCEP
Only RSA is supported.
Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.
Select File Based to generate the certificate request.
Select Online SCEP to obtain a signed SCEP-based certificate automatically over the network.
CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate.
Challenge Password: Enter the CA server challenge password.
Downloading and submitting a certificate request
You have to fill out a certificate request and generate the request before you can
submit the results to a CA. For more information, see “Generating a certificate request” on page 310
.
3
4
5
1
2
6
To download and submit a certificate request
Go to VPN > Certificates > Local Certificates.
In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
In the File Download dialog box, select Save to Disk.
Name the file and save it to the local file system.
Submit the request to your CA as follows:
• Using the web browser on the management computer, browse to the CA web site.
• Follow the CA instructions to place a base-64 encoded PKCS#12 certificate request and upload your certificate request.
• Follow the CA instructions to download their root certificate and Certificate
Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
When you receive the signed certificate from the CA, install the certificate on the
FortiGate unit. See
“Importing a signed server certificate” on page 313 .
312
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN Certificates Local Certificates
Importing a signed server certificate
Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit.
To install the signed server certificate, go to VPN > Certificates > Local
Certificates and select Import. Install the signed certificate through the Upload
Local Certificate dialog box at the top of the page. The certificate file can be in either PEM or DER format. The other dialog boxes are for importing previously exported certificates and private keys.
Figure 191:Upload Local Certificate
Certificate File
Browse
Enter the full path to and file name of the signed server certificate.
Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
Importing an exported server certificate and private key
The server certificate and private key to import must have been exported previously as a single PKCS12 file through the execute vpn certificate key export
CLI command. The file is associated with a password, which you will need to know in order to import the file. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit. For more information, see the
FortiGate Certificate Management User Guide
.
To import the PKCS12 file, go to VPN > Certificates > Local Certificates and select Import.
Figure 192:Upload PKCS12 Certificate
Certificate with key file
Browse
Password
Enter the full path to and file name of the previously exported
PKCS12 file.
Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Type the password needed to upload the PKCS12 file.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
313
Remote Certificates VPN Certificates
Importing separate server certificate and private key files
Use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.
Figure 193:Upload Certificate
314
Certificate file
Key file
Browse
Password
Enter the full path to and file name of the previously exported certificate file.
Enter the full path to and file name of the previously exported key file.
Browse to the location of the previously exported certificate file/key file, select the file, and then select OK.
If a password is required to upload and open the files, type the password.
Remote Certificates
Note: The certificate file must not use 40-bit RC2-CBC encryption.
For dynamic certificate revocation, an OCSP (Online Certificate Status Protocol) server is used. Remote certificates are public certificates without a private key.
The OCSP is configured in the CLI only. For more information, see the
FortiGate
CLI Guide
.
Note: There is one OCSP per vdom.
Figure 194:Remote certificate list
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to VPN > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN Certificates CA Certificates
Import
Name
Import a public OCSP certificate. See “Importing CA certificates” on page 316
.
The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2,
REMOTE_Cert_3
, and so on) to the Remote (OCSP) certificates when they are imported.
Subject
Delete icon
Information about the Remote (OCSP) certificate.
Delete a Remote (OCSP) certificate from the FortiGate configuration.
View Certificate
Detail icon
Display certificate details.
Download icon
Save a copy of the Remote (OCSP) certificate to a local computer.
Importing Remote (OCSP) certificates
To import a Remote (OCSP) certificate, go to VPN > Certificates > Remote and select Import.
Figure 195:Upload Remote Certificate
Local PC
Use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2,
REMOTE_Cert_3
, and so on).
CA Certificates
When you apply for a signed personal (administrative) or group certificate to install on remote clients, you must obtain the corresponding root certificate and
CRL from the issuing CA.
When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete the Fortinet_CA certificate. To view installed CA root certificates or import a
CA root certificate, go to VPN > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
315
CA Certificates VPN Certificates
Figure 196:CA Certificates list
View Certificate Detail
Download
Import
Name
Subject
Delete icon
Import a CA root certificate. See “Importing CA certificates” on page 316 .
The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
Information about the issuing CA.
Delete a CA root certificate from the FortiGate configuration.
View Certificate
Detail icon
Display certificate details.
Download icon
Save a copy of the CA root certificate to a local computer.
For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the
FortiGate Certificate Management User
Guide
.
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit.
To import a CA root certificate, go to VPN > Certificates > CA Certificates and select Import.
Figure 197:Import CA Certificate
316
SCEP
Local PC
Select to use an SCEP server to access CA certificate for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the file name. Select OK.
Select to use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
When you select OK and you have elected to import a certificate via the SCEP server, the system starts the retrieval process immediately.
The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
VPN Certificates
CRL
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. Installed CRLs are displayed in the CRL list.
The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid.
To view installed CRLs, go to VPN > Certificates > CRL.
Figure 198:Certificate revocation list
View Certificate Detail
Download
Import
Name
Import a CRL. See “Importing a certificate revocation list” on page 317 .
The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Information about the certificate revocation lists.
Subject
Delete icon
View Certificate
Detail icon
Delete the selected CRL from the FortiGate configuration.
Display CRL details such as the issuer name and CRL update dates.
See example Figure 199 .
Download icon
Save a copy of the CRL to a local computer.
Figure 199:CRL Certificate Detail
CRL
Importing a certificate revocation list
Certificate revocation lists from CA web sites must be kept updated on a regular basisFortiGate to ensure that clients having revoked certificates cannot establish a connection with the FortiGate unit. After you download a CRL from the CA web site, save the CRL on a computer that has management access to the FortiGate unit.
Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest version of the CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires.
To import a certificate revocation list, go to VPN > Certificates > CRL and select
Import.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
317
CRL VPN Certificates
Figure 200:Import CRL
HTTP
LDAP
SCEP
Local PC
Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
Select to use an LDAP server to retrieve the CRL. Select the
LDAP server from the drop-down list.
Select to use an SCEP server to retrieve the CRL. Select the
Local Certificate from the drop-down list. Enter the URL of the
SCEP server from which the CRL can be retrieved.
Select to use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).
318
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User Configuring user authentication
User
This section explains how to set up user accounts, user groups and external authentication servers. These are components of user authentication that you can use to control access to network resources.
The following topics are included in this section:
•
Configuring user authentication
•
•
•
•
•
•
•
Configuring peers and peer groups
Configuring user authentication
1
2
3
4
5
FortiGate authentication controls access by user group, but creating user groups is not the first step in configuring authentication. You must configure user authentication in the following order:
If external authentication using RADIUS or LDAP servers is needed, configure
access to those servers. See “RADIUS servers” on page 322
and “LDAP servers” on page 323
.
Configure local user accounts in User > Local. For each user, you can choose whether the password is verified by the FortiGate unit, by a RADIUS server or by
an LDAP server. See “Local user accounts” on page 321 .
If you use a Microsoft Windows Active Directory server for authentication, configure access to it. See
“Configuring a Windows AD server” on page 327
.
Users authenticated by Active Directory server do not need local user accounts on the FortiGate unit. You must install the Fortinet Server Authentication Extensions
(FSAE) on your Windows network.
To use certificate-based authentication for administrative access (HTTPS GUI),
IPSec, SSL-VPN, and web-based authentication, configure using User > PKI.
See
“Configuring PKI users” on page 326 .
Create user groups in User > User Group and add members. There are three
For PKI authentication, only Firewall and SSL VPN user groups are applicable.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
319
Configuring user authentication User
Setting authentication timeout
Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again.
1
2
To set authentication timeout
Go to User > Authentication > Authentication.
In Authentication Timeout, type a number, in minutes.
The default authentication timeout is 30 minutes.
Figure 201:User Authentication Settings
Setting user authentication protocol support
User authentication can be performed for the following protocols:
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet
When user authentication is enabled on a firewall policy, the authentication challenge is normally issued for any of the four protocols (dependent on the connection protocol). By making selections in the Protocol Support list, the user controls which protocols support the authentication challenge. The user must connect with a supported protocol first so they can subsequently connect with other protocols.
To set authentication protocol support
Go to User > Authentication > Authentication and in Protocol Support, select the required authentication protocols.
Figure 202:User Authentication Settings - Protocol Support
320
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User Local user accounts
Local user accounts
Go to User > Local to add local user accounts and configure authentication.
Figure 203:Local user list
Create New
User Name
Type
Delete icon
Edit icon
Add a new local user account.
The local user name.
The authentication type to use for this user.
Delete the user.
Note: The delete icon is not available if the user belongs to a user group.
Edit the user account.
Note: Deleting the user name deletes the authentication configured for the user.
Configuring a user account
Go to User > Local and select Create New or the Edit icon of an existing user account.
Figure 204:Local user options
User Name
Disable
Password
LDAP
RADIUS
Type or edit the user name.
Select Disable to prevent this user from authenticating.
Select Password to authenticate this user using a password stored on the FortiGate unit.
Type or edit the password. The password should be at least six characters long.
Select LDAP to authenticate this user using a password stored on an
LDAP server. Select the LDAP server from the drop-down list.
Note: You can only select an LDAP server that has been added to the
FortiGate LDAP configuration. See
.
Select RADIUS to authenticate this user using a password stored on a
RADIUS server. Select the RADIUS server from the drop-down list.
Note: You can only select a RADIUS server that has been added to the
FortiGate RADIUS configuration. See “RADIUS servers” on page 322 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
321
RADIUS servers User
RADIUS servers
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the
RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the connection is refused by the FortiGate unit.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, use the CLI to change the default RADIUS port. For more information see the config system global
command in the
FortiGate CLI Reference
.
To configure a RADIUS server, go to User > RADIUS.
Figure 205:RADIUS server list
Create New
Add a new RADIUS server.
Name
The name of the RADIUS server on the FortiGate unit.
Server Name/IP
The domain name or IP address of the RADIUS server.
Delete icon
Edit icon
Delete a RADIUS server configuration.
Note: You cannot delete a RADIUS server that has been added to a user group.
Edit a RADIUS server configuration.
Configuring a RADIUS server
Go to User > RADIUS and select Create New or the Edit icon of an existing
RADIUS server.
Figure 206:RADIUS configuration
Name
Type or edit the name used to identify the RADIUS server.
Server Name/IP
Type or edit the domain name or IP address of the RADIUS server.
Server Secret
Type or edit the RADIUS server secret.
322
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User LDAP servers
LDAP servers
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication.
To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.
The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate LDAP supports
LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate
CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.
FortiGate LDAP support does not supply information to the user about why authentication failed.
Go to User > LDAP to configure an LDAP server.
Figure 207:LDAP server list
Create New
Name
Add a new LDAP server.
The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP
The domain name or IP address of the LDAP server.
Port
The port used to communicate with the LDAP server.
Common Name
Identifier
The common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.
Distinguished
Name
The distinguished name used to look up entries on the LDAP server.
The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Delete icon
Edit icon
Delete the LDAP server configuration.
Edit the LDAP server configuration.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
323
LDAP servers
Configuring an LDAP server
Go to User > LDAP and select Create New or the Edit icon of an existing LDAP server.
Figure 208:LDAP server configuration
User
Name
Type or edit the name used to identify the LDAP server.
Server Name/IP
Type or edit the domain name or IP address of the LDAP server.
Server Port
Type or edit the port used to communicate with the LDAP server.
By default, LDAP uses port 389.
Common Name
Identifier
Type or edit the common name identifier for the LDAP server. 20 characters maximum.
The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid.
Distinguished
Name
Type or edit the distinguished name used to look up entries on the
LDAP server.
Enter the base distinguished name for the server using the correct
X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component.
You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
Query icon
View the LDAP server Distinguished Name Query tree for the base
Distinguished Name.
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all the distinguished names associated with the Common
Name Identifier for the LDAP server. The tree helps you to determine the appropriate entry for the DN field. Expand the Common Name identifier to see the associated DNs. Select the DN from the list. The DN you select is displayed in the Distinguished Name field. Select OK and the Distinguished Name you selected will be saved in the Distinguished
Name field of the LDAP Server configuration. To see the users within the LDAP Server user group for the selected Distinguished Name, expand the Distinguished Name in the LDAP Distinguished Name
Query tree.
324
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User
Figure 209:LDAP server Distinguished Name Query tree
PKI authentication
PKI authentication
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library that takes a list of ‘peers’, ‘peer’ groups, and/or user groups and returns authentication ‘successful’ or ‘denied’ notifications. Users only need a valid certificate for successful authentication - no username or password are necessary.
For more information about certificate authentication, see the
FortiGate Certificate
Management User Guide.
For information about the detailed PKI configuration settings only available through the CLI, see the
FortiGate CLI Reference.
Go to User > PKI to configure PKI users.
Figure 210:User > PKI user list
Create New
User Name
Subject
Issuer
Delete icon
Edit icon
Add a new PKI user.
The name of the PKI user.
The text string that appears in the subject field of the certificate of the authenticating user.
The CA certificate that is used to authenticate this user.
Delete this PKI user.
Edit this PKI user.
Note: The following fields in the PKI User List correspond to the noted fields in the PKI
User dialog:
User Name: Name
Subject: Subject
CA: Issuer (CA certificate)
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
325
Windows AD servers User
Configuring PKI users
Go to User > PKI and select Create New or the Edit icon of an existing PKI user.
Figure 211:PKI user configuration
326
Name
Subject
CA
Enter the name of the PKI user. This field is mandatory.
The PKI user can also be defined in the CLI using config user peer or config
. For more information, see the
FortiGate CLI Reference.
Enter the text string that appears in the subject field of the certificate of the authenticating user. This field is optional.
Enter the CA certificate that must be used to authenticate this user. This field is optional.
Note: Even though Subject and CA are optional fields, one of them must be set. The following fields in the PKI User dialog correspond to the noted fields in the PKI User List:
Name: User Name
Subject: Subject
Issuer: CA (CA certificate)
Windows AD servers
On networks that use Windows Active Directory (AD) servers for authentication,
FortiGate units can transparently authenticate users without asking them for their user name and password. You must install the Fortinet Server Authentication
Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Windows AD server. For more information about FSAE, see the
FSAE Technical Note
.
Go to User > Windows AD to configure Windows AD servers.
Figure 212:Windows AD server list
Create New
Add a new Windows AD server.
FortiClient AD The name of the Windows AD server with FSAE.
You can expand the server name to display Windows AD domain group information.
IP Address
Delete icon
The IP addresses and TCP ports of up to five collector agents that send
Windows AD server logon information to the FortiGate unit.
Delete this Windows AD server.
Edit icon
Edit this Windows AD server.
Refresh icon
Get current domain and group information from the Windows AD server.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User
Configuring a Windows AD server
Go to User > Windows AD and select Create New or the Edit icon of an existing
Windows AD server.
Figure 213:Windows AD server configuration
User group
Name
Type or edit the name of the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
Enter the following information for up to five collector agents.
FSAE
Collector IP
Type or edit the IP address of the Windows AD server where this collector agent is installed.
Port
Type or edit the TCP port used for Windows AD. This must be the same as the FortiGate listening port specified in the FSAE collector agent configuration.
Password
Type or edit the password for the collector agent. This is required only if you configured your FSAE collector agent to require authenticated access.
User group
A user group is a list of user identities. An identity can be:
• a local user account (user name and password) stored on the FortiGate unit
• a local user account with a password stored on a RADIUS or LDAP server
• a RADIUS or LDAP server (all identities on the server can authenticate)
• a user group defined on a Microsoft Active Directory server
In most cases, the FortiGate unit authenticates users by requesting their user name and password. The FortiGate unit checks local user accounts first. If a match is not found, the FortiGate unit checks the RADIUS or LDAP servers that belong to the user group. Authentication succeeds when a matching user name and password are found.
For an Active Directory user group, the Active Directory server authenticates users when they log on to the network. The FortiGate unit receives the user’s name and IP address from the FSAE collector agent. For more information about
FSAE, see the FSAE Technical Note.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
327
User group
328
User
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication
See “Adding authentication to firewall policies” on page 222
.
• SSL VPNs on the FortiGate unit
See “SSL-VPN firewall policy options” on page 226 .
• IPSec VPN Phase 1 configurations for dialup users
See “Creating a new phase 1 configuration” on page 287 .
• XAuth for IPSec VPN Phase 1 configurations
See XAUTH in “Defining phase 1 advanced settings” on page 290 .
• FortiGate PPTP configuration
See “PPTP Range” on page 303 .
• FortiGate L2TP configuration
This is configurable only using the config vpn l2tp CLI command. See the
FortiGate CLI Reference
.
• Administrator login with RADIUS authentication
See “Configuring RADIUS authentication for administrators” on page 144 .
• FortiGuard Web Filtering override groups
See “FortiGuard - Web Filter” on page 373 .
For each resource that requires authentication, you specify which user groups are permitted access. You need to determine the number and membership of user groups appropriate to your authentication needs.
User group types
There are three types of user group:
•
•
•
Firewall
A firewall user group provides access to a firewall policy that requires firewall type authentication and lists the user group as one of the allowed groups. The
FortiGate unit requests the group member’s user name and password when the user attempts to access the resource that the policy protects. For more information, see
“Adding authentication to firewall policies” on page 222 .
A firewall user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the user name as peer
ID and the password as pre-shared key. The user can connect successfully to the
IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit. A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server. For more information, see
“Creating a new phase 1 configuration” on page 287 .
A firewall user group can be used to provide override privileges for FortiGuard web filtering. See
“Configuring FortiGuard override options for a user group” on page 331
. For detailed information about FortiGuard Web Filter, including the
override feature, see “FortiGuard - Web Filter” on page 373 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User
Active Directory
On a Microsoft Windows network, the FortiGate unit can allow access to members of Active Directory server user groups who have been authenticated on the
Windows network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
An Active Directory user group provides access to a firewall policy that requires
Active Directory type authentication and lists the user group as one of the allowed groups. The members of the user group are Active Directory groups that you select from a list that the FortiGate unit receives from the Windows AD servers
that you have configured. See “Windows AD servers” on page 326 .
Note: An Active Directory user group cannot have FortiGuard Web Filter override privileges or SSL VPN access.
SSL VPN
An SSL VPN user group provides access to a firewall policy that requires
SSL VPN type authentication and lists the user group as one of the allowed groups. Local user accounts, LDAP, and RADIUS servers can be members of an
SSL VPN user group. The FortiGate unit requests the user’s user name and password when the user accesses the SSL VPN web portal. The user group
.
An SSL VPN user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit.
Note: A user group cannot be an IPSec dialup group if any member is authenticated using a RADIUS or LDAP server.
For more information, see
“Creating a new phase 1 configuration” on page 287
.
User group list
Go to User > User Group to configure user groups.
Figure 214:User group list
User group
Create New
Group Name
Members
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Add a new user group.
The name of the user group. User group names are listed by type of user group: Firewall, Active Directory and SSL VPN.
The users, RADIUS servers, or LDAP servers in the user group.
329
User group
Protection Profile The protection profile associated with this user group.
Delete icon
Delete the user group.
Note: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
Edit icon
Edit the membership and options of the group.
Configuring a user group
Go to User >Group and select Create New or the Edit icon of an existing user group.
Figure 215:User group configuration
User
330
Name
Type
Protection Profile
Available Users
Members
Right arrow button
Left arrow button
Type or enter the name of the user group.
Select the user group type: See “User group types” on page 328 .
Firewall
Select this group in any firewall policy that requires Firewall authentication. See
“Adding authentication to firewall policies” on page 222 .
Active Directory
Select this group in any firewall policy that requires Active Directory authentication.
See
“Adding authentication to firewall policies” on page 222
.
SSL VPN
Select this group in any firewall policy with
Action set to SSL VPN. See “SSL-VPN firewall policy options” on page 226 .
Available only if Type is Firewall or Active Directory.
Select a protection profile for this user group from the drop-down list. To create a new protection profile, select Create New.
The list of users, RADIUS servers, LDAP servers, or PKI users that can be added to the user group.
The list of users, RADIUS servers, LDAP servers, or PKI users that belong to the user group.
Add a user or server to the Members list.
Select a user or server name in the Available Users list and select the right arrow button to move it to the Members list.
Remove a user or server from the Members list.
Select a user name or server name in the Members list and select the left arrow button to move it to the Available Users list.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User
FortiGuard Web
Filtering Override
Available only if Type is Firewall.
Configure Web Filtering override capabilities for this group.
See “Configuring FortiGuard override options for a user group” on page 331
.
SSL-VPN User Group
Options
Available only if Type is SSL-VPN.
For detailed instructions about how to configure web-only mode or tunnel mode operation, see the
FortiGate SSL VPN User
Guide
.
Note: If you try to add LDAP servers or local users to a group configured for administrator authentication, an “Entry not found” error occurs.
Configuring FortiGuard override options for a user group
Go to User > Group and select the Edit icon for a firewall user group. Expand the
FortiGuard Web Filtering Override section.
Figure 216:FortiGuard Web Filtering Override configuration
User group
Allowed to perform
FortiGuard Web
Filtering overrides
Select to allow members of this group to request an override on the
FortiGuard Web Filtering Block page. The firewall protection profile governing the connection must have FortiGuard overrides enabled.
The protection profile designates one user group as the Override
Group. Members of the Override Group can authenticate on the
FortiGuard Web Filter Block Override page to access the blocked site.
For detailed information see “FortiGuard - Web Filter” on page 373 .
Override Scope
The override can apply to just the user who requested the override, or include others. Make a selection from the drop-down list to include:
User
User Group
Only the user
The user group to which the user belongs
Override Type
IP
Profile
Any user at the user’s IP address
Any user with the specified protection profile of the user group
Ask
Authenticating user, who chooses the override scope
Select from the drop-down list to allow access to:
Directory
Domain
Categories
Ask
Only the lowest level directory in the URL
The entire website domain
The FortiGuard category
Authenticating user, who chooses the override type
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
331
User group User
Off-site URLs
Override Time
Select from the drop-down list whether the user can follow links to sites off of the blocked site:
Allow
Deny
User can follow links to other sites.
User can follow links only to destinations as defined by Override Type.
Ask
Authenticating user chooses whether to allow use of off-site links.
Select to set the duration of the override:
Constant
Ask
Select to set the duration of override in days, hours, minutes.
Select to allow the authenticating user to determine the duration of override. The duration set is the maximum.
Configuring SSL VPN user group options
Go to User > Group and select the Edit icon for an SSL VPN user group. Expand the SSL-VPN User Group Options section.
For detailed instructions about how to configure web-only mode or tunnel mode operation, see the
FortiGate SSL VPN User Guide
.
Figure 217:SSL-VPN user group options
332
Enable SSL-VPN Tunnel
Service
Select to allow users in this group to connect to the network behind the FortiGate unit using the SSL VPN tunnel. Not available in Transparent mode.
Allow Split Tunneling Select to allow split tunneling for this group. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route.
Restrict tunnel IP range for this group
Type the starting and ending IP address range for this group if you want to override the Tunnel IP range defined in VPN >
SSL > Config.
Enable Web Application
Select to enable the web portal to provide access to web applications. This is not available in Transparent mode.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
User
HTTP/HTTPS Proxy
FTP
Telnet (applet)
Samba
VNC
RDP
If you enabled Web Application, select to enable each of the applications that users in this group are permitted to access.
Check FortiClient AV
Installed and Running
Select to allow the client to connect only if it is running
FortiClient Host Security AV software. For information about this software, see the Fortinet Technical Documentation web site .
Check FortiClient FW
Installed and Running
Select to allow the client to connect only if it is running
FortiClient Host Security FW software. For information about this software, see the Fortinet Technical
Documentation web site .
Check for Third Party
AV Software
Select to allow the client to connect only if it has supported antivirus software installed. The software must be installed and enabled (running).
See “AV/Firewall supported product detection” for supported products for Windows XP SP2. For all other systems,
Norton (Symantec) AntiVirus or McAfee VirusScan software is supported.
Note: This option is not available if you select Check
FortiClient Installed and Running.
Check for Third Party
Firewall Software
Select to allow the client to connect only if it has supported firewall software installed. The software must be installed and enabled (running).
See “AV/Firewall supported product detection” for supported products for Windows XP SP2. For all other systems,
Norton (Symantec) AntiVirus or McAfee VirusScan software is supported.
Note: This option is not available if you select Check
FortiClient Installed and Running.
Enable Cache Clean
Select to remove all temporary Internet files created on the client computer between user login and logout. This is executed with a downloaded ActiveX control for IE, and a plugin for Firefox. Works on Internet Explorer and Firefox with Windows 2000/ Windows XP.
Note: If the client’s browser cannot install and run the cache cleaner, the user is not allowed to access the SSL VPN portal.
Redirect URL
Select to open a second browser window at this URL when the SSL VPN web portal page opens. The web server for this URL must reside on the private network behind the
FortiGate unit.
Note: You can modify the SSL VPN web portal login page.
For more information, see “Changing the SSL-VPN login message” on page 140 .
Customize portal message for this group
Type or edit a custom web portal home page caption for this group.
User group
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
333
Configuring peers and peer groups User
Table 33: AV/Firewall supported product detection
Product
Norton Internet Security 2006
Trend Micro PC-cillin
McAfee
Sophos Anti-Virus
Panda Platinum 2006 Internet Security
F-Secure
Secure Resolutions
Cat Computer Services
AhnLab
Kaspersky
ZoneAlarm
Y
Y
Y
Y
AV
Y
Y
Y
Y
Y
Y
Y
Firewall
Y
Y
Y
Y
Y
N
Y
Y
Y
Y
Y
Configuring peers and peer groups
You can define peers and peer groups used for authentication in some VPN configurations and for PKI certificate authentication. Use the CLI config user peer
and config user peergrp commands to do this. For more information, see the “User” chapter of the
FortiGate CLI Reference
.
334
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus Order of operations
AntiVirus
This section describes how to configure the antivirus options associated with firewall protection profiles.
The following topics are included in this section:
•
•
•
Antivirus settings and controls
•
•
•
•
Order of operations
Antivirus processing includes various modules and engines that perform separate tasks. The FortiGate unit performs antivirus processing in the order the elements appear in the web-based manager menu:
• File pattern
• Virus scan
• Grayware
• Heuristics
If a file fails any of the elements of the antivirus scan, no further scans are performed. For example, if the file “fakefile.EXE”, is recognized as a blocked pattern, the FortiGate unit will send the end user a replacement message and the file will be deleted or quarantined. The virus scan, grayware and heuristic scans will not be performed as the file is already found to be a threat and has been dealt with; there is no need to use further system resources on the file at this time.
Antivirus elements
The antivirus elements work in sequence to give you an efficient method of scanning incoming files. The first three elements have specific functions, the fourth, the heuristics, is to cover any new, previously unknown, virus threats. The four elements work together to offer your network unparalleled antivirus protection. To ensure that your system is providing the most protection available, all virus definitions and signatures are up dated regularly through the FortiGuard antivirus services. The elements will be discussed in the order that they are applied followed by FortiGuard antivirus.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
335
Antivirus elements AntiVirus
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter.
The FortiGate will check the file against the file pattern setting you have configured. If the file is a blocked pattern, “.EXE” for example, then it is stopped and a replacement message is sent to the end user. No other levels of protected are applied. If the file is not a blocked pattern the next level of protection is applied.
Virus scan
If the file is passed by the file pattern it will have a virus scan applied to it. The virus definitions are keep up to date through the FortiNet Distribution Network.
The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions see
Grayware
Once past the file pattern and the virus scan, the incoming file will be checked for grayware. Grayware configurations can be turned on and off as required and are kept up to date in the same manner as the antivirus definitions. For more
information on configuring grayware please see Viewing the grayware list .
Heuristics
After an incoming file has passed the first three antivirus elements, it is subjected to the heuristics element. The FortiGate heuristic antivirus engine performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Guide.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiGuard Distribution Network (FDN). The FortiGuard
Center also provides the FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard Center. See
“Configuring the FortiGate unit for FDN and FortiGuard services” on page 162
for more information.
Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.
336
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus Antivirus settings and controls
Antivirus settings and controls
While antivirus settings are configured for system-wide use, specific settings can be implemented on a per profile basis. Table 34 compares antivirus options in protection profiles and the antivirus menu.
Table 34: Antivirus and Protection Profile antivirus configuration
Protection Profile antivirus options
Virus Scan
Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP, POP3, SMTP,
IM).
File Pattern
Enable or disable file pattern handling for each protocol.
Antivirus setting
AntiVirus > Config > Virus List
View a read-only list of current viruses.
AntiVirus > File Pattern
Configure file patterns to block or allow files. Patterns can also be individually enabled or disabled.
Quarantine AntiVirus > Quarantine
Enable or disable quarantining for each protocol. Quarantine is only available on units with a local disk, or with a configured
FortiAnalyzer unit.
View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in
AntiVirus.
Pass fragmented email messages
Enable or disable passing fragmented email messages. Fragmented email messages cannot be scanned for viruses.
Comfort Clients
Enable or disable for HTTP and FTP traffic.
Set the interval and byte amount to trigger client comforting.
Oversized file/email
Configure the FortiGate unit to block or pass oversized files and email messages for each protocol. Set the size thresholds for files and email messages for each protocol in
AntiVirus.
AntiVirus > Config > Grayware
Enable or disable blocking of Grayware by category.
Add signature to outgoing email messages
Create and enable a signature to append to outgoing email messages (SMTP only).
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
337
File pattern AntiVirus
File pattern
Configure file patterns to block all files that are a potential threat and to prevent active computer virus attacks. Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content.
Note: File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending in .EXE.
For standard operation, you can choose to disable File Pattern in the Protection
Profile, and enable it temporarily to block specific threats as they occur.
The FortiGate unit blocks files that match a configured file pattern and displays a replacement message instead. The FortiGate unit also writes a message to the virus log and sends an alert email message if configured to do so.
If both File Pattern and Virus Scan are enabled, the FortiGate unit blocks files that match enabled file patterns and does not scan these files for viruses.
Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.
Viewing the file pattern list catalog
You can add multiple file pattern listsFortiGate and then select the best file pattern list for each protection profile. To view the file pattern list catalog, go to AntiVirus
> File Pattern. To view any individual file pattern list, select the edit icon for the list you want to see.
Figure 218:Sample file pattern list catalog
338
Note: The default file pattern list catalog is called built-in-patterns.
Create New
Name
# Entries
Profiles
Comment
Delete icon
Select Create New to add a new file pattern list to the catalog.
The available file pattern lists.
The number of file patterns in each file pattern list.
The protection profiles each file pattern list has been applied to.
Optional description of each file pattern list.
Select to remove the file pattern list from the catalog. The delete icon is only available if the file pattern list is not selected in any protection profiles.
Select to edit the file pattern list, list name, or list comment.
Edit icon
Select file pattern lists in protection profiles. For more information, see
“Antivirus options” on page 273 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus
Creating a new file pattern list
To add a file pattern list to the file pattern list catalog, go to AntiVirus >
File Pattern and select Create New.
Figure 219:New File Pattern List dialog box
File pattern
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
Viewing the file pattern list
To view the file pattern list FortiGate, go to AntiVirus > File Pattern and select the edit icon of the file pattern list you want to view.
Figure 220:Sample file pattern list
The file pattern list has the following icons and features:
Name
Comment
File pattern list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
OK
Create New
Pattern
Action
Enable
Delete icon
Edit icon
Move To icon
Select Create New to add a new pattern to the file pattern list.
The current list of file patterns.
Files matching the file patterns can be set to block or allow.
Clear the checkbox to disable the file pattern.
Select to remove the file pattern from the list.
Select to edit the file pattern and action.
Select to move the file pattern to any position in the list.
Files are compared to the enabled file patterns from top to bottom. If a file does not match any specified patterns, it is passed along to antivirus scanning (if enabled). In effect, files are passed if not explicitly blocked.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
339
File pattern AntiVirus
Using the allow action, this behavior can be reversed with all files being blocked unless explicitly passed. Simply enter all the file patterns to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action. Allowed files continue to antivirus scanning (if enabled) while files not matching any allowed patterns are blocked by the wildcard at the end.
The file pattern list is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
File pattern is enabled in protection profiles. For more information, see
“Antivirus options” on page 273 .
Configuring the file pattern list
File patterns can be up to 80 characters long. The maximum number of file patterns in a list is 5000.
To add a new file pattern while viewing a file pattern list, select Create New. To edit an existing file pattern, select the edit icon associated with the pattern.
Figure 221:New file pattern
Pattern
Action
Enable
Enter the file pattern.The file pattern can be an exact file name or can include wildcards.
Select an action from the drop down list: Block or Allow.
Select to enable the pattern.
340
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus
Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View the file name and status information about the file in the quarantined file list.
Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.
FortiGate units without a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit. Files stored on the FortiAnalyzer can be retrieved for viewing.
To configure the FortiAnalyzer unit, go to Log & Report > Log Config > Log
Setting.
Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.
Viewing the Quarantined Files list
The Quarantined Files list displays information about each file quarantined because of virus infection or file blocking. Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service.
To view the Quarantined Files list, go to AntiVirus > Quarantine > Quarantined
Files.
Figure 222:Quarantined files list
Quarantine
The quarantined files list has the following features and displays the following information about each quarantined file:
Apply
Sort by
Filter
File Name
Date
Select to apply the sorting and filtering selections to the quarantined files list.
Sort the list. Choose from: status, service, file name, date, TTL, or duplicate count. Select Apply to complete the sort.
Filter the list. Choose from status (infected, blocked, or heuristics) or service (IMAP, POP3, SMTP, FTP, or HTTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. See
“Antivirus CLI configuration” on page 347 .
The processed file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention:
<32bit_CRC>.<processed_filename>
For example, a file named Over Size.exe is stored as
3fc155d2.oversize.exe.
The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
341
Quarantine AntiVirus
Service
Status
Status
Description
DC
The service from which the file was quarantined (HTTP, FTP, IMAP,
POP3, SMTP, IM).
The reason the file was quarantined: infected, heuristics, or blocked.
Specific information related to the status, for example, “File is infected with “W32/Klez.h”” or “File was stopped by file block pattern.”
TTL
Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status
Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
Delete icon
Select to remove the file from the list.
Download icon
Select to download the corresponding file in its original format.
Submit icon
Select to upload a suspicious file to Fortinet for analysis.
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL value and the duplicate count are updated each time a duplicate of a file is found.
Viewing the AutoSubmit list
Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file patterns to the AutoSubmit list using wildcard characters (* or ?).
File patterns are applied for AutoSubmit regardless of file blocking settings.
Upload files to Fortinet based on status (blocked or heuristics), or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
This option is only available on FortiGate units with a local disk.
To view the AutoSubmit list, go to AntiVirus > Quarantine > AutoSubmit.
Figure 223:Sample AutoSubmit list
342
AutoSubmit list has the following icons and features:
Create New
File Pattern
Delete icon
Edit icon
Select to add a new file pattern to the AutoSubmit list.
The current list of file patterns that will be automatically uploaded.
Create a pattern by using ? or * wildcard characters. Enable the check box to enable all file patterns in the list.
Select to remove the entry from the list.
Select to edit the following information: File Patter and Enable.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus
Configuring the AutoSubmit list
To add a file pattern to the AutoSubmit list, go to AntiVirus > Quarantine >
AutoSubmit.
Figure 224:New File Pattern dialog box
Quarantine
File Pattern
Enable
Enter the file pattern or file name to be upload automatically to
Fortinet.
Select to enable the file pattern
Note: To enable automatic uploading of the configured file patterns, go to AntiVirus >
Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.
Configuring quarantine options
Go to AntiVirus > Quarantine > Config to set quarantine configuration options, including whether to quarantine blocked or infected files and from which service.
Configure the time to live and file size values, and enable AutoSubmit settings.
Figure 225:Quarantine Configuration (FortiGate with local disk)
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
343
Quarantine AntiVirus
Figure 226:Quarantine Configuration (FortiAnalyzer from FortiGate with local disk)
Figure 227:Quarantine Configuration (FortiAnalyzer from FortiGate with no local disk)
344
Note: NNTP options cannot be selected. Support will be added in the future.
Quarantine configuration has the following options:
Options
Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristics.
Quarantine Blocked Files. Select the protocols from which to quarantine blocked files identified by antivirus file blocking. The Quarantine Blocked
Files option is not available for HTTP, FTP, or IM because a file name is blocked before downloading and cannot be quarantined.
Age limit
The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP. and the file is deleted (although a record is maintained in the quarantined files list).
Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on low disk space action.
The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Max filesize to quarantine
Low disk space Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
FortiAnalyzer
Select to enable storage of blocked and quarantined files on a
FortiAnalyzer unit. See
for more information about configuring a FortiAnalyzer unit.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus
Enable
AutoSubmit
Apply
Enable AutoSubmit: enables the AutoSubmit feature. Select one or both of the options below.
Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
Use file status: Enables the automatic upload of quarantined files based on their status. Select either Heuristics or Block Pattern.
Heuristics is configurable through the CLI only. See “Antivirus CLI configuration” on page 347 .
Select to save the configuration.
Config
Config displays a list of the current viruses blocked by the FortiGate unit. Also configure file and email size limits, and grayware blocking.
Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.
Viewing the virus list
The virus list displays an alphabetical list of the current FortiGuard virus definitions (also called AV definitions) installed on the FortiGate unit. The
FortiGate unit uses the virus definitions to detect and remove viruses, worms, trojans, and other threats from content as it passes through the FortiGate unit.
View the entire list or parts of the list by selecting the number or alphabet ranges.
To view the virus list, go to AntiVirus > Config.
The FortiGuard virus definitions list is updated every time the FortiGate unit receives a new version of the FortiGuard AV definitions.
The FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses, worms, trojans, and other threats that can be detected and removed by your FortiGate unit using the information in the FortiGuard virus definitions.
Figure 228:Virus list (partial)
Config
Usually the FortiGuard AV definitions are updated automatically from the
FortiGuard Distribution Network (FDN). Go to System > Maintenance >
FortiGuard Center to configure automatic AV definition updates from the FDN.
You can also update the AV definitions manually from the system dashboard (go to System > Status).
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
345
Config AntiVirus
Viewing the grayware list
Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends.
The FortiGate unit scans for known grayware executable programs in each enabled category. The category list and contents are added or updated whenever the FortiGate unit receives a virus update package. New categories may be added at any time and will be loaded with the virus updates. By default, all new categories are disabled. Grayware is enabled in a protection profile when Virus
Scan is enabled.
Grayware categories are populated with known executable files. Each time the
FortiGate unit receives a virus and attack definitions update, the grayware categories and contents are updated.
Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.
To view the grayware list, go to AntiVirus > Config > Grayware.
Figure 229:Sample grayware options
346
Enabling a grayware category blocks all files listed in the category. The categories may change or expand when the FortiGate unit receives updates. You can choose to enable the following grayware categories:
Adware
BHO
Dial
Block adware programs. Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
Block browser helper objects. BHOs are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and later. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Block dialer programs. Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
AntiVirus Antivirus CLI configuration
Misc
NMT
P2P
Plugin
Download
Game
HackerTool
Hijacker
Joke
Keylog
RAT
Spy
Toolbar
Block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
Block games. Games are usually joke or nuisance games that you may want to block from network users.
Block hacker tools.
Block browser hijacking programs. Browser hijacking occurs when a ‘spyware’ type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Block joke programs. Joke programs can include custom cursors and programs that appear to affect the system.
Block keylogger programs. Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Block any programs included in the miscellaneous grayware category.
Block network management tools. Network management tools can be installed and used maliciously to change settings and disrupt network security.
Block peer to peer communications programs. P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Block browser plugins. Browser plugins can often be harmless
Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
Block remote administration tools. Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Block spyware programs. Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report your activities, such as web browsing habits, to the advertiser’s web site where it may be recorded and analyzed.
Block custom toolbars. While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.
Antivirus CLI configuration
This section describes the CLI commands that extend features available through the web-based manager. For complete descriptions and examples of how to enable additional features through CLI commands, see the
FortiGate CLI
Reference
.
system global optimize
The optimize feature configures CPU settings to ensure efficient operation of the
FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster.
This feature is available on models numbered 1000 and higher.
For more information, see the
Antivirus failopen and optimization
Fortinet
Knowledge Center article.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
347
Antivirus CLI configuration AntiVirus
config antivirus heuristic
The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
The heuristic engine is enabled by default to pass suspected files to the recipient and send a copy to quarantine. Once configured in the CLI, heuristic scanning is enabled in a protection profile when Virus Scan is enabled.
Use the heuristic command to change the heuristic scanning mode.
config antivirus quarantine
The quarantine command also allows configuration of heuristic related settings.
This feature is available on models numbered 200 and higher.
config antivirus service <service_name>
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP, FTP, IM, POP3, IMAP, or SMTP traffic, and what ports the
FortiGate unit scans for the service.
348
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Intrusion Protection About intrusion protection
Intrusion Protection
The FortiGuard Intrusion Prevention System (IPS) combines signature and anomaly intrusion detection and prevention with low latency and excellent reliability. IPS provides configuration access to the IPS options enabled when creating a firewall protection profile.
This section describes how to configure the FortiGate IPS settings. For detailed information about IPS, see the
FortiGate Intrusion Protection System (IPS) Guide
.
The following topics are included in this section:
•
•
•
•
•
•
About intrusion protection
The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. Adjust some IPS anomaly thresholds to work best with the normal traffic on the protected networks. Create custom signatures to customize the
FortiGate IPS for diverse network environments.
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks.
Fortinet’s FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.
FortiGuard services are a valuable customer resource and include automatic updates of virus and IPS (attack) engines and definitions through the FortiGuard
Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet
Knowledge Center for details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard is configured in
System > Maintenance > FortiGuard Center. See
“Configuring the FortiGate unit for FDN and FortiGuard services” on page 162
for more information.
Configure the FortiGate unit to check automatically for and download updated attack definition files containing the latest signatures, or download the updated attack definition file manually. Alternately, configure the FortiGate unit to allow push updates of updated attack definition files as soon as they are available from the FortiGuard Distribution Network.
When the FortiGate unit installs an updated attack definition file, it checks to see if the default configuration for any existing signatures has changed. If the default configuration has changed, the changes are preserved.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
349
About intrusion protection Intrusion Protection
Create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures.
Whenever the IPS detects or prevents an attack, it generates an attack message.
Configure the FortiGate unit to add the message to the attack log and send an alert email to administrators. Configure how often the FortiGate unit sends alert email. Reduce the number of log messages and alerts by disabling signatures for attacks to which the system is not vulnerable, for example, web attacks when there is no web server running.
Packet logging provides administrators with the ability to analyze packets for forensics and false positive detection.
For more information about FortiGate logging and alert email, see
IPS settings and controls
Configure the IPS using either the web-based manager or the CLI, then enable or disable all signatures or all anomalies in individual firewall protection profiles.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
Table 35 describes the IPS settings and where to configure and access them.
Table 35: Protection Profile IPS and IPS configuration
Protection Profile IPS options
IPS Signature
Enable or disable IPS signatures by severity level.
IPS Anomaly
Enable or disable IPS anomalies by severity level.
Log Intrusions
Enable logging of all signature and anomaly intrusions.
IPS setting
Intrusion Protection > Signature
View and configure a list of predefined signatures.
Create custom signatures based on the network requirements.
Configure protocol decoders.
Intrusion Protection > Anomaly
View and configure a list of predefined anomalies.
Intrusion Protection > Anomaly > [individual anomaly]
Enable logging for each signature.
Enable packet logging for each signature or anomaly.
To access protection profile IPS options, go to Firewall > Protection Profile, select Edit or Create New, and select IPS.
When to use IPS
IPS is best for large networks or for networks protecting highly sensitive information. Using IPS effectively requires monitoring and analysis of the attack logs to determine the nature and threat level of an attack. An administrator can adjust the threshold levels to ensure a balance between performance and intrusion prevention. Small businesses and home offices without network
350
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Intrusion Protection Predefined signatures
administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings. In addition, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.
Predefined signatures
By default, not all signatures are enabled. But logging of all signatures is enabled.
Check the default settings to ensure they meet the requirements of the network traffic.
Disabling unneeded signatures can improve system performance and reduce the number of log messages and alert email messages the IPS generates. For example, the IPS detects a large number of web server attacks. If access to a web server behind the FortiGate unit is not provided, disable all web server attack signatures.
Note: By allowing your IPS signature settings to run on default, you may be slowing down the overall performance of the FortiGate unit. By fine tuning the predefined signature and logging setting, you can ensure maximum performance as well as maximum protection.
See
“Fine tuning IPS predefined signatures for enhanced system performance” on page 353
Viewing the predefined signature list
Enable or disable and configure the settings for individual predefined signatures from the predefined signature list. The list can be viewed by signature severity level.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
To view the predefined signature list, go to Intrusion Protection > Signature >
Predefined.
Figure 230:Predefined signature list
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
351
Predefined signatures
352
Intrusion Protection
Column
Settings
Name
Enable
Logging
Select to customize the signature information to display in the table. You can also readjust the column order.
By default, the signature ID, group name, and revision number are not displayed.
Name of the signature.
The status of the signature. A green circle indicates the signature is enabled. A gray circle indicates the signature is not enabled.
The logging status of the signature. By default, logging is enabled for all signatures. If logging is enabled, the action appears in the status field of the log message generated by the signature.
Action
Severity
The action set for the signature. Action can be Pass, Drop, Reset, Reset
Client, Reset Server, Drop Session, Clear Session, or Pass Session. If logging is enabled, the action appears in the status field of the log message generated by the signature. See
the actions.
The severity level set for the signature. Severity level can be set to
Information, Low, Medium, High, or Critical.
The protocol the signature applies to.
Protocols
OS
Applications
ID
Group
The operating system the signature applies to.
The applications the signature applies to.
The signature’s unique ID.
The name of the signature group that the signature belongs to.
Revision
The revision number of the signature.
Configure icon Configure settings for the signature.
Reset icon
Reset only appears when the default settings for a signature have been modified. Selecting Reset for a signature restores the default settings.
Table 36 describes each possible action to take for predefined signatures, custom
signatures and anomalies.
Table 36: Actions to select for each predefined signature
Action
Pass
Drop
Reset
Reset Client
Description
When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall without further action.
If logging is disabled and action is set to Pass, the signature is effectively disabled.
When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The firewall session is not touched.
Fortinet recommends using an action other than Drop for TCP connection based attacks.
When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to both the client and the server and drops the firewall session from the firewall session table.
This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established, it acts as Clear Session.
When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the client and drops the firewall session from the firewall session table.
This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset
Client action is triggered before the TCP connection is fully established, it acts as Clear Session.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Intrusion Protection Predefined signatures
Table 36: Actions to select for each predefined signature (Continued)
Reset Server
Drop Session
Pass Session
Clear Session
When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the server and drops the firewall session from the firewall session table.
This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset
Server action is triggered before the TCP connection is fully established, it acts as Clear Session.
When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. For the remainder of this packet’s firewall session, all follow-up packets are dropped.
When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall. For the remainder of this packet’s session, the IPS is bypassed by all follow-up packets.
When a packet triggers a signature, the FortiGate unit generates an alert and the session to which the packet belongs is removed from the session table immediately. No reset is sent.
For TCP, all follow-up packets could be dropped.
For UDP, all follow-up packets could trigger the firewall to create a new session.
Configuring predefined signatures
For each signature, configure the action the FortiGate IPS takes when it detects an attack. The FortiGate IPS can pass, drop, reset or clear packets or sessions.
Enable or disable packet logging. Select a severity level to be applied to the signature.
Figure 231:Configure Predefined IPS Signatures
Action
Packet Log
Severity
Select an action from the list. Action can be Pass, Drop, Reset, Reset
Client, Reset Server, Drop Session, Clear Session, or Pass Session.
See
Table 36 for descriptions of the actions.
Enable packet logging.
Select a severity level from the dropdown list. Severity level can be
Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.
Fine tuning IPS predefined signatures for enhanced system performance
By default, the FortiGate unit will have most of the predefined signatures enabled and will log all of them. If left on the default settings, the FortiGate will provide your system with the best protection available. By fine tuning the signatures and log settings you can still provide the best protection available but also free up valuable FortiGate resources. Fine tuning allows you to turn off features that you are not using. By turning off signatures and logs that you do not use, you allow the
FortiGate unit to perform tasks faster thus improving overall system performance.
Not all systems require you to scan for all signatures of the IPS suite all the time.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
353
Custom signatures Intrusion Protection
1
2
1
2
3
4
For example. If you have a FortiGate unit that is controlling computers that only have access to an internal database and do not have access to the internet or email, there is no point having the Fortigate unit scanning for certain types of signatures such as email, IM, and P2P.
By telling the FortiGate unit not to look for these signatures, you will maintain a high level of security and increase overall performance.
You should also review exactly how you use the information provided by the logging feature. If you find that you do not review the information, it is best to turn off the logging feature. Logging is best used to provide actionable intelligence.
To disable a signature
Go to Intrusion Protection > Signatures > Predefined.
Clear the Enable box for the signatures you want to disable.
To turn off logging for a signature
Go to Intrusion Protection > Signatures > Predefined.
Select the Configure icon on the right hand side of the signature you want to change.
Clear the Logging check box.
Select OK.
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate
IPS for diverse network environments. The FortiGate predefined signatures cover common attacks. If an unusual or specialized application or an uncommon platform is being used, add custom signatures based on the security alerts released by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
For more details about custom signatures, see the
FortiGate Intrusion Protection
System (IPS) Guide
.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
Viewing the custom signature list
To view the custom signature list, go to Intrusion Protection > Signature >
Custom.
Figure 232:The custom signature list
Reset to recommended settings
Clear all custom signatures
354
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Intrusion Protection Custom signatures
View custom signatures with severity
Select filters then select Go to view only those custom signatures that match the filter criteria. Sort criteria can be <=, =, >= to All, Information,
Low, Medium, High, or Critical.
Create New
Select to create a new custom signature.
Clear all custom
Remove all the custom signatures.
signatures icon
Reset all the custom signatures to the recommended settings.
Reset to recommended settings icon
Name
Enable
The custom signature name.
The status of each custom signature. A check mark in the box indicates the signature is enabled.
Logging
Action
Severity
Delete icon
Edit icon
The logging status of each custom signature. A check mark in the box indicates logging is enabled for the custom signature.
The action set for each custom signature. Action can be Pass, Drop,
Reset, Reset Client, Reset Server, Drop Session, Clear Session, or
Pass Session. If logging is enabled, the action appears in the status field
of the log message generated by the signature. See Table 36 for
descriptions of the actions.
The severity level set for each custom signature. Severity level can be
Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.
Select to delete the custom signature.
Select to edit the following information: Name, Signature, Action, Packet
Log, and Severity.
Creating custom signatures
Use custom signatures to block or allow specific traffic. For example, to block traffic containing pornography, add custom signatures similar to the following:
F-SBID (--protocol tcp; --flow established; --content "nude cheerleader"; -no_case)
When adding the signature, set action to Drop Session.
For more information on custom signature syntax, see the
FortiGate Intrusion
Protection System (IPS) Guide
.
Note: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures.
To create a custom signature, go to Intrusion Protection > Signature > Custom.
Figure 233:Edit Custom Signature
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
355
Protocol Decoders Intrusion Protection
Name
Signature
Action
Packet Log
Severity
Enter a name for the custom signature.
Enter the custom signature. For more information about custom signature syntax, see “Custom signature syntax” in the
FortiGate
Intrusion Protection System (IPS) Guide
.
Select an action from the list. Action can be Pass, Drop, Reset, Reset
Client, Reset Server, Drop Session, Pass Session, or Clear Session.
See
Table 36 for descriptions of the actions.
Enable packet logging.
Select a severity level from the dropdown list. Severity level can be
Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.
Protocol Decoders
The FortiGate IPS uses anomaly detection to identify network traffic that attempts to take advantage of known exploits.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
Viewing the protocol decoder list
To view the decoder list, go to Intrusion Protection > Signature > Protocol
Decoder.
Figure 234:Portion of the protocol decoder list
356
Name
The protocol decoder name.
Ports
The port number or numbers the decoder monitors.
Configure icon Click to modify the signature attributes. By default, you cannot modify settings of some decoders, because they are used by the system.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Intrusion Protection
Upgrading IPS protocol decoder list
IPS protocol decoders are included in the IPS upgrade package available through the FortiGuard Distribution Network (FDN). There is no need to wait for firmware upgrades. The IPS upgrade package will keep the IPS decoder list up to date with new threats such as the latest versions of existing IM/P2P as well as new applications.
Anomalies
The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns.
The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols.
Flooding
Scan
If the number of sessions targeting a single destination in one second is over a specified threshold, the destination is experiencing flooding.
If the number of sessions from a single source in one second is over a specified threshold, the source is scanning.
Source session limit
If the number of concurrent sessions from a single source is over a specified threshold, the source session limit is reached.
Destination session limit
If the number of concurrent sessions to a single destination is over a specified threshold, the destination session limit is reached.
Enable or disable logging for each traffic anomaly, and configure the IPS action in response to detecting an anomaly. In many cases, the thresholds the anomaly uses to detect traffic patterns that could represent an attack are configurable.
Note: It is important to know normal and expected network traffic before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could miss some attacks.
Use the CLI to configure session control based on source and destination network address.
The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
Anomalies
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
357
Anomalies
Viewing the traffic anomaly list
To view the anomaly list, go to Intrusion Protection > Anomaly.
Figure 235:A portion of the traffic anomaly list
Intrusion Protection
View traffic anomalies with severity
Select filters then select Go to view only those anomalies that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low,
Medium, High, or Critical.
Name
Enable
Logging
Action
The traffic anomaly name.
The status of the traffic anomaly. A check mark in the box indicates the anomaly signature is enabled.
The logging status for each traffic anomaly. A check mark in the box indicates logging is enabled for the anomaly.
The action set for each traffic anomaly. Action can be Pass, Drop, Reset,
Reset Client, Reset Server, Drop Session, Clear Session, or Pass
Session. If logging is enabled, the action appears in the status field of the log message generated by the Anomaly. See
the actions.
Severity
Edit icon
Reset icon
The severity level set for each traffic anomaly. Severity level can be
Information, Low, Medium, High, or Critical. Severity level is set for individual anomalies.
Select to edit the following information: Action, Severity, and Threshold.
The Reset icon is displayed only if an anomaly has been modified. Use the Reset icon to restore modified settings to the recommended values.
Configuring IPS traffic anomalies
Each IPS traffic anomaly is preset with a recommended configuration. Use the recommended configurations, or modify the recommended configurations to meet the needs of your network.
To configure IPS traffic anomalies, go to Intrusion Protection > Anomaly.
Figure 236:Edit IPS Traffic Anomaly: icmp_dst_session
358
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Intrusion Protection IPS CLI configuration
Action
Severity
Threshold
Select an action from the dropdown list: Pass, Drop, Reset, Reset Client, Reset
Server, Drop Session, Pass Session, Clear Session. See
descriptions of the actions.
Select a severity level from the dropdown list: Information, Low, Medium, High, or Critical.
For the IPS anomalies that include the threshold setting, traffic over the specified threshold triggers the anomaly.
IPS CLI configuration
This section describes the CLI commands that extend features available through the web-based manager. For complete descriptions and examples of how to enable additional features through CLI commands, see the
FortiGate CLI Reference
.
system autoupdate ips
When the IPS is updated, user-modified settings are retained. If recommended IPS signature settings have not been modified, and the updated settings are different, signature settings will be set according to accept-recommended-settings.
ips global fail-open
If for any reason the IPS should cease to function, it will fail open by default. This means crucial network traffic will not be blocked, and the firewall will continue to operate while the problem is being resolved.
ips global ip_protocol
Save system resources by restricting IPS processing to only those services allowed by firewall policies.
ips global socket-size
Set the size of the IPS buffer.
(config ips anomaly) config limit
Access the config limit subcommand using the config ips anomaly
<name_str> command. Use this command for session control based on source and destination network address. This command is available for tcp_src_session, tcp_dst_session
, icmp_src_session, icmp_dst_session, udp_src_session
, udp_dst_session.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
359
IPS CLI configuration Intrusion Protection
360
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter Order of web filtering
Web Filter
The three main sections of the web filtering function, the Web Filter Content
Block, the URL Filter, and the FortiGuard Web filter, interact with each other in such a way as to provide maximum control and protection for the Internet users.
This section contains the following topics:
•
•
•
•
•
•
Order of web filtering
6
7
4
5
1
2
3
Web filters are applied in a specific order:
URL Exempt (Web Exempt List)
URL Block (Web URL Block)
URL Block (Web Pattern Block)
FortiGuard Web Filtering (Also called Category Block)
Content Block (Web Content Block)
Script Filter (Web Script Filter)
Antivirus scanning
The URL filter list is processed in order from top to bottom. (In FortiOS v2.80 the
URL filter is processed as an unordered list.) An exempt match stops all further checking including AV scanning. An allow match exits the URL filter list and checks the other web filters.
Local ratings are checked prior to other FortiGuard Web Filtering categories.
The FortiGate unit applies the rules in this order and failure to comply with a rule will automatically block a site despite what the setting for later filters might be.
How web filtering works
The following information shows how the filters interact with each other and how to use them to your advantage.
The first section, the URL exempt and block filters, will allow you to decide what action to take for specific addresses. For example, if you want to exempt www.google.com from being scanned, you can add it to the URL exempt list. Then no web filtering or virus scanning will be taken to this web site.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
361
Web filter controls Web Filter
If you have blocked a pattern but want certain users to have access to URLs within that pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to specify which users have access to which blocked URLs and how long they have that access. For example, you want User1 to be able to access www.fakeLAND.com for 1 hour. You can use this section to set up the exemption.
Any user listed in an override must fill out an online authentication form before the
FortiGuard unit will grant access to the blocked URL.
FortiGuard Web Filter also lets you create local categories to block groups of
URLs. Once you have created the category, you can use the local rating to add specific sites to the local category you have created. You then use the Firewall >
Protection Profile to tell the FortiGuard Unit what action to take with the Local category. The local ratings overwrite the FortiGuard ratings.
Finally the FortiGuard unit applies script filtering for ActiveX, Cookie, and Java applet, which can be configured in Firewall > Protection Profile > Web Filtering.
Once you have finished configuring all of these settings, you still have to turn them all on in the Firewall > Protection Profile > Web filtering and Firewall >
Protection Profile >FortiGuard Web Filtering. By enabling them here, you are telling the FortiGate unit to start using the filters as you have configured them.
This section describes how to configure web filtering options. Web filtering functions must be enabled in the active protection profile for the corresponding settings in this section to have any effect.
Web filter controls
As a general rule you go to Web Filter to configure the web filtering settings and to enable the filters for use in a protection profile. To actually activate the enabled filters you go to Firewall> Protection Profile.
Note: Enabled means that the filter will be used when you turn on web filtering. It does not mean that the filter is turned on. To turn on all enabled filters you must go to Firewall>
Protection Profile.
FortiGuard - Web Filter is described in detail in
be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge
Center for details and a link to the FortiGuard Center.
The following tables compare web filtering options in protection profiles and the web filter menu.
Table 37: Web filter and Protection Profile web content block configuration
Protection Profile web filtering options
Web Content Block
Enable or disable web page blocking based on the banned words and patterns in the content block list for HTTP traffic.
Web Filter setting
Web Filter > Content Block
Add words and patterns to block web pages containing those words or patterns.
362
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter Web filter controls
Table 38: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering options Web Filter setting
Web URL Filter Web Filter > URL Filter
Enable or disable web page filtering for HTTP traffic based on the URL filter list.
Add URLs and URL patterns to exempt or block web pages from specific sources.
Table 39: Web filter and Protection Profile web script filtering and download configuration
Protection Profile web filtering options Web Filter setting
Active X Filter, Cookie Filter, Java Applet Filter n/a
Enable or disable blocking scripts from web pages for HTTP traffic.
Web resume Download Block
Enable to block downloading the remainder of a file that has already been partially downloaded. Enabling this option prevents the unintentional download of virus files, but can cause download interruptions.
n/a
Table 40: Web filter and Protection Profile web category filtering configuration
Protection Profile web filtering options Web Filter setting
Enable FortiGuard Web Filtering (HTTP only). FortiGuard Web Filter > Configuration
Enable FortiGuard Web Filtering Overrides
(HTTP only).
FortiGuard Web Filtering > Overrides
Provide details for blocked HTTP 4xx and 5xx errors (HTTP only.)
Rate images by URL (Blocked images will be replaced with blanks) (HTTP only).
Allow web sites when a rating error occurs
(HTTP only).
Strict Blocking (HTTP only)
Category / Action
FortiGuard-Web filtering service provides many categories by which to filter web traffic.
Set the action to take on web pages for each category. Choose from allow, block, log, or allow override.
Local Categories can be configured to best suit local requirements.
Classification/Action
When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
Choose from allow, block, log, or allow override.
FortiGuard Web Filtering > Local
Categories | Local Ratings
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
363
Content block Web Filter
1
2
3
To access protection profile web filter options
Go to Firewall > Protection Profile.
Select edit or Create New.
Select Web Filtering or Web Category Filtering.
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally. To access these features, select Global Configuration on the main menu.
Content block
Control web content by blocking specific words or patterns. If enabled in the protection profile, the FortiGate unit searches for words or patterns in on requested web pages. If matches are found, values assigned to the words are totalled. If a user-defined threshold value is exceeded, the web page is blocked
Use Perl regular expressions or wildcards to add banned word patterns to the list.
Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i
blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
Viewing the web content block list catalog
You can add multiple web content block lists and then select the best web content block list for each protection profile. To view the web content block list catalog, go to Web Filter > Content Block. To view any individual web content block list, select the edit icon for the list you want to see.
Figure 237:Sample web content block list catalog
364
The web content block list catalogue has the following icons and features:
Add
Name
# Entries
Profiles
Comment
Delete icon
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
The available web content block lists.
The number of content patterns in each web content block list.
The protection profiles each web content block list has been applied to.
Optional description of each web content block list.
Select to remove the web content block list from the catalog. The delete icon is only available if the web content block list is not selected in any protection profiles.
Select to edit the web content block list, list name, or list comment.
Edit icon
Select web content block lists in protection profiles. For more information, see
“Web filtering options” on page 275 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter
Creating a new web content block list
1
2
To add a web content block list to the web content block list catalog
Go to Web Filter > Content Block.
Select Create New.
Figure 238:New Web Content Block list dialog box
Content block
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
Viewing the web content block list
With web content block enabled, every requested web page is checked against the content block list. The score value of each pattern appearing on the page is added, and if the total is greater than the threshold value set in the protection profile, the page is blocked. The score for a pattern is applied only once even if it appears on the page multiple times.
1
2
To view the web content block list
Go to Web Filter > Content Block.
Select the edit icon of the web content block list you want to view.
Figure 239:Sample web content block list
Note: Enable Web Filtering > Web Content Block in a firewall Protection Profile to activate the content block settings.
The web content block list has the following icons and features:
Name
Comment
Web content block list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
Create new
Total
Select to add a pattern to the web content block list.
The number of patterns in the web content block list.
Page up icon
Select to view the previous page.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
365
Content block Web Filter
Page down icon Select to view the next page.
Remove All
Entries icon
Select to clear the table.
Banned word
The current list of patterns. Select the check box to enable all the patterns in the list.
Pattern type
The pattern type used in the pattern list entry. Choose from wildcard or regular expression. See
“Using Perl regular expressions” on page 393 .
Language
Score
Delete icon
The character set to which the pattern belongs: Simplified Chinese,
Traditional Chinese, French, Japanese, Korean, Thai, or Western.
A numerical weighting applied to the pattern. The score values of all the matching patterns appearing on a page are added, and if the total is greater than the threshold value set in the protection profile, the page is blocked.
Select to delete an entry from the list.
Edit icon
Select to edit the following information: Banned Word, Pattern Type,
Language, and Enable.
Configuring the web content block list
Web content patterns can be one word or a text string up to 80 characters long.
The maximum number of banned words in the list is 5000.
1
2
3
To add or edit a content block pattern
Go to Web Filter > Content Block.
Select Create New or
Select the edit icon of the web content block list you want to view.
Figure 240:New content block pattern
366
Banned Word
Pattern Type
Language
Score
Enable
Enter the content block pattern. For a single word, the FortiGate checks all web pages for that word. For a phrase, the FortiGate checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Select a pattern type from the dropdown list: Wildcard or regular
Expression.
Select a language from the dropdown list.
Enter a score for the pattern.
Select to enable the pattern.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter
Viewing the web content exempt list catalog
You can add multiple web content exempt lists and then select the best web content exempt list for each protection profile.
To view the web content block list catalog
• Go to Web Filter > Content Block > Web Content Exempt.
To view any individual web content exempt list
• Select the edit icon for the list you want to see.
Figure 241:Sample web content exempt list catalog
Content block
The web content exempt list catalogue has the following icons and features:
Add
Name
# Entries
Profiles
Comment
Delete icon
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
The available web content block lists.
The number of content patterns in each web content block list.
The protection profiles each web content block list has been applied to.
Optional description of each web content block list.
Select to remove the web content block list from the catalog. The delete icon is only available if the web content block list is not selected in any protection profiles.
Select to edit the web content block list, list name, or list comment.
Edit icon
Select web content block lists in protection profiles. For more information, see
“Web filtering options” on page 275 .
Creating a new web content exempt list
1
2
To add a web content exempt list to the web content exempt list catalog
Go to Web Filter > Content Block > Web Content Exempt.
Select Create New.
Figure 242:New Web Content Exempt list dialog box
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
367
Content block Web Filter
Viewing the web content exempt list
Web content exempt allows overriding of the web content block feature. If any patterns defined in the web content exempt list appear on a web page, the page will not be blocked even if the web content block feature would otherwise block it.
1
2
To view the web content exempt list
Go to Web Filter > Content Block > Web Content Exempt.
Select the edit icon of the web content block list you want to view.
Figure 243:Sample web content exempt list
368
Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to activate the content exempt settings.
The web content exempt list has the following icons and features:
Name
Comment
Web content exempt list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
Select to add a pattern to the web content exempt list.
Create new
Total
The number of patterns in the web content exempt list.
Page up icon
Select to view the previous page.
Page down icon Select to view the next page.
Remove All
Entries icon
Select to clear the table.
Pattern
Pattern type
The current list of patterns. Select the check box to enable all the patterns in the list.
The pattern type used in the pattern list entry. Choose from wildcard or regular expression. See
“Using Perl regular expressions” on page 393 .
Language
Delete icon
The character set to which the pattern belongs: Simplified Chinese,
Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Select to delete an entry from the list.
Edit icon
Select to edit the following information: Pattern, Pattern Type, Language, and Enable.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter
Configuring the web content exempt list
Web content patterns can be one word or a text string up to 80 characters long.
The maximum number of banned words in the list is 5000.
1
2
3
To add or edit a content block pattern
Go to Web Filter > Content Exempt.
Select create New.
or
Select the edit icon of the web content block pattern you want to view.
Figure 244:New content exempt pattern
URL filter
Pattern Word
Pattern Type
Language
Enable
Enter the content exempt pattern. For a single word, the FortiGate checks all web pages for that word. For a phrase, the FortiGate checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Select a pattern type from the dropdown list: Wildcard or regular
Expression.
Select a language from the dropdown list.
Select to enable the pattern.
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns using text and regular expressions (or wildcard characters) to allow or block URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.
Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.example.com
. Instead, use firewall policies to deny FTP connections.
Viewing the URL filter list catalog
You can add multiple URL filter lists and then select the best URL filter list for each protection profile.
To view the URL filter list catalog
• Go to Web Filter > URL Filter.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
369
URL filter Web Filter
1
2
To view any individual URL filter list
Go to Web Filter > URL Filter.
Select the edit icon for the list you want to see.
Figure 245:Sample URL filter list catalog
The URL filter list catalogue has the following icons and features:
Add
Name
# Entries
Profiles
Comment
Delete icon
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
The available URL filter lists.
The number of URL patterns in each URL filter list.
The protection profiles each URL filter list has been applied to.
Optional description of each URL filter list.
Select to remove the URL filter list from the catalog. The delete icon is only available if the URL filter list is not selected in any protection profiles.
Select to edit the URL filter list, list name, or list comment.
Edit icon
Creating a new URL filter list
1
2
To add a URL filter list to the URL filter list catalog
Go to Web Filter> URL Filter.
Select Create New.
Figure 246:New URL Filter list dialog box
370
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
Viewing the URL filter list
Add specific URLs to block or exempt. Add the following items to the URL filter list:
• complete URLs
• IP addresses
• partial URLs to allow or block all sub-domains
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter
1
2
To view the URL filter list
Go to Web Filter > URL Filter.
Select the edit icon of the URL filter list you want to view.
Figure 247:URL filter list
URL filter
The URL filter list has the following icons and features:
Name
Comment
URL filter list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
Create New
Page up icon
Page down icon
Select to view the next page.
Clear All URL
Filters icon
Select to clear the table.
URL
Type
The current list of blocked/exempt URLs. Select the check box to enable all the URLs in the list.
The type of URL: Simple or Regex (regular expression).
Action
Select to add a URL to the URL block list.
Select to view the previous page.
Delete icon
Edit icon
The action taken when the URL matches: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web filters.
An exempt match stops all further checking including AV scanning.
A block match blocks the URL and no further checking will be done.
Select to remove an entry from the list.
Move icon
Select to edit the following information: URL, Type, Action, and
Enable.
Select to open the Move URL Filter dialog box.
Configuring the URL filter list
The URL filter list can have up to 5000 entries.
1
2
Note: Type a top-level domain suffix (for example, “com” without the leading period) to block access to all URLs with this suffix.
To add a URL to the URL filter list
Go to Web Filter > URL Filter.
Select Create New.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
371
URL filter
372
Web Filter
3
4
5
6
7
Type in a URL or IP address.
Select the type of expression.
Select the action to be taken.
Select the Enable check box
Select OK.
Figure 248:New URL Filter
URL
Type
Action
Enable
Enter the URL. Do not include http://
Select a type from the dropdown list: Simple or Regex (regular expression).
Select an action from the dropdown list: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web filters.
An exempt match stops all further checking including AV scanning.
A block match blocks the URL and no further checking will be done.
Select to enable the URL.
Type a top-level URL or IP address to control access to all pages on a web site.
For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
Enter a top-level URL followed by the path and filename to control access to a single page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html
controls the news page on this web site.
To control access to all pages with a URL that ends with example.com, add example.com
to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com
, and so on.
Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters). For example, example.* matches example.com
, example.org, example.net and so on.
FortiGate web pattern blocking supports standard regular expressions.
Note:
URLs with an action set to exempt are not scanned for viruses. If users on the network download files through the FortiGate unit from trusted website, add the URL of this website to the URL filter list with an action set to exempt so the
FortiGate unit does not virus scan files downloaded from this URL.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the web URL filter settings.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter FortiGuard - Web Filter
Moving URLs in the URL filter list
To make the URL filter list easier to use, the entries can be moved to different positions in the list.
1
2
3
4
5
To move a URL in the URL filter list
Go to Web Filter > URL Filter.
Select the Edit icon for the URL list.
Drag and drop a URL or select the Move icon to the right of the URL to be moved.
Specify the location for the URL.
Select OK.
Figure 249:Move URL Filter
Move to
(URL)
Select the location in the list to place the URL.
Enter the URL before or after which the new URL is to be located in the list.
FortiGuard - Web Filter
FortiGuard-Web is a managed web filtering solution provided by Fortinet.
FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard-Web Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface.
FortiGuard-Web includes over 60 million individual ratings of web sites applying to hundreds of millions of pages. Pages are sorted and rated into 56 categories users can allow, block, or monitor. Categories may be added to, or updated, as the Internet evolves. To make configuration simpler, users can also choose to allow, block, or monitor entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.
FortiGuard-Web ratings are performed by a combination of proprietary methods including text analysis, exploitation of the Web structure, and human raters. Users can notify the FortiGuard-Web Service Points if they feel a web page is not categorized correctly, and new sites are quickly rated as required.
Use the procedure
“FortiGuard-Web filtering options” on page 276 to configure
FortiGuard category blocking in a protection profile. To configure the
FortiGuard Web service, see
“Configuring the FortiGate unit for FDN and
FortiGuard services” on page 162
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
373
FortiGuard - Web Filter Web Filter
Configuring FortiGuard-Web filtering
To configure the FortiGuard-Web service
• Go to System > Maintenance > FortiGuard Center.
For additional information, see
“Configuring the FortiGate unit for FDN and
FortiGuard services” on page 162 .
Viewing the override list
Users may require access to web sites that are blocked by a policy. In this case, an administrator can give the user the ability to override the block for a specified period of time.
When a user attempts to access a blocked site, if override is enabled, a link appears on the block page directing the user to an authentication form. The user must provide a correct user name and password or the web site remains blocked.
Authentication is based on user groups and can be performed for local, RADIUS, and LDAP users. For more information about authentication and configuring user
groups, see “User group” on page 327 .
To view the override list
• Go to Web Filter > FortiGuard-Web Filter > Override.
Figure 250:Override list
374
The override list has the following icons and features:
Create New
Page up icon
Page down icon
Clear All icon
URL/Category
Scope
Off-site URLs
Initiator
Expiry Date
Delete icon
Edit icon
Select to add a new override rule to the list.
The total number of override rules in the list.
Select to view the previous page.
Select to view the next page.
Select to clear the table.
The URL or category to which the override applies.
The user or user group who may use the override.
Does this override permit the user to access links from the category or URL being overridden. A green check mark indicates off-site access is permitted. A gray cross indicates off-site access is denied.
The creator of the override rule.
The expiry date of the override rule.
Select to remove the entry from the list.
Select to edit the following information: Type, URL, Scope, User,
Off-site URLs, and Override Duration.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter FortiGuard - Web Filter
Configuring override rules
Override rules can be configured to allow access to blocked web sites based on directory, domain name, or category.
6
7
4
5
8
1
2
3
To create an override rule for a directory or domain
Go to Web Filter > FortiGuard-Web Filter > Override.
Select Create New.
Select the Type.
Select the Scope.
Select the information that corresponds with Scope.
Select allow or Block for the off-site URLs.
Set the duration of the override.
Select OK.
Figure 251:New Override Rule - Directory or Domain
Type
URL
Scope
User
User Group
IP
Profile
Off-site URLs
Override Duration
Select Directory or Domain.
Enter the URL or the domain name of the website.
Select one of the following: User, User Group, IP, or Profile.
Depending on the option selected, a different option appears below Scope.
Enter the name of the user selected in Scope.
Select a user group from the dropdown list. User groups must be configured before FortiGuard-Web configuration. Fore more
information, see “User group” on page 327 .
Enter the IP address of the computer initiating the override.
Select a protection profile from the dropdown list.
Select Allow or Block. This will allow the user to access links on the override web site.
Enter the duration in days, hours, and minutes. When displayed in the override list, the expiry date of the override is calculated.
To create an override for categories, go to Web Filter > FortiGuard-Web Filter >
Override.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
375
FortiGuard - Web Filter
Figure 252:New Override Rule - Categories
Web Filter
376
Type
Categories
Classifications
Scope
User
User Group
IP
Profile
Off-site URLs
Override Duration
Select Categories.
Select the categories to which the override applies. A category group or a subcategory can be selected. Local categories are also displayed.
Select the classifications to which the override applies. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
Select one of the following: User, User Group, IP, or Profile.
Depending on the option selected, a different option appears below Scope.
Enter the name of the user selected in Scope.
Select a user group from the dropdown list.
Enter the IP address of the computer initiating the override.
Select a protection profile from the dropdown list.
Select Allow or Block. This will allow the user to access links on the override web site.
Enter the duration in days, hours, and minutes. When displayed in the override list, the expiry date of the override is calculated.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter FortiGuard - Web Filter
Creating local categories
User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a protection profile. Users can rate URLs based on the local categories.
Figure 253:Local categories list
Add
Delete icon
Enter the name of the category then select Add.
Select to remove the entry from the list
Viewing the local ratings list
To view the local ratings list
• Go to Web Filter > FortiGuard-Web Filter > Local Ratings.
Figure 254:Local ratings list
The local ratings list has the following icons and features:
Create New
Search
1 - 3 of 3
Page up icon
Page down icon
Clear All icon
URL
Category
Delete icon
Edit icon
Select to add a rating to the list.
Enter search criteria to filter the list.
The total number of local ratings in the list.
Select to view the previous page.
Select to view the next page.
Select to clear the table.
The rated URL. Select the green arrow to sort the list by URL.
The category or classification in which the URL has been placed.
If the URL is rated in more than one category or classification, trailing dots appear. Select the gray funnel to open the Category
Filter dialog box. When the list has been filtered, the funnel changes to green.
Select to remove the entry from the list.
Select to edit the following information: URL, Category Rating, and
Classification Rating.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
377
FortiGuard - Web Filter
Figure 255:Category Filter
Web Filter
378
Clear Filter
Category Name
Enable Filter
Select to remove all filters.
Select the blue arrow to expand the category.
Select to enable the filter for the category or the individual subcategory.
Classification Name
The classifications that can be filtered.
Enable Filter
Select to enable the classification filter.
Configuring local ratings
Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed.
The local ratings override the FortiGuard server ratings and appear in reports as
“Local Category”.
To create a local rating
• Go to Web Filter > FortiGuard-Web Filter > Local Ratings.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Web Filter
Figure 256:New Local Rating
FortiGuard - Web Filter
URL
Enter the URL to be rated.
Category Name
Enable Filter
Select the blue arrow to expand the category.
Select to enable the filter for the category or the individual subcategory.
Classification Name
The classifications that can be filtered.
Enable Filter
Select to enable the classification filter.
Category block CLI configuration
Use the hostname keyword for the webfilter fortiguard command to change the default host name (URL) for the FortiGuard-Web Service Point. The
FortiGuard-Web Service Point name cannot be changed using the web-based manager. Configure all FortiGuard-Web settings using the CLI. For more information, see the
FortiGate CLI Reference
for descriptions of the webfilter fortiguard
keywords.
FortiGuard-Web Filter reports
Note: FortiGuard Web Filter reports are only available on FortiGate units with a hard disk.
Generate a text and pie chart format report on FortiGuard-Web Filtering for any protection profile. The FortiGate unit maintains statistics for allowed, blocked, and monitored web pages for each category. View reports for a range of hours or days, or view a complete report of all activity.
To create a web filter report
• Go to Web Filter > FortiGuard-Web Filter > Reports.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
379
FortiGuard - Web Filter
Figure 257:Sample FortiGuard Web Filtering report
Web Filter
380
The following table describes the options for generating reports:
Profile
Report Type
Select the protection profile for which to generate a report.
Select the time frame for the report. Choose from hour, day, or all historical statistics.
Report Range
Select the time range (24 hour clock) or day range (from six days ago to today) for the report. For example, for an ‘hour’ report type with a range of 13 to 16, the result is a category block report for 1 pm to 4 pm today.
For a ‘day’ report type with a range of 0 to 3, the result is a category block report for 3 days ago to today.
Get Report
Select to generate the report.
A generated report includes a pie chart and the following information:
Category
Allowed
Blocked
Monitored
The category for which the statistic was generated.
The number of allowed web addresses accessed in the selected time frame.
The number of blocked web addresses accessed in the selected time frame.
The number of monitored web addresses accessed in the selected time frame.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Antispam
Antispam
This section explains how to configure the spam filtering options associated with a firewall protection profile.
The following topics are included in this section:
•
•
•
•
Advanced antispam configuration
•
Using Perl regular expressions
Antispam
Antispam can be configured to manage unsolicited commercial email by detecting spam email messages and identifying spam transmissions from known or suspected spam servers.
FortiGuard-Antispam is one of the features designed to manage spam. FortiGuard is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The FortiGuard Center accepts submission of spam email messages as well as well as reports of false positives. Visit the
Fortinet Knowledge Center for details and a link to the FortiGuard Center.
Order of Spam Filtering
The order in which incoming mail is passed through the FortiGate Antispam filters is determined by the protocol used to transfer the mail:
5
6
3
4
7
1
2
1
2
For SMTP
IP address BWL check on last hop IP
RBL & ORDBL check on last hop IP, FortiGuard-Antispam IP check on last hop IP,
HELO DNS lookup
MIME headers check, E-mail address BWL check
Banned word check on email subject
IP address BWL check (for IPs extracted from “Received” headers)
Banned word check on email body
Return e-mail DNS check, FortiGuard Anti Spam check, RBL & ORDBL check on public IP extracted from header
For POP3 and IMAP
MIME headers check, E-mail address BWL check
Banned word check on email subject
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
381
Antispam
382
Antispam
3
4
5
IP BWL check
Banned word check on email body
Return e-mail DNS check, FortiGuard AntiSpam check, RBL & ORDBL check
For SMTP, POP3, and IMAP
Filters requiring a query to a server and a reply (FortiGuard Antispam Service and
DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.
Each spam filter passes the email to the next if no matches or problems are found.
If the action in the filter is Mark as Spam, the FortiGate unit will tag or discard
(SMTP only) the email according to the settings in the protection profile. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters.
If the action in the filter is Mark as Reject, the email session is dropped. Rejected
SMTP email messages are substituted with a configurable replacement message.
Anti-spam filter controls
Spam filters are configured for system-wide use, but enabled on a per profile basis.
Table 41 describes the Antispam settings and where to configure and access them.
Table 41: AntiSpam and Protection Profile spam filtering configuration
Protection Profile spam filtering options AntiSpam setting
IP address FortiGuard-Antispam check System > Maintenance >
FortiGuard Centre
Enable or disable Fortinet’s antispam service called FortiGuard-Antispam. FortiGuard-
Antispam is Fortinet’s own DNSBL server that provides spam IP address and URL blacklists. Fortinet keeps the FortiGuard-
Antispam IP and URLs up-to-date as new spam source are found.
Enable FortiGuard-Antispam, check the status of the FortiGuard-Antispam server, view the license type and expiry date, and configure the cache. For details, see
“Configuring the FortiGate unit for FDN and FortiGuard services” on page 162
IP address BWL check AntiSpam > Black/White List > IP Address
Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list. (SMTP only.)
Add to and edit IP addresses to the list.
You can configure the action to take as spam, clear, or reject for each IP address.
You can place an IP address anywhere in the list. The filter checks each IP address in sequence. (SMTP only.)
DNSBL & ORDBL check Command line only
Enable or disable checking email traffic against configured DNS Blackhole List
(DNSBL) and Open Relay Database List
(ORDBL) servers.
HELO DNS lookup
Add or remove DNSBL and ORDBL servers to and from the list. You can configure the action to take as spam or reject for email identified as spam from each server (SMTP only).
DNSBL and ORDBL configuration can only be changed using the command line interface. For more information, see the
FortiGate CLI Reference
. n/a
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Antispam
Table 41: AntiSpam and Protection Profile spam filtering configuration (Continued)
Protection Profile spam filtering options AntiSpam setting
Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address the email is marked as spam and the action selected in the protection profile is taken.
E-mail address BWL check AntiSpam > Black/White List > E-mail
Address
Enable or disable checking incoming email addresses against the configured spam filter email address list.
Add to and edit email addresses to the list, with the option of using wildcards and regular expressions. You can configure the action as spam or clear for each email address. You can place an email address anywhere in the list. The filter checks each email address in sequence.
Return e-mail DNS check
Enable or disable checking incoming email return address domain against the registered
IP address in the Domain Name Server. If the return address domain name does not match the IP address the email is marked as spam and the action selected in the protection profile is taken.
n/a
MIME headers check
Enable or disable checking source MIME headers against the configured spam filter
MIME header list.
Command line only
Add to and edit MIME headers, with the option of using wildcards and regular expressions. You can configure the action for each MIME header as spam or clear.
DNSBL and ORDBL configuration can only be changed using the command line interface. For more information, see the
FortiGate CLI Reference
.
AntiSpam > Banned Word Banned word check
Enable or disable checking source email against the configured spam filter banned word list.
Spam Action
Add to and edit banned words to the list, with the option of using wildcards and regular expressions. You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word.
n/a
The action to take on email identified as spam. POP3 and IMAP messages are tagged. Choose Tagged or Discard for SMTP messages. You can append a custom word or phrase to the subject or MIME header of tagged email. You can choose to log any spam action in the event log.
Append to: Choose to append the tag to the subject or MIME header of the email identified as spam.
Append with: Enter a word or phrase (tag) to append to email identified as spam. The maximum length is 63 characters.
Add event into the system log
Enable or disable logging of spam actions to the event log.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
383
Banned word Antispam
To access protection profile Antispam options go to Firewall > Protection Profile, edit or Create New, Spam Filtering.
Note: If virtual domains are enabled on the FortiGate unit, spam filtering features are configured globally. To access these features, select Global Configuration on the main menu.
Banned word
Control spam by blocking email messages containing specific words or patterns. If enabled in the protection profile, the FortiGate unit searches for words or patterns in email messages. If matches are found, values assigned to the words are totalled. If a user-defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to the list.
Note: Perl regular expression patterns are case sensitive for antispam banned words. To make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i
will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
Viewing the antispam banned word list catalog
You can add multiple antispam banned word lists and then select the best antispam banned word list for each protection profile. To view the antispam banned word list catalog, go to AntiSpam > Banned Word. To view any individual antispam banned word list, select the edit icon for the list you want to see.
Figure 258:Sample antispam banned word list catalog
384
The antispam banned word list catalogue has the following icons and features:
Add
Name
# Entries
Profiles
Comment
Delete icon
Edit icon
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
The available antispam banned word lists.
The number of entries in each antispam banned word list.
The protection profiles each antispam banned word list has been applied to.
Optional description of each antispam banned word list.
Select to remove the antispam banned word list from the catalog. The delete icon is only available if the antispam banned word list is not selected in any protection profiles.
Select to edit the antispam banned word list, list name, or list comment.
Select antispam banned word lists in protection profiles. For more information, see
“Spam filtering options” on page 277
.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Banned word
Creating a new antispam banned word list
To add an antispam banned word list to the antispam banned word list catalog, go to AntiSpam > Banned Word and select Create New.
Figure 259:New AntiSpam Banned Word list dialog box
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
Viewing the antispam banned word list
Each email message is checked against the antispam banned word list. Add one or more banned words to sort email messages containing those words in the subject, body, or both. The score value of each banned word appearing in the message is added, and if the total is greater than the threshold value set in the protection profile, the message is processed according to the Spam Action setting in the protection profile. The score for a pattern is applied only once even if it appears in the message multiple times.
To view the banned word list, go to AntiSpam > Banned Word and select the edit icon of the banned word list you want to view.
Figure 260:Sample banned word List
The banned word list has the following icons and features:
Name
Comment
Banned word list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
Select to add a word or phrase to the banned word list.
Create new
Total
The number of items in the list.
Page up icon
Select to view the previous page.
Page down icon Select to view the next page.
Remove All
Entries icon
Select to clear the table.
Pattern
The list of banned words. Select the check box to enable all the banned words in the list.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
385
Banned word Antispam
Pattern Type
Language
Where
Score
Delete icon
Edit icon
The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see
“Using Perl regular expressions” on page 393
.
The character set to which the banned word belongs: Simplified
Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or
Western.
The location which the FortiGate unit searches for the banned word: subject, body, or all.
A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the spamwordthreshold value set in the protection profile, the page is processed according to whether the spam action command for the mail traffic type (e.g. smtp3-spamaction) is set to pass or tag in the protection profile. The score for a banned word is counted once even if the word appears multiple times on the web page.
Select to remove the word from the list.
Select to edit the following information: Pattern, Pattern Type, Language,
Where, Action, and Enable.
Configuring the antispam banned word list
Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long.
For a single word, the FortiGate unit blocks all email containing the word. For a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.
To add or edit a banned word, go to AntiSpam > Banned Word.
Figure 261:Add Banned Word
Pattern
Pattern Type
Language
Where
Enable
Enter the word or phrase you want to include in the banned word list.
Select the pattern type for the banned word. Choose from wildcard or regular expression. See
“Using Perl regular expressions” on page 393 .
Select the character set for the banned word. Choose from: Chinese
Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or
Western.
Select the location to search for the banned word. Choose from: subject, body, or all.
Select to enable scanning for the banned word.
386
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Black/White List
Black/White List
The FortiGate unit uses both an IP address list and an email address list to filter incoming email, if enabled in the protection profile.
When doing an IP address list check, the FortiGate unit compares the IP address of the message’s sender to the IP address list in sequence. If a match is found, the action associated with the IP address is taken. If no match is found, the message is passed to the next enabled spam filter.
When doing an email list check, the FortiGate unit compares the email address of the message’s sender to the email address list in sequence. If a match is found, the action associated with the email address is taken. If no match is found, the message is passed to the next enabled antispam filter.
Viewing the antispam IP address list catalogue
You can add multiple antispam IP address lists and then select the best antispam
IP address list for each protection profile. To view the antispam IP address list catalog, go to AntiSpam > Black/White List > IP Address. To view any individual antispam IP address list, select the edit icon for the list you want to see.
Figure 262:Sample antispam IP address list catalog
The antispam IP address list catalogue has the following icons and features:
Add
Name
# Entries
Profiles
Comment
Delete icon
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
The available antispam IP address lists.
The number of entries in each antispam IP address list.
The protection profiles each antispam IP address list has been applied to.
Optional description of each antispam IP address list.
Select to remove the antispam IP address list from the catalog. The delete icon is only available if the antispam IP address list is not selected in any protection profiles.
Select to edit the antispam IP address list, list name, or list comment.
Edit icon
Select antispam banned word lists in protection profiles. For more information,
see “Spam filtering options” on page 277 .
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
387
Black/White List Antispam
Creating a new antispam IP address list
To add an antispam IP address list to the antispam IP address list catalog, go to
AntiSpam > Black/White List and select Create New.
Figure 263:New AntiSpam IP Address list dialog box
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
Viewing the antispam IP address list
Configure the FortiGate unit to filter email from specific IP addresses. The
FortiGate unit compares the IP address of the sender to the list in sequence. Mark each IP address as clear, spam, or reject. Filter single IP addresses or a range of addresses at the network level by configuring an address and mask.
To view the antispam IP address list, go to AntiSpam > Black/White List > IP
Address and select the edit icon of the antispam IP address list you want to view.
Figure 264:Sample IP address list
388
The antispam IP address list has the following icons and features:
Name
Comment
Create New
Total
Page up icon
Antispam IP address list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
Select to add an IP address to the antispam IP address list.
The number if items in the list.
Select to view the previous page.
Page down icon
Select to view the next page.
Remove All Entries
Select to clear the table.
icon
IP address/Mask
The current list of IP addresses.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Black/White List
Action
Delete icon
Edit icon
The action to take on email from the configured IP address. Actions are: Mark as Spam to apply the configured spam action, Mark as
Clear to bypass this and remaining spam filters, or Mark as Reject
(SMTP only) to drop the session. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the e-mail messages will be marked as spam.
Select to remove the address from the list.
Select to edit address information: IP Address/Mask, Insert, Action, and Enable.
Configuring the antispam IP address list
To add an IP address to the IP address list, go to AntiSpam > Black/White List >
IP Address and select Create New. Enter an IP address or a pair of IP address and mask in the following formats:
• x.x.x.x, for example, 62.128.69.100.
• x.x.x.x/x.x.x.x, for example, 62.128.69.100/255.255.255.0
• x.x.x.x/x, for example, 62.128.69.100/24
Figure 265:Add IP Address
IP Address/Mask
Enter the IP address or the IP address/mask pair.
Insert
Action
Enable
Select the position in the list to place the address.
Select an action. Actions are: Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to bypass this and remaining spam filters, or Mark as Reject (SMTP only) to drop the session.
Enable the address.
Viewing the antispam email address list catalog
You can add multiple antispam email address lists and then select the best antispam email address list for each protection profile. To view the antispam email address list catalog, go to AntiSpam > Black/White List > E-mail Address. To view any individual antispam email address list, select the edit icon for the list you want to see.
Figure 266:Sample antispam email address list catalog
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
389
Black/White List Antispam
The antispam email address list catalogue has the following icons and features:
Add
Name
# Entries
Profiles
Comment
Delete icon
Edit icon
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
The available antispam email address lists.
The number of entries in each antispam email address list.
The protection profiles each antispam email address list has been applied to.
Optional description of each antispam email address list.
Select to remove the antispam email address list from the catalog.
The delete icon is only available if the antispam email address list is not selected in any protection profiles.
Select to edit the antispam email address list, list name, or list comment.
Select antispam banned word lists in protection profiles. For more information, see
“Spam filtering options” on page 277
.
Creating a new antispam email address list
To add an antispam email address list to the antispam email address list catalog, go to
AntiSpam > Black/White List > E-mail Address and select Create New.
Figure 267:New AntiSpam E-mail Address list dialog box
Name
Comment
Enter the name of the new list.
Enter a comment to describe the list, if required.
Viewing the antispam email address list
The FortiGate unit can filter email from specific senders or all email from a domain
(such as example.net). Mark each email address as clear or spam.
To view the antispam email address list, go to AntiSpam > Black/White List > E-mail
Address and select the edit icon of the antispam email address list you want to view.
390
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam
Figure 268:Sample email address list
Black/White List
The antispam email address list has the following icons and features:
Name
Comment
Create New
Total
Page up icon
Antispam email address list name. To change the name, edit text in the name field and select OK.
Optional comment. To add or edit comment, enter text in comment field and select OK.
Add an email address to the email address list.
The number of items in the list.
View the previous page.
Page down icon
View the next page.
Remove All Entries
Clear the table.
icon
Email address
The current list of email addresses.
Pattern Type
Action
Delete icon
Edit icon
The pattern type used in the email address entry. Choose from wildcard or regular expression. For more information, see
“Using Perl regular expressions” on page 393 .
The action to take on email from the configured address. Actions are:
Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to let the email message bypass this and remaining spam filters.
Select to remove the email address from the list.
Select to edit the following information: E-Mail Address, Pattern Type,
Insert, Action, and Enable.
Configuring the antispam email address list
To add an email address or domain to the list, go to AntiSpam > Black/White
List > E-mail Address.
Figure 269:Add E-mail Address
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
391
Advanced antispam configuration Antispam
1
2
3
4
5
6
E-Mail Address
Pattern Type
Insert
Action
Enable
Enter the email address.
Select a pattern type: Wildcard or Regular Expression. For more information, see
“Using Perl regular expressions” on page 393 .
Select the location in the list to insert the email address.
Select an action:
•
To apply the spam action configured in the protection profile, select Mark as Spam.
•
Select Mark as Clear to allow the email message bypass this and remaining spam filters.
Enable the email address.
Enter the email address or pattern.
Select a pattern type for the list entry.
If required, select before or after another email address in the list to place the new email address in the correct position.
Select the action to take on email from the configured address or domain.
Select Enable.
Select OK.
Advanced antispam configuration
Advanced antispam configuration covers only command line interface (CLI) commands not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands, see the
FortiGate CLI Reference
.
config spamfilter mheader
Use this command to configure email filtering based on the MIME header. MIME header filtering is enabled within each protection profile.
The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content_Type: text/html
• Content_Type: image/jpg
The first part of the MIME header is called the header key, or just header. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.
392
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Using Perl regular expressions
Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.
config spamfilter rbl
Use this command to configure email filtering using DNS-based Blackhole List
(DNSBL), also called Realtime Blackhole List (RBL), and Open Relay Database
List (ORDBL) servers. DNSBL and ORDBL filtering is enabled within each protection profile.
The FortiGate unit compares the IP address or domain name of the sender to any database lists configured, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
Some spammers use unsecured third party SMTP servers to send unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through.
There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs. Please check with the service being used to confirm the correct domain name for connecting to the server.
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information
on configuring DNS, see “Network Options” on page 88 .
Using Perl regular expressions
Email address list, MIME headers list, and banned word list entries can include wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html
for detailed information about using Perl regular expressions.
Regular expression vs. wildcard match pattern
A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.
In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.
To match a special character such as '.' and ‘*’ use the escape character ‘\’. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more times of any character. For example:
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
393
Using Perl regular expressions
394
Antispam
• forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be fort.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression “test” not only matches the word “test” but also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”.
The notation “\b” specifies the word boundary. To match exactly the word “test”, the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of “bad language”, regardless of case.
Perl regular expression formats
Table 42 lists and describes some example Perl regular expression formats.
Table 42: Perl regular expression formats
Expression
abc
^abc abc$ a|b
^abc|abc$ ab{2,4}c ab{2,}c ab*c ab+c ab?c
a.c
a\.c
[abc]
[Aa]bc
[abc]+
[^abc]+
\d\d
/i
\w+
Matches
“abc” (the exact character sequence, but anywhere in the string)
“abc” at the beginning of the string
“abc” at the end of the string
Either of “a” and “b”
The string “abc” at the beginning or at the end of the string
“a” followed by two, three or four “b”s followed by a “c”
“a” followed by at least two “b”s followed by a “c”
“a” followed by any number (zero or more) of “b”s followed by a “c”
“a” followed by one or more b's followed by a c
“a” followed by an optional “b” followed by a” c”; that is, either “abc” or” ac”
“a” followed by any single character (not newline) followed by a” c “
“a.c” exactly
Any one of “a”, “b” and “c”
Either of “Abc” and “abc”
Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”,
”acbabcacaa”)
Any (nonempty) string which does not contain any of “a”, “b”, and “c”
(such as “defg”)
Any two decimal digits, such as 42; same as \d{2}
Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
A “word”: A nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Antispam Using Perl regular expressions
Table 42: Perl regular expression formats (Continued)
100\s*mk abc\b perl\B
\x
/x
The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
“abc” when followed by a word boundary (for example, in “abc!” but not in
“abcd”)
“perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”)
Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
Used to add regular expressions within other text. If the first character in a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between ‘/’ will be taken as a regular expressions, and anything after the second ‘/’ will be parsed as a list of regular expression options ('i', 'x', etc). An error occurs If the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression.
Example regular expressions
To block any word in a phrase
/block|any|word/
To block purposely misspelled words
Spammers often insert other characters between the letters of a word to fool spam blocking software.
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-
\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i
To block common spam phrases
The following phrases are some examples of common phrases found in spam messages.
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-
\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
395
Using Perl regular expressions Antispam
396
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
IM, P2P & VoIP Overview
IM, P2P & VoIP
The IM, P2P & VoIP menu provides IM user management tools and statistics for network IM, P2P, and VIOP usage. IM, P2P, and VoIP protocols must be enabled in the active protection profile for the settings in this section to have any effect.
The following topics are included in this section:
•
•
•
•
Overview
With FortiOS v3.0 MR4 firmware, you can control and monitor the usage of
IM/P2P applications and VoIP protocols.
FortiOS supports two VoIP protocols: Session Initiation Protocol (SIP) and Skinny
Client Control Protocol (SCCP).
Fortinet Inc. recognizes that IM/P2P applications are becoming part of doing business but also, if abused, can seriously decrease productivity and network performance.
FortiGate systems allow you to set up user lists that either allow or block the use of applications, to determine which applications are allowed and how much bandwidth can be used by the applications.
By combining comprehensive protection policies and easy-to-view statistical reports, you can see which applications are being used and for what purpose, making it easy to control IM/P2P applications and to maximize productivity.
The FortiOS 3.0 system comes with an impressive list of supported IM/P2P protocols and can be kept up-to-date with upgrades available for download from the Fortinet Distribution Network. There is no need to wait for firmware upgrade to stay ahead of the latest protocols. FortiOS 3.0 also provides ways for you to deal with unknown protocols even before upgrades are available.
lists the IM/P2P applications that are currently recognized by FortiOS 3.0. The table includes the decoders, the applications associated with the decoders and the location of the decoders in the FortiGate interface.
Note: Applications in Table 43 on page 398 marked as bold can connect to multiple P2P
networks. Turning on IM and P2P decoders and signatures will help improve IPS performance. For example, if you want to use IPS, but you do not want to block IM or P2P applications, you should leave IM/P2P decoders and signatures enabled. Normally, if you turn off other signatures, the performance will be better, but for IM/P2P, it's the opposite.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
397
Overview
398
IM, P2P & VoIP
Table 43: IM/P2P applications covered by IPS in FortiOS 3.0
IPS
Instant Messaging
AIM (Firewall > Protection Profile > IM/P2P)
ICQ (Firewall > Protection Profile > IM/P2P)
MSN (Firewall > Protection Profile > IM/P2P) qq (Intrusion Protection > Signatures > Protocol decoder
> im_decoder)
Yahoo! (Firewall > Protection Profile > IM/P2P) msn_web_messenger (Intrusion Protection > Signatures
> Protocol decoder > im_decoder) google_talk (Intrusion Protection > Signatures > Protocol decoder > im_decoder) rediff (Intrusion Protection > Signatures > Protocol decoder > im_decoder)
P2P
Applications
AIM, AIM Triton
ICQ
MSN Messenger
Yahoo Messenger
MSN web Messenger
Google Instant Messenger
Rediff Instant Messenger
BitTorrent (Firewall > Protection Profile > IM/P2P) eDonkey (Firewall > Protection Profile > IM/P2P)
Gnutella (Firewall > Protection Profile > IM/P2P)
KaZaA (Firewall > Protection Profile > IM/P2P)
Skype (Firewall > Protection Profile > IM/P2P)
WinNY (Firewall > Protection Profile > IM/P2P) ares (Intrusion Protection > Signatures > Protocol decoder > p2p_decoder) direct_connect (Intrusion Protection > Signatures >
Protocol decoder > p2p_decoder)
BitComet
Bitspirit
Azureus
Shareaza
eMule
Overnet
Edonkey2K
Shareaza
BearShare
MLdonkey iMesh
BearShare
Shareaza
LimeWire
Xolox
Swapper
iMesh
MLdonkey
Gnucleus
Morpheus
Openext
Mutella
Qtella
Qcquisition
Acquisition
NapShare gtk-gnutella
KaZaA
Skype
WinNY
Ares Galaxy
DC++
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
IM, P2P & VoIP Configuring IM/P2P protocols
Configuring IM/P2P protocols
Different organizations require different policies regarding IM/P2P. The FortiGate unit allows you to configure your unit in the way that best serves your needs.
How to enable and disable IM/P2P options
This section will tell you the four main locations to enable or disable the IM/P2P options. This section includes how to enable predefined signatures, custom signatures and unknown user policies.
1
2
3
4
5
5
6
7
3
4
1
2
1
2
3
To enable predefined IM/P2P signatures in intrusion protection
Go to Intrusion Protection > Signatures > Predefined.
Select the blue arrow next to IM, or P2P.
Enable the signature by selecting the Enable box.
Enable logging for a signature by selecting the Logging box.
In the row that corresponds to the signature you want to edit, select the Edit icon.
Set the action and severity.
Select OK.
To create custom IM/P2P signatures for unknown protocols
Go to Intrusion Protection > Signature > Custom > Create New.
Enter a name for the signature.
Enter the signature.
Select the severity and what action to perform.
Select OK.
To set up the policy for unknown IM users
Go to IM/P2P > User > Config.
Select Allow or Block for each of the four IM applications.
Select Apply.
How to configure IM/P2P options within a protection profile
There are four main areas within a protection profile that deal with IM/P2P applications. The four areas are antivirus, logging, content archive, and
FortiGuard web filtering. This section will show you where to access the configuration settings for each.
For more detailed information on protection profiles, please see the Firewall
Profile chapter of this guide.
1
2
3
To configure protection profiles settings for IM/P2P applications
Go to Firewall > Protection Profile.
In the row that corresponds to the profile you want to edit, select the Edit icon.
Or select Create New.
To control the antivirus settings, select the blue arrow for Antivirus.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
399
Configuring IM/P2P protocols
400
IM, P2P & VoIP
4
5
6
7
To control Log settings, select the blue arrow for Logging
To control content archive settings, select the blue arrow for Content Archive
To control FortiGuard web filtering, select the blue arrow for FortiGuard Web
Filtering.
Select OK.
How to configure IM/P2P decoder log settings
This section will show you how to enable know protocol decoders for both IM and
P2P applications as well as how to turn on the logging feature for the application.
3
4
1
2
5
6
7
To enable and log known decoders for IM/P2P applications
Go to Intrusion Protection > Signature > Protocol Decoder.
Select the blue arrow for IM or P2P encoders.
Select Enable to enable the protocol.
Select Logging to log the protocol.
In the row that corresponds to the protocol decoder you want to edit, select the
Edit icon.
Set the action and severity.
Select OK.
How to configure older versions of IM/P2P applications
Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized.
Supported IM protocols include:
• MSN 6.0 and above
• ICQ 4.0 and above
• AIM 5.0 and above
• Yahoo 6.0 and above
If you want to block a protocol that is older than the ones listed above, use the CLI command: For details see the
FortiGate CLI Reference
.
config imp2p old-version
.
How to configure protocols that are not supported
If you find a protocol that is not supported, please ensure that the IPS package is up to date. If the IPS package is up to date and the protocol is still not supported you can use the custom signature.
3
4
1
2
5
To create a custom signature
Go to Intrusion Protection > Signature > Custom > Create New.
Enter a name for the signature.
Enter the signature.
Use the drop down boxes to select an action and the severity for the signature.
Select apply.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
IM, P2P & VoIP
Note:
To detect new IM/P2P applications or new versions of the existing applications, you only need update the IPS package, available through the
FortiNet Distribution Network (FDN). No firmware upgrade is needed.
Statistics
You can view the IM, P2P and VoIP statistics to gain insight into how the protocols are being used within the network. Overview statistics are provided for all supported IM, P2P and VoIP protocols. Detailed individual statistics are provided for each IM protocol.
Note: If virtual domains are enabled on the FortiGate unit, IM, P2P and VoIP features are configured globally. To access these features, select Global Configuration on the main menu.
Viewing overview statistics
The Summary tab provides a summary of statistics for all IM, P2P and VoIP protocols.
To view IM/P2P statistics, go to IM/P2P > Statistics > Summary.
Figure 270:IM, P2P and VoIP statistics summary
Statistics
The Summary tab has the following icons and features:
Automatic Refresh
Interval
Refresh
Reset Stats
Users
Select the automatic refresh interval for statistics. Set the interval from none to 30 seconds.
Click to refresh the page with the latest statistics.
Click to reset the statistics to zero.
For each IM protocol, the following user information is listed:
•
Current Users
•
(Users) Since Last Reset
•
(Users) Blocked.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
401
Statistics IM, P2P & VoIP
Chat
File Transfers
Voice Chat
P2P Usage
VoIP Usage
For each IM protocol, the following chat information is listed:
•
Total Chat Sessions
•
Total Messages.
For each IM protocol, the following file transfer information is listed:
(File transfers) Since Last Reset and (File transfers) Blocked.
For each IM protocol, the following voice chat information is listed:
•
(Voice chats) Since Last Reset
•
(Voice chats) Blocked.
For each P2P protocol, the following usage information is listed:
•
Total Bytes transferred
•
Average Bandwidth.
For SIP and SCCP protocol, the following information is listed:
•
Active Sessions (phones connected)
•
Total calls (since last reset)
•
Calls failed/Dropped
•
Calls Succeeded
Viewing statistics by protocol
The protocol tab provides detailed statistics for individual IM protocols.
To view protocol statistics, go to IM/P2P > Statistics > Protocol.
You can log IM chat information and the limitations placed on it, by enabling
Archive full IM chat info to FortiAnalyzer in the protection profile.
Figure 271:IM statistics by Protocol
402
The IM/P2P Protocol tab has the following icons and features:
Automatic Refresh
Interval
Protocol
Select the automatic refresh interval for statistics. Set the interval from none to 30 seconds.
Select the protocol for which statistics are to be displayed: AIM,
ICQ, MSN, or Yahoo.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
IM, P2P & VoIP
Users
Chat
Messages
File Transfers
Voice Chat
For the selected protocol, the following user information is displayed: Current Users, (Users) Since Last Reset, and (Users)
Blocked.
For the selected protocol, the following chat information is displayed: Total Chat Sessions, Server-based Chat, Group Chat, and Direct/Private Chat.
For the selected protocol, the following message information is displayed: Total Messages, (Messages) Sent, and (Messages)
Received.
For the selected protocol, the following file transfer information is displayed: (File transfers) Since Last Reset, (File transfers) Sent,
(File transfers) Received, and (File transfers) Blocked.
For the selected protocol, the following voice chat information is displayed: (Voice chats) Since Last Reset and (Voice chats)
Blocked.
User
After IM users connect through the firewall, the FortiGate unit displays which users are connected in the Current Users list. You can analyze the list and decide which users to allow or block. A policy can be configured to deal with unknown users.
Note: If virtual domains are enabled on the FortiGate unit, IM features are configured globally. To access these features, select Global Configuration on the main menu.
Viewing the Current Users list
The Current User list displays information about instant messaging users who are currently connected. The list can be filtered by protocol.
To view current users, go to IM/P2P > Users > Current User.
Figure 272:Current Users list
User
The Current Users list has the following features:
Protocol
Protocol
User Name
Source IP
Last Login
Block
Filter the list by selecting the protocol for which to display current users: AIM, ICQ, MSN, or Yahoo. All current users can also be displayed.
The protocol being used.
The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
The Address from which the user initiated the IM session.
The last time the current user used the protocol.
Select to add the user name to the permanent black list. Each user name/protocol pair must be explicitly blocked by the administrator.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
403
User IM, P2P & VoIP
Viewing the User List
The User List displays information about users who have been allowed access to
(white list) or have been blocked from (black list) instant messaging services.
Users can be added using Create New or from the temporary users list.
To view the User List, go to IM/P2P > Users > User List.
Figure 273:User List
404
The user list has the following icons and features:
Create New
Protocol
Policy
Protocol
Username
Policy
Edit icon
Delete icon
Select to add a new user to the list.
Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or
All.
Filter the list by selecting a policy: Allow, Deny, or All.
The protocol associated with the user.
The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
The policy applied to the user when attempting to use the protocol:
Block or Deny.
Change the following user information: Protocol, Username, and
Policy.
Permanently remove users from the User List.
Adding a new user to the User List
Add users to the User List to allow them to access instant messaging services or to block them from these services.
Go to IM/P2P > User > User List and select Create New.
Figure 274:Edit User
Protocol
Username
Policy
Select a protocol from the dropdown list: AIM, ICQ, MSN, or
Yahoo!
Enter a name for the user.
Select a policy from the dropdown list: Allow or Block.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
IM, P2P & VoIP
Configuring a policy for unknown IM users
The User Policy determines the action to be taken with unknown users. Unknown users can be either allowed to use some or all of the IM protocols and added to a white list, or blocked from using some or all of the IM protocols and added to a black list. You can later view the white and black lists and add the users to the user list.
To configure the IM policy, go to IM/P2P > User > Config.
Figure 275:IM User policy
User
Configure or view the following settings for the IM user policy:
Automatically Allow
Select the protocols that unknown users are allowed to use. The unknown users are added to a temporary white list.
Automatically Block
Select the protocols to which unknown users are denied access.
The unknown users are added to a temporary black list.
List of Temporary
Users
New users who have been added to the temporary white or black lists. User information includes Protocol, Username, and the
Policy applied to the user.
Note: If the FortiGate unit is rebooted, the list is cleared.
Protocol
Username
Select a protocol by which to filter the list of temporary users.
The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Policy
The policy applied to the user when attempting to use the protocol:
Block or Deny.
Permanently Allow
Select to add the user to the permanent white list. The user remains online and is listed in IM/P2P > Users > User List.
Permanently Block
Select to add the user to the permanent black list. The user is listed in IM/P2P > Users > User List.
Apply
Click to apply the global user policy.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
405
User IM, P2P & VoIP
406
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report FortiGate Logging
Log&Report
This section provides information on how to enable logging, viewing of log files and the viewing of reports available through the web-based manager. FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.
The following topics are included in this section:
•
•
•
•
High Availability cluster logging
•
•
•
•
•
•
Viewing FortiAnalyzer reports from a FortiGate unit
Note: VDOMs affect logging and reporting features. Before configuring logging in FortiOS
3.0MR4, make sure your VDOM configuration enables you to configure and enable
FortiGate logging and reporting features. For example, if you have a management VDOM, you can only configure logging to a FortiAnalyzer unit or Syslog server, and viewing logs is
not available. See “Using virtual domains” on page 61
for more information on VDOMs in
FortiOS 3.0MR4.
FortiGate Logging
A FortiGate unit can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts, HA and VPN activity
• anti-virus infection and blocking
• web filtering, URL and HTTP content blocking
• signature and anomaly attack and prevention
• Spam filtering
• Instant Messaging and Peer-to-peer traffic
You can customize the level that the FortiGate unit logs these events at and where the FortiGate unit stores the logs. The level that the FortiGate unit logs these events at, or the log severity level, is defined where you configure the logging location. There are six severity levels to choose from. See
“Log severity levels” on page 408 for more information.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
407
Log severity levels Log&Report
408
For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer™ unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity, to help identify security issues and reduce network misuse. The FortiGate unit can send all log message types, as well as quarantine files, to a FortiAnalyzer unit for storage. The FortiAnalyzer unit can upload log files to an FTP server for archival purposes. See
“Logging to a FortiAnalyzer unit” on page 409
for details on configuring the FortiGate unit to send log messages to a FortiAnalyzer unit.
The FortiGate unit can send log messages to either a Syslog server or
WebTrends server for storage and archival purposes. You can configure the
FortiGate unit to send log messages to its hard disk, if available.
You can also configure the FortiGate unit to log to a FortiGuard Log & Analysis server after subscribing for FortiGuard Log & Analysis subscription-based services. The FortiGuard Log & Analysis server enables you to store FortiGate logs, similar to other logging devices such as a FortiAnalyzer unit or Syslog server. This service is only available to FortiGate-100 units and lower. The
FortiGuard Log & Analysis subscription-based services will be available soon.
Contact technical support for more information.
The FortiGate unit enables you to view log messages available in memory, on a
FortiAnalyzer unit running firmware version 3.0 or higher, hard disk if available, and the FortiGuard Log & Analysis server. Customizable filters enable you to easily locate specific information within the log files.
See the
FortiGate Log Message Reference
for details and descriptions of log messages and formats.
Note: See the
FortiGate CLI Reference
for details on saving logs to the FortiGate hard disk.
Log severity levels
You can define what severity level the FortiGate unit records logs at when configuring the logging location. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages.
Table 44: Log severity levels
Levels Description Generated by
0 - Emergency The system has become unstable.
Event logs, specifically administrative events, can generate an emergency severity level.
1 - Alert Immediate action is required.
2 - Critical
3 - Error
Functionality is affected.
An error condition exists and functionality could be affected.
Attack logs are the only logs that generate an Alert severity level.
Event, Antivirus, and Spam filter logs.
Event and Spam filter logs.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.
Event and Antivirus logs.
Traffic and Web Filter logs.
Content Archive, Event, and
Spam filter logs.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report Storing Logs
Storing Logs
The type and frequency of log messages you intend to save dictates the type of log storage to use. For example, you can store a limited number of log messages in memory and older log messages are overwritten. Storing log messages to one or more locations, such as a FortiAnalyzer unit, may be better suited for your specific logging purposes. If you want to log traffic and content logs, you need to configure logging to a FortiAnalyzer unit or Syslog server because the FortiGate system memory is unable to log these particular log files.
In Log&Report > Log Config > Log Setting, you can configure where the
FortiGate unit stores logs.
You can enable logging to a FortiGuard server when you subscribe for the
FortiGuard Log & Analysis subscription-based services. The FortiGuard Log &
Analysis services provide another option for storing your logs when you do not have a logging device, such as a FortiAnalyzer unit or Syslog server. These services are only available for FortiGate-100 units and lower.
You can enable logging of most FortiGate features, except for traffic and full content archiving. Summary content archiving is supported. Reports are not supported.
The FortiGate unit sends logs to the FortiGuard Log & Analysis server using TCP port 514. This connection is secured by SSL and the logs are encrypted, providing a secure transfer of log information.
The storage space on the FortiGuard Log & Analysis server depends on the type of FortiGuard Log & Analysis subscription-based services purchased. Contact customer support for more information.
Note: If your FortiGate unit has a hard disk, use the CLI to enable logging to the FortiGate hard disk. See the
FortiGate CLI Reference
for more information before enabling logging to the hard disk. You can view logs stored on the hard disk from Log & Report > Log Access
> Disk.
Note: If VDOMs are enabled, make sure the VDOM you are currently in allows access for enabling logging locations. Certain VDOM configurations may only allow access to certain
FortiGate features. VDOM configuration also affects FortiGuard Log & Analysis services
and logging. See “Using virtual domains” on page 61
for more information.
Logging to a FortiAnalyzer unit
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse and abuse.
Figure 276:Configuring a connection to the FortiAnalyzer unit
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
409
Storing Logs Log&Report
3
4
1
2
5
6
To configure the FortiGate unit to send logs to the FortiAnalyzer unit
Go to Log&Report > Log Config > Log Setting.
Select FortiAnalyzer.
Select the blue arrow to expand the FortiAnalyzer options.
Set the level of the log messages to send to the FortiAnalyzer unit.
Enter the Server IP address of the FortiAnalyzer unit.
Select Apply.
The FortiAnalyzer unit needs to be configured to receive logs from the FortiGate unit after configuring log settings on the FortiGate unit. Contact a FortiAnalyzer administrator to complete the configuration.
Note: The FortiGate unit can log up to three FortiAnalyzer units. The FortiGate unit sends logs to all three FortiAnalyzer units where the logs are stored on each of the FortiAnalyzer units. This provides real-time backup protection in the event one of the FortiAnalyzer units fails. This feature is only available through the CLI. See the
FortiGate CLI Reference
for more information.
Connecting to FortiAnalyzer using Automatic Discovery
You can connect to a FortiAnalyzer unit by using the Automatic Discovery feature.
Automatic discovery is a method of establishing a connection to a FortiAnalyzer unit. When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate any FortiAnalyzer units available on the network within the same subnet. When the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer unit and begins sending log data, if logging is configured for traffic and so on, to the FortiAnalyzer unit.
3
4
1
2
5
6
Note: The Automatic Discovery feature needs to be enabled on the FortiAnalyzer unit so the feature works properly. The Automatic Discovery feature is disabled by default. The
FortiAnalyzer unit requires FortiAnalyzer 3.0 firmware to use the feature.
Note: If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. Use the Fortinet Knowledge center article, Fortinet
Discovery Protocol in Transparent mode , to enable the interface to also carry traffic when using the automatic discovery feature.
To enable automatic discovery
Go to Log&Report > Log Config > Log Setting.
Select the blue arrow for FortiAnalyzer to expand the options.
Select Automatic Discovery.
Select Discover.
The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.
Select a FortiAnalyzer unit from the Connect To list.
Select Apply.
410
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report Storing Logs
Testing the FortiAnalyzer configuration
After configuring FortiAnalyzer settings, you can test the connection between the
FortiGate unit and the FortiAnalyzer unit to ensure the connection is working correctly. This enables you to see the connection between the FortiGate unit and the FortiAnalyzer unit including the settings specified for transmitting and receiving logs, reports, content archive, and quarantine files between the
FortiGate unit and the FortiAnalyzer unit.
1
2
3
4
Note: Make sure the FortiGate unit learns the IP address of the FortiAnalyzer unit before testing the connection between both units. A false test report failure may occur if you select
Test Connectivity before the FortiGate unit learns the FortiAnalyzer unit’s IP address.
To test the connection
Go to Log&Report > Log Config > Log Setting.
Select the blue arrow for FortiAnalyzer to expand the options.
Select the blue arrow to expand the FortiAnalyzer options.
Select Test Connectivity.
Figure 277:Test Connectivity with FortiAnalyzer
FortiAnalyzer
(Hostname)
The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
The serial number of the FortiGate unit.
FortiGate
(Device ID)
Registration
Status
The registration status of the FortiGate unit.
Connection
Status
The connection status between FortiGate and FortiAnalyzer units. A checkmark indicates there is a connection and an X indicates there is no connection.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
411
Storing Logs Log&Report
Disk Space Allocated
Space
The amount of space designated for logs.
Used Space The amount of used space.
Privileges
Total Free
Space
The amount of unused space.
Displays the permissions of the device for sending and viewing logs and reports.
•
Tx indicates the FortiGate unit is configured to transmit log packets to the FortiAnalyzer unit.
•
Rx indicates the FortiGate unit is allowed to view reports and logs stored on the FortiAnalyzer unit.
A check mark indicates the FortiGate unit has permissions to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.
You can also test the connection status between the FortiGate unit and the
FortiAnalyzer unit by using the following CLI command: get system fortianalyzer-connectivity status
The command displays the status and the amount of disk usage in percent. See the FortiGate CLI Reference for more information.
Logging to memory
The FortiGate system memory has a limited capacity for log messages. It displays the most recent log entries. The FortiGate unit does not store Traffic and Content logs in the memory due to their size and frequency of log entries. When the memory is full, the FortiGate unit overwrites the oldest messages. All log entries are cleared when the FortiGate unit restarts.
3
4
1
2
Note: If your FortiGate unit has a hard disk, use the CLI to enable logging to the FortiGate hard disk. See the
FortiGate CLI Reference
for more information before enabling logging to your FortiGate hard disk.
To configure the FortiGate unit to save logs in memory
Go to Log&Report > Log Config > Log Setting.
Select Memory.
Select the blue arrow to expand the Memory options.
Select the severity level.
The FortiGate unit logs all messages at and above the logging severity level you select. For details on the logging levels, see
Table 44, “Log severity levels,” on page 408
.
412
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Logging to a Syslog server
The syslog is a remote computer running a syslog server. Syslog is an industry standard used to capture log information provided by network devices.
Figure 278:Logging to a Syslog server
Storing Logs
3
4
1
2
To configure the FortiGate unit to send logs to a syslog server
Go to Log&Report > Log Config > Log Setting.
Select Syslog.
Select the blue arrow to expand the Syslog options.
Set the following syslog options and select Apply:
Name/IP
Port
Level
The domain name or IP address of the syslog server.
The port number for communication with the syslog server, typically port 514.
The FortiGate unit logs all messages at and above the logging severity level you select. For details on the logging levels, see
Table 44, “Log severity levels,” on page 408
.
Facility
Facility indicates to the syslog server the source of a log message.
By default, FortiGate reports Facility as local7. You may want to change Facility to distinguish log messages from different FortiGate units.
Enable CSV Format If you enable CSV format, the FortiGate unit produces the log in
Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files.
Note: If more than one Syslog server is configured, the Syslog servers and their settings display on the Log Settings page.
Logging to WebTrends
WebTrends is a remote computer running a NetIQ WebTrends firewall reporting server. FortiGate log formats comply with WebTrends Enhanced Log Format
(WELF) and are compatible with NetIQ WebTrends Security Reporting Center and
Firewall Suite 4.1.
Use the command line interface to configure the FortiGate unit to send log messages to WebTrends. After logging into the CLI, enter the following commands: config log webtrends setting
set status {disable | enable} end
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
413
Storing Logs
414
Log&Report
Keywords and variables Description
server <address_ipv4>
Enter the IP address of the WebTrends server that stores the logs.
status
{disable | enable}
Enter enable to enable logging to a
WebTrends server.
Default
No default.
disable
Example
This example shows how to enable logging to a WebTrends server and to set an
IP address for the server. config log webtrends setting set status enable set server 220.210.200.190
end
See the Log chapter in the
FortiGate CLI Reference
for details on setting the options for the types of logs sent to WebTrends.
Logging to FortiGuard Log and Analysis server
You can enable logging to the FortiGuard Log & Analysis server after subscribing to receive FortiGuard Log & Analysis services.
7
8
1
2
3
4
5
6
Note: The FortiGate unit requires a valid license before logging to the FortiGuard Log &
Analysis server.
To enable logging to the FortiGuard Log & Analysis server
Go to System > Maintenance > FortiGuard Center.
Select the blue arrow to expand Log & Analysis Options.
Select the link in the sentence, To configure FortiGuard Log & Analysis options, please click here.
You are redirected to Log&Report > Log Config > Log Setting.
Select the blue arrow to expand the FortiGuard Log & Analysis options.
Select the FortiGuard Log & Analysis checkbox on the Log Setting page.
Select to either overwrite or stop logging from the When Log disk is full drop-down list.
Select a minimum severity level from the Minimum severity level drop-down list.
Select Apply.
After enabling logging, it is recommended to verify your connection by selecting
Update Now in Antivirus and IPS Downloads options on the FortiGuard Center page. You can also restart your FortiGate unit in the event selecting Update Now is unsuccessful.
You can view your connection to the FortiGuard Log and Analysis server in
System > Maintenance > FortiGuard Center. In the System Resources category, a pie chart displays the percentage of used space on the FortiGuard Log
& Analysis server. You can also view the amount of space used and available when you expand the FortiGuard Log & Analysis options on the Log Settings page.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report High Availability cluster logging
High Availability cluster logging
When configuring logging with a High Availability (HA) cluster, configure the primary unit to send logs to a FortiAnalyzer unit or a Syslog server. The settings will apply to the subordinate units.The subordinate units send the log messages to the primary unit, and the primary unit sends all logs to the FortiAnalyzer unit or
Syslog server.
If you configured a secure connection via an IPSec VPN tunnel between a
FortiAnalyzer unit and a HA cluster, the connection is between the FortiAnalyzer unit and the HA cluster primary unit.
See the
FortiGate High Availability User Guide
for more information.
Note: If VDOMs are enabled, make sure the VDOM you are currently in allows access for
HA cluster logging. Certain VDOM configurations may only allow access to certain
FortiGate features.
Log types
Traffic log
The FortiGate unit provides a wide range of logging options for monitoring your network. This section describes each log type and how to enable the log.
Note: Configure the device where you want to store the log files before recording any logs.
See
“Storing Logs” on page 409 for more information.
Note: If VDOMs are enabled, make sure the VDOM you are currently in allows access to enabling logging of FortiGate features. Certain VDOMs only allow access to certain
FortiGate features.
The Traffic Log records all the traffic to and through the FortiGate interfaces. You can configure logging of traffic controlled by firewall policies and for traffic between any source and destination addresses. You can apply the following filters:
Allowed traffic
Violation traffic
The FortiGate unit logs all traffic that is allowed according to the firewall policy settings.
The FortiGate unit logs all traffic that violates the firewall policy settings.
Note: You need to set the logging severity level to Notification when configuring a logging location to record traffic log messages. Traffic log messages generally have a severity level no higher than Notification. If VDOMs are enabled, make sure the VDOM you are currently in allows access for enabling traffic logs.
Enabling traffic logging
Traffic logging records any traffic to or from the interface or VLAN subinterface.
You need to set the logging severity level to Notification or lower to record traffic logs.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
415
Log types
416
Log&Report
1
2
3
3
4
1
2
4
5
To enable traffic logging for an interface or VLAN subinterface
Go to System > Network > Interface.
Select the Edit icon for an interface.
Select Log.
Select OK.
Enabling firewall policy traffic logging
Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile.
To enable firewall policy traffic logging
Go to Firewall > Policy.
Select the blue arrow to expand the policy list for a policy.
Select the Edit icon.
If required, create a new firewall policy by selecting Create.
Select Log Allowed Traffic.
Select OK.
Event log
1
2
The Event Log records management and activity events. For example, when a configuration has changed, or VPN and High Availability (HA) events occur.
To enable the event logs
Go to Log&Report > Log Config > Event Log.
Select from the following logs:
System Activity event
IPSec negotiation event
DHCP service event
L2TP/PPTP/PPPoE service event
Admin event
The FortiGate unit logs all DHCP-events, such as the request and response log.
The FortiGate unit logs all protocol-related events, such as manager and socket creation processes.
HA activity event
The FortiGate unit logs all administrative events, such as user logins, resets, and configuration updates.
The FortiGate unit logs all high availability events, such as link, member, and state information.
Firewall authentication event
Pattern update event
SSL VPN user authentication event
The FortiGate unit logs all system-related events, such as ping server failure and gateway status.
The FortiGate unit logs all IPSec negotiation events, such as progress and error reports.
The FortiGate unit logs all firewall-related events, such as user authentication.
The FortiGate unit logs all pattern update events, such as antivirus and IPS pattern updates and update failures.
The FortiGate unit logs all user authentication events for an SSL
VPN connection, such as logging in, logging out and timeout due to inactivity.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
3
Antivirus log
SSL VPN administrator event
The FortiGate unit logs all administrator events related to SSL
VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event
The FortiGate unit logs all session activity such as application launches and blocks, timeouts, verifications and so on.
Select Apply.
The Antivirus Log records virus incidents in Web, FTP, and email traffic. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email that is logged, an antivirus log is recorded. You can apply the following filters:
Viruses
Blocked Files
Oversized Files/
Emails
AV Monitor
The FortiGate unit logs all virus infections.
The FortiGate unit logs all instances of blocked files.
The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.
The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3,
SMTP, and IM traffic.
1
2
3
4
5
Web filter log
To enable antivirus logs
Go to Firewall > Protection Profile.
Select the Edit icon beside the protection profile to enable logging of antivirus events.
Select the blue arrow to expand the Logging options.
Select the antivirus events you want logged.
Select OK.
1
2
3
4
5
6
The Web Filter Log records HTTP FortiGuard log rating errors including web content blocking actions.
To enable web filter logs
Go to Firewall > Protection Profile.
Select edit for a protection profile.
Select the blue arrow to expand the Logging options.
Select the web filtering events to log.
Select the FortiGuard Web Filtering Log rating errors (HTTP only), to log
FortiGuard filtering.
Select OK.
Log types
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
417
Log types
418
Log&Report
Attack log
The Attack Log records attacks detected and prevented by the FortiGate unit. The
FortiGate unit logs the following:
Attack Signature
Attack Anomaly
The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the
FortiGate unit.
1
2
3
4
5
To enable the attack logs
Go to Firewall > Protection Profile.
Select edit for a protection profile.
Select the blue arrow to expand the Logging options.
Select Log Intrusions
Select OK.
Note: Make sure attack signature and attack anomaly settings are enabled to log the attack. The logging options for the signatures included with the FortiGate unit are set by default. Ensure any custom signatures also have the logging option enabled. For details, see
“Intrusion Protection” on page 349
.
Spam filter log
The Spam Filter Log records blocking of email address patterns and content in
SMTP, IMAP and POP3 traffic.
1
2
3
4
5
To enable the Spam log
Go to Firewall > Protection Profile.
Select edit for a protection profile.
Select the blue arrow to expand the Logging options.
Select the Log Spam.
Select OK.
IM and P2P log
The Instant Message (IM) and Peer-to-Peer (P2P) log records instant message text and audio communications, file transfers attempted by users, the time the transmission was attempted, the type of IM application used and the content of the transmission.
4
5
6
1
2
3
To enable IM and P2P logs
Go to Firewall > Protection Profile.
Select the Edit icon for a protection profile.
Select the blue arrow to expand the Logging options.
Select Log IM Activity
Select Log P2P Activity
Select OK.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report Log Access
VoIP log
3
4
1
2
5
1
2
3
4
5
6
7
8
You can now log Voice over Internet Protocol (VoIP) calls. You can also configure
VoIP rate limiting for Session Initiated Protocol (SIP) and Skinny Client Control
Protocol (SCCP) or Skinny protocol. SIP and SCCP are two types of VoIP protocols. Rate limiting is generally different between SCCP and SIP. For SIP, rate limiting is for that SIP traffic flowing through the FortiGate unit. For SCCP, the call setup rate is between the FortiGate unit and the clients because the call manager normally resides on the opposite side of the FortiGate unit from the clients.
To enable VoIP logs
Go to Firewall > Protection Profile.
Select the Edit icon for a protection profile.
Select the blue arrow to expand the Logging options.
Select Log VoIP Activity.
Select OK.
To configure VoIP activity
Go to Firewall > Protection Profile.
Select the Edit icon for a protection profile.
Select the blue arrow to expand the VoIP options.
Select the SIP and SCCP checkboxes.
Enter a number for requests per second in the Limit REGISTER request
(requests/sec) (SIP only) field.
Enter a number for requests per second in the Limit INVITE request
(requests/sec) (SIP only) field
Enter a number for the maximum calls per minute in the Limit Call Setup
(calls/min) (SCCP only) field.
Select OK.
Log Access
The FortiGate unit enables you to view the logs stored in memory, hard disk or stored on a FortiAnalyzer unit running FortiAnalyzer 3.0. The FortiGate unit also enables you to view logs stored on the FortiGuard Log & Analysis server.
Logs are accessed in the Log Access menu. The Log Access menu provides a tab for memory, hard disk, FortiAnalyzer unit, and the FortiGuard Log & Analysis server. Each tab provides options for viewing log messages, such as search and filtering options, including selecting the log type you want to view.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher so the
FortiGate unit can view logs that are located on a FortiAnalyzer unit.
Note: If VDOMs are enabled, make sure the VDOM you are currently in allows access to
FortiGate logs stored on the system memory, hard disk, FortiAnalyzer unit or the FortiGuard
Log & Analysis server. Certain VDOMs may only allow access to certain FortiGate features.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
419
Log Access Log&Report
Accessing log messages stored in memory
From the Log Access page, you can access logs stored in the FortiGate system memory. Traffic logs are not stored in memory because of the amount of space required to log them.
1
2
3
To view log messages in the FortiGate memory buffer
Go to Log&Report > Log Access.
Select the Memory tab.
Select a log type from the Log Type list.
Accessing log message stored in the hard disk
You can access logs stored on your FortiGate hard disk, if your FortiGate unit has a hard disk. The logs are accessible the same way as when accessing logs stored on the FortiAnalyzer unit. You can view, navigate, and download logs stored on the hard disk.
1
2
3
To access log files on the hard disk
Go to Log & Report > Log Access.
Select the Disk tab.
Select a log type from the Log Type list.
Figure 279:Viewing log files stored on the FortiGate hard disk
Clear log icon
Download icon
View icon
420
Delete icon
Log Type
Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
File name
The name(s) of the log file(s) of that type stored on the FortiGate hard disk.
When a log file reaches its maximum size, the FortiAnalyzer unit saves the log files with an incremental number, and starts a new log file with the same name. For example, the current attack log is alog.log. Any subsequent saved logs appear as alog.n, where n is the number of rolled logs.
The size of the log file in bytes.
Size
Last access time
The day of the week, month, day, time, and year a log message packet was last sent to by the FortiGate unit.
Clear log icon
Select to clear the current log file. When you select the Clear Log icon, you only delete the current log messages of that log file. The log file is not deleted.
Download icon
Select to download the log file or rolled log file. Select either Download file in Normal format link or Download file in CSV format link. Select the
Return link to return to the Disk tab page. Downloading the log file only includes current log messages.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
View icon
Delete icon
Display the log file through the web-based manager.
Select to delete rolled logs. It is recommended to download the rolled log file before deleting it because the rolled log file cannot be retrieve after deleting it.
Accessing logs stored on the FortiAnalyzer unit
You can view and navigate logs saved to the FortiAnalyzer unit. For details on configuring the FortiGate unit to send log files to the FortiAnalyzer unit, see
“Logging to a FortiAnalyzer unit” on page 409 .
1
2
3
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs from the FortiGate unit.
To access log files on the FortiAnalyzer unit
Go to Log&Report > Log Access.
Select the FortiAnalyzer tab.
Select a log type from the Log Type list.
Figure 280:Viewing log files stored on the FortiAnalyzer unit
Log Access
Previous page
Next Page
Log Type
Previous Page
Next Page
View per page
Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
Select to view the previous page of log messages.
Select to view the next page of log messages.
Select to view 30, 50 or 1000 log messages on the page.
Line
Enter a number to view that log message. For example, entering the number 5 displays the fifth log message and all log messages after the fifth log message.
Column Settings
Select to add or remove columns. See
for more information.
Raw
Select to view the current log messages in their non-formatted format.
By default, the FortiGate unit displays log messages in formatted format.
Clear All Filters
Select to clear all filter settings.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
421
Log Access Log&Report
Accessing logs on the FortiGuard Log & Analysis server
You can access logs on the FortiGuard Log & Analysis server from the Log
Access page. The Log Access page contains a FortiGuard tab, enabling you to view all logs that are on the FortiGuard Log & Analysis server.
1
2
3
To access logs on the FortiGuard Log & Analysis server
Go to Log&Report > Log Access.
Select the FortiGuard tab.
Select a log type from the Log Type list.
Viewing log information
The log viewer provides a display of the log message information. The columns that appear reflect the content found in the log file. The top portion of the Log
Access page includes navigational features to help you move through the log messages, and locate specific information.
Figure 281:Viewing log messages
Previous
Page
Next Page icon
Column settings icon
422
Previous page icon
Select to view the previous page in the log file.
Next page icon
Select to view the next page in the log file.
View per page
Select the number of log messages displayed on each page.
Line
Column settings icon
Type the line number of the first line you want to display. The number following the slash (“/”) is the total number of lines in the log.
Select to add or remove log information columns to display.
Raw or Formatted Select Raw to switch to an unformatted log message display. Select
Formatted to switch to a log message display organized into columns.
Clear All Filters
Select to remove applied filtering options for the log file.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Column settings
Customize and filter the log messages display using the Column Settings icon.
The column settings apply when viewing the formatted (not raw) log messages.
Figure 282:Column settings for viewing log messages
Log Access
uir
3
4
1
2
5
6
7
To customize the columns
Go to Log&Report > Log Access.
Select the tab to view logs from, Memory, FortiAnalyzer or FortiGuard.
Select a log type from the Log Type list.
Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
Select the Column Settings icon.
Select a column name and select one of the following to change the views of the log information:
->
<-
Move up
Move down
Select OK.
Select the right arrow to move selected fields from Available fields list to
Show these fields in this order list.
Select the left arrow to move selected fields from the Show these fields in this order list to the Available fields list.
Move the selected field up one position in the Show these fields list.
Move the selected field down one position in the Show these fields list.
Note: The Detailed Information column provides the entire raw log entry and is only needed if the log contains information not available in any of the other columns. The VDOM column displays which VDOM the log was recorded in.
Filtering log messages
You can filter the contents of the logs to find specific information within a large log file or many log messages. Filtering provides a form of advanced search for each column of information in the log.
Figure 283:Log filters
Filter in use
Column filter
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
423
Log Access Log&Report
The filter settings you apply remains for the duration of the time you are logged in to the web-based manager. The log filters are reset when you log out of the web-based manager.
Note: The filters can only be used when viewing log contents in the formatted view.
1
2
3
4
5
6
To filter log messages
Go to Log&Report > Log Access.
Select the tab to view logs from, Memory, FortiAnalyzer or FortiGuard.
Select a log type from the Log Type drop-down list.
Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
Enter the line number you want to view in the Line field.
The line number you entered is shown along with all lines that come after it.
Select Raw if you want to view all files in an unformatted format.
You can filter log messages using the Column Settings icon when in formatted type. With the Column Settings icon, you can view only the message of the log, or several parts of the log, for example the date, time, source port, destination port,
and ID. See “Column settings” on page 423
for more information.
Deleting logs stored on the FortiGuard Log & Analysis server
You may want to delete or purge logs stored on the FortiGuard Log & Analysis server. You can delete or purge logs that are 1 month old and up to 24 months old.
This option to delete or purge logs stored on the FortiGuard Log & Analysis server is only available after enabling logging to the FortiGuard Log & Analysis server.
1
2
3
4
5
To delete logs stored on the FortiGuard Log & Analysis server
Go to System > Maintenance > FortiGuard Center.
Select the blue arrow to expand the FortiGuard Log & Analysis Options.
Select a number from the drop-down list in the sentence, To purge logs older than
[#] month(s) now, please click here.
Select the link in the sentence, To purge logs older than [#] month(s) now, please click here.
A message appears similar to the following:
Warning: This will erase log files from FortiGuard. Are you sure you want to continue?
Select OK.
Note: It is recommended to download all log files before deleting them.
424
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report Content Archive
Content Archive
The Content Archive menu enables you to view archived logs stored on the
FortiAnalyzer unit from the FortiGate web-based manager. The Content Archive menu has four tabs, HTTP, FTP, Email, and IM where you can view each of these archived log types.
Before viewing content archives, you need to enable this feature on your
FortiGate unit. Content archiving is enabled from within a protection profile. See
“Firewall Protection Profile” on page 271
for more information about enabling content archiving in a protection profile.
3
4
1
2
5
6
7
Note: The FortiGuard Log & Analysis server only provides content summary of logs stored on the server. Make sure the VDOM you are currently in allows access to viewing content archived logs on the FortiGate unit and content summary logs from the FortiGuard Log &
Analysis server. Certain VDOM configurations only allow access to certain FortiGate features.
To enable content archiving for your FortiGate unit
Go to Firewall > Protection Profile.
Select the Edit icon beside a protection profile.
Select the blue triangle to expand the Content Archive option.
Select the check boxes you require for Display content meta-information on the system dashboard.
Select None, Summary or Full from each drop-down list you require for Archive to
FortiAnalyzer/FortiGuard.
Select the checkbox for Archive SPAMed email to FortiAnalyzer, if required.
Select OK.
If you are logging to the FortiGuard Log & Analysis server, only None and
Summary are available in the drop-down list for Archive to
FortiAnalyzer/FortiGuard.
Note: NNTP options will be supported in future releases.
1
2
1
2
3
To view content archives
Go to Log&Report > Content Archive.
Select the tab of the archived log type to view.
To view content summary logs from the FortiGuard Log & Analysis server
Go to Log&Report > Content Archive.
Select FortiGuard from Select Log Device drop-down list.
Select the tab of the content summary log type to view.
If you require to view logs in Raw format, select Raw beside the Column Settings icon. See
for more information about the Column
Settings icon. If you are logging to a FortiGuard Log & Analysis server, you will only see the content summary of logs. Content summary of logs do not contain links because they are not archived.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
425
Alert Email
Alert Email
Log&Report
The Alert Email feature enables the FortiGate unit to monitor logs for log messages, notifying by email of a specific activity or event logged. For example, if you require notification about administrator(s) logging in and out, you can configure an alert email that is sent whenever an administrator(s) logs in and out.
This feature sends out an alert email based on the severity level logged as well.
Note: If VDOMs are enabled, make sure the VDOM you are currently in allows access for configuring an alert email. Certain VDOMs may only allow access to certain FortiGate features.
Figure 284:Alert Email options
426
Configuring Alert Email
When configuring alert email, you must configure at least one DNS server. The
FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server.
1
2
To configure alert email
Go to Log&Report > Log Config > Alert E-mail.
Set the following options and select Apply.
SMTP Server
Email from
Email To
Authentication
Enable
The name/address of the SMTP email server.
The SMTP user name.
Enter up to three email recipients for the alert email message.
Select the Authentication Enable check box to enable SMTP authentication.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report Alert Email
3
4
5
6
7
SMTP user
Password
Enter the user name for logging on to the SMTP server to send alert email messages. You only need to do this if you have enabled the
SMTP authentication.
Enter the password for logging on to the SMTP server to send alert email. You only need to do this if you selected SMTP authentication.
Select Test Connectivity to receive a test email message to the email account you configured in the above step.
Select Send alert email for the following if you require sending an email based on one or all of the following:
Interval Time
Intrusion detected
Enter the number of minutes before an alert email is sent to the recipient.
Select if you require an alert email message based on intrusion detection.
Virus detected
Select if you require an alert email message based on virus detection.
Web access blocked Select if you require an alert email message based on blocked web sites that were accessed.
HA status changes
Select if you require an alert email message based on HA status changes.
Violation traffic detected
Select if you require an alert email message based on violated traffic the FortiGate unit detects.
Firewall authentication device
Select if you require an alert email message based on firewall authentication.
SSL VPN login failure Select if you require an alert email message based on any SSL
VPN logins that failed.
Administrator login/logout
Select if you require an alert email message based on whether the administrator(s) logs in and logs out.
IPSec tunnel errors
Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors
Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.
Configuration changes
FDS license expiry time (in days)
Select if you require an alert email message based on any changes made to the FortiGate configuration.
Enter the number of days for notification of FDS license expiry time.
Disk usage in percent
FortiGuard log disk quota
Enter a number for the percentage of disk usage that an alert email will be sent.
Select if you require an alert email message based on the
FortiGuard Log & Analysis log disk quota.
Select Send an alert based on severity if you require sending an alert email based on log severity level.
This enables the FortiGate unit to send an alert email whenever a specific log level appears in the log.
Select the minimum severity level in the Minimum severity level list.
Select Apply.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more than one log message before an interval is reached, the FortiGate unit combines the messages and sends out one alert email.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
427
Reports Log&Report
Reports
The FortiAnalyzer reporting features are now more integrated with the FortiGate unit. From the Log&Report menu, you can configure a simple FortiAnalyzer report, view the report, and print the report. You can even view content archive logs stored on the FortiAnalyzer unit.
You can configure basic traffic reports from the Log&Report menu. Basic traffic reports use the log information stored in your FortiGate memory to present basic traffic information in a graphical format.
Note: If VDOMs are enabled, make sure the VDOM you are currently in allows access to configure, view, edit and/or print reports. Certain VDOMs may only allow you to access certain FortiGate features.
Basic traffic reports
The FortiGate unit uses collected log information and presents it in graphical format to show network usage for a number of services. The charts show the bytes used for the service traffic.
Note: The data used to present the graphs is stored in memory. When the FortiGate unit is reset or rebooted, the data is erased.
You can view logs from Log&Report > Report Access > Memory.
Figure 285:Viewing the Bandwidth Per Service graph
428
Time Period
Select a time range to view for the graphical analysis. You can choose from one day, three days, one week or one month. The default is one day. When you refresh your browser or go to a different menu, the settings revert to default.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Services
By default all services are selected. When you refresh your browser or go to a different menu, all services revert to default settings. Deselect the services you do not want to include in the graphical analysis.
•
Browsing
•
Streaming
•
DNS
•
•
FTP
•
Gaming
•
•
•
•
TFTP
VoIP
Generic TCP
Generic UDP
•
Instant Messaging
•
Newsgroups
•
P2P
•
Generic ICMP
•
Generic IP
The report is not updated in real-time. You can refresh the report by selecting the
Memory tab.
1
2
3
4
Configuring the graphical view
The FortiGate basic traffic report includes a wide range of services you can monitor. For example, you can view only email services for the last three days.
To change the graphical information
Go to Log&Report > Report Access > Memory.
Select the time period to include in the graph from the Time Period list.
Deselect the services to not include in the graph. All services are selected by default.
Select Apply.
The graph refreshes and displays with the content you specified in the above procedure. The Top Protocols Ordered by Total Volume graph does not change.
Note: If you require a more specific and detailed report, configure a report from the
FortiAnalyzer web-based manager or CLI. See “Configuring a FortiAnalyzer report” on page 430
if you require a simple FortiAnalyzer report. The FortiAnalyzer unit can generate over 140 different reports providing you with more options than the FortiGate unit provides.
FortiAnalyzer reports
You can configure a simple FortiAnalyzer report from FortiGate logs in the web-based manager or CLI. If you want to configure a report using the CLI interface, see the
FortiGate CLI Reference
for more information.
See the
FortiAnalyzer Administration Guide
for details on how to add and configure additional report profiles.
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
Reports
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
429
Reports Log&Report
Configuring a FortiAnalyzer report
You can configure a FortiAnalyzer report from the Report Config menu. The
Report Config menu also includes the CLI command, multi-report, enabling you to configure multiple FortiAnalyzer reports. The multi-report command is disabled by default.
By default, only the default FortiAnalyzer report is available in the Report Config menu. The default FortiAnalyzer report is automatically configured by the
FortiAnalyzer unit and is specific to your FortiGate unit. The report is also given a default name, for example, Default_100281021024. The default report name is taken from the FortiGate device identification number.
You can edit either scheduled reports or the default FortiAnalyzer report. See
“Editing FortiAnalyzer reports” on page 437
to edit a scheduled report or the default FortiAnalyzer report.
5
6
3
4
7
8
1
2
9
To configure the FortiAnalyzer report profile
Log into the CLI.
Enter the following commands: config log fortianalyzer settings set multi-report enable end
Log into the web-based manager.
Go to Log&Report > Report Config.
Enter a name for the report.
Enter a title for the report.
Enter a description of what the report includes, if required.
:
Select the blue arrow next to the options you need to configure
Properties
Report Scope
Report Types
Report Format
Output
Schedule
Summary Layout
Select to customize the header and footer and include the company name. See
“Configuring the report properties” on page 431 for more information.
Select the type of results to include in the report. See
“Configuring the report types” on page 433
for more information.
Select the types of reports to include. See
“Configuring the report types” on page 433 for more information.
Select to resolve host names or rank reports using variables. See
“Configuring the report format” on page 433
for more information.
Select the file format for the reports. See “Configuring the report output” on page 434
for more information.
Configure when the FortiAnalyzer unit runs the report, for example, weekly, or monthly. See
“Configuring the report schedule” on page 435 for more information.
Configure a customized layout of summarize categories. See
“Configuring the summary layout” on page 435
for more information.
Select OK.
430
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Configuring the report properties
Enter your company’s name, a header comment or a footer for the report. These are optional.
Figure 286:Report properties options
Reports
Configuring the report scope
Select the time period and/or log filters for the report. You can select different time periods, for example, if you want the report to include log files from July 31, 2005 to September 9, 2005.
Figure 287:Report configuration time period
Time Period
From Date
Select the time period for the report. When you select last n hours, days or weeks, a field will appear. Enter a number in the field, for example, eight, for last n of hours, days of weeks.
Select to configure the start date of the report. For example, you may want to begin the report on May 5, 2005 at 13:00. The hours are in the 24-hour format.
Select to configure the end date of the report.
To Date
Figure 288:Report configuration data log filter
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
431
Reports
432
Log&Report
Filter logs
Include logs that match
Priority
Source(s)
Destination(s)
Interface(s)
Users
Groups
Virtual Domain(s)
Policy IDs
Service(s)
Messages
Day of the Week
Select None to not apply a filter to the logs in the report.
Select Custom to apply filters to the log report.
Select the matching criteria for the filter.
Select all to include logs in the report that match all filter settings.
If information within a log does not match all the criteria, the
FortiAnalyzer unit will not include the log in the report.
Select any to include logs in the report that match any of the filter settings. If any of the filter content, even one filter setting, matches information in a log file, the log the FortiAnalyzer unit includes the log in the report.
Select the check box to enable the priority level filter options.
Set the priority level to look for in the logs, and set whether the information should be less than, greater than or equal to the priority level.
Enter the source IP address for the matching criteria. Use a comma to separate multiple sources.
Select Not to exclude the source IP address from the report. For example, do not include any information from a specific source IP address in the log report.
Enter the destination IP address for the matching criteria. Use a comma to separate multiple sources.
Select Not to exclude the destination IP address from the report.
For example, do not include any information from a specific destination IP address in the log report.
You can filter IP ranges, including subnets to report on groups within the company. For example:
•
172.20.110.0-255 filters all IP addresses in the
172.20.110.0/255.255.255.0 or 172.20.110.0/24 subnet
•
172.20.110.0-140.255þ filters all IP addresses from
172.20.110.0 to 172.20.140.255
•
172.16.0.0-20.255.255 filters all IP addresses from 172.16.0.0 to 172.20.255.255)
Enter the interface you want to include in the report. Separate multiple interface names with a comma.
Select Not to exclude the interface information from the report. For example, do not include any information from a specific interface in the log report.
Enter the user names to include in the report. Separate multiple user names with a comma.
Enter the group names to include in the report. Separate multiple group names with a comma.
Enter the virtual domains (VDOM) to include in the report.
Separate multiple VDOMs with a comma.
Select Not to exclude the VDOM from the report. For example, do not include any information from a specific VDOM in the log report.
Enter the firewall policy ID numbers to include in the report. The report will include the traffic information from the FortiGate firewall policies in the logs. Separate multiple policy IDs with a comma.
Enter specific services to include in the report. Separate multiple services with a comma.
Select Not to exclude the service from the report. For example, do not include any information from a specific service in the log report.
Enter specific email messages you want the report to include from the email reports. Separate multiple messages with a comma.
Select the days of the week that the information is pulled from the log files to include in the report.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Configuring the report types
Select the type of information you want to include in the report:
• Select Basic to include the most common report types.
• Select All to include all report types. If data does not exist for a report type, that report will appear with the message “No matching log data for this report.”
• Select Custom to select the reports you want to include. Select the blue arrow to expand the report categories and select individual reports.
Configuring the report format
Select to resolve service names, host names or rank the top items for the report using variables.
Figure 289:Report configuration formats
Reports
Display category summary reports
Select to display the category summary reports.
Include reports with no matching data
Select to include reports that have no matching data.
Resolve Service
Names
Select to display network service names rather than port numbers. For example, HTTP rather than port 80.
Resolve Host
Names
Select to display host names by a recognizable name rather than IP addresses. For example, Sally_Accounting. For details on configuring
IP address host names see the
FortiAnalyzer Administration Guide
.
Select to include obscure user group names.
Obfuscate User
(Group) Names
Advanced
Select to include the top ranked items for your report, summary information, and/or a table of contents.
In 'Ranked
Reports' show top
For some report types, you can set the top ranked items for the report. These reports have “Top” in their name, and will always show only the top number of entries. For example, report on the most active mail clients within the organization rather than all mail clients.
Reports that do not include “Top” in their name will always show all information. Changing the values for top field will not affect these reports.
Include
Summary
Information
Select to include a roll up of the report contents, if required.
Include Table of
Select to include a table of contents for your report.
Contents
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
433
Reports Log&Report
Configuring the report output
Select a destination and format(s) for the report. You can select from several different formats, including Text format. You can also select a different format for file output and email output.
When configuring the FortiAnalyzer unit to email a report, you must configure the mail server on the FortiAnalyzer unit. For details, see the
FortiAnalyzer
Administration Guide
or contact a FortiAnalyzer administrator.
Note: If you are emailing HTML reports to a user, and their email client does not support
HTML, they will see the HTML code for each report in the message body.
Figure 290:Report configuration output
434
File output
Email output
Email Subject
Email attachment name
Email body
Select the file format for the generated reports that are saved to the FortiAnalyzer hard disk.
Select the file formats for the generated reports that the
FortiAnalyzer unit sends as an email attachment.
Enter to customize the subject line of the email.
Enter the name of the attachment sent in the email.
Email from
Email server
Email to
Email list
Enter the body of the email message.
Enter the sender’s email address.
Select an email server from the drop-down list.
Enter the recipient’s email address.
Enter the email addresses of the recipients of the report. Add multiple recipients by selecting Add. Select Delete if you want to delete a recipient in the list.
Upload Report to FTP
Select to upload completed report files to an FTP server.
Server
Server Type
Select the type of server to upload the report to. You can select to upload the report to an FTP server, SFTP server, or SCP server.
IP address
Username
Enter the IP address of the FTP server.
Enter the user name to log onto the FTP server.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Password
Upload report(s) in gzipped format
Delete file(s) after uploading
Enter the password to log onto the FTP server.
Select to compress the report files as gzip files before uploading to the FTP server.
Select to delete the report files from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload to the FTP server.
Configuring the report schedule
Set a schedule for when the FortiAnalyzer unit generates the reports. Choose a recurring schedule, for example, to generate weekly reports on mail traffic.
Figure 291:Report configuration schedule
Reports
Schedule Select to set a schedule when the FortiAnalyzer report generates.
Not
Scheduled
Select to not generate a daily report. Use this setting when you want to run the report as needed.
Daily
Select to generate the report every day at the same time.
Time
These Days Select specific days of the week to generate the report.
These
Dates
Select specific days of the month to generate the report. For example, to generate the report on the first and fifteenth of every month, enter 1,15.
Select the time of day when the FortiAnalyzer generates the report.
Time
Select the time of the day when the FortiAnalyzer generates the report.
Configuring the summary layout
Select Customize List to configure a customized layout of charts from the specified categories.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
435
Reports
Figure 292:Report summary layout
Log&Report
436
Customize
Chart
Select the number of columns, charts to add to the layout, and edit or remove the charts.
Columns
Select a number from the drop-down list to specify how many columns to include in the chart. You can choose only one column or up to four columns.
Available
Charts to Add
Select to add the different types of charts to your summary layout. You can edit or delete each chart individually, if required. There are 25 different types of charts to choose from.
Edit icon Select to edit each individual chart. You can edit the style of the chart or the TopN number. Select OK to save your changes.
Chart Name The name of the chart.
Chart Style Select the style of the chart.
You can choose from line, pie, and column. The default is column.
TopN Enter a number for the Top number of that particular item.
X icon Removes the chart from the layout.
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Log&Report
Editing FortiAnalyzer reports
After a scheduled FortiAnalyzer report is configured and generated, you can then edit the report from the Report Config menu. The FortiAnalyzer tab enables you to edit the report, and view information about other scheduled FortiAnalyzer reports.
You can view and edit scheduled reports from the FortiAnalyzer tab. You can also edit the default FortiAnalyzer report that the FortiAnalyzer unit automatically generates for your FortiGate unit.
After enabling the multi-report command from the CLI, the FortiAnalyzer page displays if there is a report currently being generated by the FortiAnalyzer unit, when the next scheduled report will be generated, and if the Report Engine is active or inactive.
3
4
1
2
To edit a scheduled or default FortiAnalyzer report
Go to Log&Report > Report Config > FortiAnalyzer.
Select the Edit icon beside a report if you are not editing the default FortiAnalyzer report.
Edit the settings you want for the scheduled report.
Select OK.
Printing your FortiAnalyzer report
After the FortiAnalyzer unit generates the report, you may want to print the report to have as a hardcopy reference or for a presentation. You can print your report(s) from the web-based manager in the Report Access menu.
1
2
3
4
To print a FortiAnalyzer report
Go to Log&Report > Report Access > FortiAnalyzer.
Select Historical Reports.
In the list of FortiAnalyzer reports, select the report you want to print.
Select Print.
Note: Make sure to check the Report Title of the report displayed on the FortiAnalyzer page before printing.
Reports
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
437
Viewing FortiAnalyzer reports from a FortiGate unit Log&Report
Viewing FortiAnalyzer reports from a FortiGate unit
The FortiAnalyzer unit can generate a number of specific reports for a FortiGate unit, and run these reports at scheduled times, or on demand. If you are using a
FortiGate unit with FortiOS 3.0MR2 or higher, you can view any report generated from the FortiAnalyzer unit for that FortiGate unit on the Report Access page.
Note: The FortiAnalyzer report that appears on the FortiAnalyzer page may not be the report you want to view. Always select Historical Reports to find the report you want to view.
1
2
3
To view FortiAnalyzer reports
Go to Log&Report > Report Access > FortiAnalyzer.
Select Historical Reports.
Select the report name to view the report.
Viewing parts of a FortiAnalyzer report
You can view different parts of a FortiAnalyzer report in the web-based manager.
The following procedure enables you to view the Mail Activity section of a report.
3
4
1
2
To view Mail Filter Activity in a report
Go to Log&Report > Report Access > FortiAnalyzer.
Select Historical Reports.
Select the blue arrow to expand the report.
Select MailFilter Activity.html.
Use the above procedure for viewing other sections of a report. For example, select Content Activity.html, instead of selecting MailFilter Activity.html.
438
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
Index
Numerics
802.3ad aggregate interface
A
accept action
accessing log messages
accessing logs on FortiGuard Log & Analysis server
action
protection profile P2P option 281
action type
active sessions
ActiveX filter
add signature to outgoing email
address
Address Name
administrative access
administrator account
administrators, monitoring 154
adware
age limit
aggregate interface
alert email
Alert Message Console
allow inbound
firewall policy 226 ipsec policy 226
allow outbound
allow web sites when a rating error occurs
allowed
amount, comfort clients
anomaly
destination session limit 357 flooding 357
scan 357 source session limit 357 traffic 357
antispam
configure antivirus heuristic 348
hijacker grayware 347 joke grayware 347 keylog grayware 347
P2P grayware 347 plugin grayware 347
quarantine 341 quarantine files list 341
spy grayware 347 system global av_failopen 347 system global optimize 347 toolbar grayware 347
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
439
440
view virus list 345 virus list 345
antivirus options
ANY
AOL
append to
append with
archive content meta-information
archive IM summary information
AS
attack updates
authentication
Authentication Algorithm, Manual Key
Authentication Key, Manual Key
Authentication Method
Auto Key list
Autokey Keep Alive
AutoSubmit
autosubmit list
configuring 343 enabling uploading 343
av_failopen
B
back to HA monitor
backup (redundant) mode
backup mode
bandwidth
banned word
Index
adding words to the Spam filter banned word list
banned word (Spam filter)
pattern 385, 386 pattern type 386 where 386
banned word check
beacon interval
BGP
BHO
blades
block audio (IM)
block file transfers (IM)
block login (IM)
blocked
bookmark
C
catalog
email address back/white list 389
IP address black/white list 387
category
category block
Certificate Name
channel, wireless setting
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
clear session
predefined signature action 353
CLI configuration
cluster members list 124 priority 124 role 124
cluster unit
connect to a cluster 126 disconnect from a cluster 126
comfort clients
comments
concentrator, for route-based VPN 286
Concentrator, IPSec tunnel mode 299 list 299 name 299 options 299
config antivirus heuristic
config limit, CLI command for IPS 359
contact information
content archive options
content block
content exempt
content streams, replacement messages 136
contents
cookie filter
CPU usage
Create New
custom service
adding 243 adding a TCP or UDP custom service 243 list 243
custom signature
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
D
date
DC
Dead Peer Detection
delete after upload
deleting logs on FortiGuard Log & Analysis server 424
deny action
dest
destination
destination network address translation
destination port 244 destination port, custom services 244
destination session limit
device priority
DH Group
Phase 1 IPSec interface mode 291
DHCP
DHCP-IPSec
diagram
dial
dialup VPN
disk space
display content meta-information on dashboard
DNAT
DNS
documentation
download
drop
predefined signature action 352
drop sessiondrop
predefined signature action 353
duplicates
441
442
Dynamic DNS
dynamic IP pool NAT option
E
email address
action type 391 adding to the email address list 391
BWL check, protection profile 278
Enable category block (HTTP only)
Enable FortiGuard-web filtering overrides
Enable perfect forward secrecy (PFS)
Enable replay detection
enable session pickup
Encryption Algorithm
Encryption Algorithm, Manual Key
Encryption Key, Manual Key
end IP
Equal Cost Multipath (ECMP) 180
ESP
exclude range
expire
external interface
external IP address
external service port
Index
F
FDN
FortiGuard Distribution Network 161
port forwarding connection 169
proxy server 168 push update 164, 168
FDS
FortiGuard Distribution Server 161
file block
list, antivirus 339 pattern 339
file name
file pattern
quarantine autosubmit list 342
filter
FINGER
firewall 213, 235, 239, 247, 251, 271
configuring 213, 235, 239, 247, 251, 271
overview 213, 235, 239, 247, 251, 271
policy list 214 policy matching 214
firewall address
adding 237 address group 237 address name 237
firewall address group
adding 238 available addresses 238 group name 238 members 238
firewall IP pool list 270 firewall IP pool options 270
firewall policy
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
adding a protection profile 282
allow inbound 226 allow outbound 226
changing the position in the policy list 216
dynamic IP pool NAT option 221 fixed port NAT option 221
schedule 215, 220 service 215, 220
firewall protection profile
default protection profiles 272 list 272 options 272
firewall service
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
firmware
fixed port
firewall policy NAT option 221
flooding
FortiGate documentation
FortiGate unit
FortiGate-5000
FortiGate-5001FA2
FortiGate-5001SX
FortiGate-5002FB2
443
444
FortiGate-5020
FortiGate-5050
FortiGate-5140
FortiGuard Antispam
FortiGuard Distribution Network 161
FortiGuard Distribution Network (FDN) 166
FortiGuard Distribution Server 161
FortiGuard Log & Analysis server 409
fragmentation threshold
from IP
from port
FTP
FTP_GET
FTP_PUT
G
game
geography
GOPHER
Index
download 347 game 347 hijacker 347 joke 347 keylog 347 misc 347
group name
groups
guaranteed bandwidth
firewall policy 225 traffic shaping 225
H
H323
changing cluster unit host names 124 cluster member 124
enable session pickup 122 group name 122 heartbeat interface 122
subordinate unit device priority 126 subordinate unit host name 126
HA statistics
active sessions 125 back to HA monitor 125
CPU usage 125 intrusion detected 125 memory usage 125 monitor 125
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
heartbeat, HA
HELO DNS lookup
help
navigate using keyboard shortcuts 36
heuristics
hijacker
host name
hostname
HTTP
virus scanning large files 348
I
ICMP custom service 244 code 244 protocol type 244 type 244
ICMP_ANY
ID
IKE
IMAP
inbound NAT
index
INFO_ADDRESS
INFO_REQUEST
insert policy before
inspect non-standard port (IM)
interface
administrative access 73, 83, 86
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Interface/Zone
internet browsing
Internet-Locator-Service
interval, comfort clients
introduction
intrusion detected
intrusion prevention system, see IPS
IP
IP address
antispam black/white list catalog 387
Auto-Key Phase 1 interface mode 288
BWL check, protection profile 278
IP custom service 244 protocol number 244 protocol type 244
adding 270 configuring 270 create new 270
IP range/subnet 270 list 270 name 270 options 270
IP range/subnet
IPS
anomaly, protection profile 279
options, protection profile 279
predefined signature action 352
predefined signature list 351 signature 351
signature, protection profile 279
ipsec action
445
446
ipsec policy
allow inbound 226 inbound NAT 226 outbound NAT 226
IPSec VPN
authentication for user group 328
IRC
J
java applet filter
joke
K
Keepalive Frequency
key
keyboard shortcut
Keylife
keylog
L
language
LDAP
license
limit (P2P)
Local certificate
Local Gateway IP
Local ID
Local Interface
IPSec Phase 1 interface mode 288
Local SPI, Manual Key
Index
attack anomaly 418 attack signature 418
column settings 423 filter 423
log traffic
logging
content block 282 cookie filter 282
IM activity 282 intrusions 282 java applet filter 282
logging to FortiGuard Log & Analysis server 414
logs
low disk space
M
MAC address
MAC filter
manual key IPSec VPN
interface mode configuration 297
Manual Key list
Manual Key options
map to IP
map to port
matching
max filesize to quarantine
maximum bandwidth 225 firewall policy 225 traffic shaping 225
MD5
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
Members
memory usage
misc
Mode
modem
configuring settings 91 redundant (backup) mode 91
monitor
move to
Multi-Exit Discriminator (MED) 203
N
Name
IPSec Phase 1 interface mode 288
IPSec Phase 2 interface mode 293
NAT
inbound 226 ipsec policy 226 outbound 226
NAT device
port forwarding 169 virtual IP 169
Nat-traversal
netmask
administrator account 147, 148
NetMeeting
network
network utilization
next
NFS
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
NMT
NNTP
NTP
O
one-time schedule
online help
operation mode
optimize
OSPF
Dead interval 202 dead packets 202
metrics for redistributing routes 198
multiple interface parameter sets 201
outbound NAT
firewall policy 226 ipsec policy 226
oversized file/email
447
448
P
P1 Proposal
Phase 1 IPSec interface mode 291
P2 Proposal
Phase 2 IPSec interface mode 294
P2P
pass
predefined signature action 352
pass fragmented email
pass sessiondrop
predefined signature action 353
password
PAT
pattern
default list of file block patterns 340
Spam filter banned word 385, 386
pattern type
PC-Anywhere
Peer option
Perl regular expressions
Phase 1
IPSec Phase 2 interface mode 293
Phase 1 advanced options
Phase 2
Phase 2 advanced options
PIM
PING
plugin
policy
Index
changing the position in the policy list 216
dynamic IP pool NAT option 221 fixed port NAT option 221
schedule 215, 220 service 215, 220
POP3
port address translation
port monitor
PPPoE
predefined signature
reset action 352 reset client action 352
Pre-shared Key
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
previous
priority
profile
protection profile
add signature to outgoing email 274
adding to a firewall policy 282
allow web sites when a rating error occurs 276
archive content meta-information 280 archive IM summary information 280
block audio (IM) 281 block file transfers (IM) 281 block login (IM) 281
default protection profiles 272
display content meta-information on dashboard
enable category block (HTTP only) 276 enable FortiGuard-web filtering overrides 276
FortiGuard Antispam IP address check 278
FortiGuard Antispam URL check 278
FortiGuard email checksum check 278
FortiGuard spam submission 278
inspect non-standard port (IM) 281
logging, oversized files/emails 281
logging, P2P activity 282 logging, rating errors 282 logging, spam 282 logging, URL block 282
oversized file/email 274 pass fragmented email 274
provide details for blocked HTTP errors 276
rate URLs by domain and IP address 277
scan (default protection profile) 272
strict (default protection profile) 272
strict blocking (HTTP only) 276
threshold, banned word check 278
threshold, oversized file/email 274
threshold, web content block 275
unfiltered (default protection profile) 272
web (default protection profile) 272
protocol
Protocol Independent Multicast (PIM) 204
provide details for blocked HTTP errors
Proxy ID Destination
Proxy ID Source
proxy server 168 push updates 168
pTx Power
push update 164, 168 configuring 168
external IP address changes 169 interface 169
IP addresses change 169 management IP address changes 169
NAT device 169 through a NAT device 169
Q
QUAKE
quarantine
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
449
450
Index
autosubmit list 342 autosubmit list file pattern 342
configuration 343 configuring the autosubmit list 343
enabling uploading autosubmit file patterns 343
low disk space 344 max filesize to quarantine 344 options 344
quarantine files list
antivirus 341 apply 341 date 341
DC 342 download 342 duplicates 342
status 342 status description 342
Quick Mode Selector
R
RADIUS server name
range
RAT
rate images by URL
rate URLs by domain and IP address
RAUDIO
read & write access level
administrator account 50, 145, 158
read only access level
administrator account 50, 145, 147
recurring schedule
refresh every
register
Remote Gateway
Remote gateway
remote peer
Remote SPI, Manual Key
resolve host names 433 resolve service names 433
reset
predefined signature action 352
reset client
predefined signature action 352
reset server
predefined signature action 353
resolve host names
resolve service names
return email DNS check
RIP
RLOGIN
role
route
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
router monitor
routing
RTS threshold
S
SAMBA
scan
default protection profile 272
schedule
automatic antivirus and attack definition updates
scheduled antivirus and attack updates 168
scheduled updates
search
online help 35 online help icon 35
security mode
select
server
service
organizing services into groups 245
service group 245 adding 245 create new 245 list 245
service point
service port
session pickup
shelf manager
shelf monitoring
show in contents
show navigation
signature
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
451
452
Index
SIP
SIP-MSNmessenger
SMC
SMTP
SNMP
SNMP community, configuring 128
sort by
source
source session limit
spam
spam action
adding an email address or domain to the email address list 391
adding words to the Spam filter banned word list
FortiGuard Antispam Service Point 162
spam filtering options
spy
SSID
SSID broadcast
SSL
SSL VPN
checking client certificates 306
setting the cipher suite 306 specifying server certificate 306 specifying timeout values 306
Standalone mode
start
start IP
static IP
static route
default gateway 181 default route 181
selecting 178 table building 178
table priority 179 table sequence 179
statistics
status
status description
stop
Strict
default protection profile 272
strict blocking (HTTP only)
stub
subnet
Subscription
SYSLOG
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
system
system global av_failopen
system global optimize
T
TALK
TCP
destination port 244 protocol type 244 source port 244
TELNET
temperature
TFTP
threshold
banned word check, protection profile 278
oversized file/email, protection profile 274
web content block, protection profile 275
Timeout
TIMESTAMP
to IP
toolbar
total bytes
total packets
traffic priority
firewall policy 225 traffic shaping 225
traffic shaping
guaranteed bandwidth 225 maximum bandwidth 225 traffic priority 225
Transparent mode
traps
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
trusted host
TTL
Tunnel Name
Tx Power
U
destination port 244 protocol type 244 source port 244
Unfiltered
default protection profile 272
unit
up time
update
upgrade
upload status
URL block
add a URL to the web filter block list 371
URL filter
user authentication
user groups
Username
UUCP
V
VDOLIVE
VDOM
453
454
Index
VDOM partitioning
viewing log messages on hard disk 420
viewing logs on FortiGuard Log & Analysis server 422
Virtual Circuit Identification (VCI) 75
Virtual Domain Configuration 64
destination network address translation 253
external interface 255 external IP address 255
PAT 254 port address translation 254
virus detected
virus list 345 view, update 345
virus protection See also antivirus 335
virus scan
virus-infected attachments 137
VLAN
voltage
W
WAIS
Web
default protection profile 272
web category block
web content block
web content block list
web content exempt
Web Filter
add a URL to the web URL block list 371
configuring the web content block list 366
configuring the web URL block list 371
web filtering options
web resume download block
web site, content category 138
web URL block
configuring the web URL block list 371
web-based manager
where
wildcard
WINFRAME
wireless
advanced settings 108 beacon interval 108, 109 channel, FortiWiFi-60 108
RTS threshold 108 security mode 108
settings for WiFi-60A or WiFi-60AM 109
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Index
WLAN
interface, creating on WiFi-60 107
interface, creating on WiFi-60A 77
X
XAuth
X-WINDOWS
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
455
Index
456
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
www.fortinet.com
www.fortinet.com
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Key Features
- Unified Threat Management (UTM) solution
- High-performance firewall
- Intrusion prevention
- Web filtering
- Application control
- SSL inspection
- IPSec VPN
- IPv6 support
Related manuals
Frequently Answers and Questions
What is the FortiGate-1000AFA2?
What are the key features of the FortiGate-1000AFA2?
What are the benefits of using the FortiGate-1000AFA2?
advertisement
Table of contents
- 3 Contents
- 17 Introduction
- 18 Introducing the FortiGate units
- 18 FortiGate-5000 series chassis
- 18 FortiGate-5140 chassis
- 18 FortiGate-5050 chassis
- 19 FortiGate-5020 chassis
- 19 About the FortiGate-5000 series modules
- 19 FortiGate-5005FA2 module
- 19 FortiGate-5001SX module
- 19 FortiGate-5001FA2 module
- 19 FortiGate-5002FB2 module
- 19 FortiGate-3600A
- 20 FortiGate-3600
- 20 FortiGate-3000
- 20 FortiGate-1000A
- 21 FortiGate-1000AFA2
- 21 FortiGate-1000
- 21 FortiGate-800
- 21 FortiGate-800F
- 22 FortiGate-500A
- 22 FortiGate-500
- 22 FortiGate-400A
- 22 FortiGate-400
- 22 FortiGate-300A
- 23 FortiGate-300
- 23 FortiGate-200A
- 23 FortiGate-200
- 23 FortiGate-100A
- 23 FortiGate-100
- 24 FortiGate-60/60M/ADSL
- 24 FortiWiFi-60/60A/60AM
- 24 FortiGate-50B
- 24 FortiGate-50A
- 25 Fortinet family of products
- 25 FortiGuard Subscription Services
- 25 FortiAnalyzer
- 25 FortiClient
- 26 FortiManager
- 26 FortiBridge
- 26 FortiMail
- 26 FortiReporter
- 27 About this document
- 29 Document conventions
- 29 Typographic conventions
- 29 FortiGate documentation
- 31 Fortinet Tools and Documentation CD
- 31 Fortinet Knowledge Center
- 31 Comments on Fortinet technical documentation
- 31 Customer service and technical support
- 33 Web-based manager
- 34 Button bar features
- 34 Contact Customer Support
- 34 Using the Online Help
- 35 About searching the online help
- 36 Using the keyboard to navigate in the online help
- 36 Logout
- 37 Web-based manager pages
- 37 Web-based manager menu
- 38 Lists
- 38 Icons
- 41 System Status
- 41 Status page
- 41 Viewing system status
- 43 System information
- 44 License Information
- 45 CLI Console
- 46 System Resources
- 47 Interface Status
- 48 Alert Message Console
- 48 Statistics
- 49 Changing system information
- 49 Configuring system time
- 50 Changing the FortiGate unit host name
- 51 Changing the FortiGate firmware
- 51 Upgrading to a new firmware version
- 51 Reverting to a previous firmware version
- 52 Viewing operational history
- 53 Manually updating FortiGuard definitions
- 54 Viewing Statistics
- 54 Viewing the session list
- 55 Viewing the Content Archive information
- 56 Viewing the Attack Log
- 58 Topology viewer
- 58 The Topology Viewer window
- 58 Main viewport and viewport control
- 59 View and edit controls
- 60 Customizing the topology diagram
- 61 Using virtual domains
- 61 Virtual domains
- 62 VDOM configuration settings
- 63 Global configuration settings
- 64 Enabling VDOMs
- 64 Configuring VDOMs and global settings
- 65 Working with VDOMs and global settings
- 65 Adding interfaces to a VDOM
- 66 Assigning an interface to a VDOM
- 66 Assigning an administrator to a VDOM
- 67 Changing the Management VDOM
- 69 System Network
- 69 Interface
- 71 Switch Mode
- 72 Interface settings
- 74 Configuring an ADSL interface
- 75 Creating an 802.3ad aggregate interface
- 76 Creating a redundant interface
- 77 Creating a wireless interface
- 78 Configuring DHCP on an interface
- 80 Configuring an interface for PPPoE or PPPoA
- 81 Configuring Dynamic DNS service for an interface
- 82 Configuring a virtual IPSec interface
- 83 Additional configuration for interfaces
- 83 Administrative access to an interface
- 84 Interface MTU packet size
- 85 Traffic logging for an interface
- 85 Secondary IP Addresses
- 87 Zone
- 87 Zone settings
- 88 Network Options
- 89 DNS Servers
- 89 Dead gateway detection
- 90 Routing table (Transparent Mode)
- 90 Transparent mode route settings
- 91 Configuring the modem interface
- 91 Configuring modem settings
- 93 Redundant mode configuration
- 94 Standalone mode configuration
- 94 Adding firewall policies for modem connections
- 95 Connecting and disconnecting the modem
- 95 Checking modem status
- 96 VLAN overview
- 96 FortiGate units and VLANs
- 97 VLANs in NAT/Route mode
- 97 Rules for VLAN IDs
- 97 Rules for VLAN IP addresses
- 98 Adding VLAN subinterfaces
- 99 VLANs in Transparent mode
- 101 Rules for VLAN IDs
- 101 Transparent mode virtual domains and VLANs
- 104 Troubleshooting ARP Issues
- 104 Duplicate ARP packets
- 104 ARP Forwarding
- 104 FortiGate IPv6 support
- 105 System Wireless
- 105 The FortiWiFi wireless LAN interface
- 106 Channel assignments
- 107 System wireless settings (FortiWiFi-60)
- 109 System wireless settings (FortiWiFi-60A and 60AM)
- 110 Wireless MAC Filter
- 111 Wireless Monitor
- 113 System DHCP
- 113 FortiGate DHCP servers and relays
- 114 Configuring DHCP services
- 115 Configuring an interface as a DHCP relay agent
- 115 Configuring a DHCP server
- 116 Viewing address leases
- 117 Reserving IP addresses for specific clients
- 119 System Config
- 119 HA
- 119 HA options
- 122 Cluster members list
- 125 Viewing HA statistics
- 126 Changing subordinate unit host name and device priority
- 126 Disconnecting a cluster unit from a cluster
- 127 SNMP
- 127 Configuring SNMP
- 128 Configuring an SNMP community
- 130 Fortinet MIBs
- 131 FortiGate traps
- 133 Fortinet MIB fields
- 136 Replacement messages
- 137 Replacement messages list
- 138 Changing replacement messages
- 139 Changing the authentication login page
- 140 Changing the FortiGuard web filtering block override page
- 140 Changing the SSL-VPN login message
- 140 Changing the authentication disclaimer page
- 141 Operation mode and VDOM management access
- 141 Changing operation mode
- 142 Management access
- 143 System Admin
- 143 Administrators
- 144 Configuring RADIUS authentication for administrators
- 144 Viewing the administrators list
- 146 Configuring an administrator account
- 148 Using trusted hosts
- 148 Access profiles
- 151 Viewing the access profiles list
- 152 Configuring an access profile
- 153 FortiManager
- 153 Settings
- 154 Monitoring administrators
- 157 System Maintenance
- 157 Backup and restore
- 161 FortiGuard Center
- 161 FortiGuard Distribution Network
- 161 FortiGuard Services
- 162 FortiGuard-Antispam Service
- 162 FortiGuard-Web Service
- 162 Configuring the FortiGate unit for FDN and FortiGuard services
- 162 Support Contract and FortiGuard Subscription Services
- 164 AntiVirus and IPS Downloads
- 165 Web Filtering and AntiSpam Options
- 166 Log & Analysis Options
- 166 Troubleshooting FDN connectivity
- 166 Updating antivirus and attack definitions
- 168 Enabling push updates
- 169 Push updates when FortiGate IP addresses change
- 169 Enabling push updates through a NAT device
- 172 License
- 173 System Chassis (FortiGate-5000 series)
- 173 SMC (shelf manager card)
- 174 Blades (FortiGate-5000 chassis slots)
- 176 Chassis monitoring event log messages
- 177 Router Static
- 177 Routing concepts
- 178 How the routing table is built
- 178 How routing decisions are made
- 178 Multipath routing and determining the best route
- 179 How route sequence affects route priority
- 180 Equal Cost Multipath (ECMP) Routes
- 180 Static Route
- 180 Working with static routes
- 181 Default route and default gateway
- 183 Changing the gateway for the default route
- 184 Adding a static route to the routing table
- 185 Policy Route
- 186 Adding a route policy
- 187 Moving a route policy
- 189 Router Dynamic
- 189 RIP
- 190 How RIP works
- 190 Viewing and editing basic RIP settings
- 192 Selecting advanced RIP options
- 193 Overriding the RIP operating parameters on an interface
- 194 OSPF
- 194 OSPF autonomous systems
- 195 Defining an OSPF AS
- 196 Viewing and editing basic OSPF settings
- 198 Selecting advanced OSPF options
- 199 Defining OSPF areas
- 200 Specifying OSPF networks
- 201 Selecting operating parameters for an OSPF interface
- 202 BGP
- 202 How BGP works
- 203 Viewing and editing BGP settings
- 204 Multicast
- 204 Viewing and editing multicast settings
- 206 Overriding the multicast settings on an interface
- 209 Router Monitor
- 209 Displaying routing information
- 211 Searching the FortiGate routing table
- 213 Firewall Policy
- 213 About firewall policies
- 214 How policy matching works
- 214 Viewing the firewall policy list
- 215 Adding a firewall policy
- 216 Moving a policy to a different position in the policy list
- 216 Configuring firewall policies
- 219 Firewall policy options
- 222 Adding authentication to firewall policies
- 223 Adding traffic shaping to firewall policies
- 223 Guaranteed bandwidth and maximum bandwidth
- 224 Traffic Priority
- 224 Traffic shaping considerations
- 226 IPSec firewall policy options
- 226 SSL-VPN firewall policy options
- 227 Options to check FortiClient on hosts
- 228 Firewall policy examples
- 228 Scenario one: SOHO sized business
- 231 Scenario two: enterprise sized business
- 235 Firewall Address
- 235 About firewall addresses
- 236 Viewing the firewall address list
- 237 Configuring addresses
- 237 Viewing the address group list
- 238 Configuring address groups
- 239 Firewall Service
- 239 Viewing the predefined service list
- 243 Viewing the custom service list
- 243 Configuring custom services
- 245 Viewing the service group list
- 245 Configuring service groups
- 247 Firewall Schedule
- 247 Viewing the one-time schedule list
- 248 Configuring one-time schedules
- 248 Viewing the recurring schedule list
- 249 Configuring recurring schedules
- 251 Firewall Virtual IP
- 251 Virtual IPs
- 251 How virtual IPs map connections through the FortiGate unit
- 255 Viewing the virtual IP list
- 255 Configuring virtual IPs
- 256 Adding a static NAT virtual IP for a single IP address
- 258 Adding a static NAT virtual IP for an IP address range
- 260 Adding static NAT port forwarding for a single IP address and a single port
- 261 Adding static NAT port forwarding for an IP address range and a port range
- 263 Adding a load balance virtual IP for an IP address range or real servers
- 265 Adding a load balance port forwarding virtual IP
- 266 Adding dynamic virtual IPs
- 267 Virtual IP Groups
- 267 Viewing the VIP group list
- 268 Configuring VIP groups
- 269 IP pools
- 269 IP pools and dynamic NAT
- 269 IP Pools for firewall policies that use fixed ports
- 270 Viewing the IP pool list
- 270 Configuring IP Pools
- 271 Firewall Protection Profile
- 271 What is a protection profile
- 272 Default protection profiles
- 272 Viewing the protection profile list
- 272 Configuring a protection profile
- 273 Antivirus options
- 275 Web filtering options
- 276 FortiGuard-Web filtering options
- 277 Spam filtering options
- 279 IPS options
- 279 Content archive options
- 280 IM and P2P options
- 281 Logging options
- 282 VoIP options
- 282 Adding a protection profile to a policy
- 283 Protection profile CLI configuration
- 285 VPN IPSEC
- 285 Overview of IPSec interface mode
- 287 Auto Key
- 287 Creating a new phase 1 configuration
- 290 Defining phase 1 advanced settings
- 292 Creating a new phase 2 configuration
- 293 Defining phase 2 advanced settings
- 295 Internet browsing configuration
- 295 Policy-based VPN Internet browsing configuration
- 296 Route-based VPN Internet browsing configuration
- 296 Manual Key
- 297 Creating a new manual key configuration
- 299 Concentrator
- 299 Defining concentrator options
- 300 Monitor
- 303 VPN PPTP
- 303 PPTP Range
- 305 VPN SSL
- 305 Config
- 307 Monitor
- 309 VPN Certificates
- 309 Local Certificates
- 310 Generating a certificate request
- 312 Downloading and submitting a certificate request
- 313 Importing a signed server certificate
- 313 Importing an exported server certificate and private key
- 314 Importing separate server certificate and private key files
- 314 Remote Certificates
- 315 Importing Remote (OCSP) certificates
- 315 CA Certificates
- 316 Importing CA certificates
- 317 CRL
- 317 Importing a certificate revocation list
- 319 User
- 319 Configuring user authentication
- 320 Setting authentication timeout
- 320 Setting user authentication protocol support
- 321 Local user accounts
- 321 Configuring a user account
- 322 RADIUS servers
- 322 Configuring a RADIUS server
- 323 LDAP servers
- 324 Configuring an LDAP server
- 325 PKI authentication
- 326 Configuring PKI users
- 326 Windows AD servers
- 327 Configuring a Windows AD server
- 327 User group
- 328 User group types
- 328 Firewall
- 329 Active Directory
- 329 SSL VPN
- 329 User group list
- 330 Configuring a user group
- 331 Configuring FortiGuard override options for a user group
- 332 Configuring SSL VPN user group options
- 334 Configuring peers and peer groups
- 335 AntiVirus
- 335 Order of operations
- 335 Antivirus elements
- 336 File pattern
- 336 Virus scan
- 336 Grayware
- 336 Heuristics
- 336 FortiGuard antivirus
- 337 Antivirus settings and controls
- 338 File pattern
- 338 Viewing the file pattern list catalog
- 339 Creating a new file pattern list
- 339 Viewing the file pattern list
- 340 Configuring the file pattern list
- 341 Quarantine
- 341 Viewing the Quarantined Files list
- 342 Viewing the AutoSubmit list
- 343 Configuring the AutoSubmit list
- 343 Configuring quarantine options
- 345 Config
- 345 Viewing the virus list
- 346 Viewing the grayware list
- 347 Antivirus CLI configuration
- 347 system global optimize
- 348 config antivirus heuristic
- 348 config antivirus quarantine
- 348 config antivirus service <service_name>
- 349 Intrusion Protection
- 349 About intrusion protection
- 350 IPS settings and controls
- 350 When to use IPS
- 351 Predefined signatures
- 351 Viewing the predefined signature list
- 353 Configuring predefined signatures
- 353 Fine tuning IPS predefined signatures for enhanced system performance
- 354 Custom signatures
- 354 Viewing the custom signature list
- 355 Creating custom signatures
- 356 Protocol Decoders
- 356 Viewing the protocol decoder list
- 357 Upgrading IPS protocol decoder list
- 357 Anomalies
- 358 Viewing the traffic anomaly list
- 358 Configuring IPS traffic anomalies
- 359 IPS CLI configuration
- 359 system autoupdate ips
- 359 ips global fail-open
- 359 ips global ip_protocol
- 359 ips global socket-size
- 359 (config ips anomaly) config limit
- 361 Web Filter
- 361 Order of web filtering
- 361 How web filtering works
- 362 Web filter controls
- 364 Content block
- 364 Viewing the web content block list catalog
- 365 Creating a new web content block list
- 365 Viewing the web content block list
- 366 Configuring the web content block list
- 367 Viewing the web content exempt list catalog
- 367 Creating a new web content exempt list
- 368 Viewing the web content exempt list
- 369 Configuring the web content exempt list
- 369 URL filter
- 369 Viewing the URL filter list catalog
- 370 Creating a new URL filter list
- 370 Viewing the URL filter list
- 371 Configuring the URL filter list
- 373 Moving URLs in the URL filter list
- 373 FortiGuard - Web Filter
- 374 Configuring FortiGuard-Web filtering
- 374 Viewing the override list
- 375 Configuring override rules
- 377 Creating local categories
- 377 Viewing the local ratings list
- 378 Configuring local ratings
- 379 Category block CLI configuration
- 379 FortiGuard-Web Filter reports
- 381 Antispam
- 381 Antispam
- 381 Order of Spam Filtering
- 381 For SMTP
- 381 For POP3 and IMAP
- 382 For SMTP, POP3, and IMAP
- 382 Anti-spam filter controls
- 384 Banned word
- 384 Viewing the antispam banned word list catalog
- 385 Creating a new antispam banned word list
- 385 Viewing the antispam banned word list
- 386 Configuring the antispam banned word list
- 387 Black/White List
- 387 Viewing the antispam IP address list catalogue
- 388 Creating a new antispam IP address list
- 388 Viewing the antispam IP address list
- 389 Configuring the antispam IP address list
- 389 Viewing the antispam email address list catalog
- 390 Creating a new antispam email address list
- 390 Viewing the antispam email address list
- 391 Configuring the antispam email address list
- 392 Advanced antispam configuration
- 392 config spamfilter mheader
- 393 config spamfilter rbl
- 393 Using Perl regular expressions
- 393 Regular expression vs. wildcard match pattern
- 394 Word boundary
- 394 Case sensitivity
- 394 Perl regular expression formats
- 395 Example regular expressions
- 395 To block any word in a phrase
- 395 To block purposely misspelled words
- 395 To block common spam phrases
- 397 IM, P2P & VoIP
- 397 Overview
- 399 Configuring IM/P2P protocols
- 399 How to enable and disable IM/P2P options
- 399 How to configure IM/P2P options within a protection profile
- 400 How to configure IM/P2P decoder log settings
- 400 How to configure older versions of IM/P2P applications
- 400 How to configure protocols that are not supported
- 401 Statistics
- 401 Viewing overview statistics
- 402 Viewing statistics by protocol
- 403 User
- 403 Viewing the Current Users list
- 404 Viewing the User List
- 404 Adding a new user to the User List
- 405 Configuring a policy for unknown IM users
- 407 Log&Report
- 407 FortiGate Logging
- 408 Log severity levels
- 409 Storing Logs
- 409 Logging to a FortiAnalyzer unit
- 410 Connecting to FortiAnalyzer using Automatic Discovery
- 411 Testing the FortiAnalyzer configuration
- 412 Logging to memory
- 413 Logging to a Syslog server
- 413 Logging to WebTrends
- 414 Example
- 414 Logging to FortiGuard Log and Analysis server
- 415 High Availability cluster logging
- 415 Log types
- 415 Traffic log
- 415 Enabling traffic logging
- 416 Enabling firewall policy traffic logging
- 416 Event log
- 417 Antivirus log
- 417 Web filter log
- 418 Attack log
- 418 Spam filter log
- 418 IM and P2P log
- 419 VoIP log
- 419 Log Access
- 420 Accessing log messages stored in memory
- 420 Accessing log message stored in the hard disk
- 421 Accessing logs stored on the FortiAnalyzer unit
- 422 Accessing logs on the FortiGuard Log & Analysis server
- 422 Viewing log information
- 423 Column settings
- 423 Filtering log messages
- 424 Deleting logs stored on the FortiGuard Log & Analysis server
- 425 Content Archive
- 426 Alert Email
- 426 Configuring Alert Email
- 428 Reports
- 428 Basic traffic reports
- 429 Configuring the graphical view
- 429 FortiAnalyzer reports
- 430 Configuring a FortiAnalyzer report
- 431 Configuring the report properties
- 431 Configuring the report scope
- 433 Configuring the report types
- 433 Configuring the report format
- 434 Configuring the report output
- 435 Configuring the report schedule
- 435 Configuring the summary layout
- 437 Editing FortiAnalyzer reports
- 437 Printing your FortiAnalyzer report
- 438 Viewing FortiAnalyzer reports from a FortiGate unit
- 438 Viewing parts of a FortiAnalyzer report
- 439 Index