FortiGate 100
Installation and
Configuration Guide
INTERNAL |
EXTERNAL |
DMZ |
|
POWER |
|
|
STATUS
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-100 Installation and Configuration Guide
Version 2.50 MR2
18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Contents
Table of Contents |
|
Introduction .......................................................................................................... |
13 |
Antivirus protection ........................................................................................................... |
13 |
Web content filtering ......................................................................................................... |
14 |
Email filtering .................................................................................................................... |
14 |
Firewall.............................................................................................................................. |
15 |
NAT/Route mode .......................................................................................................... |
15 |
Transparent mode......................................................................................................... |
16 |
Network intrusion detection............................................................................................... |
16 |
VPN................................................................................................................................... |
16 |
Secure installation, configuration, and management........................................................ |
17 |
Web-based manager .................................................................................................... |
17 |
Command line interface ................................................................................................ |
18 |
Logging and reporting ................................................................................................... |
19 |
What’s new in Version 2.50 .............................................................................................. |
19 |
System administration................................................................................................... |
19 |
Firewall.......................................................................................................................... |
20 |
Users and authentication .............................................................................................. |
20 |
VPN............................................................................................................................... |
20 |
NIDS ............................................................................................................................. |
21 |
Antivirus ........................................................................................................................ |
21 |
Web Filter...................................................................................................................... |
21 |
Email filter ..................................................................................................................... |
21 |
Logging and Reporting.................................................................................................. |
21 |
About this document ......................................................................................................... |
22 |
Document conventions ..................................................................................................... |
23 |
Fortinet documentation ..................................................................................................... |
24 |
Comments on Fortinet technical documentation........................................................... |
24 |
Customer service and technical support........................................................................... |
25 |
Getting started ..................................................................................................... |
27 |
Package contents ............................................................................................................. |
28 |
Mounting ........................................................................................................................... |
28 |
Powering on...................................................................................................................... |
29 |
Connecting to the web-based manager............................................................................ |
30 |
Connecting to the command line interface (CLI)............................................................... |
31 |
Factory default FortiGate configuration settings ............................................................... |
31 |
Factory default NAT/Route mode network configuration .............................................. |
32 |
Factory default Transparent mode network configuration............................................. |
33 |
Factory default firewall configuration ............................................................................ |
33 |
Factory default content profiles..................................................................................... |
34 |
FortiGate-100 Installation and Configuration Guide |
3 |
Contents
Planning your FortiGate configuration .............................................................................. |
37 |
NAT/Route mode .......................................................................................................... |
37 |
NAT/Route mode with multiple external network connections...................................... |
38 |
Transparent mode......................................................................................................... |
38 |
Configuration options .................................................................................................... |
39 |
FortiGate model maximum values matrix ......................................................................... |
40 |
Next steps ......................................................................................................................... |
41 |
NAT/Route mode installation.............................................................................. |
43 |
Preparing to configure NAT/Route mode.......................................................................... |
43 |
Advanced NAT/Route mode settings............................................................................ |
44 |
DMZ interface ............................................................................................................... |
44 |
Using the setup wizard...................................................................................................... |
45 |
Starting the setup wizard .............................................................................................. |
45 |
Reconnecting to the web-based manager .................................................................... |
45 |
Using the command line interface..................................................................................... |
45 |
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... |
45 |
Connecting the FortiGate unit to your networks................................................................ |
47 |
Configuring your networks ................................................................................................ |
48 |
Completing the configuration ............................................................................................ |
48 |
Configuring the DMZ interface ...................................................................................... |
48 |
Setting the date and time .............................................................................................. |
48 |
Enabling antivirus protection......................................................................................... |
49 |
Registering your FortiGate............................................................................................ |
49 |
Configuring virus and attack definition updates ............................................................ |
49 |
Configuration example: Multiple connections to the Internet ............................................ |
49 |
Configuring Ping servers............................................................................................... |
51 |
Destination based routing examples............................................................................. |
51 |
Policy routing examples ................................................................................................ |
54 |
Firewall policy example................................................................................................. |
55 |
Transparent mode installation............................................................................ |
57 |
Preparing to configure Transparent mode ........................................................................ |
57 |
Using the setup wizard...................................................................................................... |
58 |
Changing to Transparent mode .................................................................................... |
58 |
Starting the setup wizard .............................................................................................. |
58 |
Reconnecting to the web-based manager .................................................................... |
58 |
Using the command line interface..................................................................................... |
59 |
Changing to Transparent mode .................................................................................... |
59 |
Configuring the Transparent mode management IP address ....................................... |
59 |
Configure the Transparent mode default gateway........................................................ |
59 |
Connecting the FortiGate unit to your networks................................................................ |
60 |
4 |
Fortinet Inc. |
Contents
Completing the configuration ............................................................................................ |
61 |
Setting the date and time .............................................................................................. |
61 |
Enabling antivirus protection......................................................................................... |
61 |
Registering your FortiGate............................................................................................ |
61 |
Configuring virus and attack definition updates ............................................................ |
61 |
Transparent mode configuration examples....................................................................... |
62 |
Default routes and static routes .................................................................................... |
62 |
Example default route to an external network............................................................... |
63 |
Example static route to an external destination ............................................................ |
64 |
Example static route to an internal destination ............................................................. |
67 |
System status....................................................................................................... |
69 |
Changing the FortiGate host name................................................................................... |
70 |
Changing the FortiGate firmware...................................................................................... |
70 |
Upgrade to a new firmware version .............................................................................. |
71 |
Revert to a previous firmware version .......................................................................... |
72 |
Install a firmware image from a system reboot using the CLI ....................................... |
75 |
Test a new firmware image before installing it.............................................................. |
77 |
Installing and using a backup firmware image .............................................................. |
79 |
Manual virus definition updates ........................................................................................ |
82 |
Manual attack definition updates ...................................................................................... |
83 |
Displaying the FortiGate serial number............................................................................. |
83 |
Displaying the FortiGate up time....................................................................................... |
83 |
Backing up system settings .............................................................................................. |
83 |
Restoring system settings................................................................................................. |
84 |
Restoring system settings to factory defaults ................................................................... |
84 |
Changing to Transparent mode ........................................................................................ |
85 |
Changing to NAT/Route mode.......................................................................................... |
85 |
Restarting the FortiGate unit............................................................................................. |
85 |
Shutting down the FortiGate unit ...................................................................................... |
86 |
System status ................................................................................................................... |
86 |
Viewing CPU and memory status ................................................................................. |
86 |
Viewing sessions and network status ........................................................................... |
87 |
Viewing virus and intrusions status............................................................................... |
88 |
Session list........................................................................................................................ |
89 |
FortiGate-100 Installation and Configuration Guide |
5 |
Contents
Virus and attack definitions updates and registration ..................................... |
91 |
Updating antivirus and attack definitions .......................................................................... |
91 |
Connecting to the FortiResponse Distribution Network ................................................ |
92 |
Configuring scheduled updates .................................................................................... |
93 |
Configuring update logging ........................................................................................... |
94 |
Adding an override server............................................................................................. |
95 |
Manually updating antivirus and attack definitions........................................................ |
95 |
Configuring push updates ............................................................................................. |
95 |
Push updates through a NAT device ............................................................................ |
96 |
Scheduled updates through a proxy server ................................................................ |
100 |
Registering FortiGate units ............................................................................................. |
101 |
FortiCare Service Contracts........................................................................................ |
101 |
Registering the FortiGate unit ..................................................................................... |
102 |
Updating registration information .................................................................................... |
104 |
Recovering a lost Fortinet support password.............................................................. |
104 |
Viewing the list of registered FortiGate units .............................................................. |
104 |
Registering a new FortiGate unit ................................................................................ |
105 |
Adding or changing a FortiCare Support Contract number......................................... |
105 |
Changing your Fortinet support password .................................................................. |
106 |
Changing your contact information or security question ............................................. |
106 |
Downloading virus and attack definitions updates ...................................................... |
106 |
Registering a FortiGate unit after an RMA...................................................................... |
107 |
Network configuration....................................................................................... |
109 |
Configuring interfaces..................................................................................................... |
109 |
Viewing the interface list ............................................................................................. |
110 |
Bringing up an interface .............................................................................................. |
110 |
Changing an interface static IP address ..................................................................... |
110 |
Adding a secondary IP address to an interface .......................................................... |
110 |
Adding a ping server to an interface ........................................................................... |
111 |
Controlling management access to an interface......................................................... |
111 |
Configuring traffic logging for connections to an interface .......................................... |
112 |
Configuring the external interface with a static IP address ......................................... |
112 |
Configuring the external interface for DHCP............................................................... |
112 |
Configuring the external interface for PPPoE ............................................................. |
113 |
Changing the external interface MTU size to improve network performance ............. |
113 |
Configuring the management interface (Transparent mode) ...................................... |
114 |
Adding DNS server IP addresses ................................................................................... |
115 |
6 |
Fortinet Inc. |
Contents
Configuring routing.......................................................................................................... |
115 |
Adding a default route................................................................................................. |
116 |
Adding destination-based routes to the routing table.................................................. |
116 |
Adding routes in Transparent mode............................................................................ |
117 |
Configuring the routing table....................................................................................... |
118 |
Policy routing .............................................................................................................. |
118 |
Providing DHCP services to your internal network ......................................................... |
119 |
RIP configuration ............................................................................................... |
121 |
RIP settings..................................................................................................................... |
122 |
Configuring RIP for FortiGate interfaces......................................................................... |
124 |
Adding RIP neighbors..................................................................................................... |
125 |
Adding RIP filters ............................................................................................................ |
126 |
Adding a single RIP filter............................................................................................. |
126 |
Adding a RIP filter list.................................................................................................. |
127 |
Adding a neighbors filter ............................................................................................. |
128 |
Adding a routes filter ................................................................................................... |
128 |
System configuration ........................................................................................ |
129 |
Setting system date and time.......................................................................................... |
129 |
Changing web-based manager options .......................................................................... |
130 |
Adding and editing administrator accounts ..................................................................... |
132 |
Adding new administrator accounts ............................................................................ |
132 |
Editing administrator accounts.................................................................................... |
133 |
Configuring SNMP .......................................................................................................... |
134 |
Configuring the FortiGate unit for SNMP monitoring .................................................. |
134 |
Configuring FortiGate SNMP support ......................................................................... |
134 |
FortiGate MIBs............................................................................................................ |
135 |
FortiGate traps ............................................................................................................ |
136 |
Customizing replacement messages .............................................................................. |
136 |
Customizing replacement messages .......................................................................... |
137 |
Customizing alert emails............................................................................................. |
138 |
Firewall configuration........................................................................................ |
141 |
Default firewall configuration........................................................................................... |
142 |
Addresses ................................................................................................................... |
142 |
Services ...................................................................................................................... |
143 |
Schedules ................................................................................................................... |
143 |
Content profiles........................................................................................................... |
143 |
Adding firewall policies.................................................................................................... |
144 |
Firewall policy options................................................................................................. |
145 |
FortiGate-100 Installation and Configuration Guide |
7 |
Contents
Configuring policy lists .................................................................................................... |
149 |
Policy matching in detail ............................................................................................. |
149 |
Changing the order of policies in a policy list.............................................................. |
149 |
Enabling and disabling policies................................................................................... |
150 |
Addresses ....................................................................................................................... |
150 |
Adding addresses ....................................................................................................... |
151 |
Editing addresses ....................................................................................................... |
152 |
Deleting addresses ..................................................................................................... |
152 |
Organizing addresses into address groups ................................................................ |
152 |
Services .......................................................................................................................... |
153 |
Predefined services .................................................................................................... |
153 |
Providing access to custom services .......................................................................... |
156 |
Grouping services ....................................................................................................... |
156 |
Schedules ....................................................................................................................... |
157 |
Creating one-time schedules ...................................................................................... |
158 |
Creating recurring schedules ...................................................................................... |
158 |
Adding a schedule to a policy ..................................................................................... |
159 |
Virtual IPs........................................................................................................................ |
160 |
Adding static NAT virtual IPs ...................................................................................... |
160 |
Adding port forwarding virtual IPs ............................................................................... |
161 |
Adding policies with virtual IPs.................................................................................... |
163 |
IP pools ........................................................................................................................... |
164 |
Adding an IP pool........................................................................................................ |
164 |
IP Pools for firewall policies that use fixed ports......................................................... |
165 |
IP pools and dynamic NAT ......................................................................................... |
165 |
IP/MAC binding............................................................................................................... |
166 |
Configuring IP/MAC binding for packets going through the firewall............................ |
166 |
Configuring IP/MAC binding for packets going to the firewall ..................................... |
167 |
Adding IP/MAC addresses.......................................................................................... |
167 |
Viewing the dynamic IP/MAC list ................................................................................ |
168 |
Enabling IP/MAC binding ............................................................................................ |
168 |
Content profiles............................................................................................................... |
169 |
Default content profiles ............................................................................................... |
170 |
Adding a content profile .............................................................................................. |
170 |
Adding a content profile to a policy ............................................................................. |
171 |
Users and authentication .................................................................................. |
173 |
Setting authentication timeout......................................................................................... |
174 |
Adding user names and configuring authentication........................................................ |
174 |
Adding user names and configuring authentication .................................................... |
174 |
Deleting user names from the internal database ........................................................ |
175 |
Configuring RADIUS support.......................................................................................... |
176 |
Adding RADIUS servers ............................................................................................. |
176 |
Deleting RADIUS servers ........................................................................................... |
176 |
8 |
Fortinet Inc. |
Contents
Configuring LDAP support .............................................................................................. |
177 |
Adding LDAP servers.................................................................................................. |
177 |
Deleting LDAP servers................................................................................................ |
178 |
Configuring user groups.................................................................................................. |
179 |
Adding user groups..................................................................................................... |
179 |
Deleting user groups................................................................................................... |
180 |
IPSec VPN........................................................................................................... |
181 |
Key management............................................................................................................ |
182 |
Manual Keys ............................................................................................................... |
182 |
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... |
182 |
Manual key IPSec VPNs................................................................................................. |
183 |
General configuration steps for a manual key VPN .................................................... |
183 |
Adding a manual key VPN tunnel ............................................................................... |
183 |
AutoIKE IPSec VPNs...................................................................................................... |
185 |
General configuration steps for an AutoIKE VPN ....................................................... |
185 |
Adding a phase 1 configuration for an AutoIKE VPN.................................................. |
185 |
Adding a phase 2 configuration for an AutoIKE VPN.................................................. |
189 |
Managing digital certificates............................................................................................ |
191 |
Obtaining a signed local certificate ............................................................................. |
191 |
Obtaining a CA certificate ........................................................................................... |
195 |
Configuring encrypt policies............................................................................................ |
196 |
Adding a source address ............................................................................................ |
197 |
Adding a destination address...................................................................................... |
197 |
Adding an encrypt policy............................................................................................. |
197 |
IPSec VPN concentrators ............................................................................................... |
199 |
VPN concentrator (hub) general configuration steps .................................................. |
199 |
Adding a VPN concentrator ........................................................................................ |
201 |
VPN spoke general configuration steps...................................................................... |
202 |
Redundant IPSec VPNs.................................................................................................. |
203 |
Configuring redundant IPSec VPN ............................................................................. |
203 |
Monitoring and Troubleshooting VPNs ........................................................................... |
205 |
Viewing VPN tunnel status.......................................................................................... |
205 |
Viewing dialup VPN connection status ....................................................................... |
205 |
Testing a VPN............................................................................................................. |
206 |
PPTP and L2TP VPN .......................................................................................... |
207 |
Configuring PPTP ........................................................................................................... |
207 |
Configuring the FortiGate unit as a PPTP gateway .................................................... |
208 |
Configuring a Windows 98 client for PPTP ................................................................. |
210 |
Configuring a Windows 2000 client for PPTP ............................................................. |
211 |
Configuring a Windows XP client for PPTP ................................................................ |
212 |
FortiGate-100 Installation and Configuration Guide |
9 |
Contents
Configuring L2TP............................................................................................................ |
213 |
Configuring the FortiGate unit as a L2TP gateway ..................................................... |
214 |
Configuring a Windows 2000 client for L2TP.............................................................. |
217 |
Configuring a Windows XP client for L2TP ................................................................. |
218 |
Network Intrusion Detection System (NIDS) ................................................... |
221 |
Detecting attacks ............................................................................................................ |
221 |
Selecting the interfaces to monitor.............................................................................. |
222 |
Disabling the NIDS...................................................................................................... |
222 |
Configuring checksum verification .............................................................................. |
222 |
Viewing the signature list ............................................................................................ |
223 |
Viewing attack descriptions......................................................................................... |
223 |
Enabling and disabling NIDS attack signatures .......................................................... |
224 |
Adding user-defined signatures .................................................................................. |
224 |
Preventing attacks .......................................................................................................... |
225 |
Enabling NIDS attack prevention ................................................................................ |
225 |
Enabling NIDS attack prevention signatures .............................................................. |
226 |
Setting signature threshold values.............................................................................. |
226 |
Configuring synflood signature values ........................................................................ |
228 |
Logging attacks............................................................................................................... |
228 |
Logging attack messages to the attack log................................................................. |
228 |
Reducing the number of NIDS attack log and email messages.................................. |
229 |
Antivirus protection........................................................................................... |
231 |
General configuration steps............................................................................................ |
231 |
Antivirus scanning........................................................................................................... |
232 |
File blocking.................................................................................................................... |
233 |
Blocking files in firewall traffic ..................................................................................... |
233 |
Adding file patterns to block........................................................................................ |
233 |
Blocking oversized files and emails ................................................................................ |
234 |
Configuring limits for oversized files and email........................................................... |
234 |
Exempting fragmented email from blocking.................................................................... |
234 |
Viewing the virus list ....................................................................................................... |
234 |
Web filtering ....................................................................................................... |
235 |
General configuration steps............................................................................................ |
235 |
Content blocking ............................................................................................................. |
236 |
Adding words and phrases to the banned word list .................................................... |
236 |
URL blocking................................................................................................................... |
237 |
Using the FortiGate web filter ..................................................................................... |
237 |
Using the Cerberian web filter..................................................................................... |
240 |
Script filtering .................................................................................................................. |
242 |
Enabling the script filter............................................................................................... |
242 |
Selecting script filter options ....................................................................................... |
242 |
10 |
Fortinet Inc. |
Contents
Exempt URL list .............................................................................................................. |
243 |
Adding URLs to the exempt URL list .......................................................................... |
243 |
Email filter........................................................................................................... |
245 |
General configuration steps............................................................................................ |
245 |
Email banned word list.................................................................................................... |
246 |
Adding words and phrases to the banned word list .................................................... |
246 |
Email block list ................................................................................................................ |
247 |
Adding address patterns to the email block list........................................................... |
247 |
Email exempt list............................................................................................................. |
247 |
Adding address patterns to the email exempt list ....................................................... |
248 |
Adding a subject tag ....................................................................................................... |
248 |
Logging and reporting....................................................................................... |
249 |
Recording logs ................................................................................................................ |
249 |
Recording logs on a remote computer........................................................................ |
250 |
Recording logs on a NetIQ WebTrends server ........................................................... |
250 |
Recording logs in system memory.............................................................................. |
251 |
Filtering log messages .................................................................................................... |
251 |
Configuring traffic logging ............................................................................................... |
253 |
Enabling traffic logging................................................................................................ |
253 |
Configuring traffic filter settings................................................................................... |
254 |
Adding traffic filter entries ........................................................................................... |
254 |
Viewing logs saved to memory ....................................................................................... |
255 |
Viewing logs................................................................................................................ |
255 |
Searching logs ............................................................................................................ |
256 |
Configuring alert email .................................................................................................... |
256 |
Adding alert email addresses...................................................................................... |
256 |
Testing alert email....................................................................................................... |
257 |
Enabling alert email .................................................................................................... |
257 |
Glossary ............................................................................................................. |
259 |
Index .................................................................................................................... |
263 |
FortiGate-100 Installation and Configuration Guide |
11 |
Contents
12 |
Fortinet Inc. |
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2
The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:
•application-level services such as virus protection and content filtering,
•network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.
The FortiGate-100 model is an easy-to- deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office, and branch office applications. The
FortiGate installation wizard guides users through a simple process that enables most installations to be up and running in minutes.
FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards an replacement message to the intended recipient.
FortiGate-100 Installation and Configuration Guide |
13 |
Introduction
For extra protection, you also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses.
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period.
The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
•detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
•detect viruses in compressed files using the PKZip format,
•detect viruses in e-mail that has been encoded using uuencode format,
•detect viruses in e-mail that has been encoded using MIME encoding,
•log all actions taken while scanning.
FortiGate web content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. If a match is found between a URL on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the FortiGate blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can be configured to block unsecure web content such as Java Applets, Cookies, and ActiveX.
You can also use the Cerberian URL blocking to block unwanted URLs.
FortiGate Email filtering can be configured to scan all IMAP and POP3 email content for unwanted senders or for unwanted content. If a match is found between a sender address pattern on the Email block list, or if an email is found to contain a word or phrase in the banned word list, the FortiGate adds a Email tag to subject line of the email. Receivers can then use their mail client software to filter messages based on the Email tag.
14 |
Fortinet Inc. |
Introduction |
NAT/Route mode |
|
|
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen for and secure corporate networks against a wide range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
•control all incoming and outgoing network traffic,
•control encrypted VPN traffic,
•apply antivirus protection and web content filtering,
•block or allow access for all policy options,
•control when individual policies are in effect,
•accept or deny traffic to and from individual addresses,
•control standard and user defined network services individually or in groups,
•require users to authenticate before gaining access,
•include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
•include logging to track connections for individual policies,
•include Network address translation (NAT) mode and Route mode policies,
•include Mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
•NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
•Route mode policies accept or deny connections between networks without performing address translation.
FortiGate-100 Installation and Configuration Guide |
15 |
Transparent mode |
Introduction |
|
|
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.
The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity. NIDS detection uses attack signatures to identify over 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packetbased attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates.
VPN
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
FortiGate VPN features include the following:
•Industry standard and ICSA-certified IPSec VPN including:
•IPSec, ESP security in tunnel mode,
•DES, 3DES (triple-DES), and AES hardware accelerated encryption,
•HMAC MD5 and HMAC SHA1 authentication and data integrity,
•AutoIKE key based on pre-shared key tunnels,
•IPSec VPN using local or CA certificates,
•Manual Keys tunnels,
•Diffie-Hellman groups 1, 2, and 5,
•Aggressive and Main Mode,
•Replay Detection,
•Perfect Forward Secrecy,
•XAuth authentication,
•Dead peer detection.
16 |
Fortinet Inc. |
Introduction |
Web-based manager |
|
|
•PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
•L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
•Firewall policy based control of IPSec VPN traffic.
•IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
•VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGate unit.
•IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.
Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web-based manager to customize advanced FortiGate features to meet your needs.
You can also create a basic configuration using the FortiGate command line interface (CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPs administration from any FortiGate interface.
You can use the web-based manager for most FortiGate configuration settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time.
FortiGate-100 Installation and Configuration Guide |
17 |
Command line interface |
Introduction |
|
|
Figure 1: The FortiGate web-based manager and setup wizard
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.
18 |
Fortinet Inc. |
Introduction |
Logging and reporting |
|
|
Logging and reporting
The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:
•report traffic that connects to the firewall,
•report network services used,
•report traffic permitted by firewall policies,
•report traffic that was denied by firewall policies,
•report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
•report attacks detected by the NIDS,
•send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.
This section presents a brief summary of some of the new features in FortiOS v2.50:
•Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See “System status” on page 86.
•Revised antivirus and attack definition update functionality that connects to a new version of the FortiResponse Distribution network. Updates can now be scheduled hourly and the System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions” on page 91.
•Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units” on page 101.
•New interface configuration options. See “Configuring interfaces” on page 109.
•Ping server and dead gateway detection for all interfaces.
•HTTP and Telnet administrative access to any interface.
•Secondary IP addresses for all FortiGate interfaces.
•Simplified direction-based routing configuration.
•Advanced policy routing (CLI only).
FortiGate-100 Installation and Configuration Guide |
19 |
Firewall |
Introduction |
|
|
•Addition of a WINS server to DHCP configuration.
•Reserve IP/MAC pair combinations for DHCP servers (CLI only).
RIP
•New RIP v1 and v2 functionality. See “RIP configuration” on page 121.
•SNMP v1 and v2 support.
•Support for RFC 1213 and RFC 2665
•Monitoring of all FortiGate configuration and functionality
•See “Configuring SNMP” on page 134
You can customize messages sent by the FortiGate unit:
•When a virus is detected,
•When a file is blocked,
•When a fragmented email is blocked
•When an alert email is sent
See “Customizing replacement messages” on page 136.
Firewall
•The firewall default configuration has changed. See “Default firewall configuration” on page 142.
•Add virtual IPs to all interfaces. See “Virtual IPs” on page 160.
•Add content profiles to firewall policies to configure blocking, scanning, quarantine, web content blocking, and email filtering. See “Content profiles” on page 169.
•LDAP authentication. See “Configuring LDAP support” on page 177.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN functionality. New features include:
•Phase 1
•AES encryption
•Certificates
•Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
•Phase 2
•AES encryption
•Encryption policies select service
•Generate and import local certificates
•Import CA certificates
20 |
Fortinet Inc. |
Introduction |
NIDS |
|
|
NIDS
See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:
•Attack detection signature groups
•User-configuration attack prevention
•Monitor multiple interfaces for attacks
•User-defined attack detection signatures
See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include:
•Content profiles
•Blocking oversized files
See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality. New features include:
•Cerberian URL Filtering
See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality.
See the FortiGate Logging and Message Reference Guide for a complete description of FortiGate logging.
•Log to remote host CSV format
•Log message levels: Emergency, Alert, critical, error, Warning, notification, information
•Log level policies
•Traffic log filter
•New antivirus, web filter, and email filter logs
•Alert email supports authentication
•Suppress email flooding
•Extended WebTrends support for graphing activity
FortiGate-100 Installation and Configuration Guide |
21 |
Logging and Reporting |
Introduction |
|
|
This installation and configuration guide describes how to install and configure the
FortiGate-100. This document contains the following information:
•Getting started describes unpacking, mounting, and powering on the FortiGate.
•NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
•Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.
•System status describes how to view the current status of your FortiGate unit and related status procedures including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.
•Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support webs site and for registering your FortiGate unit.
•Network configuration describes configuring interfaces, configuring routing, and configuring the FortiGate as a DHCP server for your internal network.
•RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings.
•System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changed administrative users, configuring SNMP, and editing replacement messages.
•Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic.
•Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users.
•IPSec VPN describes how to configure FortiGate IPSec VPN.
•PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a windows client.
•Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks.
•Antivirus protection describes how use the FortiGate to protect your network from viruses and worms.
•Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate.
•Email filter describes how to configure email filtering to screen unwanted email content.
•Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate.
•The Glossary defines many of the terms used in this document.
22 |
Fortinet Inc. |
Introduction |
Logging and Reporting |
|
|
This guide uses the following conventions to describe CLI command syntax.
•angle brackets < > to indicate variable keywords For example:
execute restore config <filename_str>
You enter restore config myfile.bak <xxx_str> indicates an ASCII string variable keyword. <xxx_integer> indicates an integer variable keyword. <xxx_ip> indicates an IP address variable keyword.
•vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent
•square brackets [ ] to indicate that a keyword is optional For example:
get firewall ipmacbinding [dhcpipmac] You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
FortiGate-100 Installation and Configuration Guide |
23 |
Comments on Fortinet technical documentation |
Introduction |
|
|
Information about FortiGate products is available from the following FortiGate User
Manual volumes:
•Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
•Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, preshared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
•Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
•Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
•Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
•Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
24 |
Fortinet Inc. |
Introduction |
Comments on Fortinet technical documentation |
|
|
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
•Your name
•Company name
•Location
•Email address
•Telephone number
•FortiGate unit serial number
•FortiGate model
•FortiGate FortiOS firmware version
•Detailed description of the problem
FortiGate-100 Installation and Configuration Guide |
25 |
Comments on Fortinet technical documentation |
Introduction |
|
|
26 |
Fortinet Inc. |
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
•If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 43.
•If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 57.
This chapter describes:
•Package contents
•Mounting
•Powering on
•Connecting to the web-based manager
•Connecting to the command line interface (CLI)
•Factory default FortiGate configuration settings
•Planning your FortiGate configuration
•FortiGate model maximum values matrix
•Next steps
FortiGate-100 Installation and Configuration Guide |
27 |
Getting started
The FortiGate-100 package contains the following items:
•FortiGate-100 Antivirus Firewall
•one orange crossover ethernet cable
•one gray regular ethernet cable
•one null modem cable
•FortiGate-100 Quick Start Guide
•CD containing the FortiGate user documentation
•one power cable and AC adapter
Figure 2: FortiGate-100 package contents
Front
Ethernet Cables:
Orange - Crossover
Grey - Straight-through
POWER
INTERNAL EXTERNAL DMZ
STATUS |
Null-Modem Cable
(RS-232)
Internal, External, DMZ |
Status |
Power |
Interfaces |
LED |
LED |
Back
DC +12V 5A |
Console |
DMZ |
External |
Internal |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Power |
RS-232 Serial |
DMZ, External, Internal |
|||||||||||
Connection |
Connection |
|
|
|
Interfaces |
Power Cable Power Supply
FortiGate-100
QuickStart Guide
Copyright 2003 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.
Documentation
The FortiGate-100 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
•10.25 x 6.13 x 1.75 in. (26 x 15.6 x 4.5 cm)
•1.75 lb. (0.8 kg)
•DC input voltage: 12 V
•DC input current: 5 A
28 |
Fortinet Inc. |
Getting started
•Operating temperature: 32 to 104°F (0 to 40°C)
•Storage temperature: -13 to 158°F (-25 to 70°C)
•Humidity: 5 to 95% non-condensing
To power on the FortiGate-100 unit:
1Connect the AC adapter to the power connection at the back of the FortiGate-100 unit.
2Connect the AC adapter to the power cable.
3Connect the power cable to a power outlet.
The FortiGate-100 unit starts up. The Power and Status lights light. The Status light flashes while the FortiGate-100 unit is starting up and remains lit when the system is up and running.
Table 1: FortiGate-100 LED indicators
LED |
State |
Description |
|
|
|
|
|
Power |
Green |
The FortiGate unit is powered on. |
|
|
|
|
|
|
Off |
The FortiGate unit is powered off. |
|
|
|
|
|
Status |
Flashing |
The FortiGate unit is starting up. |
|
|
green |
|
|
|
Green |
The FortiGate unit is running normally. |
|
|
|
|
|
|
Off |
The FortiGate unit is powered off. |
|
|
|
|
|
Internal |
Green |
The correct cable is in use, and the connected equipment has |
|
External |
|
power. |
|
DMZ |
Flashing |
Network activity at this interface. |
|
(front) |
green |
|
|
|
Off |
No link established. |
|
|
|
|
|
Internal |
Green |
The correct cable is in use, and the connected equipment has |
|
External |
|
power. |
|
DMZ |
Flashing |
Network activity at this interface. |
|
interfaces |
amber |
|
|
(back) |
|
|
|
Off |
No link established. |
||
|
|||
|
|
|
FortiGate-100 Installation and Configuration Guide |
29 |
Getting started
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service.
To connect to the web-based manager, you need:
•a computer with an ethernet connection,
•Internet Explorer version 4.0 or higher,
•a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web-based manager
1Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
2Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the FortiGate unit to the computer ethernet connection.
3Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://).
The FortiGate login is displayed.
4Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 3: FortiGate login
30 |
Fortinet Inc. |