Fortinet FortiGate 100 User Manual
FortiGate 100
Installation and
Configuration Guide
INTERNAL
EXTERNAL
POWER
DMZ
STATUS
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-100 Installation and Configuration Guide
Version 2.50 MR2
18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.
Table of Contents
Introduction .......................................................................................................... 13
Antivirus protection ........................................................................................................... 13
Web content filtering ......................................................................................................... 14
Email filtering .................................................................................................................... 14
Firewall.............................................................................................................................. 15
NAT/Route mode .......................................................................................................... 15
Transparent mode......................................................................................................... 16
Network intrusion detection............................................................................................... 16
VPN................................................................................................................................... 16
Secure installation, configuration, and management ........................................................ 17
Web-based manager .................................................................................................... 17
Command line interface ................................................................................................ 18
Logging and reporting ................................................................................................... 19
What’s new in Version 2.50 .............................................................................................. 19
System administration................................................................................................... 19
Firewall.......................................................................................................................... 20
Users and authentication .............................................................................................. 20
VPN............................................................................................................................... 20
NIDS ............................................................................................................................. 21
Antivirus ........................................................................................................................ 21
Web Filter...................................................................................................................... 21
Email filter ..................................................................................................................... 21
Logging and Reporting.................................................................................................. 21
About this document ......................................................................................................... 22
Document conventions ..................................................................................................... 23
Fortinet documentation ..................................................................................................... 24
Comments on Fortinet technical documentation........................................................... 24
Customer service and technical support........................................................................... 25
Contents
Getting started ..................................................................................................... 27
Package contents ............................................................................................................. 28
Mounting ........................................................................................................................... 28
Powering on...................................................................................................................... 29
Connecting to the web-based manager............................................................................ 30
Connecting to the command line interface (CLI)............................................................... 31
Factory default FortiGate configuration settings ............................................................... 31
Factory default NAT/Route mode network configuration .............................................. 32
Factory default Transparent mode network configuration............................................. 33
Factory default firewall configuration ............................................................................ 33
Factory default content profiles..................................................................................... 34
FortiGate-100 Installation and Configuration Guide 3
Contents
Planning your FortiGate configuration .............................................................................. 37
NAT/Route mode .......................................................................................................... 37
NAT/Route mode with multiple external network connections ...................................... 38
Transparent mode......................................................................................................... 38
Configuration options .................................................................................................... 39
FortiGate model maximum values matrix ......................................................................... 40
Next steps......................................................................................................................... 41
NAT/Route mode installation.............................................................................. 43
Preparing to configure NAT/Route mode.......................................................................... 43
Advanced NAT/Route mode settings............................................................................ 44
DMZ interface ............................................................................................................... 44
Using the setup wizard...................................................................................................... 45
Starting the setup wizard .............................................................................................. 45
Reconnecting to the web-based manager .................................................................... 45
Using the command line interface..................................................................................... 45
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 45
Connecting the FortiGate unit to your networks................................................................ 47
Configuring your networks ................................................................................................ 48
Completing the configuration ............................................................................................ 48
Configuring the DMZ interface ...................................................................................... 48
Setting the date and time .............................................................................................. 48
Enabling antivirus protection......................................................................................... 49
Registering your FortiGate............................................................................................ 49
Configuring virus and attack definition updates ............................................................ 49
Configuration example: Multiple connections to the Internet ............................................ 49
Configuring Ping servers............................................................................................... 51
Destination based routing examples............................................................................. 51
Policy routing examples ................................................................................................ 54
Firewall policy example................................................................................................. 55
Transparent mode installation............................................................................ 57
Preparing to configure Transparent mode ........................................................................ 57
Using the setup wizard...................................................................................................... 58
Changing to Transparent mode .................................................................................... 58
Starting the setup wizard .............................................................................................. 58
Reconnecting to the web-based manager .................................................................... 58
Using the command line interface..................................................................................... 59
Changing to Transparent mode .................................................................................... 59
Configuring the Transparent mode management IP address ....................................... 59
Configure the Transparent mode default gateway........................................................ 59
Connecting the FortiGate unit to your networks................................................................ 60
4 Fortinet Inc.
Completing the configuration ............................................................................................ 61
Setting the date and time .............................................................................................. 61
Enabling antivirus protection......................................................................................... 61
Registering your FortiGate............................................................................................ 61
Configuring virus and attack definition updates ............................................................ 61
Transparent mode configuration examples....................................................................... 62
Default routes and static routes .................................................................................... 62
Example default route to an external network............................................................... 63
Example static route to an external destination ............................................................ 64
Example static route to an internal destination ............................................................. 67
System status....................................................................................................... 69
Changing the FortiGate host name................................................................................... 70
Changing the FortiGate firmware...................................................................................... 70
Upgrade to a new firmware version .............................................................................. 71
Revert to a previous firmware version .......................................................................... 72
Install a firmware image from a system reboot using the CLI ....................................... 75
Test a new firmware image before installing it .............................................................. 77
Installing and using a backup firmware image .............................................................. 79
Manual virus definition updates ........................................................................................ 82
Manual attack definition updates ...................................................................................... 83
Displaying the FortiGate serial number............................................................................. 83
Displaying the FortiGate up time....................................................................................... 83
Backing up system settings .............................................................................................. 83
Restoring system settings................................................................................................. 84
Restoring system settings to factory defaults ................................................................... 84
Changing to Transparent mode ........................................................................................ 85
Changing to NAT/Route mode.......................................................................................... 85
Restarting the FortiGate unit............................................................................................. 85
Shutting down the FortiGate unit ...................................................................................... 86
System status ................................................................................................................... 86
Viewing CPU and memory status ................................................................................. 86
Viewing sessions and network status ........................................................................... 87
Viewing virus and intrusions status............................................................................... 88
Session list........................................................................................................................ 89
Contents
FortiGate-100 Installation and Configuration Guide 5
Contents
Virus and attack definitions updates and registration ..................................... 91
Updating antivirus and attack definitions .......................................................................... 91
Connecting to the FortiResponse Distribution Network ................................................ 92
Configuring scheduled updates .................................................................................... 93
Configuring update logging ........................................................................................... 94
Adding an override server............................................................................................. 95
Manually updating antivirus and attack definitions........................................................ 95
Configuring push updates ............................................................................................. 95
Push updates through a NAT device ............................................................................ 96
Scheduled updates through a proxy server ................................................................ 100
Registering FortiGate units ............................................................................................. 101
FortiCare Service Contracts........................................................................................ 101
Registering the FortiGate unit ..................................................................................... 102
Updating registration information .................................................................................... 104
Recovering a lost Fortinet support password.............................................................. 104
Viewing the list of registered FortiGate units .............................................................. 104
Registering a new FortiGate unit ................................................................................ 105
Adding or changing a FortiCare Support Contract number......................................... 105
Changing your Fortinet support password .................................................................. 106
Changing your contact information or security question ............................................. 106
Downloading virus and attack definitions updates ...................................................... 106
Registering a FortiGate unit after an RMA...................................................................... 107
Network configuration....................................................................................... 109
Configuring interfaces ..................................................................................................... 109
Viewing the interface list ............................................................................................. 110
Bringing up an interface .............................................................................................. 110
Changing an interface static IP address ..................................................................... 110
Adding a secondary IP address to an interface .......................................................... 110
Adding a ping server to an interface ........................................................................... 111
Controlling management access to an interface ......................................................... 111
Configuring traffic logging for connections to an interface .......................................... 112
Configuring the external interface with a static IP address ......................................... 112
Configuring the external interface for DHCP............................................................... 112
Configuring the external interface for PPPoE ............................................................. 113
Changing the external interface MTU size to improve network performance ............. 113
Configuring the management interface (Transparent mode) ...................................... 114
Adding DNS server IP addresses ................................................................................... 115
6 Fortinet Inc.
Configuring routing.......................................................................................................... 115
Adding a default route................................................................................................. 116
Adding destination-based routes to the routing table.................................................. 116
Adding routes in Transparent mode............................................................................ 117
Configuring the routing table....................................................................................... 118
Policy routing .............................................................................................................. 118
Providing DHCP services to your internal network ......................................................... 119
RIP configuration ............................................................................................... 121
RIP settings..................................................................................................................... 122
Configuring RIP for FortiGate interfaces......................................................................... 124
Adding RIP neighbors..................................................................................................... 125
Adding RIP filters ............................................................................................................ 126
Adding a single RIP filter............................................................................................. 126
Adding a RIP filter list.................................................................................................. 127
Adding a neighbors filter ............................................................................................. 128
Adding a routes filter ................................................................................................... 128
Contents
System configuration ........................................................................................ 129
Setting system date and time.......................................................................................... 129
Changing web-based manager options .......................................................................... 130
Adding and editing administrator accounts..................................................................... 132
Adding new administrator accounts ............................................................................ 132
Editing administrator accounts.................................................................................... 133
Configuring SNMP .......................................................................................................... 134
Configuring the FortiGate unit for SNMP monitoring .................................................. 134
Configuring FortiGate SNMP support ......................................................................... 134
FortiGate MIBs............................................................................................................ 135
FortiGate traps ............................................................................................................ 136
Customizing replacement messages.............................................................................. 136
Customizing replacement messages .......................................................................... 137
Customizing alert emails............................................................................................. 138
Firewall configuration........................................................................................ 141
Default firewall configuration........................................................................................... 142
Addresses ................................................................................................................... 142
Services ...................................................................................................................... 143
Schedules ................................................................................................................... 143
Content profiles........................................................................................................... 143
Adding firewall policies.................................................................................................... 144
Firewall policy options................................................................................................. 145
FortiGate-100 Installation and Configuration Guide 7
Contents
Configuring policy lists .................................................................................................... 149
Policy matching in detail ............................................................................................. 149
Changing the order of policies in a policy list.............................................................. 149
Enabling and disabling policies................................................................................... 150
Addresses ....................................................................................................................... 150
Adding addresses ....................................................................................................... 151
Editing addresses ....................................................................................................... 152
Deleting addresses ..................................................................................................... 152
Organizing addresses into address groups ................................................................ 152
Services .......................................................................................................................... 153
Predefined services .................................................................................................... 153
Providing access to custom services .......................................................................... 156
Grouping services ....................................................................................................... 156
Schedules ....................................................................................................................... 157
Creating one-time schedules ...................................................................................... 158
Creating recurring schedules ...................................................................................... 158
Adding a schedule to a policy ..................................................................................... 159
Virtual IPs........................................................................................................................ 160
Adding static NAT virtual IPs ...................................................................................... 160
Adding port forwarding virtual IPs ............................................................................... 161
Adding policies with virtual IPs.................................................................................... 163
IP pools........................................................................................................................... 164
Adding an IP pool........................................................................................................ 164
IP Pools for firewall policies that use fixed ports ......................................................... 165
IP pools and dynamic NAT ......................................................................................... 165
IP/MAC binding ............................................................................................................... 166
Configuring IP/MAC binding for packets going through the firewall ............................ 166
Configuring IP/MAC binding for packets going to the firewall ..................................... 167
Adding IP/MAC addresses.......................................................................................... 167
Viewing the dynamic IP/MAC list ................................................................................ 168
Enabling IP/MAC binding ............................................................................................ 168
Content profiles............................................................................................................... 169
Default content profiles ............................................................................................... 170
Adding a content profile .............................................................................................. 170
Adding a content profile to a policy ............................................................................. 171
Users and authentication .................................................................................. 173
Setting authentication timeout......................................................................................... 174
Adding user names and configuring authentication ........................................................ 174
Adding user names and configuring authentication .................................................... 174
Deleting user names from the internal database ........................................................ 175
Configuring RADIUS support .......................................................................................... 176
Adding RADIUS servers ............................................................................................. 176
Deleting RADIUS servers ........................................................................................... 176
8 Fortinet Inc.
Configuring LDAP support .............................................................................................. 177
Adding LDAP servers.................................................................................................. 177
Deleting LDAP servers................................................................................................ 178
Configuring user groups.................................................................................................. 179
Adding user groups..................................................................................................... 179
Deleting user groups................................................................................................... 180
IPSec VPN........................................................................................................... 181
Key management............................................................................................................ 182
Manual Keys ............................................................................................................... 182
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 182
Manual key IPSec VPNs................................................................................................. 183
General configuration steps for a manual key VPN .................................................... 183
Adding a manual key VPN tunnel ............................................................................... 183
AutoIKE IPSec VPNs ...................................................................................................... 185
General configuration steps for an AutoIKE VPN ....................................................... 185
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 185
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 189
Managing digital certificates............................................................................................ 191
Obtaining a signed local certificate ............................................................................. 191
Obtaining a CA certificate ........................................................................................... 195
Configuring encrypt policies............................................................................................ 196
Adding a source address ............................................................................................ 197
Adding a destination address...................................................................................... 197
Adding an encrypt policy............................................................................................. 197
IPSec VPN concentrators ............................................................................................... 199
VPN concentrator (hub) general configuration steps .................................................. 199
Adding a VPN concentrator ........................................................................................ 201
VPN spoke general configuration steps...................................................................... 202
Redundant IPSec VPNs.................................................................................................. 203
Configuring redundant IPSec VPN ............................................................................. 203
Monitoring and Troubleshooting VPNs ........................................................................... 205
Viewing VPN tunnel status.......................................................................................... 205
Viewing dialup VPN connection status ....................................................................... 205
Testing a VPN............................................................................................................. 206
Contents
PPTP and L2TP VPN .......................................................................................... 207
Configuring PPTP ........................................................................................................... 207
Configuring the FortiGate unit as a PPTP gateway .................................................... 208
Configuring a Windows 98 client for PPTP ................................................................. 210
Configuring a Windows 2000 client for PPTP ............................................................. 211
Configuring a Windows XP client for PPTP ................................................................ 212
FortiGate-100 Installation and Configuration Guide 9
Contents
Configuring L2TP............................................................................................................ 213
Configuring the FortiGate unit as a L2TP gateway ..................................................... 214
Configuring a Windows 2000 client for L2TP.............................................................. 217
Configuring a Windows XP client for L2TP ................................................................. 218
Network Intrusion Detection System (NIDS) ................................................... 221
Detecting attacks ............................................................................................................ 221
Selecting the interfaces to monitor.............................................................................. 222
Disabling the NIDS...................................................................................................... 222
Configuring checksum verification .............................................................................. 222
Viewing the signature list ............................................................................................ 223
Viewing attack descriptions......................................................................................... 223
Enabling and disabling NIDS attack signatures .......................................................... 224
Adding user-defined signatures .................................................................................. 224
Preventing attacks .......................................................................................................... 225
Enabling NIDS attack prevention ................................................................................ 225
Enabling NIDS attack prevention signatures .............................................................. 226
Setting signature threshold values.............................................................................. 226
Configuring synflood signature values ........................................................................ 228
Logging attacks............................................................................................................... 228
Logging attack messages to the attack log................................................................. 228
Reducing the number of NIDS attack log and email messages.................................. 229
Antivirus protection........................................................................................... 231
General configuration steps............................................................................................ 231
Antivirus scanning........................................................................................................... 232
File blocking.................................................................................................................... 233
Blocking files in firewall traffic ..................................................................................... 233
Adding file patterns to block........................................................................................ 233
Blocking oversized files and emails ................................................................................ 234
Configuring limits for oversized files and email........................................................... 234
Exempting fragmented email from blocking.................................................................... 234
Viewing the virus list ....................................................................................................... 234
Web filtering ....................................................................................................... 235
General configuration steps............................................................................................ 235
Content blocking ............................................................................................................. 236
Adding words and phrases to the banned word list .................................................... 236
URL blocking................................................................................................................... 237
Using the FortiGate web filter ..................................................................................... 237
Using the Cerberian web filter..................................................................................... 240
Script filtering .................................................................................................................. 242
Enabling the script filter............................................................................................... 242
Selecting script filter options ....................................................................................... 242
10 Fortinet Inc.
Exempt URL list .............................................................................................................. 243
Adding URLs to the exempt URL list .......................................................................... 243
Email filter........................................................................................................... 245
General configuration steps............................................................................................ 245
Email banned word list.................................................................................................... 246
Adding words and phrases to the banned word list .................................................... 246
Email block list ................................................................................................................ 247
Adding address patterns to the email block list........................................................... 247
Email exempt list............................................................................................................. 247
Adding address patterns to the email exempt list ....................................................... 248
Adding a subject tag ....................................................................................................... 248
Logging and reporting....................................................................................... 249
Contents
Recording logs................................................................................................................ 249
Recording logs on a remote computer ........................................................................ 250
Recording logs on a NetIQ WebTrends server ........................................................... 250
Recording logs in system memory.............................................................................. 251
Filtering log messages .................................................................................................... 251
Configuring traffic logging ............................................................................................... 253
Enabling traffic logging................................................................................................ 253
Configuring traffic filter settings................................................................................... 254
Adding traffic filter entries ........................................................................................... 254
Viewing logs saved to memory ....................................................................................... 255
Viewing logs................................................................................................................ 255
Searching logs ............................................................................................................ 256
Configuring alert email .................................................................................................... 256
Adding alert email addresses...................................................................................... 256
Testing alert email....................................................................................................... 257
Enabling alert email .................................................................................................... 257
Glossary ............................................................................................................. 259
Index .................................................................................................................... 263
FortiGate-100 Installation and Configuration Guide 11
Contents
12 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2
Introduction
The FortiGate Antivirus Firewall supports network-based deployment of
application-level services—including antivirus protection and full-scan content filtering.
FortiGate Antivirus Firewalls improve network security, reduce network misuse and
abuse, and help you use communications resources more efficiently without
compromising the performance of your network. FortiGate Antivirus Firewalls are
ICSA-certified for firewall, IPSec and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated easily managed security device that
delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and
Content Analysis System (ABACAS™) technology, which leverages breakthroughs in
chip design, networking, security, and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications to
be deployed right at the network edge where they are most effective at protecting your
networks. The FortiGate series complements existing solutions, such as host-based
antivirus protection, and enables new applications and services while greatly lowering
costs for equipment, administration and maintenance.
The FortiGate-100 model is an easy-todeploy and easy-to-administer solution
that delivers exceptional value and
performance for small office, home office,
and branch office applications. The
FortiGate installation wizard guides users through a simple process that enables most
installations to be up and running in minutes.
Antivirus protection
FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer
(FTP), and email (SMTP, POP3, and IMAP) content as it passes through the
FortiGate. If a virus is found, antivirus protection removes the file containing the virus
from the content stream and forwards an replacement message to the intended
recipient.
FortiGate-100 Installation and Configuration Guide 13
Introduction
For extra protection, you also configure antivirus protection to block files of specified
file types from passing through the FortiGate unit. You can use the feature to stop files
that may contain new viruses.
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined.
The FortiGate administrator can download quarantined files, so that they can be virus
scanned, cleaned, and forwarded to the intended recipient. You can also configure the
FortiGate unit to automatically delete quarantined files after a specified time period.
The FortiGate unit can send email alerts to system administrators when it detects and
removes a virus from a content stream. The web and email content can be in normal
network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
• detect viruses in compressed files using the PKZip format,
• detect viruses in e-mail that has been encoded using uuencode format,
• detect viruses in e-mail that has been encoded using MIME encoding,
• log all actions taken while scanning.
Web content filtering
FortiGate web content filtering can be configured to scan all HTTP content protocol
streams for URLs or for web page content. If a match is found between a URL on the
URL block list, or if a web page is found to contain a word or phrase in the content
block list, the FortiGate blocks the web page. The blocked web page is replaced with a
message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site.
Using this feature you can deny access to parts of a web site without denying access
to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an
Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can be configured to block
unsecure web content such as Java Applets, Cookies, and ActiveX.
You can also use the Cerberian URL blocking to block unwanted URLs.
Email filtering
FortiGate Email filtering can be configured to scan all IMAP and POP3 email content
for unwanted senders or for unwanted content. If a match is found between a sender
address pattern on the Email block list, or if an email is found to contain a word or
phrase in the banned word list, the FortiGate adds a Email tag to subject line of the
email. Receivers can then use their mail client software to filter messages based on
the Email tag.
14 Fortinet Inc.
Introduction NAT/Route mode
You can configure Email blocking to tag email from all or some senders within
organizations that are known to send spam email. To prevent unintentional tagging of
email from legitimate senders, you can add sender address patterns to an exempt list
that overrides the email block and banned word lists.
Firewall
The FortiGate ICSA-certified firewall protects your computer networks from the hostile
environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall
certification, providing assurance that FortiGate firewalls successfully screen for and
secure corporate networks against a wide range of threats from public or other
untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected
network to access the Internet while blocking Internet access to internal networks. You
can modify this firewall configuration to place controls on access to the Internet from
the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
• control all incoming and outgoing network traffic,
• control encrypted VPN traffic,
• apply antivirus protection and web content filtering,
• block or allow access for all policy options,
• control when individual policies are in effect,
• accept or deny traffic to and from individual addresses,
• control standard and user defined network services individually or in groups,
• require users to authenticate before gaining access,
• include traffic shaping to set access priorities and guarantee or limit bandwidth for
each policy,
• include logging to track connections for individual policies,
• include Network address translation (NAT) mode and Route mode policies,
• include Mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a
more secure network from users in a less secure network.
• Route mode policies accept or deny connections between networks without
performing address translation.
FortiGate-100 Installation and Configuration Guide 15
Transparent mode Introduction
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets
received by the FortiGate unit are intelligently forwarded or blocked according to
firewall policies. The FortiGate unit can be inserted in your network at any point
without the need to make changes to your network or any of its components.
However, VPN and some advanced firewall features are only available in NAT/Route
mode.
Network intrusion detection
The FortiGate Network Intrusion Detection System (NIDS) is a real-time network
intrusion detection sensor that detects and prevents a wide variety of suspicious
network activity. NIDS detection uses attack signatures to identify over 1000 attacks.
You can enable and disable the attacks that the NIDS detects. You can also write your
own user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packetbased attacks. You can enable and disable prevention attack signatures and
customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any
suspicious traffic to the attack log and can be configured to send alert emails.
VPN
Fortinet updates NIDS attack definitions periodically. You can download and install
updated attack definitions manually, or you can configure the FortiGate to
automatically check for and download attack definition updates.
Using FortiGate virtual private networking (VPN), you can provide a secure
connection between widely separated office networks or securely link telecommuters
or travellers to an office network.
FortiGate VPN features include the following:
• Industry standard and ICSA-certified IPSec VPN including:
• IPSec, ESP security in tunnel mode,
• DES, 3DES (triple-DES), and AES hardware accelerated encryption,
• HMAC MD5 and HMAC SHA1 authentication and data integrity,
• AutoIKE key based on pre-shared key tunnels,
• IPSec VPN using local or CA certificates,
• Manual Keys tunnels,
• Diffie-Hellman groups 1, 2, and 5,
• Aggressive and Main Mode,
• Replay Detection,
• Perfect Forward Secrecy,
• XAuth authentication,
• Dead peer detection.
16 Fortinet Inc.
Introduction Web-based manager
• PPTP for easy connectivity with the VPN standard supported by the most popular
operating systems.
• L2TP for easy connectivity with a more secure VPN standard also supported by
many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT
can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from
one tunnel to another tunnel through the FortiGate unit.
• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a
remote network.
Secure installation, configuration, and management
Installation is quick and simple. The first time you turn on the FortiGate unit, it is
already configured with default IP addresses and security policies. Connect to the
web-based manager, set the operating mode, and use the setup wizard to customize
FortiGate IP addresses for your network, and the FortiGate unit is set to protect your
network. You can then use the web-based manager to customize advanced FortiGate
features to meet your needs.
You can also create a basic configuration using the FortiGate command line interface
(CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet
Explorer, you can configure and manage the FortiGate unit. The web-based manager
supports multiple languages. You can configure the FortiGate unit for HTTP and
HTTPs administration from any FortiGate interface.
You can use the web-based manager for most FortiGate configuration settings. You
can also use the web-based manager to monitor the status of the FortiGate unit.
Configuration changes made with the web-based manager are effective immediately
without the need to reset the firewall or interrupt service. Once a satisfactory
configuration has been established, it can be downloaded and saved. The saved
configuration can be restored at any time.
FortiGate-100 Installation and Configuration Guide 17
Command line interface Introduction
Figure 1: The FortiGate web-based manager and setup wizard
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a
management computer serial port to the FortiGate RS-232 serial Console connector.
You can also use Telnet or a secure SSH connection to connect to the CLI from any
network connected to the FortiGate, including the Internet.
The CLI supports the same configuration and monitoring functionality as the
web-based manager. In addition, you can use the CLI for advanced configuration
options not available from the web-based manager. This Installation and
Configuration Guide contains information about basic and advanced CLI commands.
You can find a more complete description of connecting to and using the FortiGate CLI
in the FortiGate CLI Reference Guide.
18 Fortinet Inc.
Introduction Logging and reporting
Logging and reporting
The FortiGate supports logging of various categories of traffic and of configuration
changes. You can configure logging to:
• report traffic that connects to the firewall,
• report network services used,
• report traffic permitted by firewall policies,
• report traffic that was denied by firewall policies,
• report events such as configuration changes and other management events, IPSec
tunnel negotiation, virus detection, attacks, and web page blocking,
• report attacks detected by the NIDS,
• send alert email to system administrators to report virus incidents, intrusions, and
firewall or VPN events or violations.
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security
Reporting Center and Firewall Suite server using the WebTrends enhanced log
format. Some models can also save logs to an optional internal hard drive. If a hard
drive is not installed, you can configure most FortiGates to log the most recent events
and attacks detected by the NIDS to shared system memory.
What’s new in Version 2.50
This section presents a brief summary of some of the new features in FortiOS v2.50:
System administration
• Improved graphical FortiGate system health monitoring that includes CPU and
memory usage, session number and network bandwidth usage, and the number of
viruses and intrusions detected. See “System status” on page 86.
• Revised antivirus and attack definition update functionality that connects to a new
version of the FortiResponse Distribution network. Updates can now be scheduled
hourly and the System > Update page displays more information about the current
update status. See “Updating antivirus and attack definitions” on page 91.
• Direct connection to the Fortinet tech support web page from the web-based
manager. You can register your FortiGate unit and get access to other technical
support resources. See “Registering FortiGate units” on page 101.
Network configuration
• New interface configuration options. See “Configuring interfaces” on page 109.
• Ping server and dead gateway detection for all interfaces.
• HTTP and Telnet administrative access to any interface.
• Secondary IP addresses for all FortiGate interfaces.
Routing
• Simplified direction-based routing configuration.
• Advanced policy routing (CLI only).
FortiGate-100 Installation and Configuration Guide 19
Firewall Introduction
DHCP server
• Addition of a WINS server to DHCP configuration.
• Reserve IP/MAC pair combinations for DHCP servers (CLI only).
RIP
• New RIP v1 and v2 functionality. See “RIP configuration” on page 121.
SNMP
• SNMP v1 and v2 support.
• Support for RFC 1213 and RFC 2665
• Monitoring of all FortiGate configuration and functionality
•See “Configuring SNMP” on page 134
Replacement messages
You can customize messages sent by the FortiGate unit:
• When a virus is detected,
• When a file is blocked,
• When a fragmented email is blocked
• When an alert email is sent
See “Customizing replacement messages” on page 136.
Firewall
• The firewall default configuration has changed. See “Default firewall configuration”
on page 142.
• Add virtual IPs to all interfaces. See “Virtual IPs” on page 160.
• Add content profiles to firewall policies to configure blocking, scanning, quarantine,
web content blocking, and email filtering. See “Content profiles” on page 169.
Users and authentication
• LDAP authentication. See “Configuring LDAP support” on page 177.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN
functionality. New features include:
•Phase 1
• AES encryption
• Certificates
• Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
•Phase 2
• AES encryption
• Encryption policies select service
• Generate and import local certificates
• Import CA certificates
20 Fortinet Inc.
Introduction NIDS
NIDS
See the FortiGate NIDS Guide for a complete description of FortiGate NIDS
functionality. New features include:
• Attack detection signature groups
• User-configuration attack prevention
• Monitor multiple interfaces for attacks
• User-defined attack detection signatures
Antivirus
See the FortiGate Content Protection Guide for a complete description of FortiGate
antivirus functionality. New features include:
• Content profiles
• Blocking oversized files
Web Filter
See the FortiGate Content Protection Guide for a complete description of FortiGate
web filtering functionality. New features include:
• Cerberian URL Filtering
Email filter
See the FortiGate Content Protection Guide for a complete description of FortiGate
email filtering functionality.
Logging and Reporting
See the FortiGate Logging and Message Reference Guide for a complete description
of FortiGate logging.
• Log to remote host CSV format
• Log message levels: Emergency, Alert, critical, error, Warning, notification,
information
• Log level policies
• Traffic log filter
• New antivirus, web filter, and email filter logs
• Alert email supports authentication
• Suppress email flooding
• Extended WebTrends support for graphing activity
FortiGate-100 Installation and Configuration Guide 21
Logging and Reporting Introduction
About this document
This installation and configuration guide describes how to install and configure the
FortiGate-100. This document contains the following information:
• Getting started describes unpacking, mounting, and powering on the FortiGate.
• NAT/Route mode installation describes how to install the FortiGate if you are
planning on running it in NAT/Route mode.
• Transparent mode installation describes how to install the FortiGate if you are
planning on running it in Transparent mode.
• System status describes how to view the current status of your FortiGate unit and
related status procedures including installing updated FortiGate firmware, backing
up and restoring system settings, and switching between Transparent and
NAT/Route mode.
• Virus and attack definitions updates and registration describes configuring
automatic virus and attack definition updates. This chapter also contains
procedures for connecting to the FortiGate tech support webs site and for
registering your FortiGate unit.
• Network configuration describes configuring interfaces, configuring routing, and
configuring the FortiGate as a DHCP server for your internal network.
• RIP configuration describes the FortiGate RIP2 implementation and how to
configure RIP settings.
• System configuration describes system administration tasks available from the
System > Config web-based manager pages. This chapter describes setting
system time, adding and changed administrative users, configuring SNMP, and
editing replacement messages.
• Firewall configuration describes how to configure firewall policies to control traffic
through the FortiGate unit and apply content protection profiles to content traffic.
• Users and authentication describes how to add user names to the FortiGate user
database and how to configure the FortiGate to connect to a RADIUS server to
authenticate users.
• IPSec VPN describes how to configure FortiGate IPSec VPN.
• PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between
the FortiGate and a windows client.
• Network Intrusion Detection System (NIDS) describes how to configure the
FortiGate NIDS to detect and prevent network attacks.
• Antivirus protection describes how use the FortiGate to protect your network from
viruses and worms.
• Web filtering describes how to configure web content filtering to prevent unwanted
Web content from passing through the FortiGate.
• Email filter describes how to configure email filtering to screen unwanted email
content.
• Logging and reporting describes how to configure logging and alert email to track
activity through the FortiGate.
•The Glossary defines many of the terms used in this document.
22 Fortinet Inc.
Introduction Logging and Reporting
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords
For example:
execute restore config <filename_str>
You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.
• vertical bar and curly brackets {|} to separate alternative, mutually exclusive
required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode
transparent
• square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or
get firewall ipmacbinding dhcpipmac
FortiGate-100 Installation and Configuration Guide 23
Comments on Fortinet technical documentation Introduction
Fortinet documentation
Information about FortiGate products is available from the following FortiGate User
Manual volumes:
• Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes
how to use FortiGate firewall policies to control traffic flow through the FortiGate
unit and how to use firewall policies to apply antivirus protection, web content
filtering, and email filtering to HTTP, FTP and email content passing through the
FortiGate unit.
• Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, preshared keys and manual keys for encryption. Also contains basic configuration
information for the Fortinet Remote VPN Client, detailed configuration information
for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
• Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email
filtering to protect content as it passes through the FortiGate unit.
• Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate
unit from network-based attacks.
• Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the
FortiGate log message reference.
• Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI
commands.
The FortiGate online help also contains procedures for using the FortiGate web-based
manager to configure and manage your FortiGate unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet
technical documentation to techdoc@fortinet.com.
24 Fortinet Inc.
Introduction Comments on Fortinet technical documentation
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product
documentation, technical support information, and other resources, please visit the
Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and
modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland
America and South America.
Malaysia, all other Asian countries, and Australia.
Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
• Your name
• Company name
•Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem
FortiGate-100 Installation and Configuration Guide 25
Comments on Fortinet technical documentation Introduction
26 Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate
Antivirus Firewall. When you have completed the procedures in this chapter, you can
proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to
“NAT/Route mode installation” on page 43.
• If you are going to operate the FortiGate unit in Transparent mode, go to
“Transparent mode installation” on page 57.
This chapter describes:
• Package contents
• Mounting
• Powering on
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
• Factory default FortiGate configuration settings
• Planning your FortiGate configuration
• FortiGate model maximum values matrix
• Next steps
FortiGate-100 Installation and Configuration Guide 27
Package contents
The FortiGate-100 package contains the following items:
• FortiGate-100 Antivirus Firewall
• one orange crossover ethernet cable
• one gray regular ethernet cable
• one null modem cable
• FortiGate-100 Quick Start Guide
• CD containing the FortiGate user documentation
• one power cable and AC adapter
Figure 2: FortiGate-100 package contents
Front
INTERNAL
EXTERNAL
DMZ
Internal, External, DMZ
Interfaces
Back
POWER
STATUS
Status
LED
Power
LED
Getting started
Ethernet Cables:
Orange - Crossover
Grey - Straight-through
Null-Modem Cable
(RS-232)
Mounting
Power Cable Power Supply
FortiGate-100
POWER
INTERNAL
EXTERNAL
DMZ
USER MANUAL
Copyright 2003 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.
Documentation
STATUS
QuickStart Guide
Power
Connection
ConsoleDC +12V 5A
RS-232 Serial
Connection
External
DMZ
DMZ, External, Internal
Internal
Interfaces
The FortiGate-100 unit can be installed on any stable surface. Make sure that the
appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for
adequate air flow and cooling.
Dimensions
• 10.25 x 6.13 x 1.75 in. (26 x 15.6 x 4.5 cm)
Weight
• 1.75 lb. (0.8 kg)
Power requirements
• DC input voltage: 12 V
• DC input current: 5 A
28 Fortinet Inc.
Getting started
Powering on
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing
To power on the FortiGate-100 unit:
1 Connect the AC adapter to the power connection at the back of the FortiGate-100 unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
The FortiGate-100 unit starts up. The Power and Status lights light. The Status light
flashes while the FortiGate-100 unit is starting up and remains lit when the system is
up and running.
Table 1: FortiGate-100 LED indicators
LED State Description
Power Green The FortiGate unit is powered on.
Off The FortiGate unit is powered off.
Status Flashing
Internal
External
DMZ
(front)
Internal
External
DMZ
interfaces
(back)
green
Green The FortiGate unit is running normally.
Off The FortiGate unit is powered off.
Green The correct cable is in use, and the connected equipment has
Flashing
green
Off No link established.
Green The correct cable is in use, and the connected equipment has
Flashing
amber
Off No link established.
The FortiGate unit is starting up.
power.
Network activity at this interface.
power.
Network activity at this interface.
FortiGate-100 Installation and Configuration Guide 29
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time.
Configuration changes made with the web-based manager are effective immediately
without the need to reset the firewall or interrupt service.
To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• Internet Explorer version 4.0 or higher,
• a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers.
The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP
address 192.168.1.2 and a netmask of 255.255.255.0.
2 Using the crossover cable or the ethernet hub and cables, connect the Internal
interface of the FortiGate unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to
include the “s” in https://).
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information on this window to register
your FortiGate unit so that Fortinet can contact you for firmware updates. You must
also register to receive updates to the FortiGate virus and attack definitions.
Figure 3: FortiGate login
Getting started
30 Fortinet Inc.
Loading...