Fortinet 50A manual

A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the Fortinet 50A along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the Fortinet 50A one can find a process description. An instruction's purpose is to teach, to ease the start-up and use of an item, or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the Fortinet 50A. A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the Fortinet 50A should contain:
- information concerning the technical data of the Fortinet 50A
- the name of the manufacturer and the year of construction of the Fortinet 50A item
- rules of operation, control and maintenance of the Fortinet 50A item
- safety signs and mark certificates which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and uncertainty about the functions of purchased items. Unfortunately, networking and start-up of the Fortinet 50A alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (what means should be used), possible defects of the Fortinet 50A, and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one will be directed to Fortinet service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and won't skip complicated technical information about the Fortinet 50A.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the Fortinet 50A item, its use of the respective accessories, and information concerning all its functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently manuals are carefully prepared and translated so they can be fully understood by their users. The manuals serve as an informational aid.

Table of contents for the manual

  • Page 1

    FortiGate 50A Installation and Configuration Guide INTERNAL EXTERNAL LINK 100 LINK 100 PWR STATUS A FortiGate User Manual Volume 1 Version 2.50 29 February 2004[...]

  • Page 2

    © Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-5[...]

  • Page 3

    Contents FortiGate-50A Installation and Configuration Guide 3 Table of Contents Introduction ... 13 NAT/Route mode and Transparent mode ... 13 NAT/Route mode ...[...]

  • Page 4

    Contents 4 Fortinet Inc. Completing the configuration ... 38 Setting the date and time ... 38 Changing antivirus protection ...[...]

  • Page 5

    Contents FortiGate-50A Installation and Configuration Guide 5 Shutting down the FortiGate unit ... 66 System status ... 67 Viewing CPU and me[...]

  • Page 6

    Contents 6 Fortinet Inc. Network configuration ... 93 Configuring interfaces ... 93 Viewing the interface list ...[...]

  • Page 7

    Contents FortiGate-50A Installation and Configuration Guide 7 Changing system options ... 122 Adding and editing administrator accounts ... 123 Adding new administrator accounts ...[...]

  • Page 8

    Contents 8 Fortinet Inc. Virtual IPs ... 157 Adding static NAT virtual IPs ... 158 Adding port forwarding virtual IPs ...[...]

  • Page 9

    Contents FortiGate-50A Installation and Configuration Guide 9 AutoIKE IPSec VPNs ... 182 General configuration steps for an AutoIKE VPN ... 183 Adding a phase 1 configuration for an AutoI[...]

  • Page 10

    Contents 10 Fortinet Inc. Logging attacks ... 222 Logging attack messages to the attack log ... 222 Reducing the number of NIDS attack log and email messages ...[...]

  • Page 11

    Contents FortiGate-50A Installation and Configuration Guide 11 Email block list ... 248 Adding address patterns to the email block list ... 248 Downloading the email bl[...]

  • Page 12

    Contents 12 Fortinet Inc.[...]

  • Page 13

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 13 Introduction The FortiGate-50A Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your FortiGate-5[...]

  • Page 14

    14 Fortinet Inc. Document conventions Introduction Document conventions This guide uses the following conventions to describe CLI command syntax. • angle brackets < > to indicate variable keywords For example: execute restore config <filename_str> You enter restore config myfile.bak <xxx_str> indicates an ASCII string var[...]

  • Page 15

    Introduction Fortinet documentation FortiGate-50A Installation and Configuration Guide 15 Fortinet documentation Information about FortiGate products is available from the following FortiGate User Manual volumes: • Volume 1: FortiGate Installation and Configuration Guide Describes installation and basic configuration for the FortiGate u[...]

  • Page 16

    16 Fortinet Inc. Customer service and technical support Introduction Customer service and technical support For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com. You[...]

  • Page 17

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 17 Getting started This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you [...]

  • Page 18

    18 Fortinet Inc. Package contents Getting started Package contents The FortiGate-50A package contains the following items: • the FortiGate-50A Antivirus Firewall • one orange cross-over ethernet cable • one gray regular ethernet cable • one null-modem cable • FortiGate-50A QuickStart Guide • A CD containing the FortiGate user doc[...]

  • Page 19

    Getting started Powering on FortiGate-50A Installation and Configuration Guide 19 Environmental specifications • Operating temperature: 32 to 104°F (0 to 40°C) • Storage temperature: -13 to 158°F (-25 to 70°C) • Humidity: 5 to 95% non-condensing Powering on To power on the FortiGate-50A unit 1 Connect the AC adapter to the power conn[...]

  • Page 20

    20 Fortinet Inc. Connecting to the command line interface (CLI) Getting started To connect to the web-based manager 1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address automatically using DHC[...]

  • Page 21

    Getting started Connecting to the command line interface (CLI) FortiGate-50A Installation and Configuration Guide 21 To connect to the CLI 1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port. 2 Make sure that the FortiGate unit is powered on. 3 Start HyperTerminal, enter a name for t[...]

  • Page 22

    22 Fortinet Inc. Factory default FortiGate configuration settings Getting started Factory default FortiGate configuration settings The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. T[...]

  • Page 23

    Getting started Factory default FortiGate configuration settings FortiGate-50A Installation and Configuration Guide 23 Factory default NAT/Route mode network configuration When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3. This configuration allows yo[...]

  • Page 24

    24 Fortinet Inc. Factory default FortiGate configuration settings Getting started Recurring Schedule Always The schedule is valid at all times. This means that the firewall policy is valid at all times. Firewall Policy Int -> Ext Firewall policy for connections from the internal network to the external network. Source Internal_All The policy s[...]

  • Page 25

    Getting started Factory default FortiGate configuration settings FortiGate-50A Installation and Configuration Guide 25 Factory default content profiles You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for: • Antivirus protection [...]

  • Page 26

    26 Fortinet Inc. Factory default FortiGate configuration settings Getting started Scan content profile Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic. Web content profile Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You [...]

  • Page 27

    Getting started Planning the FortiGate configuration FortiGate-50A Installation and Configuration Guide 27 Unfiltered content profile Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure ne[...]

  • Page 28

    28 Fortinet Inc. Planning the FortiGate configuration Getting started You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public [...]

  • Page 29

    Getting started Planning the FortiGate configuration FortiGate-50A Installation and Configuration Guide 29 In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web,[...]

  • Page 30

    30 Fortinet Inc. FortiGate model maximum values matrix Getting started FortiGate model maximum values matrix Table 10: FortiGate maximum values matrix FortiGate model 50A 60 100 200 300 400 500 800 1000 3000 3600 4000 Routes 500 500 500 500 500 500 500 500 500 500 500 500 Policy routing gateways 500 500 500 500 500 500 500 500 500 500 500 500 [...]

  • Page 31

    Getting started Next steps FortiGate-50A Installation and Configuration Guide 31 Next steps Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 33. • If you are going to op[...]

  • Page 32

    32 Fortinet Inc. Next steps Getting started[...]

  • Page 33

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 33 NAT/Route mode installation This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on page 41. This chapt[...]

  • Page 34

    34 Fortinet Inc. Preparing to configure NAT/Route mode NAT/Route mode installation To use the factory default configuration, follow these steps to install the FortiGate unit: 1 Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for a[...]

  • Page 35

    NAT/Route mode installation Using the setup wizard FortiGate-50A Installation and Configuration Guide 35 Advanced NAT/Route mode settings Use Table 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings. Using the setup wizard From the web-based manager, you can use the setup wizard to create [...]

  • Page 36

    36 Fortinet Inc. Using the command line interface NAT/Route mode installation Using the command line interface As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 20. Configuring the Fort[...]

  • Page 37

    NAT/Route mode installation Connecting the FortiGate unit to your networks FortiGate-50A Installation and Configuration Guide 37 6 Optionally, set the secondary DNS server IP addresses. Enter set system dns secondary <IP address> Example set system dns secondary 293.44.75.22 7 Set the default route to the Default Gateway IP address (not r[...]

  • Page 38

    38 Fortinet Inc. Configuring your networks NAT/Route mode installation To connect the FortiGate-50A unit: 1 Connect the Internal interface to the hub or switch connected to your internal network. 2 Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a[...]

  • Page 39

    NAT/Route mode installation Completing the configuration FortiGate-50A Installation and Configuration Guide 39 Registering your FortiGate unit After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecti[...]

  • Page 40

    40 Fortinet Inc. Completing the configuration NAT/Route mode installation[...]

  • Page 41

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 41 Transparent mode installation This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on pag[...]

  • Page 42

    42 Fortinet Inc. Using the setup wizard Transparent mode installation Using the setup wizard From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 19. Changing to Transparent mode The firs[...]

  • Page 43

    Transparent mode installation Connecting the FortiGate unit to your networks FortiGate-50A Installation and Configuration Guide 43 Changing to Transparent mode 1 Log into the CLI if you are not already logged in. 2 Switch to Transparent mode. Enter: set system opmode transparent After a few seconds, the login prompt appears. 3 Type admin [...]

  • Page 44

    44 Fortinet Inc. Connecting the FortiGate unit to your networks Transparent mode installation To connect the FortiGate unit: 1 Connect the Internal interface to the hub or switch connected to your internal network. 2 Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provi[...]

  • Page 45

    Transparent mode installation Completing the configuration FortiGate-50A Installation and Configuration Guide 45 Completing the configuration Use the information in this section to complete the initial configuration of the FortiGate unit. Setting the date and time For effective scheduling and logging, the FortiGate system date and time shou[...]

  • Page 46

    46 Fortinet Inc. Transparent mode configuration examples Transparent mode installation Transparent mode configuration examples A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. Th[...]

  • Page 47

    Transparent mode installation Transparent mode configuration examples FortiGate-50A Installation and Configuration Guide 47 Example default route to an external network Figure 7 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiGate u[...]

  • Page 48

    48 Fortinet Inc. Transparent mode configuration examples Transparent mode installation Web-based manager example configuration steps To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mod[...]

  • Page 49

    Transparent mode installation Transparent mode configuration examples FortiGate-50A Installation and Configuration Guide 49 Figure 8: Static route to an external destination General configuration steps 1 Set the FortiGate unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 Configure[...]

  • Page 50

    50 Fortinet Inc. Transparent mode configuration examples Transparent mode installation Web-based manager example configuration steps To configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > Status. • Select Change to Transparent Mode. • Select Transparent in the Operation Mode list.[...]

  • Page 51

    Transparent mode installation Transparent mode configuration examples FortiGate-50A Installation and Configuration Guide 51 Example static route to an internal destination Figure 9 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you ne[...]

  • Page 52

    52 Fortinet Inc. Transparent mode configuration examples Transparent mode installation 4 Configure the default route to the external network. Web-based manager example configuration steps To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status. • Select Chang[...]

  • Page 53

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 53 System status You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack de[...]

  • Page 54

    54 Fortinet Inc. Changing the FortiGate host name System status Changing the FortiGate host name The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 125. The default host name is [...]

  • Page 55

    System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 55 Upgrading to a new firmware version Use the following procedures to upgrade the FortiGate unit to a newer firmware version. Upgrading the firmware using the web-based manager To upgrade the firmware using the web-based manager 1 Copy the firmwa[...]

  • Page 56

    56 Fortinet Inc. Changing the FortiGate firmware System status 4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168 5 Enter the following command to copy t[...]

  • Page 57

    System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 57 If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file. To revert to a previous firmware ve[...]

  • Page 58

    58 Fortinet Inc. Changing the FortiGate firmware System status To use the following procedure you must have a TFTP server that the FortiGate unit can connect to. To revert to a previous firmware version using the CLI 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFTP server. 3 Lo[...]

  • Page 59

    System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 59 12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information. get system ob[...]

  • Page 60

    60 Fortinet Inc. Changing the FortiGate firmware System status 6 Enter the following command to restart the FortiGate unit: execute reboot As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears: Press any key to enter configuration menu..... ...... 7 Immediately press any key [...]

  • Page 61

    System status Changing the FortiGate firmware FortiGate-50A Installation and Configuration Guide 61 Restoring the previous configuration Change the internal interface addresses if required. You can do this from the CLI using the command: set system interface After changing the interface addresses, you can access the FortiGate unit from the w[...]

  • Page 62

    62 Fortinet Inc. Changing the FortiGate firmware System status 5 Enter the following command to restart the FortiGate unit: execute reboot 6 As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:[...]

  • Page 63

    System status Manual virus definition updates FortiGate-50A Installation and Configuration Guide 63 Manual virus definition updates The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate antivirus definitions. To update the antivirus definitions manually 1 Download the latest antivirus de[...]

  • Page 64

    64 Fortinet Inc. Displaying the FortiGate serial number System status Displaying the FortiGate serial number 1 Go to System > Status. The serial number is displayed on the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades. Displaying the FortiGate up[...]

  • Page 65

    System status Restoring system settings to factory defaults FortiGate-50A Installation and Configuration Guide 65 Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions. T[...]

  • Page 66

    66 Fortinet Inc. Changing to NAT/Route mode System status Changing to NAT/Route mode Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults. The following items are no[...]

  • Page 67

    System status System status FortiGate-50A Installation and Configuration Guide 67 System status You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-b[...]

  • Page 68

    68 Fortinet Inc. System status System status Figure 1: CPU and memory status monitor Viewing sessions and network status Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU an[...]

  • Page 69

    System status System status FortiGate-50A Installation and Configuration Guide 69 4 Select Refresh to manually update the information displayed. Figure 2: Sessions and network status monitor Viewing virus and intrusions status Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to t[...]

  • Page 70

    70 Fortinet Inc. Session list System status Figure 3: Sessions and network status monitor Session list The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the Fo[...]

  • Page 71

    System status Session list FortiGate-50A Installation and Configuration Guide 71 Each line of the session list displays the following information. Figure 4: Example session list Protocol The service protocol of the connection, for example, udp, tcp, or icmp. From IP The source IP address of the connection. From Port The source port of the conn[...]

  • Page 72

    72 Fortinet Inc. Session list System status[...]

  • Page 73

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 73 Virus and attack definitions updates and registration You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus en[...]

  • Page 74

    74 Fortinet Inc. Updating antivirus and attack definitions Virus and attack definitions updates and registration The Update page on the web-based manager displays the following antivirus and attack definition update information. This section describes: • Connecting to the FortiResponse Distribution Network • Manually initiating antivirus[...]

  • Page 75

    Virus and attack definitions updates and registration Updating antivirus and attack definitions FortiGate-50A Installation and Configuration Guide 75 Manually initiating antivirus and attack definitions updates You can use the following procedure to update the antivirus and attack definitions at any time. The FortiGate unit must be able to co[...]

  • Page 76

    76 Fortinet Inc. Scheduling updates Virus and attack definitions updates and registration Configuring update logging Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. The update log messages are recorded on the FortiGate Event log. To confi[...]

  • Page 77

    Virus and attack definitions updates and registration Scheduling updates FortiGate-50A Installation and Configuration Guide 77 4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log. Figure[...]

  • Page 78

    78 Fortinet Inc. Enabling push updates Virus and attack definitions updates and registration Enabling scheduled updates through a proxy server If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using [...]

  • Page 79

    Virus and attack definitions updates and registration Enabling push updates FortiGate-50A Installation and Configuration Guide 79 When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if t[...]

  • Page 80

    Example: push updates through a NAT device This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive pus[...]

  • Page 81

    General procedure Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates: 1 Add a por[...]

  • Page 82

    Figure 3: Push update port forwarding virtual IP Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT device 1 Add a new external to internal firewall policy. 2 Configure the policy with the following settings: 3 [...]

  • Page 83

    4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149. 5 Set Port to the external service port added to the virtual IP. For the example topology, en[...]

  • Page 84

    All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not sha[...]

  • Page 85

    Registering the FortiGate unit Before registering a FortiGate unit, you require the following information: • Your contact information including: • First and last name • Company name • Email address [...]

  • Page 86

    4 Select the model number of the Product Model to register. 5 Enter the Serial Number of the FortiGate unit. 6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number. Figure 6: Regist[...]

  • Page 87

    To recover a lost Fortinet support password 1 Go to System > Update > Support. 2 Select Support Login. 3 Enter your Fortinet support user name. 4 Select Forgot your password? 5 Enter your email a[...]

  • Page 88

    Figure 7: Sample list of registered FortiGate units Registering a new FortiGate unit To register a new FortiGate unit 1 Go to System > Update > Support. 2 Select Support Login. 3 Enter your Fortinet support user name and password. [...]

  • Page 89

    6 Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number. 7 Add the new Support Contract number. 8 Select Finish. The list of FortiGate products t[...]

  • Page 90

    Downloading virus and attack definitions updates Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the attack definitions updates on your FortiGate unit. T[...]

  • Page 91

    Registering a FortiGate unit after an RMA The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure. If this[...]

  • Page 92

    92 Fortinet Inc. Registering a FortiGate unit after an RMA Virus and attack definitions updates and registration[...]

  • Page 93

    FortiGate-50A Installation and Configuration Guide Version 2.50 Network configuration You can use the System Network page to change any of the following FortiGate network settings: • Configuring interfaces • Adding DNS server IP addresses • Configuring routing • Configuring DHCP [...]

  • Page 94

    Viewing the interface list To view the interface list 1 Go to System > Network > Interface. The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces: • The name of the interface • Th[...]

  • Page 95

    4 Change the IP address and Netmask as required. The IP address of the interface must be on the same subnet as the network the interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same sub[...]

  • Page 96

    Configuring an interface for PPPoE Use the following procedure to configure any FortiGate interface to use PPPoE. If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the[...]

  • Page 97

    You can also configure management access and add a ping server to the secondary IP address. set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet set system interface <intf_str> config secgwdetect enable [...]

  • Page 98

    2 Choose an interface and select Modify. 3 Select the Administrative Access methods for the interface. 4 Select OK to save the changes. Changing the MTU size to improve network performance To improve network performance, you can change the maximum transmission unit (MTU) of the p[...]

  • Page 99

    Configuring the management interface in Transparent mode Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. [...]

  • Page 100

    Adding DNS server IP addresses Several FortiGate functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usually supplied[...]

  • Page 101

    Adding destination-based routes to the routing table You can add destination-based routes to the FortiGate routing table to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses [...]

  • Page 102

    7 Set Device #2 to the FortiGate interface through which to route traffic to connect to Gateway #2. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto the system selects[...]

  • Page 103

    To configure the routing table 1 Go to System > Network > Routing Table. 2 Choose the route that you want to move and select Move to to change its order in the routing table. 3 Type a number in the Move to field to specify where in the routin[...]

  • Page 104

    Policy routing command syntax Configure policy routing using the following CLI command. set system route policy <route_int> src <source_ip> <source_mask> iifname <source-interface_name> dst <destination_ip> <destination_mask> oifname <destinat[...]

  • Page 105

    Configuring a DHCP server As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any FortiGate interface. You can also configure a DHCP server for mo[...]

  • Page 106

    3 Select an interface. You must configure the interface as a DHCP server before it can be selected. 4 Select New to add an address scope. 5 Configure the address scope. 6 Select Advanced if you want to configure Advanced Options. 7 Select OK. Adding a reserve IP to a DHCP serve[...]

  • Page 107

    7 Select OK. Viewing a DHCP server dynamic IP list You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses. To view a DHCP server dy[...]

  • Page 108

    Connecting a modem to the FortiGate unit The FortiGate unit can operate with most standard external serial interface modems that support standard Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the FortiGate unit an[...]

  • Page 109

    4 Enter the following Dialup Account 1 settings: 5 If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3. 6 Select Apply. Connecting to a dialup account Use the fol[...]

  • Page 110

    Viewing modem status To view the status of the modem connection go to System > Network > Modem. Modem status is one of the following: A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appears on t[...]

  • Page 111

    If the connection to the dialup account fails, the FortiGate unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. In standalone mode the modem interfac[...]

  • Page 112

    112 Fortinet Inc. Configuring the modem interface Network configuration[...]

  • Page 113

    RIP configuration The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to c[...]

  • Page 114

    5 Change the following RIP timer settings, as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems. All routers and access servers in the network should have the same RIP timer settings. 6 Selec[...]

  • Page 115

    Figure 1: Configuring RIP settings Configuring RIP for FortiGate interfaces You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. T[...]

  • Page 116

    4 Select OK to save the RIP configuration for the selected interface. Figure 2: Example RIP configuration for an internal interface Password Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long. Mode Defines the a[...]

  • Page 117

    Adding RIP filters Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming [...]

  • Page 118

    3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces. 4 Select the Blank Filter check box to create a RIP filter list with no entries, or en[...]

  • Page 119

    Assigning a RIP filter list to the outgoing filter The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter. To assign a RIP filter list to the outgoing filter[...]

  • Page 120

    120 Fortinet Inc. Adding RIP filters RIP configuration[...]

  • Page 121

    System configuration Use the System Config page to make any of the following changes to the FortiGate system configuration: • Setting system date and time • Changing system options • Adding and editing administrator acc[...]

  • Page 122

    9 Select Apply. Figure 1: Example date and time setting Changing system options On the System Config Options page, you can: • Set the system idle timeout. • Set the authentication timeout. • Select the language for the web-based manager. • Modify the dead gateway detection s[...]

  • Page 123

    3 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 171. The default Auth T[...]

  • Page 124

    Adding new administrator accounts From the admin account, use the following procedure to add new administrator accounts and control their permission levels. To add an administrator account 1 Go to System > Config > Admin. 2 Select New to add an administ[...]

  • Page 125

    To edit an administrator account 1 Go to System > Config > Admin. 2 To change an administrator account password, select Change Password. 3 Type the Old Password. 4 Type and confirm a new password. For improved security, the password should b[...]

  • Page 126

    This section describes: • Configuring the FortiGate unit for SNMP monitoring • Configuring FortiGate SNMP support • FortiGate MIBs • FortiGate traps • Fortinet MIB fields Configuring the FortiGate unit for SNMP monitoring Before a remote SNMP manager can connect to the FortiGate[...]

  • Page 127

    To configure SNMP community settings 1 Go to System > Config > SNMP v1/v2c. 2 Select the Enable SNMP check box. 3 Configure the following SNMP settings: 4 Select Apply. System Name Automatically set to the FortiGate host name. To change the Syst[...]

  • Page 128

    Figure 2: Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 1. You can obtain these MIB files from Fortinet technical support. To be able to commu[...]

  • Page 129

    FortiGate traps The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet tra[...]

  • Page 130

    VPN traps NIDS traps Antivirus traps Logging traps Fortinet MIB fields The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product. This section lists the names of the high-level MIB fields and describes the configura[...]

  • Page 131

    System configuration and status Firewall configuration Users and authentication configuration Table 8: System MIB fields MIB field Description fnSysStatus FortiGate system configuration including operation mode, firmware version, virus definition versio[...]

  • Page 132

    VPN configuration and status NIDS configuration Antivirus configuration Web filter configuration Logging and reporting configuration Table 11: VPN MIB fields fnVpnIpsec IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key list, and VPN concentrator list. Status an[...]

  • Page 133

    Replacement messages Replacement messages are added to content passing through the firewall to replace: • Files or other content removed from POP3 and IMAP email messages by the antivirus system, • Files or other content removed from HTTP down[...]

  • Page 134

    2 For the replacement message that you want to customize, select Modify. 3 In the Message setup dialog box, edit the content of the message. Table 16 lists the replacement message sections that can be added to replacement messages and describes the tags that can appear in each se[...]

  • Page 135

    Table 17: Alert email message sections NIDS event Used for NIDS event alert email messages Section Start <**NIDS_EVENT**> Allowed Tags %%NIDS_EVENT%% The NIDS attack message. Section End <**/NIDS_EVENT**> Virus alert Used for virus ale[...]

  • Page 136

    Critical event Used for critical firewall event alert emails. Section Start <**CRITICAL_EVENT**> Allowed Tags %%CRITICAL_EVENT%% The firewall critical event message Section End <**/CRITICAL_EVENT**>[...]

  • Page 137

    Firewall configuration Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewal[...]

  • Page 138

    This chapter describes: • Default firewall configuration • Adding firewall policies • Configuring policy lists • Addresses • Services • Schedules • Virtual IPs • IP pools • IP/MAC binding • Content profiles Default firewall configuration Firewall polic[...]

  • Page 139

    The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default policy matches all connections from the internal network because it includes the Internal_All address. [...]

  • Page 140

    Adding firewall policies Add Firewall policies to control connections and traffic between FortiGate interfaces. To add a firewall policy 1 Go to Firewall > Policy. 2 Select the policy list to which you want to add the policy. 3 Select New to add a new policy. You can also[...]

  • Page 141

    Figure 5: Adding a NAT/Route policy Action Select how you want the firewall to respond when the policy matches a connection attempt. ACCEPT Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the[...]

  • Page 142

    NAT Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode. VPN Tunnel Select a VPN tunnel for an [...]

  • Page 143

    Authentication Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. [...]

  • Page 144

    Figure 6: Adding a Transparent mode policy Log Traffic Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see “Logging and reporting” on page 251. Comments You can add a description or oth[...]

  • Page 145

    For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy. No policy below the default poli[...]

  • Page 146

    Enabling and disabling policies You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches enabled policies but does not match disabled policies. Disabling policies Disable a policy to temporarily prevent the firewall fr[...]

  • Page 147

    This section describes: • Adding addresses • Editing addresses • Deleting addresses • Organizing addresses into address groups Adding addresses To add an address 1 Go to Firewall > Address. 2 Select the interface that you want to add the addres[...]

  • Page 148

    Editing addresses Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name. To edit an address 1 Go to Firewall > Address. 2 Select the interface l[...]

  • Page 149

    5 To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. 6 Select OK to add the address group. Figure 8: Adding an internal address group Services Use services to determine[...]

  • Page 150

    GRE Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. 47 AH Authentication Header. AH provides source host authentication and data integ[...]

  • Page 151

    LDAP Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389 NetMeeting NetMeeting allows users to teleconference using the Internet as the transmission medium. tcp 1720 NFS Network File System allows network[...]

  • Page 152

    Adding custom TCP and UDP services Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list. To add a custom TCP or UDP service 1 Go to Firewall > Service > Custom. 2 Select TCP/UDP from the Protocol list. 3 Select New. 4 T[...]

  • Page 153

    Adding custom ICMP services Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list. To add a custom ICMP service 1 Go to Firewall > Service > Custom. 2 Select ICMP from the Protocol list. 3[...]

  • Page 154

    3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special charact[...]

  • Page 155

    Creating one-time schedules You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Intern[...]

  • Page 156

    If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recu[...]

  • Page 157

    To add a schedule to a policy 1 Go to Firewall > Policy. 2 Create a new policy or edit a policy to change its schedule. 3 Configure the policy as required. 4 Add a schedule by selecting it from the Schedule list. 5 Select OK to save the policy. 6 Ar[...]

  • Page 158

    Adding static NAT virtual IPs To add a static NAT virtual IP 1 Go to Firewall > Virtual IP. 2 Select New to add a virtual IP. 3 Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other sp[...]

  • Page 159

    Figure 12: Adding a static NAT virtual IP Adding port forwarding virtual IPs To add port forwarding virtual IPs 1 Go to Firewall > Virtual IP. 2 Select New to add a virtual IP. 3 Type a Name for the virtual IP. The name can contain numbers (0-9)[...]

  • Page 160

    7 Enter the External Service Port number that you want to configure port forwarding for. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a web server, the external service [...]

  • Page 161

    Adding policies with virtual IPs Use the following procedure to add a policy that uses a virtual IP to forward packets. To add a policy with a virtual IP 1 Go to Firewall > Policy. 2 Select the type of policy that you want to add. • The source in[...]

  • Page 162

    Adding an IP pool To add an IP pool 1 Go to Firewall > IP Pool. 2 Select the interface to which to add the IP pool. 3 Select New to add a new IP pool to the selected interface. 4 Enter the Start IP and End IP addresses for the range of addresses in the IP pool. The start IP and end IP mu[...]

  • Page 163

    If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. [...]

  • Page 164

    4 Select New to add IP/MAC binding pairs to the IP/MAC binding list. All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with[...]

  • Page 165

    Adding IP/MAC addresses To add an IP/MAC address 1 Go to Firewall > IP/MAC Binding > Static IP/MAC. 2 Select New to add an IP address/MAC address pair. 3 Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the sa[...]

  • Page 166

    Figure 15: IP/MAC settings Content profiles Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles to: • Configure antivirus protection for HTTP, FTP, POP3, SMTP, and IMAP policies • Co[...]

  • Page 167

    Default content profiles The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own. Adding content profiles If the default c[...]

  • Page 168

    6 Enable the email filter protection options that you want. 7 Enable the fragmented email and oversized file and email options that you want. 8 Select OK. Figure 16: Example content profile Web Exempt List Exempt URLs from web filtering and virus scanning. See “Exempt URL list” on pag[...]

  • Page 169

    Firewall configuration Content profiles FortiGate-50A Installation and Configuration Guide 169 Adding content profiles to policies You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. To add a content profil[...]

  • Page 170

    170 Fortinet Inc. Content profiles Firewall configuration[...]

  • Page 171

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 171 Users and authentication FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password [...]

  • Page 172

    172 Fortinet Inc. Setting authentication timeout Users and authentication This chapter describes: • Setting authentication timeout • Adding user names and configuring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user groups Setting authentication timeout Authentication timeout controls how long a[...]

  • Page 173

    Users and authentication Adding user names and configuring authentication FortiGate-50A Installation and Configuration Guide 173 5 Select the Try other servers if connect to selected server fails check box if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS confi[...]

  • Page 174

    174 Fortinet Inc. Configuring RADIUS support Users and authentication Configuring RADIUS support If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers Addi[...]

  • Page 175

    Users and authentication Configuring LDAP support FortiGate-50A Installation and Configuration Guide 175 Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user [...]

  • Page 176

    176 Fortinet Inc. Configuring LDAP support Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the followi[...]

  • Page 177

    Users and authentication Configuring user groups FortiGate-50A Installation and Configuration Guide 177 Configuring user groups To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to conf[...]

  • Page 178

    178 Fortinet Inc. Configuring user groups Users and authentication Figure 20: Adding a user group 7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group. 8 Select OK.[...]

  • Page 179

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 179 IPSec VPN A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, [...]

  • Page 180

    180 Fortinet Inc. Key management IPSec VPN Key management There are three basic elements in any encryption system: • an algorithm that changes information into code, • a cryptographic key that serves as a secret starting point for the algorithm, • a management system to control the key. IPSec provides two ways to handle key exchange and [...]

  • Page 181

    IPSec VPN Manual key IPSec VPNs FortiGate-50A Installation and Configuration Guide 181 Manual key IPSec VPNs When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbi[...]

  • Page 182

    182 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. 7 Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel. 8 Enter the Encryption Key. Each two-character combination [...]

  • Page 183

    IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 183 General configuration steps for an AutoIKE VPN An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. T [...]

  • Page 184

    184 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Select a Remote Gateway address type. • If the remote VPN peer has a static IP address, select Static IP Address. • If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification [...]

  • Page 185

    IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 185 10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer. • Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the Fort[...]

  • Page 186

    186 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Optionally, configure NAT Traversal. 5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors. 6 Select OK to s[...]

  • Page 187

    IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 187 Figure 21: Adding a phase 1 configuration (Standard options) Figure 22: Adding a phase 1 configuration (Advanced options)[...]

  • Page 188

    188 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN Adding a phase 2 configuration for an AutoIKE VPN Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client). To add a phase 2 configuration 1 Go to VPN > I[...]

  • Page 189

    IPSec VPN AutoIKE IPSec VPNs FortiGate-50A Installation and Configuration Guide 189 10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed. 11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure, “Adding a VPN concentrator?[...]

  • Page 190

    190 Fortinet Inc. Managing digital certificates IPSec VPN Managing digital certificates Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copy[...]

  • Page 191

    IPSec VPN Managing digital certificates FortiGate-50A Installation and Configuration Guide 191 6 Configure the key. 7 Select OK to generate the private and public key pair and the certificate request. The private/public key pair is generated and the certificate request is displayed on the Local Certificates list with a status of Pending. Fi[...]

  • Page 192

    192 Fortinet Inc. Managing digital certificates IPSec VPN Downloading the certificate request Use the following procedure to download a certificate request from the FortiGate unit to the management computer. To download the certificate request 1 Go to VPN > Certificates > Local Certificates. 2 Select Download to download the local ce[...]

  • Page 193

    IPSec VPN Configuring encrypt policies FortiGate-50A Installation and Configuration Guide 193 The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiGate unit. [...]

  • Page 194

    194 Fortinet Inc. Configuring encrypt policies IPSec VPN In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the [...]

  • Page 195

    IPSec VPN Configuring encrypt policies FortiGate-50A Installation and Configuration Guide 195 4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer. 5 Select OK to save the destination address. Adding an encrypt policy To add an encrypt policy 1[...]

  • Page 196

    196 Fortinet Inc. IPSec VPN concentrators IPSec VPN To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list. Figure 25: Adding an encrypt policy IPSec VPN concentrators In a hub-and-spoke network, all VPN t[...]

  • Page 197

    IPSec VPN IPSec VPN concentrators FortiGate-50A Installation and Configuration Guide 197 If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator con[...]

  • Page 198

    198 Fortinet Inc. IPSec VPN concentrators IPSec VPN 4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be In [...]

  • Page 199

    IPSec VPN IPSec VPN concentrators FortiGate-50A Installation and Configuration Guide 199 Figure 26: Adding a VPN concentrator VPN spoke general configuration steps A remote VPN peer that functions as a spoke requires the following configuration: • A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for th[...]

  • Page 200

    200 Fortinet Inc. IPSec VPN concentrators IPSec VPN 4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configur[...]

  • Page 201

    IPSec VPN Monitoring and Troubleshooting VPNs FortiGate-50A Installation and Configuration Guide 201 Monitoring and Troubleshooting VPNs • Viewing VPN tunnel status • Viewing dialup VPN connection status • Testing a VPN Viewing VPN tunnel status You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunn[...]

  • Page 202

    202 Fortinet Inc. Monitoring and Troubleshooting VPNs IPSec VPN Figure 28: Dialup Monitor Testing a VPN To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first da[...]

  • Page 203

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 203 PPTP and L2TP VPN You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows you do[...]

  • Page 204

    204 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 2 Add and configure PPTP users. For information about adding and configuring users, see “Adding user names and configuring authentication” on page 172. 3 Go to User > User Group. 4 Add and configure PPTP user groups. For information about adding and configuring user groups, see “Confi[...]

  • Page 205

    PPTP and L2TP VPN Configuring PPTP FortiGate-50A Installation and Configuration Guide 205 To add a source address group Organize the source addresses into an address group. 1 Go to Firewall > Address > Group. 2 Add a new address group to the interface to which PPTP clients connect. 3 Enter a Group Name to identify the address group. The[...]

  • Page 206

    206 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN Configuring a Windows 98 client for PPTP Use the following procedure to configure a client computer running Windows 98 so that it can connect to a FortiGate PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking sup[...]

  • Page 207

    PPTP and L2TP VPN Configuring PPTP FortiGate-50A Installation and Configuration Guide 207 Configuring a Windows 2000 client for PPTP Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN. To configure a PPTP dialup connection 1 Go to Start > Settings > Network an[...]

  • Page 208

    208 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 8 Select Finish. To configure the VPN connection 1 Right-click the Connection icon that you created in the previous procedure. 2 Select Properties > Security. 3 Select Typical to configure typical settings. 4 Select Require data encryption. 5 Select Advanced to configure advanced setting[...]

  • Page 209

    PPTP and L2TP VPN Configuring L2TP FortiGate-50A Installation and Configuration Guide 209 Configuring L2TP Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit. This section describes: • Configuring the FortiGate unit as an L2TP gateway • Configuring a Windows 2000[...]

  • Page 210

    210 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Figure 30: Sample L2TP address range configuration To add source addresses Add a source address for every address in the L2TP address range. 1 Go to Firewall > Address. 2 Select the interface to which L2TP clients connect. 3 Select New to add an address. 4 Enter the Address Name, IP A[...]

  • Page 211

    PPTP and L2TP VPN Configuring L2TP FortiGate-50A Installation and Configuration Guide 211 To add a destination address Add an address to which L2TP users can connect. 1 Go to Firewall > Address. 2 Select the internal interface. 3 Select New to add an address. 4 Enter the Address Name, IP Address, and NetMask for a single computer or for a[...]

  • Page 212

    212 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 8 Select the Security tab. 9 Make sure that Require data encryption is selected. 10 Select the Networking tab. 11 Set VPN server type to Layer-2 Tunneling Protocol (L2TP). 12 Save the changes and continue with the following procedure. To disable IPSec 1 Select the Networking tab. 2 Selec[...]

  • Page 213

    PPTP and L2TP VPN Configuring L2TP FortiGate-50A Installation and Configuration Guide 213 Configuring a Windows XP client for L2TP Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN. To configure an L2TP VPN dialup connection 1 Go to Start > Settings. 2 Select Network [...]

  • Page 214

    214 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 4 Go to the Options tab and select IP security properties. 5 Make sure that Do not use IPSEC is selected. 6 Select OK and close the connection properties window. 7 Use the registry editor (regedit) to locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi[...]

  • Page 215

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 215 Network Intrusion Detection System (NIDS) The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traff[...]

  • Page 216

    216 Fortinet Inc. Detecting attacks Network Intrusion Detection System (NIDS) Selecting the interfaces to monitor To select the interfaces to monitor for attacks 1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks. You can select one or more interfaces. 3 Select Apply. Disabling monitoring interf[...]

  • Page 217

    Network Intrusion Detection System (NIDS) Detecting attacks FortiGate-50A Installation and Configuration Guide 217 Viewing the signature list You can display the current list of NIDS signature groups and the members of a signature group. To view the signature list 1 Go to NIDS > Detection > Signature List. 2 View the names and actions[...]

  • Page 218

    218 Fortinet Inc. Detecting attacks Network Intrusion Detection System (NIDS) Figure 32: Example signature group members list Disabling NIDS attack signatures By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve s[...]

  • Page 219

    Network Intrusion Detection System (NIDS) Detecting attacks FortiGate-50A Installation and Configuration Guide 219 To add user-defined signatures 1 Go to NIDS > Detection > User Defined Signature List. 2 Select Upload. 3 Type the path and filename of the text file for the user-defined signature list or select Browse and locate the fi[...]

  • Page 220

    220 Fortinet Inc. Preventing attacks Network Intrusion Detection System (NIDS) Preventing attacks NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You c[...]

  • Page 221

    Network Intrusion Detection System (NIDS) Preventing attacks FortiGate-50A Installation and Configuration Guide 221 Setting signature threshold values You can change the default threshold values for the NIDS Prevention signatures listed in Table 20. The threshold depends on the type of attack. For flooding attacks, the threshold is the ma[...]

  • Page 222

    222 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS) To set Prevention signature threshold values 1 Go to NIDS > Prevention. 2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons. 3 Type the Threshold value. 4 Select [...]

  • Page 223

    Network Intrusion Detection System (NIDS) Logging attacks FortiGate-50A Installation and Configuration Guide 223 The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new m[...]

  • Page 224

    224 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS)[...]

  • Page 225

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 225 Antivirus protection You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTT[...]

  • Page 226

    226 Fortinet Inc. Antivirus scanning Antivirus protection Antivirus scanning Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection. Each file is tested to determine the file type and the most[...]

  • Page 227

    Antivirus protection File blocking FortiGate-50A Installation and Configuration Guide 227 File blocking Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot[...]

  • Page 228

    228 Fortinet Inc. Blocking oversized files and emails Antivirus protection 3 Type the new pattern in the File Pattern field. You can use an asterisk (*) to represent any characters and a question mark (?) to represent any single character. For example, *.dot blocks Microsoft Word template files and *.do? blocks both Microsoft Word template [...]

  • Page 229

    Antivirus protection Viewing the virus list FortiGate-50A Installation and Configuration Guide 229 Viewing the virus list You can view the names of the viruses and worms in the current virus definition list. To view the virus list 1 Go to Anti-Virus > Config > Virus List. 2 Scroll through the virus and worm list to view the names of al[...]

  • Page 230

    230 Fortinet Inc. Viewing the virus list Antivirus protection[...]

  • Page 231

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 231 Web filtering When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of cont[...]

  • Page 232

    232 Fortinet Inc. Content blocking Web filtering 4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Replacement messages” on page 133. 5 Configure the FortiGate unit to record log messages when it blocks unwanted content or unwanted URLs. See “Recording logs” on page 251. [...]

  • Page 233

    Web filtering Content blocking FortiGate-50A Installation and Configuration Guide 233 Figure 35: Example banned word list Clearing the Banned Word list 1 Go to Web Filter > Content Block. 2 Select Clear List to remove all banned words and phrases from the banned word list. Backing up the Banned Word list You can back up the banned word li[...]

  • Page 234

    234 Fortinet Inc. Content blocking Web filtering Figure 36: Example Banned Word List text file To restore the banned word list 1 Go to Web Filter > Content Block. 2 Select Restore Banned Word List. 3 Type the path and filename of the banned word list text file, or select Browse and locate the file. 4 Select OK to upload the file to the [...]

  • Page 235

    Web filtering URL blocking FortiGate-50A Installation and Configuration Guide 235 URL blocking You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering. • Configuring FortiGate Web URL blocking • Configuring FortiGate Web pattern blocking • Configuring Cerberian [...]

  • Page 236

    236 Fortinet Inc. URL blocking Web filtering 5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All. Each page of the Web URL block list displays 100 URLs. 6 Use Page Up and Pag[...]

  • Page 237

    Web filtering URL blocking FortiGate-50A Installation and Configuration Guide 237 Figure 38: Example URL block list text file You can either create the URL block list or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blackl[...]

  • Page 238

    238 Fortinet Inc. Configuring Cerberian URL filtering Web filtering 4 Select Enable to block the pattern. 5 Select OK to add the pattern to the Web pattern block list. Configuring Cerberian URL filtering The FortiGate unit supports Cerberian URL filtering. For information about Cerberian URL filtering, see www.cerberian.com. If you have purchas[...]

  • Page 239

    Web filtering Configuring Cerberian URL filtering FortiGate-50A Installation and Configuration Guide 239 4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.2[...]

  • Page 240

    240 Fortinet Inc. Script filtering Web filtering 3 Go to Firewall > Content Profile. 4 Create a new or select an existing content profile and enable Web URL Block. 5 Go to Firewall > Policy. 6 Create a new or select an existing policy. 7 Select Anti-Virus & Web filter. 8 Select the content profile from the Content Profile list. 9[...]

  • Page 241

    Web filtering Exempt URL list FortiGate-50A Installation and Configuration Guide 241 Exempt URL list Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornograp[...]

  • Page 242

    242 Fortinet Inc. Exempt URL list Web filtering Figure 40: Example URL Exempt list Downloading the URL Exempt List You can back up the URL Exempt List by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Exempt. 2 Select Download URL Exempt List. The FortiGate unit downloads the list to a text file on the ma[...]

  • Page 243

    Web filtering Exempt URL list FortiGate-50A Installation and Configuration Guide 243 3 Select Upload URL Exempt List. 4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file. 5 Select OK to upload the file to the FortiGate unit. 6 Select Return to display the updated URL Exempt List. 7 You can con[...]

  • Page 244

    244 Fortinet Inc. Exempt URL list Web filtering[...]

  • Page 245

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 245 Email filter Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and PO[...]

  • Page 246

    246 Fortinet Inc. Email banned word list Email filter Email banned word list When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages ba[...]

  • Page 247

    Email filter Email banned word list FortiGate-50A Installation and Configuration Guide 247 Downloading the email banned word list You can back up the banned word list by downloading it to a text file on the management computer: To download the banned word list 1 Go to Email Filter > Content Block. 2 Select Download. The FortiGate unit down[...]

  • Page 248

    248 Fortinet Inc. Email block list Email filter Email block list You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message[...]

  • Page 249

    Email filter Email exempt list FortiGate-50A Installation and Configuration Guide 249 Uploading an email block list You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0)[...]
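As an added example (not code from the guide or from Fortinet), the wildcard rules of the file-blocking patterns on page 228 and the email block-list upload format on page 249, implemented in Python: * matches any characters, ? matches one character, and each block-list line is a pattern optionally followed by a space and 1 (enable) or 0 (taken here to mean disable). It assumes case-insensitive matching, that email address patterns use the same wildcards, that a line without a flag is enabled, and a constructed subject tag [SPAM]; the sample block list is constructed, not real data.

```python
"""Added example, not from the FortiGate guide or Fortinet: a wildcard matcher
for the file-blocking patterns on page 228 (* = any characters, ? = one
character) and a parser/tagger for the email block-list text format on
page 249 (one pattern per line, optional trailing ' 1' or ' 0').
Assumptions not stated on the page: matching is case-insensitive, email
address patterns use the same * and ? wildcards, a line without a trailing
flag is enabled, and the subject tag is the constructed string "[SPAM]".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a FortiGate-style pattern into an anchored regex.

    '*' matches any run of characters (including none), '?' matches exactly
    one character, and everything else is literal, so the '.' in '*.dot' is a
    real dot. Anchoring both ends stops '*.dot' from matching 'memo.dotx'.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def blocked_by_file_pattern(filename: str, patterns: List[str]) -> Optional[str]:
    """Return the first file pattern that blocks filename, or None."""
    for pat in patterns:
        if wildcard_to_regex(pat).match(filename):
            return pat
    return None


@dataclass(frozen=True)
class BlockEntry:
    pattern: str
    enabled: bool


def parse_block_list(text: str) -> List[BlockEntry]:
    """Parse the upload format: one pattern per line, optionally followed by a
    space and 1 (enabled) or 0 (disabled). Blank lines are ignored; anything
    else after the pattern is rejected rather than silently taken as a flag."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if len(tokens) == 1:
            entries.append(BlockEntry(tokens[0], True))
        elif len(tokens) == 2 and tokens[1] in ("0", "1"):
            entries.append(BlockEntry(tokens[0], tokens[1] == "1"))
        else:
            raise ValueError(f"line {lineno}: expected '<pattern> [0|1]', got {raw!r}")
    return entries


def tag_subject(sender: str, subject: str, entries: List[BlockEntry],
                tag: str = "[SPAM]") -> Tuple[str, Optional[str]]:
    """Mimic the page-248 behaviour: if the sender matches an enabled block-list
    entry, prepend the tag to the subject. Returns (subject, matched pattern)."""
    for entry in entries:
        if entry.enabled and wildcard_to_regex(entry.pattern).match(sender):
            return f"{tag} {subject}", entry.pattern
    return subject, None


# Constructed sample block-list file in the page-249 format (not real data).
SAMPLE_BLOCK_LIST = """spammer@example.com 1
*@junk.example
old@example.org 0
"""

if __name__ == "__main__":
    print(blocked_by_file_pattern("Normal.DOT", ["*.dot"]))   # *.dot
    print(blocked_by_file_pattern("report.doc", ["*.do?"]))   # *.do?
    entries = parse_block_list(SAMPLE_BLOCK_LIST)
    for e in entries:
        print(e)
    print(tag_subject("mailer@Junk.example", "Hello", entries))
```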

  • Page 250

    250 Fortinet Inc. Adding a subject tag Email filter Adding address patterns to the email exempt list To add an address pattern to the email exempt list 1 Go to Email Filter > Exempt List. 2 Select New. 3 Type the address pattern that you want to exempt. • To exempt email sent from a specific email address, type the email address. For [...]

  • Page 251

    FortiGate-50A Installation and Configuration Guide Version 2.50 FortiGate-50A Installation and Configuration Guide 251 Logging and reporting You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email m[...]

  • Page 252

    252 Fortinet Inc. Recording logs Logging and reporting 4 Type the port number of the syslog server. 5 Select the severity level for which you want to record log messages. The FortiGate unit logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error [...]

  • Page 253

    Logging and reporting Filtering log messages FortiGate-50A Installation and Configuration Guide 253 Log message levels Table 23 lists and describes FortiGate log message levels. Filtering log messages You can configure the logs that you want to record and the message categories that you want to record in each log. To filter log entrie[...]

  • Page 254

    254 Fortinet Inc. Configuring traffic logging Logging and reporting 4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3. 5 Select OK. Figure 44: Example log filter configuration Configuring traffic logging Yo[...]

  • Page 255

    Logging and reporting Configuring traffic logging FortiGate-50A Installation and Configuration Guide 255 This section describes: • Enabling traffic logging • Configuring traffic filter settings • Adding traffic filter entries Enabling traffic logging You can enable logging on any interface and firewall policy. Enabling traffic logging [...]

  • Page 256

    256 Fortinet Inc. Configuring traffic logging Logging and reporting 3 Select Apply. Figure 45: Example traffic filter list Adding traffic filter entries Add entries to the traffic filter list to filter the messages that are recorded in the traffic log. If you do not add any entries to the traffic filter list, the FortiGate unit records all tr[...]

  • Page 257

    Logging and reporting Configuring alert email FortiGate-50A Installation and Configuration Guide 257 Figure 46: Example new traffic address entry Configuring alert email You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewal[...]

  • Page 258

    258 Fortinet Inc. Configuring alert email Logging and reporting 3 In the SMTP Server field, type the name of the SMTP server where you want the FortiGate unit to send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit. 4 In the SMTP User field, type a valid email address in the fo[...]

  • Page 259

    FortiGate-50A Installation and Configuration Guide Version 2.50, Glossary. Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an i[...]

  • Page 260

    LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers. MAC address[...]

  • Page 261

    SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address c[...]

  • Page 262


  • Page 263

    FortiGate-50A Installation and Configuration Guide Version 2.50, Index. A: accept policy 141; action policy option 141; ActiveX 240, removing from web pages 240; address 146, adding 147, editing 148, group 148, IP/MAC binding 165, virtual IP 157; address group 148, example 149; address name 147; addressing [...]

  • Page 264

    AutoIKE 180, certificates 180, introduction 180, pre-shared keys 180; automatic antivirus and attack definition updates, configuring 77. B: backing up system settings 64; backup mode, modem 107, 110; bandwidth, guaranteed 142, maximum 143; banned word list, adding words 232, 246, restoring 247; blacklist URL 237, 249; block traffic IP/MAC[...]

  • Page 265

    dialup VPN, viewing connection status 201; disabling NIDS 216; DMZ interface, definition 259; DNS server addresses 100; domain, DHCP 106; downloading attack definition updates 90, virus definition updates 90; dynamic IP list, viewing 107; dynamic IP pool, IP pool 142; dynamic IP/MAC list 163, viewing [...]

  • Page 266

    H: hard disk full alert email 258; HTTP, enabling web filtering 231, 245; HTTPS 150, 259. I: ICMP 151, 259, configuring checksum verification 216; ICMP service, custom 153; idle timeout, web-based manager 122; IKE 259; IMAP 150, 259; Inbound NAT, encrypt policy 142; interface, adding a DHCP server 105, administrative access 97, administrative[...]

  • Page 267

    logging 251, attack log 253, configuring traffic settings 255, connections to an interface 98, email filter log 253, enabling alert email 258, event log 253, filtering log messages 253, log to remote host 251, log to WebTrends 252, message levels 253, recording 251, selecting what to log 253, traffi[...]

  • Page 268

    P: password, adding 172, changing administrator account 125, Fortinet support 89, recovering a lost Fortinet support 86; PAT 159; pattern, web pattern blocking 237; permission, administrator account 125; ping server, adding to an interface 97; policy, accept 141, Anti-Virus & Web filter 143, arranging in policy list 144, Comments 144, d[...]

  • Page 269

    restarting 66; restoring system settings 64; restoring system settings to factory default 65; reverting firmware to an older version 59; RIP, configuring 113, filters 117, interface configuration 115, settings 113; RMA, registering a FortiGate unit 91; route, adding default 100, adding to routing ta[...]

  • Page 270

    status, CPU 67, interface 94, intrusions 69, IPSec VPN tunnel 201, memory 67, network 68, sessions 68, viewing dialup connection status 201, viewing VPN tunnel status 201, virus 69; subnet, definition 261; subnet address, definition 261; support contract number, adding 88, changing 88; support password, changing 89; syn interval 121; synchroniz[...]

  • Page 271

    URL blocking 235, exempt URL list 241, 249, web pattern blocking 237; URL exempt list, see also exempt URL list 241, 249; use selectors from policy, quick mode identifier 189; use wildcard selectors, quick mode identifier 189; user authentication 171; user groups, configuring 177, deleting 178; user [...]

  • Page 272
