Fortinet 400 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308

Ir a la página of

Buen manual de instrucciones

Las leyes obligan al vendedor a entregarle al comprador, junto con el producto, el manual de instrucciones Fortinet 400. La falta del manual o facilitar información incorrecta al consumidor constituyen una base de reclamación por no estar de acuerdo el producto con el contrato. Según la ley, está permitido adjuntar un manual de otra forma que no sea en papel, lo cual últimamente es bastante común y los fabricantes nos facilitan un manual gráfico, su versión electrónica Fortinet 400 o vídeos de instrucciones para usuarios. La condición es que tenga una forma legible y entendible.

¿Qué es un manual de instrucciones?

El nombre proviene de la palabra latina “instructio”, es decir, ordenar. Por lo tanto, en un manual Fortinet 400 se puede encontrar la descripción de las etapas de actuación. El propósito de un manual es enseñar, facilitar el encendido o el uso de un dispositivo o la realización de acciones concretas. Un manual de instrucciones también es una fuente de información acerca de un objeto o un servicio, es una pista.

Desafortunadamente pocos usuarios destinan su tiempo a leer manuales Fortinet 400, sin embargo, un buen manual nos permite, no solo conocer una cantidad de funcionalidades adicionales del dispositivo comprado, sino también evitar la mayoría de fallos.

Entonces, ¿qué debe contener el manual de instrucciones perfecto?

Sobre todo, un manual de instrucciones Fortinet 400 debe contener:
- información acerca de las especificaciones técnicas del dispositivo Fortinet 400
- nombre de fabricante y año de fabricación del dispositivo Fortinet 400
- condiciones de uso, configuración y mantenimiento del dispositivo Fortinet 400
- marcas de seguridad y certificados que confirmen su concordancia con determinadas normativas

¿Por qué no leemos los manuales de instrucciones?

Normalmente es por la falta de tiempo y seguridad acerca de las funcionalidades determinadas de los dispositivos comprados. Desafortunadamente la conexión y el encendido de Fortinet 400 no es suficiente. El manual de instrucciones siempre contiene una serie de indicaciones acerca de determinadas funcionalidades, normas de seguridad, consejos de mantenimiento (incluso qué productos usar), fallos eventuales de Fortinet 400 y maneras de solucionar los problemas que puedan ocurrir durante su uso. Al final, en un manual se pueden encontrar los detalles de servicio técnico Fortinet en caso de que las soluciones propuestas no hayan funcionado. Actualmente gozan de éxito manuales de instrucciones en forma de animaciones interesantes o vídeo manuales que llegan al usuario mucho mejor que en forma de un folleto. Este tipo de manual ayuda a que el usuario vea el vídeo entero sin saltarse las especificaciones y las descripciones técnicas complicadas de Fortinet 400, como se suele hacer teniendo una versión en papel.

¿Por qué vale la pena leer los manuales de instrucciones?

Sobre todo es en ellos donde encontraremos las respuestas acerca de la construcción, las posibilidades del dispositivo Fortinet 400, el uso de determinados accesorios y una serie de informaciones que permiten aprovechar completamente sus funciones y comodidades.

Tras una compra exitosa de un equipo o un dispositivo, vale la pena dedicar un momento para familiarizarse con cada parte del manual Fortinet 400. Actualmente se preparan y traducen con dedicación, para que no solo sean comprensibles para los usuarios, sino que también cumplan su función básica de información y ayuda.

Índice de manuales de instrucciones

  • Página 1

    FortiGate 400 Installation and Configuration Guide 4 / HA 3 CONSOLE 1 2 Esc Enter FortiGate User Manual V olume 1 Ve r s i o n 2 . 5 0 M R 2 18 August 2003[...]

  • Página 2

    © Copyright 2003 Fortine t Inc. All rights reserved . No part of this publication incl uding text, examples , diagrams or illustrations may be reproduced, transmitted, or translated in any form or by an y means, electro nic, mechanical, manual, optical or otherwise, for any purpose, without prio r written permiss ion of Fort inet Inc. FortiGate-40[...]

  • Página 3

    Contents FortiGate-400 Installation and Configuration Guide 3 Table of Contents Introduction ............. ................................ .................................................. ........... 15 Antivirus protection ......................... ................ ................ ............. ................ ............. ........ 15 Web co[...]

  • Página 4

    Contents 4 Fortinet Inc. Planning your FortiGate configurat ion ............... ................ ............. ................ ................ .. 39 NAT/Route mode ........... ................ ............. ................ ............. ................ ............. ........ 39 NAT/Route mode with multiple external networ k connections .... ...[...]

  • Página 5

    Contents FortiGate-400 Installation and Configuration Guide 5 Completing the configuration ................... ....... ...... ................ ............. ............. ............. ..... 64 Setting the date and time .................. ................ ............. ................ ............. ................ .. 64 Enabling antivirus protect[...]

  • Página 6

    Contents 6 Fortinet Inc. System status .......... ................................ .................................................. ........... 93 Changing the FortiGate host name .......... ................ ................. ............ ................. ........... 94 Changing the FortiGate firmware ............. ................ .............[...]

  • Página 7

    Contents FortiGate-400 Installation and Configuration Guide 7 Updating registration information ................ .... ......... ................. ............ ............. ............. 128 Recovering a lost Fortinet s upport password .............. ............. ................ ............. ...... 128 Viewing the list of registered FortiGate un[...]

  • Página 8

    Contents 8 Fortinet Inc. Adding RIP filters ............... ............. ................ ............. ................ ............. ................ ...... 154 Adding a single RIP filter ......... ............. ................ ............. ................ ............. ............. 154 Adding a RIP filter list ........ ................ ....[...]

  • Página 9

    Contents FortiGate-400 Installation and Configuration Guide 9 Services ............ ............. ............. ................ ............. ................. ............ ............. .......... ... 182 Predefined services .................... ............ ............. ................. ............ ................. ......... 182 Providing ac[...]

  • Página 10

    Contents 10 Fortinet Inc. IPSec VPN .................... ................................................. .............. ............... ......... 209 Key management ........... ............. ................ ............. ................. ............ ................. ......... 210 Manual Keys .............. ............. ................ .....[...]

  • Página 11

    Contents FortiGate-400 Installation and Configuration Guide 11 Network Intrusion Detection System (NIDS) .... ............................ ............ ....... 249 Detecting attacks ............... ............. ................ ............. ............. ................ ............. ......... 2 49 Selecting the interfaces to monitor .... ......[...]

  • Página 12

    Contents 12 Fortinet Inc. URL blocking............... ............. ................ ............. ................ ............. ................ ............. 269 Using the FortiGate web filter ........... ............. ................ ................ ............. ................ 269 Using the Cerberian web filter ........ ............. .....[...]

  • Página 13

    Contents FortiGate-400 Installation and Configuration Guide 13 Glossary ............... ................................. ................................................. ............ 295 Index .............. ................................. ............................................ ............... .......... 299[...]

  • Página 14

    Contents 14 Fortinet Inc.[...]

  • Página 15

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 15 Introduction The FortiGate Antivirus Firewall suppor ts network-based dep loyment of application-leve l services—in cluding antiviru s protection and full-scan con tent filtering. FortiGate A ntivirus Firew alls improv e net[...]

  • Página 16

    16 Fortinet Inc. Web content filtering Introduction For extra prot ection, you also con figure antivi rus protection to block files of specified file types from passing thr ough the FortiGate unit. Y ou can use the feature to stop files that may cont ain new viruses. If the FortiGate unit cont ains a hard disk, infected or blocked files can be quar[...]

  • Página 17

    Introduction Firewall FortiGate-400 Installation and Configuration Guide 17 Y ou can configure Email blocking to tag email from all or so me senders within organizations that are known to send sp am email. T o prevent u nintentional tagging of email from legitimate se nders, you can add se nder address p atterns to an exempt list that overrides the[...]

  • Página 18

    18 Fortinet Inc. VLAN Introduction Transparent mode T ransparent mode provides the same basic fire wall protection as NA T mode. Packets received by the FortiGate unit are intellig ently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your netwo[...]

  • Página 19

    Introduction VPN FortiGate-400 Installation and Configuration Guide 19 VPN Using FortiGate virtual private network ing (VPN), you can provide a secure connection between wid ely separated office netw orks or secu rely link telec ommuters or travellers to an of fice network. FortiGate VPN features include the following: • Industry stan dard and IC[...]

  • Página 20

    20 Fortinet Inc. Secure installation, configurat ion, and management Introduction Secure inst allation, configuration, and management Installation is quick and simp le. Th e first time you turn on the FortiGate unit, it is already configured with de fault IP addres ses and security po licies. Connect to the web-based manager , set the operating mod[...]

  • Página 21

    Introduction Secure installation, configura tion, and management FortiGate-400 Installation and Configuration Guide 21 Command line interface Y ou can access the FortiGate command line interface (CLI) by connecting a management compute r serial port to the Fo rtiGate RS-232 serial Console connector . Y ou can also use T elnet or a secure SSH co nne[...]

  • Página 22

    22 Fortinet Inc. What’s new in Version 2.50 Introduction What’ s new in V ersion 2.50 This section present s a brief summary of so me of the new features in FortiOS v2.50: System administration • Improved graphica l FortiGate system heal th monitoring that include s CPU and memory usage, se ssion number an d netwo rk bandwid th usage, and the[...]

  • Página 23

    Introduction What’s new in Version 2.50 FortiGate-400 Installation and Configuration Guide 23 HA • Active-active HA using switches and with the ability to s elect the schedule • T ransparent mode HA • A/V update for HA clusters • Configuration synchronizing fo r HA See “High av ailability” on page 75 . Replacement messages Y ou can cu[...]

  • Página 24

    24 Fortinet Inc. What’s new in Version 2.50 Introduction NIDS See the FortiGate NIDS Guide for a complete description of F ortiGate NIDS functionality . New features includ e: • Attack detection signature group s • User-configuration att ack prevention • Monitor multiple in terfaces for att acks • Monitor VLAN subinterfaces for attacks ?[...]

  • Página 25

    Introduction About this document FortiGate-400 Installation and Configuration Guide 25 About this document This inst allation and con figuration guide descr ibes how to inst all and configure the FortiGate-400. This documen t contains the following infor mation: • Getting started describes unp acking, mounting, and powering on the FortiGate. • [...]

  • Página 26

    26 Fortinet Inc. Document co nventions Introduction Document conventions This guide uses the fo llowing conven tions to de scribe CLI co mmand syntax. • angle brac kets < > to indicate variable keywords For example: execute restore config <filename_str> Y ou enter restore config myfile.bak <xxx_str> indicates an ASCII string var[...]

  • Página 27

    Introduction Fortinet documentati on FortiGate-400 Installation and Configuration Guide 27 Fortinet document ation Information about FortiGate product s is av ailable from the follo wing FortiGate User Manual volumes: • V olume 1: FortiGate Installation and Configurat ion Guide Describes installation and basic configurat ion for the FortiGate uni[...]

  • Página 28

    28 Fortinet Inc. Customer service and technical support Introduction Customer service and technical support For antiviru s and attack d efinition u p dates, firmware updates, updated product documentation , technical support informatio n , and other resources, please visit the Fortinet technical support we b site at http://support.fortinet.com. Y o[...]

  • Página 29

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 29 Getting st arted This chapter describes unpacking, sett ing up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedure s in this chapter , you can proceed to one of the following: • If you a[...]

  • Página 30

    30 Fortinet Inc. Package contents Getting started Package content s The FortiGate-400 p ackage contains the following items: • FortiGate -400 Antivirus Fir ewall • one orange crossover ethern et cable • one gray regular ethernet cable • one null modem cable • FortiGate -400 QuickS ta rt Guide • one power cable • CD containing the Fo r[...]

  • Página 31

    Getting started Powering on FortiGate-400 Installation and Configuration Guide 31 Power requirements • Power dissipatio n: 180 W (max) • AC input volt age: 100 to 2 40 V AC • AC input current: 4 A • Frequency: 47 to 63 Hz Environmental specifications • Operating temperature: 32 to 10 4°F (0 to 40°C) • S torage temperature: -13 to 158?[...]

  • Página 32

    32 Fortinet Inc. Connecting to the web-based manager Getting started Connecting to the web-based manager Use the followin g proced ure to con nect to the web-based manager for the first time. Configuration changes ma de with the web- based manager ar e effective imm ediately without the need to reset the firewall or inte rrupt serv ice. T o connect[...]

  • Página 33

    Getting started Connecting to the command line in terface (CLI) FortiGate-400 Installation and Configuration Guide 33 Connecting to the command line interface (CLI) As an alternative to the web-based ma nager , you can install and configure the FortiGate unit using the CLI. Configuration changes mad e with the CLI are effective immediately with out[...]

  • Página 34

    34 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started If you are planning on operating the FortiGa te unit in T ransparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in T ransparent mode. Once the network con figuration is comp[...]

  • Página 35

    Getting started Factory default FortiGate configurati on settings FortiGate-400 Installation and Configuration Guide 35 Factory default Transparent mode network configuration If you switch the FortiGate unit to T ranspar ent mode, it has the default network configuration listed in Ta b l e 3 . Factory default firewall configuration The factory defa[...]

  • Página 36

    36 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Factory default content profiles Y ou ca n use cont ent profiles to apply d ifferent protection settings for conten t traffic controlled by firewall policies. Y ou can use content profiles for: • Antivirus protection of HTTP , FTP , IMAP , POP3, and SMTP network t[...]

  • Página 37

    Getting started Factory default FortiGate configurati on settings FortiGate-400 Installation and Configuration Guide 37 Strict content profile Use the strict content prof ile to apply maximum content protection to HTTP , FTP , IMAP , PO P3, and SMTP content traffic. Y ou would not use the strict content profile under normal circumst ances, but it i[...]

  • Página 38

    38 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Web content profile Use the web content profile to apply antivir us scanning and Web content blo cking to HTTP content traffic. Y ou can add this cont ent profile to firewall policies that control HTTP traffic. Unfiltered content profile Use the unfiltered content p[...]

  • Página 39

    Getting started Planning your Fort iGate configurati on FortiGate-400 Installation and Configuration Guide 39 Planning your FortiGate configuration Before beginning to configure th e FortiGate unit, you need to plan how to integrate the unit into your net work. Among ot her things, y ou have to decide whethe r or not the unit will be visible to the[...]

  • Página 40

    40 Fortinet Inc. Planning your FortiGa te configuration Getting started Figure 4: Example NA T/Route mode networ k configura tion NAT/Route mode with multiple external network connections In NA T/Route mode, yo u can configure th e Fort iGate unit with multiple redundant connections to the external net work (usually the Int ernet). For ex ample, yo[...]

  • Página 41

    Getting started Planning your Fort iGate configurati on FortiGate-400 Installation and Configuration Guide 41 Transparent mode In T ransparent mode, the Fo rtiGate unit is invisible to the network. Similar to a network bridge, all of FortiGate interfaces must be on the same subnet. Y ou only have to configure a mana gement IP address so tha t you c[...]

  • Página 42

    42 Fortinet Inc. FortiGate model maximum valu es matrix Getting started CLI If you are configuring the FortiGate unit to operate in NA T/Route mode, you can add the administration p a ssword and all interface addresses. Using the CLI, you can also add DNS server IP add resses and a default route for the exter nal interfac e. If you are configuring [...]

  • Página 43

    Getting started Next steps FortiGate-400 Installation and Configuration Guide 43 Next step s Now that your FortiGate unit is operating , y ou can proceed to configure it to connect to networks: • If you are goin g to operate the F ort iGate unit in NA T/Route mode, go to “NA T/Route mo de installation” on page 45 . • If you are going to op [...]

  • Página 44

    44 Fortinet Inc. Next steps Getting started[...]

  • Página 45

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 45 NA T/Route mode inst allation This chapter de scribes how to inst all your Fo rtiGate unit in NA T/Route mode. T o install your FortiGa te unit in T ransparent mode, see “T ransparent mode inst allation” on pag e 61 . T o [...]

  • Página 46

    46 Fortinet Inc. Using the setu p wizard NAT/Route mode installati on Using the setup wizard From the web-based manager, you can use the setup wizar d to create the initial configuration of your FortiGate unit. T o connect to the web-based manager, see “Connecting to th e web-based manage r” on page 3 2 . Starting the setup wizard T o star t th[...]

  • Página 47

    NAT/Route mode installati on Using the front control buttons an d LCD FortiGate-400 Installation and Configuration Guide 47 Using the front control buttons and LCD As an alternative to the setup wizard, use the information that you recorded in T able 10 on page 45 to complete the following pr ocedure. S tarting with Ma in Menu displayed on the LCD,[...]

  • Página 48

    48 Fortinet Inc. Using the command line interface NAT/Route mode installa tion 3 Set the IP address and netmask of interf ace 2 to the external IP address and netmask that you recorded in T able 10 on p age 45 . set system interface port2 mode static ip <IP_address> <netmask> Example set system interface por t2 mode static ip 204.23.1.5[...]

  • Página 49

    NAT/Route mode installati on Connecting the FortiGa te unit to your networks FortiGate-400 Installation and Configuration Guide 49 Connecting the FortiGate unit to your networks When you have com pleted the init ial configuratio n, you can conne ct the FortiGat e unit between yo ur internal network a nd the Inte rnet. The FortiGate-400 ha s four 10[...]

  • Página 50

    50 Fortinet Inc. Configuring your network NAT/Route mode installati on Figure 7: FortiGate-400 NA T/Route mode connection s Configuring your network If you are running the FortiGate unit in NA T/Route mode , your networks must be configured to route all Internet traf fic to t he IP address of the FortiGate interface to which they are connected. Com[...]

  • Página 51

    NAT/Route mode installation Completing the configura tion FortiGate-400 Installation and Configuration Guide 51 Configuring interface 4/HA Use the followin g proced ure to con figure interf ace 4/HA t o connect to a network : 1 Log into the web-base d manager. 2 Go to System > Network > Interface . 3 Choose port4/ha and select Modify . 4 Make[...]

  • Página 52

    52 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Configuring virus and attack definition updates Y ou can go to System > Update to configur e the FortiGate unit to automatically check to see if new versions of the virus definitions an d attack definitions are available. If it finds new ver[...]

  • Página 53

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 53 Figure 8: Example multiple Internet connection configuration Configuring Ping servers Use the following procedure to make Gateway 1 the ping server for po rt2 and Gateway 2 the ping server for port3. 1 Go t[...]

  • Página 54

    54 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Using the CLI 1 Add a ping ser ver to port2. set system interface port2 config detectserver 1.1.1.1 gwdetect enable 2 Add a ping ser ver to port3. set system interface port3 config detectserver 2.2.2.1 gwdetect enable Destination based routing [...]

  • Página 55

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 55 Load sharing Y ou can also configure destination routing to direct traf fic through both gateways at the same time. If users on yo ur internal network connect to the networks of ISP1 and ISP2, you can add r[...]

  • Página 56

    56 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation 3 Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.1.1.1 • Gateway #2: 2.2.2.1 • Device #1: port2 • Device #2: port3 4 Select New to add a route [...]

  • Página 57

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 57 Policy routing examples Policy routing can be added to increase the control you have over how packet s are routed. Policy routing works on top of d e stination-based routing . This means you should configur[...]

  • Página 58

    58 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Firewall policy example Firewall policies control how traf fic flows th rough the FortiGa te unit. Once routing for multiple internet connections has be en conf igured you must create firewall policies to control which traffic is allo wed thro [...]

  • Página 59

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 59 Adding more firewall policies In most cas es your fire wall configura tion includes more than just the de fault policy . However , the basic premise of crea ting redundant policie s applies even as the fir [...]

  • Página 60

    60 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation[...]

  • Página 61

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 61 T ransp arent mode inst allation This chapter describes how to install your FortiGate unit in Transp arent mo de. If you want to install the FortiGa te unit in NA T/Route mod e, see “NA T/Route m ode insta llation” on page[...]

  • Página 62

    62 Fortinet Inc. Using the setu p wizard Transparen t mode instal lation Using the setup wizard From the web-based manager, you can use the setup wizar d to create the initial configuration of your FortiGate unit. T o connect to the web-based manager, see “Connecting to th e web-based manage r” on page 3 2 . Changing to Transparent mode The fir[...]

  • Página 63

    Transparent mode installatio n Usin g the front control buttons an d LCD FortiGate-400 Installation and Configuration Guide 63 Using the front control buttons and LCD This procedure descr ibes how to use t he control buttons and LCD to configur e T ransparent mode IP addresses. Use the informa tion that you recorded in T able 14 on pag e 61 to comp[...]

  • Página 64

    64 Fortinet Inc. Completing the configuration T ransparent mod e installation Configuring the Transparent mode management IP address 1 Log into the CLI if you are not alr eady logged in . 2 Set the management IP addr ess and netmask to the IP addr ess and netmask that you recorde d in T able 14 on p age 61 . Enter: set system management ip <IP a[...]

  • Página 65

    Transparent mode installatio n Connecting the FortiGate un it to your networks FortiGate-400 Installation and Configuration Guide 65 Registering your FortiGate After pur chasing and inst alling a new For tiGat e unit, you can register the u nit by goin g to System > Update > Support, or using a web browser to connect to http://support.fortine[...]

  • Página 66

    66 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 9: FortiGate-400 T ransparent mode connections T ransparent mode configuration examples A FortiGate unit operating in T ransparent mode still requir es a basic configuration to operate as a node on the IP networ k. As a minimum, the F ortiGate unit mus[...]

  • Página 67

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 67 This section describes: • Default routes and st atic routes • Example default r oute to an extern al network • Example static route to an external destination • Example static r oute to an internal destination Defau[...]

  • Página 68

    68 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 10: Default rout e to an external network General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the default route to the external ne[...]

  • Página 69

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 69 Web-based manager exampl e configuration steps T o configure basic T ransparent mode settings and a default route using the web-based manager : 1 Go to System > St atus . • Select Change to T ransparen t Mode. • Sele[...]

  • Página 70

    70 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 1 1: Static route to an external destination General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the st atic route to the FortiRes[...]

  • Página 71

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 71 Web-based manager exampl e configuration steps T o configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > St atus . • Select Change to T ransparen t Mode. • Select T r[...]

  • Página 72

    72 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Example static route to an internal destination Figure 12 shows a FortiGa te unit where the FDN is located on an external subnet and the management computer is located on a r emote, internal subnet. T o reach the FDN, you need to enter a single default rou te[...]

  • Página 73

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 73 Web-based manager exampl e configuration steps T o configure the FortiGate basic settings, a static route, and a d efault route using the web-based manager : 1 Go to System > St atus . • Select Change to T ransparen t [...]

  • Página 74

    74 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation[...]

  • Página 75

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 75 High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). The FortiGate un its in the HA cluster enforce the same overall security policy and shar e the s[...]

  • Página 76

    76 Fortinet Inc. Active-active HA High availabili ty During star tup the members of an HA clus ter negotiate to select the primar y unit. The primary unit allows other FortiGate unit s to join the HA cluster as subordinate units and assigns each subordin ate unit a priority . The primary FortiGate unit sends session mess ages to the subordinate uni[...]

  • Página 77

    High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 77 During star tup the members of the HA cluster ne gotiate to select the primary unit. The primary unit allows other FortiGate unit s to join the HA cluster as subordinate units and assigns each subordin ate unit a priority . The FortiGate unit s in the HA cl[...]

  • Página 78

    78 Fortinet Inc. HA in NAT/Route mode High availabili ty The 4/HA interface of each Fo rtiGate-400 unit must be co nf igured with a different IP address. The addre sses of the 4/HA interf aces must be on the same subnet and they must be configur ed for managemen t access. Repeat the following procedu re for each FortiGate unit in the HA cluster: 1 [...]

  • Página 79

    High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 79 4 Select the HA mode. Select Active-Passive mode to create an Active-Passive HA cluster , in which one FortiGate unit in the HA cluster is actively processing all connections and the others are passively mo nitoring the status and re maining synchronized wi[...]

  • Página 80

    80 Fortinet Inc. HA in NAT/Route mode High availabili ty 8 Under Monitor on Interface, select the na mes of the interfaces to be monitored. Monitor FortiGate interfaces to mak e sure th ey are functioning properly and that they are connected to their networks. If a monito red inter face fails or is discon nected from its network, the FortiGat e uni[...]

  • Página 81

    High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 81 The network eq uipment to use an d the proced ure to follow are the sa me, whether you are configuring the FortiGa te units for ac tive-active HA or active-passive HA. T o connect the FortiGate units to yo ur network: 1 Connect port 1 of each FortiGate unit[...]

  • Página 82

    82 Fortinet Inc. HA in Transparent mode High availabili ty Starting the HA cluster After all of the FortiGate unit s in the cluster are configur ed for HA and once the cluster is connected, use the following procedure to st art the HA cluster . 1 Power on all of the HA units in the cluster . As the units powe r on they negotiate to choose the prima[...]

  • Página 83

    High availability HA in Transparent mo de FortiGate-400 Installation and Configuration Guide 83 5 Change the HA IP address and Netmask as required. 6 Optionally configure management access for other interfaces. 7 Select Apply . Now that you have configured the HA interfaces, procee d to “Configuring the HA cluster” . Configuring the HA cluster [...]

  • Página 84

    84 Fortinet Inc. HA in Transparent mode High availabili ty 7 If you are config uring Active-Act ive HA, select a sche dule. The schedule controls load balancing am ong the FortiGate units in the active-active HA cluster . The schedule must be the same for all FortiGate unit s in the HA cluster . 8 Under Monitor on Interface, select the na mes of th[...]

  • Página 85

    High availability HA in Transparent mo de FortiGate-400 Installation and Configuration Guide 85 Figure 15: Sample a ctive-passive HA configuration 10 Repeat this procedure to add each FortiGate unit in the HA cluster . When you ha ve configured all o f the FortiGate unit s, proceed to “Connecting the HA cluster to your network” . Connecting the[...]

  • Página 86

    86 Fortinet Inc. Managing the HA cluster High availabili ty Starting the HA cluster After all of the FortiGate unit s in the cluster are configur ed for HA and once the cluster is connected, use the following procedure to st art the HA cluster . 1 Power on all of the HA units in the cluster . As the units powe r on they negotiate to choose the prim[...]

  • Página 87

    High availability Managing the HA cluster FortiGate-400 Installation and Configuration Guide 87 Figure 16: Example cluster members lis t Monitoring cluster members T o monitor health information for each cluster member . 1 Connect to the cluster and lo g into the web-based manager. 2 Go to System > St atus > Monitor . CPU, Memory S tatus, and[...]

  • Página 88

    88 Fortinet Inc. Managing the HA cluster High availabili ty 4 Select Virus & Intrusions. Virus and intr usions status is displayed fo r each clust er member . The primar y unit is identified as Local and the other unit s in the cluster are listed by serial number . The display includes bar gr aphs of the numb er viruses a nd intrusions detected[...]

  • Página 89

    High availability Managing the HA cluster FortiGate-400 Installation and Configuration Guide 89 Managing individual cluster units Y ou can manage individual cluster units by connecting to each unit’s HA interface using either the web-base d manager or the CLI. T o do this, the HA interfaces of each unit have to be configured for HTTPS and SSH man[...]

  • Página 90

    90 Fortinet Inc. Managing the HA cluster High availabili ty Use the following proc edure to make co nfiguration chan ges to the primar y FortiGate unit and then synchronize the co nfiguration of th e subordinate unit s. 1 Connect to the cluster and lo g into the web-based manager or CLI. 2 Make configuration changes as required. 3 Connect to the CL[...]

  • Página 91

    High availability Advanced HA opti ons FortiGate-400 Installation and Configuration Guide 91 Advanced HA options The following advanced HA options are available fro m the FortiGate CLI: • Selecting a FortiGate unit to a perm anent primary unit • Configuring weighted-ro und-robin weight s Selecting a FortiGate unit to a permanent primary unit In[...]

  • Página 92

    92 Fortinet Inc. Advanced HA options High availabili ty Configuring weighted-round-robin weights By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the clus ter . Once the cluster is configured to use the weighted round-ro bin schedule, you can use the set system ha weig ht comma[...]

  • Página 93

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 93 System st atus Y ou can connect to the web-based manager and go to System > S tatus to view the current status of your FortiGate unit. The st atus information tha t is displayed includes the current firmware version, the cu[...]

  • Página 94

    94 Fortinet Inc. Changing the FortiGat e host name System status Changing the FortiGate host name The FortiGate host name ap pears on the System > S tatus p age and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see “Configuring SNMP” on p a ge 162 ). The default h ost name is FortiGate-40 0. T o change the [...]

  • Página 95

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 95 Upgrade to a new firmware version Use the following procedure s to upgrade your FortiGate to a newer firm ware version. Upgrading the firmware usi ng the web-based manager 1 Copy the firmware image file to your manage ment computer . 2 Login to the [...]

  • Página 96

    96 Fortinet Inc. Changing the FortiGate fi rmware System status 5 Enter the following command to copy the fir mware image from the TFTP server to the FortiGate: execute restore image <name_str> <tftp_ip> Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP ser[...]

  • Página 97

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 97 1 Copy the firmware image file to your manage ment computer . 2 Login to the FortiGate web- based manage r as the admin administra tive user . 3 Go to System > St atus . 4 Select Firmware Upgrade . 5 Enter the path and filename of the previous fi[...]

  • Página 98

    98 Fortinet Inc. Changing the FortiGate fi rmware System status T o use the followin g procedure you must have a TFTP server that you can connect to from the FortiGate unit. 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFT P server . 3 Login to th e FortiGate CLI as th e admin administ[...]

  • Página 99

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 99 12 T o confirm that the antivirus and att ack definitions have been updated, enter the following command to display the an tivirus engi ne, virus and attack definitions version, contract ex piry , and last update attempt information. get system objv[...]

  • Página 100

    100 Fortinet Inc. Changing the FortiGate fi rmware System status 6 Enter the following co mmand to restart the FortiGate unit: execute reboot As the FortiGate units st arts, a series of system st artup messages are displayed. When one of the following messages appears: • FortiGate unit running v2.x BIOS Press Any Key To Download Boot Image. ... ?[...]

  • Página 101

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 101 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following appear . • FortiGate unit running v2.x BIOS Do You Want To Save The Image? [Y/n[...]

  • Página 102

    102 Fortinet Inc. Changing the FortiGate fi rmware System status T o test a new firmware image: 1 Connect to the CLI using a null modem cable and FortiGate con sole port. 2 Make sure the TFTP se rver is running. 3 Copy the new firmware image file to the root directory of the TFT P server . 4 Make sure that port1 is connected to the same network as [...]

  • Página 103

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 103 The following m essage appears: Enter File Name [image.out]: 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following appear . • FortiGa[...]

  • Página 104

    104 Fortinet Inc. Changing the FortiGate fi rmware System status 4 T o confirm that the FortiGate unit can co nnect to the TFTP se rver , use the following command to ping the computer running the TFTP serve r . For example, if the TFTP server ’s IP addr ess is 192.168.1.168: execute ping 192.168.1.168 5 Enter the following co mmand to restart th[...]

  • Página 105

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 105 Switching to the ba ckup firmware image Use this procedure to switch yo ur FortiG ate unit to operatin g with a backup firmware image that you have p revious installed. W h en you switch the FortiGate unit to the backup firm ware image , the FortiG[...]

  • Página 106

    106 Fortinet Inc. Manual virus definition updates System status Switching back to the default firmware image Use this proced ure to switch your F ortiGate unit to o perating with the b ackup firmwar e image that had been running as the default fi rmware image. When you switch to this backup firmware image, the configuration sa ved with this firm wa[...]

  • Página 107

    System status Manual attack definition updates FortiGate-400 Installation and Configuration Guide 107 5 Select OK to copy the antivirus defini tions update file to the FortiGate unit. The FortiGate u nit updates the antiviru s definitions. This t akes about 1 mi nute. 6 Go to System > St atus to confirm that the Antivirus Definitions V ersion in[...]

  • Página 108

    108 Fortinet Inc. Backing up system settings System status Backing up system settings Y ou can back up system settings by down loading them to a text file on the management compu ter: 1 Go to System > St atus . 2 Select System Settings Backup. 3 Select Backup Sy stem Setting s. 4 T ype a name and location for the file. The system settings file i[...]

  • Página 109

    System status Changing to T ransparent mode FortiGate-400 Installation and Configuration Guide 109 Changing to T ransp arent mode Use the followin g proced ure to switch the FortiG ate unit fro m NA T/Route mode to T ransparent mode. When the FortiGate u nit has changed to T ransparent mode it s configuration reset s to T ransparent mode factory de[...]

  • Página 110

    11 0 Fortinet Inc. Shutting down the FortiGate unit System status Shutting down the FortiGate unit 1 Go to System > S tatus . 2 Select Shutdown. The FortiGate unit shut s down and all traf fic flow stops. The FortiGate unit can only be rest arted af te r shutdown by turning t he power off, then on. System st atus Y ou can use the system status m[...]

  • Página 111

    System status System status FortiGate-400 Installation and Configuration Guide 111 Figure 1: CPU and memo ry st atus monitor CPU and memory inte nsive processes such a s encrypting and de crypting IPSec VPN traffic, virus scanning, and processing hig h levels of network traffic cont aining small packet s will increase CPU and memory usage. 1 Go to [...]

  • Página 112

    11 2 Fortinet Inc. System status System status Network utilization displays the total netwo rk bandwidth being used through all FortiGate interf aces. N etwork utilization also di splays netw ork utilization as a percentag e of the maximum network band wid th that can be proce ssed by the FortiGate u nit. 1 Go to System > St atus > Monitor . [...]

  • Página 113

    System status Session list FortiGate-400 Installation and Configuration Guide 11 3 Figure 3: Sessions and ne twork st atus monitor 3 Set the automatic refresh interva l and select Go to control how of ten the web-based manager updates the display . More frequent updates use system resources and increase network traf fic. However , this only occurs [...]

  • Página 114

    11 4 Fortinet Inc. Session list System status Figure 4: Example session list To I P The destination IP a ddress of the connection . To P o r t The destination port of the connection. Expire The time, in seconds, before the connection expires. Clear S top an active communication session.[...]

  • Página 115

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 11 5 V irus and att ack definitions up dates and registration Y ou can configure the FortiGate unit to c onnect to the FortiResponse Distribution Network (FDN) to update the antivirus and att ack definitions and antivirus engi ne[...]

  • Página 116

    11 6 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration The System > Update p age web-based manage r displa ys the following antivirus and attack defin ition update information: This section describes: • Connecting to the FortiResponse Distribution Network • Configuring scheduled u[...]

  • Página 117

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 11 7 T o make sure the FortiGate unit ca n connect to the FDN: 1 Go to System > Config > Time and make su re the time zone is set to the correct time zone for your area. 2 Go to System > Up da[...]

  • Página 118

    11 8 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration 4 Select Apply . The FortiGate unit star ts the next sche dule d update according to the new update schedule. Whenever a scheduled u pdate is run, the ev ent is record ed in the FortiGate event log. Figure 1: Configurin g automatic a[...]

  • Página 119

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 11 9 Adding an override server If you cannot connect to the F DN or if your organization provides antivirus and att ack updates usin g their own FortiResponse server , you can use the following p roced[...]

  • Página 120

    120 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration To enable push updates 1 Go to System > Up date . 2 Select Allow Push Update. 3 Select Apply . About push updates When you config ure a FortiGat e unit to a llow push updates, the FortiGate unit sends a SETUP message to the F DN. T[...]

  • Página 121

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 121 Figure 2: Example network topology: Push updates through a NA T device General procedure Use the following steps to config ure the Fo rtiGate NA T device and the FortiGate unit on the Internal netw[...]

  • Página 122

    122 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration Adding a port forwarding virtual IP to the FortiGate NA T device Use the follo wing proced ure to con figure a FortiGate NA T device to use port forwarding to forward push update connection s from the FDN to a FortiGate unit on the in[...]

  • Página 123

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 123 Figure 3: Push update port forwarding virtual IP Adding a firewall policy for the port forwarding virtual IP T o configure the FortiGate NA T device: 1 Add a new external to internal firewall polic[...]

  • Página 124

    124 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration 5 Set Port to the External Servic e Port added to the virtual IP . For the example top ology , enter 45001. 6 Select Apply . The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP addre[...]

  • Página 125

    Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-400 Installation and Configuration Guide 125 There are no special tun neling requirement s if you have configured an override server address to connect to the FDN. Push updates are not supported if the FortiG ate must connect to the Internet through a prox[...]

  • Página 126

    126 Fortinet Inc. Registering Forti Gate units Virus and attack defi nitions updates and registra tion T o activate the For tiCare Support Contract, you must regi ster the FortiGate unit and add the FortiCare Support Contr act number to the registration information. Y ou can also register th e FortiGate unit without pu rchasing a FortiCare Supp ort[...]

  • Página 127

    Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-400 Installation and Configuration Guide 127 Figure 5: Registering a FortiGate unit (c ontact information and security question) 3 Provide a security question and an answe r to the security question. 4 Select the model number of the Product Model to regist[...]

  • Página 128

    128 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on Up dating registration information Y ou can use your Fortinet support user nam e and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support infor mation. This section describes: • Recovering [...]

  • Página 129

    Virus and attack definitions updates and registration Updating registration informati on FortiGate-400 Installation and Configuration Guide 129 Figure 7: Sample list of registered FortiGa te unit s Registering a new FortiGate unit 1 Go to System > Up date > Support and select Suppor t Login. 2 Enter your Fort inet support use r name and passw[...]

  • Página 130

    130 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on 7 Select Finish. The list of FortiGate product s that you have registered is displayed. Th e list now includes the new suppor t contract information. Changing your Forti net support password 1 Go to System > Up date > Support and select[...]

  • Página 131

    Virus and attack definitions upda tes and registra tion Registering a Fort iGate unit after an RMA FortiGate-400 Installation and Configuration Guide 131 Figure 8: Downloading virus and attack definition updates For information about how to in stall the downloaded files, see “Manual virus definition updates” on p age 106 and “Manual attack de[...]

  • Página 132

    132 Fortinet Inc. Registering a FortiGate unit after an RMA Vi rus and attack defi nitions updates and registra tion[...]

  • Página 133

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 133 Network configuration Go to System > Network to make any of the following changes to the FortiGate network set tings: • Configuring zones • Configuring interfaces • Configuring VLANs • Configuring routing • Provi[...]

  • Página 134

    134 Fortinet Inc. Configuring zones Network configuration 3 T ype a Name for the zone. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed. 4 Optionally select Block intra-zone tr affic to bl ock traffic b etween interfaces in th[...]

  • Página 135

    Network configuration Configuring interfaces FortiGate-400 Installation and Configuration Guide 135 Deleting zones Y ou must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. Y ou can only dele te zones that have the Delete icon beside them in the zone list. 1 Go to System > Network > Zone . 2 Select Del[...]

  • Página 136

    136 Fortinet Inc. Configuring interfac es Network configuration Changing an interface static IP address Use the follo wing proced ure to cha nge the static IP address o f any FortiG ate interface: 1 Go to System > Network > Interface . 2 Select Modify for t h e interface to change . 3 Change the IP address and Netmask as requ ired. The IP add[...]

  • Página 137

    Network configuration Configuring interfaces FortiGate-400 Installation and Configuration Guide 137 Controlling management access to an interface 1 Go to System > Network > Interface . 2 Select Modify for the interface for which to co nfigure management access. 3 Select the management Access methods for the interface. Configuring management a[...]

  • Página 138

    138 Fortinet Inc. Configuring interfac es Network configuration 4 Set the MTU size. Set the maximum p acket size in the range of 68 to 1500 bytes. Th e default MTU size is 1500. Experiment by lo wering the MTU to find an MTU size for best network performance. Configuring port4/ha Y ou can use port4/ha as a firewall in terface or for communication b[...]

  • Página 139

    Network configuration Configuring VLANs FortiGate-400 Installation and Configuration Guide 139 3 Add a default gateway IP a ddress if th e Fo rtiGate unit must connect to a default gateway to reac h the managem ent compute r . 4 Select the management Access methods for each interf ace. 5 Select Apply to sa ve your changes. Configuring VLANs Using V[...]

  • Página 140

    140 Fortinet Inc. Configuring VLAN s Network configuration Figure 9: T ypical VLAN n etwork configuration In a typical VLAN config uration, a number of ph ysical networks could be connected to a single IEEE 802.1Q-compliant router . The router is configured to add VLAN IDs to the packet s that it receives from each netw ork and then route the p ack[...]

  • Página 141

    Network configuration Configuring VLANs FortiGate-400 Installation and Configuration Guide 141 Adding VLAN subinterfaces The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router . The VLAN ID can be any number between 1 and 409 6. Each VLAN subinterface must also be configured with it s own IP address a[...]

  • Página 142

    142 Fortinet Inc. Configuring VLAN s Network configuration 6 Enter the IP address and Netmask for the VLAN su binterface. 7 Optionally select a zone to add the VLAN subinterface to a zone. 8 Select the management Access for the VLAN subinterface to control how administr ators on the network that connects to this subi nterface can connect to and man[...]

  • Página 143

    Network configuration Configuring routi ng FortiGate-400 Installation and Configuration Guide 143 Configuring routing This section describes ho w to configure Fo rtiGate routing. Y ou can configure routing to add stat ic routes from the FortiGate unit to local routers. Usin g policy routing you can increase the flexibility of FortiGate routing to s[...]

  • Página 144

    144 Fortinet Inc. Configuring routing Network configuration T o support routing failo ver , the IP address of each gateway must be added to the ping server of t he interfa ce connec ted to the same netw ork as th e gateway . See “Adding a ping server to an interface” on page 136 . Adding destination -based routes to the routing t able 1 Go to S[...]

  • Página 145

    Network configuration Configuring routi ng FortiGate-400 Installation and Configuration Guide 145 Adding routes in Transparent mode Use the follo wing proced ure to add routes when operating the FortiGate unit in T ransparent mode. 1 Go to System > Network > Routing . 2 Select New to add a new route. 3 Enter the Destination IP address and Net[...]

  • Página 146

    146 Fortinet Inc. Configuring routing Network configuration Figure 1 1: Routing t able Policy routing Policy routing extend s the functions of de stination rout ing. Using policy rout ing you can route traffic base d not only the destination address but also on: • Source address • Protocol, service type, or port range • Incoming or sour ce in[...]

  • Página 147

    Network configuration Providing DHCP services to your internal network FortiGate-400 Installation and Configuration Guide 147 Providing DHCP services to your internal network If the FortiGate unit is operating in NA T/Route mode, you can use the CLI command set system dhcpserver to configure the For tiGate unit to be th e DHCP server for your inter[...]

  • Página 148

    148 Fortinet Inc. Providing DHCP services to your inte rnal network Network configuration[...]

  • Página 149

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 149 RIP configuration The FortiGate implement ation of the Routing Information Protocol (RIP) support s both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP me[...]

  • Página 150

    150 Fortinet Inc. RIP settings RIP configuration This chapter describes how to configur e FortiGate RIP: • RIP settings • Configuring RIP for FortiGate interfaces • Adding RIP neighbors • Adding RIP filters RIP settings Configure RIP settings to enable basic RIP functio nality and metrics and to configure RIP timers. 1 Go to System > RIP[...]

  • Página 151

    RIP configuration RIP settings FortiGate-400 Installation and Configuration Guide 151 7 Select Apply to sa ve your changes. Figure 1: Configuring RIP settings Up date The time interval in seconds between sendi ng routing table updates. The default is 30 seconds. Invalid The time interval in seconds after which a route is declared invalid. Invalid s[...]

  • Página 152

    152 Fortinet Inc. Configuring RIP for Forti Gate interfaces RIP configuration Configuring RIP for FortiGate interfaces Y ou can create a unique RIP configuratio n for each FortiGate interface and VLA N subinterface. T his allows you to customize RIP for the network to which each interface or each VLA N subint erface is con nected. For examp le: •[...]

  • Página 153

    RIP configuration Adding RIP neighbors FortiGate-400 Installation and Configuration Guide 153 4 Select OK to save the R IP config uration for the selected interface. Figure 2: Example RIP configuration for an internal interface Adding RIP neighbors Add RIP neighbors to de fine a neighbori ng router with which to exchange routing information. Add ne[...]

  • Página 154

    154 Fortinet Inc. Adding RIP filters RIP configuration 3 Add the IP address of a neighbor router that you want the F ortiGate unit to exch ange routing information with. 4 Select Enable Se nd RIP1 to se nd RIP1 messa ges to the neighbor . 5 Select Enable Se nd RIP2 to se nd RIP2 messa ges to the neighbor . 6 Select OK to add the RIP neighbor to the[...]

  • Página 155

    RIP configuration Adding RIP filters FortiGate-400 Installation and Configuration Guide 155 4 Select OK to save the RIP f ilter . Adding a RIP filter list Add a RIP filter list to filter multiple routes. A RIP filter list consist s of a RIP filter name and a series of route prefixes. Y ou can add a total of four RIP filte rs or RIP Filter lists. Wh[...]

  • Página 156

    156 Fortinet Inc. Adding RIP filters RIP configuration Adding a neighbors filter Y ou can select a single RIP filter or a RI P filter list to be the neighbors filter . 1 Go to System > RIP > Filter . 2 Add RIP filters and RIP f ilter list s as required. 3 For Neighbors Filter , select the name of the RI P filter or RIP filter list to become t[...]

  • Página 157

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 157 System configuration Go to System > Config to make any of the following changes to the FortiGat e system configuration: • Setting system date and time • Changing web-based man ager options • Adding and editing admini[...]

  • Página 158

    158 Fortinet Inc. Changing web-based manager options System configuration 8 S pecify how often the FortiGate unit should synchronize its time with the NTP server . A typical Syn Interval would be 1440 minute s for the FortiGate unit to synchronize it s time once a day . 9 Select Apply . Figure 1: Example date and time setting Changing web-base d ma[...]

  • Página 159

    System configuration Chang ing web-base d manager options FortiGate-400 Installation and Configuration Guide 159 T o set the Auth timeou t 1 For Auth T imeout, type a number in minutes. 2 Select Apply . Auth T imeout controls the amount of inacti ve time that the fi rewall waits before requiring users to authen ticate again. For more informatio n, [...]

  • Página 160

    160 Fortinet Inc. Adding and editing administrato r accounts System configuration Adding and editing administrator account s When the FortiGate unit is initia lly installed, it is configur ed with a single administr ator account with the user name admin. From this administrator accou nt, you can add and edit administra tor accoun ts. Y ou can also [...]

  • Página 161

    System configuration Adding and editing administrator accounts FortiGate-400 Installation and Configuration Guide 161 Editing administrator accounts The admin account user can change indi vidual administrator account p asswords, configure the IP addresses from which administrato rs can access the web-based manager, and change the admin istrator per[...]

  • Página 162

    162 Fortinet Inc. Configuring SNMP System configuration Configuring SNMP Configure the FortiGate SNMP agent to report system information and se nd traps to SNMP managers. The FortiGate SNMP agent supp orts SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665. The FortiGate SNMP impleme ntation is read-only . SNMP v1 and v2c compliant SNMP ma[...]

  • Página 163

    System configuration Configuring SNMP FortiGate-400 Installation and Configuration Guide 163 4 Select Apply . Figure 2: Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent suppo rts FortiGat e propriet ary MIBs as well as standa rd RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Ta b l e 1 . Y ou can obtain th ese MIB fil[...]

  • Página 164

    164 Fortinet Inc. Customizing replacement messages System configuration FortiGate traps The FortiGa te agent ca n send t raps to up to thre e SNMP tr ap receiver s on your network that are configur ed to receive tr ap s from the FortiGate unit. For these SNMP managers to receive trap s, you must load and compile th e Fortinet trap MIB onto the SNMP[...]

  • Página 165

    System configuration Custom izing replacement messages FortiGate-400 Installation and Configuration Guide 165 This section describes: • Customizing replacement messages • Customizing alert emails Figure 3: Sample replacement m essage Customizing replacement messages Each of the replacement messages in the replace ment message list is created by[...]

  • Página 166

    166 Fortinet Inc. Customizing replacement messages System configuration Customizing alert emails Customize alert emails to control the content disp layed in alert email messages sent to system administrators. 1 Go to System > Config > Replacement Mes sages . 2 For the alert email message you want to customize, select Modify . 3 In the Message[...]

  • Página 167

    System configuration Custom izing replacement messages FortiGate-400 Installation and Configuration Guide 167 %%EMAIL_FROM%% The email address of the sender of the message in which the virus was found. %%EMAIL_TO%% The email address of the intended receiver of the message in which the virus was found. Block alert Used for file block alert email mes[...]

  • Página 168

    168 Fortinet Inc. Customizing replacement messages System configuration[...]

  • Página 169

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 169 Firewall configuration Firewall policies control all traf fic passing th rough the FortiGate unit. Firewall policies are instructions used by the Fort iGate un it to decide what to do with a connection request. When the firew[...]

  • Página 170

    170 Fortinet Inc. Default firewall configuration Firewall configuration Default firewall configuration By default, t he users on the netw ork connec ted to por t1 can co nnect throu gh the FortiGate unit to the network connected to po rt2. The firewall blocks all other connections. The firewall is configured with a default policy that matches any c[...]

  • Página 171

    Firewall confi guration Default firewall configurati on FortiGate-400 Installation and Configuration Guide 171 Zones Y ou can add zones to the FortiGate configuration to group together related interfaces and VLAN subinterfaces to simplify firewa ll policy creation. For more information about zones, see “Configurin g zones” on page 133 . T o add[...]

  • Página 172

    172 Fortinet Inc. Adding firewall policies Firewall configuration Services Policies can also control connections based o n the service or destination port num ber of packet s. The defaul t policy accepts co nnec tions to using an y service or destination port number . The firewall is conf igured with over 40 pred efined services. Y ou can add these[...]

  • Página 173

    Firewall confi guration Adding firewall policies FortiGate-400 Installation and Configuration Guide 173 Figure 5: Adding a NA T/Route po licy Firewall policy options This section describes the o ptions th at you can add to fir ewall policies. Source Select an address o r address group that matches the source address of the p acket. Before you can a[...]

  • Página 174

    174 Fortinet Inc. Adding firewall policies Firewall configuration For NA T/Route mode po licies where the addre ss on the destination network is hidden from the source network using NA T , the destina tion can also be a virtual IP that maps the destinatio n address of the packet to a hidde n destination ad dress. See “Virtual IPs” on pag e 188 [...]

  • Página 175

    Firewall confi guration Adding firewall policies FortiGate-400 Installation and Configuration Guide 175 Traffic Shaping T raffic Shaping controls the bandwidth ava ilabl e to and sets the priority of the traf fic processed by the po licy . T raffic Shap ing makes it possible to control w hich policies have the highest priority when large amount s o[...]

  • Página 176

    176 Fortinet Inc. Adding firewall policies Firewall configuration In most cases you should make su re that users can use DNS through th e firewall without auth entication. If DNS is not availa bl e users cannot connect to a web, FTP , or T elnet server u sing a domain name. Anti-Virus & Web filter Enable antivirus protection and web filter cont[...]

  • Página 177

    Firewall confi guration Configuring poli cy lists FortiGate-400 Installation and Configuration Guide 177 Log Traffic Select Log Traf fic to write me ssages to the t raffic log whenever th e policy proces ses a connection. For more informatio n about logging, see “Logging and reporting” on page 281 . Comments Optionally add a description or othe[...]

  • Página 178

    178 Fortinet Inc. Configuring policy lists Firewall co nfiguration A policy that is an exception to the defa ul t policy , for example, a policy to block FTP connections, must be placed above the default policy in the port1 -> port2 policy list. In this example, all FTP connection atte mpts from the internal network would then match the FTP poli[...]

  • Página 179

    Firewall confi guration Addresses FortiGate-400 Installation and Configuration Guide 179 Addresses All policies require source and de stination addresses. T o add addresses to a policy , you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces o f the policy . Y ou can add, edit, and delete all firewall a dd[...]

  • Página 180

    180 Fortinet Inc. Addresses Firewall configurati on 6 Enter the NetMask. The netmask should cor respond to the type of address that you are addin g. For example: • The netmask for the IP address of a si ngle computer should be 255.255.255.255 . • The netmask for a class A subnet shou ld be 255.0.0.0. • The netmask for a class B subnet sh ould[...]

  • Página 181

    Firewall confi guration Addresses FortiGate-400 Installation and Configuration Guide 181 3 Choose an address to delete and select Delete . 4 Select OK to delete the addre ss. Organizing addresses in to address groups Y ou can organize related addresses into address gr oups to make it easier to add policies. For e xample, if you add th ree a ddresse[...]

  • Página 182

    182 Fortinet Inc. Services Firewall configuration Services Use services to control the types of communication accep ted or denied by the fire wall. Y ou can add any of the predefined se rvices to a policy . Y ou can also create your own custom services and add services to service group s. This section describes: • Predefined se rvices • Providi[...]

  • Página 183

    Firewall confi guration Services FortiGate-400 Installation and Configuration Guide 183 H323 H.32 3 multimedia protocol. H.323 is a standard approved by the Internatio nal T elecommunicati on Union (ITU) that defines how audiovisual conferenci ng data is transmitted across networks. tcp 1720, 1503 HTTP HTTP is the protocol used by the word wide web[...]

  • Página 184

    184 Fortinet Inc. Services Firewall configuration Providing access to custom services Add a custom service if you need to create a policy fo r a service that is not in the predefined service list. 1 Go to Firewall > Service > Custo m . 2 Select New . 3 Enter a Name for the service. This name appears in the service list used when you add a pol[...]

  • Página 185

    Firewall confi guration Services FortiGate-400 Installation and Configuration Guide 185 5 S pecify a Source and Destination Port number r ange for the service by enteri ng the low and high port numbers. If th e service uses one port number , enter this number in both the low and high fields. 6 If the service has more than one port range, sele ct Ad[...]

  • Página 186

    186 Fortinet Inc. Schedules Firewall configura tion Schedules Use scheduling to control when policies ar e active or inactive. Y ou can create one-time schedu les and recurring schedules. Y ou can use one-time sched ules to create policies that are ef fect ive once fo r the perio d of time sp ecified in th e schedule. Recurring schedules repea t we[...]

  • Página 187

    Firewall confi guration Schedules FortiGate-400 Installation and Configuration Guide 187 Creating recurring schedules Y ou can create a recurring schedule tha t acti vates or deactivates policies at specified times of the day or on specified days of t he week. For example, you might want to prevent In ternet us e outside of work ing hours b y creat[...]

  • Página 188

    188 Fortinet Inc. Virtual IPs Firewall configuration Adding a schedule to a policy After you have created schedules, you can add them to policies to schedule when the policies are active . Y ou can add th e new schedules to policie s when you create the policy , or you can ed it existing policies and add a new schedule to them. 1 Go to Firewa ll &g[...]

  • Página 189

    Firewall confi guration Vi rtual IPs FortiGate-400 Installation and Configuration Guide 189 This section describes: • Adding static NA T virtual IPs • Adding port fo rwarding vir tual IPs • Adding policies with virtual IPs Adding static NAT virtual IPs 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 Enter a Name for th[...]

  • Página 190

    190 Fortinet Inc. Virtual IPs Firewall configuration 8 Select OK to save the v irtual IP . Y ou can now add the virtual IP to firewall policies. Adding port forwar ding virtual IPs 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 Enter a Name for the virtual IP . The name can cont ain numbers (0-9), u ppercase and lowercase l[...]

  • Página 191

    Firewall confi guration Vi rtual IPs FortiGate-400 Installation and Configuration Guide 191 Figure 13: Adding a port forwarding virtu al IP Adding policies wi th virtual IPs Use the followin g proced ure to add a policy that uses a virt ual IP to fo rward packets. 1 Go to Firewall > Polic y . 2 Select the type of policy to add. • The sourc e i[...]

  • Página 192

    192 Fortinet Inc. IP pools Firewall configura tion 4 Select OK to save the policy . IP pools An IP pool (also called a dynamic IP pool) is a range of IP ad dresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destinati on set to this interface. Y ou can add a[...]

  • Página 193

    Firewall confi guration IP/MAC binding FortiGate-400 Installation and Configuration Guide 193 Figure 14: Adding an IP Pool IP Pools for firewall pol icies that use fixed ports Some network configurations will not operate correctly if a NA T policy translates the source port of packet s used by the connec tion. NA T translates source ports to keep t[...]

  • Página 194

    194 Fortinet Inc. IP/MAC binding Firewall configuration Y ou can enter the static IP addresses an d corresponding MAC addresses of trusted computers in the S tatic IP/MAC table. IP/MAC binding can be enab led for packet s connecting to the fir ewall or passing through the firewall. This section describes: • Configuring IP/ MAC bindin g for packet[...]

  • Página 195

    Firewall confi guration IP/MAC binding FortiGate-400 Installation and Configuration Guide 195 Configuring IP/MAC binding for packets going to the firewall Use the followin g procedur e to use IP/ MAC binding to filter packet s that would normally connect with the firewall (fo r exampl e, when an administrator is con necting to the FortiGate unit fo[...]

  • Página 196

    196 Fortinet Inc. IP/MAC binding Firewall configuration Viewing the dyna mic IP/MAC list 1 Go to Firewall > IP/M AC Binding > Dynami c IP/MAC . Enabling IP/MAC binding 1 Go to Firewall > IP/M AC Binding > Setting . 2 Select Enable IP/MAC binding going throug h the firewall to turn on IP/MAC binding for packet s that could be matched by [...]

  • Página 197

    Firewall confi guration Content profiles FortiGate-400 Installation and Configuration Guide 197 Content profiles Use content profiles to app ly diff erent prot ection settings for content traf fic controlled by firewall policies. Y ou can use content profiles to: • Configure antivirus protection for HT TP , FTP , POP3, SMTP , and IMAP policies ?[...]

  • Página 198

    198 Fortinet Inc. Content profiles Firewall configuration 3 T ype a Profile Name. 4 Enable antivirus protection options. 5 Enable Web filtering options. 6 Enable Email filter protection options. 7 Enable fragmented email and oversized file and email options. 8 Select OK. Anti Virus Scan Scan web, FTP , and email traffic for viruses and worms. See ?[...]

  • Página 199

    Firewall confi guration Content profiles FortiGate-400 Installation and Configuration Guide 199 Figure 16: Example con tent profile Adding a content pr ofile to a policy Y ou can add content profiles to policies with actio n set to allow or encryp t and with Service set to ANY , HTTP , FTP , IMAP , POP3, SMTP , or a service group th at includes the[...]

  • Página 200

    200 Fortinet Inc. Content profiles Firewall configuration[...]

  • Página 201

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 201 Users and authentication FortiGate unit s support user authenticati on to the FortiG ate user database, to a RADIUS serve r , and to an LDAP ser ver . Y ou can add us er names t o the Fort iGate user dat abase and then add a [...]

  • Página 202

    202 Fortinet Inc. Setting authentication timeout Users and authenticati on This chapter describes : • Setting authentication timeout • Adding user names and co nfiguring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user group s Setting authentication timeout T o set authenti cation timeout: 1 Go to [...]

  • Página 203

    Users and authentication Adding user names and con figuring authentica tion FortiGate-400 Installation and Configuration Guide 203 5 Select T ry other servers if conn ect to selected server fa ils if you have selected Radius and you want the FortiGate unit to try to conn ect to other RADIUS servers added to the FortiGate RADI US configura tion. 6 S[...]

  • Página 204

    204 Fortinet Inc. Configuring RADIUS supp ort Users and authentication Configuring RADIUS support If you have configur ed RADIUS support and a user is required to authenticate using a RADIUS server , the FortiGate unit cont ac ts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers Addi[...]

  • Página 205

    Users and authentication Configuring LDAP suppo rt FortiGate-400 Installation and Configuration Guide 205 Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server , the FortiGate unit contact s the LDAP server for authentication. T o authentication with the FortiGate un it, the user en[...]

  • Página 206

    206 Fortinet Inc. Configuri ng LDAP support Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server . Enter the base distinguishe d name for the server using the correct X.500 or LDAP format. The FortiGate u nit passes this distinguished name unchanged to the server . For example, you could use the followi[...]

  • Página 207

    Users and authentication Configuring user groups FortiGate-400 Installation and Configuration Guide 207 Configuring user group s T o enable authentication, yo u mu st add user names, RADIUS servers and LDAP servers to one or more user gr oups. Y ou can then select a user group wh en you require authenticati on. Y ou can select a user group to confi[...]

  • Página 208

    208 Fortinet Inc. Configuring user g roups Users and authentication Figure 20: Adding a user group 3 Enter a Group Name to identify th e user group. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed. 4 T o add users to the user[...]

  • Página 209

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 209 IPSec VPN A Virtua l Private Network (VPN) is an extension of a private network that encompasses links across sh ared or public networks such as the Intern et. For example, a compan y that has two offices in di fferen t citie[...]

  • Página 210

    210 Fortinet Inc. Key management IPSec VPN Key management There are three basic elem ents in any en cryption system: • an algorithm which changes informa tion into code, • a cryptographic key which serves as a secret starting point for the algor ithm, • a management system to control the ke y . IPSec provides two ways to handle key exchange a[...]

  • Página 211

    IPSec VPN Manual key IPSec VPNs FortiGate-400 Installation and Configuration Guide 21 1 Manual key IPSec VPNs When manu al keys are employed , compleme ntary security parameter s must be entered at both ends of the tunnel. In ad dition to encryption and authen tication algorithms and keys, the security parameter index (SPI) is required. The SPI is [...]

  • Página 212

    212 Fortinet Inc. Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexade cimal number of up to eight digit s (digits can be 0 to 9, a to f) in the rang e bb8 to FFFFFFF . This number must be added to the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway . This is the external IP[...]

  • Página 213

    IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 213 AutoIKE IPSec VPNs Fortunate support s two methods of Automa tic Internet Key Exch ange (AutoIKE) fo r the purpose of establish ing IPSec VPN tu nnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. • General configuration step s for an AutoIK[...]

  • Página 214

    214 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 3 Enter a Gateway Name for the remote VPN peer . The remote VPN pee r can be either a gatewa y to another netw ork or an individual client on the In ternet. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters a[...]

  • Página 215

    IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 215 10 Optionally , enter th e Local ID of th e FortiGat e unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer . (If you do not add a local ID, the FortiGate unit will transm it[...]

  • Página 216

    216 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Optionally , configure NA T T raversal. 5 Optionally , configur e Dead Peer Detection . Use these settings to monitor the st atus of the connec tion between VPN peer s. DPD allows dead connections to be cleane d up and new VPN tunnels est ablished. DPD is not suppor ted by all ve ndors. 6 Select OK t[...]

  • Página 217

    IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 217 Figure 21: Adding a phase 1 config uration Adding a phase 2 configurat ion for an AutoIKE VPN Add a phas e 2 configu ration to spec ify the paramete rs used to c reate and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer [...]

  • Página 218

    218 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Select a Remote Gateway to as sociate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individu al client on the Internet. Remote gateways are added as pa rt of the phase 1 configuration. For details, see “Adding a phase 1 configura tion for an AutoIKE VP N” [...]

  • Página 219

    IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 219 Figure 22: Adding a phase 2 config uration Managing digit al certificates Digital certifica tes are used to ensure that both p articipant s in an IPSec communications session are trustworthy , prior to an encrypted VPN tunnel being set up between the par[...]

  • Página 220

    220 Fortinet Inc. Managing digital certificates IPSec VPN Generating the certificate request With this procedure, you gen erate a privat e and public key p air . The public key is the base component of the certificate request. T o generate the certificate requ est: 1 Go to VPN > Local Certificates . 2 Select Generate. 3 Enter a Certificate Name.[...]

  • Página 221

    IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 221 Figure 23: Adding a Local Certific ate Downloading the certificate request With this procedure, you down load the cert ificate request f rom the Fo rtiGate u nit to the management computer . T o download th e certificate request: 1 Go to VPN > Local C[...]

  • Página 222

    222 Fortinet Inc. Managing digital certificates IPSec VPN 4 Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encod ed PKCS#10 certif icate requ est to the CA web server , • paste the certificate re quest to the CA web server , • submit the certificate request to the CA web server . The certificate[...]

  • Página 223

    IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 223 3 Enter the path or browse to locate the signed local certificate on the management computer . 4 Select OK. The signed local certificate will be displayed on the Local Cert ificates list with a status of OK. Obtaining a CA certificate For the VPN peers t[...]

  • Página 224

    224 Fortinet Inc. Configuring encrypt policies IPSec VPN Configuring encrypt policies A VPN connects the local, intern al network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on th ese networks can use the VPN. A VPN requires only one encr ypt policy to control both inbound and out[...]

  • Página 225

    IPSec VPN Co nfiguring encrypt policies FortiGate-400 Installation and Configuration Guide 225 Adding a source address The source address is located with in the inte rnal ne twork of the local VPN peer . It can be a single computer addre ss or the address of a network. 1 Go to Firewall > Address . 2 Select an internal interface. (Methods will di[...]

  • Página 226

    226 Fortinet Inc. Configuring encrypt policies IPSec VPN Refer to the FortiGate Inst allation and Configuration Guide to configur e the remaining policy settings. 9 Select OK to save the encry pt policy . T o make sure that the encrypt policy is matched for VPN connection s, arrange the encrypt policy above other policies with similar source and de[...]

  • Página 227

    IPSec VPN IPSec VPN concen trators FortiGate-400 Installation and Configuration Guide 227 IPSec VPN concentrators In a hub-and-spoke ne twork, all VPN tunnels termin ate at a single VPN peer known as a hub. The peer s that connect to th e hub are known as sp okes. The hub fun ctions as a concentr ator on the network , managing the VPN conn ections [...]

  • Página 228

    228 Fortinet Inc. IPSec VPN concentrators IPSec VPN T o create a VPN concentrator configuratio n: 1 Configure a tunnel fo r each spoke. Choose betwe en a manual key tunnel or an AutoIKE tunnel. • A manual key tunnel consist s of a name fo r the tunnel, the IP address of the sp oke (client or gateway) at the opposite end of the tu nnel, and the en[...]

  • Página 229

    IPSec VPN IPSec VPN concen trators FortiGate-400 Installation and Configuration Guide 229 Adding a VPN concentrator T o add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator . 2 Select New to ad d a VPN conc entrator . 3 Enter the name of the new conce ntrator in the Concentrator Name field. 4 T o add tunnels to the VPN con[...]

  • Página 230

    230 Fortinet Inc. IPSec VPN concentrators IPSec VPN VPN spoke general co nfiguration steps A remote VPN pee r that is functio ning as a spok e requires the f ollowing configur ation: • A tunnel (Auto IKE phase 1 an d phase 2 conf iguration or manu al key configura tion) for the hub. • The source addre ss of the local VPN spoke. • The destinat[...]

  • Página 231

    IPSec VPN Redundant IPSec VPNs FortiGate-400 Installation and Configuration Guide 231 See “Adding an encrypt policy” on p age 225 . 6 Arrange the policie s in the following order: • outbound encrypt policies • inbound encrypt policy • default non-encrypt policy (Interna l_All -> External_All) Redundant IPSec VPNs T o ensure the continu[...]

  • Página 232

    232 Fortinet Inc. Redundant IPSec VPNs IPSec VPN Configure the two FortiGate un its with symmetric al settings for their connections to the Internet. For example, if the remote FortiG ate unit has tw o external int erfaces grou ped within one zon e, then the local FortiG ate unit sho uld have two externa l interfac es grouped within one zone. Simil[...]

  • Página 233

    IPSec VPN Monitoring and Troublesh ooting VPNs FortiGate-400 Installation and Configuration Guide 233 Monitoring and T roubleshooting VPNs This section provid es a number of ge ne ral maintenance and monitoring procedures for VPNs. This section describes: • Viewin g VPN tunnel st atus • Viewing dialu p VPN connection status • T esting a VPN V[...]

  • Página 234

    234 Fortinet Inc. Monitoring and Troubleshooti ng VPNs IPSec VPN T o view dialup connection st atus: 1 Go to VPN > IPSec > Dialup . The Lifetime column displays how long the connection has been up. The T imeout column displays the time before the next key exchange. The tim e is calculated by subtracting the tim e elapsed since the last key ex[...]

  • Página 235

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 235 PPTP and L2TP VPN Y ou can use PPTP and L2TP to crea te a virtual private network (VPN) between a remote client PC running the Windows op er ating system an d your inte rnal netw ork. Because they are is a Windows st andards,[...]

  • Página 236

    236 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN Figure 29: PPTP VPN between a Windows client and the FortiGate unit Configuring the FortiGat e unit as a PPTP gateway Use the followin g proced ures to con figure the FortiGate u nit as a PPTP gate way: Adding users and user groups T o add a user for each PP TP client: 1 Go to User > Local . 2[...]

  • Página 237

    PPTP and L2TP VPN Configuring PPTP FortiGate-400 Installation and Configuration Guide 237 Figure 30: Example PPTP Range configu ration Adding a source address Add a sour ce address for ever y address in the PPT P address range. 1 Go to Firewall > Address . 2 Select the interface to which PP TP clients connect. This can be an interface, VLAN subi[...]

  • Página 238

    238 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 T o remove addresses from the addr ess group, select an address from the Member s list and select the left arrow to remove it from the group. Select OK to add the address group . Adding a destination address Add an address to which PP TP users can connect. 1 Go to Firewall > Address . 2 Sele[...]

  • Página 239

    PPTP and L2TP VPN Configuring PPTP FortiGate-400 Installation and Configuration Guide 239 4 Select Add. 5 Select Microsof t as the manufacturer . 6 Select Microsoft V irtual Private Networking Adapter . 7 Select OK twice. 8 Insert diskettes or CDs as required. 9 Restart the com puter . Configuring a PPTP dialup connection 1 Go to My Computer > D[...]

  • Página 240

    240 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 Set Connection Availability to On ly for myself and select Next. 6 Select Finish. 7 In the Connect window , select Properties. 8 Select the Security tab. 9 Uncheck Requir e da ta encryption. 10 Select OK. Connecting to the PPTP VPN 1 S tart the dialup connection that yo u configured in the prev[...]

  • Página 241

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 241 5 Select Advanced to configure ad vanced settings. 6 Select Settings. 7 Select Challenge Handshake Authen tication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab. 10 Make sure that the fo llowing opt ions[...]

  • Página 242

    242 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Figure 31: L2TP VPN between a Windows client and the FortiGate unit Configuring the FortiGat e unit as a L2TP gateway Use the follo wing proced ures to c onfigure th e FortiGa te unit as a n L2TP g ateway: Adding users and user groups T o add a user for each L2TP client: 1 Go to User > Local .[...]

  • Página 243

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 243 Figure 32: Sample L2TP addres s range configura tion 6 Add the addresses from the L2TP ad dress range to the External zo ne address list. The addresses can be grouped into an Exter nal address group. 7 Add addresses to the destination zone a ddress list to con[...]

  • Página 244

    244 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 2 Add a new address group to the interface to which L2TP clients co nnect. This can be an interface, VLAN subinterfa ce, or zone. 3 Enter a Group Name to iden tify the address grou p. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - a[...]

  • Página 245

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 245 Configuring a Windows 2000 client for L2TP Use the following p rocedure to co nfigure a clie nt computer running Wi ndows 2000 s o that it can connect to a FortiGate L2TP VPN. Configuring an L2TP dialup connection 1 Go to St art > Settings > Network and [...]

  • Página 246

    246 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 8 Add the following registry value to this key: Value Name: ProhibitIpSec Data Type: REG_DWORD Value: 1 9 Save your changes and rest art the computer for the changes to t ake ef fect. Y ou must add the ProhibitIpSec registry value to each Windows 2000-based endpoint comp uter of an L2TP or IPSec [...]

  • Página 247

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 247 5 Select Advanced to configure ad vanced settings. 6 Select Settings. 7 Select Challenge Handshake Authen tication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab. 10 Make sure that the fo llowing opt ions[...]

  • Página 248

    248 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Connecting to the L2TP VPN 1 Connect to your ISP . 2 S tart the VPN connection that yo u co nfigured in the previous pr ocedure. 3 Enter your L2TP VPN User Name and Password. 4 Select Connect. 5 In the connect window , enter the User Name and Password tha t you use to connect to your dialup netwo[...]

  • Página 249

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 249 Network Intrusion Detection System (NIDS) The FortiGat e NIDS is a re al-time netw ork intrusio n detectio n sensor th at uses at tack signature definitions to both detect and prev ent a wide variet y of suspicious network tr[...]

  • Página 250

    250 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Selecting the interfaces to monitor 1 Go to NIDS > Detection > General . 2 Select the interfaces to monitor for ne twork attacks. Y ou can select up to 4 interfaces and VLAN subinterfaces. 3 Select Apply . Disabling the NIDS 1 Go to NIDS > Detection > Genera[...]

  • Página 251

    Network Intrusion Detection S ystem (NIDS) Detecting attacks FortiGate-400 Installation and Configuration Guide 251 Viewing the signature list T o display the current list of NIDS signature group s and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List . 2 View the names an d action status of the signature gro[...]

  • Página 252

    252 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Enabling and disabling NI DS attack signatures By default, all NIDS attack signatures ar e enabled . Y ou can use the NIDS signature list to disable detection of some atta cks. Disabling unnecessary NIDS attack signatures can improve system performa nce and reduce the n[...]

  • Página 253

    Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-400 Installation and Configuration Guide 253 Figure 35: Example user -defined si gnature list Downloading the user-defined signature list Y ou can back up the user-defined signature lis t by downloading it to a text file on the management compu ter . 1 Go to NIDS > Detection[...]

  • Página 254

    254 Fortinet Inc. Preventing attacks Network Intrusion Detection System (NIDS) Enabling NIDS attack prevention signatures The NIDS Prevention mo dule contain s signat ures that are designed to protect you r network against attacks. Some signatures are enabled by defa ult; others must be enabled. For a complete list of NIDS Prevention signatures and[...]

  • Página 255

    Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-400 Installation and Configuration Guide 255 For example, setting the icmpflood signat ure threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher , th e FortiGate unit will block th[...]

  • Página 256

    256 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS) Configuring synflood signature values For synflood signatures, yo u can set the thre shold, queu e size, and keep alive values. 1 Go to NIDS > Prevention . 2 Select Modify for the synflood signature. 3 T ype the Threshold va lue. 4 T ype the Queue Size. 5 T ype the T ime[...]

  • Página 257

    Network Intrusion Detection System (NIDS) Logging attacks FortiGate-400 Installation and Configuration Guide 257 Reducing the number of NIDS attack log and email messages Intrusion attempt s may generate an excessive number of attack messages. T o help you distingu ish real warn ings from f alse al arms, the FortiGate unit provides methods to reduc[...]

  • Página 258

    258 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS)[...]

  • Página 259

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 259 Antivirus protection Antivirus protection is enabled in fire wall policies. When you enable antivirus protection for a firewall polic y , you select a content profile that controls how the antivirus protection behaves. Conten[...]

  • Página 260

    260 Fortinet Inc. Antivirus scanning Antivirus protection 6 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file. See “Configur ing alert email” in the Logging and Message Refere nce Guide. Antivirus scanning Virus scan ning intercepts mo st files (including files compressed with up to 12 laye rs of co[...]

  • Página 261

    Antivirus protection File blocking FortiGate-400 Installation and Configuration Guide 261 Figure 37: Example content profile for virus scan ning File blocking Enable file blocking to remove all files that pose a potential threat and to provide the best protection fr om active computer virus attacks. Blocking files is the only pr otection available [...]

  • Página 262

    262 Fortinet Inc. File blocking Antivirus protection By default, w hen blocki ng is enabled, the FortiG ate unit bl ocks the follo wing file patterns: • executable files (*.bat, *.com, and *.exe) • compressed or archive files (*.gz, *.rar , *.tar , *.tgz, and *.zip) • dynamic link libraries (*.dll) • HTML applic ation (*.hta) • Microsoft [...]

  • Página 263

    Antivirus protection Quarantine FortiGate-400 Installation and Configuration Guide 263 Quarantine FortiGate w ith hard dis ks can be co nfigur ed to quarantine blocked or infected files. The quarantined file s are removed from the content str eam and stored on the FortiGate hard disk. Users re ceived a messag e informing th em that the removed file[...]

  • Página 264

    264 Fortinet Inc. Quarantine Antivirus protection Viewing the qua rantine list 1 Go to Anti-Virus > Quaran tine . The quarantine list provides the following information. Sorting the quarantine list Y ou can sort the quarantine list according to status (in fected or blocked), service (IMAP , POP3, SMTP , FTP , or HTTP), al phabeti cally by file n[...]

  • Página 265

    Antivirus protection Quarantine FortiGate-400 Installation and Configuration Guide 265 Filtering the quarantine list Y ou can filter the quarantine list to: • Display only blocked files • Display only infected files • Display blocked and infected files found only in IMAP , POP3, SMTP , FTP , or HTTP traffic Deleting files from quarantine 1 Go[...]

  • Página 266

    266 Fortinet Inc. Blocking oversized files and emails Antivirus protection Blocking oversized files and emails Y ou can configure the FortiGate unit to buff er 1 to 15 percent of available memory to store oversized files and email. Th e FortiGat e unit then blocks a file or email that exceeds this limit instead of byp assing anti vir us scanning an[...]

  • Página 267

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 267 W eb filtering Web filtering is enabled in firewall policies. When you enable Anti-V irus & Web filter in a firewall policy , you select a content profile that controls how we b filtering behaves for HTTP traffic. Content[...]

  • Página 268

    268 Fortinet Inc. Content blocking Web filtering 4 Configure the messages that users rec eive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 164 . 5 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file. See “Configur ing alert email”[...]

  • Página 269

    Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 269 Figure 38: Exam ple banned w ord list URL blocking Y ou can block the unwanted web URLs usin g both the F ortiGate we b filter and the Cerberian web filter . • Using the FortiGate web filter • Using the Cerberian web filter Using the FortiGate web filter Y ou can [...]

  • Página 270

    270 Fortinet Inc. URL blocking Web filtering 3 T ype the URL/Pattern to block. T ype a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. T ype a top-level URL followed by the p ath an d filename to block access to a single page on a webs[...]

  • Página 271

    Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 271 Downloading the URL block list Y ou can back up the URL block list by downloading it to a text file on the management computer . 1 Go to Web Filter > URL Block . 2 Select Download URL Block List . The FortiGate unit downloads the list to a text file on the manageme[...]

  • Página 272

    272 Fortinet Inc. URL blocking Web filtering Using the Cer berian web fi lter The FortiGate unit support s Cerberian web filtering. For information about Cer berian web filter , see www .cerberian.com. If you have purchased the Cerberian web f ilter ing functionality with your For tiGate unit, use the following configurat ion proced ures to configu[...]

  • Página 273

    Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 273 2 Select Cerberian URL Filtering. 3 Select New . 4 Enter the IP address and netmask of the user comp uters. Y ou can enter the IP address of a single user . For example, 192.168.100.1 9 255.255.255.255 . Y ou can also enter a subnet of a grou p of users. For example, [...]

  • Página 274

    274 Fortinet Inc. Script filtering Web filtering 3 Select the Cerberian URL Filtering option. 4 Go to Firewall > Content Profile. 5 Create a new or select an existing c o ntent profile and enable W eb URL Block. 6 Go to Firewall > Polic y . 7 Create a new or select an existing policy that will use the content profile. 8 Select Anti-Virus &[...]

  • Página 275

    Web filtering Exempt URL list FortiGate-400 Installation and Configuration Guide 275 Figure 41: Example script filter setting s to block Java applets and ActiveX Exempt URL list Add URLs to the exempt URL list to allow legitimate traf fic that might otherwise be blocked by content or URL blocking. For exam ple, if content blocking is set to block p[...]

  • Página 276

    276 Fortinet Inc. Exempt URL list Web filtering 5 Select OK to add the URL to the exempt URL list. Y ou can enter multiple URLs and then select Check All to activa te all items in the exempt UR L list. Each page of the exempt URL list displays 100 URLs. 6 Use Page Down and Page Up to navigate through the exempt URL list. Figure 42: Example exempt U[...]

  • Página 277

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 277 Email filter Email filtering is enabled in firewall policies. When you en able Anti-Virus & Web filter in a firewall policy, you sele ct a conten t profile tha t controls h ow email filterin g behaves for email (IMAP an d[...]

  • Página 278

    278 Fortinet Inc. Email banned word list Email filter Email banned word list When the FortiGate unit detect s email that contai ns a word or phrase in the banne d word list, the FortiGate unit adds a t ag to the subject line of the email and writes a message to the event log. Recei vers can then use their mail client sof tware to filter messages ba[...]

  • Página 279

    Email filter Email block list FortiGate-400 Installation and Configuration Guide 279 Email block list Y ou can configure the FortiGate unit to ta g all IMAP and POP3 protocol tra ffic sent from unwanted email addresse s. When the FortiGate unit dete cts an email sent from an unwanted address p attern, the FortiGate un it adds a t ag to the subject [...]

  • Página 280

    280 Fortinet Inc. Adding a subject tag Email filter Adding address patterns to the email exempt list 1 Go to Email Filter > Exempt List . 2 Select New to add an address pattern to the em ail exempt list. 3 T ype the address pattern to ex empt. • T o exempt email sent from a specific email add ress, type the email address. For example, sender@a[...]

  • Página 281

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 281 Logging and reporting Y ou can configure the FortiGate unit to log network activity from routine configuration changes and traf fic sessions to emergency event s. Y ou can also configure the FortiGate u nit to send alert emai[...]

  • Página 282

    282 Fortinet Inc. Recording logs Logging and reporting This section describes: • Recording logs on a remote computer • Recording logs on a NetIQ W ebT rends server • Recording logs on the FortiGate hard disk • Recording logs in system memory Recording logs on a remote computer Use the following procedure to configure the FortiGate unit to r[...]

  • Página 283

    Logging and repo rting Recording logs FortiGate-400 Installation and Configuration Guide 283 4 Select the severity leve l for which you want to record log messages. The FortiGate will log all levels of severity down to but not lower than the level you choose. For example, if you want to record emergency , alert, critical, and error messages, select[...]

  • Página 284

    284 Fortinet Inc. Filtering log me ssages Logging and reporting Recording logs in system memory If your Fo rtiGate unit does not contain a hard disk , you can use the fo llowing procedure to configure the FortiGate unit to rese rve some system memory for storing current event, at tack, antivirus , web filter and email filter log messages. Logging t[...]

  • Página 285

    Logging and repo rting Filtering log me ssages FortiGate-400 Installation and Configuration Guide 285 4 Select the message categories that you wa nt the FortiGa te unit to record if you selected Event Log, V irus Log, Web Filter ing Log, Att ack Log, Email Filter Log, or Update in step 3 . 5 Select OK. Figure 43: Exam ple log filter con figuration [...]

  • Página 286

    286 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Configuring traffic logging Y ou can configure the FortiGate unit to reco rd traffic log messages for connections to: • Any interface • Any VLAN subinterface • Any firewall policy The FortiGate unit can filter traf fic logs for any source and destination address and service.[...]

  • Página 287

    Logging and repo rting Configuring traffic loggi ng FortiGate-400 Installation and Configuration Guide 287 5 Repeat this procedure for each VLAN subinterface fo r which you want to enable logging. Enabling traffic logging for a firewall policy If you enable traffic logging for a firewall policy , all connections accepted by firewall policy are reco[...]

  • Página 288

    288 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Adding traffic filter entries Add entries to the traffic filter list to filter the messages that are recorded in the traf fic log. If you do not add any entries to the tr affic filte r list, the FortiGate records all traf fic log messages. Y ou can add entries to th e traffic filt[...]

  • Página 289

    Logging and repo rting Viewing logs saved to memory FortiGate-400 Installation and Configuration Guide 289 V iewing logs saved to memory If the FortiGate is configured to save log messages in system memory , you can use the web-based manager to view , search, and clear the log message s. This section describes: • Viewin g logs • Searching logs [...]

  • Página 290

    290 Fortinet Inc. Viewing and managing logs saved to the hard disk Logging and reporting V iewing and managing logs saved to the hard disk If your FortiGate unit cont ains a hard disk for recording lo gs, you can use the following procedures to view , search and mainta in logs: • Viewin g logs • Searching logs • Downloading a log file to the [...]

  • Página 291

    Logging and reporting Viewing and managing logs saved to the hard disk FortiGate-400 Installation and Configuration Guide 291 8 Select OK to run the sear ch. The web-based man ager displays the messa ges that match th e search criteria. Y ou can scroll throug h the message s or run another se arch. Downloading a log file to the management computer [...]

  • Página 292

    292 Fortinet Inc. Configu ring aler t email Logging and reporting Deleting a saved log file Use the follo wing proced ure to delete a saved log file: 1 Go to Log&Report > Logging . 2 Select Traf fic Log, Event Log, Attack log, Ant ivirus Log, Web Filter Log, or Email Filter Log. The web-based m anager list s all saved logs of the selected ty[...]

  • Página 293

    Logging and repo rting Configu ring aler t email FortiGate-400 Installation and Configuration Guide 293 6 T ype up to three destination email ad dresses in the Email T o fields. These are the actual email addresse s to wh ich the FortiGate unit sends alert email. 7 Select Apply . Testing alert email Y ou can test the alert email settings by sending[...]

  • Página 294

    294 Fortinet Inc. Configu ring aler t email Logging and reporting[...]

  • Página 295

    FortiGate-400 Installation and Configuration Guide 295 FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 Glossary Connection : A link between machines, applications, processes, and so on t hat can be logical, phys ical, or both. DMZ, Demilit arized Zone : Used to host Internet services without allowing unau thorized access to an[...]

  • Página 296

    296 Fortinet Inc. Glossary LAN, Local Area Network : A computer n etwork that spans a relatively small area. Most LANs connect worksta tions and personal computers. Each computer on a LAN is able to ac cess data and devices a nywhere on the LAN. This means that many users can share data as well as physical re sources such as printers. MAC address, [...]

  • Página 297

    Glossary FortiGate-400 Installation and Configuration Guide 297 SSH , Secure shell : A secure T elnet replacement that you can use to log into another computer over a network and run commands. SSH provides str ong secure authentication and secure communications over insecure channels. Subnet : A portion of a network that shares a comm on address co[...]

  • Página 298

    298 Fortinet Inc. Glossary[...]

  • Página 299

    FortiGate-400 Installation and Configuration Guide 299 FortiGate-400 Inst allation and Co nfiguration Guide V ersion 2.50 MR2 Index Numerics 4/HA configuring for HA 77, 82 A accept policy 174 action policy option 174 active log deleting all messages 291 searching 289, 290 viewing and maintaining saved logs 290 ActiveX 275 removing from web pages 27[...]

  • Página 300

    300 Fortinet Inc. Index AutoIKE 210 certificates 21 0 introduction 210 pre-shared keys 210 automatic antivirus and attack definition updates configuring 118 B backing up system settings 108 bandwidth guaranteed 175 maximum 175 banned word l ist adding words 2 68, 278 blacklist URL 271 block traffic IP/MAC binding 194, 1 95 log option 283 blocking a[...]

  • Página 301

    Index FortiGate-400 Installation and Configuration Guide 301 E email alert testing 293 email filter log 285 enabling policy 178 encrypt policy 174 encrypt policy allow inbound 175 allow outbound 175 Inbound NAT 175 Outbound NAT 175 ending IP address PPTP 236, 242 environmental specifications 31 event log 284 viewing 289 exempt URL list 275, 279 add[...]

  • Página 302

    302 Fortinet Inc. Index HTTPS 20, 139, 183, 295 I ICMP 183, 295 configuring checksum verification 250 idle timeout web-based manager 158 IDS log viewing 289 IKE 295 IMAP 183, 295 Inbound NAT encrypt policy 175 interface RIP 152 internal address example 180 internal address group example 181 internal network configuring 50 Internet blocking access t[...]

  • Página 303

    Index FortiGate-400 Installation and Configuration Guide 303 loggin g 21, 281 attack log 284 configuring traffic settings 286, 287 deleting all messages 291 deleting log files 292 downloading log files 291 email filter log 285 enabling alert email 293 event log 284 filtering log messages 284 log to local 283 log to memory 284 log to remote host 282[...]

  • Página 304

    304 Fortinet Inc. Index ping management access 139 policy accept 174 Anti-Virus & Web filter 176 arranging in policy list 177 Comments 177 deny 174 disabling 178 enabling 178 enabling authenticati on 207 fixed port 174 guaranteed bandwidth 175 Log Traffic 177 matching 177 maximum bandwidth 175 policy list configuring 177 policy routing 146 POP3[...]

  • Página 305

    Index FortiGate-400 Installation and Configuration Guide 305 RMA registering a FortiGate unit 131 route adding default 143 adding to routing table 143 adding to routing table (Transparent mode) 145 destination 143 devic e 144 router next hop 136 routing 29 6 adding static routes 1 43 configuring 143 configuring routing table 14 5 policy 146 routing[...]

  • Página 306

    306 Fortinet Inc. Index system settings backing up 108 restoring 108 restoring to factory default 108 system status 93, 149 system status monitor 110, 111, 112, 113 T TCP configuring checksum verification 250 technical support 28 testing alert email 293 time log search 289, 291 setting 157 time zone 157 timeout firewall authentica tion 159 idle 158[...]

  • Página 307

    Index FortiGate-400 Installation and Configuration Guide 307 virus definitions updating 115, 119 virus incidents enabling alert email 293 virus list displaying 266 viewing 266 virus log 284 virus protection overview 259 worm protection 15 VLAN configuring 139 network configuration 139 VLAN network typical configuration 140 VPN configuring L2TP gate[...]

  • Página 308

    308 Fortinet Inc. Index[...]