Fortinet FortiGate 100 User Manual


FortiGate 100 Installation and Configuration Guide

[Front panel illustration: INTERNAL, EXTERNAL, DMZ, POWER, STATUS]

FortiGate User Manual Volume 1

Version 2.50 MR2

18 August 2003

© Copyright 2003 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-100 Installation and Configuration Guide

Version 2.50 MR2

18 August 2003

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Contents

Introduction .... 13
    Antivirus protection .... 13
    Web content filtering .... 14
    Email filtering .... 14
    Firewall .... 15
        NAT/Route mode .... 15
        Transparent mode .... 16
    Network intrusion detection .... 16
    VPN .... 16
    Secure installation, configuration, and management .... 17
        Web-based manager .... 17
        Command line interface .... 18
        Logging and reporting .... 19
    What's new in Version 2.50 .... 19
        System administration .... 19
        Firewall .... 20
        Users and authentication .... 20
        VPN .... 20
        NIDS .... 21
        Antivirus .... 21
        Web Filter .... 21
        Email filter .... 21
        Logging and Reporting .... 21
    About this document .... 22
    Document conventions .... 23
    Fortinet documentation .... 24
        Comments on Fortinet technical documentation .... 24
    Customer service and technical support .... 25

Getting started .... 27
    Package contents .... 28
    Mounting .... 28
    Powering on .... 29
    Connecting to the web-based manager .... 30
    Connecting to the command line interface (CLI) .... 31
    Factory default FortiGate configuration settings .... 31
        Factory default NAT/Route mode network configuration .... 32
        Factory default Transparent mode network configuration .... 33
        Factory default firewall configuration .... 33
        Factory default content profiles .... 34


    Planning your FortiGate configuration .... 37
        NAT/Route mode .... 37
        NAT/Route mode with multiple external network connections .... 38
        Transparent mode .... 38
        Configuration options .... 39
    FortiGate model maximum values matrix .... 40
    Next steps .... 41

NAT/Route mode installation .... 43
    Preparing to configure NAT/Route mode .... 43
        Advanced NAT/Route mode settings .... 44
        DMZ interface .... 44
    Using the setup wizard .... 45
        Starting the setup wizard .... 45
        Reconnecting to the web-based manager .... 45
    Using the command line interface .... 45
        Configuring the FortiGate unit to operate in NAT/Route mode .... 45
    Connecting the FortiGate unit to your networks .... 47
    Configuring your networks .... 48
    Completing the configuration .... 48
        Configuring the DMZ interface .... 48
        Setting the date and time .... 48
        Enabling antivirus protection .... 49
        Registering your FortiGate .... 49
        Configuring virus and attack definition updates .... 49
    Configuration example: Multiple connections to the Internet .... 49
        Configuring Ping servers .... 51
        Destination based routing examples .... 51
        Policy routing examples .... 54
        Firewall policy example .... 55

Transparent mode installation .... 57
    Preparing to configure Transparent mode .... 57
    Using the setup wizard .... 58
        Changing to Transparent mode .... 58
        Starting the setup wizard .... 58
        Reconnecting to the web-based manager .... 58
    Using the command line interface .... 59
        Changing to Transparent mode .... 59
        Configuring the Transparent mode management IP address .... 59
        Configure the Transparent mode default gateway .... 59
    Connecting the FortiGate unit to your networks .... 60


    Completing the configuration .... 61
        Setting the date and time .... 61
        Enabling antivirus protection .... 61
        Registering your FortiGate .... 61
        Configuring virus and attack definition updates .... 61
    Transparent mode configuration examples .... 62
        Default routes and static routes .... 62
        Example default route to an external network .... 63
        Example static route to an external destination .... 64
        Example static route to an internal destination .... 67

System status .... 69
    Changing the FortiGate host name .... 70
    Changing the FortiGate firmware .... 70
        Upgrade to a new firmware version .... 71
        Revert to a previous firmware version .... 72
        Install a firmware image from a system reboot using the CLI .... 75
        Test a new firmware image before installing it .... 77
        Installing and using a backup firmware image .... 79
    Manual virus definition updates .... 82
    Manual attack definition updates .... 83
    Displaying the FortiGate serial number .... 83
    Displaying the FortiGate up time .... 83
    Backing up system settings .... 83
    Restoring system settings .... 84
    Restoring system settings to factory defaults .... 84
    Changing to Transparent mode .... 85
    Changing to NAT/Route mode .... 85
    Restarting the FortiGate unit .... 85
    Shutting down the FortiGate unit .... 86
    System status .... 86
        Viewing CPU and memory status .... 86
        Viewing sessions and network status .... 87
        Viewing virus and intrusions status .... 88
    Session list .... 89


Virus and attack definitions updates and registration .... 91
    Updating antivirus and attack definitions .... 91
        Connecting to the FortiResponse Distribution Network .... 92
        Configuring scheduled updates .... 93
        Configuring update logging .... 94
        Adding an override server .... 95
        Manually updating antivirus and attack definitions .... 95
        Configuring push updates .... 95
        Push updates through a NAT device .... 96
        Scheduled updates through a proxy server .... 100
    Registering FortiGate units .... 101
        FortiCare Service Contracts .... 101
        Registering the FortiGate unit .... 102
    Updating registration information .... 104
        Recovering a lost Fortinet support password .... 104
        Viewing the list of registered FortiGate units .... 104
        Registering a new FortiGate unit .... 105
        Adding or changing a FortiCare Support Contract number .... 105
        Changing your Fortinet support password .... 106
        Changing your contact information or security question .... 106
        Downloading virus and attack definitions updates .... 106
    Registering a FortiGate unit after an RMA .... 107

Network configuration .... 109
    Configuring interfaces .... 109
        Viewing the interface list .... 110
        Bringing up an interface .... 110
        Changing an interface static IP address .... 110
        Adding a secondary IP address to an interface .... 110
        Adding a ping server to an interface .... 111
        Controlling management access to an interface .... 111
        Configuring traffic logging for connections to an interface .... 112
        Configuring the external interface with a static IP address .... 112
        Configuring the external interface for DHCP .... 112
        Configuring the external interface for PPPoE .... 113
        Changing the external interface MTU size to improve network performance .... 113
        Configuring the management interface (Transparent mode) .... 114
    Adding DNS server IP addresses .... 115


    Configuring routing .... 115
        Adding a default route .... 116
        Adding destination-based routes to the routing table .... 116
        Adding routes in Transparent mode .... 117
        Configuring the routing table .... 118
        Policy routing .... 118
    Providing DHCP services to your internal network .... 119

RIP configuration .... 121
    RIP settings .... 122
    Configuring RIP for FortiGate interfaces .... 124
    Adding RIP neighbors .... 125
    Adding RIP filters .... 126
        Adding a single RIP filter .... 126
        Adding a RIP filter list .... 127
        Adding a neighbors filter .... 128
        Adding a routes filter .... 128

System configuration .... 129
    Setting system date and time .... 129
    Changing web-based manager options .... 130
    Adding and editing administrator accounts .... 132
        Adding new administrator accounts .... 132
        Editing administrator accounts .... 133
    Configuring SNMP .... 134
        Configuring the FortiGate unit for SNMP monitoring .... 134
        Configuring FortiGate SNMP support .... 134
        FortiGate MIBs .... 135
        FortiGate traps .... 136
    Customizing replacement messages .... 136
        Customizing replacement messages .... 137
        Customizing alert emails .... 138

Firewall configuration .... 141
    Default firewall configuration .... 142
        Addresses .... 142
        Services .... 143
        Schedules .... 143
        Content profiles .... 143
    Adding firewall policies .... 144
        Firewall policy options .... 145


    Configuring policy lists .... 149
        Policy matching in detail .... 149
        Changing the order of policies in a policy list .... 149
        Enabling and disabling policies .... 150
    Addresses .... 150
        Adding addresses .... 151
        Editing addresses .... 152
        Deleting addresses .... 152
        Organizing addresses into address groups .... 152
    Services .... 153
        Predefined services .... 153
        Providing access to custom services .... 156
        Grouping services .... 156
    Schedules .... 157
        Creating one-time schedules .... 158
        Creating recurring schedules .... 158
        Adding a schedule to a policy .... 159
    Virtual IPs .... 160
        Adding static NAT virtual IPs .... 160
        Adding port forwarding virtual IPs .... 161
        Adding policies with virtual IPs .... 163
    IP pools .... 164
        Adding an IP pool .... 164
        IP Pools for firewall policies that use fixed ports .... 165
        IP pools and dynamic NAT .... 165
    IP/MAC binding .... 166
        Configuring IP/MAC binding for packets going through the firewall .... 166
        Configuring IP/MAC binding for packets going to the firewall .... 167
        Adding IP/MAC addresses .... 167
        Viewing the dynamic IP/MAC list .... 168
        Enabling IP/MAC binding .... 168
    Content profiles .... 169
        Default content profiles .... 170
        Adding a content profile .... 170
        Adding a content profile to a policy .... 171

Users and authentication .... 173
    Setting authentication timeout .... 174
    Adding user names and configuring authentication .... 174
        Adding user names and configuring authentication .... 174
        Deleting user names from the internal database .... 175
    Configuring RADIUS support .... 176
        Adding RADIUS servers .... 176
        Deleting RADIUS servers .... 176


    Configuring LDAP support .... 177
        Adding LDAP servers .... 177
        Deleting LDAP servers .... 178
    Configuring user groups .... 179
        Adding user groups .... 179
        Deleting user groups .... 180

IPSec VPN .... 181
    Key management .... 182
        Manual Keys .... 182
        Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates .... 182
    Manual key IPSec VPNs .... 183
        General configuration steps for a manual key VPN .... 183
        Adding a manual key VPN tunnel .... 183
    AutoIKE IPSec VPNs .... 185
        General configuration steps for an AutoIKE VPN .... 185
        Adding a phase 1 configuration for an AutoIKE VPN .... 185
        Adding a phase 2 configuration for an AutoIKE VPN .... 189
    Managing digital certificates .... 191
        Obtaining a signed local certificate .... 191
        Obtaining a CA certificate .... 195
    Configuring encrypt policies .... 196
        Adding a source address .... 197
        Adding a destination address .... 197
        Adding an encrypt policy .... 197
    IPSec VPN concentrators .... 199
        VPN concentrator (hub) general configuration steps .... 199
        Adding a VPN concentrator .... 201
        VPN spoke general configuration steps .... 202
    Redundant IPSec VPNs .... 203
        Configuring redundant IPSec VPN .... 203
    Monitoring and Troubleshooting VPNs .... 205
        Viewing VPN tunnel status .... 205
        Viewing dialup VPN connection status .... 205
        Testing a VPN .... 206

PPTP and L2TP VPN .... 207
    Configuring PPTP .... 207
        Configuring the FortiGate unit as a PPTP gateway .... 208
        Configuring a Windows 98 client for PPTP .... 210
        Configuring a Windows 2000 client for PPTP ....

211

Configuring a Windows XP client for PPTP ................................................................

212

FortiGate-100 Installation and Configuration Guide

9

Contents

Configuring L2TP............................................................................................................

213

Configuring the FortiGate unit as a L2TP gateway .....................................................

214

Configuring a Windows 2000 client for L2TP..............................................................

217

Configuring a Windows XP client for L2TP .................................................................

218

Network Intrusion Detection System (NIDS) ...................................................

221

Detecting attacks ............................................................................................................

221

Selecting the interfaces to monitor..............................................................................

222

Disabling the NIDS......................................................................................................

222

Configuring checksum verification ..............................................................................

222

Viewing the signature list ............................................................................................

223

Viewing attack descriptions.........................................................................................

223

Enabling and disabling NIDS attack signatures ..........................................................

224

Adding user-defined signatures ..................................................................................

224

Preventing attacks ..........................................................................................................

225

Enabling NIDS attack prevention ................................................................................

225

Enabling NIDS attack prevention signatures ..............................................................

226

Setting signature threshold values..............................................................................

226

Configuring synflood signature values ........................................................................

228

Logging attacks...............................................................................................................

228

Logging attack messages to the attack log.................................................................

228

Reducing the number of NIDS attack log and email messages..................................

229

Antivirus protection...........................................................................................

231

General configuration steps............................................................................................

231

Antivirus scanning...........................................................................................................

232

File blocking....................................................................................................................

233

Blocking files in firewall traffic .....................................................................................

233

Adding file patterns to block........................................................................................

233

Blocking oversized files and emails ................................................................................

234

Configuring limits for oversized files and email...........................................................

234

Exempting fragmented email from blocking....................................................................

234

Viewing the virus list .......................................................................................................

234

Web filtering .......................................................................................................

235

General configuration steps............................................................................................

235

Content blocking .............................................................................................................

236

Adding words and phrases to the banned word list ....................................................

236

URL blocking...................................................................................................................

237

Using the FortiGate web filter .....................................................................................

237

Using the Cerberian web filter.....................................................................................

240

Script filtering ..................................................................................................................

242

Enabling the script filter...............................................................................................

242

Selecting script filter options .......................................................................................

242

10

Fortinet Inc.

Contents

Exempt URL list ..............................................................................................................

243

Adding URLs to the exempt URL list ..........................................................................

243

Email filter...........................................................................................................

245

General configuration steps............................................................................................

245

Email banned word list....................................................................................................

246

Adding words and phrases to the banned word list ....................................................

246

Email block list ................................................................................................................

247

Adding address patterns to the email block list...........................................................

247

Email exempt list.............................................................................................................

247

Adding address patterns to the email exempt list .......................................................

248

Adding a subject tag .......................................................................................................

248

Logging and reporting.......................................................................................

249

Recording logs ................................................................................................................

249

Recording logs on a remote computer........................................................................

250

Recording logs on a NetIQ WebTrends server ...........................................................

250

Recording logs in system memory..............................................................................

251

Filtering log messages ....................................................................................................

251

Configuring traffic logging ...............................................................................................

253

Enabling traffic logging................................................................................................

253

Configuring traffic filter settings...................................................................................

254

Adding traffic filter entries ...........................................................................................

254

Viewing logs saved to memory .......................................................................................

255

Viewing logs................................................................................................................

255

Searching logs ............................................................................................................

256

Configuring alert email ....................................................................................................

256

Adding alert email addresses......................................................................................

256

Testing alert email.......................................................................................................

257

Enabling alert email ....................................................................................................

257

Glossary .............................................................................................................

259

Index ....................................................................................................................

263


Introduction

The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec and antivirus services.

Your FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities, including:

application-level services such as virus protection and content filtering,

network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.

The FortiGate-100 model is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office, and branch office applications. The FortiGate installation wizard guides users through a simple process that enables most installations to be up and running in minutes.

Antivirus protection

FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content for viruses as it passes through the FortiGate unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.


For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use this feature to stop files that may contain new viruses.

If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period.

The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or in encrypted IPSec VPN traffic.

ICSA Labs has certified that FortiGate Antivirus Firewalls:

detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),

detect viruses in compressed files using the PKZip format,

detect viruses in e-mail that has been encoded using uuencode format,

detect viruses in e-mail that has been encoded using MIME encoding,

log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can be configured to scan all HTTP protocol streams for URLs or for web page content. If a requested URL matches an entry on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.

You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely.

To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.

Web content filtering also includes a script filter feature that can be configured to block insecure web content such as Java applets, cookies, and ActiveX.

You can also use Cerberian URL blocking to block unwanted URLs.

Email filtering

FortiGate email filtering can be configured to scan all IMAP and POP3 email content for unwanted senders or for unwanted content. If a sender address matches a pattern on the email block list, or if an email is found to contain a word or phrase in the banned word list, the FortiGate unit adds an email tag to the subject line of the email. Recipients can then use their mail client software to filter messages based on the tag.


You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
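The decision order that the web content filtering and email filtering sections describe (an exempt entry overrides both the block list and the banned word list; otherwise the block list is checked, then the content) is shown below as an added Python example. It is constructed illustration code, not FortiGate code: the matching rules (a URL block entry covers the named page and everything beneath it, sender patterns are glob-style, banned words are matched as case-insensitive substrings), the `[Spam]` tag text, and the sample sites and addresses are all assumptions.

```python
"""Added example: exempt / block-list / banned-word precedence for the web
content filter and the email filter. Constructed illustration code, not
FortiGate code; the matching rules and the tag text are assumptions."""
import fnmatch
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class WebFilterConfig:
    url_block_list: list   # "site" blocks a whole site, "site/path" blocks part of it
    banned_words: list     # words or phrases that block a page when found in its content
    exempt_urls: list      # URLs (or URL prefixes) that override both lists


@dataclass
class EmailFilterConfig:
    sender_block_patterns: list   # glob patterns such as "*@bulkmail.example"
    banned_words: list            # words or phrases searched in subject and body
    sender_exempt_patterns: list  # override both the block list and the banned words
    tag: str = "[Spam]"           # assumed tag text prepended to the subject


def _url_key(url):
    """Normalise 'http://Host/path/' and 'host/path' to 'host/path'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.netloc.lower() + parts.path).rstrip("/")


def _url_match(url, entries):
    """Return the first entry that covers url: the same page, or any page beneath it."""
    key = _url_key(url)
    for entry in entries:
        entry_key = _url_key(entry)
        if key == entry_key or key.startswith(entry_key + "/"):
            return entry
    return None


def _sender_match(address, patterns):
    """Return the first glob pattern the sender address matches (case-insensitive)."""
    for pattern in patterns:
        if fnmatch.fnmatchcase(address.lower(), pattern.lower()):
            return pattern
    return None


def _banned_word(text, words):
    """Return the first banned word or phrase found in text (case-insensitive)."""
    lowered = text.lower()
    for word in words:
        if word.lower() in lowered:
            return word
    return None


def filter_web_request(cfg, url, page_text):
    """Decide ('allow' | 'block', reason) for one HTTP page. Exempt entries win."""
    hit = _url_match(url, cfg.exempt_urls)
    if hit:
        return "allow", "exempt:" + hit
    hit = _url_match(url, cfg.url_block_list)
    if hit:
        return "block", "url:" + hit
    hit = _banned_word(page_text, cfg.banned_words)
    if hit:
        return "block", "content:" + hit
    return "allow", "no match"


def filter_email(cfg, sender, subject, body):
    """Return (subject, reason); the subject is tagged when the message matched."""
    hit = _sender_match(sender, cfg.sender_exempt_patterns)
    if hit:
        return subject, "exempt:" + hit
    hit = _sender_match(sender, cfg.sender_block_patterns)
    if hit:
        return cfg.tag + " " + subject, "sender:" + hit
    hit = _banned_word(subject + "\n" + body, cfg.banned_words)
    if hit:
        return cfg.tag + " " + subject, "content:" + hit
    return subject, "no match"


# Constructed sample lists: the sites, addresses and words are made up.
WEB_CFG = WebFilterConfig(
    url_block_list=["games.example", "news.example/sports"],
    banned_words=["free casino", "warez"],
    exempt_urls=["news.example/sports/schedule"],
)
EMAIL_CFG = EmailFilterConfig(
    sender_block_patterns=["*@bulkmail.example", "promo*@*"],
    banned_words=["act now", "free casino"],
    sender_exempt_patterns=["alerts@bulkmail.example"],
)
```

With these lists, `news.example/sports/scores` is blocked by the partial-site entry while `news.example/sports/schedule/today` is allowed by the exempt entry, and a message from `alerts@bulkmail.example` keeps its subject even though both its sender domain and its body would otherwise match. The order of the checks is the point: an exempt entry is consulted first, so a legitimate source is never tagged or blocked by a broad pattern.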

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen for and secure corporate networks against a wide range of threats from public or other untrusted networks.

After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.

FortiGate policies include a complete range of options that:

control all incoming and outgoing network traffic,

control encrypted VPN traffic,

apply antivirus protection and web content filtering,

block or allow access for all policy options,

control when individual policies are in effect,

accept or deny traffic to and from individual addresses,

control standard and user defined network services individually or in groups,

require users to authenticate before gaining access,

include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,

include logging to track connections for individual policies,

include Network Address Translation (NAT) mode and Route mode policies,

include Mixed NAT and Route mode policies.

The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.

Route mode policies accept or deny connections between networks without performing address translation.


Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity. NIDS detection uses attack signatures to identify over 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined attack detection signatures.

NIDS prevention detects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.

To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.

Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates.

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

FortiGate VPN features include the following:

Industry standard and ICSA-certified IPSec VPN including:

IPSec, ESP security in tunnel mode,

DES, 3DES (triple-DES), and AES hardware accelerated encryption,

HMAC MD5 and HMAC SHA1 authentication and data integrity,

AutoIKE key tunnels based on pre-shared keys,

IPSec VPN using local or CA certificates,

Manual key tunnels,

Diffie-Hellman groups 1, 2, and 5,

Aggressive and Main Mode,

Replay Detection,

Perfect Forward Secrecy,

XAuth authentication,

Dead peer detection.


PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.

L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.

Firewall policy based control of IPSec VPN traffic.

IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.

VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGate unit.

IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

Secure installation, configuration, and management

Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web-based manager to customize advanced FortiGate features to meet your needs.

You can also create a basic configuration using the FortiGate command line interface (CLI).

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.

You can use the web-based manager for most FortiGate configuration settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time.


Figure 1: The FortiGate web-based manager and setup wizard

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet.

The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.


Logging and reporting

The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:

report traffic that connects to the firewall,

report network services used,

report traffic permitted by firewall policies,

report traffic that was denied by firewall policies,

report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,

report attacks detected by the NIDS,

send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.

Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.

What’s new in Version 2.50

This section presents a brief summary of some of the new features in FortiOS v2.50:

System administration

Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See “System status” on page 86.

Revised antivirus and attack definition update functionality that connects to a new version of the FortiResponse Distribution network. Updates can now be scheduled hourly and the System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions” on page 91.

Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units” on page 101.

Network configuration

New interface configuration options. See “Configuring interfaces” on page 109.

Ping server and dead gateway detection for all interfaces.

HTTP and Telnet administrative access to any interface.

Secondary IP addresses for all FortiGate interfaces.

Routing

Simplified direction-based routing configuration.

Advanced policy routing (CLI only).


DHCP server

Addition of a WINS server to DHCP configuration.

Reserve IP/MAC pair combinations for DHCP servers (CLI only).

RIP

New RIP v1 and v2 functionality. See “RIP configuration” on page 121.

SNMP

SNMP v1 and v2 support.

Support for RFC 1213 and RFC 2665.

Monitoring of all FortiGate configuration and functionality.

See “Configuring SNMP” on page 134.

Replacement messages

You can customize the messages sent by the FortiGate unit:

when a virus is detected,

when a file is blocked,

when a fragmented email is blocked,

when an alert email is sent.

See “Customizing replacement messages” on page 136.

Firewall

The firewall default configuration has changed. See “Default firewall configuration” on page 142.

Add virtual IPs to all interfaces. See “Virtual IPs” on page 160.

Add content profiles to firewall policies to configure blocking, scanning, quarantine, web content blocking, and email filtering. See “Content profiles” on page 169.

Users and authentication

LDAP authentication. See “Configuring LDAP support” on page 177.

VPN

See the FortiGate VPN Guide for a complete description of FortiGate VPN functionality. New features include:

Phase 1

AES encryption

Certificates

Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD

Phase 2

AES encryption

Encryption policies select service

Generate and import local certificates

Import CA certificates


NIDS

See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:

Attack detection signature groups

User-configurable attack prevention

Monitor multiple interfaces for attacks

User-defined attack detection signatures

Antivirus

See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include:

Content profiles

Blocking oversized files

Web Filter

See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality. New features include:

Cerberian URL Filtering

Email filter

See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality.

Logging and Reporting

See the FortiGate Logging and Message Reference Guide for a complete description of FortiGate logging.

Log to remote host CSV format

Log message levels: Emergency, Alert, Critical, Error, Warning, Notification, Information

Log level policies

Traffic log filter

New antivirus, web filter, and email filter logs

Alert email supports authentication

Suppress email flooding

Extended WebTrends support for graphing activity


About this document

This installation and configuration guide describes how to install and configure the FortiGate-100. This document contains the following information:

Getting started describes unpacking, mounting, and powering on the FortiGate.

NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.

Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.

System status describes how to view the current status of your FortiGate unit and related status procedures including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.

Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support web site and for registering your FortiGate unit.

Network configuration describes configuring interfaces, configuring routing, and configuring the FortiGate as a DHCP server for your internal network.

RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings.

System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changing administrative users, configuring SNMP, and editing replacement messages.

Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic.

Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users.

IPSec VPN describes how to configure FortiGate IPSec VPN.

PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a Windows client.

Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks.

Antivirus protection describes how to use the FortiGate to protect your network from viruses and worms.

Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate.

Email filter describes how to configure email filtering to screen unwanted email content.

Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate.

The Glossary defines many of the terms used in this document.


Document conventions

This guide uses the following conventions to describe CLI command syntax.

angle brackets < > to indicate variable keywords. For example:

execute restore config <filename_str>

You enter restore config myfile.bak

<xxx_str> indicates an ASCII string variable keyword.

<xxx_integer> indicates an integer variable keyword.

<xxx_ip> indicates an IP address variable keyword.

vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords. For example:

set system opmode {nat | transparent}

You can enter set system opmode nat or set system opmode transparent

square brackets [ ] to indicate that a keyword is optional. For example:

get firewall ipmacbinding [dhcpipmac]

You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
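The three notations above (variable keywords in angle brackets, mutually exclusive alternatives in curly brackets, optional keywords in square brackets) are made concrete by the following added Python checker. It is illustration code written for this page, not a FortiGate tool: it reads a syntax line in this guide's notation and reports whether a typed command is a valid instance of it. The type rules it applies (`<xxx_str>` accepts any single word, `<xxx_integer>` a decimal number, `<xxx_ip>` an IPv4 address) and the `set hypothetical gateway ...` pattern used for testing are assumptions; the other patterns are the ones quoted above.

```python
"""Added example: a checker for the CLI syntax notation used in this guide.
Illustration code, not a FortiGate tool; the variable type rules are assumptions."""
import ipaddress
import re

# One token per syntax element: {a | b}, [optional], <variable>, or a literal keyword.
_TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|<[^>]*>|\S+")


def parse_syntax(pattern):
    """Turn a syntax line into a list of (kind, value) elements."""
    elems = []
    for tok in _TOKEN.findall(pattern):
        if tok.startswith("{"):
            # mutually exclusive required keywords: "{nat | transparent}"
            elems.append(("choice", [alt.strip() for alt in tok[1:-1].split("|")]))
        elif tok.startswith("["):
            # optional keyword: "[dhcpipmac]"
            elems.append(("optional", tok[1:-1].strip()))
        elif tok.startswith("<"):
            # variable keyword: "<filename_str>"
            elems.append(("variable", tok[1:-1].strip()))
        else:
            elems.append(("literal", tok))
    return elems


def variable_ok(name, word):
    """Check one typed word against the variable keyword's type suffix (assumed rules)."""
    if name.endswith("_integer"):
        return word.lstrip("-").isdigit()
    if name.endswith("_ip"):
        try:
            ipaddress.IPv4Address(word)
            return True
        except ValueError:
            return False
    return True   # <xxx_str>: any single word is an acceptable ASCII string


def matches(pattern, command):
    """True when `command` is a valid instance of the syntax `pattern`."""
    words = command.split()
    i = 0
    for kind, value in parse_syntax(pattern):
        if kind == "optional":
            # consume the keyword if it is present; its absence is fine
            if i < len(words) and words[i] == value:
                i += 1
            continue
        if i >= len(words):
            return False          # a required element is missing
        word = words[i]
        if kind == "literal" and word != value:
            return False
        if kind == "choice" and word not in value:
            return False
        if kind == "variable" and not variable_ok(value, word):
            return False
        i += 1
    return i == len(words)        # no trailing words may be left over
```

For the patterns quoted in this section, `matches("set system opmode {nat | transparent}", "set system opmode nat")` is true and the same pattern rejects `set system opmode bridge`; `get firewall ipmacbinding` is accepted both with and without the optional `dhcpipmac` keyword, but not with any other trailing word.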


Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:

Volume 1: FortiGate Installation and Configuration Guide

Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.

Volume 2: FortiGate VPN Guide

Contains in-depth information about FortiGate IPSec VPN using certificates, preshared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

Volume 3: FortiGate Content Protection Guide

Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.

Volume 4: FortiGate NIDS Guide

Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.

Volume 5: FortiGate Logging and Message Reference Guide

Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.

Volume 6: FortiGate CLI Reference Guide

Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.

The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.


Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.

Fortinet email support is available from the following addresses:

amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin America and South America.

apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.

eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:

Your name

Company name

Location

Email address

Telephone number

FortiGate unit serial number

FortiGate model

FortiGate FortiOS firmware version

Detailed description of the problem


Getting started

This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:

If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 43.

If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 57.

This chapter describes:

Package contents

Mounting

Powering on

Connecting to the web-based manager

Connecting to the command line interface (CLI)

Factory default FortiGate configuration settings

Planning your FortiGate configuration

FortiGate model maximum values matrix

Next steps


Package contents

The FortiGate-100 package contains the following items:

FortiGate-100 Antivirus Firewall

one orange crossover ethernet cable

one gray regular ethernet cable

one null modem cable

FortiGate-100 Quick Start Guide

CD containing the FortiGate user documentation

one power cable and AC adapter

Figure 2: FortiGate-100 package contents

[Figure: front and back views of the FortiGate-100 with the package contents. Front: Power LED, Status LED, and Internal, External and DMZ interface LEDs. Back: DC +12V 5A power connection, RS-232 Console port, and DMZ, External and Internal interfaces. Also shown: orange crossover and grey straight-through ethernet cables, RS-232 null-modem cable, power cable and power supply, FortiGate-100 Quick Start Guide, and documentation CD.]

Mounting

The FortiGate-100 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Dimensions

10.25 x 6.13 x 1.75 in. (26 x 15.6 x 4.5 cm)

Weight

1.75 lb. (0.8 kg)

Power requirements

DC input voltage: 12 V

DC input current: 5 A


Environmental specifications

Operating temperature: 32 to 104°F (0 to 40°C)

Storage temperature: -13 to 158°F (-25 to 70°C)

Humidity: 5 to 95% non-condensing

Powering on

To power on the FortiGate-100 unit:

1. Connect the AC adapter to the power connection at the back of the FortiGate-100 unit.

2. Connect the AC adapter to the power cable.

3. Connect the power cable to a power outlet.

The FortiGate-100 unit starts up. The Power and Status LEDs light. The Status LED flashes while the FortiGate-100 unit is starting up and remains lit when the system is up and running.

Table 1: FortiGate-100 LED indicators

LED                              State            Description
Power                            Green            The FortiGate unit is powered on.
                                 Off              The FortiGate unit is powered off.
Status                           Flashing green   The FortiGate unit is starting up.
                                 Green            The FortiGate unit is running normally.
                                 Off              The FortiGate unit is powered off.
Internal, External, DMZ          Green            The correct cable is in use, and the connected equipment has power.
(front)                          Flashing green   Network activity at this interface.
                                 Off              No link established.
Internal, External, DMZ          Green            The correct cable is in use, and the connected equipment has power.
interfaces (back)                Flashing amber   Network activity at this interface.
                                 Off              No link established.


Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service.

To connect to the web-based manager, you need:

a computer with an ethernet connection,

Internet Explorer version 4.0 or higher,

a crossover cable or an ethernet hub and two ethernet cables.

Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.

To connect to the web-based manager:

1. Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.

2. Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the FortiGate unit to the computer ethernet connection.

3. Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://).

The FortiGate login is displayed.

4. Type admin in the Name field, leave the Password field blank, and select Login.

The factory default admin account has no password; set one as soon as you have logged in, before the FortiGate unit is connected to any network you do not control.

The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you about firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.

Figure 3: FortiGate login
