Fortinet FortiGate 100 User Manual

FortiGate 100
Installation and
Configuration Guide
[Front panel illustration; labels: INTERNAL, EXTERNAL, POWER, DMZ, STATUS]
Version 2.50 MR2
18 August 2003
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Table of Contents

Introduction .......................................................................................................... 13
Antivirus protection ........................................................................................................... 13
Web content filtering ......................................................................................................... 14
Email filtering .................................................................................................................... 14
Firewall.............................................................................................................................. 15
NAT/Route mode .......................................................................................................... 15
Transparent mode......................................................................................................... 16
Network intrusion detection............................................................................................... 16
VPN................................................................................................................................... 16
Secure installation, configuration, and management ........................................................ 17
Web-based manager .................................................................................................... 17
Command line interface ................................................................................................ 18
Logging and reporting ................................................................................................... 19
What’s new in Version 2.50 .............................................................................................. 19
System administration................................................................................................... 19
Firewall.......................................................................................................................... 20
Users and authentication .............................................................................................. 20
VPN............................................................................................................................... 20
NIDS ............................................................................................................................. 21
Antivirus ........................................................................................................................ 21
Web Filter...................................................................................................................... 21
Email filter ..................................................................................................................... 21
Logging and Reporting.................................................................................................. 21
About this document ......................................................................................................... 22
Document conventions ..................................................................................................... 23
Fortinet documentation ..................................................................................................... 24
Comments on Fortinet technical documentation........................................................... 24
Customer service and technical support........................................................................... 25
Contents
Getting started ..................................................................................................... 27
Package contents ............................................................................................................. 28
Mounting ........................................................................................................................... 28
Powering on...................................................................................................................... 29
Connecting to the web-based manager............................................................................ 30
Connecting to the command line interface (CLI)............................................................... 31
Factory default FortiGate configuration settings ............................................................... 31
Factory default NAT/Route mode network configuration .............................................. 32
Factory default Transparent mode network configuration............................................. 33
Factory default firewall configuration ............................................................................ 33
Factory default content profiles..................................................................................... 34
Planning your FortiGate configuration .............................................................................. 37
NAT/Route mode .......................................................................................................... 37
NAT/Route mode with multiple external network connections ...................................... 38
Transparent mode......................................................................................................... 38
Configuration options .................................................................................................... 39
FortiGate model maximum values matrix ......................................................................... 40
Next steps......................................................................................................................... 41
NAT/Route mode installation.............................................................................. 43
Preparing to configure NAT/Route mode.......................................................................... 43
Advanced NAT/Route mode settings............................................................................ 44
DMZ interface ............................................................................................................... 44
Using the setup wizard...................................................................................................... 45
Starting the setup wizard .............................................................................................. 45
Reconnecting to the web-based manager .................................................................... 45
Using the command line interface..................................................................................... 45
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 45
Connecting the FortiGate unit to your networks................................................................ 47
Configuring your networks ................................................................................................ 48
Completing the configuration ............................................................................................ 48
Configuring the DMZ interface ...................................................................................... 48
Setting the date and time .............................................................................................. 48
Enabling antivirus protection......................................................................................... 49
Registering your FortiGate............................................................................................ 49
Configuring virus and attack definition updates ............................................................ 49
Configuration example: Multiple connections to the Internet ............................................ 49
Configuring Ping servers............................................................................................... 51
Destination based routing examples............................................................................. 51
Policy routing examples ................................................................................................ 54
Firewall policy example................................................................................................. 55
Transparent mode installation............................................................................ 57
Preparing to configure Transparent mode ........................................................................ 57
Using the setup wizard...................................................................................................... 58
Changing to Transparent mode .................................................................................... 58
Starting the setup wizard .............................................................................................. 58
Reconnecting to the web-based manager .................................................................... 58
Using the command line interface..................................................................................... 59
Changing to Transparent mode .................................................................................... 59
Configuring the Transparent mode management IP address ....................................... 59
Configure the Transparent mode default gateway........................................................ 59
Connecting the FortiGate unit to your networks................................................................ 60
Completing the configuration ............................................................................................ 61
Setting the date and time .............................................................................................. 61
Enabling antivirus protection......................................................................................... 61
Registering your FortiGate............................................................................................ 61
Configuring virus and attack definition updates ............................................................ 61
Transparent mode configuration examples....................................................................... 62
Default routes and static routes .................................................................................... 62
Example default route to an external network............................................................... 63
Example static route to an external destination ............................................................ 64
Example static route to an internal destination ............................................................. 67
System status....................................................................................................... 69
Changing the FortiGate host name................................................................................... 70
Changing the FortiGate firmware...................................................................................... 70
Upgrade to a new firmware version .............................................................................. 71
Revert to a previous firmware version .......................................................................... 72
Install a firmware image from a system reboot using the CLI ....................................... 75
Test a new firmware image before installing it .............................................................. 77
Installing and using a backup firmware image .............................................................. 79
Manual virus definition updates ........................................................................................ 82
Manual attack definition updates ...................................................................................... 83
Displaying the FortiGate serial number............................................................................. 83
Displaying the FortiGate up time....................................................................................... 83
Backing up system settings .............................................................................................. 83
Restoring system settings................................................................................................. 84
Restoring system settings to factory defaults ................................................................... 84
Changing to Transparent mode ........................................................................................ 85
Changing to NAT/Route mode.......................................................................................... 85
Restarting the FortiGate unit............................................................................................. 85
Shutting down the FortiGate unit ...................................................................................... 86
System status ................................................................................................................... 86
Viewing CPU and memory status ................................................................................. 86
Viewing sessions and network status ........................................................................... 87
Viewing virus and intrusions status............................................................................... 88
Session list........................................................................................................................ 89
Virus and attack definitions updates and registration ..................................... 91
Updating antivirus and attack definitions .......................................................................... 91
Connecting to the FortiResponse Distribution Network ................................................ 92
Configuring scheduled updates .................................................................................... 93
Configuring update logging ........................................................................................... 94
Adding an override server............................................................................................. 95
Manually updating antivirus and attack definitions........................................................ 95
Configuring push updates ............................................................................................. 95
Push updates through a NAT device ............................................................................ 96
Scheduled updates through a proxy server ................................................................ 100
Registering FortiGate units ............................................................................................. 101
FortiCare Service Contracts........................................................................................ 101
Registering the FortiGate unit ..................................................................................... 102
Updating registration information .................................................................................... 104
Recovering a lost Fortinet support password.............................................................. 104
Viewing the list of registered FortiGate units .............................................................. 104
Registering a new FortiGate unit ................................................................................ 105
Adding or changing a FortiCare Support Contract number......................................... 105
Changing your Fortinet support password .................................................................. 106
Changing your contact information or security question ............................................. 106
Downloading virus and attack definitions updates ...................................................... 106
Registering a FortiGate unit after an RMA...................................................................... 107
Network configuration....................................................................................... 109
Configuring interfaces ..................................................................................................... 109
Viewing the interface list ............................................................................................. 110
Bringing up an interface .............................................................................................. 110
Changing an interface static IP address ..................................................................... 110
Adding a secondary IP address to an interface .......................................................... 110
Adding a ping server to an interface ........................................................................... 111
Controlling management access to an interface ......................................................... 111
Configuring traffic logging for connections to an interface .......................................... 112
Configuring the external interface with a static IP address ......................................... 112
Configuring the external interface for DHCP............................................................... 112
Configuring the external interface for PPPoE ............................................................. 113
Changing the external interface MTU size to improve network performance ............. 113
Configuring the management interface (Transparent mode) ...................................... 114
Adding DNS server IP addresses ................................................................................... 115
Configuring routing.......................................................................................................... 115
Adding a default route................................................................................................. 116
Adding destination-based routes to the routing table.................................................. 116
Adding routes in Transparent mode............................................................................ 117
Configuring the routing table....................................................................................... 118
Policy routing .............................................................................................................. 118
Providing DHCP services to your internal network ......................................................... 119
RIP configuration ............................................................................................... 121
RIP settings..................................................................................................................... 122
Configuring RIP for FortiGate interfaces......................................................................... 124
Adding RIP neighbors..................................................................................................... 125
Adding RIP filters ............................................................................................................ 126
Adding a single RIP filter............................................................................................. 126
Adding a RIP filter list.................................................................................................. 127
Adding a neighbors filter ............................................................................................. 128
Adding a routes filter ................................................................................................... 128
System configuration ........................................................................................ 129
Setting system date and time.......................................................................................... 129
Changing web-based manager options .......................................................................... 130
Adding and editing administrator accounts..................................................................... 132
Adding new administrator accounts ............................................................................ 132
Editing administrator accounts.................................................................................... 133
Configuring SNMP .......................................................................................................... 134
Configuring the FortiGate unit for SNMP monitoring .................................................. 134
Configuring FortiGate SNMP support ......................................................................... 134
FortiGate MIBs............................................................................................................ 135
FortiGate traps ............................................................................................................ 136
Customizing replacement messages.............................................................................. 136
Customizing replacement messages .......................................................................... 137
Customizing alert emails............................................................................................. 138
Firewall configuration........................................................................................ 141
Default firewall configuration........................................................................................... 142
Addresses ................................................................................................................... 142
Services ...................................................................................................................... 143
Schedules ................................................................................................................... 143
Content profiles........................................................................................................... 143
Adding firewall policies.................................................................................................... 144
Firewall policy options................................................................................................. 145
Configuring policy lists .................................................................................................... 149
Policy matching in detail ............................................................................................. 149
Changing the order of policies in a policy list.............................................................. 149
Enabling and disabling policies................................................................................... 150
Addresses ....................................................................................................................... 150
Adding addresses ....................................................................................................... 151
Editing addresses ....................................................................................................... 152
Deleting addresses ..................................................................................................... 152
Organizing addresses into address groups ................................................................ 152
Services .......................................................................................................................... 153
Predefined services .................................................................................................... 153
Providing access to custom services .......................................................................... 156
Grouping services ....................................................................................................... 156
Schedules ....................................................................................................................... 157
Creating one-time schedules ...................................................................................... 158
Creating recurring schedules ...................................................................................... 158
Adding a schedule to a policy ..................................................................................... 159
Virtual IPs........................................................................................................................ 160
Adding static NAT virtual IPs ...................................................................................... 160
Adding port forwarding virtual IPs ............................................................................... 161
Adding policies with virtual IPs.................................................................................... 163
IP pools........................................................................................................................... 164
Adding an IP pool........................................................................................................ 164
IP Pools for firewall policies that use fixed ports ......................................................... 165
IP pools and dynamic NAT ......................................................................................... 165
IP/MAC binding ............................................................................................................... 166
Configuring IP/MAC binding for packets going through the firewall ............................ 166
Configuring IP/MAC binding for packets going to the firewall ..................................... 167
Adding IP/MAC addresses.......................................................................................... 167
Viewing the dynamic IP/MAC list ................................................................................ 168
Enabling IP/MAC binding ............................................................................................ 168
Content profiles............................................................................................................... 169
Default content profiles ............................................................................................... 170
Adding a content profile .............................................................................................. 170
Adding a content profile to a policy ............................................................................. 171
Users and authentication .................................................................................. 173
Setting authentication timeout......................................................................................... 174
Adding user names and configuring authentication ........................................................ 174
Adding user names and configuring authentication .................................................... 174
Deleting user names from the internal database ........................................................ 175
Configuring RADIUS support .......................................................................................... 176
Adding RADIUS servers ............................................................................................. 176
Deleting RADIUS servers ........................................................................................... 176
Configuring LDAP support .............................................................................................. 177
Adding LDAP servers.................................................................................................. 177
Deleting LDAP servers................................................................................................ 178
Configuring user groups.................................................................................................. 179
Adding user groups..................................................................................................... 179
Deleting user groups................................................................................................... 180
IPSec VPN........................................................................................................... 181
Key management............................................................................................................ 182
Manual Keys ............................................................................................................... 182
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 182
Manual key IPSec VPNs................................................................................................. 183
General configuration steps for a manual key VPN .................................................... 183
Adding a manual key VPN tunnel ............................................................................... 183
AutoIKE IPSec VPNs ...................................................................................................... 185
General configuration steps for an AutoIKE VPN ....................................................... 185
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 185
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 189
Managing digital certificates............................................................................................ 191
Obtaining a signed local certificate ............................................................................. 191
Obtaining a CA certificate ........................................................................................... 195
Configuring encrypt policies............................................................................................ 196
Adding a source address ............................................................................................ 197
Adding a destination address...................................................................................... 197
Adding an encrypt policy............................................................................................. 197
IPSec VPN concentrators ............................................................................................... 199
VPN concentrator (hub) general configuration steps .................................................. 199
Adding a VPN concentrator ........................................................................................ 201
VPN spoke general configuration steps...................................................................... 202
Redundant IPSec VPNs.................................................................................................. 203
Configuring redundant IPSec VPN ............................................................................. 203
Monitoring and Troubleshooting VPNs ........................................................................... 205
Viewing VPN tunnel status.......................................................................................... 205
Viewing dialup VPN connection status ....................................................................... 205
Testing a VPN............................................................................................................. 206
PPTP and L2TP VPN .......................................................................................... 207
Configuring PPTP ........................................................................................................... 207
Configuring the FortiGate unit as a PPTP gateway .................................................... 208
Configuring a Windows 98 client for PPTP ................................................................. 210
Configuring a Windows 2000 client for PPTP ............................................................. 211
Configuring a Windows XP client for PPTP ................................................................ 212
Configuring L2TP............................................................................................................ 213
Configuring the FortiGate unit as a L2TP gateway ..................................................... 214
Configuring a Windows 2000 client for L2TP.............................................................. 217
Configuring a Windows XP client for L2TP ................................................................. 218
Network Intrusion Detection System (NIDS) ................................................... 221
Detecting attacks ............................................................................................................ 221
Selecting the interfaces to monitor.............................................................................. 222
Disabling the NIDS...................................................................................................... 222
Configuring checksum verification .............................................................................. 222
Viewing the signature list ............................................................................................ 223
Viewing attack descriptions......................................................................................... 223
Enabling and disabling NIDS attack signatures .......................................................... 224
Adding user-defined signatures .................................................................................. 224
Preventing attacks .......................................................................................................... 225
Enabling NIDS attack prevention ................................................................................ 225
Enabling NIDS attack prevention signatures .............................................................. 226
Setting signature threshold values.............................................................................. 226
Configuring synflood signature values ........................................................................ 228
Logging attacks............................................................................................................... 228
Logging attack messages to the attack log................................................................. 228
Reducing the number of NIDS attack log and email messages.................................. 229
Antivirus protection........................................................................................... 231
General configuration steps............................................................................................ 231
Antivirus scanning........................................................................................................... 232
File blocking.................................................................................................................... 233
Blocking files in firewall traffic ..................................................................................... 233
Adding file patterns to block........................................................................................ 233
Blocking oversized files and emails ................................................................................ 234
Configuring limits for oversized files and email........................................................... 234
Exempting fragmented email from blocking.................................................................... 234
Viewing the virus list ....................................................................................................... 234
Web filtering ....................................................................................................... 235
General configuration steps............................................................................................ 235
Content blocking ............................................................................................................. 236
Adding words and phrases to the banned word list .................................................... 236
URL blocking................................................................................................................... 237
Using the FortiGate web filter ..................................................................................... 237
Using the Cerberian web filter..................................................................................... 240
Script filtering .................................................................................................................. 242
Enabling the script filter............................................................................................... 242
Selecting script filter options ....................................................................................... 242
Exempt URL list .............................................................................................................. 243
Adding URLs to the exempt URL list .......................................................................... 243
Email filter........................................................................................................... 245
General configuration steps............................................................................................ 245
Email banned word list.................................................................................................... 246
Adding words and phrases to the banned word list .................................................... 246
Email block list ................................................................................................................ 247
Adding address patterns to the email block list........................................................... 247
Email exempt list............................................................................................................. 247
Adding address patterns to the email exempt list ....................................................... 248
Adding a subject tag ....................................................................................................... 248
Logging and reporting....................................................................................... 249
Recording logs................................................................................................................ 249
Recording logs on a remote computer ........................................................................ 250
Recording logs on a NetIQ WebTrends server ........................................................... 250
Recording logs in system memory.............................................................................. 251
Filtering log messages .................................................................................................... 251
Configuring traffic logging ............................................................................................... 253
Enabling traffic logging................................................................................................ 253
Configuring traffic filter settings................................................................................... 254
Adding traffic filter entries ........................................................................................... 254
Viewing logs saved to memory ....................................................................................... 255
Viewing logs................................................................................................................ 255
Searching logs ............................................................................................................ 256
Configuring alert email .................................................................................................... 256
Adding alert email addresses...................................................................................... 256
Testing alert email....................................................................................................... 257
Enabling alert email .................................................................................................... 257
Glossary ............................................................................................................. 259
Index .................................................................................................................... 263

Introduction

The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.
The FortiGate-100 model is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office, and branch office applications. The FortiGate installation wizard guides users through a simple process that enables most installations to be up and running in minutes.

Antivirus protection

FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.
For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use this feature to stop files that may contain new viruses.
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period.
The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in e-mail that has been encoded using uuencode format,
detect viruses in e-mail that has been encoded using MIME encoding,
log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can be configured to scan all HTTP protocol streams for URLs or for web page content. If a requested URL matches an entry on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can be configured to block insecure web content such as Java Applets, Cookies, and ActiveX.
You can also use the Cerberian URL blocking to block unwanted URLs.

Email filtering

FortiGate email filtering can be configured to scan all IMAP and POP3 email content for unwanted senders or for unwanted content. If a sender address matches a pattern on the email block list, or if an email is found to contain a word or phrase in the banned word list, the FortiGate unit adds an email tag to the subject line of the email. Receivers can then use their mail client software to filter messages based on the email tag.
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen for and secure corporate networks against a wide range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network address translation (NAT) mode and Route mode policies,
include Mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity. NIDS detection uses attack signatures to identify over 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined attack detection signatures.
NIDS prevention detects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate unit to automatically check for and download attack definition updates.

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
FortiGate VPN features include the following:
Industry standard and ICSA-certified IPSec VPN including:
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key tunnels based on pre-shared keys,
IPSec VPN using local or CA certificates,
Manual key tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection.
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGate unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

Secure installation, configuration, and management

Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web-based manager to customize advanced FortiGate features to meet your needs.
You can also create a basic configuration using the FortiGate command line interface (CLI).

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
You can use the web-based manager for most FortiGate configuration settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time.
Figure 1: The FortiGate web-based manager and setup wizard

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.

Logging and reporting

The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the NIDS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.

What’s new in Version 2.50

This section presents a brief summary of some of the new features in FortiOS v2.50:

System administration

Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See “System status” on page 86.
Revised antivirus and attack definition update functionality that connects to a new version of the FortiResponse Distribution network. Updates can now be scheduled hourly and the System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions” on page 91.
Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units” on page 101.
Network configuration
New interface configuration options. See “Configuring interfaces” on page 109.
Ping server and dead gateway detection for all interfaces.
HTTP and Telnet administrative access to any interface.
Secondary IP addresses for all FortiGate interfaces.
Routing
Simplified direction-based routing configuration.
Advanced policy routing (CLI only).
DHCP server
Addition of a WINS server to DHCP configuration.
Reserve IP/MAC pair combinations for DHCP servers (CLI only).
RIP
New RIP v1 and v2 functionality. See “RIP configuration” on page 121.
SNMP
SNMP v1 and v2 support.
Support for RFC 1213 and RFC 2665.
Monitoring of all FortiGate configuration and functionality.
See “Configuring SNMP” on page 134.
Replacement messages
You can customize messages sent by the FortiGate unit:
When a virus is detected,
When a file is blocked,
When a fragmented email is blocked,
When an alert email is sent.
See “Customizing replacement messages” on page 136.

Firewall

The firewall default configuration has changed. See “Default firewall configuration” on page 142.
Add virtual IPs to all interfaces. See “Virtual IPs” on page 160.
Add content profiles to firewall policies to configure blocking, scanning, quarantine, web content blocking, and email filtering. See “Content profiles” on page 169.

Users and authentication

LDAP authentication. See “Configuring LDAP support” on page 177.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN functionality. New features include:
• Phase 1
AES encryption
Certificates
Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
• Phase 2
AES encryption
Encryption policies select service
Generate and import local certificates
Import CA certificates

NIDS

See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:
Attack detection signature groups
User-configurable attack prevention
Monitor multiple interfaces for attacks
User-defined attack detection signatures

Antivirus

See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include:
Content profiles
Blocking oversized files

Web Filter

See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality. New features include:
Cerberian URL Filtering

Email filter

See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality.

Logging and Reporting

See the FortiGate Logging and Message Reference Guide for a complete description of FortiGate logging.
Log to remote host CSV format
Log message levels: Emergency, Alert, Critical, Error, Warning, Notification, Information
Log level policies
Traffic log filter
New antivirus, web filter, and email filter logs
Alert email supports authentication
Suppress email flooding
Extended WebTrends support for graphing activity

About this document

This installation and configuration guide describes how to install and configure the FortiGate-100. This document contains the following information:
Getting started describes unpacking, mounting, and powering on the FortiGate.
NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.
System status describes how to view the current status of your FortiGate unit and related status procedures including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.
Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support web site and for registering your FortiGate unit.
Network configuration describes configuring interfaces, configuring routing, and configuring the FortiGate as a DHCP server for your internal network.
RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings.
System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changing administrative users, configuring SNMP, and editing replacement messages.
Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic.
Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users.
IPSec VPN describes how to configure FortiGate IPSec VPN.
PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a Windows client.
Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks.
Antivirus protection describes how to use the FortiGate to protect your network from viruses and worms.
Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate.
Email filter describes how to configure email filtering to screen unwanted email content.
Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate.
The Glossary defines many of the terms used in this document.

Document conventions

This guide uses the following conventions to describe CLI command syntax.
angle brackets < > to indicate variable keywords
For example:
execute restore config <filename_str>
You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.
vertical bar and curly brackets { | } to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent
square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
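As an added illustration that is not part of this guide or of FortiOS, the following Python checker tests whether a typed command is a valid instance of a syntax template written in the notation above (variable keywords, { | } alternatives and [ ] optional keywords). The three templates from this section are used as they appear; the <ip_ip> and <minutes_integer> templates in the demo are constructed to exercise the integer and IP address variable kinds.

```python
import ipaddress
import re
from typing import List, Optional

# One regular expression picks out the three bracketed syntax elements used in
# this guide's CLI notation, plus plain literal keywords:
#   <xxx_str> / <xxx_integer> / <xxx_ip>   variable keywords
#   {a | b}                                mutually exclusive required keywords
#   [keyword]                              optional keyword
_TOKEN_RE = re.compile(r"<[^>]+>|\{[^}]+\}|\[[^\]]+\]|\S+")


def tokenize_template(template: str) -> List[str]:
    """Split a syntax template into literal words and bracketed elements."""
    return _TOKEN_RE.findall(template)


def _variable_ok(var: str, word: str) -> bool:
    """Check a typed word against a <xxx_str>, <xxx_integer> or <xxx_ip> variable.

    The kind is the suffix after the last underscore, e.g. <filename_str> -> str.
    """
    kind = var[1:-1].rsplit("_", 1)[-1]
    if kind == "integer":
        return word.lstrip("-").isdigit()
    if kind == "ip":
        try:
            ipaddress.IPv4Address(word)
            return True
        except ValueError:
            return False
    # <xxx_str>: the guide says "ASCII string", so reject non-ASCII input
    return word.isascii() and word.isprintable()


def match_command(template: str, command: str) -> Optional[str]:
    """Return None when `command` is a valid instance of `template`,
    otherwise a short message describing the first mismatch found."""
    tokens = tokenize_template(template)
    words = command.split()
    i = 0  # index of the next unconsumed word of the typed command
    for tok in tokens:
        if tok.startswith("<"):
            if i >= len(words):
                return f"missing value for {tok}"
            if not _variable_ok(tok, words[i]):
                return f"{words[i]!r} is not a valid {tok}"
            i += 1
        elif tok.startswith("{"):
            choices = [c.strip() for c in tok[1:-1].split("|")]
            if i >= len(words):
                return f"missing required keyword, one of {choices}"
            if words[i] not in choices:
                return f"{words[i]!r} is not one of {choices}"
            i += 1
        elif tok.startswith("["):
            # optional keyword: consume it only when it is actually present
            if i < len(words) and words[i] == tok[1:-1]:
                i += 1
        else:
            if i >= len(words) or words[i] != tok:
                return f"expected keyword {tok!r}"
            i += 1
    if i != len(words):
        return f"unexpected trailing input {' '.join(words[i:])!r}"
    return None


if __name__ == "__main__":
    # Templates and commands from the "Document conventions" section, plus
    # two constructed templates (not FortiOS commands) for the other variable kinds.
    demo = [
        ("execute restore config <filename_str>", "execute restore config myfile.bak"),
        ("set system opmode {nat | transparent}", "set system opmode nat"),
        ("set system opmode {nat | transparent}", "set system opmode route"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding dhcpipmac"),
        ("set dns primary <ip_ip>", "set dns primary 300.1.1.1"),          # constructed
        ("set system timeout <minutes_integer>", "set system timeout 15"),  # constructed
    ]
    for template, command in demo:
        result = match_command(template, command)
        print(f"{command!r:50} -> {'ok' if result is None else result}")
```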

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
Your name
Company name
Location
Email address
Telephone number
FortiGate unit serial number
FortiGate model
FortiGate FortiOS firmware version
Detailed description of the problem

Getting started

This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 43.
If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 57.
This chapter describes:
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Planning your FortiGate configuration
FortiGate model maximum values matrix
Next steps

Package contents

The FortiGate-100 package contains the following items:
FortiGate-100 Antivirus Firewall
one orange crossover ethernet cable
one gray regular ethernet cable
one null modem cable
FortiGate-100 Quick Start Guide
CD containing the FortiGate user documentation
one power cable and AC adapter
Figure 2: FortiGate-100 package contents
[Figure: front and back views of the FortiGate-100 showing the Power and Status LEDs, the Internal, External and DMZ interfaces, the RS-232 Console serial connection and the DC +12V 5A power connection; the orange crossover and grey straight-through ethernet cables; the RS-232 null-modem cable; the power cable and power supply; the documentation CD and the QuickStart Guide]

Mounting

The FortiGate-100 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Dimensions

10.25 x 6.13 x 1.75 in. (26 x 15.6 x 4.5 cm)

Weight

1.75 lb. (0.8 kg)

Power requirements

DC input voltage: 12 V
DC input current: 5 A

Environmental specifications

Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing

Powering on

To power on the FortiGate-100 unit:
1 Connect the AC adapter to the power connection at the back of the FortiGate-100 unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
The FortiGate-100 unit starts up. The Power and Status lights light. The Status light flashes while the FortiGate-100 unit is starting up and remains lit when the system is up and running.
Table 1: FortiGate-100 LED indicators
Power LED
Green: The FortiGate unit is powered on.
Off: The FortiGate unit is powered off.
Status LED
Flashing green: The FortiGate unit is starting up.
Green: The FortiGate unit is running normally.
Off: The FortiGate unit is powered off.
Internal, External, DMZ (front)
Green: The correct cable is in use, and the connected equipment has power.
Flashing green: Network activity at this interface.
Off: No link established.
Internal, External, DMZ interfaces (back)
Green: The correct cable is in use, and the connected equipment has power.
Flashing amber: Network activity at this interface.
Off: No link established.

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service.
To connect to the web-based manager, you need:
a computer with an ethernet connection,
Internet Explorer version 4.0 or higher,
a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
2 Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the FortiGate unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://). The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 3: FortiGate login

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service.
To connect to the FortiGate CLI, you need:
a computer with an available communications port,
the null modem cable included in your FortiGate package,
terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI:
1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
2 Make sure that the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
6 Press Enter to connect to the FortiGate CLI.
The following prompt appears:
FortiGate-100 login:
7 Type admin and press Enter twice.
The following prompt appears:
Type ? for a list of commands.
For information on how to use the CLI, see the FortiGate CLI Reference Guide.

Factory default FortiGate configuration settings

The FortiGate unit is shipped with a factory default configuration. This default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto your network. To configure the FortiGate unit onto your network, you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing if required.
If you are planning on operating the FortiGate unit in Transparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to quickly apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic controlled by firewall policies.
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles

Factory default NAT/Route mode network configuration

When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 2. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network. In Table 2, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 2: Factory default NAT/Route mode network configuration
Administrator account: User name: admin; Password: (none)
Internal interface: IP: 192.168.1.99; Netmask: 255.255.255.0; Management Access: HTTPS, Ping
External interface (Manual): IP: 192.168.100.99; Netmask: 255.255.255.0; Default Gateway: 192.168.100.1; Primary DNS Server: 207.194.200.1; Secondary DNS Server: 207.194.200.129; Management Access: Ping
DMZ interface: IP: 10.10.10.1; Netmask: 255.255.255.0; Management Access: HTTPS, Ping

Factory default Transparent mode network configuration

If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3.
Table 3: Factory default Transparent mode network configuration
Administrator account: User name: admin; Password: (none)
Management IP: IP: 10.10.10.1; Netmask: 255.255.255.0
DNS: Primary DNS Server: 207.194.200.1; Secondary DNS Server: 207.194.200.129
Management access: Internal: HTTPS, Ping; External: Ping; DMZ: HTTPS, Ping

Factory default firewall configuration

The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Table 4: Factory default firewall configuration
Internal Address: Internal_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the internal network.
External Address: External_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the external network.
DMZ Address: DMZ_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the DMZ network.
Recurring Schedule: Always. The schedule is valid at all times. This means that the firewall policy is valid at all times.
Firewall Policy: Int->Ext. Firewall policy for connections from the internal network to the external network.
Source: Internal_All. The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
Destination: External_All. The policy destination address. External_All means that the policy accepts connections with a destination address to any IP address on the external network.
Schedule: Always. The policy schedule. Always means that the policy is valid at any time.
Service: ANY. The policy service. ANY means that this policy processes connections for all services.
Action: ACCEPT. The policy action. ACCEPT means that the policy allows connections.
NAT: selected. NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
Traffic Shaping: not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
Authentication: not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
Antivirus & Web Filter: not selected. This policy does not include a content profile that applies antivirus protection, web content filtering, or email filtering to content traffic processed by this policy. You can select this option and select a content profile to apply different levels of content protection to traffic processed by this policy.
Log Traffic: not selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
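The following Python, added here as an example (it is not Fortinet code), models the factory defaults of Tables 2 and 4 as plain data and audits them against a simple hardening baseline before the unit goes on a live network. The baseline rules, the finding severities and the use of the Scan content profile of Table 6 are this example's own choices.

```python
"""Audit the FortiGate-100 factory defaults of Tables 2 and 4 against a hardening baseline.

Added example, not Fortinet code. The configuration data below is constructed from
the tables in this chapter; the baseline rules are this example's own choices.
"""
import copy
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: str
    netmask: str
    mgmt_access: FrozenSet[str]        # protocols the interface answers for management

@dataclass
class Policy:
    name: str
    source: str
    destination: str
    schedule: str
    service: str
    action: str
    nat: bool
    log_traffic: bool
    content_profile: Optional[str]     # None means "Antivirus & Web Filter" not selected

@dataclass
class FortiGateConfig:
    admin_user: str
    admin_password: str
    interfaces: List[Interface]
    policies: List[Policy]


# Constructed from Table 2 (NAT/Route mode network defaults) and Table 4 (firewall defaults).
FACTORY_DEFAULT = FortiGateConfig(
    admin_user="admin",
    admin_password="",                 # Table 2: Password: (none)
    interfaces=[
        Interface("internal", "192.168.1.99", "255.255.255.0", frozenset({"HTTPS", "Ping"})),
        Interface("external", "192.168.100.99", "255.255.255.0", frozenset({"Ping"})),
        Interface("dmz", "10.10.10.1", "255.255.255.0", frozenset({"HTTPS", "Ping"})),
    ],
    policies=[
        Policy("Int->Ext", "Internal_All", "External_All", "Always", "ANY", "ACCEPT",
               nat=True, log_traffic=False, content_profile=None),
    ],
)

SCAN_PROFILE = "Scan"   # Table 6: antivirus scanning on HTTP, FTP, IMAP, POP3 and SMTP


def audit(cfg: FortiGateConfig) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means the baseline is met."""
    findings = []
    if not cfg.admin_password:
        findings.append(("high", f"administrator '{cfg.admin_user}' has no password"))
    for itf in cfg.interfaces:
        if itf.name == "external" and itf.mgmt_access:
            findings.append(("high", "external interface answers management access: "
                             + ", ".join(sorted(itf.mgmt_access))))
    for pol in cfg.policies:
        if pol.action != "ACCEPT":
            continue
        if pol.service == "ANY":
            findings.append(("medium", f"policy {pol.name} accepts service ANY"))
        if not pol.log_traffic:
            findings.append(("low", f"policy {pol.name} does not log traffic"))
        if pol.content_profile is None:
            findings.append(("low", f"policy {pol.name} has no content profile"))
    return findings


def harden(cfg: FortiGateConfig, new_password: str) -> FortiGateConfig:
    """Return a hardened copy: password set, no management access on the external
    interface, logging and the Scan content profile on every ACCEPT policy.
    The service ANY finding is left for the administrator to decide per policy."""
    out = copy.deepcopy(cfg)
    out.admin_password = new_password
    for itf in out.interfaces:
        if itf.name == "external":
            itf.mgmt_access = frozenset()
    for pol in out.policies:
        if pol.action == "ACCEPT":
            pol.log_traffic = True
            if pol.content_profile is None:
                pol.content_profile = SCAN_PROFILE
    return out
```

Running `audit(FACTORY_DEFAULT)` lists the five defaults that differ from the baseline; `audit(harden(FACTORY_DEFAULT, password))` leaves only the service ANY finding.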

Factory default content profiles

You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for:
Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
Web content filtering for HTTP network traffic
Email filtering for IMAP and POP3 network traffic
Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies. This allows you to customize different types and different levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Table 5: Strict content profile
Antivirus Scan: HTTP, FTP, IMAP, POP3, SMTP
File Block: HTTP, FTP, IMAP, POP3, SMTP
Web URL Block: HTTP
Web Content Block: HTTP
Web Script Filter: HTTP
Web Exempt List: HTTP
Email Block List: IMAP, POP3
Email Exempt List: IMAP, POP3
Email Content Block: IMAP, POP3
Oversized File/Email Block: block (HTTP, FTP, IMAP, POP3, SMTP)
Pass Fragmented Emails: not selected
Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Table 6: Scan content profile
Antivirus Scan: HTTP, FTP, IMAP, POP3, SMTP
File Block: not selected
Web URL Block: not selected
Web Content Block: not selected
Web Script Filter: not selected
Web Exempt List: not selected
Email Block List: not selected
Email Exempt List: not selected
Email Content Block: not selected
Oversized File/Email Block: pass (HTTP, FTP, IMAP, POP3, SMTP)
Pass Fragmented Emails: not selected
Web content profile
Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 7: Web content profile
Antivirus Scan: HTTP
File Block: not selected
Web URL Block: HTTP
Web Content Block: HTTP
Web Script Filter: not selected
Web Exempt List: not selected
Email Block List: not selected
Email Exempt List: not selected
Email Content Block: not selected
Oversized File/Email Block: pass (HTTP, FTP, IMAP, POP3, SMTP)
Pass Fragmented Emails: not selected
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 8: Unfiltered content profile
Antivirus Scan: not selected
File Block: not selected
Web URL Block: not selected
Web Content Block: not selected
Web Script Filter: not selected
Web Exempt List: HTTP
Email Block List: not selected
Email Exempt List: IMAP, POP3
Email Content Block: not selected
Oversized File/Email Block: pass (HTTP, FTP, IMAP, POP3, SMTP)
Pass Fragmented Emails: IMAP, POP3, SMTP

Planning your FortiGate configuration

Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces.
Your configuration plan is dependent upon the operating mode that you select. The FortiGate unit can be configured in either of two modes: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
External is the interface to the external network (usually the Internet).
Internal is the interface to the internal network.
DMZ is the interface to the DMZ network.
You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode. Security policies control the flow of traffic based on each packet’s source address, destination address and service. In NAT mode, the FortiGate performs network address translation before the packet is sent to the destination network. In route mode, no translation takes place.
By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured more security policies.
You would typically use NAT/Route mode when the FortiGate unit is used as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.
Figure 4: Example NAT/Route mode network configuration

NAT/Route mode with multiple external network connections

In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration:
External is the default interface to the external network (usually the Internet).
DMZ is the redundant interface to the external network.
Internal is the interface to the internal network.
You must configure routing to support redundant internet connections. Routing can be used to automatically re-direct connections from an interface if its connection to the external network fails.
Otherwise, security policy configuration is similar to a NAT/Route mode configuration with a single Internet connection. You would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet). If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.
Figure 5: Example NAT/Route multiple internet connection configuration

Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of the FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewalling as well as antivirus and content scanning but not VPN.
Figure 6: Example Transparent mode network configuration
You can connect up to three network segments to the FortiGate unit to control traffic between these network segments.
External can connect to the external firewall or router.
Internal can connect to the internal network.
DMZ can connect to another network segment.

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit.
You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Setup Wizard
If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the Setup Wizard prompts you to add the administration password and the internal interface address. The Setup Wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the external interface. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also configure the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.
If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the Setup Wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. You can also use the CLI to configure the external interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also configure the FortiGate DHCP server to supply IP addresses for the computers on your internal network.
If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.

FortiGate model maximum values matrix

Table 9: FortiGate maximum values matrix
FortiGate model
50 60 100 200 300 400 500 1000 2000 3000 3600
Policy 200 500 1000 2000 5000 5000 20000 50000 50000 50000 50000
Address 500 500 500 500 3000 3000 6000 10000 10000 10000 10000
Address group 500 500 500 500 500 500 500 500 500 500 500
Service 500 500 500 500 500 500 500 500 500 500 500
Service group 500 500 500 500 500 500 500 500 500 500 500
Recurring schedule 256 256 256 256 256 256 256 256 256 256 256
Onetime schedule 256 256 256 256 256 256 256 256 256 256 256
User 20 500 1000 1000 1000 1000 1000 1000 1000 1000 1000
User group 100 100 100 100 100 100 100 100 100 100 100
Group members 300 300 300 300 300 300 300 300 300 300 300
Virtual IPs 500 500 500 500 500 500 500 500 500 500 500
IP/MAC binding 50 100 1000 1000 2000 2000 2000 5000 5000 5000 5000
Route 500 500 500 500 500 500 500 500 500 500 500
Policy route gateway 500 500 500 500 500 500 500 500 500 500 500
Admin user 500 500 500 500 500 500 500 500 500 500 500
IPsec Phase 1 20 50 80 200 1500 1500 3000 5000 5000 5000 5000
VPN concentrator 500 500 500 500 500 500 500 500 500 500 500
VLAN subinterface N/A N/A N/A N/A N/A 1024* 1024* 2048* 2048* 8192* 8192*
Zone N/A N/A N/A N/A N/A 100 100 200 200 300 500
IP pool 50 50 50 50 50 50 50 50 50 50 50
RADIUS server 6 6 6 6 6 6 6 6 6 6 6
File pattern 56 56 56 56 56 56 56 56 56 56 56
PPTP user 500 500 500 500 500 500 500 500 500 500 500
L2TP user 500 500 500 500 500 500 500 500 500 500 500
URL block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Content block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Exempt URL no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit

Next steps

Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks:
If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 43.
If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 57.

NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on page 57.
This chapter describes:
Preparing to configure NAT/Route mode
Using the setup wizard
Using the command line interface
Connecting the FortiGate unit to your networks
Configuring your networks
Completing the configuration
Configuration example: Multiple connections to the Internet

Preparing to configure NAT/Route mode

Use Table 10 to gather the information that you need to customize NAT/Route mode settings.
Table 10: NAT/Route mode settings
Administrator password: __________
Internal interface: IP: _____._____._____._____ Netmask: _____._____._____._____
External interface: IP: _____._____._____._____ Netmask: _____._____._____._____ Default Gateway: _____._____._____._____ Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____
Internal servers: Web Server: _____._____._____._____ SMTP Server: _____._____._____._____ POP3 Server: _____._____._____._____ IMAP Server: _____._____._____._____ FTP Server: _____._____._____._____
If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.

Advanced NAT/Route mode settings

Use Table 11 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Table 11: Advanced FortiGate NAT/Route mode settings
External interface
DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
PPPoE: If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password. User name: __________ Password: __________
DHCP server: The FortiGate unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network. Starting IP: _____._____._____._____ Ending IP: _____._____._____._____ Netmask: _____._____._____._____ Default Route: _____._____._____._____ DNS IP: _____._____._____._____

DMZ interface

Use Table 12 to record the IP address and netmask of the FortiGate DMZ interface if you are configuring it during installation.
Table 12: DMZ interface (Optional)
DMZ IP: _____._____._____._____ Netmask: _____._____._____._____

Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 30.

Starting the setup wizard

1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 10 on page 43 to fill in the wizard fields.
Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network the FortiGate unit adds an Ext->Int policy. For each server located on your DMZ network, the FortiGate unit adds an Ext->DMZ policy.

Reconnecting to the web-based manager

If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using a new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your FortiGate unit, and you can proceed to “Connecting the FortiGate unit to your networks” on page 47.

Using the command line interface

As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 31.

Configuring the FortiGate unit to operate in NAT/Route mode

Use the information that you gathered in Table 10 on page 43 to complete the following procedures.
Configuring NAT/Route mode IP addresses
1 Log into the CLI if you are not already logged in.
2 Set the IP address and netmask of the internal interface to the internal IP address and
netmask that you recorded in Table 10 on page 43. Enter:
set system interface internal mode static ip <IP address> <netmask>
Example
set system interface internal mode static ip 192.168.1.1
255.255.255.0
3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 10 on page 43. To set the manual IP address and netmask, enter:
set system interface external mode static ip <IP address> <netmask>
Example
set system interface external mode static ip 204.23.1.5 255.255.255.0
To set the external interface to use DHCP, enter:
set system interface external mode dhcp connection enable
To set the external interface to use PPPoE, enter:
set system interface external mode pppoe username <user name> password <password> connection enable
Example
set system interface external mode pppoe username user@domain.com password mypass connection enable
4 Optionally set the IP address and netmask of the DMZ interface to the DMZ IP address and netmask that you recorded in Table 12 on page 44. Enter:
set system interface dmz mode static ip <IP address> <netmask>
Example
set system interface dmz mode static ip 10.10.10.2 255.255.255.0
5 Confirm that the addresses are correct. Enter:
get system interface
The CLI lists the IP address, netmask and other settings for each of the FortiGate interfaces.
6 Set the primary DNS server IP address. Enter:
set system dns primary <IP address>
Example (placeholder address)
set system dns primary 192.0.2.21
7 Optionally, set the secondary DNS server IP address. Enter:
set system dns secondary <IP address>
Example (placeholder address)
set system dns secondary 192.0.2.22
8 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). Enter:
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2

Connecting the FortiGate unit to your networks

When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
There are three 10/100Base-TX connectors on the FortiGate-100:
Internal for connecting to your internal network
External for connecting to the Internet
DMZ for connecting to a DMZ network
Note: You can also connect both the external and DMZ interfaces to different Internet connections to provide a redundant connection to the Internet. See “Configuration example:
Multiple connections to the Internet” on page 49.
To connect the FortiGate unit:
1 Connect the Internal interface to the hub or switch connected to your internal network.
2 Connect the External interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the DMZ interface to your DMZ network.
You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.
Figure 7: FortiGate-100 NAT/Route mode connections

Configuring your networks

If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface. For your DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the FortiGate DMZ interface. For your external network, route all packets to the FortiGate external interface.
If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.

Completing the configuration

Use the information in this section to complete the initial configuration of the FortiGate unit.

Configuring the DMZ interface

If you are planning to configure a DMZ network, you might want to change the IP address of the DMZ interface. Use the following procedure to configure the DMZ interface using the web-based manager.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the dmz interface, select Modify .
4 Change the IP address and Netmask as required.
5 Select Apply.

Setting the date and time

For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiGate system date and time, see “Setting system date and time” on
page 129.

Enabling antivirus protection

To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1 Go to Firewall > Policy > Int->Ext.
2 Select Edit to edit this policy.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save your changes.

Registering your FortiGate

After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate units” on
page 101.

Configuring virus and attack definition updates

You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack
definitions” on page 91.

Configuration example: Multiple connections to the Internet

This section describes some basic routing and firewall policy configuration examples for a FortiGate unit with multiple connections to the Internet (see Figure 8). In this topology, the organization operating the FortiGate unit uses two Internet service providers to connect to the Internet. The FortiGate unit is connected to the Internet using the external and DMZ interfaces. The external interface connects to gateway 1, operated by ISP1 and the DMZ interface connects to gateway 2, operated by ISP2.
By adding ping servers to interfaces and by configuring routing, you can control how traffic uses each Internet connection. With this routing configuration in place, you can proceed to create firewall policies to support multiple Internet connections.
This section provides some examples of routing and firewall configurations to configure the FortiGate unit for multiple internet connections. To use the information in this section you should be familiar with FortiGate routing (see “Configuring routing” on
page 115) and FortiGate firewall configuration (see “Firewall configuration” on page 141).
The examples below show how to configure destination-based routing and policy routing to control different traffic patterns.
Configuring Ping servers
Destination based routing examples
Policy routing examples
Firewall policy example
Figure 8: Example multiple Internet connection configuration

Configuring Ping servers

Use the following procedure to make Gateway 1 the ping server for the external interface and Gateway 2 the ping server for the DMZ interface.
1 Go to System > Network > Interface.
2 For the external interface, select Modify.
Ping Server: 1.1.1.1
Select Enable Ping Server.
Select OK.
3 For the DMZ interface, select Modify.
Ping Server: 2.2.2.1
Select Enable Ping Server.
Select OK.
Using the CLI
1 Add a ping server to the external interface.
set system interface external config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to the DMZ interface.
set system interface dmz config detectserver 2.2.2.1 gwdetect enable

Destination based routing examples

This section describes the following destination-based routing examples:
Primary and backup links to the Internet
Load sharing
Load sharing and primary and secondary connections
Primary and backup links to the Internet
Use the following procedure to add a default destination-based route that directs all outgoing traffic to Gateway 1. If Gateway 1 fails, all connections are re-directed to Gateway 2. Gateway 1 is the primary link to the Internet and Gateway 2 is the backup link.
1 Go to System > Network > Routing Table.
2 Select New.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: external
Device #2: dmz
Select OK.
Using the CLI
1 Add the route to the routing table.
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz
Table 13: Route for primary and backup links
Destination IP   Mask      Gateway #1   Device #1   Gateway #2   Device #2
0.0.0.0          0.0.0.0   1.1.1.1      external    2.2.2.1      dmz
Load sharing
You can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.
Table 14: Load sharing routes
Destination IP   Mask            Gateway #1   Device #1   Gateway #2   Device #2
100.100.100.0    255.255.255.0   1.1.1.1      external    2.2.2.1      dmz
200.200.200.0    255.255.255.0   2.2.2.1      dmz         1.1.1.1      external
The first route directs all traffic destined for the 100.100.100.0 network to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is re-directed to gateway 2 with the IP address 2.2.2.1.
Load sharing and primary and secondary connections
You can combine these routes into a more complete multiple internet connection configuration. In the topology shown in Figure 8 on page 50, users on the Internal network would connect to the Internet to access web pages and other Internet resources. However, they may also connect to services, such as email, provided by their ISPs. You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet, while at the same time routing traffic to each ISP network as required.
The routing described below allows a user on the internal network to connect to the Internet through gateway 1 and ISP1. At the same time, this user can also connect through the DMZ interface to gateway 2 to access a mail server maintained by ISP2.
Adding the routes using the web-based manager
1 Go to System > Network > Routing Table.
2 Select New to add the default route for primary and backup links to the Internet.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: external
Device #2: dmz
Select OK.
3 Select New to add a route for connections to the network of ISP1.
Destination IP: 100.100.100.0
Mask: 255.255.255.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: external
Device #2: dmz
4 Select New to add a route for connections to the network of ISP2.
Destination IP: 200.200.200.0
Mask: 255.255.255.0
Gateway #1: 2.2.2.1
Gateway #2: 1.1.1.1
Device #1: dmz
Device #2: external
Select OK.
5 Change the order of the routes in the routing table to move the default route below the
other two routes.
For the default route select Move to.
Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3.
Select OK.
Adding the routes using the CLI
1 Add the route for connections to the network of ISP1.
set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz
2 Add the route for connections to the network of ISP2.
set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 dmz gw2 1.1.1.1 dev2 external
3 Add the default route for primary and backup links to the Internet.
set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz
The routing table should have routes arranged as shown in Table 15.
Table 15: Example combined routing table
Destination IP   Mask            Gateway #1   Device #1   Gateway #2   Device #2
100.100.100.0    255.255.255.0   1.1.1.1      external    2.2.2.1      dmz
200.200.200.0    255.255.255.0   2.2.2.1      dmz         1.1.1.1      external
0.0.0.0          0.0.0.0         1.1.1.1      external    2.2.2.1      dmz

Policy routing examples

Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to increase the control provided by destination-based routing.
For example, if you have used destination-based routing to configure routing for dual internet connections, you can use policy routing to apply more control to which traffic is sent to which destination route. This section describes the following policy routing examples, based on topology similar to that shown in Figure 8 on page 50. Differences are noted in each example.
The policy routes described in these examples only work if you have already defined destination routes similar to those described in the previous section.
Routing traffic from internal subnets to different external networks
Routing a service to an external network
For more information about policy routing, see “Policy routing” on page 118.
Routing traffic from internal subnets to different external networks
If the FortiGate unit provides internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and
192.168.20.0 you can enter the following policy routes:
1 Enter the following command to route traffic from the 192.168.10.0 subnet to the
100.100.100.0 external network:
set system route policy 1 src 192.168.10.0 255.255.255.0 dst
100.100.100.0 255.255.255.0 gw 1.1.1.1
2 Enter the following command to route traffic from the 192.168.20.0 subnet to the
200.200.200.0 external network:
set system route policy 2 src 192.168.20.0 255.255.255.0 dst
200.200.200.0 255.255.255.0 gw 2.2.2.1
Routing a service to an external network
You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.
1 Enter the following command to route all HTTP traffic using port 80 to the next hop
gateway with IP address 1.1.1.1.
set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1
2 Enter the following command to route all other traffic to the next hop gateway with IP
address 2.2.2.1.
set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1
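The following Python model is added here as an illustration and is not part of this manual or of the FortiGate product. It encodes Table 15 and the four policy routes from this section so that the routing decisions described above, primary and backup gateways, the effect of route order, ping-server gateway detection and policy routes layered on top of destination routes, can be checked offline. The evaluation rules are the model's own assumptions about FortiOS 2.50 rather than documented internals: routes are tried top to bottom and the first prefix match wins, a gateway whose ping server is unreachable is skipped in favour of Gateway #2, and policy routes are consulted first and ignored when their gateway is down. The packet addresses are constructed test values.

```python
"""Model of FortiGate-style route selection for the dual-ISP examples above.

Assumptions (a model, not FortiOS internals): routes are evaluated top to bottom
and the first prefix match wins; a gateway whose ping server is unreachable is
treated as down and its route falls back to Gateway #2; policy routes are
consulted before destination routes and are skipped when their gateway is down."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: str                     # prefix in the manual's form "address/netmask"
    gw1: str
    dev1: str
    gw2: Optional[str] = None    # optional backup gateway and its interface
    dev2: Optional[str] = None


@dataclass(frozen=True)
class PolicyRoute:
    src: str
    dst: str
    gw: str
    protocol: Optional[int] = None   # IP protocol number, 6 = TCP
    port_low: int = 0                # destination port range, checked only with protocol
    port_high: int = 65535


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int = 6
    dport: int = 0


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


class Router:
    def __init__(self, routes, policy_routes=(), ping_state=None):
        self.routes = list(routes)                  # ordered as in the routing table
        self.policy_routes = list(policy_routes)    # ordered, policy 1 first
        self.ping_state = dict(ping_state or {})    # gateway IP -> ping server reachable?

    def gateway_up(self, gw: str) -> bool:
        # No ping server configured for this gateway: no detection, assume reachable.
        return self.ping_state.get(gw, True)

    def device_for(self, gw: str) -> Optional[str]:
        # Only a destination route says which interface a gateway sits on, which is
        # why the manual says to define destination routes before policy routes.
        for r in self.routes:
            if gw == r.gw1:
                return r.dev1
            if gw == r.gw2:
                return r.dev2
        return None

    @staticmethod
    def _policy_matches(p: PolicyRoute, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in _net(p.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in _net(p.dst):
            return False
        if p.protocol is None:
            return True
        return pkt.protocol == p.protocol and p.port_low <= pkt.dport <= p.port_high

    def select(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        """Return (next-hop gateway, outgoing interface), or None if unroutable."""
        for p in self.policy_routes:
            if self._policy_matches(p, pkt) and self.gateway_up(p.gw):
                dev = self.device_for(p.gw)
                if dev is not None:
                    return (p.gw, dev)
        for r in self.routes:
            if ipaddress.ip_address(pkt.dst) not in _net(r.dst):
                continue
            if self.gateway_up(r.gw1):
                return (r.gw1, r.dev1)
            if r.gw2 is not None and self.gateway_up(r.gw2):
                return (r.gw2, r.dev2)
            return None     # first match wins even when both of its gateways are down
        return None


# Table 15: specific routes first, default route last.
TABLE_15 = [
    Route("100.100.100.0/255.255.255.0", "1.1.1.1", "external", "2.2.2.1", "dmz"),
    Route("200.200.200.0/255.255.255.0", "2.2.2.1", "dmz", "1.1.1.1", "external"),
    Route("0.0.0.0/0.0.0.0", "1.1.1.1", "external", "2.2.2.1", "dmz"),
]

# "Routing traffic from internal subnets to different external networks".
SUBNET_POLICIES = [
    PolicyRoute("192.168.10.0/255.255.255.0", "100.100.100.0/255.255.255.0", "1.1.1.1"),
    PolicyRoute("192.168.20.0/255.255.255.0", "200.200.200.0/255.255.255.0", "2.2.2.1"),
]

# "Routing a service to an external network": TCP port 80 to gateway 1, the rest to gateway 2.
HTTP_POLICIES = [
    PolicyRoute("0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0", "1.1.1.1", protocol=6, port_low=80, port_high=80),
    PolicyRoute("0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0", "2.2.2.1"),
]
```

Reordering TABLE_15 so that the default route comes first sends traffic for 200.200.200.0 out of the external interface instead of dmz, which is the mistake the Move to step in the web-based manager procedure guards against. With the ping server for 1.1.1.1 reporting the gateway down, the same table sends everything, including the HTTP policy route's traffic, through 2.2.2.1 on the dmz interface.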

Firewall policy example

Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.
For traffic originating on the Internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which internet connection is actually used.
Adding a redundant default policy
Figure 8 on page 50 shows a FortiGate unit connected to the Internet using its external and DMZ interfaces. The default policy allows all traffic from the internal network to connect to the Internet through the external interface. If you add a similar policy to the internal to DMZ policy list, this policy will allow all traffic from the internal network to connect to the Internet through the DMZ interface. With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see “Default firewall configuration” on page 142.
To add a redundant default policy
1 Go to Firewall > Policy > Int->DMZ.
2 Select New.
3 Configure the policy to match the default policy.
Source Internal_All
Destination DMZ_All
Schedule Always
Service ANY
Action Accept
NAT Select NAT.
4 Select OK to save your changes.
Adding more firewall policies
In most cases your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex. To configure the FortiGate unit to use multiple Internet connections you must add duplicate policies for connections between the internal network and both interfaces connected to the Internet. As well, as you add redundant policies, you must arrange them in both policy lists in the same order.
Restricting access to a single Internet connection
In some cases you might want to limit some traffic to a single Internet connection. For example, in the topology shown in Figure 8 on page 50 the organization might want its mail server to be able to connect only to the SMTP mail server of ISP1. To do this, add a single Int->Ext firewall policy for SMTP connections without a matching policy in the Int->DMZ list. Because no redundant policy has been added, SMTP traffic from the internal network is always sent to ISP1. If the connection to ISP1 fails, the SMTP connection is not available. Note that this only restricts SMTP if no broader policy in the Int->DMZ list, such as the redundant ANY policy added above, would also accept it; if one does, a deny policy for SMTP placed above it in the Int->DMZ list is needed.
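The following Python model is added here as an illustration and is not code from this manual or from the FortiGate product. It shows why the Int->Ext and Int->DMZ policy lists have to mirror each other, and what happens to the SMTP restriction above when the Int->DMZ list still carries the redundant ANY policy. The first-match evaluation, the address objects (Internal_All taken as 192.168.1.0/24, External_All and DMZ_All as any address because both interfaces face the Internet in this topology), the interface names and the packets are the model's own assumptions. redundancy_report compares the two lists position by position and flags every difference except the destination address object, so a non-empty report is either a mistake or, as for the SMTP policy, a deliberate restriction that should be documented.

```python
"""Model of first-match firewall policy lists for the dual-ISP topology above.

Assumptions (a model, not FortiOS internals): the list consulted is the one for
the interface a packet enters and the interface routing sends it out of; policies
are checked top to bottom and the first match decides; no match means deny."""
import ipaddress
from dataclasses import dataclass
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Service names as (IP protocol, destination port); ANY matches everything.
SERVICES = {"ANY": None, "HTTP": (6, 80), "SMTP": (6, 25), "DNS": (17, 53)}


@dataclass(frozen=True)
class Policy:
    src: str          # address object written as a prefix
    dst: str
    service: str
    action: str       # "ACCEPT" or "DENY"
    nat: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int


def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def matches(p: Policy, pkt: Packet) -> bool:
    if not (_in(pkt.src, p.src) and _in(pkt.dst, p.dst)):
        return False
    svc = SERVICES[p.service]
    return svc is None or (pkt.protocol, pkt.dport) == svc


def evaluate(policy_list: List[Policy], pkt: Packet) -> Tuple[Optional[int], str]:
    """(index, action) of the first matching policy; (None, 'DENY') is the implicit deny."""
    for i, p in enumerate(policy_list):
        if matches(p, pkt):
            return (i, p.action)
    return (None, "DENY")


def decide(lists: Dict[Tuple[str, str], List[Policy]], ingress: str, egress: str,
           pkt: Packet) -> str:
    """Action for a packet entering on `ingress` that routing sends out of `egress`."""
    return evaluate(lists.get((ingress, egress), []), pkt)[1]


def redundancy_report(int_ext: List[Policy], int_dmz: List[Policy]) -> List[str]:
    """Position-by-position differences between the Int->Ext and Int->DMZ lists.
    The destination address objects legitimately differ (External_All vs DMZ_All),
    so everything except dst is compared; an empty report means the lists mirror."""
    report = []
    for i, (a, b) in enumerate(zip_longest(int_ext, int_dmz), start=1):
        if b is None:
            report.append(f"policy {i} ({a.service} {a.action}) exists only in Int->Ext")
        elif a is None:
            report.append(f"policy {i} ({b.service} {b.action}) exists only in Int->DMZ")
        elif (a.src, a.service, a.action, a.nat) != (b.src, b.service, b.action, b.nat):
            report.append(f"policy {i} differs: Int->Ext {a.service} {a.action}, "
                          f"Int->DMZ {b.service} {b.action}")
    return report


# Constructed address objects standing in for the manual's Internal_All, External_All
# and DMZ_All (in this topology the dmz interface faces ISP2, so DMZ_All is "any").
INTERNAL_ALL = "192.168.1.0/255.255.255.0"
EXTERNAL_ALL = "0.0.0.0/0.0.0.0"
DMZ_ALL = "0.0.0.0/0.0.0.0"

DEFAULT_INT_EXT = [Policy(INTERNAL_ALL, EXTERNAL_ALL, "ANY", "ACCEPT")]
REDUNDANT_INT_DMZ = [Policy(INTERNAL_ALL, DMZ_ALL, "ANY", "ACCEPT")]

# "Restricting access to a single Internet connection": SMTP policy added to Int->Ext only.
RESTRICTED_INT_EXT = [Policy(INTERNAL_ALL, EXTERNAL_ALL, "SMTP", "ACCEPT")] + DEFAULT_INT_EXT
# If Int->DMZ keeps the redundant ANY/ACCEPT policy, SMTP is still accepted out of dmz
# once routing fails over to ISP2; a DENY ahead of it is what enforces the restriction.
RESTRICTED_INT_DMZ = [Policy(INTERNAL_ALL, DMZ_ALL, "SMTP", "DENY")] + REDUNDANT_INT_DMZ

# Constructed packet: the internal mail server (192.168.1.25) to ISP1's relay.
SMTP_TO_ISP1 = Packet("192.168.1.25", "100.100.100.25", 6, 25)
```

Inserting the SMTP policy at the top of Int->Ext shifts every following policy down by one, so the report against the unchanged Int->DMZ list flags two positions, not one; that is the ordering problem the manual warns about when it says redundant policies must be arranged in the same order in both lists.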

Transparent mode installation

This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode
installation” on page 43.
This chapter describes:
Preparing to configure Transparent mode
Using the setup wizard
Using the command line interface
Connecting the FortiGate unit to your networks
Completing the configuration
Transparent mode configuration examples

Preparing to configure Transparent mode

Use Table 16 to gather the information that you need to customize Transparent mode settings.
Table 16: Transparent mode settings
Administrator Password: __________
Management IP
IP: _____._____._____._____ Netmask: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
Default Gateway: _____._____._____._____
DNS Settings
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____

Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see
“Connecting to the web-based manager” on page 30.

Changing to Transparent mode

The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK.
The FortiGate unit changes to Transparent mode.
To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiGate Transparent mode management IP address is 10.10.10.1.

Starting the setup wizard

1 Select Easy Setup Wizard (the middle button in upper-right corner of the web-based
manager).
2 Use the information that you gathered in Table 16 on page 57 to fill in the wizard fields.
Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.

Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.

Using the command line interface

As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command
line interface (CLI)” on page 31. Use the information that you gathered in Table 16 on page 57 to complete the following procedures.

Changing to Transparent mode

1 Log into the CLI if you are not already logged in.
2 Switch to Transparent mode. Enter:
set system opmode transparent
After a few seconds, the login prompt appears.
3 Type admin and press Enter.
The following prompt appears:
Type ? for a list of commands.
4 Confirm that the FortiGate unit has switched to Transparent mode. Enter:
get system status
The CLI displays the status of the FortiGate unit. The last line shows the current operation mode.
Operation mode: Transparent

Configuring the Transparent mode management IP address

1 Log into the CLI if you are not already logged in.
2 Set the management IP address and netmask to the IP address and netmask that you
recorded in Table 16 on page 57. Enter:
set system management ip <IP address> <netmask>
Example
set system management ip 10.10.10.2 255.255.255.0
3 Confirm that the address is correct. Enter:
get system management
The CLI lists the management IP address and netmask.

Configure the Transparent mode default gateway

1 Log into the CLI if you are not already logged in.
2 Set the default route to the default gateway that you recorded in Table 16 on page 57.
Enter:
set system route number <number> gw1 <IP address>
Example
set system route number 1 gw1 204.23.1.2
You have now completed the initial configuration of the FortiGate unit.

Connecting the FortiGate unit to your networks

When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. You can also connect a network to the DMZ interface.
There are three 10/100Base-TX connectors on the FortiGate-100:
Internal for connecting to your internal network
External for connecting to the Internet
DMZ for connecting to another network
To connect the FortiGate unit running in Transparent mode:
1 Connect the Internal interface to the hub or switch connected to your internal network.
2 Connect the External interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider.
3 Connect the DMZ interface to another network.
Figure 9: FortiGate-100 Transparent mode connections
In Transparent mode, the FortiGate unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution.
A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic.

Completing the configuration

Use the information in this section to complete the initial configuration of the FortiGate unit.

Setting the date and time

For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the date and time or you can configure the FortiGate unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiGate system date and time, see “Setting system date and time” on
page 129.

Enabling antivirus protection

To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1 Go to Firewall > Policy > Int->Ext.
2 Select Edit to edit this policy.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save your changes.

Registering your FortiGate

After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate units” on
page 101.

Configuring virus and attack definition updates

You can configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack
definitions” on page 91.

Transparent mode configuration examples

A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with a management IP address and netmask. These are used for management access and to allow the unit to receive antivirus and attack definition updates. The unit must also have sufficient route information to reach:
the management computer,
the FortiResponse Distribution Network (FDN),
a DNS server.
A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
This section describes:
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination

Default routes and static routes

To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router (otherwise known as the default gateway). A static route matches a more specific prefix and forwards traffic to the next hop router.
Default route example:
IP Prefix 0.0.0.0 (IP address)
0.0.0.0 (Netmask)
Next Hop 192.168.1.2
Static Route example:
IP Prefix 172.100.100.0 (IP address)
255.255.255.0 (Netmask)
Next Hop 192.168.1.2
Note: When adding routes to the FortiGate unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.

Example default route to an external network

Figure 10 shows a FortiGate unit where all destinations, including the management
computer, are located on the external network. To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
Figure 10: Default route to an external network
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the default route to the external network.
Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the default route to the external network. Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
Select OK.
CLI configuration steps
To configure the Fortinet basic settings and a default route using the CLI:
1 Change the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the default route to the external network.
set system route number 1 gw1 192.168.1.2

Example static route to an external destination

Figure 11 shows a FortiGate unit that requires routes to the FDN located on the external network. The FortiGate unit does not require routes to the DNS servers or management computer because they are located on the internal network.
To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter a static route to a specific FortiResponse server in addition to the default route to the external network. If the static route becomes unusable (perhaps because the IP address of the FortiResponse server changes), the FortiGate unit can still receive antivirus and NIDS updates from the FDN using the default route.
Note: This is an example configuration only. To configure a static route, you require the destination IP address. The example uses a mask of 255.255.255.0, which matches the whole 24.102.233.0/24 subnet rather than the single server; to route traffic to one host only, use a host mask of 255.255.255.255.
Figure 11: Static route to an external destination
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the FortiResponse server.
4 Configure the default route to the external network.
Web-based manager example configuration steps
To configure the basic FortiGate settings and a static route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the static route to the FortiResponse server: Destination IP: 24.102.233.5 Mask: 255.255.255.0 Gateway: 192.168.1.2
Select OK.
Select New to add the default route to the external network: Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
Select OK.
CLI configuration steps
To configure the FortiGate basic settings and a static route using the CLI:
1 Set the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the primary FortiResponse server.
set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 192.168.1.2
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2

Example static route to an internal destination

Figure 12 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route points to the internal router as the next hop. (No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit.)
Figure 12: Static route to an internal destination
General configuration steps
1 Set the unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the management computer on the internal network.
4 Configure the default route to the external network.
Web-based manager example configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the static route to the management computer: Destination IP: 172.16.1.11 Mask: 255.255.255.0 Gateway: 192.168.1.3
Select OK.
Select New to add the default route to the external network: Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
Select OK.
CLI configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the CLI:
1 Set the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the management computer.
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2
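The note at the start of this section (add the default route last) and the three route examples above both come down to how a destination is matched against the route list. The following is an added example, not part of the FortiGate guide and not Fortinet code: it uses the route entries from the examples above and models two lookup behaviours, first-match in list order (the behaviour the note implies) and longest-prefix match (the behaviour of a conventional router), and shows why the 255.255.255.0 mask in the static-route examples matches more than the single host. The Route class and function names are this example's own.

```python
"""Route-list lookup for the Transparent mode route examples.

Added example, not part of the FortiGate guide.  Route entries and
addresses are those used in the guide's examples; Route, make_route,
lookup_in_order, lookup_longest_prefix and demo are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    number: int                      # position in the route list (set system route number N)
    network: ipaddress.IPv4Network   # destination network
    gateway: str                     # next hop (gw1 in the CLI examples)


def make_route(number, dst, mask, gw):
    """Build a Route from the dotted-decimal form used in the web-based manager.

    The mask is converted to a prefix length explicitly so that a
    non-contiguous mask is rejected instead of silently accepted.
    """
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    return Route(number, net, gw)


def lookup_in_order(routes, dst_ip):
    """First-match lookup: walk the list in route-number order and return the
    gateway of the first entry whose network contains dst_ip.  With this
    behaviour a default route placed first swallows every destination."""
    ip = ipaddress.IPv4Address(dst_ip)
    for r in sorted(routes, key=lambda r: r.number):
        if ip in r.network:
            return r.gateway
    return None


def lookup_longest_prefix(routes, dst_ip):
    """Longest-prefix-match lookup: list order is irrelevant because the most
    specific matching entry wins."""
    ip = ipaddress.IPv4Address(dst_ip)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen).gateway


# Route list from "Example static route to an internal destination":
# management computer 172.16.1.11 behind internal router 192.168.1.3,
# default route via the upstream router 192.168.1.2.
CORRECT_ORDER = [
    make_route(1, "172.16.1.11", "255.255.255.0", "192.168.1.3"),
    make_route(2, "0.0.0.0", "0.0.0.0", "192.168.1.2"),
]
# The same two entries with the default route added first.
WRONG_ORDER = [
    make_route(1, "0.0.0.0", "0.0.0.0", "192.168.1.2"),
    make_route(2, "172.16.1.11", "255.255.255.0", "192.168.1.3"),
]
# Host route (mask 255.255.255.255) for the management computer only.
HOST_ROUTE = [
    make_route(1, "172.16.1.11", "255.255.255.255", "192.168.1.3"),
    make_route(2, "0.0.0.0", "0.0.0.0", "192.168.1.2"),
]


def demo():
    """Return the next hop chosen for each (route list, destination) pair."""
    return {
        "correct order, mgmt host": lookup_in_order(CORRECT_ORDER, "172.16.1.11"),
        "wrong order, mgmt host": lookup_in_order(WRONG_ORDER, "172.16.1.11"),
        "wrong order, longest prefix": lookup_longest_prefix(WRONG_ORDER, "172.16.1.11"),
        "/24 route, other host on subnet": lookup_in_order(CORRECT_ORDER, "172.16.1.200"),
        "/32 route, other host on subnet": lookup_in_order(HOST_ROUTE, "172.16.1.200"),
    }


if __name__ == "__main__":
    for case, gw in demo().items():
        print(f"{case:34s} -> {gw}")
```

With the default route listed first, first-match lookup sends management traffic to the upstream router instead of the internal router; longest-prefix match is indifferent to the order. The last two cases show that a 255.255.255.0 mask routes every host in 172.16.1.0/24 via the internal router, whereas a host mask sends only 172.16.1.11 that way.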

System status

You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
If you have logged into the web-based manager using the admin administrator account, you can use System Status to make any of the following changes to the FortiGate system settings:
Changing the FortiGate host name
Changing the FortiGate firmware
Manual virus definition updates
Manual attack definition updates
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings including:
Displaying the FortiGate serial number
Displaying the FortiGate up time
All administrative users can also go to System > Status > Monitor and view FortiGate system status. System status displays FortiGate health monitoring information including CPU and memory status, and session and network status.
Figure: System status
All administrative users can also go to System > Status > Session and view the active communication sessions to and through the FortiGate unit.
Figure: Session list

Changing the FortiGate host name

The FortiGate host name appears on the System > Status page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see “Configuring SNMP” on page 134).
The default host name is FortiGate-100.
To change the FortiGate host name:
1 Go to System > Status.
2 Select Edit Host Name.
3 Enter a new host name.
4 Select OK.
The new host name appears on the System Status page and is added to the SNMP System Name.

Changing the FortiGate firmware

After you download a FortiGate firmware image from Fortinet, you can use the procedures in Table 1 to install the firmware image on your FortiGate unit.
Table 1: Firmware upgrade procedures
Procedure: Upgrade to a new firmware version
Description: Commonly-used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Procedure: Revert to a previous firmware version
Description: Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts your FortiGate unit to its factory default configuration.
Procedure: Install a firmware image from a system reboot using the CLI
Description: Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure reverts your FortiGate unit to its factory default configuration.
Procedure: Test a new firmware image before installing it
Description: Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.
Procedure: Installing and using a backup firmware image
Description: If your FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required.

Upgrade to a new firmware version

Use the following procedures to upgrade your FortiGate to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date.
1 Copy the firmware image file to your management computer.
2 Login to the FortiGate web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade .
5 Enter the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Login to the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade has been installed successfully.
9 Use the procedure “Manually updating antivirus and attack definitions” on page 95 to update antivirus and attack definitions.
Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit. TFTP provides no authentication, encryption, or integrity protection, so place the TFTP server on a trusted management network, run it only for the duration of the upgrade, and confirm that the image file matches a checksum obtained from a trusted source before you copy it to the server.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
6 Reconnect to the CLI.
7 To confirm that the new firmware image has been loaded, enter:
get system status
8 Use the procedure “Manually updating antivirus and attack definitions” on page 95 to update antivirus and attack definitions, or from the CLI, enter:
execute updatecenter updatenow
9 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:
get system objver

Revert to a previous firmware version

Use the following procedures to revert your FortiGate unit to a previous firmware version.
Reverting to a previous firmware version using the web-based manager
This procedure returns your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before running this procedure you can:
Back up the FortiGate unit configuration using the procedure “Backing up system settings” on page 83.
Back up the NIDS user-defined signatures; see the FortiGate NIDS Guide.
Back up web content and email filtering lists; see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date.
1 Copy the firmware image file to your management computer.
2 Login to the FortiGate web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade .
5 Enter the path and filename of the previous firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Login to the web-based manager.
For information about logging into the web-based manager when the FortiGate unit is set to factory defaults, see “Connecting to the web-based manager” on page 30.
8 Go to System > Status and check the Firmware Version to confirm that the firmware has been installed successfully.
9 Restore your configuration.
See “Restoring system settings” on page 84 to restore your previous configuration.
10 Use the procedure “Manually updating antivirus and attack definitions” on page 95 to update antivirus and attack definitions.
Reverting to a previous firmware version using the CLI
This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before running this procedure you can:
Back up the FortiGate unit configuration using the command execute backup config.
Back up the NIDS user-defined signatures using the command execute backup nidsuserdefsig.
Back up web content and email filtering lists; see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Login to the FortiGate CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiGate unit uploads the firmware image file. Once the file has been uploaded a message similar to the following is displayed:
Get image from tftp server OK. This operation will downgarde the current firmware version! Do you want to continue? (y/n)
6 Type Y
7 The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
For information about logging into the CLI when the FortiGate unit is set to factory defaults, see “Connecting to the command line interface (CLI)” on page 31.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 Restore your previous configuration. Use the following command:
execute restore config
11 Use the procedure “Manually updating antivirus and attack definitions” on page 95 to update antivirus and attack definitions, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:
get system objver

Install a firmware image from a system reboot using the CLI

This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or to re-install the current firmware.
Note: There are a few variations on this procedure for different FortiGate BIOS versions. These variations are explained in the procedure steps that are affected. The version of the BIOS running on your FortiGate unit is displayed when you restart the FortiGate unit while accessing the CLI by connecting to the FortiGate console port using a null-modem cable.
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable, and
install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before running this procedure you can:
Back up the FortiGate unit configuration using the procedure “Backing up system settings” on page 83.
Back up the NIDS user-defined signatures; see the FortiGate NIDS Guide.
Back up web content and email filtering lists; see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on page 95 to make sure that antivirus and attack definitions are up-to-date.
To install firmware from a system reboot
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed. Watch for one of the following messages:
FortiGate unit running v2.x BIOS:
Press Any Key To Download Boot Image. ...
FortiGate unit running v3.x BIOS:
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press a key in time, the FortiGate unit finishes booting and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
FortiGate unit running v2.x BIOS:
Enter TFTP Server Address [192.168.1.168]:
Go to step 9.
FortiGate unit running v3.x BIOS:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
FortiGate unit running v2.x BIOS:
Do You Want To Save The Image? [Y/n]
Type Y.
FortiGate unit running v3.x BIOS (one of the following prompts, depending on the BIOS build):
Save as Default firmware/Run image without saving:[D/R]
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring your previous configuration
You can then restore your previous configuration. Begin by changing the interface addresses if required. You can do this from the CLI using the command:
set system interface
After changing the interface addresses, you can access the FortiGate unit from the web-based manager and restore your configuration.
To restore your FortiGate unit configuration, see “Restoring system settings” on page 84. To restore NIDS user-defined signatures, see the FortiGate NIDS Guide. To restore web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
12 Update the virus and attack definitions to the most recent version; see “Manually updating antivirus and attack definitions” on page 95.
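Every firmware procedure in this chapter that uses execute restore image or the boot-time [G] option pulls the image over TFTP. The following is an added example, not part of the FortiGate guide and not Fortinet code. It runs both sides of a minimal TFTP read (RFC 1350 RRQ, DATA and ACK packets) in-process over loopback and then checks the received image against a SHA-256 digest recorded out of band. The point it makes is that nothing in the transfer itself authenticates the server or the file: the bytes arrive from whichever host on the TFTP subnet answers first, so the digest check is the only integrity control. The image bytes, file names and expected digest are constructed here; retransmission on packet loss is omitted.

```python
"""Minimal TFTP read (RFC 1350) with an integrity check on the received image.

Added example, not part of the FortiGate guide.  Both sides of the exchange
run in-process over loopback; the image bytes, file names and expected
digest are constructed for the example.  Retransmission is omitted.
"""
import hashlib
import socket
import struct
import threading

BLOCK = 512                      # TFTP data block size; a short block ends the transfer
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5


def tftp_serve(listen_sock, files, requests):
    """Answer `requests` read requests from `files` (name -> bytes).

    Note what is absent: no check of who asked, and no signature on the data.
    """
    for _ in range(requests):
        pkt, client = listen_sock.recvfrom(1024)
        if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
            continue
        name = pkt[2:].split(b"\0", 1)[0].decode()
        data = files.get(name)
        if data is None:
            listen_sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
            continue
        # Per RFC 1350 the data is sent from a fresh ephemeral port (the server TID).
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.bind(("127.0.0.1", 0))
        xfer.settimeout(2)
        block, offset = 1, 0
        while True:
            chunk = data[offset:offset + BLOCK]
            xfer.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
            ack, _ = xfer.recvfrom(1024)
            if struct.unpack("!HH", ack[:4]) != (OP_ACK, block):
                break                       # wrong ACK; no retransmit in this example
            if len(chunk) < BLOCK:
                break                       # short block: transfer complete
            block, offset = block + 1, offset + BLOCK
        xfer.close()


def tftp_get(server, name):
    """Fetch `name` from `server` (host, port) in octet mode and return the bytes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    sock.sendto(struct.pack("!H", OP_RRQ) + name.encode() + b"\0octet\0", server)
    out, expected = bytearray(), 1
    try:
        while True:
            pkt, src = sock.recvfrom(4 + BLOCK)
            op, num = struct.unpack("!HH", pkt[:4])
            if op == OP_ERROR:
                raise RuntimeError("tftp error: " + pkt[4:].rstrip(b"\0").decode())
            if op != OP_DATA or num != expected:
                continue                    # duplicate or stray packet
            out += pkt[4:]
            sock.sendto(struct.pack("!HH", OP_ACK, num), src)
            expected += 1
            if len(pkt) - 4 < BLOCK:
                return bytes(out)
    finally:
        sock.close()


def verify_image(image, expected_sha256):
    """True only if the received bytes hash to the digest obtained out of band."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def demo():
    """Serve a genuine and a tampered image over loopback and verify each."""
    genuine = bytes(range(256)) * 5 + b"tail"            # 1284 bytes: blocks of 512, 512, 260
    tampered = genuine[:700] + b"\xff" + genuine[701:]   # one byte changed in transit
    files = {"image.out": genuine, "image-evil.out": tampered}
    expected = hashlib.sha256(genuine).hexdigest()       # stands in for a trusted checksum

    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))                        # ephemeral port instead of 69
    listen.settimeout(5)
    server = listen.getsockname()
    t = threading.Thread(target=tftp_serve, args=(listen, files, 2), daemon=True)
    t.start()
    results = {
        "genuine": verify_image(tftp_get(server, "image.out"), expected),
        "tampered": verify_image(tftp_get(server, "image-evil.out"), expected),
    }
    t.join(5)
    listen.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The transfer of the altered file succeeds exactly as the genuine one does; only the digest comparison tells them apart. On a real upgrade, compute the digest of the file you placed in the TFTP root and compare it with the value from a trusted source before entering execute restore image, and keep the TFTP server on an isolated management subnet for the duration of the procedure.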

Test a new firmware image before installing it

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts it will be operating with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrade to a new firmware version” on page 71.
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable, and
install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
To test a new firmware image:
1 Connect to the CLI using a null modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages is displayed. Watch for one of the following messages:
FortiGate unit running v2.x BIOS:
Press Any Key To Download Boot Image. ...
FortiGate unit running v3.x BIOS:
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press a key in time, the FortiGate unit finishes booting and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
FortiGate unit running v2.x BIOS:
Enter TFTP Server Address [192.168.1.168]:
Go to step 9.
FortiGate unit running v3.x BIOS:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
FortiGate unit running v2.x BIOS:
Do You Want To Save The Image? [Y/n]
Type N.
FortiGate unit running v3.x BIOS:
Save as Default firmware/Run image without saving:[D/R]
Type R.
The FortiGate image is installed to system memory and the FortiGate starts running the new firmware image but with its current configuration.
12 You can login to the CLI or the web-based manager using any administrative account.
13 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.

Installing and using a backup firmware image

If your FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required.
This section describes:
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Installing a backup firmware image
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable, and
install a TFTP server that you can connect to from the FortiGate unit as described in the procedure “Install a firmware image from a system reboot using the CLI” on page 75.
To install a backup firmware image:
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed. Watch for the following message:
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press a key in time, the FortiGate unit finishes booting and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the address of the interface of the FortiGate unit that can connect to the TFTP server and press Enter.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
11 Type B.
The FortiGate unit saves the backup firmware image and restarts. When the FortiGate unit restarts it is running the previously installed firmware version.
Switching to the backup firmware image
Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image.
If you installed the backup image from a reboot, the configuration saved with it is the factory default configuration. If you use the procedure “Switching back to the default firmware image” on page 82 to switch to a backup firmware image that was previously running as the default firmware image, the configuration saved with that firmware image is restored.
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate units starts, a series of system startup messages are displayed. When one of the following messages appears:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
[G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options.
Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is running the backup firmware version and the configuration is set to factory default.
Switching back to the default firmware image
Use this procedure to switch your FortiGate unit to operating with the backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image, the configuration saved with this firmware image is restored.
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
[G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options.
Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is running the backup firmware version with a restored configuration.

Manual virus definition updates

The System > Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Antivirus Definitions. You can use the following procedure to update the antivirus definitions manually.
Note: To configure the FortiGate unit for automatic antivirus definitions updates, see “Virus and attack definitions updates and registration” on page 91. You can also manually initiate an antivirus definitions update by going to System > Update and selecting Update Now.
1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 To the right of the Antivirus Definitions Version, select Definitions Update.
4 Enter the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information has been updated.

Manual attack definition updates

The System > Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS). You can use the following procedure to update the attack definitions manually.
Note: To configure the FortiGate unit for automatic attack definitions updates, see “Virus and attack definitions updates and registration” on page 91. You can also manually initiate an attack definitions update by going to System > Update and selecting Update Now.
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 To the right of the Attack Definitions Version, select Definitions Update.
4 Enter the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Attack Definitions Version information has been updated.

Displaying the FortiGate serial number

1 Go to System > Status.
The serial number is displayed in the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.

Displaying the FortiGate up time

1 Go to System > Status.
The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.

Backing up system settings

You can back up system settings by downloading them to a text file on the management computer:
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file.
The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.

Restoring system settings

You can restore system settings by uploading a previously downloaded system settings text file:
1 Go to System > Status.
2 Select System Settings Restore.
3 Enter the path and filename of the system settings file, or select Browse and locate the file.
4 Select OK to restore the system settings file to the FortiGate unit.
The FortiGate unit restarts, loading the new system settings.
5 Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.

Restoring system settings to factory defaults

Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
1 Go to System > Status.
2 Select Restore Factory Defaults.
3 Select OK to confirm.
The FortiGate unit restarts with the configuration that it had when it was first powered on.
4 Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. To restore your system settings, see “Restoring system settings” on page 84.

Changing to Transparent mode

Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode its configuration resets to Transparent mode factory defaults.
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 10.10.10.1.

Changing to NAT/Route mode

Use the following procedure to switch the FortiGate unit from Transparent mode to NAT/Route mode. When the FortiGate unit has changed to NAT/Route mode its configuration resets to NAT/Route mode factory defaults.
1 Go to System > Status.
2 Select Change to NAT Mode.
3 Select NAT/Route in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 192.168.1.99. See “Connecting to the web-based manager” on page 30 or “Connecting to the command line interface (CLI)” on page 31.

Restarting the FortiGate unit

1 Go to System > Status.
2 Select Restart.
The FortiGate unit restarts.

Shutting down the FortiGate unit

1 Go to System > Status.
2 Select Shutdown.
The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then on.

System status

You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
You can also view current virus and intrusion status. The web-based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours.
In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds. You can also refresh the display manually.
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status

Viewing CPU and memory status

Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
If CPU and memory use is low, the FortiGate unit is able to process much more network traffic than is currently running. If CPU and memory use is high, the FortiGate unit is performing near its full capacity. Placing additional demands on the system could lead to traffic processing delays.
Figure 1: CPU and memory status monitor
CPU and memory intensive processes such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets will increase CPU and memory usage.
1 Go to System > Status > Monitor.
CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the last minute.
2 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
3 Select Refresh to manually update the information displayed.

Viewing sessions and network status

Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is placing on system resources.
Sessions displays the total number of sessions being processed by the FortiGate unit on all interfaces. Sessions also displays the sessions as a percentage of the maximum number of sessions that the FortiGate unit is designed to support.
Network utilization displays the total network bandwidth being used through all FortiGate interfaces. Network utilization also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
1 Go to System > Status > Monitor.
2 Select Sessions & Network.
Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph.
Figure 2: Sessions and network status monitor
3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
4 Select Refresh to manually update the information displayed.

Viewing virus and intrusions status

Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours.
Figure 3: Sessions and network status monitor
3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
4 Select Refresh to manually update the information displayed.

Session list

The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission, and the FortiGate admin user can also stop active communication sessions.
Viewing the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2 To page through the list of sessions, select Page Up or Page Down .
3 Select Refresh to update the session list.
4 If you have logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop any active session.
Each line of the session list displays the following information:
Protocol The service protocol of the connection, for example, udp, tcp, or icmp.
From IP The source IP address of the connection.
From Port The source port of the connection.
To IP The destination IP address of the connection.
To Port The destination port of the connection.
Expire The time, in seconds, before the connection expires.
Clear Stop an active communication session.
Figure 4: Example session list
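The fields listed above are what an administrator reviews when looking for unexpected or long-lived connections. As an added example that is not part of this manual or of any Fortinet software, the following Python parses a constructed, whitespace-separated export of such a session list (the column layout, the addresses and the port numbers are assumptions) into records and answers the questions a reviewer usually has: how many sessions exist per protocol, which ones are about to expire, and which ones go to a given destination port. The header row and any malformed row are skipped rather than aborting the parse, so a partially captured list still yields data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a session list export. The column order follows the
# fields described in the manual (Protocol, From IP, From Port, To IP, To Port,
# Expire); the whitespace-separated layout and the addresses are assumptions.
SAMPLE_SESSION_LIST = """\
Protocol FromIP FromPort ToIP ToPort Expire
tcp 192.168.1.10 3412 64.230.123.149 443 3598
udp 192.168.1.15 1029 192.168.1.99 53 178
icmp 192.168.1.20 0 10.10.10.1 0 58
tcp 192.168.1.10 3415 198.51.100.7 8890 45
"""


@dataclass(frozen=True)
class Session:
    protocol: str
    from_ip: str
    from_port: int
    to_ip: str
    to_port: int
    expire: int  # seconds until the FortiGate unit drops the session


def parse_session_list(text: str) -> List[Session]:
    """Parse session list rows into Session records.

    Rows that do not have exactly six columns, or whose numeric columns do not
    parse (the header row, for instance), are skipped instead of raising.
    """
    sessions: List[Session] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            sessions.append(Session(parts[0].lower(), parts[1], int(parts[2]),
                                    parts[3], int(parts[4]), int(parts[5])))
        except ValueError:
            continue  # header row or a line that is not a session entry
    return sessions


def count_by_protocol(sessions: List[Session]) -> Dict[str, int]:
    """Number of sessions per service protocol (tcp, udp, icmp, ...)."""
    return dict(Counter(s.protocol for s in sessions))


def expiring_within(sessions: List[Session], seconds: int) -> List[Session]:
    """Sessions the unit will drop within the given number of seconds."""
    return [s for s in sessions if s.expire <= seconds]


def sessions_to_port(sessions: List[Session], port: int,
                     protocol: Optional[str] = None) -> List[Session]:
    """Sessions whose destination port matches, optionally for one protocol only."""
    return [s for s in sessions
            if s.to_port == port and (protocol is None or s.protocol == protocol)]


if __name__ == "__main__":
    found = parse_session_list(SAMPLE_SESSION_LIST)
    print(count_by_protocol(found))
    for s in expiring_within(found, 60):
        print("expiring soon:", s)
```

In the sample, the tcp session to port 8890 is the kind of entry worth recognising: 8890 is the port the FortiGate unit itself uses to reach the FDN, so such a session from a host other than the unit would merit a closer look.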

Virus and attack definitions updates and registration

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine. You have the following update options:
Request updates from the FDN manually,
Schedule updates to automatically request the latest versions hourly, daily, or weekly
Push updates so that the FDN contacts your FortiGate unit when a new update is available.
To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page.
This chapter describes:
Updating antivirus and attack definitions
Registering FortiGate units
Updating registration information
Registering a FortiGate unit after an RMA

Updating antivirus and attack definitions

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiGate unit supports the following antivirus and attack definition update features:
User-initiated manual updates from the FDN,
Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN,
Push updates from the FDN,
View the update status including version numbers, expiry dates, and update dates and times,
Push updates through a NAT device.
The System > Update page of the web-based manager displays the following antivirus and attack definition update information:
Version Displays the current antivirus engine, virus definition, and attack definition version numbers.
Expiry date Displays the expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Last update attempt Displays the date and time on which the FortiGate unit last attempted to download antivirus engine, virus definition, and attack definition updates.
Last update status Displays the success or failure of the last update attempt. No updates means the last update attempt was successful but no new updates are available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions.
This section describes:
Connecting to the FortiResponse Distribution Network
Configuring scheduled updates
Configuring update logging
Adding an override server
Manually updating antivirus and attack definitions
Configuring push updates
Push updates through a NAT device
Scheduled updates through a proxy server

Connecting to the FortiResponse Distribution Network

Before the FortiGate unit can receive antivirus and attack updates, it must be able to connect to the FortiResponse Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN. The FortiGate external interface must have a path to the internet using port 8890. To configure scheduled updates, see “Configuring scheduled updates” on page 93.
You can also configure the FortiGate unit to allow push updates. Push updates are provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must have a path to the FortiGate external interface using UDP port 9443. To configure push updates, see “Configuring push updates” on page 95.
The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs). When your FortiGate unit connects to the FDN it actually connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit. To make sure the FortiGate unit receives updates from the nearest FDS, go to System > Config > Time and make sure you have selected the correct time zone for your area.
To make sure the FortiGate unit can connect to the FDN:
1 Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area.
2 Go to System > Update.
3 Select Refresh.
The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Table 1: Connections to the FDN
Connections Status Comments
FortiResponse Distribution Network
Available The FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See “Configuring scheduled updates” on page 93.
Not available The FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiResponse server to receive updates. See “Configuring update logging” on page 94.
Push Update
Available The FDN can connect to the FortiGate unit to send push updates. You can configure the FortiGate unit to receive push updates. See “Configuring push updates” on page 95.
Not available The FDN cannot connect to the FortiGate unit to send push updates. Push updates may not be available if you have not registered the FortiGate unit (see “Registering the FortiGate unit” on page 102), if there is a NAT device installed between the FortiGate unit and the FDN (see “Push updates through a NAT device” on page 96), or if your FortiGate unit connects to the Internet using a proxy server (see “Scheduled updates through a proxy server” on page 100).

Configuring scheduled updates

You can configure the FortiGate unit to check for and download updated definitions hourly, daily, or weekly according to the schedule you specify.
1 Go to System > Update.
2 Select Scheduled Update.
3 Select whether to check for and download updates hourly, daily, or weekly:
Hourly Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and the time of day to check for updates.
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule.
Whenever a scheduled update is run, the event is recorded in the FortiGate event log.
Figure 1: Configuring automatic antivirus and attack definitions updates

Configuring update logging

Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. Update log messages are recorded on the FortiGate Event log.
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the type of logs that the FortiGate unit is configured to record.
See “Recording logs” on page 249.
3 Select Update to record log messages when the FortiGate unit updates antivirus and attack definitions.
4 Select the following update log options:
Failed Update The FortiGate unit records a log message whenever an update attempt fails.
Successful Update The FortiGate unit records a log message whenever an update attempt is successful.
FDN error The FortiGate unit records a log message whenever it cannot connect to the FDN or whenever it receives an error message from the FDN.
5 Select OK.

Adding an override server

If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
1 Go to System > Update.
2 Select Use override server address and add the IP address of a FortiResponse server.
3 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiResponse Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server. If the FortiResponse Distribution Network stays set to not available, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and the network configuration to make sure you can connect to the override FortiResponse server from the FortiGate unit.

Manually updating antivirus and attack definitions

You can use the following procedure to update the antivirus and attack definitions at any time. To run this procedure the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server.
1 Go to System > Update.
2 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine, or for attack definitions. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.

Configuring push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See “Registering the FortiGate unit” on page 102.
If the FDN must connect to the FortiGate unit through a NAT device, see “Push updates through a NAT device” on page 96.
Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See “Scheduled updates through a proxy server” on page 100 for more information.
To enable push updates
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Apply.
About push updates
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiGate units configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit attempts to request an update from the FDN.
If available for your network configuration, configuring push updates is recommended in addition to configuring scheduled updates. Push updates mean that on average the FortiGate unit receives new updates sooner than if the FortiGate unit only receives scheduled updates. However, scheduled updates make sure that the FortiGate unit does eventually receive the latest updates.
Enabling push updates is not recommended as the only method for obtaining updates. The push notification may not be received by the FortiGate unit. Also, when the FortiGate unit receives a push notification it will only make one attempt to connect to the FDN and download updates.
Push updates and external dynamic IP addresses
If the external interface of the FortiGate unit is configured with a dynamic IP address (using PPPoE or DHCP), whenever the IP address of the external interface changes, a SETUP message is sent to the FDN to notify it of the change. As long as this SETUP message is sent, the FDN will have the most up-to-date IP address and the next push notification is sent to this IP address.

Push updates through a NAT device

If the FDN can only connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using either port 9443 or an override push port that you assign.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP. This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network. This IP address can either be the external IP address of the FortiGate unit if it is operating in NAT/Route mode or the Management IP address of the FortiGate unit if it is operating in Transparent mode.
Note: This example describes the configuration for a FortiGate NAT device. However, any NAT device with a static external IP address that can be configured for port forwarding can be used.
Figure 2: Example network topology: Push updates through a NAT device
General procedure
Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
3 Configure the FortiGate unit on the internal network with an override push IP and port.
Note: Before completing the following procedure you should register the FortiGate unit on the internal network so that it can receive push updates.
Adding a port forwarding virtual IP to the FortiGate NAT device
Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.
To configure the FortiGate NAT device:
1 Go to Firewall > Virtual IP.
2 Select New.
3 Add a name for the virtual IP.
4 Select the External interface that the FDN connects to.
For the example topology, select the external interface.
5 Select Port Forwarding.
6 Enter the External IP address that the FDN connects to.
For the example topology, enter 64.230.123.149.
7 Enter the External Service Port that the FDN connects to.
For the example topology, enter 45001.
8 Set Map to IP to the IP address of the FortiGate unit on the internal network.
If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface.
If the FortiGate unit is operating in Transparent mode, enter the management IP address.
For the example topology, enter 192.168.1.99.
9 Set the Map to Port to 9443.
10 Set Protocol to UDP.
11 Select OK.
Figure 3: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device:
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source External_All
Destination The virtual IP added above.
Schedule Always
Service ANY
Action Accept
NAT Selected.
3 Select OK.
Configure the FortiGate unit with an override push IP and port
To configure the FortiGate unit on the internal network:
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Use override push.
4 Set IP to the External IP Address added to the virtual IP.
For the example topology, enter 64.230.123.149.
5 Set Port to the External Service Port added to the virtual IP.
For the example topology, enter 45001.
6 Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The FDN then uses this IP address and port for push updates to the FortiGate unit on the internal network.
If the External IP Address or External Service Port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.
Figure 4: Example push update configuration
7 Select Apply.
8 You can select Refresh to make sure that push updates work.
Push Update should change to Available.

Scheduled updates through a proxy server

If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN through the proxy server. The command specifies the IP address and port of the proxy server. If the proxy server requires authentication, you can also add the user name and password that the proxy server requires to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:
set system autoupdate tunneling enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]
For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:
set system autoupdate tunneling enable address 64.23.6.89 port 8080
For more information about the set system autoupdate command, see Volume 6, FortiGate CLI Reference Guide.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT to arbitrary ports; they restrict it to the well-known HTTPS port and perhaps a few similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server may have to be configured to allow CONNECT to this port.
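As an added illustration (not from this guide and not Fortinet's own code), the CONNECT exchange described above in Python: it builds the request a client sends to the proxy, adding a Basic Proxy-Authorization header when a user name and password are configured, and classifies the proxy's reply so that a blocked port can be told apart from a missing credential. The FDN host name and the proxy responses are constructed placeholders.

```python
import base64

FDN_PORT = 8890  # port the guide states FortiGate autoupdate uses on the FDN
PROXY_ADDRESS, PROXY_PORT = "64.23.6.89", 8080  # proxy from the guide's example
FDN_HOST = "fdn.example.invalid"  # placeholder: the guide does not give the FDN address


def build_connect_request(target_host, target_port, username=None, password=None):
    """Build the HTTP CONNECT request sent to the proxy (RFC 2616 style)."""
    lines = [
        f"CONNECT {target_host}:{target_port} HTTP/1.1",
        f"Host: {target_host}:{target_port}",
    ]
    if username is not None:
        # Basic auth: base64("user:pass") in the Proxy-Authorization header
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's status line."""
    head = raw.partition("\r\n\r\n")[0]
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def diagnose(raw, target_port):
    """Map the proxy's reply to the configuration change a defender would make."""
    code, reason = parse_connect_response(raw)
    if 200 <= code < 300:
        return "tunnel open"  # only now does TLS to the FDN flow through the proxy
    if code == 407:
        return "proxy requires credentials: add username/password to autoupdate tunneling"
    if code in (403, 405):
        return f"proxy refused CONNECT to port {target_port}: allow this port on the proxy"
    return f"unexpected reply {code} {reason}"


# Constructed sample replies, not captured from a real proxy
SAMPLE_OK = "HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_DENIED = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_AUTH = 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="p"\r\n\r\n'

if __name__ == "__main__":
    print(f"to {PROXY_ADDRESS}:{PROXY_PORT}:\n{build_connect_request(FDN_HOST, FDN_PORT, 'user', 'pass')}")
    for reply in (SAMPLE_OK, SAMPLE_DENIED, SAMPLE_AUTH):
        print(diagnose(reply, FDN_PORT))
```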