Fortinet 3045 User Manual

Configuring the FortiGate unit NAT/Route mode installation
config system dns
set primary <address_ip>
set secondary <address_ip>
end
Example
config system dns
set primary 293.44.75.21
set secondary 293.44.75.22
end
Add a default route to configure where the FortiGate unit sends traffic that should be sent to an external network (usually the Internet). Adding the default route also defines which interface is connected to an external network. The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE.
To add a default route
Set the default route to the Default Gateway IP address. Enter:
config router static
edit <seq_num>
set dst <class_ip&net_netmask>
set gateway <gateway_IP>
set device <interface>
end
Example
If the default gateway IP is 10.10.1.2 and this gateway is connected to the external interface:
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 10.10.1.2
set device external
end
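The two CLI blocks above are easy to mistype, and the CLI accepts whatever fits the syntax. The following offline check is an added example, not part of the Fortinet guide: it parses FortiOS-style config text (a small parser written for this example, handling only config/edit/set/next/end) and reports DNS servers that are not valid IPv4 addresses, an identical primary and secondary server, and a default route that lacks a valid gateway or device. The constructed sample reuses the guide's own values; note that the 293.44.75.x placeholders are not valid IPv4 addresses, which is exactly what the check reports.

```python
import ipaddress

# Constructed sample modelled on the guide's NAT/Route mode examples.
# The DNS addresses are the guide's placeholders; 293 is not a valid octet.
SAMPLE_CONFIG = """\
config system dns
    set primary 293.44.75.21
    set secondary 293.44.75.22
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.10.1.2
        set device external
    next
end
"""


def parse_fortios(text):
    """Parse 'config ... end' blocks into {table: {entry: {key: [values]}}}.

    Tables without 'edit' entries (such as 'system dns') are stored under
    the entry key None. This is an illustrative parser, not a Fortinet tool.
    """
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            table = " ".join(words[1:])
            entry = None
            tables.setdefault(table, {})
        elif table is None:
            continue  # stray text outside any block
        elif words[0] == "edit":
            entry = " ".join(words[1:])
            tables[table].setdefault(entry, {})
        elif words[0] == "set" and len(words) >= 3:
            tables[table].setdefault(entry, {})[words[1]] = words[2:]
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = entry = None
    return tables


def valid_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_dns(tables):
    """Flag missing or malformed DNS servers and a non-redundant pair."""
    findings = []
    dns = tables.get("system dns", {}).get(None, {})
    for key in ("primary", "secondary"):
        values = dns.get(key)
        if not values:
            findings.append(f"dns: {key} server not set")
        elif not valid_ipv4(values[0]):
            findings.append(f"dns: {key} server {values[0]} is not a valid IPv4 address")
    if dns.get("primary") and dns.get("primary") == dns.get("secondary"):
        findings.append("dns: primary and secondary servers are identical (no redundancy)")
    return findings


def check_default_route(tables):
    """Require a 0.0.0.0/0 route with a valid gateway and an outgoing device."""
    findings = []
    routes = tables.get("router static", {})
    defaults = [r for r in routes.values() if r.get("dst") == ["0.0.0.0", "0.0.0.0"]]
    if not defaults:
        findings.append("route: no default route (dst 0.0.0.0 0.0.0.0) configured")
    for route in defaults:
        gateway = route.get("gateway", [None])[0]
        if gateway is None or not valid_ipv4(gateway):
            findings.append(f"route: default route gateway {gateway} is not a valid IPv4 address")
        if not route.get("device"):
            findings.append("route: default route has no device (external interface) set")
    return findings


def audit(text):
    """Run all checks over config text; an empty list means nothing was found."""
    tables = parse_fortios(text)
    return check_dns(tables) + check_default_route(tables)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the block over the sample reports both DNS placeholders as invalid; replacing them with real addresses and keeping the default route as shown yields no findings.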
Verify the connection
To verify the connection, try the following:
ping the FortiGate unit
browse to the web-based manager GUI
retrieve or send email from your email account
If you cannot browse to the web site or retrieve/send email from your account, review the previous steps to ensure all information was entered correctly and try again.
You have now finished the initial configuration of the FortiGate unit.
FortiGate-50A/50B, FortiWiFi-50B and FortiGate-100 FortiOS 3.0 MR4 Install Guide 01-30004-0265-20070522 41
Connecting the FortiGate unit to the network(s)
When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
The following network connections are available on the FortiGate unit:
Internal for connecting to your internal network
External or WAN1 for connecting to the Internet
Modem is the interface for connecting an external modem to the FortiGate-50A.
You can configure the modem interface as a redundant interface or stand alone interface to the Internet. For details on configuring the modem interface, see “Configuring the modem for the FortiGate-50A” on page 53.
DMZ (FortiGate-100) for connecting to a DMZ network. You can also connect both the external and DMZ interfaces to different Internet connections to provide a redundant connection to the Internet.
To connect the FortiGate unit
1 Connect the Internal interface to the hub or switch connected to your internal network.
2 Connect the External or WAN1 interface to the Internet.
Connect to the public switch or router provided by your ISP. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the DMZ interface to your DMZ network.
You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.
Configuring the networks
If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the interface where the networks are connected.
For the internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface.
For the DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the FortiGate DMZ interface.
For the external network, route all packets to the FortiGate external interface.
If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Make sure the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on the internal network. You should be able to connect to any Internet address.
Transparent mode installation
This section describes how to install the FortiGate unit in Transparent mode. This section includes the following topics:
Preparing to configure Transparent mode
Using the web-based manager
Using the command line interface
Connecting the FortiGate unit to your network
Preparing to configure Transparent mode
Use Table 14 to gather the information you need to customize Transparent mode settings.
You can configure Transparent mode using one of the following methods:
the web-based manager GUI
the command line interface (CLI)
The method you choose depends on the complexity of the configuration, access and equipment, and the type of interface you are most comfortable using.
Table 14: Transparent mode settings
Administrator Password:
Management IP
IP: _____._____._____._____
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
DNS Settings
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
Using the web-based manager
You can use the web-based manager to complete the initial configuration of the FortiGate unit. You can continue to use the web-based manager for all FortiGate unit settings.
For information about connecting to the web-based manager, see “Connecting to the web-based manager” on page 21.
The first time you connect to the FortiGate unit, it is configured to run in NAT/Route mode.
To switch to Transparent mode using the web-based manager
1 Go to System > Status.
2 Select Change beside the Operation Mode.
3 Select Transparent in the Operation Mode list.
4 Type the Management IP/Netmask address and the Default Gateway address you gathered in Table 14 on page 43.
5 Select Apply.
You do not have to reconnect to the web-based manager at this time. Once you select Apply, the changes are immediate, and you can go to the system dashboard to verify the FortiGate unit has changed to Transparent mode.
To configure DNS server settings
1 Go to System > Network > Options.
2 Enter the IP address of the primary DNS server.
3 Enter the IP address of the secondary DNS server.
4 Select Apply.
Using the command line interface
As an alternative to the web-based manager, you can begin the initial configuration of the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the CLI” on page 23. Use the information you gathered in Table 14 on page 43 to complete the following procedures.
To change to Transparent mode using the CLI
1 Make sure you are logged into the CLI.
2 Switch to Transparent mode. Enter:
config system settings
set opmode transparent
set manageip <address_ip> <netmask>
set gateway <address_ip>
end
After a few seconds, the following prompt appears:
Changing to TP mode
3 To confirm you have changed to transparent mode, enter the following:
get system status
The CLI displays the status of the FortiGate unit including the management IP address and netmask:
opmode : transparent
manageip : <address_ip> <netmask>
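Table 14 notes that the management IP and netmask must be valid for the network you manage from, and that a default gateway is needed when a router sits between the unit and the management computer. The following added example (not part of the Fortinet guide) reads the two status lines shown above, as produced by get system status, and checks those conditions before you drop your current session: the management address must be a usable host address, a management computer outside that subnet requires a default gateway, and the gateway itself must lie inside the management subnet. The status text and every address in it are constructed for this example.

```python
import ipaddress

# Constructed sample of the two 'get system status' lines the guide says to
# inspect after switching modes; the addresses are made up.
SAMPLE_STATUS = """\
opmode : transparent
manageip : 192.168.1.99 255.255.255.0
"""


def parse_status(text):
    """Turn 'key : value' lines into a dict mapping key -> list of value words."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.split()
    return status


def check_management(status, default_gateway, admin_host):
    """Validate Table 14 management settings against the status output.

    default_gateway is the Default Gateway string from Table 14 (or None when
    none was entered); admin_host is the address of the management computer.
    Returns a list of findings; an empty list means the settings are coherent.
    """
    findings = []
    if status.get("opmode") != ["transparent"]:
        findings.append("unit is not in Transparent mode")
    manageip = status.get("manageip", [])
    if len(manageip) != 2:
        findings.append("manageip is not set as '<ip> <netmask>'")
        return findings
    try:
        iface = ipaddress.IPv4Interface(f"{manageip[0]}/{manageip[1]}")
    except ValueError as exc:
        return findings + [f"invalid management IP/netmask: {exc}"]
    net = iface.network
    # Network and broadcast addresses are not usable host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"management IP {iface.ip} is the network or broadcast address of {net}")
    admin = ipaddress.IPv4Address(admin_host)
    if default_gateway is None:
        if admin not in net:
            findings.append(
                f"management computer {admin} is outside {net} but no default gateway is set"
            )
    else:
        gateway = ipaddress.IPv4Address(default_gateway)
        if gateway not in net:
            findings.append(f"default gateway {gateway} is not inside the management subnet {net}")
        elif gateway == iface.ip:
            findings.append("default gateway equals the management IP")
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    for finding in check_management(status, None, "10.0.0.5"):
        print(finding)
```

Run it with the management computer's address and the gateway you intend to enter; a finding here means the new management IP would be unreachable once the mode switch applies.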
You should verify the DNS server settings are correct. The DNS settings carry over from NAT/Route mode and may not be correct for your specific Transparent mode configuration.
To verify the DNS server settings
Enter the following commands to verify the FortiGate unit’s DNS server settings:
show system dns
The above command should give you the following DNS server setting information:
config system dns
set primary 293.44.75.21
set secondary 293.44.75.22
set fwdintf internal
end
To configure DNS server settings
Set the primary and secondary DNS server IP addresses. Enter:
config system dns
set primary <address_ip>
set secondary <address_ip>
end
Example
config system dns
set primary 293.44.75.21
set secondary 293.44.75.22
end
Reconnecting to the web-based manager
When the FortiGate unit has switched to Transparent mode, you can reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address. If you connect to the management interface through a router, make sure you have added a default gateway for that route to the management IP default gateway field.
Connecting the FortiGate unit to your network
When you complete the initial configuration, you can connect the FortiGate unit between your internal network and the Internet, and optionally connect an additional network to the other interfaces if applicable.
To connect the FortiGate unit running in Transparent mode:
1 Connect the Internal interface to the hub or switch connected to your internal network.
2 Connect the External or WAN1 interface to the network segment connected to the external firewall or router. Connect to the public switch or router provided by your ISP.
Verify the connection
To verify the connection, try the following:
ping the FortiGate unit
browse to the web-based manager GUI
retrieve or send email from your email account
If you cannot browse to the web site or retrieve/send email from your account, review the previous steps to ensure all information was entered correctly and try again.
Figure 10: FortiGate-50B Transparent mode connections (diagram labels: Internet; Router (or public switch); WAN 1; FortiGate-50B; Internal; Hub, switch or router; Internal network; Management Computer)
Next steps
Use the following information to configure FortiGate system time, and to configure antivirus and attack definition updates.
Refer to the FortiGate Administration Guide for complete information on configuring, monitoring, and maintaining your FortiGate unit.
Set the date and time
For effective scheduling and logging, the FortiGate system date and time must be accurate. You can either manually set the system date and time or configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the date and time
1 Go to System > Status.
2 Under System Information > System Time, select Change.
3 Select Refresh to display the current FortiGate system date and time.
4 Select your Time Zone from the list.
5 Optionally, select the Automatically adjust clock for daylight saving changes check box.
6 Select Set Time and set the FortiGate system date and time.
7 Set the hour, minute, second, month, day, and year as required.
8 Select OK.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the system time must be manually adjusted after daylight savings time ends.
To use NTP to set the FortiGate date and time
1 Go to System > Status.
2 Under System Information > System Time, select Change.
3 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date.
4 Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.
5 Specify how often the FortiGate unit should synchronize its time with the NTP server.
6 Select OK.
Updating antivirus and IPS signatures
Configure the FortiGate unit to connect to the FortiGuard Distribution Network (FDN) to update the antivirus (including grayware), antispam and IPS attack definitions.
The FDN is a worldwide network of FortiGuard Distribution Servers (FDS). When the FortiGate unit connects to the FDN, it connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit.
You can update your antivirus and IPS signatures using the web-based manager or the CLI. Before you can begin receiving updates, you must register your FortiGate unit from the Fortinet web page.
Note: Update AV and IPS signatures on a regular basis. If you do not update AV and IPS signatures regularly, the FortiGate unit can become vulnerable to new viruses.
After registering your FortiGate unit, verify the FortiGate unit can connect to the FDN:
Check that the FortiGate unit’s system time is correct.
From the web-based manager, select refresh from the FortiGuard Center.
If you cannot connect to the FDN, follow the procedure for registering your FortiGate unit and try again or see “Adding an override server” on page 49.
Updating antivirus and IPS signatures from the web-based manager
After you have registered your FortiGate unit, you can update antivirus and IPS signatures using the web-based manager. The FortiGuard Center enables you to receive push updates, allow push update to a specific IP address, and schedule updates for daily, weekly, or hourly intervals.
To update antivirus definitions and IPS signatures
1 Go to System > Maintenance > FortiGuard Center.
2 Select the blue arrow for AntiVirus and IPS Downloads to expand the options.
3 Select Update Now to update the antivirus definitions.
If the connection to the FDN is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System FortiGuard Center page lists new version information for antivirus definitions. The System Status page also displays new dates and version numbers for the antivirus definitions. Messages are recorded to the event log indicating whether the update was successful or not.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. Schedule updates when traffic is light, for example overnight, to minimize any disruption.
Updating the IPS signatures from the CLI
You can update IPS signatures using the CLI. Use the following procedure to update IPS signatures.
Note: You can only update antivirus definitions from the web-based manager.
To update IPS signatures using the CLI
1 Log into the CLI.
2 Enter the following CLI command:
config system autoupdate ips
set accept-recommended-settings enable
end
Scheduling antivirus and IPS updates
You can schedule regular, automatic updates of antivirus and IPS signatures, either from the web-based manager or the CLI.
To enable scheduled updates from the web-based manager
1 Go to System > Maintenance > FortiGuard Center.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates:
Every: once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: once a day. You can specify the time of day to check for updates.
Weekly: once a week. You can specify the day of the week and time of day to check for updates.
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
To enable scheduled updates from the CLI
1 Log into the CLI.
2 Enter the following command:
config system autoupdate schedule
set frequency {every | daily | weekly}
set status {enable | disable}
set time <hh:mm>
end
Example
config system autoupdate schedule
set day Sunday
set frequency weekly
set status enable
set time 16:45
end
Adding an override server
If you cannot connect to the FDN, or if your organization provides updates using its own FortiGuard server, use the following procedures to add the IP address of an override FortiGuard server in either the web-based manager or the CLI.
To add an override server from the web-based manager
1 Go to System > Maintenance > FortiGuard Center.
2 Select the blue arrow for AntiVirus and IPS Downloads to expand the options.
3 Select the Use override server address check box.
4 Type the fully qualified domain name or IP address of a FortiGuard server.
5 Select Apply.
The FortiGate unit tests the connection to the override server.
If the FDN setting changes to available, the FortiGate unit has successfully connected to the override server.
If the FDN stays set to not available, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit from connecting to the override FortiGuard server.
To add an override server using the CLI
1 Log into the CLI.
2 Enter the following command:
config system autoupdate override
set address <address_ip_or_fqdn>
set status {enable | disable}
end
Configuring the modem interface
The modem interface is only available on the FortiGate-50A.
The following sections will cover how to configure the FortiGate-50A modem using the CLI.
The FortiGate-50A supports a redundant or stand alone 56K modem interface in NAT/Route mode.
In redundant mode, the modem interface automatically takes over from a selected Ethernet interface when that Ethernet interface is unavailable.
In stand alone mode, the modem interface is the connection from the FortiGate unit to the Internet.
When connecting to an ISP in either configuration, the modem can automatically dial up to three dial-up accounts until the modem connects to an ISP.
This section includes the following topics:
Connecting a modem to the FortiGate-50A
Selecting a modem mode
Configuring the modem for the FortiGate-50A
Adding a Ping Server
Adding firewall policies for modem connections
Connecting a modem to the FortiGate-50A
The FortiGate-50A can operate with most standard external serial interface modems that support standard Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the FortiGate unit and the serial port on the modem. The FortiGate unit does not support a direct USB connection between the two devices.
Figure 11: Example modem interface network connection (diagram labels: FortiGate-50A with DC+12V, Internal, External, Modem, Console and USB ports; USB-to-serial converter; V.92 external modem)
Selecting a modem mode
The modem interface can work in one of two modes:
redundant mode
stand alone mode
Redundant mode configuration
The redundant modem interface serves as a backup to the Ethernet interface. If that Ethernet interface disconnects from its network, the modem automatically dials the configured dial-up account(s). When the modem connects to a dial-up account, the FortiGate unit routes IP packets normally destined for the selected Ethernet interface to the modem interface. During this time, the unit pings the Ethernet connection to check when it is back online.
When the Ethernet interface can connect to its network again, the FortiGate unit disconnects the modem interface and switches back to the Ethernet interface.
For the FortiGate unit to switch from an Ethernet interface to the modem you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Stand alone mode configuration
In stand alone mode, you manually connect the modem to a dial-up account. The modem interface operates as the primary connection to the Internet. The FortiGate unit routes traffic through the modem interface, which remains permanently connected to the dial-up account.
If the connection to the dial-up account fails, the FortiGate unit modem automatically redials the number. The modem redials the ISP number the number of times specified by the redial limit, or until it connects to a dial-up account.
In stand alone mode the modem interface replaces the external Ethernet interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Configuring the modem for the FortiGate-50A
Configure the modem for the FortiGate-50A using the CLI. The following table of CLI commands is specifically for the FortiGate-50A modem configuration.
Table 15: CLI commands for the FortiGate-50A
Keywords and variables, with description and default:
altmode {enable | disable}
Enable for installations using PPP in China. Default: enable
auto-dial {enable | disable}
Enable to dial the modem automatically if the connection is lost, or the FortiGate unit is restarted. dial-on-demand must be disabled. mode must be standalone. Default: disable
connect_timeout <seconds>
Set the connection completion timeout (30-255 seconds). Default: 90
dial-on-demand {enable | disable}
Enable the FortiGate unit to dial the modem when packets are routed to the modem interface. The modem disconnects after it reaches the idle-timer period value if there is no traffic through the modem interface within that time. When traffic occurs on the interface, the FortiGate unit dials the modem again. auto-dial must be disabled when in standalone mode. Default: disable
holddown-timer <seconds>
Used only when the modem is configured as a backup for an interface. Set the time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored. mode must be redundant. Default: 60
idle-timer <minutes>
Set the number of minutes the traffic through the modem connection is idle before the FortiGate unit disconnects. mode must be standalone. Default: 5
interface <name>
Enter an interface name to associate the modem interface with the Ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration). No default.
mode <mode>
Enter the required mode:
• standalone: the modem interface is the connection from the FortiGate unit to the Internet.
• redundant: the modem interface automatically takes over from a selected Ethernet interface when that Ethernet interface is unavailable.
Default: standalone
passwd1 <password_str>
Enter the password used to access the specified dialup account. No default.
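Several Table 15 keywords only take effect in one mode, and auto-dial and dial-on-demand exclude each other; the CLI does not reject such combinations, it simply does not behave as intended, which matters for a backup path that is supposed to come up on its own. The following lint is an added example, not part of the Fortinet guide or FortiOS: it reads the set lines of a config system modem block (the sample is constructed) and encodes the cross-field rules and ranges visible in the table above. Only the keywords shown in the table are covered, and the upper bound of holddown-timer is assumed to be 60 seconds, matching its default.

```python
# Constructed example of a FortiGate-50A modem block, written against the
# keywords in Table 15; the values were chosen to trigger several findings.
SAMPLE_MODEM = """\
config system modem
    set mode redundant
    set interface external
    set auto-dial enable
    set dial-on-demand enable
    set holddown-timer 90
    set connect_timeout 20
    set idle-timer 5
end
"""

# Defaults as listed in Table 15.
DEFAULTS = {
    "altmode": "enable",
    "auto-dial": "disable",
    "connect_timeout": "90",
    "dial-on-demand": "disable",
    "holddown-timer": "60",
    "idle-timer": "5",
    "mode": "standalone",
}

# Numeric ranges from Table 15. The holddown-timer upper bound of 60 is an
# assumption for this example (the table's default is 60).
RANGES = {"connect_timeout": (30, 255), "holddown-timer": (1, 60)}


def parse_set_lines(text):
    """Collect 'set <key> <value...>' lines of one flat block into a dict."""
    settings = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "set":
            settings[words[1]] = " ".join(words[2:])
    return settings


def lint_modem(settings):
    """Apply Table 15's constraints; returns a list of findings (empty = ok)."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    mode = cfg["mode"]
    if mode not in ("standalone", "redundant"):
        findings.append(f"mode must be standalone or redundant, not {mode!r}")
    if "interface" not in cfg:
        findings.append("interface is required: name the Ethernet interface to back up or replace")
    for key, (low, high) in RANGES.items():
        try:
            value = int(cfg[key])
        except ValueError:
            findings.append(f"{key} must be an integer")
            continue
        if not low <= value <= high:
            findings.append(f"{key} {value} is outside the allowed range {low}-{high}")
    # auto-dial: dial-on-demand must be disabled and mode must be standalone.
    if cfg["auto-dial"] == "enable":
        if cfg["dial-on-demand"] == "enable":
            findings.append("auto-dial requires dial-on-demand disable")
        if mode != "standalone":
            findings.append("auto-dial requires mode standalone")
    # Mode-specific timers that were set explicitly but cannot apply.
    if "holddown-timer" in settings and mode != "redundant":
        findings.append("holddown-timer only applies when mode is redundant")
    if "idle-timer" in settings and mode != "standalone":
        findings.append("idle-timer only applies when mode is standalone")
    return findings


def lint_modem_text(text):
    """Convenience wrapper: parse a block of CLI text and lint it."""
    return lint_modem(parse_set_lines(text))


if __name__ == "__main__":
    for finding in lint_modem_text(SAMPLE_MODEM):
        print(finding)
```

Paste the output of show system modem into lint_modem_text before relying on the modem as a backup path; a clean redundant configuration (mode redundant, an interface to back up, a holddown-timer within range, auto-dial left disabled) produces no findings.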