Fortinet v3.0 MR7 manual

A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for Fortinet v3.0 MR7 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on account of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction is unambiguous and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for Fortinet v3.0 MR7 one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for Fortinet v3.0 MR7. A good user manual introduces us to a number of additional functions of the purchased item, and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for Fortinet v3.0 MR7 should contain:
- information concerning the technical data of Fortinet v3.0 MR7
- the name of the manufacturer and the year of construction of the Fortinet v3.0 MR7 item
- rules of operation, control and maintenance of the Fortinet v3.0 MR7 item
- safety signs and mark certificates which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually this results from a lack of time and from confidence about the functions of purchased items. Unfortunately, networking and start-up of Fortinet v3.0 MR7 alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (what means should be used), possible defects of Fortinet v3.0 MR7, and methods of problem resolution. If one still cannot find the answer to a problem, one will be directed to Fortinet service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip the complicated, technical information about Fortinet v3.0 MR7.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the Fortinet v3.0 MR7 item, its use with the respective accessories, and information about all its functions and facilities.

After a successful purchase of an item one should find a moment to read every part of the instruction. Currently manuals are carefully prepared and translated so that they can be fully understood by their users. The manual will serve as an informational aid.

Table of contents for the manual

  • Page 1

    www.fortinet.com FortiOS v3.0 MR7 User Authentication User Guide USER GUIDE[...]

  • Page 2

    FortiOS v3.0 MR7 User Authentication User Guide 28 Aug 2008 01-30007-0347-20080828 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwis[...]

  • Page 3

    Contents FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 3 Contents Introduction ..... 5 About authentication ..... 5 User’s view of authentication .[...]

  • Page 4

    FortiOS v3.0 MR7 User Authentication User Guide 4 01-30007-0347-20080828 Contents Users/peers and user groups ..... 31 Users/peers ..... 31 Creating local users .....[...]

  • Page 5

    Introduction About authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 5 Introduction This section introduces you to the authentication process from the user and the administrator’s perspective, and provides supplementary information about Fortinet publications. The following topics are covered in thi[...]

  • Page 6

    FortiOS v3.0 MR7 User Authentication User Guide 6 01-30007-0347-20080828 User’s view of authentication Introduction User’s view of authentication The user sees a request for authentication when they try to access a protected resource. The way in which the request is presented to the user depends on the method of access to that resource[...]

  • Page 7

    Introduction FortiGate administrator’s view of authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 7 FortiClient can store the user name and password for a VPN as part of the configuration for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can request the user name and pas[...]

  • Page 8

    FortiOS v3.0 MR7 User Authentication User Guide 8 01-30007-0347-20080828 FortiGate administrator’s view of authentication Introduction 3 Create user groups. Add local/peer user members to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authe[...]

  • Page 9

    Introduction FortiGate administrator’s view of authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 9 Public Key Infrastructure (PKI) authentication A Public Key Infrastructure (PKI) is a comprehensive system of policies, processes, and technologies working together to enable users of the Internet to [...]

  • Page 10

    FortiOS v3.0 MR7 User Authentication User Guide 10 01-30007-0347-20080828 About this document Introduction Authentication timeout An authenticated connection expires when it has been idle for a length of time that you specify. The authentication timeout value set in User > Authentication > Authentication applies to every user of the s[...]

  • Page 11

    Introduction FortiGate documentation FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 11 • In the examples, private IP addresses are used for both private and public IP addresses. • Notes and Cautions are used to provide important information: Typographic conventions FortiGate documentation uses the following typogra[...]

  • Page 12

    FortiOS v3.0 MR7 User Authentication User Guide 12 01-30007-0347-20080828 Related documentation Introduction • FortiGate Administration Guide Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protectio[...]

  • Page 13

    Introduction Related documentation FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 13 FortiManager documentation • FortiManager QuickStart Guide Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings. • FortiManager System Administration Guide Describes how to [...]

  • Page 14

    FortiOS v3.0 MR7 User Authentication User Guide 14 01-30007-0347-20080828 Customer service and technical support Introduction Fortinet Tools and Documentation CD All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For[...]

  • Page 15

    Authentication servers RADIUS servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 15 Authentication servers FortiGate units support the use of authentication servers. If you are going to use FortiGate authentication servers, you must configure the servers before you configure FortiGate users or user groups that requ[...]

  • Page 16

    FortiOS v3.0 MR7 User Authentication User Guide 16 01-30007-0347-20080828 RADIUS servers Authentication servers In order to support vendor-specific attributes (VSA), the RADIUS server requires a dictionary to define what the VSAs are. Fortinet’s dictionary is configured this way: ## Fortinet’s VSA’s # VENDOR fortinet 12356 BEGIN-VENDOR fo[...]

  • Page 17

    Authentication servers RADIUS servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 17 • Change the FortiGate unit default RADIUS port to 1645 using the CLI: config system global set radius_port 1645 end To configure the FortiGate unit for RADIUS authentication - web-based manager 1 Go to User > Remote > RADIUS [...]

  • Page 18

    FortiOS v3.0 MR7 User Authentication User Guide 18 01-30007-0347-20080828 RADIUS servers Authentication servers To configure the FortiGate unit for RADIUS authentication - CLI config user radius edit <server_name> set all-usergroup {enable | disable} set auth-type <authentication_protocol> set nas-ip <nas_ip_called_id> set [...]

  • Page 19

    Authentication servers LDAP servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 19 To remove a RADIUS server from the FortiGate unit configuration - CLI config user radius delete <server_name> end LDAP servers Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication[...]

  • Page 20

    FortiOS v3.0 MR7 User Authentication User Guide 20 01-30007-0347-20080828 LDAP servers Authentication servers FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers. FortiGate LDAP does not supply information to the user about why authentication fail[...]

  • Page 21

    Authentication servers LDAP servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 21 The output is lengthy, but the information you need is in the first few lines: version: 2 # # filter: (objectclass=*) # requesting: ALL # dn: dc=example,dc=com dc: example objectClass: top objectClass: domain dn: ou=People,dc=example,dc=c[...]

  • Page 22

    FortiOS v3.0 MR7 User Authentication User Guide 22 01-30007-0347-20080828 LDAP servers Authentication servers Figure 3: Configure FortiGate unit for LDAP authentication Name Enter the name that identifies the LDAP server on the FortiGate unit. Server Name/IP Enter the domain name or IP address of the LDAP server. Server Port Enter the TCP po[...]

  • Page 23

    Authentication servers LDAP servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 23 To configure the FortiGate unit for LDAP authentication - CLI config user ldap edit <server_name> set cnid <common_name_identifier> set dn <distinguished_name> set port <port_number> set server <domain> set[...]

  • Page 24

    FortiOS v3.0 MR7 User Authentication User Guide 24 01-30007-0347-20080828 LDAP servers Authentication servers To remove an LDAP server from the FortiGate unit configuration - CLI config user ldap delete <server_name> end Using the Query icon The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all the distin[...]

  • Page 25

    Authentication servers TACACS+ servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 25 TACACS+ servers In recent years, remote network access has shifted from terminal access to LAN access. Users are now connecting to their corporate network (using notebooks or home PCs) with computers that utilize complete networ[...]

  • Page 26

    FortiOS v3.0 MR7 User Authentication User Guide 26 01-30007-0347-20080828 TACACS+ servers Authentication servers Figure 6: TACACS+ server configuration To configure the FortiGate unit for TACACS+ authentication - CLI config user tacacs+ edit <server_name> set auth-type {ascii | auto | chap | ms_chap | pap} set key <server_key> se[...]

  • Page 27

    Authentication servers Directory Service servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 27 To remove a TACACS+ server from the FortiGate unit configuration - CLI config user tacacs+ delete <server_name> end Directory Service servers Windows Active Directory (AD) and Novell eDirectory provide central auth[...]

  • Page 28

    FortiOS v3.0 MR7 User Authentication User Guide 28 01-30007-0347-20080828 Directory Service servers Authentication servers To view the list of Directory Service servers, go to User > Directory Service. Figure 8: Example Directory Service server list Configuring the FortiGate unit to use a Directory Service server You need to configure the[...]

  • Page 29

    Authentication servers Directory Service servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 29 For more information about FSAE, see the FSAE Technical Note. To configure the FortiGate unit for Directory Service authentication - web-based manager 1 Go to User > Directory Service and select Create New. 2 Enter t[...]

  • Page 30

    FortiOS v3.0 MR7 User Authentication User Guide 30 01-30007-0347-20080828 Directory Service servers Authentication servers To remove a Directory Service server from the FortiGate unit configuration - web-based manager 1 Go to User > Directory Service. 2 Select the Delete icon beside the name of the Directory Service server that you wan[...]

  • Page 31

    Authentication servers Directory Service servers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 31 Figure 11: Example Directory Service server list Create New Add a new Directory Service server. Name You can select the Expand arrow beside the server/domain/group name to display Directory Service domain and group info[...]

  • Page 32

    FortiOS v3.0 MR7 User Authentication User Guide 32 01-30007-0347-20080828 Directory Service servers Authentication servers[...]

  • Page 33

    Users/peers and user groups Users/peers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 33 Users/peers and user groups FortiGate authentication controls system access by user group. First you configure users/peers, then you create user groups and add users/peers to them. • Configure local user accounts. For each user[...]

  • Page 34

    FortiOS v3.0 MR7 User Authentication User Guide 34 01-30007-0347-20080828 Users/peers Users/peers and user groups This section describes how to configure local users and peer users. For information about configuration of authentication servers see “Authentication servers” on page 15. Creating local users To define a local u[...]

  • Page 35

    Users/peers and user groups Users/peers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 35 To view a list of all local users, go to User > Local. Figure 13: Local user list To create a local user - CLI config user local edit <user_name> set type password set passwd <user_password> end or User Name Type[...]

  • Page 36

    FortiOS v3.0 MR7 User Authentication User Guide 36 01-30007-0347-20080828 Users/peers Users/peers and user groups config user local edit <user_name> set type ldap set ldap_server <server_name> end or config user local edit <user_name> set type radius set radius_server <server_name> end or config user local edit <user_nam[...]

  • Page 37

    Users/peers and user groups Users/peers FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 37 • a peer user name • the text from the subject field of the certificate of the authenticating peer user, or the CA certificate used to authenticate the peer user. You can configure a peer user with no values for the subject[...]

  • Page 38

    FortiOS v3.0 MR7 User Authentication User Guide 38 01-30007-0347-20080828 Users/peers Users/peers and user groups To create a peer user for PKI authentication - CLI config user peer edit <peer name> set subject <subject_string> set ca <ca_cert_string> end To remove a PKI peer user from the FortiGate unit configuration - web-b[...]

  • Page 39

    Users/peers and user groups User groups FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 39 User groups A user group is a list of user/peer identities. An identity can be: • a local user account (user name/password) stored on the FortiGate unit • a local user account with the password stored on a RADIUS, LDAP, or TA[...]

  • Page 40

    FortiOS v3.0 MR7 User Authentication User Guide 40 01-30007-0347-20080828 User groups Users/peers and user groups For a Directory Service user group, the Directory Service server authenticates users when they log on to the network. The FortiGate unit receives the user’s name and IP address from the FSAE collector agent. For more informatio[...]

  • Page 41

    Users/peers and user groups User groups FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 41 For more information about protection profiles, see the FortiGate Administration Guide. Configuring user groups You create a user group by typing a name, selecting users and/or authentication servers, and selecting a protection pr[...]

  • Page 42

    FortiOS v3.0 MR7 User Authentication User Guide 42 01-30007-0347-20080828 User groups Users/peers and user groups 3 Select OK. To create a firewall user group - CLI config user group edit <group_name> set group-type <grp_type> set member <user1> <user2> ... <user n> set profile <profile_name> end For more spe[...]

  • Page 43

    Users/peers and user groups User groups FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 43 Figure 19: User group configuration - Directory Service Configuring SSL VPN user groups For detailed instructions about how to configure SSL VPN web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide. Name T[...]

  • Page 44

    FortiOS v3.0 MR7 User Authentication User Guide 44 01-30007-0347-20080828 User groups Users/peers and user groups Configuring Peer user groups Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. You use the peer groups you define here in the config vpn ipse[...]

  • Page 45

    Users/peers and user groups User groups FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 45 To remove a user group from the FortiGate unit configuration - web-based manager 1 Go to User > User Group. 2 Select the Delete icon beside the name of the user group that you want to remove. 3 Select OK. Figure 21: Remove user [...]

  • Page 46

    FortiOS v3.0 MR7 User Authentication User Guide 46 01-30007-0347-20080828 User groups Users/peers and user groups[...]

  • Page 47

    Configuring authenticated access Authentication timeout FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 47 Configuring authenticated access When you have configured authentication servers, users, and user groups, you are ready to configure firewall policies and certain types of VPNs to require user authentication. T[...]

  • Page 48

    FortiOS v3.0 MR7 User Authentication User Guide 48 01-30007-0347-20080828 Firewall policy authentication Configuring authenticated access When user authentication is enabled on a firewall policy, the authentication challenge is normally issued for any of the four protocols (dependent on the connection protocol). By making selections in the P[...]

  • Page 49

    Configuring authenticated access Firewall policy authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 49 The style of the authentication method varies by the authentication protocol. If you have selected HTTP, FTP or Telnet, user name and password-based authentication occurs: the FortiGate unit prompts netwo[...]

  • Page 50

    FortiOS v3.0 MR7 User Authentication User Guide 50 01-30007-0347-20080828 Firewall policy authentication Configuring authenticated access 7 One at a time, select user group names from the Available Groups list and select the right-pointing arrow button to move them to the Allowed list. All members of the groups in the Allowed list will be auth[...]

  • Page 51

    Configuring authenticated access Firewall policy authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 51 The FortiGate unit performs authentication only on requests to access HTTP, HTTPS, FTP, and Telnet. Once the user is authenticated, the user can access other services if the firewall policy permits. 4 Se[...]

  • Page 52

    FortiOS v3.0 MR7 User Authentication User Guide 52 01-30007-0347-20080828 VPN authentication Configuring authenticated access VPN authentication All VPN configurations require users to authenticate. Authentication based on user groups applies to: • SSL VPNs • PPTP and L2TP VPNs • an IPSec VPN that authenticates users using dialup groups [...]

  • Page 53

    Configuring authenticated access VPN authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 53 Server Certificate Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate [...]

  • Page 54

    FortiOS v3.0 MR7 User Authentication User Guide 54 01-30007-0347-20080828 VPN authentication Configuring authenticated access To configure authentication for an SSL VPN - CLI config vpn ssl settings set algorithm set auth-timeout set dns-server1 set dns-server2 set idle-timeout set portal-heading set reqclientcert set route-source-interface set [...]

  • Page 55

    Configuring authenticated access VPN authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 55 To enable strong authentication for an SSL VPN 1 Go to VPN > SSL > Config. 2 Select Require Client Certificate, and then select Apply. 3 Go to Firewall > Policy. 4 Select the Edit icon in the row that corresp[...]

  • Page 56

    FortiOS v3.0 MR7 User Authentication User Guide 56 01-30007-0347-20080828 VPN authentication Configuring authenticated access 4 Enter Starting IP and Ending IP addresses. This defines the range of addresses assigned to VPN clients. 5 Select the user group that is to have access to this VPN. The FortiGate unit authenticates members of this use[...]

  • Page 57

    Configuring authenticated access VPN authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 57 2 Go to VPN > IPSec > Auto Key (IKE), select Create Phase 1 and enter the following information. Figure 28: Configure VPN IPSec dialup authentication 3 Select Advanced to reveal additional parameters and confi[...]

  • Page 58

    FortiOS v3.0 MR7 User Authentication User Guide 58 01-30007-0347-20080828 VPN authentication Configuring authenticated access Configuring XAuth authentication Extended Authentication (XAuth) increases security by requiring additional user authentication in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit chall[...]

  • Page 59

    Configuring authenticated access VPN authentication FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080828 59 3 Select Advanced to reveal additional parameters and enter the following information. 4 Configure other VPN gateway parameters as needed. 5 Select OK. For more information about XAUTH configuration, see the FortiGate [...]

  • Page 60

    FortiOS v3.0 MR7 User Authentication User Guide 60 01-30007-0347-20080828 VPN authentication Configuring authenticated access[...]

  • Page 61

    Index FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080731 61 Index A Active Directory - see Directory Service administrator authentication 7 ASCII 25 attributes RADIUS 15 authenticated access configuring 47 authenticating users FortiGate 33 with LDAP servers 34 with RADIUS servers 34 with TACACS+ servers 34 authentication 54 abo[...]

  • Page 62

    FortiOS v3.0 MR7 User Authentication User Guide 62 01-30007-0347-20080731 Index FSAE collector agent 27 FSAE domain controller 27 redundant configuration 28 removing from FortiGate configuration 30 retrieving information from LDAP server 28 viewing domain and group information 30 viewing list of 28 Directory Service user groups configuring 42 crea[...]

  • Page 63

    Index FortiOS v3.0 MR7 User Authentication User Guide 01-30007-0347-20080731 63 list order changing 50 firewall policy 50 local users configuring 34 creating 34 deleting from FortiGate configuration 36 removing from FortiGate configuration 36 viewing list of 35 M MS-CHAP 25 N Novell eDirectory - see Directory Service P PAP 25 peer user groups con[...]

  • Page 64

    FortiOS v3.0 MR7 User Authentication User Guide 64 01-30007-0347-20080731 Index timeout authentication 10 tunnel mode SSL VPN IP range 52 types of user groups 39 types of users 33 Typographic conventions 11 U user authentication IPSec VPN dialup users 56 L2TP VPN 56 PPTP VPN 55 protocols 47 SSL VPN 52 timeout 47 XAuth 58 user groups 39 about 9 cre[...]

  • Page 65

    www.fortinet.com[...]

  • Page 66

    www.fortinet.com[...]