Fortinet 60c manual

FortiGate 60 Installation Guide INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN 1 WAN 2 PWR ST A TUS Ve r s i o n 2 . 8 0 M R 8 28 January 2005 01-28008-00 18-2005012 8[...]

© Copyright 2005 Fortine t Inc. All rights rese rved. No part of this publication incl uding text, examples , diagrams or illustrations may be reproduced, transmitted, or translated in any form or by an y means, electro nic, mechanical, manual, optical or otherwise, for any purpose, without prio r written pe rmission of Fort inet Inc. FortiGate-60[...]

Contents FortiGate-60 Installation Guide 01-28008-0018-20050128 3 Table of Contents Introduction ............. .............................. ........................................................ ......... 5 Secure installation, configurat ion, and management ................ ...................... .................... 5 Web-based manager ......[...]

Contents 4 01-28008-0018-2005012 8 Fortinet Inc. Using the command line interface... ......................... ....................... ....................... ........... 30 Configuring the FortiGate unit to operate in NAT/Route mode ...... ....................... ........ 30 Using the setup wizard............. ....................... .............[...]

FortiGate-60 Inst allation Guide V ersion 2.80 MR8 FortiGate-60 Installation Guide 01-28008-0018-20050128 5 Introduction FortiGate A ntivirus Firewalls im prove network se curity , reduce network misu se and abuse, and help you use communication s resources more efficiently without compromising the performance of yo ur netw ork. FortiGate Antivirus[...]

6 01-28008-0018-2005012 8 Fortinet Inc. Secure installation, configurat ion, and management Introduction The CLI or the web-based manager can then be used to comple te configuration and to perform maintenance and administration. Web-based manager Using HTTP or a secure HTTPS connection from any co mputer running Internet Explorer , you can configur[...]

Introduction Document conventions FortiGate-60 Installation Guide 01-28008-0018-20050128 7 Setup wizard The FortiGate setup wizard p r ovides an easy way to configure the basic initial settings for the FortiGate unit. Th e wizard walks through the con f iguration of a ne w administrato r password, FortiGate interfaces, DHCP server settings, inte rn[...]

8 01-28008-0018-2005012 8 Fortinet Inc. FortiGate documentation Introduction For example: set allowaccess {ping https ssh snmp http telnet} Y ou can enter any of the following: set allowaccess ping set allowaccess ping https ssh set allowaccess https ping ssh set allowaccess snmp In most ca ses to make chan ges to list s that cont ain options separ[...]

Introduction Related documentati on FortiGate-60 Installation Guide 01-28008-0018-20050128 9 • FortiGate I PS Guide Describes how to configure the FortiGate Intrusion Prevention System setting s and how the FortiGate IPS deals with some common att a cks. • FortiGate VPN Guide Explains how to configur e VPNs using the web-b a sed mana ger . Fort[...]

10 01-28008-0018-2005012 8 Fortinet Inc. Customer service and technical support Introduction FortiMail documentation • FortiMail Administration Guide Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit; create profiles and policies; configure antisp a m and antiviru[...]

Introduction Customer service a nd technical suppo rt FortiGate-60 Installation Guide 01-28008-0018-20050128 11 For information on Fortinet tele phone su pport, see http://support.fortinet .com. When requesting tech nical support, please provide the following informa tion: • Y our name • Compa ny name •L o c a t i o n • Email address • T [...]

12 01-28008-0018-2005012 8 Fortinet Inc. Customer service and technical support Introduction[...]

FortiGate-60 Inst allation Guide V ersion 2.80 MR8 FortiGate-60 Installation Guide 01-28008-0018-20050128 13 Getting st arted This section describes unp acking, setting up, and powering on a FortiGate Antivirus Firewall unit. This section includes: • Package content s • Mounting • T urning the FortiGate unit power on and of f • Connecting t[...]

14 01-28008-0018-2005012 8 Fortinet Inc. Package contents Getting started Package content s The FortiGate-60 p ackage contains the following items: • FortiGate-6 0 Antivirus Firewall • one orange crossover ethe rnet cable (Fortinet part number CC300248) • one gray regular ethern et cable (Fortinet pa rt number CC300249) • one RS-232 null mo[...]

Getting sta rted Turning the Fo rtiGa te unit power on and off FortiGate-60 Installation Guide 01-28008-0018-20050128 15 Power requirements • DC input voltage: 12 V • DC input current: 3 A Environmental specifications • Operating temperature: 32 to 10 4°F (0 to 40°C) • S torage temperature: -13 to 158°F (-25 to 70°C) • Humidity: 5 to [...]

16 01-28008-0018-2005012 8 Fortinet Inc. Connecting to the web-based manager Getting started Connecting to the web-based manager Use the followin g procedure to connect to the web-based manager for the first time. Configuration changes ma de with the web- based m anager are effective immediately without resetting the firewall or in terrupting servi[...]

Getting started Connecting to the command line interface (CLI) FortiGate-60 Installation Guide 01-28008-0018-20050128 17 Connecting to the command line interface (CLI) As an alternative to the web-based ma nager , you can install and configure the FortiGate unit using the CLI. Configuration changes mad e with the CLI are effective immediately witho[...]

18 01-28008-0018-2005012 8 Fortinet Inc. Quick installation us ing factory defaults Getting started Quick inst allation using factory default s Y ou can quickly set up your FortiGate unit for a home or sm all office using the web- based manager a nd the factory default FortiG ate configur ation. All you need to do is set your network computers to o[...]

Getting started Factory default FortiGate configurati on settings FortiGate-60 Installation Guide 01-28008-0018-20050128 19 7 Select one of the following DNS settings • Obtain DNS se rver address automatically: select to get the DNS addresses from the ISP , select Apply • Use the following DNS server addresse s: select and ente r the DNS server[...]

20 01-28008-0018-2005012 8 Fortinet Inc. Factory default FortiGate confi guration settings Getting started Factory default NAT/Route m ode network configuration When the FortiGate unit is first p o wered on , it is running in NA T/Rout e mode and has the basic netw ork configuration list ed in T able 3 on pag e 20 . This configuration allows you to[...]

Getting started Factory default FortiGate configurati on settings FortiGate-60 Installation Guide 01-28008-0018-20050128 21 Factory default Transparent mode network configuration In T ransparent mode, the FortiGate un it has the default network configuration listed in Ta b l e 4 . Factory default firewall configuration FortiGate firewall policies c[...]

22 01-28008-0018-2005012 8 Fortinet Inc. Factory default FortiGate confi guration settings Getting started The factory default firewall configu ration is the same in NA T/Route and T ranspar ent mode. Factory default protection profiles Use protection profiles to apply dif ferent protection settings for traffic that is controlled by firewall po lic[...]

Getting started Planning the FortiGate configura tion FortiGate-60 Installation Guide 01-28008-0018-20050128 23 Figure 5: Web protection profile settings Planning the FortiGate configuration Before you configure the Fo rtiGate unit, you need to plan how to integrate the unit into the network. Amo ng other things, you mu st decide whether you wan t [...]

24 01-28008-0018-2005012 8 Fortinet Inc. Planning the FortiGa te configuration Getting started Y ou must configure routing to support the redundant W AN1 and W AN2 internet connections. Routing can be used to au tomatically redirect connections from an interface if its connectio n to the external network fails. Y ou c an add firewall policies to co[...]

Getting started Planning the FortiGate configura tion FortiGate-60 Installation Guide 01-28008-0018-20050128 25 Otherwise, security policy configuration is similar to a NA T/Route mode configuration with a single Internet connection. Y ou wo uld create NA T mode firewall policies to control traffic flowing between the internal, private networ k and[...]

26 01-28008-0018-2005012 8 Fortinet Inc. Next steps Getting started Configuration options Once you have selected T ranspar ent or NA T/Route mode operatio n, you can complete the configuration plan an d begin to configure the FortiGate unit. Choose among three dif ferent tools to configure the FortiGate unit. Web-based manager and setup wizard The [...]

FortiGate-60 Inst allation Guide V ersion 2.80 MR8 FortiGate-60 Installation Guide 01-28008-0018-20050128 27 NA T/Route mode inst allation This chapter describes how to inst all the FortiGate un it in NA T/Route mode. For information about installing a FortiGate unit in T ransparent mode, see “Tr ansparent mode inst allation” on pag e 39 . For [...]

28 01-28008-0018-2005012 8 Fortinet Inc. Using the web-based ma nager NAT/Route mode installa tion DHCP or PPPoE configuration Y ou can configure any FortiGate interface to acquire its IP address from a DHCP or PPPoE server . Y our ISP may provide IP add resses using one of these protocols. T o use the FortiGate DHCP server , you need to configure [...]

NAT/Route mode installati on Using the web-based manager FortiGate-60 Installation Guide 01-28008-0018-20050128 29 Configuring basic settings After conne c ting to the web-based manager you can use the following procedures to complete the basic configurat ion of th e FortiGate unit. T o add/change the administrator p assword 1 Go to System > Adm[...]

30 01-28008-0018-2005012 8 Fortinet Inc. Using the command line interface NAT/Route mode installa tion 1 Go to System > Router > St atic . 2 If the S tatic Route t able contai ns a default route (IP and Mask set to 0.0.0.0) , select the Delete icon to delete this route. 3 Select Create New . 4 Set Destination IP to 0. 0.0.0. 5 Set Mask to 0.0[...]

NAT/Route mode installation Using the command line interface FortiGate-60 Installation Guide 01-28008-0018-20050128 31 Example config system interface edit internal set mode static set ip <192.168.120.99> <255.255.255.0> end 3 Set the IP address an d netmask of the WAN1 interface to the IP addr ess and netmask that you recorded in T abl[...]

32 01-28008-0018-2005012 8 Fortinet Inc. Using the setu p wizard NAT/Route mode installa tion T o configure DNS server sett ings • Set the primar y and secondary DNS server IP addresses. Enter config system dns set primary <address_ip> set secondary <address_ip> end Example config system dns set primary 293.44.75.21 set secondary 293.[...]

NAT/Route mode installati on Using the setup wizard FortiGate-60 Installation Guide 01-28008-0018-20050128 33 If you are configuring the FortiGate unit to operate in NA T/Route mode (the default), you can use the setup wizar d to: • add the administration p assword • configure the inter nal interface address • choose either a manual (static) [...]

34 01-28008-0018-2005012 8 Fortinet Inc. Connecting the FortiGate unit to the network(s) NAT/Route mode installati on Starting the setup wizard 1 In the web-based manager, sele ct Easy Setup Wizard. Figure 9: Select the Easy Setup W izard 2 Follow the instructions on th e wizard pages and use the in formation that you gathered in T able 6 on page 2[...]

NAT/Route mode installati on Connecting the FortiGate unit to the ne twork(s) FortiGate-60 Installation Guide 01-28008-0018-20050128 35 • One DMZ port for connectin g to a DMZ network. • Modem is the interface for connecting an external modem to the FortiGate-60 . See “Configuring the Modem interface” on p age 36 T o connect the FortiGate u[...]

36 01-28008-0018-2005012 8 Fortinet Inc. Configuring the netw orks NAT/Route mode installati on Configuring the networks If you are running the FortiGate unit in NA T/Route mode, your networks must be configured to route all Internet traf fic to t he IP address of the FortiGate interface to which they are connected. • For the internal ne twork, c[...]

NAT/Route mode installati on Next steps FortiGate-60 Installation Guide 01-28008-0018-20050128 37 T o set the date and time For effective scheduling and logging, the FortiGate syst em date and time must be accurate. Y ou can either man ually set the system date and time or configure the FortiGate unit to automatically keep it s ti me correct by syn[...]

38 01-28008-0018-2005012 8 Fortinet Inc. Next steps NAT/Route mode installati on 1 Go to System > Maintenance > Up date Center . 2 Select Refresh to test the FortiGate unit connectivity with the FortiProte ct Distribution Network (FDN). T o be able to connect to the FDN the Fort iGate unit default route must point to a network such as the Int[...]

FortiGate-60 Inst allation Guide V ersion 2.80 MR8 FortiGate-60 Installation Guide 01-28008-0018-20050128 39 T ransp arent mode inst allation This chapter de scribes how to install a FortiGate unit in T ranspar ent mode. If you want to install the FortiGate un it in NA T/Ro ute m ode, see “NA T/Route mode installation” on pag e 27 . If you want[...]

40 01-28008-0018-2005012 8 Fortinet Inc. Using the web-based manage r Transparent mode installa tion Using the web-based manager Y ou can use the web-based manager to complete the initial configuration of the FortiGate unit. Y ou can continue to use the web-based manager for all FortiGate unit settings. For information about co nnecting to the web-[...]

Transparent mode installatio n Using the command line interface FortiGate-60 Installation Guide 01-28008-0018-20050128 41 T o configure DNS server sett ings 1 Go to System > Network > DNS . 2 Enter the IP address of the primary DNS se rver . 3 Enter the IP address of the secondary DNS server . 4 Select OK. T o configure the default gateway 1 [...]

42 01-28008-0018-2005012 8 Fortinet Inc. Using the command line interface Transparent mode i nstallation The CLI displa ys the status of the For tiGat e unit including the following line of text: Operation mode: Transparent T o configure the management IP address 1 Make sure that you are logge d into the CLI. 2 Set the management IP addr ess and ne[...]

Transparent mode installatio n Using the setup wizard FortiGate-60 Installation Guide 01-28008-0018-20050128 43 Example If the default gate way IP is 204.23.1.2 and this gateway is connected to port 2: config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway 204.23.1.2 set device port2 end Using the setup wizard From the web-based manager, y[...]

44 01-28008-0018-2005012 8 Fortinet Inc. Connecting the FortiGate unit to your network Transparent mode installation Connecting the FortiGate unit to your network When you have com pleted the initial conf iguration, you can conne ct the FortiGate unit between yo ur internal netw ork and the Inter net using the In ternal and WAN1 interfaces. Y ou ca[...]

Transparent mode installatio n Next steps FortiGate-60 Installation Guide 01-28008-0018-20050128 45 Next step s Y ou can use the following information to co nfigure FortiGate system t ime, to register the FortiGate unit, and to configure ant ivirus and attack definition updates. Refer to the FortiGate Administration Guide for complete informat ion [...]

46 01-28008-0018-2005012 8 Fortinet Inc. Next steps Transparen t mode installation 1 Go to System > Maintenance > Up date Center . 2 Select Refresh to test the FortiGate unit connectivity with the FortiProte ct Distribution Network (FDN). T o be able to connect to the FDN the Fort iGate unit default route must point to a network such as the I[...]

FortiGate-60 Inst allation Guide V ersion 2.80 MR8 FortiGate-60 Installation Guide 01-28008-0018-20050128 47 High availability inst allation This chapter describes how to install two or more FortiGate units in an HA cluster . HA installation involves three basic steps: • Configuring FortiGate un its for HA operation • Connecting the cluster to [...]

48 01-28008-0018-2005012 8 Fortinet Inc. Configuring FortiGate units for HA operation High availability installati on T a ble 10: High availability settings Mode Active-Active Load balancing and failo ve r HA. Each FortiGate unit in the HA cluster actively processes co nnections and monitors the statu s of the ot her FortiGate units in the cluster [...]

High availability installation Confi guring FortiGate units for HA operation FortiGate-60 Installation Guide 01-28008-0018-20050128 49 Configuring FortiGate units for HA using the web-based manager Use the followin g procedure to configure each FortiGate unit f or HA operation. T o change the FortiGate unit host name Changing th e host name is op t[...]

50 01-28008-0018-2005012 8 Fortinet Inc. Configuring FortiGate units for HA operation High availability installati on T o configure a FortiGate unit for HA operation 1 Go to System > Config > HA . 2 Select High Availability . 3 Select the mode. 4 Select a Group ID for the HA cluster . 5 If required, change the Unit Priority . 6 If required, s[...]

High availability installation Conne cting the cluste r to your networks FortiGate-60 Installation Guide 01-28008-0018-20050128 51 T o configure the FortiGate unit for HA operation 1 Configure HA settings. Use the following command to: • Set the HA mode • Set the Group ID • Change the unit priority • Enable ov erride master • Enter an HA [...]

52 01-28008-0018-2005012 8 Fortinet Inc. Connecting the cluster to your ne tworks High availability installation Inserting an HA cluster into your networ k temporar ily interrupt s communications on the network because new phys ical connections are being made to route traf fic through the cluster . Also, starting th e cluster interrup ts network tr[...]

High availability installation Inst alling and configu ring the cluster FortiGate-60 Installation Guide 01-28008-0018-20050128 53 2 Power on all the FortiGat e units in the cluster . As the units st art, they negotiate to choose the primary cluster unit and the subordinat e units. This negotiation occurs with no user inte rvention and normally just[...]

54 01-28008-0018-2005012 8 Fortinet Inc. Installing and configuring the cluster High availability installati on[...]

FortiGate-60 Inst allation Guide V ersion 2.80 MR8 FortiGate-60 Installation Guide 01-28008-0018-20050128 55 Configuring the modem interface The FortiG ate-60 includes th e option of an external modem for use as e ither a redundant interface or a st andalone interface in NA T/Route mode. • In redundant mode , the modem interface au tomatically ta[...]

56 01-28008-0018-2005012 8 Fortinet Inc. Selecting a modem mode Configuring the modem interface For the For tiGate unit to switc h from an ethe rnet interface t o the modem yo u must select the name of the interf ace in the modem configuration and configure a ping server for that interface. Y ou must also configure firewall policies for connections[...]

Configuring the modem i nterface Configuring modem settings FortiGate-60 Installation Guide 01-28008-0018-20050128 57 3 Configure other modem settings as required. See “Configuring modem settings” on page 5 7 . Make sure there is correct info rmation in one or more Dialup Accounts. 4 Configure firewall policies for conn ections to the mode m in[...]

58 01-28008-0018-2005012 8 Fortinet Inc. Connecting and disconnecting the modem in Stand alone mode Configuring the modem interface Y ou can configure and use the modem in NA T/Route mode only . T o configure modem settings 1 Go to System > Network > Modem . 2 Select Enable Modem. 3 Change any of the followin g dialup connection settin gs: 4 [...]

Configuri ng the modem interface Defining a Ping Server FortiGate-60 Installation Guide 01-28008-0018-20050128 59 5 Select Dial Now . The FortiGate unit initiates dialing into ea ch dialup acco unt in turn until the modem connect s to an ISP . Modem status is one of the following: A green check mark indicates the active dialup account. The IP addre[...]

60 01-28008-0018-2005012 8 Fortinet Inc. Adding firewall policies for modem conn ections Configuring the modem interface 3 For Fail-over Detection, type a number of times that th e connec tion test fails before the FortiGate unit assumes that t he gateway is no longer function ing. 4 Select Apply . Adding firewall policies for modem connections The[...]

FortiGate-60 Installation Guide 01-28008-0018-20050128 61 FortiGate-60 Inst allation Guide V ersion 2.80 MR8 Index A auto-dial 57 C CLI 6 configuring IP addresses 41 configuring NAT/Route mode 30 connecting to 17 cluster connecting 51, 53 command line interface 6 configuring redundant mode 55 configuring standalone mode 56 connect cluster 51, 53 co[...]

62 01-28008-0018-2005012 8 Fortinet Inc. Index S set time 37, 45 setup wizard 28, 32, 40, 43 starting 2 9, 34, 40, 43 standalone mode configuring 56 modem 55, 56 starting I P DHCP 20 synchronize with NTP server 37, 45 T technical support 10 time zone 37, 45 Transparen t mode changing to 41 configuring the defa ult gateway 42 management IP address 4[...]