Fortinet FortiGate 400 инструкция обслуживания

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308

Идти на страницу of

Хорошее руководство по эксплуатации

Законодательство обязывает продавца передать покупателю, вместе с товаром, руководство по эксплуатации Fortinet FortiGate 400. Отсутствие инструкции либо неправильная информация, переданная потребителю, составляют основание для рекламации в связи с несоответствием устройства с договором. В законодательстве допускается предоставлении руководства в другой, чем бумажная форме, что, в последнее время, часто используется, предоставляя графическую или электронную форму инструкции Fortinet FortiGate 400 или обучающее видео для пользователей. Условием остается четкая и понятная форма.

Что такое руководство?

Слово происходит от латинского "instructio", тоесть привести в порядок. Следовательно в инструкции Fortinet FortiGate 400 можно найти описание этапов поведения. Цель инструкции заключается в облегчении запуска, использования оборудования либо выполнения определенной деятельности. Инструкция является набором информации о предмете/услуге, подсказкой.

К сожалению немного пользователей находит время для чтения инструкций Fortinet FortiGate 400, и хорошая инструкция позволяет не только узнать ряд дополнительных функций приобретенного устройства, но и позволяет избежать возникновения большинства поломок.

Из чего должно состоять идеальное руководство по эксплуатации?

Прежде всего в инструкции Fortinet FortiGate 400 должна находится:
- информация относительно технических данных устройства Fortinet FortiGate 400
- название производителя и год производства оборудования Fortinet FortiGate 400
- правила обслуживания, настройки и ухода за оборудованием Fortinet FortiGate 400
- знаки безопасности и сертификаты, подтверждающие соответствие стандартам

Почему мы не читаем инструкций?

Как правило из-за нехватки времени и уверенности в отдельных функциональностях приобретенных устройств. К сожалению само подсоединение и запуск Fortinet FortiGate 400 это слишком мало. Инструкция заключает ряд отдельных указаний, касающихся функциональности, принципов безопасности, способов ухода (даже то, какие средства стоит использовать), возможных поломок Fortinet FortiGate 400 и способов решения проблем, возникающих во время использования. И наконец то, в инструкции можно найти адресные данные сайта Fortinet, в случае отсутствия эффективности предлагаемых решений. Сейчас очень большой популярностью пользуются инструкции в форме интересных анимаций или видео материалов, которое лучше, чем брошюра воспринимаются пользователем. Такой вид инструкции позволяет пользователю просмотреть весь фильм, не пропуская спецификацию и сложные технические описания Fortinet FortiGate 400, как это часто бывает в случае бумажной версии.

Почему стоит читать инструкции?

Прежде всего здесь мы найдем ответы касательно конструкции, возможностей устройства Fortinet FortiGate 400, использования отдельных аксессуаров и ряд информации, позволяющей вполне использовать все функции и упрощения.

После удачной покупки оборудования/устройства стоит посвятить несколько минут для ознакомления с каждой частью инструкции Fortinet FortiGate 400. Сейчас их старательно готовят или переводят, чтобы они были не только понятными для пользователя, но и чтобы выполняли свою основную информационно-поддерживающую функцию.

Содержание руководства

  • Страница 1

    FortiGate 400 Installation and Configuration Guide 4 / HA 3 CONSOLE 1 2 Esc Enter FortiGate User Manual V olume 1 Ve r s i o n 2 . 5 0 M R 2 18 August 2003[...]

  • Страница 2

    © Copyright 2003 Fortine t Inc. All rights reserved . No part of this publication incl uding text, examples , diagrams or illustrations may be reproduced, transmitted, or translated in any form or by an y means, electro nic, mechanical, manual, optical or otherwise, for any purpose, without prio r written permiss ion of Fort inet Inc. FortiGate-40[...]

  • Страница 3

    Contents FortiGate-400 Installation and Configuration Guide 3 Table of Contents Introduction ............. ................................ .................................................. ........... 15 Antivirus protection ......................... ................ ................ ............. ................ ............. ........ 15 Web co[...]

  • Страница 4

    Contents 4 Fortinet Inc. Planning your FortiGate configurat ion ............... ................ ............. ................ ................ .. 39 NAT/Route mode ........... ................ ............. ................ ............. ................ ............. ........ 39 NAT/Route mode with multiple external networ k connections .... ...[...]

  • Страница 5

    Contents FortiGate-400 Installation and Configuration Guide 5 Completing the configuration ................... ....... ...... ................ ............. ............. ............. ..... 64 Setting the date and time .................. ................ ............. ................ ............. ................ .. 64 Enabling antivirus protect[...]

  • Страница 6

    Contents 6 Fortinet Inc. System status .......... ................................ .................................................. ........... 93 Changing the FortiGate host name .......... ................ ................. ............ ................. ........... 94 Changing the FortiGate firmware ............. ................ .............[...]

  • Страница 7

    Contents FortiGate-400 Installation and Configuration Guide 7 Updating registration information ................ .... ......... ................. ............ ............. ............. 128 Recovering a lost Fortinet s upport password .............. ............. ................ ............. ...... 128 Viewing the list of registered FortiGate un[...]

  • Страница 8

    Contents 8 Fortinet Inc. Adding RIP filters ............... ............. ................ ............. ................ ............. ................ ...... 154 Adding a single RIP filter ......... ............. ................ ............. ................ ............. ............. 154 Adding a RIP filter list ........ ................ ....[...]

  • Страница 9

    Contents FortiGate-400 Installation and Configuration Guide 9 Services ............ ............. ............. ................ ............. ................. ............ ............. .......... ... 182 Predefined services .................... ............ ............. ................. ............ ................. ......... 182 Providing ac[...]

  • Страница 10

    Contents 10 Fortinet Inc. IPSec VPN .................... ................................................. .............. ............... ......... 209 Key management ........... ............. ................ ............. ................. ............ ................. ......... 210 Manual Keys .............. ............. ................ .....[...]

  • Страница 11

    Contents FortiGate-400 Installation and Configuration Guide 11 Network Intrusion Detection System (NIDS) .... ............................ ............ ....... 249 Detecting attacks ............... ............. ................ ............. ............. ................ ............. ......... 2 49 Selecting the interfaces to monitor .... ......[...]

  • Страница 12

    Contents 12 Fortinet Inc. URL blocking............... ............. ................ ............. ................ ............. ................ ............. 269 Using the FortiGate web filter ........... ............. ................ ................ ............. ................ 269 Using the Cerberian web filter ........ ............. .....[...]

  • Страница 13

    Contents FortiGate-400 Installation and Configuration Guide 13 Glossary ............... ................................. ................................................. ............ 295 Index .............. ................................. ............................................ ............... .......... 299[...]

  • Страница 14

    Contents 14 Fortinet Inc.[...]

  • Страница 15

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 15 Introduction The FortiGate Antivirus Firewall suppor ts network-based dep loyment of application-leve l services—in cluding antiviru s protection and full-scan con tent filtering. FortiGate A ntivirus Firew alls improv e net[...]

  • Страница 16

    16 Fortinet Inc. Web content filtering Introduction For extra prot ection, you also con figure antivi rus protection to block files of specified file types from passing thr ough the FortiGate unit. Y ou can use the feature to stop files that may cont ain new viruses. If the FortiGate unit cont ains a hard disk, infected or blocked files can be quar[...]

  • Страница 17

    Introduction Firewall FortiGate-400 Installation and Configuration Guide 17 Y ou can configure Email blocking to tag email from all or so me senders within organizations that are known to send sp am email. T o prevent u nintentional tagging of email from legitimate se nders, you can add se nder address p atterns to an exempt list that overrides the[...]

  • Страница 18

    18 Fortinet Inc. VLAN Introduction Transparent mode T ransparent mode provides the same basic fire wall protection as NA T mode. Packets received by the FortiGate unit are intellig ently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your netwo[...]

  • Страница 19

    Introduction VPN FortiGate-400 Installation and Configuration Guide 19 VPN Using FortiGate virtual private network ing (VPN), you can provide a secure connection between wid ely separated office netw orks or secu rely link telec ommuters or travellers to an of fice network. FortiGate VPN features include the following: • Industry stan dard and IC[...]

  • Страница 20

    20 Fortinet Inc. Secure installation, configurat ion, and management Introduction Secure inst allation, configuration, and management Installation is quick and simp le. Th e first time you turn on the FortiGate unit, it is already configured with de fault IP addres ses and security po licies. Connect to the web-based manager , set the operating mod[...]

  • Страница 21

    Introduction Secure installation, configura tion, and management FortiGate-400 Installation and Configuration Guide 21 Command line interface Y ou can access the FortiGate command line interface (CLI) by connecting a management compute r serial port to the Fo rtiGate RS-232 serial Console connector . Y ou can also use T elnet or a secure SSH co nne[...]

  • Страница 22

    22 Fortinet Inc. What’s new in Version 2.50 Introduction What’ s new in V ersion 2.50 This section present s a brief summary of so me of the new features in FortiOS v2.50: System administration • Improved graphica l FortiGate system heal th monitoring that include s CPU and memory usage, se ssion number an d netwo rk bandwid th usage, and the[...]

  • Страница 23

    Introduction What’s new in Version 2.50 FortiGate-400 Installation and Configuration Guide 23 HA • Active-active HA using switches and with the ability to s elect the schedule • T ransparent mode HA • A/V update for HA clusters • Configuration synchronizing fo r HA See “High av ailability” on page 75 . Replacement messages Y ou can cu[...]

  • Страница 24

    24 Fortinet Inc. What’s new in Version 2.50 Introduction NIDS See the FortiGate NIDS Guide for a complete description of F ortiGate NIDS functionality . New features includ e: • Attack detection signature group s • User-configuration att ack prevention • Monitor multiple in terfaces for att acks • Monitor VLAN subinterfaces for attacks ?[...]

  • Страница 25

    Introduction About this document FortiGate-400 Installation and Configuration Guide 25 About this document This inst allation and con figuration guide descr ibes how to inst all and configure the FortiGate-400. This documen t contains the following infor mation: • Getting started describes unp acking, mounting, and powering on the FortiGate. • [...]

  • Страница 26

    26 Fortinet Inc. Document co nventions Introduction Document conventions This guide uses the fo llowing conven tions to de scribe CLI co mmand syntax. • angle brac kets < > to indicate variable keywords For example: execute restore config <filename_str> Y ou enter restore config myfile.bak <xxx_str> indicates an ASCII string var[...]

  • Страница 27

    Introduction Fortinet documentati on FortiGate-400 Installation and Configuration Guide 27 Fortinet document ation Information about FortiGate product s is av ailable from the follo wing FortiGate User Manual volumes: • V olume 1: FortiGate Installation and Configurat ion Guide Describes installation and basic configurat ion for the FortiGate uni[...]

  • Страница 28

    28 Fortinet Inc. Customer service and technical support Introduction Customer service and technical support For antiviru s and attack d efinition u p dates, firmware updates, updated product documentation , technical support informatio n , and other resources, please visit the Fortinet technical support we b site at http://support.fortinet.com. Y o[...]

  • Страница 29

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 29 Getting st arted This chapter describes unpacking, sett ing up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedure s in this chapter , you can proceed to one of the following: • If you a[...]

  • Страница 30

    30 Fortinet Inc. Package contents Getting started Package content s The FortiGate-400 p ackage contains the following items: • FortiGate -400 Antivirus Fir ewall • one orange crossover ethern et cable • one gray regular ethernet cable • one null modem cable • FortiGate -400 QuickS ta rt Guide • one power cable • CD containing the Fo r[...]

  • Страница 31

    Getting started Powering on FortiGate-400 Installation and Configuration Guide 31 Power requirements • Power dissipatio n: 180 W (max) • AC input volt age: 100 to 2 40 V AC • AC input current: 4 A • Frequency: 47 to 63 Hz Environmental specifications • Operating temperature: 32 to 10 4°F (0 to 40°C) • S torage temperature: -13 to 158?[...]

  • Страница 32

    32 Fortinet Inc. Connecting to the web-based manager Getting started Connecting to the web-based manager Use the followin g proced ure to con nect to the web-based manager for the first time. Configuration changes ma de with the web- based manager ar e effective imm ediately without the need to reset the firewall or inte rrupt serv ice. T o connect[...]

  • Страница 33

    Getting started Connecting to the command line in terface (CLI) FortiGate-400 Installation and Configuration Guide 33 Connecting to the command line interface (CLI) As an alternative to the web-based ma nager , you can install and configure the FortiGate unit using the CLI. Configuration changes mad e with the CLI are effective immediately with out[...]

  • Страница 34

    34 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started If you are planning on operating the FortiGa te unit in T ransparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in T ransparent mode. Once the network con figuration is comp[...]

  • Страница 35

    Getting started Factory default FortiGate configurati on settings FortiGate-400 Installation and Configuration Guide 35 Factory default Transparent mode network configuration If you switch the FortiGate unit to T ranspar ent mode, it has the default network configuration listed in Ta b l e 3 . Factory default firewall configuration The factory defa[...]

  • Страница 36

    36 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Factory default content profiles Y ou ca n use cont ent profiles to apply d ifferent protection settings for conten t traffic controlled by firewall policies. Y ou can use content profiles for: • Antivirus protection of HTTP , FTP , IMAP , POP3, and SMTP network t[...]

  • Страница 37

    Getting started Factory default FortiGate configurati on settings FortiGate-400 Installation and Configuration Guide 37 Strict content profile Use the strict content prof ile to apply maximum content protection to HTTP , FTP , IMAP , PO P3, and SMTP content traffic. Y ou would not use the strict content profile under normal circumst ances, but it i[...]

  • Страница 38

    38 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Web content profile Use the web content profile to apply antivir us scanning and Web content blo cking to HTTP content traffic. Y ou can add this cont ent profile to firewall policies that control HTTP traffic. Unfiltered content profile Use the unfiltered content p[...]

  • Страница 39

    Getting started Planning your Fort iGate configurati on FortiGate-400 Installation and Configuration Guide 39 Planning your FortiGate configuration Before beginning to configure th e FortiGate unit, you need to plan how to integrate the unit into your net work. Among ot her things, y ou have to decide whethe r or not the unit will be visible to the[...]

  • Страница 40

    40 Fortinet Inc. Planning your FortiGa te configuration Getting started Figure 4: Example NA T/Route mode networ k configura tion NAT/Route mode with multiple external network connections In NA T/Route mode, yo u can configure th e Fort iGate unit with multiple redundant connections to the external net work (usually the Int ernet). For ex ample, yo[...]

  • Страница 41

    Getting started Planning your Fort iGate configurati on FortiGate-400 Installation and Configuration Guide 41 Transparent mode In T ransparent mode, the Fo rtiGate unit is invisible to the network. Similar to a network bridge, all of FortiGate interfaces must be on the same subnet. Y ou only have to configure a mana gement IP address so tha t you c[...]

  • Страница 42

    42 Fortinet Inc. FortiGate model maximum valu es matrix Getting started CLI If you are configuring the FortiGate unit to operate in NA T/Route mode, you can add the administration p a ssword and all interface addresses. Using the CLI, you can also add DNS server IP add resses and a default route for the exter nal interfac e. If you are configuring [...]

  • Страница 43

    Getting started Next steps FortiGate-400 Installation and Configuration Guide 43 Next step s Now that your FortiGate unit is operating , y ou can proceed to configure it to connect to networks: • If you are goin g to operate the F ort iGate unit in NA T/Route mode, go to “NA T/Route mo de installation” on page 45 . • If you are going to op [...]

  • Страница 44

    44 Fortinet Inc. Next steps Getting started[...]

  • Страница 45

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 45 NA T/Route mode inst allation This chapter de scribes how to inst all your Fo rtiGate unit in NA T/Route mode. T o install your FortiGa te unit in T ransparent mode, see “T ransparent mode inst allation” on pag e 61 . T o [...]

  • Страница 46

    46 Fortinet Inc. Using the setu p wizard NAT/Route mode installati on Using the setup wizard From the web-based manager, you can use the setup wizar d to create the initial configuration of your FortiGate unit. T o connect to the web-based manager, see “Connecting to th e web-based manage r” on page 3 2 . Starting the setup wizard T o star t th[...]

  • Страница 47

    NAT/Route mode installati on Using the front control buttons an d LCD FortiGate-400 Installation and Configuration Guide 47 Using the front control buttons and LCD As an alternative to the setup wizard, use the information that you recorded in T able 10 on page 45 to complete the following pr ocedure. S tarting with Ma in Menu displayed on the LCD,[...]

  • Страница 48

    48 Fortinet Inc. Using the command line interface NAT/Route mode installa tion 3 Set the IP address and netmask of interf ace 2 to the external IP address and netmask that you recorded in T able 10 on p age 45 . set system interface port2 mode static ip <IP_address> <netmask> Example set system interface por t2 mode static ip 204.23.1.5[...]

  • Страница 49

    NAT/Route mode installati on Connecting the FortiGa te unit to your networks FortiGate-400 Installation and Configuration Guide 49 Connecting the FortiGate unit to your networks When you have com pleted the init ial configuratio n, you can conne ct the FortiGat e unit between yo ur internal network a nd the Inte rnet. The FortiGate-400 ha s four 10[...]

  • Страница 50

    50 Fortinet Inc. Configuring your network NAT/Route mode installati on Figure 7: FortiGate-400 NA T/Route mode connection s Configuring your network If you are running the FortiGate unit in NA T/Route mode , your networks must be configured to route all Internet traf fic to t he IP address of the FortiGate interface to which they are connected. Com[...]

  • Страница 51

    NAT/Route mode installation Completing the configura tion FortiGate-400 Installation and Configuration Guide 51 Configuring interface 4/HA Use the followin g proced ure to con figure interf ace 4/HA t o connect to a network : 1 Log into the web-base d manager. 2 Go to System > Network > Interface . 3 Choose port4/ha and select Modify . 4 Make[...]

  • Страница 52

    52 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Configuring virus and attack definition updates Y ou can go to System > Update to configur e the FortiGate unit to automatically check to see if new versions of the virus definitions an d attack definitions are available. If it finds new ver[...]

  • Страница 53

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 53 Figure 8: Example multiple Internet connection configuration Configuring Ping servers Use the following procedure to make Gateway 1 the ping server for po rt2 and Gateway 2 the ping server for port3. 1 Go t[...]

  • Страница 54

    54 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Using the CLI 1 Add a ping ser ver to port2. set system interface port2 config detectserver 1.1.1.1 gwdetect enable 2 Add a ping ser ver to port3. set system interface port3 config detectserver 2.2.2.1 gwdetect enable Destination based routing [...]

  • Страница 55

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 55 Load sharing Y ou can also configure destination routing to direct traf fic through both gateways at the same time. If users on yo ur internal network connect to the networks of ISP1 and ISP2, you can add r[...]

  • Страница 56

    56 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation 3 Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.1.1.1 • Gateway #2: 2.2.2.1 • Device #1: port2 • Device #2: port3 4 Select New to add a route [...]

  • Страница 57

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 57 Policy routing examples Policy routing can be added to increase the control you have over how packet s are routed. Policy routing works on top of d e stination-based routing . This means you should configur[...]

  • Страница 58

    58 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Firewall policy example Firewall policies control how traf fic flows th rough the FortiGa te unit. Once routing for multiple internet connections has be en conf igured you must create firewall policies to control which traffic is allo wed thro [...]

  • Страница 59

    NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 59 Adding more firewall policies In most cas es your fire wall configura tion includes more than just the de fault policy . However , the basic premise of crea ting redundant policie s applies even as the fir [...]

  • Страница 60

    60 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation[...]

  • Страница 61

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 61 T ransp arent mode inst allation This chapter describes how to install your FortiGate unit in Transp arent mo de. If you want to install the FortiGa te unit in NA T/Route mod e, see “NA T/Route m ode insta llation” on page[...]

  • Страница 62

    62 Fortinet Inc. Using the setu p wizard Transparen t mode instal lation Using the setup wizard From the web-based manager, you can use the setup wizar d to create the initial configuration of your FortiGate unit. T o connect to the web-based manager, see “Connecting to th e web-based manage r” on page 3 2 . Changing to Transparent mode The fir[...]

  • Страница 63

    Transparent mode installatio n Usin g the front control buttons an d LCD FortiGate-400 Installation and Configuration Guide 63 Using the front control buttons and LCD This procedure descr ibes how to use t he control buttons and LCD to configur e T ransparent mode IP addresses. Use the informa tion that you recorded in T able 14 on pag e 61 to comp[...]

  • Страница 64

    64 Fortinet Inc. Completing the configuration T ransparent mod e installation Configuring the Transparent mode management IP address 1 Log into the CLI if you are not alr eady logged in . 2 Set the management IP addr ess and netmask to the IP addr ess and netmask that you recorde d in T able 14 on p age 61 . Enter: set system management ip <IP a[...]

  • Страница 65

    Transparent mode installatio n Connecting the FortiGate un it to your networks FortiGate-400 Installation and Configuration Guide 65 Registering your FortiGate After pur chasing and inst alling a new For tiGat e unit, you can register the u nit by goin g to System > Update > Support, or using a web browser to connect to http://support.fortine[...]

  • Страница 66

    66 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 9: FortiGate-400 T ransparent mode connections T ransparent mode configuration examples A FortiGate unit operating in T ransparent mode still requir es a basic configuration to operate as a node on the IP networ k. As a minimum, the F ortiGate unit mus[...]

  • Страница 67

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 67 This section describes: • Default routes and st atic routes • Example default r oute to an extern al network • Example static route to an external destination • Example static r oute to an internal destination Defau[...]

  • Страница 68

    68 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 10: Default rout e to an external network General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the default route to the external ne[...]

  • Страница 69

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 69 Web-based manager exampl e configuration steps T o configure basic T ransparent mode settings and a default route using the web-based manager : 1 Go to System > St atus . • Select Change to T ransparen t Mode. • Sele[...]

  • Страница 70

    70 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 1 1: Static route to an external destination General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit. 3 Configure the st atic route to the FortiRes[...]

  • Страница 71

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 71 Web-based manager exampl e configuration steps T o configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > St atus . • Select Change to T ransparen t Mode. • Select T r[...]

  • Страница 72

    72 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Example static route to an internal destination Figure 12 shows a FortiGa te unit where the FDN is located on an external subnet and the management computer is located on a r emote, internal subnet. T o reach the FDN, you need to enter a single default rou te[...]

  • Страница 73

    Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 73 Web-based manager exampl e configuration steps T o configure the FortiGate basic settings, a static route, and a d efault route using the web-based manager : 1 Go to System > St atus . • Select Change to T ransparen t [...]

  • Страница 74

    74 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation[...]

  • Страница 75

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 75 High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). The FortiGate un its in the HA cluster enforce the same overall security policy and shar e the s[...]

  • Страница 76

    76 Fortinet Inc. Active-active HA High availabili ty During star tup the members of an HA clus ter negotiate to select the primar y unit. The primary unit allows other FortiGate unit s to join the HA cluster as subordinate units and assigns each subordin ate unit a priority . The primary FortiGate unit sends session mess ages to the subordinate uni[...]

  • Страница 77

    High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 77 During star tup the members of the HA cluster ne gotiate to select the primary unit. The primary unit allows other FortiGate unit s to join the HA cluster as subordinate units and assigns each subordin ate unit a priority . The FortiGate unit s in the HA cl[...]

  • Страница 78

    78 Fortinet Inc. HA in NAT/Route mode High availabili ty The 4/HA interface of each Fo rtiGate-400 unit must be co nf igured with a different IP address. The addre sses of the 4/HA interf aces must be on the same subnet and they must be configur ed for managemen t access. Repeat the following procedu re for each FortiGate unit in the HA cluster: 1 [...]

  • Страница 79

    High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 79 4 Select the HA mode. Select Active-Passive mode to create an Active-Passive HA cluster , in which one FortiGate unit in the HA cluster is actively processing all connections and the others are passively mo nitoring the status and re maining synchronized wi[...]

  • Страница 80

    80 Fortinet Inc. HA in NAT/Route mode High availabili ty 8 Under Monitor on Interface, select the na mes of the interfaces to be monitored. Monitor FortiGate interfaces to mak e sure th ey are functioning properly and that they are connected to their networks. If a monito red inter face fails or is discon nected from its network, the FortiGat e uni[...]

  • Страница 81

    High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 81 The network eq uipment to use an d the proced ure to follow are the sa me, whether you are configuring the FortiGa te units for ac tive-active HA or active-passive HA. T o connect the FortiGate units to yo ur network: 1 Connect port 1 of each FortiGate unit[...]

  • Страница 82

    82 Fortinet Inc. HA in Transparent mode High availabili ty Starting the HA cluster After all of the FortiGate unit s in the cluster are configur ed for HA and once the cluster is connected, use the following procedure to st art the HA cluster . 1 Power on all of the HA units in the cluster . As the units powe r on they negotiate to choose the prima[...]

  • Страница 83

    High availability HA in Transparent mo de FortiGate-400 Installation and Configuration Guide 83 5 Change the HA IP address and Netmask as required. 6 Optionally configure management access for other interfaces. 7 Select Apply . Now that you have configured the HA interfaces, procee d to “Configuring the HA cluster” . Configuring the HA cluster [...]

  • Страница 84

    84 Fortinet Inc. HA in Transparent mode High availabili ty 7 If you are config uring Active-Act ive HA, select a sche dule. The schedule controls load balancing am ong the FortiGate units in the active-active HA cluster . The schedule must be the same for all FortiGate unit s in the HA cluster . 8 Under Monitor on Interface, select the na mes of th[...]

  • Страница 85

    High availability HA in Transparent mo de FortiGate-400 Installation and Configuration Guide 85 Figure 15: Sample a ctive-passive HA configuration 10 Repeat this procedure to add each FortiGate unit in the HA cluster . When you ha ve configured all o f the FortiGate unit s, proceed to “Connecting the HA cluster to your network” . Connecting the[...]

  • Страница 86

    86 Fortinet Inc. Managing the HA cluster High availabili ty Starting the HA cluster After all of the FortiGate unit s in the cluster are configur ed for HA and once the cluster is connected, use the following procedure to st art the HA cluster . 1 Power on all of the HA units in the cluster . As the units powe r on they negotiate to choose the prim[...]

  • Страница 87

    High availability Managing the HA cluster FortiGate-400 Installation and Configuration Guide 87 Figure 16: Example cluster members lis t Monitoring cluster members T o monitor health information for each cluster member . 1 Connect to the cluster and lo g into the web-based manager. 2 Go to System > St atus > Monitor . CPU, Memory S tatus, and[...]

  • Страница 88

    88 Fortinet Inc. Managing the HA cluster High availabili ty 4 Select Virus & Intrusions. Virus and intr usions status is displayed fo r each clust er member . The primar y unit is identified as Local and the other unit s in the cluster are listed by serial number . The display includes bar gr aphs of the numb er viruses a nd intrusions detected[...]

  • Страница 89

    High availability Managing the HA cluster FortiGate-400 Installation and Configuration Guide 89 Managing individual cluster units Y ou can manage individual cluster units by connecting to each unit’s HA interface using either the web-base d manager or the CLI. T o do this, the HA interfaces of each unit have to be configured for HTTPS and SSH man[...]

  • Страница 90

    90 Fortinet Inc. Managing the HA cluster High availabili ty Use the following proc edure to make co nfiguration chan ges to the primar y FortiGate unit and then synchronize the co nfiguration of th e subordinate unit s. 1 Connect to the cluster and lo g into the web-based manager or CLI. 2 Make configuration changes as required. 3 Connect to the CL[...]

  • Страница 91

    High availability Advanced HA opti ons FortiGate-400 Installation and Configuration Guide 91 Advanced HA options The following advanced HA options are available fro m the FortiGate CLI: • Selecting a FortiGate unit to a perm anent primary unit • Configuring weighted-ro und-robin weight s Selecting a FortiGate unit to a permanent primary unit In[...]

  • Страница 92

    92 Fortinet Inc. Advanced HA options High availabili ty Configuring weighted-round-robin weights By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the clus ter . Once the cluster is configured to use the weighted round-ro bin schedule, you can use the set system ha weig ht comma[...]

  • Страница 93

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 93 System st atus Y ou can connect to the web-based manager and go to System > S tatus to view the current status of your FortiGate unit. The st atus information tha t is displayed includes the current firmware version, the cu[...]

  • Страница 94

    94 Fortinet Inc. Changing the FortiGat e host name System status Changing the FortiGate host name The FortiGate host name ap pears on the System > S tatus p age and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see “Configuring SNMP” on p a ge 162 ). The default h ost name is FortiGate-40 0. T o change the [...]

  • Страница 95

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 95 Upgrade to a new firmware version Use the following procedure s to upgrade your FortiGate to a newer firm ware version. Upgrading the firmware usi ng the web-based manager 1 Copy the firmware image file to your manage ment computer . 2 Login to the [...]

  • Страница 96

    96 Fortinet Inc. Changing the FortiGate fi rmware System status 5 Enter the following command to copy the fir mware image from the TFTP server to the FortiGate: execute restore image <name_str> <tftp_ip> Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP ser[...]

  • Страница 97

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 97 1 Copy the firmware image file to your manage ment computer . 2 Login to the FortiGate web- based manage r as the admin administra tive user . 3 Go to System > St atus . 4 Select Firmware Upgrade . 5 Enter the path and filename of the previous fi[...]

  • Страница 98

    98 Fortinet Inc. Changing the FortiGate fi rmware System status T o use the followin g procedure you must have a TFTP server that you can connect to from the FortiGate unit. 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFT P server . 3 Login to th e FortiGate CLI as th e admin administ[...]

  • Страница 99

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 99 12 T o confirm that the antivirus and att ack definitions have been updated, enter the following command to display the an tivirus engi ne, virus and attack definitions version, contract ex piry , and last update attempt information. get system objv[...]

  • Страница 100

    100 Fortinet Inc. Changing the FortiGate fi rmware System status 6 Enter the following co mmand to restart the FortiGate unit: execute reboot As the FortiGate units st arts, a series of system st artup messages are displayed. When one of the following messages appears: • FortiGate unit running v2.x BIOS Press Any Key To Download Boot Image. ... ?[...]

  • Страница 101

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 101 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following appear . • FortiGate unit running v2.x BIOS Do You Want To Save The Image? [Y/n[...]

  • Страница 102

    102 Fortinet Inc. Changing the FortiGate fi rmware System status T o test a new firmware image: 1 Connect to the CLI using a null modem cable and FortiGate con sole port. 2 Make sure the TFTP se rver is running. 3 Copy the new firmware image file to the root directory of the TFT P server . 4 Make sure that port1 is connected to the same network as [...]

  • Страница 103

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 103 The following m essage appears: Enter File Name [image.out]: 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following appear . • FortiGa[...]

  • Страница 104

    104 Fortinet Inc. Changing the FortiGate fi rmware System status 4 T o confirm that the FortiGate unit can co nnect to the TFTP se rver , use the following command to ping the computer running the TFTP serve r . For example, if the TFTP server ’s IP addr ess is 192.168.1.168: execute ping 192.168.1.168 5 Enter the following co mmand to restart th[...]

  • Страница 105

    System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 105 Switching to the ba ckup firmware image Use this procedure to switch yo ur FortiG ate unit to operatin g with a backup firmware image that you have p revious installed. W h en you switch the FortiGate unit to the backup firm ware image , the FortiG[...]

  • Страница 106

    106 Fortinet Inc. Manual virus definition updates System status Switching back to the default firmware image Use this proced ure to switch your F ortiGate unit to o perating with the b ackup firmwar e image that had been running as the default fi rmware image. When you switch to this backup firmware image, the configuration sa ved with this firm wa[...]

  • Страница 107

    System status Manual attack definition updates FortiGate-400 Installation and Configuration Guide 107 5 Select OK to copy the antivirus defini tions update file to the FortiGate unit. The FortiGate u nit updates the antiviru s definitions. This t akes about 1 mi nute. 6 Go to System > St atus to confirm that the Antivirus Definitions V ersion in[...]

  • Страница 108

    108 Fortinet Inc. Backing up system settings System status Backing up system settings Y ou can back up system settings by down loading them to a text file on the management compu ter: 1 Go to System > St atus . 2 Select System Settings Backup. 3 Select Backup Sy stem Setting s. 4 T ype a name and location for the file. The system settings file i[...]

  • Страница 109

    System status Changing to T ransparent mode FortiGate-400 Installation and Configuration Guide 109 Changing to T ransp arent mode Use the followin g proced ure to switch the FortiG ate unit fro m NA T/Route mode to T ransparent mode. When the FortiGate u nit has changed to T ransparent mode it s configuration reset s to T ransparent mode factory de[...]

  • Страница 110

    11 0 Fortinet Inc. Shutting down the FortiGate unit System status Shutting down the FortiGate unit 1 Go to System > S tatus . 2 Select Shutdown. The FortiGate unit shut s down and all traf fic flow stops. The FortiGate unit can only be rest arted af te r shutdown by turning t he power off, then on. System st atus Y ou can use the system status m[...]

  • Страница 111

    System status System status FortiGate-400 Installation and Configuration Guide 111 Figure 1: CPU and memo ry st atus monitor CPU and memory inte nsive processes such a s encrypting and de crypting IPSec VPN traffic, virus scanning, and processing hig h levels of network traffic cont aining small packet s will increase CPU and memory usage. 1 Go to [...]

  • Страница 112

    11 2 Fortinet Inc. System status System status Network utilization displays the total netwo rk bandwidth being used through all FortiGate interf aces. N etwork utilization also di splays netw ork utilization as a percentag e of the maximum network band wid th that can be proce ssed by the FortiGate u nit. 1 Go to System > St atus > Monitor . [...]

  • Страница 113

    System status Session list FortiGate-400 Installation and Configuration Guide 11 3 Figure 3: Sessions and ne twork st atus monitor 3 Set the automatic refresh interva l and select Go to control how of ten the web-based manager updates the display . More frequent updates use system resources and increase network traf fic. However , this only occurs [...]

  • Страница 114

    11 4 Fortinet Inc. Session list System status Figure 4: Example session list To I P The destination IP a ddress of the connection . To P o r t The destination port of the connection. Expire The time, in seconds, before the connection expires. Clear S top an active communication session.[...]

  • Страница 115

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 11 5 V irus and att ack definitions up dates and registration Y ou can configure the FortiGate unit to c onnect to the FortiResponse Distribution Network (FDN) to update the antivirus and att ack definitions and antivirus engi ne[...]

  • Страница 116

    11 6 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration The System > Update p age web-based manage r displa ys the following antivirus and attack defin ition update information: This section describes: • Connecting to the FortiResponse Distribution Network • Configuring scheduled u[...]

  • Страница 117

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 11 7 T o make sure the FortiGate unit ca n connect to the FDN: 1 Go to System > Config > Time and make su re the time zone is set to the correct time zone for your area. 2 Go to System > Up da[...]

  • Страница 118

    11 8 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration 4 Select Apply . The FortiGate unit star ts the next sche dule d update according to the new update schedule. Whenever a scheduled u pdate is run, the ev ent is record ed in the FortiGate event log. Figure 1: Configurin g automatic a[...]

  • Страница 119

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 11 9 Adding an override server If you cannot connect to the F DN or if your organization provides antivirus and att ack updates usin g their own FortiResponse server , you can use the following p roced[...]

  • Страница 120

    120 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration To enable push updates 1 Go to System > Up date . 2 Select Allow Push Update. 3 Select Apply . About push updates When you config ure a FortiGat e unit to a llow push updates, the FortiGate unit sends a SETUP message to the F DN. T[...]

  • Страница 121

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 121 Figure 2: Example network topology: Push updates through a NA T device General procedure Use the following steps to config ure the Fo rtiGate NA T device and the FortiGate unit on the Internal netw[...]

  • Страница 122

    122 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration Adding a port forwarding virtual IP to the FortiGate NA T device Use the follo wing proced ure to con figure a FortiGate NA T device to use port forwarding to forward push update connection s from the FDN to a FortiGate unit on the in[...]

  • Страница 123

    Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 123 Figure 3: Push update port forwarding virtual IP Adding a firewall policy for the port forwarding virtual IP T o configure the FortiGate NA T device: 1 Add a new external to internal firewall polic[...]

  • Страница 124

    124 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration 5 Set Port to the External Servic e Port added to the virtual IP . For the example top ology , enter 45001. 6 Select Apply . The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP addre[...]

  • Страница 125

    Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-400 Installation and Configuration Guide 125 There are no special tun neling requirement s if you have configured an override server address to connect to the FDN. Push updates are not supported if the FortiG ate must connect to the Internet through a prox[...]

  • Страница 126

    126 Fortinet Inc. Registering Forti Gate units Virus and attack defi nitions updates and registra tion T o activate the For tiCare Support Contract, you must regi ster the FortiGate unit and add the FortiCare Support Contr act number to the registration information. Y ou can also register th e FortiGate unit without pu rchasing a FortiCare Supp ort[...]

  • Страница 127

    Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-400 Installation and Configuration Guide 127 Figure 5: Registering a FortiGate unit (c ontact information and security question) 3 Provide a security question and an answe r to the security question. 4 Select the model number of the Product Model to regist[...]

  • Страница 128

    128 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on Up dating registration information Y ou can use your Fortinet support user nam e and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support infor mation. This section describes: • Recovering [...]

  • Страница 129

    Virus and attack definitions updates and registration Updating registration informati on FortiGate-400 Installation and Configuration Guide 129 Figure 7: Sample list of registered FortiGa te unit s Registering a new FortiGate unit 1 Go to System > Up date > Support and select Suppor t Login. 2 Enter your Fort inet support use r name and passw[...]

  • Страница 130

    130 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on 7 Select Finish. The list of FortiGate product s that you have registered is displayed. Th e list now includes the new suppor t contract information. Changing your Forti net support password 1 Go to System > Up date > Support and select[...]

  • Страница 131

    Virus and attack definitions upda tes and registra tion Registering a Fort iGate unit after an RMA FortiGate-400 Installation and Configuration Guide 131 Figure 8: Downloading virus and attack definition updates For information about how to in stall the downloaded files, see “Manual virus definition updates” on p age 106 and “Manual attack de[...]

  • Страница 132

    132 Fortinet Inc. Registering a FortiGate unit after an RMA Vi rus and attack defi nitions updates and registra tion[...]

  • Страница 133

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 133 Network configuration Go to System > Network to make any of the following changes to the FortiGate network set tings: • Configuring zones • Configuring interfaces • Configuring VLANs • Configuring routing • Provi[...]

  • Страница 134

    134 Fortinet Inc. Configuring zones Network configuration 3 T ype a Name for the zone. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed. 4 Optionally select Block intra-zone tr affic to bl ock traffic b etween interfaces in th[...]

  • Страница 135

    Network configuration Configuring interfaces FortiGate-400 Installation and Configuration Guide 135 Deleting zones Y ou must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. Y ou can only dele te zones that have the Delete icon beside them in the zone list. 1 Go to System > Network > Zone . 2 Select Del[...]

  • Страница 136

    136 Fortinet Inc. Configuring interfac es Network configuration Changing an interface static IP address Use the follo wing proced ure to cha nge the static IP address o f any FortiG ate interface: 1 Go to System > Network > Interface . 2 Select Modify for t h e interface to change . 3 Change the IP address and Netmask as requ ired. The IP add[...]

  • Страница 137

    Network configuration Configuring interfaces FortiGate-400 Installation and Configuration Guide 137 Controlling management access to an interface 1 Go to System > Network > Interface . 2 Select Modify for the interface for which to co nfigure management access. 3 Select the management Access methods for the interface. Configuring management a[...]

  • Страница 138

    138 Fortinet Inc. Configuring interfac es Network configuration 4 Set the MTU size. Set the maximum p acket size in the range of 68 to 1500 bytes. Th e default MTU size is 1500. Experiment by lo wering the MTU to find an MTU size for best network performance. Configuring port4/ha Y ou can use port4/ha as a firewall in terface or for communication b[...]

  • Страница 139

    Network configuration Configuring VLANs FortiGate-400 Installation and Configuration Guide 139 3 Add a default gateway IP a ddress if th e Fo rtiGate unit must connect to a default gateway to reac h the managem ent compute r . 4 Select the management Access methods for each interf ace. 5 Select Apply to sa ve your changes. Configuring VLANs Using V[...]

  • Страница 140

    140 Fortinet Inc. Configuring VLAN s Network configuration Figure 9: T ypical VLAN n etwork configuration In a typical VLAN config uration, a number of ph ysical networks could be connected to a single IEEE 802.1Q-compliant router . The router is configured to add VLAN IDs to the packet s that it receives from each netw ork and then route the p ack[...]

  • Страница 141

    Network configuration Configuring VLANs FortiGate-400 Installation and Configuration Guide 141 Adding VLAN subinterfaces The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router . The VLAN ID can be any number between 1 and 409 6. Each VLAN subinterface must also be configured with it s own IP address a[...]

  • Страница 142

    142 Fortinet Inc. Configuring VLAN s Network configuration 6 Enter the IP address and Netmask for the VLAN su binterface. 7 Optionally select a zone to add the VLAN subinterface to a zone. 8 Select the management Access for the VLAN subinterface to control how administr ators on the network that connects to this subi nterface can connect to and man[...]

  • Страница 143

    Network configuration Configuring routi ng FortiGate-400 Installation and Configuration Guide 143 Configuring routing This section describes ho w to configure Fo rtiGate routing. Y ou can configure routing to add stat ic routes from the FortiGate unit to local routers. Usin g policy routing you can increase the flexibility of FortiGate routing to s[...]

  • Страница 144

    144 Fortinet Inc. Configuring routing Network configuration T o support routing failo ver , the IP address of each gateway must be added to the ping server of t he interfa ce connec ted to the same netw ork as th e gateway . See “Adding a ping server to an interface” on page 136 . Adding destination -based routes to the routing t able 1 Go to S[...]

  • Страница 145

    Network configuration Configuring routi ng FortiGate-400 Installation and Configuration Guide 145 Adding routes in Transparent mode Use the follo wing proced ure to add routes when operating the FortiGate unit in T ransparent mode. 1 Go to System > Network > Routing . 2 Select New to add a new route. 3 Enter the Destination IP address and Net[...]

  • Страница 146

    146 Fortinet Inc. Configuring routing Network configuration Figure 1 1: Routing t able Policy routing Policy routing extend s the functions of de stination rout ing. Using policy rout ing you can route traffic base d not only the destination address but also on: • Source address • Protocol, service type, or port range • Incoming or sour ce in[...]

  • Страница 147

    Network configuration Providing DHCP services to your internal network FortiGate-400 Installation and Configuration Guide 147 Providing DHCP services to your internal network If the FortiGate unit is operating in NA T/Route mode, you can use the CLI command set system dhcpserver to configure the For tiGate unit to be th e DHCP server for your inter[...]

  • Страница 148

    148 Fortinet Inc. Providing DHCP services to your inte rnal network Network configuration[...]

  • Страница 149

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 149 RIP configuration The FortiGate implement ation of the Routing Information Protocol (RIP) support s both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP me[...]

  • Страница 150

    150 Fortinet Inc. RIP settings RIP configuration This chapter describes how to configur e FortiGate RIP: • RIP settings • Configuring RIP for FortiGate interfaces • Adding RIP neighbors • Adding RIP filters RIP settings Configure RIP settings to enable basic RIP functio nality and metrics and to configure RIP timers. 1 Go to System > RIP[...]

  • Страница 151

    RIP configuration RIP settings FortiGate-400 Installation and Configuration Guide 151 7 Select Apply to sa ve your changes. Figure 1: Configuring RIP settings Up date The time interval in seconds between sendi ng routing table updates. The default is 30 seconds. Invalid The time interval in seconds after which a route is declared invalid. Invalid s[...]

  • Страница 152

    152 Fortinet Inc. Configuring RIP for Forti Gate interfaces RIP configuration Configuring RIP for FortiGate interfaces Y ou can create a unique RIP configuratio n for each FortiGate interface and VLA N subinterface. T his allows you to customize RIP for the network to which each interface or each VLA N subint erface is con nected. For examp le: •[...]

  • Страница 153

    RIP configuration Adding RIP neighbors FortiGate-400 Installation and Configuration Guide 153 4 Select OK to save the R IP config uration for the selected interface. Figure 2: Example RIP configuration for an internal interface Adding RIP neighbors Add RIP neighbors to de fine a neighbori ng router with which to exchange routing information. Add ne[...]

  • Страница 154

    154 Fortinet Inc. Adding RIP filters RIP configuration 3 Add the IP address of a neighbor router that you want the F ortiGate unit to exch ange routing information with. 4 Select Enable Se nd RIP1 to se nd RIP1 messa ges to the neighbor . 5 Select Enable Se nd RIP2 to se nd RIP2 messa ges to the neighbor . 6 Select OK to add the RIP neighbor to the[...]

  • Страница 155

    RIP configuration Adding RIP filters FortiGate-400 Installation and Configuration Guide 155 4 Select OK to save the RIP f ilter . Adding a RIP filter list Add a RIP filter list to filter multiple routes. A RIP filter list consist s of a RIP filter name and a series of route prefixes. Y ou can add a total of four RIP filte rs or RIP Filter lists. Wh[...]

  • Страница 156

    156 Fortinet Inc. Adding RIP filters RIP configuration Adding a neighbors filter Y ou can select a single RIP filter or a RI P filter list to be the neighbors filter . 1 Go to System > RIP > Filter . 2 Add RIP filters and RIP f ilter list s as required. 3 For Neighbors Filter , select the name of the RI P filter or RIP filter list to become t[...]

  • Страница 157

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 157 System configuration Go to System > Config to make any of the following changes to the FortiGat e system configuration: • Setting system date and time • Changing web-based man ager options • Adding and editing admini[...]

  • Страница 158

    158 Fortinet Inc. Changing web-based manager options System configuration 8 S pecify how often the FortiGate unit should synchronize its time with the NTP server . A typical Syn Interval would be 1440 minute s for the FortiGate unit to synchronize it s time once a day . 9 Select Apply . Figure 1: Example date and time setting Changing web-base d ma[...]

  • Страница 159

    System configuration Chang ing web-base d manager options FortiGate-400 Installation and Configuration Guide 159 T o set the Auth timeou t 1 For Auth T imeout, type a number in minutes. 2 Select Apply . Auth T imeout controls the amount of inacti ve time that the fi rewall waits before requiring users to authen ticate again. For more informatio n, [...]

  • Страница 160

    160 Fortinet Inc. Adding and editing administrato r accounts System configuration Adding and editing administrator account s When the FortiGate unit is initia lly installed, it is configur ed with a single administr ator account with the user name admin. From this administrator accou nt, you can add and edit administra tor accoun ts. Y ou can also [...]

  • Страница 161

    System configuration Adding and editing administrator accounts FortiGate-400 Installation and Configuration Guide 161 Editing administrator accounts The admin account user can change indi vidual administrator account p asswords, configure the IP addresses from which administrato rs can access the web-based manager, and change the admin istrator per[...]

  • Страница 162

    162 Fortinet Inc. Configuring SNMP System configuration Configuring SNMP Configure the FortiGate SNMP agent to report system information and se nd traps to SNMP managers. The FortiGate SNMP agent supp orts SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665. The FortiGate SNMP impleme ntation is read-only . SNMP v1 and v2c compliant SNMP ma[...]

  • Страница 163

    System configuration Configuring SNMP FortiGate-400 Installation and Configuration Guide 163 4 Select Apply . Figure 2: Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent suppo rts FortiGat e propriet ary MIBs as well as standa rd RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Ta b l e 1 . Y ou can obtain th ese MIB fil[...]

  • Страница 164

    164 Fortinet Inc. Customizing replacement messages System configuration FortiGate traps The FortiGa te agent ca n send t raps to up to thre e SNMP tr ap receiver s on your network that are configur ed to receive tr ap s from the FortiGate unit. For these SNMP managers to receive trap s, you must load and compile th e Fortinet trap MIB onto the SNMP[...]

  • Страница 165

    System configuration Custom izing replacement messages FortiGate-400 Installation and Configuration Guide 165 This section describes: • Customizing replacement messages • Customizing alert emails Figure 3: Sample replacement m essage Customizing replacement messages Each of the replacement messages in the replace ment message list is created by[...]

  • Страница 166

    166 Fortinet Inc. Customizing replacement messages System configuration Customizing alert emails Customize alert emails to control the content disp layed in alert email messages sent to system administrators. 1 Go to System > Config > Replacement Mes sages . 2 For the alert email message you want to customize, select Modify . 3 In the Message[...]

  • Страница 167

    System configuration Custom izing replacement messages FortiGate-400 Installation and Configuration Guide 167 %%EMAIL_FROM%% The email address of the sender of the message in which the virus was found. %%EMAIL_TO%% The email address of the intended receiver of the message in which the virus was found. Block alert Used for file block alert email mes[...]

  • Страница 168

    168 Fortinet Inc. Customizing replacement messages System configuration[...]

  • Страница 169

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 169 Firewall configuration Firewall policies control all traf fic passing th rough the FortiGate unit. Firewall policies are instructions used by the Fort iGate un it to decide what to do with a connection request. When the firew[...]

  • Страница 170

    170 Fortinet Inc. Default firewall configuration Firewall configuration Default firewall configuration By default, t he users on the netw ork connec ted to por t1 can co nnect throu gh the FortiGate unit to the network connected to po rt2. The firewall blocks all other connections. The firewall is configured with a default policy that matches any c[...]

  • Страница 171

    Firewall confi guration Default firewall configurati on FortiGate-400 Installation and Configuration Guide 171 Zones Y ou can add zones to the FortiGate configuration to group together related interfaces and VLAN subinterfaces to simplify firewa ll policy creation. For more information about zones, see “Configurin g zones” on page 133 . T o add[...]

  • Страница 172

    172 Fortinet Inc. Adding firewall policies Firewall configuration Services Policies can also control connections based o n the service or destination port num ber of packet s. The defaul t policy accepts co nnec tions to using an y service or destination port number . The firewall is conf igured with over 40 pred efined services. Y ou can add these[...]

  • Страница 173

    Firewall confi guration Adding firewall policies FortiGate-400 Installation and Configuration Guide 173 Figure 5: Adding a NA T/Route po licy Firewall policy options This section describes the o ptions th at you can add to fir ewall policies. Source Select an address o r address group that matches the source address of the p acket. Before you can a[...]

  • Страница 174

    174 Fortinet Inc. Adding firewall policies Firewall configuration For NA T/Route mode po licies where the addre ss on the destination network is hidden from the source network using NA T , the destina tion can also be a virtual IP that maps the destinatio n address of the packet to a hidde n destination ad dress. See “Virtual IPs” on pag e 188 [...]

  • Страница 175

    Firewall confi guration Adding firewall policies FortiGate-400 Installation and Configuration Guide 175 Traffic Shaping T raffic Shaping controls the bandwidth ava ilabl e to and sets the priority of the traf fic processed by the po licy . T raffic Shap ing makes it possible to control w hich policies have the highest priority when large amount s o[...]

  • Страница 176

    176 Fortinet Inc. Adding firewall policies Firewall configuration In most cases you should make su re that users can use DNS through th e firewall without auth entication. If DNS is not availa bl e users cannot connect to a web, FTP , or T elnet server u sing a domain name. Anti-Virus & Web filter Enable antivirus protection and web filter cont[...]

  • Страница 177

    Firewall confi guration Configuring poli cy lists FortiGate-400 Installation and Configuration Guide 177 Log Traffic Select Log Traf fic to write me ssages to the t raffic log whenever th e policy proces ses a connection. For more informatio n about logging, see “Logging and reporting” on page 281 . Comments Optionally add a description or othe[...]

  • Страница 178

    178 Fortinet Inc. Configuring policy lists Firewall co nfiguration A policy that is an exception to the defa ul t policy , for example, a policy to block FTP connections, must be placed above the default policy in the port1 -> port2 policy list. In this example, all FTP connection atte mpts from the internal network would then match the FTP poli[...]

  • Страница 179

    Firewall confi guration Addresses FortiGate-400 Installation and Configuration Guide 179 Addresses All policies require source and de stination addresses. T o add addresses to a policy , you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces o f the policy . Y ou can add, edit, and delete all firewall a dd[...]

  • Страница 180

    180 Fortinet Inc. Addresses Firewall configurati on 6 Enter the NetMask. The netmask should cor respond to the type of address that you are addin g. For example: • The netmask for the IP address of a si ngle computer should be 255.255.255.255 . • The netmask for a class A subnet shou ld be 255.0.0.0. • The netmask for a class B subnet sh ould[...]

  • Страница 181

    Firewall confi guration Addresses FortiGate-400 Installation and Configuration Guide 181 3 Choose an address to delete and select Delete . 4 Select OK to delete the addre ss. Organizing addresses in to address groups Y ou can organize related addresses into address gr oups to make it easier to add policies. For e xample, if you add th ree a ddresse[...]

  • Страница 182

    182 Fortinet Inc. Services Firewall configuration Services Use services to control the types of communication accep ted or denied by the fire wall. Y ou can add any of the predefined se rvices to a policy . Y ou can also create your own custom services and add services to service group s. This section describes: • Predefined se rvices • Providi[...]

  • Страница 183

    Firewall confi guration Services FortiGate-400 Installation and Configuration Guide 183 H323 H.32 3 multimedia protocol. H.323 is a standard approved by the Internatio nal T elecommunicati on Union (ITU) that defines how audiovisual conferenci ng data is transmitted across networks. tcp 1720, 1503 HTTP HTTP is the protocol used by the word wide web[...]

  • Страница 184

    184 Fortinet Inc. Services Firewall configuration Providing access to custom services Add a custom service if you need to create a policy fo r a service that is not in the predefined service list. 1 Go to Firewall > Service > Custo m . 2 Select New . 3 Enter a Name for the service. This name appears in the service list used when you add a pol[...]

  • Страница 185

    Firewall confi guration Services FortiGate-400 Installation and Configuration Guide 185 5 S pecify a Source and Destination Port number r ange for the service by enteri ng the low and high port numbers. If th e service uses one port number , enter this number in both the low and high fields. 6 If the service has more than one port range, sele ct Ad[...]

  • Страница 186

    186 Fortinet Inc. Schedules Firewall configura tion Schedules Use scheduling to control when policies ar e active or inactive. Y ou can create one-time schedu les and recurring schedules. Y ou can use one-time sched ules to create policies that are ef fect ive once fo r the perio d of time sp ecified in th e schedule. Recurring schedules repea t we[...]

  • Страница 187

    Firewall confi guration Schedules FortiGate-400 Installation and Configuration Guide 187 Creating recurring schedules Y ou can create a recurring schedule tha t acti vates or deactivates policies at specified times of the day or on specified days of t he week. For example, you might want to prevent In ternet us e outside of work ing hours b y creat[...]

  • Страница 188

    188 Fortinet Inc. Virtual IPs Firewall configuration Adding a schedule to a policy After you have created schedules, you can add them to policies to schedule when the policies are active . Y ou can add th e new schedules to policie s when you create the policy , or you can ed it existing policies and add a new schedule to them. 1 Go to Firewa ll &g[...]

  • Страница 189

    Firewall confi guration Vi rtual IPs FortiGate-400 Installation and Configuration Guide 189 This section describes: • Adding static NA T virtual IPs • Adding port fo rwarding vir tual IPs • Adding policies with virtual IPs Adding static NAT virtual IPs 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 Enter a Name for th[...]

  • Страница 190

    190 Fortinet Inc. Virtual IPs Firewall configuration 8 Select OK to save the v irtual IP . Y ou can now add the virtual IP to firewall policies. Adding port forwar ding virtual IPs 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 Enter a Name for the virtual IP . The name can cont ain numbers (0-9), u ppercase and lowercase l[...]

  • Страница 191

    Firewall confi guration Vi rtual IPs FortiGate-400 Installation and Configuration Guide 191 Figure 13: Adding a port forwarding virtu al IP Adding policies wi th virtual IPs Use the followin g proced ure to add a policy that uses a virt ual IP to fo rward packets. 1 Go to Firewall > Polic y . 2 Select the type of policy to add. • The sourc e i[...]

  • Страница 192

    192 Fortinet Inc. IP pools Firewall configura tion 4 Select OK to save the policy . IP pools An IP pool (also called a dynamic IP pool) is a range of IP ad dresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destinati on set to this interface. Y ou can add a[...]

  • Страница 193

    Firewall confi guration IP/MAC binding FortiGate-400 Installation and Configuration Guide 193 Figure 14: Adding an IP Pool IP Pools for firewall pol icies that use fixed ports Some network configurations will not operate correctly if a NA T policy translates the source port of packet s used by the connec tion. NA T translates source ports to keep t[...]

  • Страница 194

    194 Fortinet Inc. IP/MAC binding Firewall configuration Y ou can enter the static IP addresses an d corresponding MAC addresses of trusted computers in the S tatic IP/MAC table. IP/MAC binding can be enab led for packet s connecting to the fir ewall or passing through the firewall. This section describes: • Configuring IP/ MAC bindin g for packet[...]

  • Страница 195

    Firewall confi guration IP/MAC binding FortiGate-400 Installation and Configuration Guide 195 Configuring IP/MAC binding for packets going to the firewall Use the followin g procedur e to use IP/ MAC binding to filter packet s that would normally connect with the firewall (fo r exampl e, when an administrator is con necting to the FortiGate unit fo[...]

  • Страница 196

    196 Fortinet Inc. IP/MAC binding Firewall configuration Viewing the dyna mic IP/MAC list 1 Go to Firewall > IP/M AC Binding > Dynami c IP/MAC . Enabling IP/MAC binding 1 Go to Firewall > IP/M AC Binding > Setting . 2 Select Enable IP/MAC binding going throug h the firewall to turn on IP/MAC binding for packet s that could be matched by [...]

  • Страница 197

    Firewall confi guration Content profiles FortiGate-400 Installation and Configuration Guide 197 Content profiles Use content profiles to app ly diff erent prot ection settings for content traf fic controlled by firewall policies. Y ou can use content profiles to: • Configure antivirus protection for HT TP , FTP , POP3, SMTP , and IMAP policies ?[...]

  • Страница 198

    198 Fortinet Inc. Content profiles Firewall configuration 3 T ype a Profile Name. 4 Enable antivirus protection options. 5 Enable Web filtering options. 6 Enable Email filter protection options. 7 Enable fragmented email and oversized file and email options. 8 Select OK. Anti Virus Scan Scan web, FTP , and email traffic for viruses and worms. See ?[...]

  • Страница 199

    Firewall confi guration Content profiles FortiGate-400 Installation and Configuration Guide 199 Figure 16: Example con tent profile Adding a content pr ofile to a policy Y ou can add content profiles to policies with actio n set to allow or encryp t and with Service set to ANY , HTTP , FTP , IMAP , POP3, SMTP , or a service group th at includes the[...]

  • Страница 200

    200 Fortinet Inc. Content profiles Firewall configuration[...]

  • Страница 201

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 201 Users and authentication FortiGate unit s support user authenticati on to the FortiG ate user database, to a RADIUS serve r , and to an LDAP ser ver . Y ou can add us er names t o the Fort iGate user dat abase and then add a [...]

  • Страница 202

    202 Fortinet Inc. Setting authentication timeout Users and authenticati on This chapter describes : • Setting authentication timeout • Adding user names and co nfiguring authentication • Configuring RADIUS support • Configuring LDAP support • Configuring user group s Setting authentication timeout T o set authenti cation timeout: 1 Go to [...]

  • Страница 203

    Users and authentication Adding user names and con figuring authentica tion FortiGate-400 Installation and Configuration Guide 203 5 Select T ry other servers if conn ect to selected server fa ils if you have selected Radius and you want the FortiGate unit to try to conn ect to other RADIUS servers added to the FortiGate RADI US configura tion. 6 S[...]

  • Страница 204

    204 Fortinet Inc. Configuring RADIUS supp ort Users and authentication Configuring RADIUS support If you have configur ed RADIUS support and a user is required to authenticate using a RADIUS server , the FortiGate unit cont ac ts the RADIUS server for authentication. This section describes: • Adding RADIUS servers • Deleting RADIUS servers Addi[...]

  • Страница 205

    Users and authentication Configuring LDAP suppo rt FortiGate-400 Installation and Configuration Guide 205 Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server , the FortiGate unit contact s the LDAP server for authentication. T o authentication with the FortiGate un it, the user en[...]

  • Страница 206

    206 Fortinet Inc. Configuri ng LDAP support Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server . Enter the base distinguishe d name for the server using the correct X.500 or LDAP format. The FortiGate u nit passes this distinguished name unchanged to the server . For example, you could use the followi[...]

  • Страница 207

    Users and authentication Configuring user groups FortiGate-400 Installation and Configuration Guide 207 Configuring user group s T o enable authentication, yo u mu st add user names, RADIUS servers and LDAP servers to one or more user gr oups. Y ou can then select a user group wh en you require authenticati on. Y ou can select a user group to confi[...]

  • Страница 208

    208 Fortinet Inc. Configuring user g roups Users and authentication Figure 20: Adding a user group 3 Enter a Group Name to identify th e user group. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed. 4 T o add users to the user[...]

  • Страница 209

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 209 IPSec VPN A Virtua l Private Network (VPN) is an extension of a private network that encompasses links across sh ared or public networks such as the Intern et. For example, a compan y that has two offices in di fferen t citie[...]

  • Страница 210

    210 Fortinet Inc. Key management IPSec VPN Key management There are three basic elem ents in any en cryption system: • an algorithm which changes informa tion into code, • a cryptographic key which serves as a secret starting point for the algor ithm, • a management system to control the ke y . IPSec provides two ways to handle key exchange a[...]

  • Страница 211

    IPSec VPN Manual key IPSec VPNs FortiGate-400 Installation and Configuration Guide 21 1 Manual key IPSec VPNs When manu al keys are employed , compleme ntary security parameter s must be entered at both ends of the tunnel. In ad dition to encryption and authen tication algorithms and keys, the security parameter index (SPI) is required. The SPI is [...]

  • Страница 212

    212 Fortinet Inc. Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexade cimal number of up to eight digit s (digits can be 0 to 9, a to f) in the rang e bb8 to FFFFFFF . This number must be added to the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway . This is the external IP[...]

  • Страница 213

    IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 213 AutoIKE IPSec VPNs Fortunate support s two methods of Automa tic Internet Key Exch ange (AutoIKE) fo r the purpose of establish ing IPSec VPN tu nnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. • General configuration step s for an AutoIK[...]

  • Страница 214

    214 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 3 Enter a Gateway Name for the remote VPN peer . The remote VPN pee r can be either a gatewa y to another netw ork or an individual client on the In ternet. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters a[...]

  • Страница 215

    IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 215 10 Optionally , enter th e Local ID of th e FortiGat e unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer . (If you do not add a local ID, the FortiGate unit will transm it[...]

  • Страница 216

    216 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Optionally , configure NA T T raversal. 5 Optionally , configur e Dead Peer Detection . Use these settings to monitor the st atus of the connec tion between VPN peer s. DPD allows dead connections to be cleane d up and new VPN tunnels est ablished. DPD is not suppor ted by all ve ndors. 6 Select OK t[...]

  • Страница 217

    IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 217 Figure 21: Adding a phase 1 config uration Adding a phase 2 configurat ion for an AutoIKE VPN Add a phas e 2 configu ration to spec ify the paramete rs used to c reate and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer [...]

  • Страница 218

    218 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Select a Remote Gateway to as sociate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individu al client on the Internet. Remote gateways are added as pa rt of the phase 1 configuration. For details, see “Adding a phase 1 configura tion for an AutoIKE VP N” [...]

  • Страница 219

    IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 219 Figure 22: Adding a phase 2 config uration Managing digit al certificates Digital certifica tes are used to ensure that both p articipant s in an IPSec communications session are trustworthy , prior to an encrypted VPN tunnel being set up between the par[...]

  • Страница 220

    220 Fortinet Inc. Managing digital certificates IPSec VPN Generating the certificate request With this procedure, you gen erate a privat e and public key p air . The public key is the base component of the certificate request. T o generate the certificate requ est: 1 Go to VPN > Local Certificates . 2 Select Generate. 3 Enter a Certificate Name.[...]

  • Страница 221

    IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 221 Figure 23: Adding a Local Certific ate Downloading the certificate request With this procedure, you down load the cert ificate request f rom the Fo rtiGate u nit to the management computer . T o download th e certificate request: 1 Go to VPN > Local C[...]

  • Страница 222

    222 Fortinet Inc. Managing digital certificates IPSec VPN 4 Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encod ed PKCS#10 certif icate requ est to the CA web server , • paste the certificate re quest to the CA web server , • submit the certificate request to the CA web server . The certificate[...]

  • Страница 223

    IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 223 3 Enter the path or browse to locate the signed local certificate on the management computer . 4 Select OK. The signed local certificate will be displayed on the Local Cert ificates list with a status of OK. Obtaining a CA certificate For the VPN peers t[...]

  • Страница 224

    224 Fortinet Inc. Configuring encrypt policies IPSec VPN Configuring encrypt policies A VPN connects the local, intern al network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on th ese networks can use the VPN. A VPN requires only one encr ypt policy to control both inbound and out[...]

  • Страница 225

    IPSec VPN Co nfiguring encrypt policies FortiGate-400 Installation and Configuration Guide 225 Adding a source address The source address is located with in the inte rnal ne twork of the local VPN peer . It can be a single computer addre ss or the address of a network. 1 Go to Firewall > Address . 2 Select an internal interface. (Methods will di[...]

  • Страница 226

    226 Fortinet Inc. Configuring encrypt policies IPSec VPN Refer to the FortiGate Inst allation and Configuration Guide to configur e the remaining policy settings. 9 Select OK to save the encry pt policy . T o make sure that the encrypt policy is matched for VPN connection s, arrange the encrypt policy above other policies with similar source and de[...]

  • Страница 227

    IPSec VPN IPSec VPN concen trators FortiGate-400 Installation and Configuration Guide 227 IPSec VPN concentrators In a hub-and-spoke ne twork, all VPN tunnels termin ate at a single VPN peer known as a hub. The peer s that connect to th e hub are known as sp okes. The hub fun ctions as a concentr ator on the network , managing the VPN conn ections [...]

  • Страница 228

    228 Fortinet Inc. IPSec VPN concentrators IPSec VPN T o create a VPN concentrator configuratio n: 1 Configure a tunnel fo r each spoke. Choose betwe en a manual key tunnel or an AutoIKE tunnel. • A manual key tunnel consist s of a name fo r the tunnel, the IP address of the sp oke (client or gateway) at the opposite end of the tu nnel, and the en[...]

  • Страница 229

    IPSec VPN IPSec VPN concen trators FortiGate-400 Installation and Configuration Guide 229 Adding a VPN concentrator T o add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator . 2 Select New to ad d a VPN conc entrator . 3 Enter the name of the new conce ntrator in the Concentrator Name field. 4 T o add tunnels to the VPN con[...]

  • Страница 230

    230 Fortinet Inc. IPSec VPN concentrators IPSec VPN VPN spoke general co nfiguration steps A remote VPN pee r that is functio ning as a spok e requires the f ollowing configur ation: • A tunnel (Auto IKE phase 1 an d phase 2 conf iguration or manu al key configura tion) for the hub. • The source addre ss of the local VPN spoke. • The destinat[...]

  • Страница 231

    IPSec VPN Redundant IPSec VPNs FortiGate-400 Installation and Configuration Guide 231 See “Adding an encrypt policy” on p age 225 . 6 Arrange the policie s in the following order: • outbound encrypt policies • inbound encrypt policy • default non-encrypt policy (Interna l_All -> External_All) Redundant IPSec VPNs T o ensure the continu[...]

  • Страница 232

    232 Fortinet Inc. Redundant IPSec VPNs IPSec VPN Configure the two FortiGate un its with symmetric al settings for their connections to the Internet. For example, if the remote FortiG ate unit has tw o external int erfaces grou ped within one zon e, then the local FortiG ate unit sho uld have two externa l interfac es grouped within one zone. Simil[...]

  • Страница 233

    IPSec VPN Monitoring and Troublesh ooting VPNs FortiGate-400 Installation and Configuration Guide 233 Monitoring and T roubleshooting VPNs This section provid es a number of ge ne ral maintenance and monitoring procedures for VPNs. This section describes: • Viewin g VPN tunnel st atus • Viewing dialu p VPN connection status • T esting a VPN V[...]

  • Страница 234

    234 Fortinet Inc. Monitoring and Troubleshooti ng VPNs IPSec VPN T o view dialup connection st atus: 1 Go to VPN > IPSec > Dialup . The Lifetime column displays how long the connection has been up. The T imeout column displays the time before the next key exchange. The tim e is calculated by subtracting the tim e elapsed since the last key ex[...]

  • Страница 235

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 235 PPTP and L2TP VPN Y ou can use PPTP and L2TP to crea te a virtual private network (VPN) between a remote client PC running the Windows op er ating system an d your inte rnal netw ork. Because they are is a Windows st andards,[...]

  • Страница 236

    236 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN Figure 29: PPTP VPN between a Windows client and the FortiGate unit Configuring the FortiGat e unit as a PPTP gateway Use the followin g proced ures to con figure the FortiGate u nit as a PPTP gate way: Adding users and user groups T o add a user for each PP TP client: 1 Go to User > Local . 2[...]

  • Страница 237

    PPTP and L2TP VPN Configuring PPTP FortiGate-400 Installation and Configuration Guide 237 Figure 30: Example PPTP Range configu ration Adding a source address Add a sour ce address for ever y address in the PPT P address range. 1 Go to Firewall > Address . 2 Select the interface to which PP TP clients connect. This can be an interface, VLAN subi[...]

  • Страница 238

    238 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 T o remove addresses from the addr ess group, select an address from the Member s list and select the left arrow to remove it from the group. Select OK to add the address group . Adding a destination address Add an address to which PP TP users can connect. 1 Go to Firewall > Address . 2 Sele[...]

  • Страница 239

    PPTP and L2TP VPN Configuring PPTP FortiGate-400 Installation and Configuration Guide 239 4 Select Add. 5 Select Microsof t as the manufacturer . 6 Select Microsoft V irtual Private Networking Adapter . 7 Select OK twice. 8 Insert diskettes or CDs as required. 9 Restart the com puter . Configuring a PPTP dialup connection 1 Go to My Computer > D[...]

  • Страница 240

    240 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 Set Connection Availability to On ly for myself and select Next. 6 Select Finish. 7 In the Connect window , select Properties. 8 Select the Security tab. 9 Uncheck Requir e da ta encryption. 10 Select OK. Connecting to the PPTP VPN 1 S tart the dialup connection that yo u configured in the prev[...]

  • Страница 241

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 241 5 Select Advanced to configure ad vanced settings. 6 Select Settings. 7 Select Challenge Handshake Authen tication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab. 10 Make sure that the fo llowing opt ions[...]

  • Страница 242

    242 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Figure 31: L2TP VPN between a Windows client and the FortiGate unit Configuring the FortiGat e unit as a L2TP gateway Use the follo wing proced ures to c onfigure th e FortiGa te unit as a n L2TP g ateway: Adding users and user groups T o add a user for each L2TP client: 1 Go to User > Local .[...]

  • Страница 243

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 243 Figure 32: Sample L2TP addres s range configura tion 6 Add the addresses from the L2TP ad dress range to the External zo ne address list. The addresses can be grouped into an Exter nal address group. 7 Add addresses to the destination zone a ddress list to con[...]

  • Страница 244

    244 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 2 Add a new address group to the interface to which L2TP clients co nnect. This can be an interface, VLAN subinterfa ce, or zone. 3 Enter a Group Name to iden tify the address grou p. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - a[...]

  • Страница 245

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 245 Configuring a Windows 2000 client for L2TP Use the following p rocedure to co nfigure a clie nt computer running Wi ndows 2000 s o that it can connect to a FortiGate L2TP VPN. Configuring an L2TP dialup connection 1 Go to St art > Settings > Network and [...]

  • Страница 246

    246 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 8 Add the following registry value to this key: Value Name: ProhibitIpSec Data Type: REG_DWORD Value: 1 9 Save your changes and rest art the computer for the changes to t ake ef fect. Y ou must add the ProhibitIpSec registry value to each Windows 2000-based endpoint comp uter of an L2TP or IPSec [...]

  • Страница 247

    PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 247 5 Select Advanced to configure ad vanced settings. 6 Select Settings. 7 Select Challenge Handshake Authen tication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab. 10 Make sure that the fo llowing opt ions[...]

  • Страница 248

    248 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Connecting to the L2TP VPN 1 Connect to your ISP . 2 S tart the VPN connection that yo u co nfigured in the previous pr ocedure. 3 Enter your L2TP VPN User Name and Password. 4 Select Connect. 5 In the connect window , enter the User Name and Password tha t you use to connect to your dialup netwo[...]

  • Страница 249

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 249 Network Intrusion Detection System (NIDS) The FortiGat e NIDS is a re al-time netw ork intrusio n detectio n sensor th at uses at tack signature definitions to both detect and prev ent a wide variet y of suspicious network tr[...]

  • Страница 250

    250 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Selecting the interfaces to monitor 1 Go to NIDS > Detection > General . 2 Select the interfaces to monitor for ne twork attacks. Y ou can select up to 4 interfaces and VLAN subinterfaces. 3 Select Apply . Disabling the NIDS 1 Go to NIDS > Detection > Genera[...]

  • Страница 251

    Network Intrusion Detection S ystem (NIDS) Detecting attacks FortiGate-400 Installation and Configuration Guide 251 Viewing the signature list T o display the current list of NIDS signature group s and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List . 2 View the names an d action status of the signature gro[...]

  • Страница 252

    252 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Enabling and disabling NI DS attack signatures By default, all NIDS attack signatures ar e enabled . Y ou can use the NIDS signature list to disable detection of some atta cks. Disabling unnecessary NIDS attack signatures can improve system performa nce and reduce the n[...]

  • Страница 253

    Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-400 Installation and Configuration Guide 253 Figure 35: Example user -defined si gnature list Downloading the user-defined signature list Y ou can back up the user-defined signature lis t by downloading it to a text file on the management compu ter . 1 Go to NIDS > Detection[...]

  • Страница 254

    254 Fortinet Inc. Preventing attacks Network Intrusion Detection System (NIDS) Enabling NIDS attack prevention signatures The NIDS Prevention mo dule contain s signat ures that are designed to protect you r network against attacks. Some signatures are enabled by defa ult; others must be enabled. For a complete list of NIDS Prevention signatures and[...]

  • Страница 255

    Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-400 Installation and Configuration Guide 255 For example, setting the icmpflood signat ure threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher , th e FortiGate unit will block th[...]

  • Страница 256

    256 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS) Configuring synflood signature values For synflood signatures, yo u can set the thre shold, queu e size, and keep alive values. 1 Go to NIDS > Prevention . 2 Select Modify for the synflood signature. 3 T ype the Threshold va lue. 4 T ype the Queue Size. 5 T ype the T ime[...]

  • Страница 257

    Network Intrusion Detection System (NIDS) Logging attacks FortiGate-400 Installation and Configuration Guide 257 Reducing the number of NIDS attack log and email messages Intrusion attempt s may generate an excessive number of attack messages. T o help you distingu ish real warn ings from f alse al arms, the FortiGate unit provides methods to reduc[...]

  • Страница 258

    258 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS)[...]

  • Страница 259

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 259 Antivirus protection Antivirus protection is enabled in fire wall policies. When you enable antivirus protection for a firewall polic y , you select a content profile that controls how the antivirus protection behaves. Conten[...]

  • Страница 260

    260 Fortinet Inc. Antivirus scanning Antivirus protection 6 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file. See “Configur ing alert email” in the Logging and Message Refere nce Guide. Antivirus scanning Virus scan ning intercepts mo st files (including files compressed with up to 12 laye rs of co[...]

  • Страница 261

    Antivirus protection File blocking FortiGate-400 Installation and Configuration Guide 261 Figure 37: Example content profile for virus scan ning File blocking Enable file blocking to remove all files that pose a potential threat and to provide the best protection fr om active computer virus attacks. Blocking files is the only pr otection available [...]

  • Страница 262

    262 Fortinet Inc. File blocking Antivirus protection By default, w hen blocki ng is enabled, the FortiG ate unit bl ocks the follo wing file patterns: • executable files (*.bat, *.com, and *.exe) • compressed or archive files (*.gz, *.rar , *.tar , *.tgz, and *.zip) • dynamic link libraries (*.dll) • HTML applic ation (*.hta) • Microsoft [...]

  • Страница 263

    Antivirus protection Quarantine FortiGate-400 Installation and Configuration Guide 263 Quarantine FortiGate w ith hard dis ks can be co nfigur ed to quarantine blocked or infected files. The quarantined file s are removed from the content str eam and stored on the FortiGate hard disk. Users re ceived a messag e informing th em that the removed file[...]

  • Страница 264

    264 Fortinet Inc. Quarantine Antivirus protection Viewing the qua rantine list 1 Go to Anti-Virus > Quaran tine . The quarantine list provides the following information. Sorting the quarantine list Y ou can sort the quarantine list according to status (in fected or blocked), service (IMAP , POP3, SMTP , FTP , or HTTP), al phabeti cally by file n[...]

  • Страница 265

    Antivirus protection Quarantine FortiGate-400 Installation and Configuration Guide 265 Filtering the quarantine list Y ou can filter the quarantine list to: • Display only blocked files • Display only infected files • Display blocked and infected files found only in IMAP , POP3, SMTP , FTP , or HTTP traffic Deleting files from quarantine 1 Go[...]

  • Страница 266

    266 Fortinet Inc. Blocking oversized files and emails Antivirus protection Blocking oversized files and emails Y ou can configure the FortiGate unit to buff er 1 to 15 percent of available memory to store oversized files and email. Th e FortiGat e unit then blocks a file or email that exceeds this limit instead of byp assing anti vir us scanning an[...]

  • Страница 267

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 267 W eb filtering Web filtering is enabled in firewall policies. When you enable Anti-V irus & Web filter in a firewall policy , you select a content profile that controls how we b filtering behaves for HTTP traffic. Content[...]

  • Страница 268

    268 Fortinet Inc. Content blocking Web filtering 4 Configure the messages that users rec eive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 164 . 5 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file. See “Configur ing alert email”[...]

  • Страница 269

    Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 269 Figure 38: Exam ple banned w ord list URL blocking Y ou can block the unwanted web URLs usin g both the F ortiGate we b filter and the Cerberian web filter . • Using the FortiGate web filter • Using the Cerberian web filter Using the FortiGate web filter Y ou can [...]

  • Страница 270

    270 Fortinet Inc. URL blocking Web filtering 3 T ype the URL/Pattern to block. T ype a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. T ype a top-level URL followed by the p ath an d filename to block access to a single page on a webs[...]

  • Страница 271

    Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 271 Downloading the URL block list Y ou can back up the URL block list by downloading it to a text file on the management computer . 1 Go to Web Filter > URL Block . 2 Select Download URL Block List . The FortiGate unit downloads the list to a text file on the manageme[...]

  • Страница 272

    272 Fortinet Inc. URL blocking Web filtering Using the Cer berian web fi lter The FortiGate unit support s Cerberian web filtering. For information about Cer berian web filter , see www .cerberian.com. If you have purchased the Cerberian web f ilter ing functionality with your For tiGate unit, use the following configurat ion proced ures to configu[...]

  • Страница 273

    Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 273 2 Select Cerberian URL Filtering. 3 Select New . 4 Enter the IP address and netmask of the user comp uters. Y ou can enter the IP address of a single user . For example, 192.168.100.1 9 255.255.255.255 . Y ou can also enter a subnet of a grou p of users. For example, [...]

  • Страница 274

    274 Fortinet Inc. Script filtering Web filtering 3 Select the Cerberian URL Filtering option. 4 Go to Firewall > Content Profile. 5 Create a new or select an existing c o ntent profile and enable W eb URL Block. 6 Go to Firewall > Polic y . 7 Create a new or select an existing policy that will use the content profile. 8 Select Anti-Virus &[...]

  • Страница 275

    Web filtering Exempt URL list FortiGate-400 Installation and Configuration Guide 275 Figure 41: Example script filter setting s to block Java applets and ActiveX Exempt URL list Add URLs to the exempt URL list to allow legitimate traf fic that might otherwise be blocked by content or URL blocking. For exam ple, if content blocking is set to block p[...]

  • Страница 276

    276 Fortinet Inc. Exempt URL list Web filtering 5 Select OK to add the URL to the exempt URL list. Y ou can enter multiple URLs and then select Check All to activa te all items in the exempt UR L list. Each page of the exempt URL list displays 100 URLs. 6 Use Page Down and Page Up to navigate through the exempt URL list. Figure 42: Example exempt U[...]

  • Страница 277

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 277 Email filter Email filtering is enabled in firewall policies. When you en able Anti-Virus & Web filter in a firewall policy, you sele ct a conten t profile tha t controls h ow email filterin g behaves for email (IMAP an d[...]

  • Страница 278

    278 Fortinet Inc. Email banned word list Email filter Email banned word list When the FortiGate unit detect s email that contai ns a word or phrase in the banne d word list, the FortiGate unit adds a t ag to the subject line of the email and writes a message to the event log. Recei vers can then use their mail client sof tware to filter messages ba[...]

  • Страница 279

    Email filter Email block list FortiGate-400 Installation and Configuration Guide 279 Email block list Y ou can configure the FortiGate unit to ta g all IMAP and POP3 protocol tra ffic sent from unwanted email addresse s. When the FortiGate unit dete cts an email sent from an unwanted address p attern, the FortiGate un it adds a t ag to the subject [...]

  • Страница 280

    280 Fortinet Inc. Adding a subject tag Email filter Adding address patterns to the email exempt list 1 Go to Email Filter > Exempt List . 2 Select New to add an address pattern to the em ail exempt list. 3 T ype the address pattern to ex empt. • T o exempt email sent from a specific email add ress, type the email address. For example, sender@a[...]

  • Страница 281

    FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 281 Logging and reporting Y ou can configure the FortiGate unit to log network activity from routine configuration changes and traf fic sessions to emergency event s. Y ou can also configure the FortiGate u nit to send alert emai[...]

  • Страница 282

    282 Fortinet Inc. Recording logs Logging and reporting This section describes: • Recording logs on a remote computer • Recording logs on a NetIQ W ebT rends server • Recording logs on the FortiGate hard disk • Recording logs in system memory Recording logs on a remote computer Use the following procedure to configure the FortiGate unit to r[...]

  • Страница 283

    Logging and repo rting Recording logs FortiGate-400 Installation and Configuration Guide 283 4 Select the severity leve l for which you want to record log messages. The FortiGate will log all levels of severity down to but not lower than the level you choose. For example, if you want to record emergency , alert, critical, and error messages, select[...]

  • Страница 284

    284 Fortinet Inc. Filtering log me ssages Logging and reporting Recording logs in system memory If your Fo rtiGate unit does not contain a hard disk , you can use the fo llowing procedure to configure the FortiGate unit to rese rve some system memory for storing current event, at tack, antivirus , web filter and email filter log messages. Logging t[...]

  • Страница 285

    Logging and repo rting Filtering log me ssages FortiGate-400 Installation and Configuration Guide 285 4 Select the message categories that you wa nt the FortiGa te unit to record if you selected Event Log, V irus Log, Web Filter ing Log, Att ack Log, Email Filter Log, or Update in step 3 . 5 Select OK. Figure 43: Exam ple log filter con figuration [...]

  • Страница 286

    286 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Configuring traffic logging Y ou can configure the FortiGate unit to reco rd traffic log messages for connections to: • Any interface • Any VLAN subinterface • Any firewall policy The FortiGate unit can filter traf fic logs for any source and destination address and service.[...]

  • Страница 287

    Logging and repo rting Configuring traffic loggi ng FortiGate-400 Installation and Configuration Guide 287 5 Repeat this procedure for each VLAN subinterface fo r which you want to enable logging. Enabling traffic logging for a firewall policy If you enable traffic logging for a firewall policy , all connections accepted by firewall policy are reco[...]

  • Страница 288

    288 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Adding traffic filter entries Add entries to the traffic filter list to filter the messages that are recorded in the traf fic log. If you do not add any entries to the tr affic filte r list, the FortiGate records all traf fic log messages. Y ou can add entries to th e traffic filt[...]

  • Страница 289

    Logging and repo rting Viewing logs saved to memory FortiGate-400 Installation and Configuration Guide 289 V iewing logs saved to memory If the FortiGate is configured to save log messages in system memory , you can use the web-based manager to view , search, and clear the log message s. This section describes: • Viewin g logs • Searching logs [...]

  • Страница 290

    290 Fortinet Inc. Viewing and managing logs saved to the hard disk Logging and reporting V iewing and managing logs saved to the hard disk If your FortiGate unit cont ains a hard disk for recording lo gs, you can use the following procedures to view , search and mainta in logs: • Viewin g logs • Searching logs • Downloading a log file to the [...]

  • Страница 291

    Logging and reporting Viewing and managing logs saved to the hard disk FortiGate-400 Installation and Configuration Guide 291 8 Select OK to run the sear ch. The web-based man ager displays the messa ges that match th e search criteria. Y ou can scroll throug h the message s or run another se arch. Downloading a log file to the management computer [...]

  • Страница 292

    292 Fortinet Inc. Configu ring aler t email Logging and reporting Deleting a saved log file Use the follo wing proced ure to delete a saved log file: 1 Go to Log&Report > Logging . 2 Select Traf fic Log, Event Log, Attack log, Ant ivirus Log, Web Filter Log, or Email Filter Log. The web-based m anager list s all saved logs of the selected ty[...]

  • Страница 293

    Logging and repo rting Configu ring aler t email FortiGate-400 Installation and Configuration Guide 293 6 T ype up to three destination email ad dresses in the Email T o fields. These are the actual email addresse s to wh ich the FortiGate unit sends alert email. 7 Select Apply . Testing alert email Y ou can test the alert email settings by sending[...]

  • Страница 294

    294 Fortinet Inc. Configu ring aler t email Logging and reporting[...]

  • Страница 295

    FortiGate-400 Installation and Configuration Guide 295 FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 Glossary Connection : A link between machines, applications, processes, and so on t hat can be logical, phys ical, or both. DMZ, Demilit arized Zone : Used to host Internet services without allowing unau thorized access to an[...]

  • Страница 296

    296 Fortinet Inc. Glossary LAN, Local Area Network : A computer n etwork that spans a relatively small area. Most LANs connect worksta tions and personal computers. Each computer on a LAN is able to ac cess data and devices a nywhere on the LAN. This means that many users can share data as well as physical re sources such as printers. MAC address, [...]

  • Страница 297

    Glossary FortiGate-400 Installation and Configuration Guide 297 SSH , Secure shell : A secure T elnet replacement that you can use to log into another computer over a network and run commands. SSH provides str ong secure authentication and secure communications over insecure channels. Subnet : A portion of a network that shares a comm on address co[...]

  • Страница 298

    298 Fortinet Inc. Glossary[...]

  • Страница 299

    FortiGate-400 Installation and Configuration Guide 299 FortiGate-400 Inst allation and Co nfiguration Guide V ersion 2.50 MR2 Index Numerics 4/HA configuring for HA 77, 82 A accept policy 174 action policy option 174 active log deleting all messages 291 searching 289, 290 viewing and maintaining saved logs 290 ActiveX 275 removing from web pages 27[...]

  • Страница 300

    300 Fortinet Inc. Index AutoIKE 210 certificates 21 0 introduction 210 pre-shared keys 210 automatic antivirus and attack definition updates configuring 118 B backing up system settings 108 bandwidth guaranteed 175 maximum 175 banned word l ist adding words 2 68, 278 blacklist URL 271 block traffic IP/MAC binding 194, 1 95 log option 283 blocking a[...]

  • Страница 301

    Index FortiGate-400 Installation and Configuration Guide 301 E email alert testing 293 email filter log 285 enabling policy 178 encrypt policy 174 encrypt policy allow inbound 175 allow outbound 175 Inbound NAT 175 Outbound NAT 175 ending IP address PPTP 236, 242 environmental specifications 31 event log 284 viewing 289 exempt URL list 275, 279 add[...]

  • Страница 302

    302 Fortinet Inc. Index HTTPS 20, 139, 183, 295 I ICMP 183, 295 configuring checksum verification 250 idle timeout web-based manager 158 IDS log viewing 289 IKE 295 IMAP 183, 295 Inbound NAT encrypt policy 175 interface RIP 152 internal address example 180 internal address group example 181 internal network configuring 50 Internet blocking access t[...]

  • Страница 303

    Index FortiGate-400 Installation and Configuration Guide 303 loggin g 21, 281 attack log 284 configuring traffic settings 286, 287 deleting all messages 291 deleting log files 292 downloading log files 291 email filter log 285 enabling alert email 293 event log 284 filtering log messages 284 log to local 283 log to memory 284 log to remote host 282[...]

  • Страница 304

    304 Fortinet Inc. Index ping management access 139 policy accept 174 Anti-Virus & Web filter 176 arranging in policy list 177 Comments 177 deny 174 disabling 178 enabling 178 enabling authenticati on 207 fixed port 174 guaranteed bandwidth 175 Log Traffic 177 matching 177 maximum bandwidth 175 policy list configuring 177 policy routing 146 POP3[...]

  • Страница 305

    Index FortiGate-400 Installation and Configuration Guide 305 RMA registering a FortiGate unit 131 route adding default 143 adding to routing table 143 adding to routing table (Transparent mode) 145 destination 143 devic e 144 router next hop 136 routing 29 6 adding static routes 1 43 configuring 143 configuring routing table 14 5 policy 146 routing[...]

  • Страница 306

    306 Fortinet Inc. Index system settings backing up 108 restoring 108 restoring to factory default 108 system status 93, 149 system status monitor 110, 111, 112, 113 T TCP configuring checksum verification 250 technical support 28 testing alert email 293 time log search 289, 291 setting 157 time zone 157 timeout firewall authentica tion 159 idle 158[...]

  • Страница 307

    Index FortiGate-400 Installation and Configuration Guide 307 virus definitions updating 115, 119 virus incidents enabling alert email 293 virus list displaying 266 viewing 266 virus log 284 virus protection overview 259 worm protection 15 VLAN configuring 139 network configuration 139 VLAN network typical configuration 140 VPN configuring L2TP gate[...]

  • Страница 308

    308 Fortinet Inc. Index[...]