Fortinet FortiGate-800 Bedienungsanleitung

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336

Zur Seite of

Richtige Gebrauchsanleitung

Die Vorschriften verpflichten den Verkäufer zur Übertragung der Gebrauchsanleitung Fortinet FortiGate-800 an den Erwerber, zusammen mit der Ware. Eine fehlende Anleitung oder falsche Informationen, die dem Verbraucher übertragen werden, bilden eine Grundlage für eine Reklamation aufgrund Unstimmigkeit des Geräts mit dem Vertrag. Rechtsmäßig lässt man das Anfügen einer Gebrauchsanleitung in anderer Form als Papierform zu, was letztens sehr oft genutzt wird, indem man eine grafische oder elektronische Anleitung von Fortinet FortiGate-800, sowie Anleitungsvideos für Nutzer beifügt. Die Bedingung ist, dass ihre Form leserlich und verständlich ist.

Was ist eine Gebrauchsanleitung?

Das Wort kommt vom lateinischen „instructio”, d.h. ordnen. Demnach kann man in der Anleitung Fortinet FortiGate-800 die Beschreibung der Etappen der Vorgehensweisen finden. Das Ziel der Anleitung ist die Belehrung, Vereinfachung des Starts, der Nutzung des Geräts oder auch der Ausführung bestimmter Tätigkeiten. Die Anleitung ist eine Sammlung von Informationen über ein Gegenstand/eine Dienstleistung, ein Hinweis.

Leider widmen nicht viele Nutzer ihre Zeit der Gebrauchsanleitung Fortinet FortiGate-800. Eine gute Gebrauchsanleitung erlaubt nicht nur eine Reihe zusätzlicher Funktionen des gekauften Geräts kennenzulernen, sondern hilft dabei viele Fehler zu vermeiden.

Was sollte also eine ideale Gebrauchsanleitung beinhalten?

Die Gebrauchsanleitung Fortinet FortiGate-800 sollte vor allem folgendes enthalten:
- Informationen über technische Daten des Geräts Fortinet FortiGate-800
- Den Namen des Produzenten und das Produktionsjahr des Geräts Fortinet FortiGate-800
- Grundsätze der Bedienung, Regulierung und Wartung des Geräts Fortinet FortiGate-800
- Sicherheitszeichen und Zertifikate, die die Übereinstimmung mit entsprechenden Normen bestätigen

Warum lesen wir keine Gebrauchsanleitungen?

Der Grund dafür ist die fehlende Zeit und die Sicherheit, was die bestimmten Funktionen der gekauften Geräte angeht. Leider ist das Anschließen und Starten von Fortinet FortiGate-800 zu wenig. Eine Anleitung beinhaltet eine Reihe von Hinweisen bezüglich bestimmter Funktionen, Sicherheitsgrundsätze, Wartungsarten (sogar das, welche Mittel man benutzen sollte), eventueller Fehler von Fortinet FortiGate-800 und Lösungsarten für Probleme, die während der Nutzung auftreten könnten. Immerhin kann man in der Gebrauchsanleitung die Kontaktnummer zum Service Fortinet finden, wenn die vorgeschlagenen Lösungen nicht wirksam sind. Aktuell erfreuen sich Anleitungen in Form von interessanten Animationen oder Videoanleitungen an Popularität, die den Nutzer besser ansprechen als eine Broschüre. Diese Art von Anleitung gibt garantiert, dass der Nutzer sich das ganze Video anschaut, ohne die spezifizierten und komplizierten technischen Beschreibungen von Fortinet FortiGate-800 zu überspringen, wie es bei der Papierform passiert.

Warum sollte man Gebrauchsanleitungen lesen?

In der Gebrauchsanleitung finden wir vor allem die Antwort über den Bau sowie die Möglichkeiten des Geräts Fortinet FortiGate-800, über die Nutzung bestimmter Accessoires und eine Reihe von Informationen, die erlauben, jegliche Funktionen und Bequemlichkeiten zu nutzen.

Nach dem gelungenen Kauf des Geräts, sollte man einige Zeit für das Kennenlernen jedes Teils der Anleitung von Fortinet FortiGate-800 widmen. Aktuell sind sie genau vorbereitet oder übersetzt, damit sie nicht nur verständlich für die Nutzer sind, aber auch ihre grundliegende Hilfs-Informations-Funktion erfüllen.

Inhaltsverzeichnis der Gebrauchsanleitungen

  • Seite 1

    FortiGate 800 Installation and Configuration Guide Esc Enter CONSOLE INTERNAL EXTERNAL DMZ HA 123 4 USB 8 PWR FortiGate User Manual V olume 1 Ve r s i o n 2 . 5 0 January 15 2004[...]

  • Seite 2

    © Copyright 2004 Fortine t Inc. All rights reserved . No part of this publication incl uding text, examples , diagrams or illustrations may be reproduced, transmitted, or translated in any form or by an y means, electro nic, mechanical, manual, optical or otherwise, for any purpose, without prio r written permiss ion of Fort inet Inc. FortiGate-80[...]

  • Seite 3

    Contents FortiGate-800 Installation and Configuration Guide 3 Table of Contents Introduction ............. ................................ .................................................. ........... 15 Antivirus protection ......................... ................ ................ ............. ................ ............. ........ 16 Web co[...]

  • Seite 4

    Contents 4 Fortinet Inc. NAT/Route mode installation ...... ................................ ............................... ......... 41 Preparing to configure NAT/Route mode .............. ................ ................ ................. ........... 41 Advanced NAT/Route mode settings ............................. ................ ............[...]

  • Seite 5

    Contents FortiGate-800 Installation and Configuration Guide 5 Transparent mode configuration examples..... ................ ................ ................ ................ .. 64 Default routes and static routes ........ ................ ............. ................ ................ ............. .. 65 Example default route to an external net w[...]

  • Seite 6

    Contents 6 Fortinet Inc. Displaying the FortiGate up time .............. ................ ................. ................ ............. ......... 108 Displaying log hard disk status .......................... ................ ................ ............. ................ 108 Backing up system settings ........ ............. ................ ..[...]

  • Seite 7

    Contents FortiGate-800 Installation and Configuration Guide 7 Network configuration .............. ................................................. ............... ......... 137 Configuring zones ................. ................ ............. ................ ............. ................ ............. ... 13 7 Adding zones ................. ..[...]

  • Seite 8

    Contents 8 Fortinet Inc. Adding RIP filters ............... ............. ................ ............. ................ ............. ................ ...... 165 Adding a RIP filter list ........ ................ ............. ............. ................ ............. ................ ... 165 Assigning a RIP filter list to the neighbors filter[...]

  • Seite 9

    Contents FortiGate-800 Installation and Configuration Guide 9 Services ............ ............. ............. ................ ............. ................. ............ ............. .......... ... 200 Predefined services .................... ............ ............. ................. ............ ................. ......... 200 Adding custo[...]

  • Seite 10

    Contents 10 Fortinet Inc. IPSec VPN .................... ............................................................... ............... ......... 231 Key management ........... ............. ................ ............. ................. ............ ................. ......... 232 Manual Keys .............. ............. ................ ......[...]

  • Seite 11

    Contents FortiGate-800 Installation and Configuration Guide 11 Network Intrusion Detection System (NIDS) .... ............................ ............ ....... 269 Detecting attacks ............... ............. ................ ............. ............. ................ ............. ......... 2 69 Selecting the interfaces to monitor .... ......[...]

  • Seite 12

    Contents 12 Fortinet Inc. URL blocking............... ............. ................ ............. ................ ............. ................ ............. 293 Configuring FortiGate Web U RL blocking ...................... ............. ................ ............. ... 293 Configuring FortiGate Web pattern bloc king ..... ............. .....[...]

  • Seite 13

    Contents FortiGate-800 Installation and Configuration Guide 13 Viewing logs saved to memory ................ .......... ...... ............. ............. ................ ............. 317 Viewing logs ......... ............. ................ ............. ................ ................ ............. ................ 31 7 Searching logs .......[...]

  • Seite 14

    Contents 14 Fortinet Inc.[...]

  • Seite 15

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 15 Introduction FortiGate A ntivirus Firew alls support netw ork-based deployment of application-level services, including antivirus protection and full-scan con tent filtering. FortiGate Antivirus Firewalls improve network secu rit[...]

  • Seite 16

    16 Fortinet Inc. Antivirus protection Introduction Antivirus protection FortiGate I CSA-certified a ntivirus prot ection scans web (HTTP) , file transfe r (FTP), and email (SMTP , POP3, and IMAP) content as it p asses through the FortiGate unit. If a virus is found, a ntivirus protection remove s the file containin g the virus from the content stre[...]

  • Seite 17

    Introduction Email filtering FortiGate-800 Installation and Configuration Guide 17 Email filtering FortiGate email filtering can scan all IM AP and POP3 email content for un wanted senders or unwanted content. If there is a match between a sender add ress pattern on the email block list, or an email cont ains a word or phra se in the banned word li[...]

  • Seite 18

    18 Fortinet Inc. VLANs and virtual domains Introduction NAT/Route mode In NA T/Route mode, yo u can create NA T mode policie s and Route mode policies. • NA T mode policies use networ k address translation to hide the addresses in a more secure network from u s ers in a less secure network. • Route mode p olicies accept or deny connections betw[...]

  • Seite 19

    Introduction VPN FortiGate-800 Installation and Configuration Guide 19 VPN Using FortiGate virtual private network ing (VPN), you can provide a secure connection between wid ely separated office netw orks or secu rely link telec ommuters or travellers to an of fice network. Service providers can also use the FortiGate unit to provide VPN services f[...]

  • Seite 20

    20 Fortinet Inc. Secure installation, configurat ion, and management Introduction Secure inst allation, configuration, and management The first tim e you powe r on the F ortiGate uni t, it is already configured with default IP addresses and security po licies. Connect to the we b-based manager, set the operating mode, and use the Setup wizard to cu[...]

  • Seite 21

    Introduction Secure installation, configura tion, and management FortiGate-800 Installation and Configuration Guide 21 Command line interface Y ou can access the FortiGate command line interface (CLI) by connecting a management compute r serial port to the Fo rtiGate RS-232 serial console connector . Y ou can also use T elnet or a secure SSH co nne[...]

  • Seite 22

    22 Fortinet Inc. Document co nventions Introduction Document conventions This guide uses the fo llowing conven tions to de scribe CLI co mmand syntax. • angle brac kets < > to indicate variable keywords For example: execute restore config <filename_str> Y ou enter restore config myfile.bak <xxx_str> indicates an ASCII string var[...]

  • Seite 23

    Introduction Customer service and technical su pport FortiGate-800 Installation and Configuration Guide 23 • V olume 4: FortiGat e NIDS Guide Describes how to configure the FortiGate NI DS to dete ct and pr otect the Fo rtiGate unit from network-based att acks. • V olume 5: FortiGat e Logging an d Message Refe rence Guide Describes how to confi[...]

  • Seite 24

    24 Fortinet Inc. Customer service and technical support Introduction[...]

  • Seite 25

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 25 Getting st arted This chapter describes unp acking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapte r , you can proceed to one of the following: • If you ar[...]

  • Seite 26

    26 Fortinet Inc. Package contents Getting started Package content s The FortiGate-800 p ackage contains the following items: • FortiGate -800 Antivirus Fir ewall • one orange crossover ethern et cable • one grey regular ethernet cable • one RJ-45 serial cable • one RJ-45 to DB-9 conve rtor • one power cable • two 19-inch rack mount br[...]

  • Seite 27

    Getting started Powering on FortiGate-800 Installation and Configuration Guide 27 Power requirements • Power dissipatio n: 300 W (max) • AC input volt age: 100 to 2 40 V AC • AC input current: 6 A • Frequency: 50 to 60 Hz Environmental specifications • Operating temperature: 41 to 95 °F (5 to 35°C) • S torage temperature: -4 to 176°F[...]

  • Seite 28

    28 Fortinet Inc. Connecting to the web-based manager Getting started Connecting to the web-based manager Use the followin g proced ure to con nect to the web-based manager for the first time. Configuration changes ma de with the web- based manager ar e effective imm ediately without resetting the firewall or in terrupting service. T o connect to th[...]

  • Seite 29

    Getting started Connecting to the command line in terface (CLI) FortiGate-800 Installation and Configuration Guide 29 Connecting to the command line interface (CLI) As an alternative to the web-based ma nager , you can install and configure the FortiGate unit using the CLI. Configuration changes mad e with the CLI are effective immediately without [...]

  • Seite 30

    30 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Factory default FortiGate configuration settings The FortiGate unit is shipped with a fa ct ory default conf iguration. Th e default configuration allows you to connect to and use the FortiGa te web-based manager to configure th e FortiGate un it onto the ne twork. [...]

  • Seite 31

    Getting started Factory default FortiGate configurati on settings FortiGate-800 Installation and Configuration Guide 31 Factory default Transparent mode network configuration If you switch the FortiGate unit to T ranspar ent mode, it has the default network configuration listed in Ta b l e 3 . External interface IP: 192.168.100.99 Netmask: 255.255.[...]

  • Seite 32

    32 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Factory default firewall configuration The factory default firewall configu ration is the same in NA T/Route and Tr ansparent mode. Management access Internal HTTPS, Ping External Ping DMZ HTTPS, Ping Interface 1 Ping Interface 2 Ping Interface 3 Ping Interface 4 Pi[...]

  • Seite 33

    Getting started Factory default FortiGate configurati on settings FortiGate-800 Installation and Configuration Guide 33 Factory default content profiles Y ou ca n use cont ent profiles to apply d ifferent protection settings for conten t traffic that is controlled by fi rewall policies. Y ou can use cont ent profiles fo r: • Antivirus protection [...]

  • Seite 34

    34 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Scan content profile Use the scan content profile to apply antivirus scannin g to HTTP , FTP , IMAP , POP3, and SMTP content traf fic. Quarantine is al so selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus i[...]

  • Seite 35

    Getting started Factory default FortiGate configurati on settings FortiGate-800 Installation and Configuration Guide 35 Web content profile Use the web content profile to apply antiv irus scanning and web content blocking to HTTP content traffic. Y ou can add this cont ent profile to firewall policies that control HTTP traffic. Unfiltered content p[...]

  • Seite 36

    36 Fortinet Inc. Planning the FortiGa te configuration Getting started Planning the FortiGate configuration Before you configure t he FortiGate unit, you need to plan how to integrate the unit into the network. Amo ng other thing s, you must decide wh ether you wan t the unit to be visible to the network, which firewall functi ons yo u want it to p[...]

  • Seite 37

    Getting started Planning the FortiGate configura tion FortiGate-800 Installation and Configuration Guide 37 NAT/Route mode with multiple external network connections In NA T/Route mode, yo u can configure th e Fort iGate unit with multiple redundant connections to the external net work (usually the Int ernet). For ex ample, you co uld create the fo[...]

  • Seite 38

    38 Fortinet Inc. Planning the FortiGa te configuration Getting started Figure 6: Example T ransparent mode network configuration Y ou can connect up to 8 network segments to the FortiGate unit to control traf fic between these network segment s. • External can connect to the external firewall or router . • Internal can conne ct to the internal [...]

  • Seite 39

    Getting started Fo rtiGate model maximum values matrix FortiGate-800 Installation and Configuration Guide 39 Front keypad and LCD If you are configuring the FortiGate unit to operate in NA T/Route mode, you can use the control but tons and LCD to add th e IP add ress of the FortiGate interfaces as well as the external default gatewa y . If you are [...]

  • Seite 40

    40 Fortinet Inc. Next steps Getting started Next step s Now that your FortiGate unit is operating , y ou can proceed to configure it to connect to networks: • If you are goin g to operate the F ort iGate unit in NA T/Route mode, go to “NA T/Route mo de installation” on page 41 . • If you are going to op erate the For tiG ate unit in T ransp[...]

  • Seite 41

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 41 NA T/Route mode inst allation This chapter describes how to install the FortiGate un it in NA T/Route mode. For information about installing a FortiGate unit in T r ansparent mode, see “T ransparent mode inst allation” on pag[...]

  • Seite 42

    42 Fortinet Inc. Preparing to configure NAT/Route mode NAT/Route mode installa tion Advanced NAT/Route mode settings Use Ta b l e 11 to gather the information that you need to customize advanced FortiGate N A T/Route mode settings. T able 10: NA T/Route mode settings Administrator Password: Internal interface IP: _____._____._____._____ Netmask: __[...]

  • Seite 43

    NAT/Route mode installati on Using the setup wizard FortiGate-800 Installation and Configuration Guide 43 DMZ and user-def ined interfaces Use Ta b l e 1 2 to record the IP addresses and netmasks of the FortiGate DMZ and user-defined interfaces if you are con fig uring them during inst allation. The HA interface is configur ed during HA in stallati[...]

  • Seite 44

    44 Fortinet Inc. Using the front control buttons and LCD NAT/Route mode i nstallation Using the front control buttons and LCD As an alternative to the setup wizard, use the information that you recorded in T able 10 on page 42 and T able 12 on page 43 to complete the following pr ocedure. S tarting with Main Menu displayed on the LCD, use the fron [...]

  • Seite 45

    NAT/Route mode installation Using the command line interface FortiGate-800 Installation and Configuration Guide 45 3 Set the IP address and netma sk of the external interfa ce to the external IP address and netmask that you recor ded in T able 10 on page 42 . set system interface external mode static ip <IP_address> <netmask> Example se[...]

  • Seite 46

    46 Fortinet Inc. Connecting the FortiGate unit to your networks NAT/Route mode installati on 9 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip> Example set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2 Connecting [...]

  • Seite 47

    NAT/Route mode installati on Connecting the FortiGa te unit to your networks FortiGate-800 Installation and Configuration Guide 47 Figure 7: FortiGate-800 NA T/Route mode connection s T o connect to FortiGate-800 us er-defined interface s 1 Connect the user-defined interface to the h ub or switch connected to the intended network. 2 Repeat for all [...]

  • Seite 48

    48 Fortinet Inc. Configuring your networks NAT/Route mode installati on Figure 8: Example FortiGate-800 user-d efined interface c onnections Configuring your networks If you are running the FortiGate unit in NA T/Route mode , your networks must be configured to route all Internet traf fic to t he IP address of the FortiGate interface to which they [...]

  • Seite 49

    NAT/Route mode installation Completing the configura tion FortiGate-800 Installation and Configuration Guide 49 Completing the configuration Use the information in this se ction to complete the configur ation of the FortiGate unit. Configuring the DMZ interface Use the follo wing proced ure to con figure the D MZ interfac e: 1 Log into the web-base[...]

  • Seite 50

    50 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Registering your FortiGate unit After pur chasing and inst alling a new For tiGat e unit, you can register the u nit by goin g to the System Update Support page, or usin g a web browser to connect to http://support.fortinet .com and selecting P[...]

  • Seite 51

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-800 Installation and Configuration Guide 51 Figure 9: Example multiple Internet connection configuration Configuring ping servers Use the follo wing proced ure to mak e gateway 1 the ping s erver for the extern al interface and gate way 2 the ping se[...]

  • Seite 52

    52 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Using the CLI 1 Add a ping server to the ex ternal inter face. set system interface external config detectserver 1.1.1.1 gwdetect enable 2 Add a ping serv er to the DMZ interface. set system interface dmz config detectserver 2.2.2.1 gwdetect en[...]

  • Seite 53

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-800 Installation and Configuration Guide 53 Load sharing Y ou can also configure destination routing to direct traf fic through both gateways at the same time. If users on the internal network connect to the networks of ISP1 and ISP2, you can add rou[...]

  • Seite 54

    54 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation 3 Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.1.1.1 • Gateway #2: 2.2.2.1 • Device #1: external • Device #2: dmz 4 Select New to add a route[...]

  • Seite 55

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-800 Installation and Configuration Guide 55 Policy routing examples Adding policy routing increases your control over how p ackets are routed. Policy routing works on top of destination- based ro uting. T o increase the control provided by destinatio[...]

  • Seite 56

    56 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Firewall policy example Firewall policies control how traf fic flow s through t he FortiGat e unit. After you configure routing for multiple Internet co nnections, you must create firewall policie s. Firewall policies control which traf fic is [...]

  • Seite 57

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-800 Installation and Configuration Guide 57 Restricting access to a singl e Internet connection In some case s you might want to lim it some traffic to be ing able to use only on e Internet connection. For exampl e, in the topolo gy shown in Figure 9[...]

  • Seite 58

    58 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation[...]

  • Seite 59

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 59 T ransp arent mode inst allation This chapter describes how to install your FortiGate unit in Transp arent mo de. If you want to install the FortiGa te unit in NA T/Route mod e, see “NA T/Route m ode insta llation” on page 41[...]

  • Seite 60

    60 Fortinet Inc. Using the setu p wizard Transparen t mode instal lation Using the setup wizard From the web-based manager, you can use th e setup wizard to begin the initial configuration of the FortiGate unit. For in formation about connecting to the web-based manager, see “C onnecting to the web-base d manager” on p age 28 . Changing to Tran[...]

  • Seite 61

    Transparent mode installatio n Usin g the front control buttons an d LCD FortiGate-800 Installation and Configuration Guide 61 Using the front control buttons and LCD This procedure descr ibes how to use t he control buttons and LCD to configur e T ransparent mode IP addresses. Use the informa tion that you recorded in T a ble 1 6 on pag e 59 to co[...]

  • Seite 62

    62 Fortinet Inc. Completing the configuration T ransparent mod e installation Configuring the Transparent mode management IP address 1 Make sure that you are logge d into the CLI. 2 Set the management IP addr ess and netmask to the IP addr ess and netmask that you recorde d in T able 16 on p age 59 . Enter: set system management ip <IP address&g[...]

  • Seite 63

    Transparent mode installatio n Connecting the FortiGate un it to your networks FortiGate-800 Installation and Configuration Guide 63 Registering your FortiGate unit After pur chasing and inst alling a new For tiGat e unit, you can register the u nit by goin g to the System Update Support page, or usin g a web browser to connect to http://support.fo[...]

  • Seite 64

    64 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 10: FortiGate -800 T ransparent mode connections T ransparent mode configuration examples A FortiGate unit operating in T ransparent mode still requir es a basic configuration to operate as a node on the IP networ k. As a minimum, the F ortiGate unit m[...]

  • Seite 65

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-800 Installation and Configuration Guide 65 This section describes: • Default routes and st atic routes • Example default r oute to an extern al network • Example static route to an external destination • Example static r oute to an internal destination Defau[...]

  • Seite 66

    66 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 1 1: Default route to an external network General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the default route to the external ne[...]

  • Seite 67

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-800 Installation and Configuration Guide 67 Web-based manager exampl e configuration steps T o configure basic T ransparent mode settings and a default route using the web-based manager 1 Go to System > St atus . • Select Change to T ransparen t Mode. • Select[...]

  • Seite 68

    68 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 12: St atic route to an external destination General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the st atic route to the FortiRes[...]

  • Seite 69

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-800 Installation and Configuration Guide 69 2 Go to System > Network > Management . • Change the Man agement IP and Netma sk: IP: 192.168.1.1 Mask: 255.255.2 55.0 • Select Apply . 3 Go to System > Network > Routing . • Select New to add the static r[...]

  • Seite 70

    70 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 13: St atic route to an internal destination General configuration steps 1 Set the unit to operate in T ransparent mode. 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the st atic route to the management co mpute[...]

  • Seite 71

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-800 Installation and Configuration Guide 71 Web-based manager exampl e configuration steps T o configure the FortiGate basic settings, a static route, and a d efault route using the web-based manager : 1 Go to System > St atus . • Select Change to T ransparen t [...]

  • Seite 72

    72 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation[...]

  • Seite 73

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 73 High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same overall security policy and shar es the same con[...]

  • Seite 74

    74 Fortinet Inc. Configuring an HA clu ster High availabili ty An active-passive (A -P) HA cluster , also referr ed to as ho t standby HA, cons ists of a primary FortiGate unit that processes traf fic, and one or more subordinate FortiGate units. The su bordinate FortiGate unit s are connected to the network and to the primary FortiGate unit but do[...]

  • Seite 75

    High availability Configuring an HA cluster FortiGate-800 Installation and Configuration Guide 75 6 Select the HA mode. Select Active-Active mode to crea te an Active-Active HA clust er . Select Active-Passive mode to crea te an Active-Passive H A cluster . The HA mode must be the same for all FortiGate unit s in the HA cluster . 7 Enter and confir[...]

  • Seite 76

    76 Fortinet Inc. Configuring an HA clu ster High availabili ty Figure 14: Example Active-Active HA con figuration 11 If you are configuring a NA T/Route mode cluste r , power off the FortiGate un it and then repeat this procedur e for all the FortiGate uni t s in the cluster . Once all the units ar e configured, proceed to “Connecting the cluster[...]

  • Seite 77

    High availability Configuring an HA cluster FortiGate-800 Installation and Configuration Guide 77 Inserting an HA cluster into your networ k temporarily interrupt s communications on the network because ne w physical con nections are being made to route traf fic through the cluster . Also, starting th e cluster inte rrupts network traffic until the[...]

  • Seite 78

    78 Fortinet Inc. Managing an HA clu ster High availabili ty 2 Power on all the FortiGat e units in the cluster . As the units powe r on they negotiate to choose the prima ry cluster unit and the subordinate unit s. This negotiation occurs with no user intervention . When negotiation is complete the you can co nfigure th e cluster as if it was a sin[...]

  • Seite 79

    High availability Managing an HA cluster FortiGate-800 Installation and Configuration Guide 79 Y ou can also use SNMP to m anage the cluster by con figuring a cluster interfa ce for SNMP administrative access. Using an SNMP manager you can get cluster configuration informa tion and receive tr aps. Y ou can change the cluster configuration by connec[...]

  • Seite 80

    80 Fortinet Inc. Managing an HA clu ster High availabili ty T o monitor cluster inte rfaces 1 Connect to the cluster and lo g into the web-based manager. 2 Go to System > Config > HA . 3 In the Monitor on Interface sect ion, select the names of the interfaces that you want to monitor . 4 Select Apply . The cluster synchronizes this configur a[...]

  • Seite 81

    High availability Managing an HA cluster FortiGate-800 Installation and Configuration Guide 81 3 Select Sessions & Network. The cluster displays sessions and networ k status for each cluster member . The primary unit is identified as Local and the other unit s in the cluster are listed by serial number . The display includes bar graph s of the [...]

  • Seite 82

    82 Fortinet Inc. Managing an HA clu ster High availabili ty Viewing cluster sessions T o view the clus ter communication sessions 1 Connect to the cluster and lo g into the web-based manager. 2 Go to System > St atus > Session . The session t able displays the sessions pro cessed by the primary un it in the cluster , including HA communicatio[...]

  • Seite 83

    High availability Managing an HA cluster FortiGate-800 Installation and Configuration Guide 83 Monitoring cluster units for failover If the primary unit in the cluster fails, the unit s in the cluster renego tiate to select a new primary unit. Failure of the primar y unit results in the following: • If SNMP is enabled, the new pr imary FortiGate [...]

  • Seite 84

    84 Fortinet Inc. Managing an HA clu ster High availabili ty T o manag e a cluster unit 1 Use SSH to connect to the cluster an d log into the CLI. Connect to any clu ster interfac e configur e d for SSH m anagemen t to log into the cluster . Y ou can also use a direct cable conn ection to log into the primary unit CLI. (T o do this you must know whi[...]

  • Seite 85

    High availability Managing an HA cluster FortiGate-800 Installation and Configuration Guide 85 Synchronizing the cl uster configuration Cluster synchronization keeps all unit s in the cluster synchro nized with the master unit. This includes: • System configuration • Virus d efinition updates • Attack definition u pdates • Web filter list s[...]

  • Seite 86

    86 Fortinet Inc. Managing an HA clu ster High availabili ty 4 Repeat steps 2 and 3 for all the subordin ate units in the HA cluster . Upgrading firmware T o upgrade the firmware of the For tiGate units in a cluster , you must upgrade the firmware of each unit sep a rately . In most cases, if you ar e upgrading to a new firmware build within the sam[...]

  • Seite 87

    High availability Advanced HA opti ons FortiGate-800 Installation and Configuration Guide 87 Replacing a FortiGate unit after failover A failover can occur be cause of a hardware or sof tware problem . When a failover occurs, you can atte mpt to restart the failed FortiGate u n it by cycling its power . If the FortiGate un it starts up correctly , [...]

  • Seite 88

    88 Fortinet Inc. Advanced HA options High availabili ty set system ha override enable Enable override so that the permanent prim ary unit overrides any othe r primary unit. For example, if the p ermanent primary unit sh uts down, one o f the other unit s in the cluster replaces it as the primary unit. When the permanent primary unit is rest arted, [...]

  • Seite 89

    High availability Active-Active cl uster packet flow FortiGate-800 Installation and Configuration Guide 89 Weight values are enter ed in order according to the pr iority of the unit s in the cluster . For example, if you have a cluster of thre e FortiGate units, you can enter the following command to configure the weigh t values for each unit: set [...]

  • Seite 90

    90 Fortinet Inc. Active-Active cluster packet flow High availabili ty NAT/Route mode packet flow In NA T/Route mode , five MAC ad dresses are involved in active-active communication between a client and a server if the cluster rout es the packet s to the subordinate un it in the cluster: • Virtu al cluster MAC address (MAC_V) • Client MAC addre[...]

  • Seite 91

    High availability Active-Active cl uster packet flow FortiGate-800 Installation and Configuration Guide 91 The following are exa mples of switches that are compatible with the FGCP because they use a Global MAC address t able: • HP 4100 GL series, • HP2628, • HP5300, • Cisco Catalyst, • Cisco 2850, • Cisco 3550, • Nortel PP8600 , • [...]

  • Seite 92

    92 Fortinet Inc. Active-Active cluster packet flow High availabili ty[...]

  • Seite 93

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 93 System st atus Y ou can connect to the web-based manager and view the current system st atus of the FortiGate unit. The status infor mation that is displayed includes the current firmware version, the current viru s and attack de[...]

  • Seite 94

    94 Fortinet Inc. Changing the FortiGat e host name System status Changing the FortiGate host name The FortiGate host name ap pears on the S tatus p age and in the FortiGate CLI prompt. The host name is al so used as the SNMP system name. Fo r information about the SNMP system name, see “Config uring SNMP” on pa ge 173 . The default h ost name i[...]

  • Seite 95

    System status Changing the Forti Gate firmware FortiGate-800 Installation and Configuration Guide 95 Upgrading to a new firmware version Use the following procedures to upgra de the FortiGate unit to a newer firmware version. Upgrading the firmware usi ng the web-based manager T o upgrade t he firmware using the web-based manage r 1 Copy the firmwa[...]

  • Seite 96

    96 Fortinet Inc. Changing the FortiGate fi rmware System status 4 Make sure the FortiGate uni t c an connect to the TFTP server . Y ou can use the following command to ping the computer running the TFTP ser ver . For example, if the IP address of the TFTP server is 192.16 8.1.168: execute ping 192.168.1.168 5 Enter the following command to copy the[...]

  • Seite 97

    System status Changing the Forti Gate firmware FortiGate-800 Installation and Configuration Guide 97 If you are reverting to a previous FortiOS ve rsion (for example, reverting from F ortiOS v2.50 to FortiOS v2.36) you might not be able to restore the pr evious configuration from the backup configuration file. T o revert to a previous firmware vers[...]

  • Seite 98

    98 Fortinet Inc. Changing the FortiGate fi rmware System status If you are reverting to a previous FortiOS ve rsion (for example, reverting from F ortiOS v2.50 to FortiOS v2.36) you might not be ab le to restore your previous configu ration from the backup configuration file. T o use the following procedur e you must have a TFTP server that the For[...]

  • Seite 99

    System status Changing the Forti Gate firmware FortiGate-800 Installation and Configuration Guide 99 11 Update antivirus and atta ck definitions. For information, see “Manually initiating antivirus and att ack definitions updates” on pa ge 1 19 , or fr om the CLI, enter : execute updatecenter updatenow 12 T o confirm that the antivirus and att [...]

  • Seite 100

    100 Fortinet Inc. Changing the FortiGate fi rmware System status 5 T o confirm that the FortiGate unit can co nnect to the TFTP se rver , use the following command to ping the computer running the TFTP server . For example, if the IP address of the TFTP server is 192.168.1.168 , enter: execute ping 192.168.1.168 6 Enter the following co mmand to re[...]

  • Seite 101

    System status Changing the Forti Gate firmware FortiGate-800 Installation and Configuration Guide 101 11 Enter the firmware image filen ame and press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following are displayed: • FortiGate unit running v2.x BIOS Do You Want To Save The Image?[...]

  • Seite 102

    102 Fortinet Inc. Changing the FortiGate fi rmware System status T o run this pr ocedure you: • access the CLI by connecting to the Fo rtiGate console port using a null-modem cable, • install a TFTP server that you can conn ect to from the F ortiGate int ernal interfac e. The TFTP server should be on the same subnet as the internal interface. T[...]

  • Seite 103

    System status Changing the Forti Gate firmware FortiGate-800 Installation and Configuration Guide 103 9 T ype the address of th e TFTP server and press Ente r . The following m essage appears: Enter Local Address [192.168.1.188]: 10 T ype the address of th e internal interfac e of the FortiGate unit and pr ess Enter . The following m essage appears[...]

  • Seite 104

    104 Fortinet Inc. Changing the FortiGate fi rmware System status T o inst all a backup firmware image 1 Connect to the CLI using the null-modem cable and FortiGate console por t. 2 Make sure that the TFTP server is running. 3 Copy the new firmware image file to the root directory of your TFTP server . 4 T o confirm that the FortiGate unit can co nn[...]

  • Seite 105

    System status Changing the Forti Gate firmware FortiGate-800 Installation and Configuration Guide 105 Switching to the ba ckup firmware image Use this procedure to switch th e FortiGate unit to operating with a backup firmwar e image that you previously in stalled. When yo u switch the FortiGat e unit to the backup firmware image, the FortiGa te un[...]

  • Seite 106

    106 Fortinet Inc. Manual virus definition updates System status Switching back to the default firmware image Use this procedure to switch th e FortiGate unit to operating with the backup firmware image that had been running as the default fi rmware image. When you switch to this backup firmware image, the configuration sa ved with this firm ware im[...]

  • Seite 107

    System status Manual attack definition updates FortiGate-800 Installation and Configuration Guide 107 4 T ype the path and filenam e for the antivirus definitions update file , or select Browse and locate the antivirus definitions update file. 5 Select OK to copy the antivirus defini tions update file to the FortiGate unit. The FortiGate u nit upda[...]

  • Seite 108

    108 Fortinet Inc. Displayi ng the FortiG ate up time System status Displaying the FortiGate up time 1 Go to System > St atus . The FortiGate up time displays the tim e in days, hours, and minutes since the FortiGate u nit was las t started. Displaying log hard disk st atus 1 Go to System > St atus . Log Hard Disk displays Avai lable if the Fo[...]

  • Seite 109

    System status Restoring system settings to factory defaults FortiGate-800 Installation and Configuration Guide 109 Restoring system settings to factory default s Use the following procedur e to restore system se ttings to the values set at the factory . This procedure does not ch ange the firmw are version or th e antivirus or attack definitions. T[...]

  • Seite 110

    11 0 Fortinet Inc. Changing to NAT/Route mode System status Changing to NA T/Route mode Use the follo wing proced ure to cha nge the Fo rtiGate u nit from Transparent mode to NA T/Route mode. After you change the Fort iGate unit to NA T/R oute mode, most of the configura tion resets to NA T/Route mode fac tory defaults. The following items are not [...]

  • Seite 111

    System status System status FortiGate-800 Installation and Configuration Guide 111 System st atus Y ou can use the system status moni tor to di splay FortiGate system health inform ation. The system health information includes memory usage, the numbe r of active communication sessions, and the am ount of network bandwidth currently in use. The web-[...]

  • Seite 112

    11 2 Fortinet Inc. System status System status Figure 19: CPU and memory status monitor Viewing sessions and network status Use the session and network st atus display to track how many network sessions the FortiGate u nit is process ing and to s ee what effect the num ber of sess ions has on th e available network bandwid th. Also, by compar ing C[...]

  • Seite 113

    System status System status FortiGate-800 Installation and Configuration Guide 11 3 4 Select Refresh to ma nually update the information displayed. Figure 20: Sessions an d network st atus monitor Viewing virus and intrusions status Use the virus and intrusions st atus display to track when viruses are found by the FortiGate antivirus system and to[...]

  • Seite 114

    11 4 Fortinet Inc. Session list System status Figure 21: Sessions an d network st atus monitor Session list The session list displays information abo ut the communications sessions cu rrently being processed by the FortiGate unit. Y ou can use the session list to view current sessions. FortiGate administrators with read and write permission and the[...]

  • Seite 115

    System status Session list FortiGate-800 Installation and Configuration Guide 11 5 Each line of the session list di splays the following information. Figure 22: Example session list Protocol The service protocol of the connection, for example, udp, tcp, or icmp. From IP T he source IP address of the conne ction. From Port The source port of th e co[...]

  • Seite 116

    11 6 Fortinet Inc. Session list System status[...]

  • Seite 117

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 11 7 V irus and att ack definitions up dates and registration Y ou can configure the FortiGate unit to c onnect to the FortiResponse Distribution Network (FDN ) to update the antiv irus and attack defi nitions and the an tivirus eng[...]

  • Seite 118

    11 8 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration The Update p age on the web-based manage r displays the following antiviru s and attack defin ition update information. This section describes: • Connecting to the FortiResponse Distribution Network • Manually initiating an tivir[...]

  • Seite 119

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-800 Installation and Configuration Guide 11 9 Manually initiating antivirus and attack definitions updates Y ou can use the following procedure to update the antivirus and at tack definition s at any time. The FortiGate unit must be able to c[...]

  • Seite 120

    120 Fortinet Inc. Scheduling updates Virus and attack defi nitions updates and registra tion Configuring update logging Use the follo wing proced ure to con figure Fort iGate loggin g to record log mess ages when the Fo rtiGate un it updates antivirus and a ttack definitions. T he update log messages are reco rded on the FortiGate Event log. T o co[...]

  • Seite 121

    Virus and attack definitions upda tes and registration Scheduling updates FortiGate-800 Installation and Configuration Guide 121 4 Select Apply . The FortiGate unit star ts the next sche dule d update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recor ded in the FortiGate e vent log. Figure[...]

  • Seite 122

    122 Fortinet Inc. Enabling push updates Virus and attack defi nitions updates and registrati on Enabling scheduled updat es through a proxy server If your FortiGate unit must connect to the Internet throu gh a proxy se rver , yo u can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using[...]

  • Seite 123

    Virus and attack definitions updates and registration Enabling push updates FortiGate-800 Installation and Configuration Guide 123 When the network configuratio n permits, c onfig uring push update s is recommended in addition to configuring scheduled updates. On aver age the FortiGate unit receives new updates sooner through push up dates than if [...]

  • Seite 124

    124 Fortinet Inc. Enabling push updates Virus and attack defi nitions updates and registrati on Enabling push updates th rough a NAT device If the FDN can connect to the FortiGate un it only throug h a NA T device, you must configure port forwarding on the NA T device and add th e port forwarding information to the push update configuration. Using [...]

  • Seite 125

    Virus and attack definitions updates and registration Enabling push updates FortiGate-800 Installation and Configuration Guide 125 Figure 24: Example network topolog y: Push updates through a NA T device General procedure Use the following steps to config ure the Fo rtiGate NA T device and the FortiGate unit on the internal network so that the Fort[...]

  • Seite 126

    126 Fortinet Inc. Enabling push updates Virus and attack defi nitions updates and registrati on Adding a port forwarding virtual IP to the FortiGate NAT device Use the follo wing proced ure to con figure a FortiGate NA T device to use port forwarding to forward push update connection s from the FDN to a FortiGate unit on the internal networ k. T o [...]

  • Seite 127

    Virus and attack definitions updates and registration Enabling push updates FortiGate-800 Installation and Configuration Guide 127 Figure 25: Pus h update port forwarding virtual I P Adding a firewall policy for the port forwarding virtual IP T o configure the FortiGate NA T device 1 Add a new external to internal firewall policy . 2 Configure the [...]

  • Seite 128

    128 Fortinet Inc. Registering Forti Gate units Virus and attack defi nitions updates and registra tion 4 Set IP to the external IP address added to the virtual IP . For the examp le topology , enter 64.2 30.123. 149. 5 Set Port to the external servic e port added to the virtual IP . For the example top ology , enter 45001. 6 Select Apply . The Fort[...]

  • Seite 129

    Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-800 Installation and Configuration Guide 129 All registration information is stored in the Fortinet Customer Support dat abase. This information is used to make sure tha t your registered FortiGate units can be kept up to date. All information is strict ly[...]

  • Seite 130

    130 Fortinet Inc. Registering Forti Gate units Virus and attack defi nitions updates and registra tion Registering the FortiGate unit Before registering a FortiGate unit, you require the follo wing information: • Y our co ntact information includin g: • First and last name • Compa ny name • Email address (Y our Fortin et support login user [...]

  • Seite 131

    Virus and attack definitions updates and registration Updating registration informati on FortiGate-800 Installation and Configuration Guide 131 4 Select the model number of the Product Model to register . 5 Enter the Serial Number of the Fo rtiGate unit. 6 If you have purchased a FortiCare Support Co ntract for this FortiGate unit, en ter the suppo[...]

  • Seite 132

    132 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on Recovering a lost Fortinet support password If you provided a security question and answer wh en you registered on the Fortinet support web site, you can use the following proced ure to receive a replacement password. If you did not pr ovide [...]

  • Seite 133

    Virus and attack definitions updates and registration Updating registration informati on FortiGate-800 Installation and Configuration Guide 133 Figure 29: Sample list of registered Fo rtiGate unit s Registering a new FortiGate unit T o register a n ew FortiGa te unit 1 Go to System > Up date > Support . 2 Select Support Login. 3 Enter your Fo[...]

  • Seite 134

    134 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on 6 Select the Serial Nu mber of the F ortiGate unit for which to add or change a FortiCare Support Contract number . 7 Add the new Support Contract number . 8 Select Finish. The list of FortiGate product s that you have registered is displayed[...]

  • Seite 135

    Virus and attack definitions updates and registration Updating registration informati on FortiGate-800 Installation and Configuration Guide 135 Downloading virus and attack definitions updates Use the followin g procedur e to manu ally download virus and attack de finitions updates. This proce dure also describes how to inst all the attack definiti[...]

  • Seite 136

    136 Fortinet Inc. Registering a FortiGate unit after an RMA Vi rus and attack defi nitions updates and registra tion Registering a FortiGate unit af ter an RMA The Return Material Authoriz ation (RMA) process sta rts when a registered FortiGate unit does not work properly be cause of a hardware failure . If this happens while the FortiGate unit is [...]

  • Seite 137

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 137 Network configuration Y ou can use the System Network page to change an y of the following FortiGate network set tings: • Configuring zones • Configuring interfaces • VLAN overview • VLANs in NA T/Route mode • Vir tual[...]

  • Seite 138

    138 Fortinet Inc. Configuring interfac es Network configuration Adding zones The new zone does not appe ar in the policy grid until you add an interface to it, see “T o add an interfac e to a zone” below , and add a firewall address for it (see “Adding addresses” on p age 197 ). T o add a zone 1 Go to System > Network > Zone . 2 Selec[...]

  • Seite 139

    Network configuration Configuring interfaces FortiGate-800 Installation and Configuration Guide 139 Viewing the interface list T o view the interface list 1 Go to System > Network > Interface . The interface list is display ed. The interface list shows the following status inform ation for all the FortiGate interfaces and VLAN subi nterfaces:[...]

  • Seite 140

    140 Fortinet Inc. Configuring interfac es Network configuration T o add an interf ace to a zone 1 Go to System > Network > Interface . 2 Choose the interface or VLAN subint erface to add to a zone and select Modify . 3 From the Belong to Zone list, select the zone that you want to add the interface to. The belong to zone list only appears if [...]

  • Seite 141

    Network configuration Configuring interfaces FortiGate-800 Installation and Configuration Guide 141 4 Clear the Retr ieve default gateway and DNS from server check box if you do not wan t the FortiGate unit to obta in a default gat eway IP addr ess and DNS server IP addresses from the DHCP server . By default, this option is enabled. 5 Clear the Co[...]

  • Seite 142

    142 Fortinet Inc. Configuring interfac es Network configuration 7 Select Apply . The FortiGate unit attempts to cont act the PPPoE server from the in terface to set the IP address, netmask, defaul t gate way IP address, and DNS server IP addresses. 8 Select S tatus: to refresh th e addressin g mode status m essage. Poss ible message s: 9 Select OK.[...]

  • Seite 143

    Network configuration Configuring interfaces FortiGate-800 Installation and Configuration Guide 143 Controlling administrati ve access to an interface For a FortiGate unit running in NA T/Rout e mode, you can cont rol administrative access to an interface to contro l how adminis trators acce ss the Fo rtiGate unit a nd the FortiGate inte rfaces to [...]

  • Seite 144

    144 Fortinet Inc. Configuring interfac es Network configuration Changing the MTU size to improve network performance T o improve ne twork perfo rmance, yo u can chan ge the ma ximum trans mission unit (MTU) of the packet s that the FortiGate unit transmits from any interface. Ideally , this MTU should be the same as the smalle st MTU of all the net[...]

  • Seite 145

    Network configuration VLAN overview FortiGate-800 Installation and Configuration Guide 145 • Enable secure administrative access to this interface using only HTTPS or SSH, • Do not change the system idle timeo ut from the default value of 5 minutes ( see “T o set the system idle timeout” on page 1 70 ). T o configure the management interfac[...]

  • Seite 146

    146 Fortinet Inc. VLANs in NAT/Route mode Network configuration In a typical VLAN configur ation, 802.1Q-com pliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN t ags to pa cket s. Packet s passing be tween device s in the same VLAN can be handled by layer 2 switches. Packets p assing between devices in different VLANs must be han[...]

  • Seite 147

    Network configuration Virtual domains in Transparent mode FortiGate-800 Installation and Configuration Guide 147 Adding VLAN subinterfaces The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router . The VLAN ID can be any number between 1 and 409 6. Each VLAN subinterface must also be configured with it [...]

  • Seite 148

    148 Fortinet Inc. Virtual domains in Transparen t mode Network configuration T o support VLANs in Transparent mode, you add virtu al domains to the F ortiGate unit. A virtual domain contains at lea st 2 VLAN subi nterfaces. Fo r VLAN traffic to b e able to pass between the FortiGate Internal and ex ternal interface you woul d add a VLAN subinterfac[...]

  • Seite 149

    Network configuration Virtual domains in Transparent mode FortiGate-800 Installation and Configuration Guide 149 Virtual domain properties A virtual domain has the following exclu sive properties: • VLAN name, •V L A N I D , • VLAN interf ace assign ment, • VLAN zone assign ment (optional), • Firewall policy . Vir tual domains share the f[...]

  • Seite 150

    150 Fortinet Inc. Virtual domains in Transparen t mode Network configuration Adding VLAN subinterf aces to a virtual domain Use the following procedure to add VLAN su binterfaces to a virtual domain. Y ou must add at least two VLAN subinterfaces to each virtual domain. In most configurat ions a virtual domain is used to send VLAN- tagg ed packet s [...]

  • Seite 151

    Network configuration Virtual domains in Transparent mode FortiGate-800 Installation and Configuration Guide 151 Figure 32: FortiGate unit cont aining a virtual domain with zone s Multiple zones in a single virtual domain can not be connected to a single VLAN tr unk. This configuration is correct b ecause each zone is connected to a dif ferent VLAN[...]

  • Seite 152

    152 Fortinet Inc. Virtual domains in Transparen t mode Network configuration Adding firewall policies for virtual domains Once the network configuration for th e virtual domain is complete, you must create firewall policies for the virtua l domain to allow packets to flow throug h the firewall between VL AN subinterfa ces. • Adding addresses fo r[...]

  • Seite 153

    Network configuration Adding DNS server IP addresses FortiGate-800 Installation and Configuration Guide 153 Deleting virtual domains Y ou must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you ca n delete the virtual domain. T o remove VLAN subinterfaces a nd zones you must remove all firewall policies an[...]

  • Seite 154

    154 Fortinet Inc. Configuring routing Network configuration Adding a default route Y ou can add a default route for ne twork traffic leavin g the external interface. T o add a defa ult route 1 Go to System > Network > Routing T able . 2 Select New to add a new route. 3 Set the Source IP and Netm ask to 0. 0.0.0. 4 Set the Destination IP and N[...]

  • Seite 155

    Network configuration Configuring routing FortiGate-800 Installation and Configuration Guide 155 6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. Y ou can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN s[...]

  • Seite 156

    156 Fortinet Inc. Configuring routing Network configuration 5 Select OK to save the new route. 6 Repeat steps 1 t o 5 to add more rout es as req uired. Configuring the routing table The routing ta ble shows the destination IP address and mask of each route that you add, as well as the gateways and devices ad ded to the route. Th e routing t able al[...]

  • Seite 157

    Network configuration Configuring DHCP services FortiGate-800 Installation and Configuration Guide 157 Using policy routing you can bui ld a routing policy dat abase (RPDB) that selects the appropriate route for tr affic by applying a se t of routing rules. T o select a route for traffic, the FortiGate unit matches the traf fic with the po licy rou[...]

  • Seite 158

    158 Fortinet Inc. Configuring DHCP servi ces Network configurati on Configuring a DHCP relay agent In a DHCP relay configuration, the Fort iGate unit forwards DHCP request s from DHCP clients through th e FortiGate unit to a DHCP server . The FortiGate unit also returns response s from the DH CP server to the DHCP clients. The DHCP server must have[...]

  • Seite 159

    Network configuration Configuring DHCP services FortiGate-800 Installation and Configuration Guide 159 Y ou can add multiple scopes to an interface so that th e DHCP server added to that interface can supply IP addresses to compute rs on multiple subnets. Add multiple scopes if the DHCP server re ceives DHCP requests from subnets that are not conne[...]

  • Seite 160

    160 Fortinet Inc. Configuring DHCP servi ces Network configurati on Adding a reserve IP to a DHCP server If you have configured an inte rfac e as a DHCP server , you can reserve an IP address for a pa rticular device on the n etwork acco rding to the MAC address of the device. When you add the MAC address of a device and an IP address to the reserv[...]

  • Seite 161

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 161 RIP configuration The FortiGate implement ation of the Routing Information Protocol (RIP) support s both RIP version 1 as defined by RFC 1058, a nd RIP ver sion 2 as defined by RFC 2453. RIP version 2 enables RIP messages to car[...]

  • Seite 162

    162 Fortinet Inc. RIP settings RIP configuration 5 Change the following RIP time r settings, as re quired. RIP timer de faults are effective in most configurations. Y ou should only have to change these timers to tr oubleshoot netw ork routing problems. All routers and access servers in the network should ha ve the same RIP timer settings. 6 Select[...]

  • Seite 163

    RIP configuration Configuring RIP for FortiGate interfaces FortiGate-800 Installation and Configuration Guide 163 Figure 34: Configuring RIP settings Configuring RIP for FortiGate interfaces Y ou can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. T o[...]

  • Seite 164

    164 Fortinet Inc. Configuring RIP for Forti Gate interfaces RIP configuration 4 Select OK to save the R IP config uration for the selected interface. Figure 35: Example RIP configuration for an internal interface Password Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long. Mode Defines the a[...]

  • Seite 165

    RIP configuration Adding RIP filters FortiGate-800 Installation and Configuration Guide 165 Adding RIP filters Use the Filter pag e to create RIP filter list s and assign RIP filter list s to the neighbor s filter , inco ming rout e filter , or outgo ing route filter . The neighbors filter allows or denie s updates from other ro uters. The incoming[...]

  • Seite 166

    166 Fortinet Inc. Adding RIP filters RIP configuration 3 For Filter Name, type a nam e for the RIP filter list. The name can be 15 characters long an d can contai n upper and lower case letters, numbers, and special char acters. The name cannot cont ain sp aces. 4 Select the Blank Filter check box to create a RIP filter lis t with no entries, or en[...]

  • Seite 167

    RIP configuration Adding RIP filters FortiGate-800 Installation and Configuration Guide 167 Assigning a RIP fi lter list to the outgoing filter The outgoing filter allows or denie s addi ng rout es to outgoing RIP update packet s. Y ou can assign a single RIP filter list to the outgoing filter . T o assig n a RIP filter list to the outgoing filter [...]

  • Seite 168

    168 Fortinet Inc. Adding RIP filters RIP configuration[...]

  • Seite 169

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 169 System configuration Use the System Config page to make any of the following chan ges to the FortiGate system configuration: • Setting system date and time • Changing system options • Adding and editing administra tor acco[...]

  • Seite 170

    170 Fortinet Inc. Changing system options System co nfiguration 9 Select Apply . Figure 36: Example date and time setti ng Changing system options On the System Config Options page, you can: • Set the system idle timeout. • Set the authentication timeout. • Select the language for th e web-base manage r . • Modify the dead gate way detec ti[...]

  • Seite 171

    System configuration Changing system opti ons FortiGate-800 Installation and Configuration Guide 171 3 Select Apply . Auth T imeout controls the amount of inacti ve time that the fi rewall waits before requiring users to authen ticate again. For more informatio n, see “Users and authenti cation” on page 223 . The default Auth T imeout is 15 min[...]

  • Seite 172

    172 Fortinet Inc. Adding and editing administrato r accounts System configuration Adding and editing administrator account s When the FortiGate unit is initia lly installed, it is configur ed with a single administr ator account with the user name admin. From this administrator accou nt, you can add and edit administra tor accoun ts. Y ou can also [...]

  • Seite 173

    System configuration Configuring SNMP FortiGate-800 Installation and Configuration Guide 173 Editing administrator accounts The admin account user can change indi vidual administrator account p asswords, configure the IP addresses from which administrato rs can access the web-based manager, and change the admin istrator permission levels. Administr[...]

  • Seite 174

    174 Fortinet Inc. Configuring SNMP System configuration RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more info rmation, see FortiGate MIBs ). This section describes: • Configuring the FortiGate unit fo r SNMP monitoring • Configuring FortiGate SNMP suppor t • FortiGate MI Bs • Fort[...]

  • Seite 175

    System configuration Configuring SNMP FortiGate-800 Installation and Configuration Guide 175 T o configure SNMP community settings 1 Go to System > Config > SNMP v1/v2c . 2 Select the Enable SNMP check box. 3 Configure the following SNMP settings: 4 Select Apply . System Name Automatically set to the FortiGate host name. T o change the System[...]

  • Seite 176

    176 Fortinet Inc. Configuring SNMP System configuration Figure 37: Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent suppo rts FortiGat e propriet ary MIBs as well as standa rd RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Ta b l e 2 0 . Y ou can obtain th ese MIB files from Fortinet technical support. T o be able to [...]

  • Seite 177

    System configuration Configuring SNMP FortiGate-800 Installation and Configuration Guide 177 FortiGate traps The FortiGa te agent ca n send t raps to up to thre e SNMP tr ap receiver s on your network that are configur ed to receive tr ap s from the FortiGate unit. For these SNMP managers to receive trap s, you must load and compile th e Fortinet t[...]

  • Seite 178

    178 Fortinet Inc. Configuring SNMP System configuration VPN traps NIDS traps Antivirus traps Logging traps T able 23: FortiGate VPN traps T rap message Description VPN tunnel is up An IPSec VPN tunnel starts up and begins processing network traf- fic. VPN tunnel down An IPSe c VPN tunnel shuts down. T able 24: FortiGate NIDS traps T rap message Des[...]

  • Seite 179

    System configuration Configuring SNMP FortiGate-800 Installation and Configuration Guide 179 Fortinet MIB fields The Fortinet MIB contain s fields for co nfiguration settings and current st atus information for all parts of the FortiGate pr oduct. This section list s the names of the high-level MIB f ields and de scribes the configuratio n and stat[...]

  • Seite 180

    180 Fortinet Inc. Configuring SNMP System configuration Users and authentication configuration VPN configuration and status NIDS configuration Antivirus configur ation Web filter configuration T able 29: User and authentication MIB fields FnUserLoca lT able Local user list. FnUserRadiusSrvT able RADIUS server list. FnUserGrpT ab le User group list.[...]

  • Seite 181

    System configuration Replacement messa ges FortiGate-800 Installation and Configuration Guide 181 Logging and reporting configuration Replacement messages Replacement messages are adde d to content passin g through the firewall to repla ce: • Files or other content r emoved from POP3 and IMAP email messages by the antivirus system, • Files or o[...]

  • Seite 182

    182 Fortinet Inc. Replacement messages System configuration Customizing replacement messages Each of the replacement messages in the replace ment message list is created by combining replacement message se ctions. Y ou can use these sections as building blocks to create your own replacement messages. Y ou can edit any of the replacement messages in[...]

  • Seite 183

    System configuration Replacement messa ges FortiGate-800 Installation and Configuration Guide 183 Customizing alert emails Customize alert emails to control the content disp layed in alert email messages sent to system administrators. T o customize alert emails 1 Go to System > Config > Replacement Mes sages . 2 For the alert email message th[...]

  • Seite 184

    184 Fortinet Inc. Replacement messages System configuration %%SOURCE_IP%% The IP add ress from which the block file was received. For email this is the IP address of the email server that sent the email containing the blocked file. For HTTP this is the IP address of web page that sent the blocked file. %%DEST_IP%% The IP address of the computer tha[...]

  • Seite 185

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 185 Firewall configuration Firewall policies control all traf fic passing th rough the FortiGate unit. Firewall policies are instructions tha t the FortiGate unit uses to decide what to do with a connection request. When the firewal[...]

  • Seite 186

    186 Fortinet Inc. Default firewall configuration Firewall configuration This chapter describes : • Default firewall configuration • Adding firewall policies • Configuring policy lists • Addresses • Services • Schedules • Vir t ua l IP s • IP pools • IP/MAC binding • Content prof iles Default firewall configuration By default, th[...]

  • Seite 187

    Firewall confi guration Default firewall configurati on FortiGate-800 Installation and Configuration Guide 187 Interfaces Add policies to control connections b etween FortiGate interfaces and be tween the networks conn ected to these int erfaces. By def ault, you can add policie s for connections that include the interna l, external, and DMZ interf[...]

  • Seite 188

    188 Fortinet Inc. Default firewall configuration Firewall configuration Addresses T o add policies be tween interfaces, VLAN subinterfaces, and zones, the firewall configuration must cont ain addresses for each interfa ce, VLAN subinterface, or zone. By default the firewall configuration includes the addresses listed in Ta b l e 3 7 . The firewall [...]

  • Seite 189

    Firewall confi guration Adding firewall policies FortiGate-800 Installation and Configuration Guide 189 Content profiles Add content p rofiles to po licies to apply antivirus pr otection, we b filtering, a nd email filtering to web, file transfer , and ema il services. The FortiGate unit includes the following default content profiles: • S trict?[...]

  • Seite 190

    190 Fortinet Inc. Adding firewall policies Firewall configuration Figure 40: Adding a NA T/Ro ute policy Firewall policy options This section describes the o ptions th at you can add to fir ewall policies. Source Select an address o r address group that matches the source address of the p acket. Before you can add th is address to a policy , you mu[...]

  • Seite 191

    Firewall confi guration Adding firewall policies FortiGate-800 Installation and Configuration Guide 191 Destination Select an address or address group that matches the destin ation address of the packet. Before you can add this address to a p olicy , you must add it to the destina tion interface, VLAN subinterface, or zone . Fo r information about [...]

  • Seite 192

    192 Fortinet Inc. Adding firewall policies Firewall configuration NAT Configure the policy fo r NA T . NA T translates the source address and the sour ce port of packets accepted by the policy . If you select NA T , y ou can also select Dynamic IP Pool and Fixed Port . NA T is not available in Transp arent mode . VPN Tunnel Select a VPN tunnel for [...]

  • Seite 193

    Firewall confi guration Adding firewall policies FortiGate-800 Installation and Configuration Guide 193 Authentication Select Authentication and select a user gr oup to require users to enter a user name and password b efore the firewall accept s the connection. Select the user gr oup to control the user s that can auth enticate with this policy . [...]

  • Seite 194

    194 Fortinet Inc. Adding firewall policies Firewall configuration Figure 41: Adding a T ransp arent mode policy Log Traffic Select Log Traf fic to write me ssages to the t raffic log whenever th e policy proces ses a connection. For information abo ut logging, see “Logging and reporting” on page 309 . Comments Y ou can add a description or othe[...]

  • Seite 195

    Firewall confi guration Configuring policy lists FortiGate-800 Installation and Configuration Guide 195 Configuring policy list s The firewall matches policies by searching for a match starting at the top of the po licy list and moving down until it finds the firs t match. Y ou must arrange policies in the policy list from more spec ific to more ge[...]

  • Seite 196

    196 Fortinet Inc. Configuring policy lists Firewall co nfiguration Changing the order of po licies in a policy list T o change t he order of a policy in a policy list 1 Go to Firewa ll > Policy . 2 Select the policy list that you want to change the o rder of. 3 Choose the policy that you want to move an d select Move T o to change it s order in [...]

  • Seite 197

    Firewall confi guration Addresses FortiGate-800 Installation and Configuration Guide 197 Addresses All policies require source and de stination addresses. T o add addresses to a policy , you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces o f the policy . Y ou can add, edit, and delete all firewall a dd[...]

  • Seite 198

    198 Fortinet Inc. Addresses Firewall configurati on 6 Enter the Netmask. The netmask corre sponds to the type of address th at you are adding. For exam ple: • The netmask for the IP address of a si ngle computer should be 255.255.255.255 . • The netmask for a class A subnet shou ld be 255.0.0.0. • The netmask for a class B subnet sh ould be 2[...]

  • Seite 199

    Firewall confi guration Addresses FortiGate-800 Installation and Configuration Guide 199 Deleting addresses Deleting an address removes it from an address list. T o delete an address that has been added to a policy , you must first remove the address from the policy . T o delete an address 1 Go to Firewall > Address . 2 Select the interface list[...]

  • Seite 200

    200 Fortinet Inc. Services Firewall configuration Figure 43: Adding an in ternal ad dress group Services Use services to determine the types of communication accepted or denied by the firewall. Y ou can add any of t he predefine d services to a policy . Y ou can also create custom services and add services to service group s. This section describes[...]

  • Seite 201

    Firewall confi guration Services FortiGate-800 Installation and Configuration Guide 201 GRE Generic Routing Encapsulation. A protocol that allows an arbitrary network p rotocol to be transmitte d over any other arbi trary network protocol, by encapsulating the packet s of the protocol within GRE packets. 47 AH Authentication Header. AH provides sou[...]

  • Seite 202

    202 Fortinet Inc. Services Firewall configuration LDAP Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389 NetMeeting NetMeeting allows users to teleconference using the Internet as th e transmission medium. tcp 1720 NFS Network File System allows network use rs to access shared files stored o[...]

  • Seite 203

    Firewall confi guration Services FortiGate-800 Installation and Configuration Guide 203 Adding custom TC P and UDP services Add a custom TCP or UDP service if you need to create a policy fo r a service that is not in the predef ined service list. T o add a custom TCP or UDP servic e 1 Go to Firewall > Service > Cus tom . 2 Select TCP/UDP from[...]

  • Seite 204

    204 Fortinet Inc. Services Firewall configuration Adding custom ICMP services Add a custom ICMP service if you need to cr eate a policy for a service that is not in the predefin ed service list . T o add a cust om ICMP service 1 Go to Firewall > Service > Cus tom . 2 Select ICMP from the Prot ocol list. 3 Select New . 4 T ype a Name for the n[...]

  • Seite 205

    Firewall confi guration Schedules FortiGate-800 Installation and Configuration Guide 205 3 T ype a Group Name to identify the group . This name appears in the service list when you add a policy and cannot be the same as a predefined service nam e. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special cha[...]

  • Seite 206

    206 Fortinet Inc. Schedules Firewall configura tion Creating one-time schedules Y ou can create a one-time schedule that activates or deactivates a policy for a specified pe riod of time . For exam ple, yo ur firewall might be configured with the default policy that allows acce ss to all services on the In ternet at all times. Y ou can add a one-ti[...]

  • Seite 207

    Firewall confi guration Schedules FortiGate-800 Installation and Configuration Guide 207 Creating recurring schedules Y ou can create a recurring schedule tha t acti vates or deactivates policies at specified times of the day or on specified days of t he week. For example, you might want to prevent Internet use outs ide working hours by creating a [...]

  • Seite 208

    208 Fortinet Inc. Virtual IPs Firewall configuration Adding schedules to policies After you create schedules, you can ad d them to policies to schedule when the policies are active . Y ou can add th e new schedules to policie s when you create the policy , or you can ed it existing policies and add a new schedule to them. T o add a sche dule to a p[...]

  • Seite 209

    Firewall confi guration Virtual IPs FortiGate-800 Installation and Configuration Guide 209 This section describes: • Adding static NA T virtual IPs • Adding port fo rwarding vir tual IPs • Adding policies with virtual IPs Adding static NAT virtual IPs T o add a st atic NA T virtual IP 1 Go to Firewall > Virtual IP . 2 Select New to add a v[...]

  • Seite 210

    210 Fortinet Inc. Virtual IPs Firewall configuration 7 In Map to IP , type the real IP address on the destination networ k, for example, the IP address of a web server on an intern al network. 8 Select OK to save the v irtual IP . Y ou can now add the virtual IP to firewall policies. Figure 47: Adding a st atic NA T virtual IP Adding port forwar di[...]

  • Seite 211

    Firewall confi guration Virtual IPs FortiGate-800 Installation and Configuration Guide 21 1 6 Enter the External IP Address that you want to map to an addr ess on the destination zone. Y ou can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. If the IP address of the external interf[...]

  • Seite 212

    212 Fortinet Inc. Virtual IPs Firewall configuration Figure 48: Adding a port forwarding virtu al IP Adding policies wi th virtual IPs Use the followin g proced ure to add a policy that uses a virt ual IP to fo rward packets. T o add a policy with a virtual IP 1 Go to Firewall > Polic y . 2 Select the type of policy that you want to add. • The[...]

  • Seite 213

    Firewall confi guration IP pools FortiGate-800 Installation and Configuration Guide 213 4 Select OK to save the policy . IP pools An IP pool (also called a dynamic IP pool) is a range of IP ad dresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destinati on [...]

  • Seite 214

    214 Fortinet Inc. IP/MAC binding Firewall configuration Figure 49: Adding an IP Pool IP Pools for firewall pol icies that use fixed ports Some network configurations do not operate correctly if a NA T policy tran slates the source port of packet s used by the connec tion. NA T translates source port s to keep track of conn ections for a particular [...]

  • Seite 215

    Firewall confi guration IP/MAC binding FortiGate-800 Installation and Configuration Guide 215 Y ou can enter the static IP addresses an d corresponding MAC addresses of trusted computers in the st atic IP/MAC t able. If you have trusted co mputers wit h dynami c IP addresses that are set by th e FortiGate DHCP server , the FortiGate unit adds these[...]

  • Seite 216

    216 Fortinet Inc. IP/MAC binding Firewall configuration For example, if the IP/MAC pair IP 1.1.1. 1 and 12 :34:56:78:90:ab:cd is added to the IP/MAC binding list: • A packet with IP addre ss 1.1.1.1 a nd MAC address 12:34: 56:78:90:ab:cd is allowed to go on to be matched with a firewall policy . • A packet with IP 1.1.1.1 but with a dif f erent[...]

  • Seite 217

    Firewall confi guration IP/MAC binding FortiGate-800 Installation and Configuration Guide 217 3 Enter the IP Address and th e MAC Address. Y ou can bind multiple IP addresses to the same MAC address. Y ou cannot bi nd multiple MAC addresses to the same IP address. However , you can set the IP address to 0.0.0.0 for multiple MAC addresses. This mean[...]

  • Seite 218

    218 Fortinet Inc. Content profiles Firewall configuration Figure 50: IP/MAC settings Content profiles Use content profiles to app ly diff erent prot ection settings for content traf fic that is controlled by firewall policies. Y ou can use content profiles to: • Configure antivirus protection for HT TP , FTP , POP3, SMTP , and IMAP policies • C[...]

  • Seite 219

    Firewall confi guration Content profiles FortiGate-800 Installation and Configuration Guide 219 Default content profiles The FortiGate unit has the following four default content profiles that are displayed on the Firewall Cont ent Profile page. Y o u can use the default content prof iles or create your own. Adding content profiles If the default c[...]

  • Seite 220

    220 Fortinet Inc. Content profiles Firewall configuration 6 Enable the email filter protec tion options that you want. 7 Enable the fragmented email and oversized file an d email options that you want. 8 Select OK. Figure 51: Example con tent profile Web Content Block Block web pages that contain unwanted words or phrases. See “Content blocking?[...]

  • Seite 221

    Firewall confi guration Content profiles FortiGate-800 Installation and Configuration Guide 221 Adding content prof iles to policies Y ou can add content profiles to policies with actio n set to allow or encryp t and with service set to ANY , HTTP , FTP , IMAP , POP3, SMTP , or a service group that includes these services. T o add a cont ent profil[...]

  • Seite 222

    222 Fortinet Inc. Content profiles Firewall configuration[...]

  • Seite 223

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 223 Users and authentication FortiGate un its support user authe ntication to the FortiGate user database, a RADIUS server , a nd an LD AP server . Y ou can add use r names to the FortiG ate user database and then add a p assword to[...]

  • Seite 224

    224 Fortinet Inc. Setting authentication timeout Users and authenticati on This chapter describes : • Setting authentication timeout • Adding user names and co nfiguring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user group s Setting authentication timeout Authentication timeout controls how long [...]

  • Seite 225

    Users and authentication Adding user names and con figuring authentica tion FortiGate-800 Installation and Configuration Guide 225 5 Select the T ry other servers if connect to selected server fails check box if you have selected Radius and you want th e FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configur[...]

  • Seite 226

    226 Fortinet Inc. Configuring RADIUS supp ort Users and authentication Configuring RADIUS support If you have configur ed RADIUS support and a user is required to authenticate using a RADIUS server , the FortiGate unit cont ac ts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers Addi[...]

  • Seite 227

    Users and authentication Configuring LDAP suppo rt FortiGate-800 Installation and Configuration Guide 227 Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server , the FortiGate unit contact s the LDAP server for authentication. T o authenticat e with the F ortiGate unit, the us er en[...]

  • Seite 228

    228 Fortinet Inc. Configuri ng LDAP support Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server . Enter the base distinguishe d name for the server using the correct X.500 or LDAP format. The FortiGate u nit passes this distinguished name unchanged to the server . For example, you could use the followi[...]

  • Seite 229

    Users and authentication Configuring user groups FortiGate-800 Installation and Configuration Guide 229 Configuring user group s T o enable authentication, yo u mu st add user names, RADIUS servers, and LDAP servers to one or more user gr oups. Y ou can then select a user group wh en you require authenticati on. Y ou can select a user group to conf[...]

  • Seite 230

    230 Fortinet Inc. Configuring user g roups Users and authentication Figure 55: Adding a user group 3 Enter a Group Name to identify th e user group. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed. 4 T o add users to the user[...]

  • Seite 231

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 231 IPSec VPN A Virtua l Private Network (VPN) is an extension of a private network that encompasses links across sh ared or public networks such as the Intern et. For example, a compan y that has two offices in di fferen t cities, [...]

  • Seite 232

    232 Fortinet Inc. Key management IPSec VPN Key management There are three basic elem ents in any en cryption system: • an algorithm that change s info rmation into code, • a cryptographic key that serves as a secret starting point for the algorithm, • a management system to control the ke y . IPSec provides two ways to handle key exchange and[...]

  • Seite 233

    IPSec VPN Manual key IPSec VPNs FortiGate-800 Installation and Configuration Guide 233 In some respect s, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments. Manual key IPSec VPNs When using manual keys, comple mentary secur ity paramete rs must be enter[...]

  • Seite 234

    234 Fortinet Inc. Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexade cimal number of up to eight digit s (digits can be 0 to 9, a to f) in the rang e bb8 to FFFFFFF . This number must be added to the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway . This is the external IP[...]

  • Seite 235

    IPSec VPN AutoIKE IPSec VPNs FortiGate-800 Installation and Configuration Guide 235 AutoIKE IPSec VPNs FortiGate unit s support two methods of Au tomatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. • General configuration step s for an AutoIKE VPN • Addi[...]

  • Seite 236

    236 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 3 T ype a Gateway Name for the remot e VPN peer . The remote VPN pee r can be either a gatewa y to another netw ork or an individual client on the In ternet. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters [...]

  • Seite 237

    IPSec VPN AutoIKE IPSec VPNs FortiGate-800 Installation and Configuration Guide 237 10 Configure the Local ID the that the FortiGate un it sends to the remote VPN peer . • Preshared key: If the FortiGate unit is fu nctioning as a client and uses its ID to authenticate it self to the remote VPN peer , enter an ID. If no ID is s pecified, the Forti[...]

  • Seite 238

    238 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Optionally , configure NA T T raversal. 5 Optionally , configur e Dead Peer Detection . Use these settings to monitor the st atus of the connec tion between VPN peer s. DPD allows dead connections to be cleane d up and new VPN tunnels est ablished. DPD is not suppor ted by all ve ndors. 6 Select OK t[...]

  • Seite 239

    IPSec VPN AutoIKE IPSec VPNs FortiGate-800 Installation and Configuration Guide 239 Figure 56: Adding a ph ase 1 con figuration ( St andard options) Figure 57: Adding a ph ase 1 con figuration ( Advanced options)[...]

  • Seite 240

    240 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN Adding a phase 2 configurat ion for an AutoIKE VPN Add a phas e 2 configu ration to spec ify the paramete rs used to c reate and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client). T o add a phase 2 configuration 1 Go to VPN > IP[...]

  • Seite 241

    IPSec VPN AutoIKE IPSec VPNs FortiGate-800 Installation and Configuration Guide 241 10 Enable Autokey Kee p Alive if you want to kee p the VPN tunnel ru nning even if no da ta is being processed. 11 Select a concentra tor if you want the tunn el to be part of a hub and spoke VPN configuration. If you use the pro cedure, “Add ing a VPN concentrato[...]

  • Seite 242

    242 Fortinet Inc. Managing digital certificates IPSec VPN Managing digit al certificates Use digital cer tificates to make sure that both participants in an IPSec communication session are trustworthy , prior to setting up an encrypted VPN tunnel between the particip ants. Fortinet uses a manual proc edure to obtain certificates. This involves copy[...]

  • Seite 243

    IPSec VPN Managing digital certificates FortiGate-800 Installation and Configuration Guide 243 6 Configure the key . 7 Select OK to generate the private and pub lic key p air and the certificate re quest. The private/public key p air are generated and the certificate request is displayed on the Local Certificates list with a status of Pend ing. Fig[...]

  • Seite 244

    244 Fortinet Inc. Managing digital certificates IPSec VPN Downloading the certificate request Use the followin g proced ure to dow nload a ce rtificate request from the FortiGate unit to the management compute r . T o downlo ad the certificate reque st 1 Go to VPN > Certificates > Local Certificates . 2 Select Download to download the local c[...]

  • Seite 245

    IPSec VPN Configuring encrypt policies FortiGate-800 Installation and Configuration Guide 245 Obtaining CA certificates For the VPN peers to authenticate themselves to each other , they must both obtain a CA certificate from th e same certificate author ity . The CA certificate provides the VPN peers with a means to validate the digit al ce rtifica[...]

  • Seite 246

    246 Fortinet Inc. Configuring encrypt policies IPSec VPN In addition to defining membership in th e VPN by address, you can configure the encrypt policy for services such as DNS, FTP , and POP3, and to allow connectio ns according to a predefined schedule ( by the time of the day or the day of the week, month, or year). Y ou can also configure the [...]

  • Seite 247

    IPSec VPN Configuring encrypt policies FortiGate-800 Installation and Configuration Guide 247 Adding a destination address The destination addr ess can be a VPN client address on the Inte rnet or the addr ess of a network behin d a remote VPN gatew ay . T o add a dest ination address 1 Go to Firewall > Address . 2 Select an extern al interfac e.[...]

  • Seite 248

    248 Fortinet Inc. Configuring encrypt policies IPSec VPN For information about configu ring the remaining policy settin gs, see “Adding firewall policies” on page 18 9 . 9 Select OK to save the encry pt policy . T o make sure that the encrypt policy is matched for VPN connection s, arrange the encrypt policy above other policies with similar so[...]

  • Seite 249

    IPSec VPN IPSec VPN concen trators FortiGate-800 Installation and Configuration Guide 249 Figure 60: Adding an encryp t policy IPSec VPN concentrators In a hub-and-spoke networ k, all VPN tunnels terminate at a single VPN peer called a hub. The pee rs that connect to th e hub are know n as spokes. The hu b functions as a concentrat or on the n etwo[...]

  • Seite 250

    250 Fortinet Inc. IPSec VPN concentrators IPSec VPN If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes) . It also requires policies tha t control it s encrypted connectio ns to the other spokes and it s non-encrypted co nnections to other networks, such as the Internet. • VPN concentra[...]

  • Seite 251

    IPSec VPN IPSec VPN concen trators FortiGate-800 Installation and Configuration Guide 251 See “Adding an encrypt policy” on p age 247 . 5 Arrange the policie s in the following order: • encrypt policies • default non-encrypt policy (Interna l_All -> External_All) Adding a VPN concentrator T o add a VPN concent rator configuration 1 Go to[...]

  • Seite 252

    252 Fortinet Inc. IPSec VPN concentrators IPSec VPN VPN spoke general co nfiguration steps A remote VPN pe er that fu nctions as a spoke re quires the f ollowing conf iguration: • A tunnel (Auto IKE phase 1 an d phase 2 conf iguration or manu al key configura tion) for the hub. • The source addre ss of the local VPN spoke. • The destination a[...]

  • Seite 253

    IPSec VPN Redundant IPSec VPNs FortiGate-800 Installation and Configuration Guide 253 See “Adding an encrypt policy” on p age 247 . 6 Arrange the policie s in the following order: • outbound encrypt policies • inbound encrypt policy • default non-encrypt policy (Interna l_All -> External_All) Redundant IPSec VPNs T o ensure the continu[...]

  • Seite 254

    254 Fortinet Inc. Redundant IPSec VPNs IPSec VPN Configuring redundant IPSec VPNs Prior to configuring the VPN, make sure t hat bo th FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces. Then assig n each interface to an external zone. Finally , add a route to the Internet t[...]

  • Seite 255

    IPSec VPN Monitoring and Troublesh ooting VPNs FortiGate-800 Installation and Configuration Guide 255 Monitoring and T roubleshooting VPNs • Viewin g VPN tunnel st atus • Viewing dialu p VPN connection status • T esting a VPN Viewing VPN tunnel status Y ou can use the IPSec VPN tunnel list to vi ew the status of all IPSec AutoIKE key VPN tunn[...]

  • Seite 256

    256 Fortinet Inc. Monitoring and Troubleshooti ng VPNs IPSec VPN Figure 63: Dialup Monitor Testing a VPN T o confirm tha t a VPN betwe en two netw orks has been config ured corre ctly , use the ping command from one inter nal network to connect to a co mputer on the other internal network. The IPSec VPN tunn el sta rts automa tically when the first[...]

  • Seite 257

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 257 PPTP and L2TP VPN Y ou can use PPTP and L2TP to crea te a virtual private network (VPN) between a remote client computer that is runn ing Wi ndows and your internal netwo rk. Because PPTP and L2TP are supported by Win dows you d[...]

  • Seite 258

    258 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN Configuring the FortiGat e unit as a PPTP gateway Use the followin g proced ures to con figure the FortiGate u nit as a PPTP gate way: T o add users and user group s Add a user for each PPTP clie nt. 1 Go to User > Local . 2 Add and configure PPTP users. For information about adding and config[...]

  • Seite 259

    PPTP and L2TP VPN Configuring PPTP FortiGate-800 Installation and Configuration Guide 259 3 Select New to add an addr ess. 4 Enter the Address Name, IP Address, and NetMask for an addr ess in the PPTP address range. 5 Select OK to sa ve the sour ce address. 6 Repeat for all addresses in the PP TP address range. T o add a sourc e address group Organ[...]

  • Seite 260

    260 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 6 Set Service to match the traffic ty pe inside the PP TP VPN tunnel. For example, if PPTP user s can ac cess a web server , select HTTP . 7 Set Action to ACCEPT . 8 Select NA T if address tr anslation is required. Y ou can also configure traf fic shaping, logging, and antivirus and web filter se[...]

  • Seite 261

    PPTP and L2TP VPN Configuring PPTP FortiGate-800 Installation and Configuration Guide 261 T o connect to the PPTP VPN 1 S tart the dialup connection that yo u configured in the previous procedure. 2 Enter your PPTP VPN Us er Name and Password. 3 Select Connect. Configuring a Windows 2000 client for PPTP Use the following p rocedure to co nfigure a [...]

  • Seite 262

    262 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 Name the connectio n and select Next. 6 If the Public Network dialog box appears, choose the appropriate ini tial connection and select Next. 7 In the VPN Server Selection dialog, enter the IP addr ess or host name of the FortiGate unit to connect to and select Next. 8 Select Finish. T o config[...]

  • Seite 263

    PPTP and L2TP VPN Configuring L2TP FortiGate-800 Installation and Configuration Guide 263 Configuring L2TP Some implement ations of L2TP support elem ents of IPSec. These element s must be disabled when L2TP is used with a Fo rtiGate unit. This section describes: • Configuring the FortiGate unit as an L2 TP gateway • Configuring a Windows 2000 [...]

  • Seite 264

    264 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Figure 65: Sample L2TP addres s range configura tion T o add source addresses Add a sour ce address for ever y address in the L2TP addr ess range. 1 Go to Firewall > Address . 2 Select the interface to which L2T P clients connect. This can be an interface, VLAN subinterfa ce, or zone. 3 Select[...]

  • Seite 265

    PPTP and L2TP VPN Configuring L2TP FortiGate-800 Installation and Configuration Guide 265 6 Select OK to add the address group . T o add a dest ination address Add an address to which L2TP users can conn ect. 1 Go to Firewall > Address . 2 Select the internal interf ace or the DMZ interface. 3 Select New to add an addr ess. 4 Enter the Address N[...]

  • Seite 266

    266 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 7 In the Connect window , select Properties. 8 Select the Security tab. 9 Make sure th at Require d ata encryption is selected. 10 Select the Networking tab. 11 Set VPN server type to La yer-2 T unneling Pr otocol (L2TP) . 12 Save the changes and continue with the following proc edure. T o disabl[...]

  • Seite 267

    PPTP and L2TP VPN Configuring L2TP FortiGate-800 Installation and Configuration Guide 267 4 In the connect window , enter the User Name and Password tha t you use to connect to your dialup network conne ction. This user name and p assword is not the same as your VPN user name and p assword. Configuring a Windows XP client for L2TP Use the following[...]

  • Seite 268

    268 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN T o disable IPSec 1 Select the Networking tab. 2 Select Internet Protocol (TCP/IP) properti es. 3 Double-click t he Advanced tab. 4 Go to the Options tab and select IP security properties. 5 Make sure that Do not use IPSEC is selected. 6 Select OK and close the co nnection properties window . 7 U[...]

  • Seite 269

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 269 Network Intrusion Detection System (NIDS) The FortiGat e NIDS is a re al-time netw ork intrusio n detectio n sensor th at uses at tack signature definitions to both detect and prev ent a wide variet y of suspicious network traff[...]

  • Seite 270

    270 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Selecting the interfaces to monitor T o select t he interfaces to monitor for att acks 1 Go to NIDS > Detection > General . 2 Select the interfaces to monitor for ne twork attacks. Y ou can select up to a total of 4 interfaces and VLAN subinterfaces. 3 Select Appl[...]

  • Seite 271

    Network Intrusion Detection S ystem (NIDS) Detecting attacks FortiGate-800 Installation and Configuration Guide 271 Viewing the signature list Y ou can display the current list of NIDS signature groups and the members o f a signature group. T o view the signa ture list 1 Go to NIDS > Detection > Signature List . 2 View the names an d action s[...]

  • Seite 272

    272 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Figure 67: Example signatur e group members list Disabling NIDS attack signatures By default, all NIDS attack signatures ar e enabled . Y ou can use the NIDS signature list to disable detection of some atta cks. Disabling unnecessary NIDS attack signatures can improve s[...]

  • Seite 273

    Network Intrusion Detection S ystem (NIDS) Detecting attacks FortiGate-800 Installation and Configuration Guide 273 T o add user- defined signatures 1 Go to NIDS > Detection > User Defined Signature List . 2 Select Upload . 3 T ype the path and filenam e of the text file for the user-defined signatu re list or select Browse and lo cate the fi[...]

  • Seite 274

    274 Fortinet Inc. Preventing attacks Network Intrusion Detection System (NIDS) Preventing att acks NIDS attack prev ention prot ects the FortiGat e unit an d the netwo rks connect ed to it from common TCP , ICMP , UDP , and IP atta cks. Y ou can enable NIDS attack prevention to prevent a set of default att a cks with default threshold values. Y ou [...]

  • Seite 275

    Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-800 Installation and Configuration Guide 275 Setting signature threshold values Y ou can change the default threshold val ues for the NIDS Prevention sig natures listed in Ta b l e 4 0 . The th reshold depends on the type of attack. F or flooding att acks, the threshold is the [...]

  • Seite 276

    276 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS) T o set Pr evention signat ure threshold values 1 Go to NIDS > Prevention . 2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not ha ve threshol d valu es do not have Modify icons. 3 T ype the Threshold va lue. 4 Selec[...]

  • Seite 277

    Network Intrusion Detection System (NIDS) Logging attacks FortiGate-800 Installation and Configuration Guide 277 The FortiGate unit uses an alert email queu e in which each new message is compared with the p revious messages. If the new messag e is not a duplicate, the FortiGate unit sends it immedia tely and put s a copy in the queue . If the new [...]

  • Seite 278

    278 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS)[...]

  • Seite 279

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 279 Antivirus protection Y ou can enable antivirus protection in fire wall policies. Y ou can select a content profile that controls how the antivir us protection behaves. Content profiles control th e type of traffic protected (HTT[...]

  • Seite 280

    280 Fortinet Inc. Antivirus scanning Antivirus protection 6 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file. See “Configur ing alert email” in the Logging and Message Refere nce Guide. Antivirus scanning Virus scan ning intercepts mo st files (including files compressed with up to 12 laye rs of co[...]

  • Seite 281

    Antivirus protection File blocking FortiGate-800 Installation and Configuration Guide 281 Figure 69: Example content profile for virus scan ning File blocking Enable file b locking to re move all files that are a potential threat and to provide th e best protection fr om active computer virus attacks. Blocking files is the only pr otection from a v[...]

  • Seite 282

    282 Fortinet Inc. File blocking Antivirus protection By default, w hen blocki ng is enabled, the FortiG ate unit bl ocks the follo wing file patterns: • executable files (*.bat, *.com, and *.exe) • compressed or archive files (*.gz, *.rar , *.tar , *.tgz, and *.zip) • dynamic link libraries (*.dll) • HTML applic ation (*.hta) • Microsoft [...]

  • Seite 283

    Antivirus protection Quarantine FortiGate-800 Installation and Configuration Guide 283 Quarantine FortiGate u nits with a hard disk can quaranti ne blocked o r infecte d files. The quarantined files are rem oved from the cont ent stream and stored on the FortiGate hard disk. Users receive a message that the remove d files have been quarantined. On [...]

  • Seite 284

    284 Fortinet Inc. Quarantine Antivirus protection 5 Add this content prof ile to firewall policies. See “Adding content profiles to policies” on pag e 221 . Viewing the qua rantine list T o view the quaran tine list 1 Go to Anti-Virus > Quaran tine . The quarantine list displays the following info rmation: Sorting the quarantine list Y ou ca[...]

  • Seite 285

    Antivirus protection Quarantine FortiGate-800 Installation and Configuration Guide 285 Filtering the quarantine list Y ou can filter the quarantine list to: • Display only blocked files • Display only infected files • Display blocked and infected files found only in IMAP , POP3, SMTP , FTP , or HTT P traffic T o filter the Quarantine list to [...]

  • Seite 286

    286 Fortinet Inc. Blocking oversized files and emails Antivirus protection 3 T ype the Age Limit (TTL) in ho urs to specify how long files are left in quaranti ne. The maximum number of hours is 48 0. The Fo rtiGate unit automatic ally deletes a file when the T TL reache s 00:00. 4 T ype the maximum file size in MB to quara ntine. The FortiGate uni[...]

  • Seite 287

    Antivirus protection Exempting fragmented email from blocking FortiGate-800 Installation and Configuration Guide 287 Exempting fragmented email from blocking A fragmented email is a large email message that has been split into smaller messages that are sent individu ally and recombined when they are receive d. By default, whe n antivirus protection[...]

  • Seite 288

    288 Fortinet Inc. Viewing the virus list Antivirus protection[...]

  • Seite 289

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 289 W eb filtering When you enable Anti-V irus & Web filter in a firewall policy , you select a content profile that controls how web filterin g behave s for HTTP traf fic. Co ntent profiles control the following types of conten[...]

  • Seite 290

    290 Fortinet Inc. Content blocking Web filtering 3 Configure web filtering settin gs to control how the FortiGate unit app lies web filtering to the HTTP traf fic allowed by policies. See: • “URL block ing” on page 29 3 , • “Configuring Cerber ian URL filtering” on p age 296 , • “Content blocking” on page 290 , • “Script filte[...]

  • Seite 291

    Web filtering Content blocking FortiGate-800 Installation and Configuration Guide 291 4 T ype a banned word or phrase. If you type a single word (for ex ample, banned ), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase ), the FortiGate unit blocks web pages th at conta in both word s. [...]

  • Seite 292

    292 Fortinet Inc. Content blocking Web filtering Backing up the Banned Word list Y ou can back up the banned word list by downloading it to a text file on the management compu ter . T o back up th e banned word list 1 Go to Web Filter > Cont ent Block . 2 Select Backup Banned Word List . The FortiGate unit downloads the list to a text file on th[...]

  • Seite 293

    Web filtering URL blocking FortiGate-800 Installation and Configuration Guide 293 5 Select Return to display the updated Banned W ord List. 6 Y ou can continue to maint ain the Banned Word List by makin g changes to the text file and uploading it again as nece ssary . . URL blocking Y ou can block the unwanted web URLs usi ng FortiGate Web URL bl o[...]

  • Seite 294

    294 Fortinet Inc. URL blocking Web filtering 4 Ensure that th e Enable ch eckbox has been select ed and then select OK. 5 Select OK to add the URL to the Web URL block list. Y ou can enter multiple URLs and the n select Check All to enable all items in the Web URL block list. Y ou can disable all of the URLs on the list by selecting Uncheck All . E[...]

  • Seite 295

    Web filtering URL blocking FortiGate-800 Installation and Configuration Guide 295 Downloading the Web URL block list Y ou can back up the Web URL bl ock list by downloading it to a text file on the management compu ter . T o downlo ad a Web URL bloc k list 1 Go to Web Filter > Web URL Block . 2 Select Download URL Block List . The FortiGate unit[...]

  • Seite 296

    296 Fortinet Inc. Configuring Cerberian URL filtering Web filtering 8 Y ou can continue to maintain the W eb URL bl ock list by makin g changes to the text file and uploading it again. Configuring FortiGate Web pattern blocking Y ou can configure FortiGate web pattern bl ocking to blo ck web pages that match a URL pattern. Create URL p atterns usin[...]

  • Seite 297

    Web filtering Configuring Cerberian URL filtering FortiGate-800 Installation and Configuration Guide 297 Installing a Cerberian license key Before you ca n use the C erberian we b filter , yo u must install a license key . The license key determines th e number of end users allowe d to use Cerberian web filtering through the Fort iGate unit. T o in[...]

  • Seite 298

    298 Fortinet Inc. Configuring Cerberian URL filtering Web filtering Y ou can add users to the default group and apply any po licies to the group. Use the default group to add: • All the users who are not assigned alias names on the FortiGate unit. • All the users who are no t assigned to ot her user groups. The Cerberian web filte r groups URLs[...]

  • Seite 299

    Web filtering Script filtering FortiGate-800 Installation and Configuration Guide 299 Script filtering Y ou can configure the FortiGate unit to re move Java applet s, cookies, and ActiveX scripts from the HT ML web pages. • Enabling script filtering • Selecting script filter o ptions Enabling script filtering 1 Go to Firewall > Content Profi[...]

  • Seite 300

    300 Fortinet Inc. Exempt URL list Web filtering Exempt URL list Add URLs to the exempt URL list to allow legitimate traf fic that might otherwise be blocked by content or URL blocking. For exam ple, if content blocking is set to block pornography-rela ted words and a re putable we bsite runs a story on pornog raphy , web pages from the repu table w[...]

  • Seite 301

    Web filtering Exempt URL list FortiGate-800 Installation and Configuration Guide 301 Figure 75: Example URL Exempt list Downloading the URL Exempt List Y ou can back up the URL Exempt List by downloading it to a text file on the management compu ter . 1 Go to Web Filter > URL Exempt . 2 Select Download URL Exempt List . The FortiGate unit downlo[...]

  • Seite 302

    302 Fortinet Inc. Exempt URL list Web filtering 3 Select Upload URL Exempt List . 4 T ype the path and filename of your URL Exe m pt List text file, or select Browse and locate the file. 5 Select OK to upload the f ile to the FortiGate unit. 6 Select Return to display the updated URL Exemp t List. 7 Y ou can continue to maintain the URL Exempt List[...]

  • Seite 303

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 303 Email filter Email filtering is enabled in firewall policies. When you en able Anti-V irus & Web filte r in a firewall policy , you select a content profile that controls how email filtering behaves for email (IM AP and POP3[...]

  • Seite 304

    304 Fortinet Inc. Email banned word list Email filter Email banned word list When the FortiGate unit detect s an email that contains a word or phr ase in the banned word list, the FortiGate unit adds a t ag to the subject line of the email and writes a message to the event log. Recei vers can then use their mail client sof tware to filter messages [...]

  • Seite 305

    Email filter Email banned word list FortiGate-800 Installation and Configuration Guide 305 Downloading the email banned word list Y ou can back up the banned word list by downloading it to a text file on the management compu ter: T o downlo ad the banned word list 1 Go to Email Filter > Content Block . 2 Select Download. The FortiGate unit downl[...]

  • Seite 306

    306 Fortinet Inc. Email block list Email filter Email block list Y ou can configure the FortiGate unit to ta g all IMAP and POP3 protocol tra ffic sent from unwanted email addresse s. When the FortiGate unit dete cts an email sent from an unwanted address p attern, the FortiGate un it adds a t ag to the subject line of the email and writes a messag[...]

  • Seite 307

    Email filter Email exempt li st FortiGate-800 Installation and Configuration Guide 307 Uploading an email block list Y ou can create a email block list in a text ed itor and then upload the text file to the FortiGate unit. Add one p attern to each line of the text file. Y ou can follow the pattern with a space and the n a 1 to enable or a zero (0) [...]

  • Seite 308

    308 Fortinet Inc. Adding a subject tag Email filter Adding address patterns to the email exempt list T o add an addre ss p attern to the email exempt list 1 Go to Email Filter > Exempt List . 2 Select New . 3 T ype the add ress pattern that you wan t to exempt. • T o exempt email sent from a specific email add ress, type the email address. For[...]

  • Seite 309

    FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 309 Logging and reporting Y ou can configure the FortiGate unit to log network activity from routine configuration changes and traf fic sessions to emergency event s. Y ou can also configure the FortiGate u nit to send alert email m[...]

  • Seite 310

    310 Fortinet Inc. Recording logs Logging and reporting Recording logs on a remote computer Y ou can configure the FortiGate unit to re cord log messages on a r emote computer . The remote computer must be configu red with a syslog server . T o record logs on a remote computer 1 Go to Log&Report > Log Settin g . 2 Select the Log to Remote Hos[...]

  • Seite 311

    Logging and repo rting Recording logs FortiGate-800 Installation and Configuration Guide 31 1 5 Select Config Policy . T o configure the FortiGate unit to filter the types of logs and event s to record, use the procedures in “Filtering log messag es” on page 313 an d “Configuring traf fic logging” on page 314 . 6 Select OK. 7 Select Apply .[...]

  • Seite 312

    312 Fortinet Inc. Recording logs Logging and reporting Recording logs in system memory If your FortiGate unit does not cont ain a hard disk, you can config ure the FortiGate unit to rese rve some s ystem me mory for storing current event, attack, antivirus, web filter , and email filter log messages. Loggin g to memory allows quick access to only t[...]

  • Seite 313

    Logging and repo rting Filtering log me ssages FortiGate-800 Installation and Configuration Guide 313 Filtering log messages Y ou can configure the logs t hat you want to record and the message categorie s that you want to record in each log. T o filter log entries 1 Go to Log&Report > Log Settin g . 2 Select Config Policy for the log locati[...]

  • Seite 314

    314 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Figure 79: Exam ple log filter con figuration Configuring traffic logging Y ou can configure the FortiGate unit to reco rd traffic log messages for connections to: • An interface • A VLAN subinterface • A firewall policy The FortiGate unit can filter traf fic logs for a sour[...]

  • Seite 315

    Logging and repo rting Configuring traffic loggi ng FortiGate-800 Installation and Configuration Guide 315 Enabling traf fic logging Y ou can enable logging on any interface, VLAN subinterface, an d firewall policy . Enabling traffic loggi ng for an interface If you enable traf fic logging for a n interface, all connections to and through the inter[...]

  • Seite 316

    316 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Configuring traffic filter settings Y ou can configure the information re corded in all tr affic log messages. T o conf igure traffic filter settings 1 Go to Log&Report > Log Settin g > T raffic Filter . 2 Select the settings that you wa nt to apply to all traf fic log m[...]

  • Seite 317

    Logging and repo rting Viewing logs saved to memory FortiGate-800 Installation and Configuration Guide 317 4 Select OK. The traf fic filter list displays the new traffi c address entry with the settings that you selected in “Enabling traf fic logging” on page 315 . Figure 81: Example new traffic address entry V iewing logs saved to memory If th[...]

  • Seite 318

    318 Fortinet Inc. Viewing and managing logs saved to the hard disk Logging and reporti ng 4 T o view a specific line in the log, type a li ne number in the Go to line field and select . 5 T o navigate through th e log message pages, sele ct Go to next page or Go to previous page . Searching logs T o search log messages saved in system memory 1 Go t[...]

  • Seite 319

    Logging and reporting Viewing and managing logs saved to the hard disk FortiGate-800 Installation and Configuration Guide 319 Viewing logs Log messages are listed with the mo st recent message at the top. T o view the ac tive or saved logs 1 Go to Log&Report > Logging . 2 Select Traf f ic Log, Ev ent Log, A ttack Log, Antivi rus Log, Web Fil[...]

  • Seite 320

    320 Fortinet Inc. Viewing and managing logs saved to the hard disk Logging and reporti ng Downloading a log file to the management computer Y ou can download log files to the management compu ter as plain text files or comma- separated value (CSV) files. Af ter downloading, you can view the te xt file with a text editor or the CSV file us ing a spr[...]

  • Seite 321

    Logging and repo rting Configu ring aler t email FortiGate-800 Installation and Configuration Guide 321 Configuring alert email Y ou can configure the FortiGate unit to send ale rt email to up to three email addresses when there are virus incident s, block incidents, network intrusions, and other firewall or VPN events or violations. Af ter you set[...]

  • Seite 322

    322 Fortinet Inc. Configu ring aler t email Logging and reporting Enabling alert email Y ou can configure the FortiGate unit to send alert email in respon se to virus incidents, intrusion attempts, and critical firewall or VPN event s or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard [...]

  • Seite 323

    FortiGate-800 Installation and Configuration Guide 323 FortiGate-800 Inst allation and Co nfiguration Guide V ersion 2.50 Glossary Connection : A link between machines, applications, processes, and so on t hat can be logical, phys ical, or both. DMZ, Demilit arized Zone : Used to host Internet services without allowing unau thorized access to an in[...]

  • Seite 324

    324 Fortinet Inc. Glossary LAN, Local Area Network : A computer n etwork that spans a relatively small area. Most LANs connect worksta tions and personal computers. Each computer on a LAN is able to ac cess data and devices a nywhere on the LAN. This means that many users can share data as well as physical re sources such as printers. MAC address, [...]

  • Seite 325

    Glossary FortiGate-800 Installation and Configuration Guide 325 SSH , Secure shell : A secure T elnet replacement that you can use to log into another computer over a network and run commands. SSH provides str ong secure authentication and secure communications over insecure channels. Subnet : A portion of a network that shares a comm on address co[...]

  • Seite 326

    326 Fortinet Inc. Glossary[...]

  • Seite 327

    FortiGate-800 Installation and Configuration Guide 327 FortiGate-800 Inst allation and Configuration Guide V ersion 2.50 Index A accept policy 191 action policy option 191 active log deleting all messages 320 searching 318, 319 viewing and maintaining saved logs 318 ActiveX 299 removing from web pages 299 address 197 adding 197 adding firewall addr[...]

  • Seite 328

    328 Fortinet Inc. Index attack updates configuring 121 scheduling 120 through a proxy server 122 authentication 193, 223 configuring 224 enabling 229 LDAP server 227 RADIUS server 226 timeout 170 auto device in route 155 AutoIKE 232 certificates 23 2 introduction 232 pre-shared keys 232 automatic antivirus and attack definition updates configuring [...]

  • Seite 329

    Index FortiGate-800 Installation and Configuration Guide 329 DHCP adding a DHCP server to an interface 158 adding a reserved IP to a DHCP server 160 adding a scope to a DHCP server 158 configuring 157 configuring a DHCP server 158 configuring DHCP relay 158 interface addressing mode 140 viewing a dynamic IP list 16 0 dialup L2TP configuring Windows[...]

  • Seite 330

    330 Fortinet Inc. Index FortiResponse Distribution Ne twork 118 connecting to 118 FortiResponse D istribution Server 118 from IP system status 115 from port system status 115 front keypad and LCD configuring IP address 61 G get community SNMP 175 grouping services 2 04 groups address 199 user 229 guaranteed bandwidth 192 H HA 73 connecting a NAT/Ro[...]

  • Seite 331

    Index FortiGate-800 Installation and Configuration Guide 331 IPSec VPN authentication for user group 229 AutoIKE 232 certificates 23 2 disabling 266, 268 manual keys 232 pre-shared keys 232 remote gateway 229 status 2 55 timeout 255, 256 IPSec VPN tunnel testing 256 J Java applets 299 removing from web pages 299 K keyword log search 318, 319 L L2TP[...]

  • Seite 332

    332 Fortinet Inc. Index mode Transparent 18 monitor system status 114 monitored in terfaces 270 monitoring system status 111 MTU size 144 changing 144 definition 324 improving network performance 144 interface 144 N NAT introduction 18 policy option 192 push update 124 NAT mode adding policy 189 IP addresses 44 NAT/Rout e mode changing to 110 confi[...]

  • Seite 333

    Index FortiGate-800 Installation and Configuration Guide 333 PPTP dialup connection configuring Windows 2000 client 261 configuring Windows 98 clien t 260 configuring Windows XP client 261 PPTP gateway configuring 258 predefined services 20 0 pre-shared keys introduction 232 prevention NIDS 274 protocol service 200 system status 115 proxy server 12[...]

  • Seite 334

    334 Fortinet Inc. Index schedule 205 applying to policy 2 08 automatic antivirus and at tack defin ition updates 120 creating one-time 206 creating recurring 207 one-time 206 policy option 191 recurring 207 scheduled antivirus and attack updates 122 scheduled updates through a proxy server 122 scheduling 120 scope adding a DHCP scope 158 script fil[...]

  • Seite 335

    Index FortiGate-800 Installation and Configuration Guide 335 system settings backing up 108 restoring 108 restoring to factory default 109 system status 93, 111, 161 system status monitor 114 T TCP configuring checksum verification 270 custom service 203 technical support 23 testing alert email 321 time log search 318, 319 setting 169 time zone 169[...]

  • Seite 336

    336 Fortinet Inc. Index viewing dialup connection status 2 55 logs 318, 319 logs saved to memory 317 VPN tunnel status 255 virtual domain adding 149 adding a VLAN 150 adding a zone 150 adding firewall addresses 152 adding firewall policies 152 configuring 149 configuring in Transpa rent mode 147 deleting 153 properties 149 virtual IP 208 adding 209[...]