Fortinet Fortigate-3600A, Fortigate-3000, Fortigate-800, Fortigate-1000, Fortigate-500A Administration Manual
...
ADMINISTRATION GUIDE
FortiGate™
Version 3.0 MR4
www.fortinet.com
FortiGate™ Administration Guide
Version 3.0 MR4
2 January 2007
01-30004-0203-20070102
© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat
Management System, FortiGuard, FortiGuard-Antispam, FortiGuardAntivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter,
FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of
Fortinet, Inc. in the United States and/or other countries. The names of
actual companies and products mentione d herein may be the trade marks
of their respective owners.
Contents
Contents
Introduction...................................................................................... 17
Introducing the FortiGate units...................................................................... 18
FortiGate-5000 series chassis .................................................................... 18
About the FortiGate-5000 series modules .................................................. 19
FortiGate-3600A.......................................................................................... 19
FortiGate-3600............................................................................................ 20
FortiGate-3000............................................................................................ 20
FortiGate-1000A.......................................................................................... 20
FortiGate-1000AFA2................................................................................... 21
FortiGate-1000............................................................................................ 21
FortiGate-800.............................................................................................. 21
FortiGate-800F............................................................................................ 21
FortiGate-500A............................................................................................ 22
FortiGate-500.............................................................................................. 22
FortiGate-400A............................................................................................ 22
FortiGate-400.............................................................................................. 22
FortiGate-300A............................................................................................ 22
FortiGate-300.............................................................................................. 23
FortiGate-200A............................................................................................ 23
FortiGate-200.............................................................................................. 23
FortiGate-100A............................................................................................ 23
FortiGate-100.............................................................................................. 23
FortiGate-60/60M/ADSL.............................................................................. 24
FortiWiFi-60/60A/60AM............................................................................... 24
FortiGate-50B.............................................................................................. 24
FortiGate-50A.............................................................................................. 24
Fortinet family of products............................................................................. 25
FortiGuard Subscription Services ............................................................... 25
FortiAnalyzer............................................................................................... 25
FortiClient.................................................................................................... 25
FortiManager............................................................................................... 26
FortiBridge................................................................................................... 26
FortiMail ...................................................................................................... 26
FortiReporter............................................................................................... 26
About this document....................................................................................... 27
Document conventions................................................................................ 29
FortiGate documentation ............................................................................... 29
Fortinet Tools and Documentation CD........................................................ 31
Fortinet Knowledge Center ........................................................................ 31
Comments on Fortinet technical documentation ................................ ........ 31
Customer service and technical support...................................................... 31
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 3
Contents
Web-based manager........................................................................ 33
Button bar features ......................................................................................... 34
Contact Customer Support ......................................................................... 34
Using the Online Help................................................................................. 34
Logout......................................................................................................... 36
Web-based manager pages............................................................................ 37
Web-based manager menu ........................................................................ 37
Lists............................................................................................................. 38
Icons ........................................................................................................... 38
System Status.................................................................................. 41
Status page.............. ... .... ... ... ... .... ... ... ... .... ....................................................... 41
Viewing system status ................................................................................ 41
Changing system information........................................................................ 49
Configuring system time ............................................................................. 49
Changing the FortiGate unit host name...................................................... 50
Changing the FortiGate firmware.................. ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... . 51
Upgrading to a new firmware version ......................................................... 51
Reverting to a previous firmware version.................................................... 51
Viewing operational history............................................................................ 52
Manually updating FortiGuard definitions.................................................... 53
Viewing Statistics............................................................................................ 54
Viewing the session list.............................................................. ... .... ... ... ... . 54
Viewing the Content Archive information.................................................... 55
Viewing the Attack Log ............................................................................... 56
Topology viewer.............................................................................................. 58
The Topology Viewer window.............................. ... ... ... .... ... ... ... ... .... ... ... ... . 58
Customizing the topology diagram.............................................................. 60
........................................................................................................................... 60
Using virtual domains ..................................................................... 61
Virtual domains................................................................................................ 61
VDOM configuration settings ...................................................................... 62
Global configuration settings....................................................................... 63
Enabling VDOMs.............................................................................................. 64
Configuring VDOMs and global settings............................. ... ... ... ... .... ... ... ... . 64
Working with VDOMs and global settings................................................... 65
Adding interfaces to a VDOM ..................................................................... 65
Assigning an administrator to a VDOM....................................................... 66
Changing the Management VDOM...................................................... ... ... . 67
FortiGate Version 3 .0 MR4 Administration Guide
4 01-30004-0203-20070102
Contents
System Network............................................................................... 69
Interface............................................................................................................ 69
Switch Mode........... ... ... .... ... ... ..................................................................... 71
Interface settings......................................................................................... 72
Configuring an ADSL interface.................................................................... 74
Creating an 802.3ad aggregate interface.................................................... 75
Creating a redundant interface............ ........................................................ 76
Creating a wireless interface....................................................................... 77
Configuring DHCP on an interface.............................................................. 78
Configuring an interface for PPPoE or PPPoA ........................................... 80
Configuring Dynamic DNS service for an interface..................................... 81
Configuring a virtual IPSec interface........................................................... 82
Additional configuration for interfaces......................................................... 83
Zone.................................................................................................................. 87
Zone settings............................................................................................... 87
Network Options.............................................................................................. 88
DNS Servers ............................................................................................... 89
Dead gateway detection.............................................................................. 89
Routing table (Transparent Mode)................................................................. 90
Transparent mode route settings ................................................................ 90
Configuring the modem interface.................................................................. 91
Configuring modem settings ....................................................................... 91
Redundant mode configuration................................................................... 93
Standalone mode configuration .................................................................. 94
Adding firewall policies for modem connections ......................................... 94
Connecting and disconnecting the modem............................. ... ... ... ... .... ... . 95
Checking modem status.............................................................................. 95
VLAN overview............................... .... ... ... ... .... ... ... ... ........................................ 96
FortiGate units and VLANs . ... ... .... ... ... ... .... ... .............................................. 96
VLANs in NAT/Route mode............................ ... ... ... ........................................ 97
Rules for VLAN IDs..................................................................................... 97
Rules for VLAN IP addresses ..................................................................... 97
Adding VLAN subinterfaces ........................................................................ 98
VLANs in Transparent mode .......................................................................... 99
Rules for VLAN IDs................................................................................... 101
Transparent mode virtual domains and VLANs ......... ... ... ... .... ... ... ... ... .... .. 101
Troubleshooting ARP Issues..................................................................... 104
FortiGate IPv6 support.................................................................................. 104
System Wireless............................................................................. 105
The FortiWiFi wireless LAN interface.......................................................... 105
Channel assignments.................................................................................... 106
System wireless settings (FortiWiFi-60)...................................................... 107
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 5
Contents
System wireless settings (FortiWiFi-60A and 60AM)................................. 109
Wireless MAC Filter....................................................................................... 110
Wireless Monitor............................................................................................ 111
System DHCP................................................................................. 113
FortiGate DHCP servers and relays............................................................. 113
Configuring DHCP services........................... ... ... .... ..................................... 114
Configuring an interface as a DHCP relay agent...................................... 115
Configuring a DHCP server ...................................................................... 115
Viewing address leases................................................................................ 116
Reserving IP addresses for specific clients .................. .... ... ..................... 117
System Config................................................................................ 119
HA .......................... ... ... .... .......................................................................... ... .. 119
HA options ................................................................................................ 119
Cluster members list ..................................... ... ......................................... 122
Viewing HA statistics........... .... ... ... ... .... ... ... ... ... ......................................... 125
Changing subordinate unit host name and device priority........................ 126
Disconnecting a cluster unit from a cluster............................................. .. 126
SNMP........... .... ... ... ... ... .... ... ... ... ...................................................................... 127
Configuring SNMP .................................................................................... 127
Configuring an SNMP community............................................................. 128
Fortinet MIBs............................................................................................. 130
FortiGate traps.......................................................................................... 131
Fortinet MIB fields..................................................................................... 133
Replacement messages . ... ... ... .... ... ... ............................................................ 136
Replacement messages list...................................................................... 137
Changing replacement messages ....... ... .................................................. 138
Changing the authentication login page.................. ... ... .... ... ... ... ... ............ 139
Changing the FortiGuard web filtering block override page...................... 140
Changing the SSL-VPN login message.................. ... ............................... 140
Changing the authentication disclaimer page............................... .... ... ... .. 140
Operation mode and VDOM management access................. ... ... ... .... ... ... .. 141
Changing operation mode............. ... .... ... ... ... ... .... ... ... ... .... ... ..................... 141
Management access................................................................................. 142
System Admin................................................................................ 143
Administrators................................... ... .... ... ... ... ............................................ 143
Configuring RADIUS authentication for administrators............................. 144
Viewing the administrators list ...................................... .... ... ... ... ... .... ... ..... 144
Configuring an administrator account....................................................... 146
Access profiles.............................................................................................. 148
Viewing the access profiles list ........................ .... ... ... ... .... ... ... ... ............... 151
Configuring an access profile..... ... ... ......................................................... 152
FortiGate Version 3 .0 MR4 Administration Guide
6 01-30004-0203-20070102
Contents
FortiManager.................................................................................................. 153
Settings........................................................................................................... 153
Monitoring administrators ................................................ ... ... .... ... ... ... ... ...... 154
System Maintenance...................................................................... 157
Backup and restore....................................................................................... 157
FortiGuard Center.......................................................................................... 161
FortiGuard Distribution Network................................................................ 161
FortiGuard Services .................................................................................. 161
Configuring the FortiGate unit for FDN and FortiGuard services.............. 162
Troubleshooting FDN connectivity ............................................................ 166
Updating antivirus and attack definitions................................................... 166
Enabling push updates.............................................................................. 168
License ........................................................................................................... 172
System Chassis (FortiGate-5000 series)...................................... 173
SMC (shelf manager card) ............................................................................ 173
Blades (FortiGate-5000 chassis slots)......................................................... 174
Chassis monitoring event log messages.................................................... 176
Router Static .................................................................................. 177
Routing concepts ......................................................................................... 177
How the routing table is built .................................................................... 178
How routing decisions are made .............................................................. 178
Multipath routing and determining the best route...................................... 178
How route sequence affects route priority ................................................ 179
Equal Cost Multipath (ECMP) Routes....................................................... 180
Static Route ...... .... ............................................................................. ... ... .... .. 180
Working with static routes .................................. ... .... ... ... ... ...................... 180
Default route and default gateway ........................................................... 181
Adding a static route to the routing table ............................ ....... ... ... ... .... .. 184
Policy Route .................................................................................................. 185
Adding a route policy ............. ... .... ............................................................ 186
Moving a route policy ................................................................................ 187
Router Dynamic.............................................................................. 189
RIP................................................................................................................... 189
How RIP works.......................................................................................... 190
Viewing and editing basic RIP settings..................................................... 190
Selecting advanced RIP options ............................................................... 192
Overriding the RIP operating parameters on an interface......................... 193
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 7
Contents
OSPF ... ... ... .......................................................................... .... ... ... ... ... ............ 194
OSPF autonomous systems ..................................................................... 194
Defining an OSPF AS ............................................................................... 195
Viewing and editing basic OSPF settings ................................................. 196
Selecting advanced OSPF options ................................... ... ... .................. 198
Defining OSPF areas................. ... ............................................................ 199
Specifying OSPF networks ....................................................................... 200
Selecting operating parameters for an OSPF interface ............................ 201
BGP . .... ... .......................................................................... ... ............................ 202
How BGP works........................................................................................ 202
Viewing and editing BGP settings............................................................. 203
Multicast......................................................................................................... 204
Viewing and editing multicast settings ...................................................... 204
Overriding the multicast settings on an interface...................................... 206
Router Monitor............................................................................... 209
Displaying routing information.................................................................... 209
Searching the FortiGate routing table.......................................... ... .... ........ 211
Firewall Policy................................................................................ 213
About firewall policies ...................... ... .... ... ... ... ... .... ... ... ............................... 213
How policy matching works....................................................................... 214
Viewing the firewall policy list...................................................................... 214
Adding a firewall policy ............................................................................. 215
Moving a policy to a different position in the policy list ............................. 216
Configuring firewall policies ........................................................................ 216
Firewall policy options.......................................................... ... ... ... .... ... ... .. 219
Adding authentication to firewall policies ...................... .... ... ... ... ... .... ... ..... 222
Adding traffic shaping to firewall policies .................................................. 223
IPSec firewall policy options ................ ... ... ............................................... 226
SSL-VPN firewall policy options................................................................ 226
Options to check FortiClient on hosts ..................... ... ... .... ... ... ... ............... 227
Firewall policy examples .............................................................................. 228
Scenario one: SOHO sized business...... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... .. 228
Scenario two: enterprise sized business................................................... 231
Firewall Address............................................................................ 235
About firewall addresses......................................... ... .................................. 235
Viewing the firewall address list .................................................................. 236
Configuring addresses ........................ .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ..... 237
Viewing the address group list ............................... ... ... ... .... ... ... ... ... .... ... ... .. 237
Configuring address groups........................................................................ 238
FortiGate Version 3 .0 MR4 Administration Guide
8 01-30004-0203-20070102
Contents
Firewall Service.............................................................................. 239
Viewing the predefined service list.............................................................. 239
Viewing the custom service list ................................................................... 243
Configuring custom services....................................................................... 243
Viewing the service group list...................................................................... 245
Configuring service groups.......................................................................... 245
Firewall Schedule........................................................................... 247
Viewing the one-time schedule list.............................................................. 247
Configuring one-time schedules.................................................................. 248
Viewing the recurring schedule list ............................................................. 248
Configuring recurring schedules................................................................. 249
Firewall Virtual IP........................................................................... 251
Virtual IPs.......... .... ... ... ... ... .... ......................................................................... 251
How virtual IPs map connections through the FortiGate unit.................... 251
Viewing the virtual IP list .............................................................................. 255
Configuring virtual IPs.................................................................................. 255
Adding a static NAT virtual IP for a single IP address............................... 256
Adding a static NAT virtual IP for an IP address range............................. 258
Adding static NAT port forwarding for a single IP address and a
single port.................................................................................................. 260
Adding static NAT port forwarding for an IP address range and a
port range.................................................................................................. 261
Adding a load balance virtual IP for an IP address range or real servers. 263
Adding a load balance port forwarding virtual IP....................................... 265
Adding dynamic virtual IPs........................................................................ 266
Virtual IP Groups ........................................................................................... 267
Viewing the VIP group list............................................................................. 267
Configuring VIP groups ................................................................................ 268
IP pools. .... ... .......................................................................... ... .... ... ... ... ......... 269
IP pools and dynamic NAT........................................................................ 269
IP Pools for firewall policies that use fixed ports....................................... 269
Viewing the IP pool list................................... ... ... ......................................... 270
Configuring IP Pools..................................................................................... 270
Firewall Protection Profile............................................................. 271
What is a protection profile .......................................................................... 271
Default protection profiles ......................................................................... 272
Viewing the protection profile list................................................................ 272
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 9
Contents
Configuring a protection profile................................................................... 272
Antivirus options........................................................................................ 273
Web filtering options ................................................................................. 275
FortiGuard-Web filtering options............................. ... ... .... ... ... ... ... .... ... ... .. 276
Spam filtering options ............................................................................... 277
IPS options................................................................................................ 279
Content archive options ............................................................................ 279
IM and P2P options................................................................................... 280
Logging options......................................................................................... 281
VoIP options.............................................................................................. 282
Adding a protection profile to a policy........................................................ 282
Protection profile CLI configuration....................................... ... ... ... .... ... ... .. 283
VPN IPSEC ..................................................................................... 285
Overview of IPSec interface mode............................................................. .. 285
Auto Key......................................................................................................... 287
Creating a new phase 1 configuration ..................................................... 287
Defining phase 1 advanced settings............................. .... ... ..................... 290
Creating a new phase 2 configuration ..................................................... 292
Defining phase 2 advanced settings............................. .... ... ..................... 293
Internet browsing configuration.................................................. ... .... ... ..... 295
Manual Key ..................................... ... ... .... ... ... ... ... .... ... .................................. 296
Creating a new manual key configuration ................................................ 297
Concentrator ..................................... ............................................................ 299
Defining concentrator options .............................. ... ... ... .... ... ... ... ............... 299
Monitor .......................................................................................................... 300
VPN PPTP....................................................................................... 303
PPTP Range.......... ... .............................................................................. ........ 303
VPN SSL.......................................................................................... 305
Config ............................................................................................................ 305
Monitor ............................ ... ... ... .... ... ... ... .... ..................................................... 307
VPN Certificates............................................................................. 309
Local Certificates ..................................... ... ... ... ............................................ 309
Generating a certificate request........................................................ ... ... .. 310
Downloading and submitting a certificate request .................................... 312
Importing a signed server certificate......................................................... 313
Importing an exported server certificate and private key .......................... 313
Importing separate server certificate and private key files........................ 314
Remote Certificates........................................................................ ............... 314
Importing Remote (OCSP) certificates...................................................... 315
FortiGate Version 3 .0 MR4 Administration Guide
10 01-30004-0203-20070102
Contents
CA Certificates............................................................................................... 315
Importing CA certificates........................................................................... 316
CRL ................................................................................................................. 317
Importing a certificate revocation list......................................................... 317
User................................................................................................. 319
Configuring user authentication.................................................................. 319
Setting authentication timeout................................................................... 320
Setting user authentication protocol support............................................. 320
Local user accounts...................................................................................... 321
Configuring a user account ....................................................................... 321
RADIUS servers.......... ... ... .... ... ... ... ................................................................ 322
Configuring a RADIUS server ................................................................... 322
LDAP servers.............. ... ... .... ... ... ... .... ............................................................ 323
Configuring an LDAP server ..................................................................... 324
PKI authentication......................................................................................... 325
Configuring PKI users ............................................................................... 326
Windows AD servers..................................................................................... 326
Configuring a Windows AD server ............................................................ 327
User group...................................................................................................... 327
User group types....................................................................................... 328
User group list........................................................................................... 329
Configuring a user group........................................................................... 330
Configuring FortiGuard override options for a user group......................... 331
Configuring SSL VPN user group options................................................. 332
Configuring peers and peer groups............................................................. 334
AntiVirus......................................................................................... 335
Order of operations....................................................................................... 335
Antivirus elements......................................................................................... 335
FortiGuard antivirus................................................................................... 336
Antivirus settings and controls.................................................................... 337
File pattern ..................................................................................................... 338
Viewing the file pattern list catalog............................................................ 338
Creating a new file pattern list................................................. .................. 339
Viewing the file pattern list ........................................................................ 339
Configuring the file pattern list................................................................... 340
Quarantine...................................................................................................... 341
Viewing the Quarantined Files list............................................................. 341
Viewing the AutoSubmit list....................................................................... 342
Configuring the AutoSubmit list................................................................. 343
Configuring quarantine options ................................................................. 343
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 11
Contents
Config....... ... .... ... ... ... ... ........................................................................... ... ... .. 345
Viewing the virus list ........... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ........................ 345
Viewing the grayware list .............................. ... .... ... ... ... ............................ 346
Antivirus CLI configuration................. ......................................................... 347
system global optimize.............................................................................. 347
config antivirus heuristic.......... ... ... ............................................................ 348
config antivirus quarantine........................................................................ 348
config antivirus service <service_name>................... ............................... 348
Intrusion Protection....................................................................... 349
About intrusion protection.. ... .... .................................................................. 349
IPS settings and controls ................................. .... ... ... ... .... ... ... ... ... .... ........ 350
When to use IPS....................................................................................... 350
Predefined signatures.................................................................... ... .... ... ... .. 351
Viewing the predefined signature list ................................ ... ... ... ... .... ... ..... 351
Configuring predefined signatures....................... ... ... ... .... ........................ 353
Fine tuning IPS predefined signatures for enhanced system performance 353
Custom signatures...................................... .................................................. 354
Viewing the custom signature list.............................................................. 354
Creating custom signatures ...................................................................... 355
Protocol Decoders......................................................................................... 356
Viewing the protocol decoder list ............................... ... .... ... ..................... 356
Upgrading IPS protocol decoder list ......................................................... 357
Anomalies ....................... ... ... ... .... ... ............................................................... 357
Viewing the traffic anomaly list.................................................................. 358
Configuring IPS traffic anomalies.............................................................. 358
IPS CLI configuration.................................................................................... 359
system autoupdate ips.............................................................................. 359
ips global fail-open............................... ... ... ... ... .... ... ... ... .... ........................ 359
ips global ip_protocol........................................... ... ... ... ............................ 359
ips global socket-size................................................................................ 359
(config ips anomaly) config limit................................................................ 359
Web Filter........................................................................................ 361
Order of web filtering.............. .... .................................................................. 361
How web filtering works ............................................................................... 361
Web filter controls............................................. ... .... ... ... ............................... 362
FortiGate Version 3 .0 MR4 Administration Guide
12 01-30004-0203-20070102
Contents
Content block................................................................................................. 364
Viewing the web content block list catalog................................................ 364
Creating a new web content block list....................................................... 365
Viewing the web content block list ............................................................ 365
Configuring the web content block list....................................................... 366
Viewing the web content exempt list catalog ............................................ 367
Creating a new web content exempt list ................................................... 367
Viewing the web content exempt list......................................................... 368
Configuring the web content exempt list ................................................... 369
URL filter................................ ... ...................................................................... 369
Viewing the URL filter list catalog........... .... ... ... ... ...................................... 369
Creating a new URL filter list..................................................................... 370
Viewing the URL filter list .......................................................................... 370
Configuring the URL filter list .................................................................... 371
Moving URLs in the URL filter list ............................................................. 373
FortiGuard - Web Filter.................................................................................. 373
Configuring FortiGuard-Web filtering ........................................................ 374
Viewing the override list ............................................................................ 374
Configuring override rules......................................................................... 375
Creating local categories........ ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... .................. 377
Viewing the local ratings list...................................................................... 377
Configuring local ratings............................................................................ 378
Category block CLI configuration.............................................................. 379
FortiGuard-Web Filter reports ................................................................... 379
Antispam......................................................................................... 381
Antispam ........................................................................................................ 381
Order of Spam Filtering............................................................................. 381
Anti-spam filter controls............................................................................. 382
Banned word.................................................................................................. 384
Viewing the antispam banned word list catalog ........................................ 384
Creating a new antispam banned word list............................................... 385
Viewing the antispam banned word list..................................................... 385
Configuring the antispam banned word list............................................... 386
Black/White List............................................................................................. 387
Viewing the antispam IP address list catalogue........................................ 387
Creating a new antispam IP address list................................................... 388
Viewing the antispam IP address list ........................................................ 388
Configuring the antispam IP address list................................................... 389
Viewing the antispam email address list catalog....................................... 389
Creating a new antispam email address list.............................................. 390
Viewing the antispam email address list ................................................... 390
Configuring the antispam email address list ............................................. 391
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 13
Contents
Advanced antispam configuration................................ ... .... ... ... ... ... ............ 392
config spamfilter mheader......................................................................... 392
config spamfilter rbl................................................................................... 393
Using Perl regular expressions........................... .... ... ... ... .... ... ... ... ... .... ... ... .. 393
Regular expression vs. wildcard match pattern ......................... ... .... ... ... .. 393
Word boundary ...... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ..................................... 394
Case sensitivity................ ... .... ... ............................................................... 394
Perl regular expression formats................................................................ 394
Example regular expressions........... .... ..................................................... 395
IM, P2P & VoIP................................................................................ 397
Overview............................. ... ... .... ... ... ... .... ..................................................... 397
Configuring IM/P2P protocols.............................................. ........................ 399
How to enable and disable IM/P2P options ............... ... .... ... ... .................. 399
How to configure IM/P2P options within a protection profile..................... 399
How to configure IM/P2P decoder log settings.......... ... .... ... ... ... ... .... ... ..... 400
How to configure older versions of IM/P2P applications........................... 400
How to configure protocols that are not supported ........... ... ... .................. 400
Statistics............................. ... ... .... ... ............................................................... 401
Viewing overview statistics ....................................................................... 401
Viewing statistics by protocol.................................................................... 402
User.................................. ... ... ......................................................................... 403
Viewing the Current Users list................................................................... 403
Viewing the User List........................................... ... ... ... .... ... ... .................. 404
Adding a new user to the User List........................................................... 404
Configuring a policy for unknown IM users................... .... ... ... ... ... .... ... ... .. 405
Log&Report.................................................................................... 407
FortiGate Logging ......................................................................................... 407
Log severity levels ........................................................................................ 408
Storing Logs ............................ .... ... ... ... .... ... ... ... ............................................ 409
Logging to a FortiAnalyzer unit......................................... ... ..................... 409
Connecting to FortiAnalyzer using Automatic Discovery .......................... 410
Testing the FortiAnalyzer configuration ........................................ .... ... ... .. 411
Logging to memory.............................................. ... .................................. 412
Logging to a Syslog server ........... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... .. 413
Logging to WebTrends............... ... ... .... ... ... ... ... .... ... ... ... .... ... ..................... 413
Logging to FortiGuard Log and Analysis server........................................ 414
High Availability cluster logging............................................................. ..... 415
FortiGate Version 3 .0 MR4 Administration Guide
14 01-30004-0203-20070102
Contents
Log types.. ... ... ... .............................................................................. ............... 415
Traffic log .................................................................................................. 415
Event log................................................................................................... 416
Antivirus log............................................................................................... 417
Web filter log ....................................... ... .... ............................................... 417
Attack log .................................................................................................. 418
Spam filter log ........................................................................................... 418
IM and P2P log.......................................................................................... 418
VoIP log..................................................................................................... 419
Log Access............................... ... ... .... ... ... ... .... ............................................... 419
Accessing log messages stored in memory.............................................. 420
Accessing log message stored in the hard disk........................................ 420
Accessing logs stored on the FortiAnalyzer unit ....................................... 421
Accessing logs on the FortiGuard Log & Analysis server ......................... 422
Viewing log information............................................................................. 422
Column settings ........................................................................................ 423
Filtering log messages .............................................................................. 423
Deleting logs stored on the FortiGuard Log & Analysis server ................. 424
Content Archive............................................................................................. 425
Alert Email.......................................... ... ... ... .... ............................................... 426
Configuring Alert Email ............................................................................. 426
Reports........................................................................................................... 428
Basic traffic reports ................................................................................... 428
FortiAnalyzer reports................................................................................. 429
Configuring a FortiAnalyzer report ........................................................... 430
Editing FortiAnalyzer reports..................................................................... 437
Printing your FortiAnalyzer report ............................................................. 437
Viewing FortiAnalyzer reports from a FortiGate unit ................................. 438
Viewing parts of a FortiAnalyzer report..................................................... 438
Index................................................................................................ 439
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 15
Contents
FortiGate Version 3 .0 MR4 Administration Guide
16 01-30004-0203-20070102
Introduction
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
FortiGate™ ASIC-accelerated multi-threat security systems improve network
security, reduce network misuse and abuse, and help you use communications
resources more efficiently without compromising the performance of your
network. FortiGate Systems are ICSA-certified for Antivirus, Firewall, IPSec,
SSL-TLS, IPS, Intrusion detection, and AntiSpyware services.
FortiGate Systems are dedicated, easily managed security device that delivers a
full suite of capabilities including:
• Application-level services such as virus protection, intrusion protection, spam
• Network-level services such as firewall, intrusion detection, IPSec and SSL
• Management services such as user authentication, logging, reporting with
The FortiGate security system uses Fortinet’s Dynamic Threat Prevention System
(DTPS™) technology, which leverages breakthroughs in chip design, networking,
security and content analysis. The unique ASIC-accelerated architecture anal yzes
content and behavior in real-time, enabling key applications to be deployed right
at the network edge where they are most effective at protecting your networks.
filtering, web content filtering, IM, P2P, and VoIP filtering
VPN, and traffic shaping
FortiAnalyzer, administration profiles, secure web and CLI administrative
access, and SNMP
This chapter contains the following sections:
• Introducing the FortiGate units
• Fortinet family of products
• About this document
• FortiGate documentation
• Customer service and technical support
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 17
Introducing the FortiGat e un i ts Introduction
5
5
Introducing the FortiGate units
All FortiGate Unified Threat Management Systems from the FortiGate-50B to the
FortiGate-5000 series deliver similar SOHO or enterprise-class network-based
antivirus, content filtering, firewall, VPN, and network-based intrusion
detection/prevention features.
FortiGate-5000 series chassis
The FortiGate-5000 series Security Systems are chassis-based systems that
MSSPs and large enterprises can use to provide subscriber security services
such as firewall, VPN, antivirus protection, spam filtering, web filtering and
intrusion prevention (IPS). The wide variety of system configurations available
with FortiGate-5000 series provide flexibility to meet the changing needs of
growing high performance networks. The FortiGate-5000 series chassis support
multiple hot-swappable FortiGate-5000 series modules and power supplies. This
modular approach provides a scalable, high-performance and failure-proof
solution.
5140SAP
1311975312468101214
5140
PWR
PWR
PWR
PWR
PWR
ACC
ACC
ACC
CONSOLE
CONSOLE
USB
USB
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8
STA IPM
STA IPM
STA IPM
PWR
ACC
ACC
ACC
MANAGEMENT
MANAGEMENT
E
T
H
CONSOLE
CONSOLE
USB
USB
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8
STA IPM
O
CONSOLE
CONSOLE
USB
USB
SYSTEM
SYSTEM
CONSOLE
CONSOLE
R
S
2
3
2
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8
Z
R
E
0
Z
R
E
1
Z
R
E
2
E1
E2
E2
1514
1312
1110
98
76
54
32
10
ZRE
ZRE
OKCLK
INTEXT
FLT
FLT
FLT
HOT SWAP
RESET
RESET
LED MODE
STA IPM
LED MODE
STA IPM
FILTER
012
FAN TRAY FAN TRAYFAN TRAY
SERIAL 1 SERIAL 2 ALARM
L
2
1
3
R
A
R
R
R
O
C
T
O
J
ER
E
E
N
TI
I
I
S
S
SE
A
S
R
U
U
U
M
E
M
C
R
USB
1 2 3 4 5 6 7 8
CONSOLE
5
ACC
PWR
PWR
PWR
PWR
PWR
ACC
ACC
ACC
CONSOLE
CONSOLE
E
T
H
O
R
S
2
3
2
Z
R
E
0
Z
R
E
1
Z
R
E
2
E1
1514
1312
1110
98
76
54
32
10
OKCLK
INTEXT
FLT
HOT SWAP
CONSOLE
USB
USB
1 2
1 2
3 4
3 4
5 6 7 8
5 6 7 8
STA IPM
STA IPM
STA IPM
PWR
ACC
ACC
ACC
CONSOLE
CONSOLE
USB
1 2
3 4
5 6 7 8
CONSOLE
USB
USB
USB
1 2
1 2
1 2
5000SM
ETH1
ETH0
10/100
10/100
link/Act
link/Act
3 4
3 4
3 4
ETH0
Service
RESET
STATUS
Hot Swap
5 6 7 8
5 6 7 8
5 6 7 8
12
5000SM
ETH0ETH1
10/100
10/100
link/Act
link/Act
ETH0
STA IPM
Service
STA IPM
STA IPM
RESET
STATUS
Hot Swap
PWR
USB
1 2 3 4 5 6 7 8
CONSOLE
4
ACC
PWR
USB
1 2 3 4 5 6 7 8
CONSOLE
ACC
PWR
3
ETH
O
RS232ZRE0ZRE1ZRE2
E1
1514
1312
2
1
5000SM
10/100
SMC
link/Act
ETH1
10/100
ETH0
link/Act
2
SYSTEM
CONSOLE
MANAGEMENT
ETH
O
RS232ZRE0ZRE1ZRE2
SYSTEM
CONSOLE
MANAGEMENT
5050SAP
ETH0
Service
SERIAL
STATUS
Hot Swap
RESET
1
USB
CONSOLE
RESET
STATUS
PWR
USB
CONSOLE
RESET
STATUS
PWR
1110
E2
E1
1514
1312
1110
E2
ALARM
162
162
OKCLK
9876543210
ZRE
OKCLK
9876543210
ZRE
SERIAL
2
3 4 5 6
IPM
3 4 5 6
IPM
STA IPM
STA IPM
STA IPM
INTEXT
FLT
HOT SWAP
RESET
POWER
LED MODE
FLT
INTEXT
FLT
HOT SWAP
RESET
LED MODE
FLT
5000SM
10/100
SMC
ETH0
Service
link/Act
STATUS
Hot Swap
10/100
RESET
ETH0ETH1
link/Act
1
PSU A
PSU B
ALT
ON/OFF
ALT
ON/OFF
FortiGate-5140 chassis
You can install up to 14 FortiGate-5000 series modules in the 14 slots of the
FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that co nt a ins
two redundant hot swappable DC power entry modules that connect to -48 VDC
Data Center DC power. The FortiGate-5140 chassis also includes three hot
swappable cooling fan trays.
FortiGate-5050 chassis
You can install up to five FortiGate-5000 series modules in the five slots of the
FortiGate-5050 ATCA chassis. The FortiGate-5050 is a 5U chassis that contains
two redundant DC power connections that connect to -48 VDC Data Center DC
power. The FortiGate-5050 chassis also includes a hot swappable cooling fan
tray.
FortiGate Version 3 .0 MR4 Administration Guide
18 01-30004-0203-20070102
Introduction Introducing the FortiGate units
FortiGate-5020 chassis
You can install one or two FortiGate-5000 series modules in the two slots of the
FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains
two redundant AC to DC power supplies that connect to AC power. The
FortiGate-5020 chassis also includes an internal cooling fan tray.
About the FortiGate-5000 series modules
Each FortiGate-5000 series module is a standalone security system th at can also
function as part of an HA cluster. All FortiGate-5000 series modules are also hot
swappable. All FortiGate-5000 series units are high capacity security systems
with multiple gigabit interfaces, multiple virtual domain capacity, and other high
end FortiGate features.
FortiGate-5005FA2 module
The FortiGate-5001SX module is an independent high- performance security
system with eight Gigabit ethernet interfaces; two of which include Fortinet
technology to accelerate small packet performance. The FortiGate
module also supports high-end features including 802.1Q VLANs and multiple
virtual domains.
-5005FA2
FortiGate-5001SX module
The FortiGate-5001SX module is an independent high- performance security
system with eight Gigabit ethernet interfaces. The FortiGate
supports high-end features including 802.1Q VLANs and multiple virtual domains.
FortiGate-5001FA2 module
The FortiGate-5001FA2 module is an independent high-performance security
system with six Gigabit ethernet interfaces. The FortiGate-5001FA2 module is
similar to the FortiGate-5001SX module except that two of the FortiGate-5001FA2
interfaces include Fortinet technology to accelerate small packet performance.
FortiGate-5002FB2 module
The FortiGate-5002FB2 module is an independent high-performance FortiGate
security system with a total of 6 Gigabit ethernet interfaces. Two of the
FortiGate-5002FB2 interfaces include Fortinet technology to accelerate small
packet performance.
FortiGate-3600A
The FortiGate-3600A
unit provides carrierclass levels of
performance and
reliability demanded by
large enterprises and
service providers. The
unit uses multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps,
Esc Enter
-5001SX module
2
7856341
CONSOLE
PWR
9
10
Hi-Temp
USB
MODEM
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 19
Introducing the FortiGat e un i ts Introduction
meeting the needs of the most demanding applications. The FortiGate-3600A unit
includes redundant power supplies, which minimize single-point failures, and
supports load-balanced operation. The high-capacity, reliability and easy
management makes the FortiGate-3600A a natural choice for managed service
offerings.
FortiGate-3600
The FortiGate-3600
unit provides carrierclass levels of
performance and
reliability demanded by
Esc Enter
2
1
3 4 5/HA
large enterprises and
service providers. The
unit uses multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps,
meeting the needs of the most demanding applications. The FortiGate-3600 unit
includes redundant power supplies, which minimize single-point failures, and
supports load-balanced operation. The high-capacity, reliability and easy
management makes the FortiGate-3600 a natural choice for managed service
offerings.
POWER
Hi-Temp 4
INTERNAL EXTERNAL
12
3
5/HA
EXT
INT
FortiGate-3000
The FortiGate-3000
unit provides the
carrier-class levels of
performance and
reliability demanded
by large enterprises
and service providers. The unit uses multiple CPUs and FortiASIC chips to deliver
a throughput of 3Gbps, meeting the needs of the most demanding applications.
The FortiGate-3000 unit includes redundant power supplies to minimize singlepoint failures, including load-balanced operation and redundant failover with no
interruption in service. The high capacity, reliability, and easy management of the
FortiGate-3000 makes it a natural choice for managed service offerings.
FortiGate-1000A
The FortiGate-1000A
Security System is a
high-performance
solution for the most
demanding large
enterprise and service
providers. The
FortiGate-1000A automatically keeps up to date information on Fortinet’s
FortiGuard Subscription Services by the FortiGuard Distribution Network,
ensuring around-the-clock protection against the latest viruses, worms, trojans
and other threats. The FortiGate-1000A has flexible architecture to quickly adapt
to emerging technologies such as IM, P2P or VOIP including identity theft
methods such as spyware, phishing and phar m i ng attacks.
Esc Enter
POWER
12
4/HA
Hi-Temp
INT
123 4/HA INTERNAL EXTERNAL
3
EXT
FortiGate Version 3 .0 MR4 Administration Guide
20 01-30004-0203-20070102
Introduction Introducing the FortiGate units
FortiGate-1000AFA2
The FortiGate1000AFA2 Security
System is a
high-performance
solution for the most
CONSOLE
USB
A2A1
demanding large
enterprise and service
providers. The FortiGate-1000AFA2 features two extra optical fiber ports with
Fortinet’s FortiAccel™ technology, enhancing small packet performance. The
FortiGate-1000AFA2 also delivers critical security functions in a hardened security
platform, tuned for reliability, usability, rapid deployment, low operational costs
and most importantly a superior detection rate against known and unknown
anomalies.
FortiGate-1000
The FortiGate-1000 unit is
designed for larger
enterprises. The FortiGate-
Enter
Esc
1000 meets the needs of
the most demanding applications, using multiple CPUs and FortiASIC chips to
deliver a throughput of 2Gps. The FortiGate-1000 unit includes support for
redundant power supplies to minimize single-port failures, load-balanced
operation, and redundant failover with no interruption in service.
1234 / HA
INTERNAL
EXTERNAL
FortiGate-800
FortiGate-800F
The FortiGate-800 provides
high throughput, a total of
eight network connections,
8
Esc Enter
INTERNAL EXTERNAL DMZ HA
PWR
123
4 USB
CONSOLE
(four of which are userdefined), VLAN support, and virtual domains. The FortiGate-800 also provides
stateful failover HA, when you are configuring a cluster of FortiGate units.The
FortiGate-800 is a natural choice for large enterprises, who demand top network
security performance.
The FortiGate-800F
provides the same features
as the FortiGate-800, using
800F
PWR
INTERNAL EXTERNAL DMZ HA 1 2 3
Esc Enter
CONSOLE
4 USB
four fibre-optic Internal,
External, DMZ and HA interfaces. The FortiGate-800F also provides stateful
failover HA, and support for the RIP and OSPF routing protocols. The FortiGate800F provides the flexibility, reliability and easy management large enterprises
are looking for.
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 21
Introducing the FortiGat e un i ts Introduction
FortiGate-500A
The FortiGate-500A unit
provides the carrier-class
levels of performance and
reliability demanded by
CONSOLE
Esc Enter
A
USB LAN
L1 L2 L3
L4
12 3 4
10/100 10/100/1000
56
large enterprises and
service providers. With a total of 10 network connections, (including a 4-port LAN
switch), and high-availability features with automatic failover with no session loss,
the FortiGate-500A is the choice for mission critical applications. The flexibility,
reliability, and easy management of the FortiGate-500A makes it a natural choice
for managed service offerings.
FortiGate-500
The FortiGate-500 unit is
designed for larger
INTERNAL
EXTERNAL 1 2 3 4 5 6 7 8
enterprises. The flexibility,
Esc Enter
reliability, and easy
management makes the
FortiGate-500 a natural choice for managed service offerings. The FortiGate-500
supports high availability (HA).
HADMZ
FortiGate-400A
FortiGate-400
FortiGate-300A
The FortiGate-400A unit
meets enterprise-class
requirements for
performance, availability,
Esc Enter
A
CONSOLE 10/100 10/100/1000USB
1 2 3 4 5 6
and reliability. The
FortiGate-400A also supports high availability (HA) and features automatic
failover with no session loss, making it the choice for mission critical applications.
The FortiGate-400 unit is
designed for larger
enterprises. The FortiGate-
Esc Enter
1
CONSOLE
4 / HA3
2
400 unit is capable of
throughput up to 500Mbps
and supports high availability (HA), which includes automatic failover with no
session loss.
The FortiGate-300A unit
meets enterprise-class
requirements for
Esc Enter
CONSOLE 10/100 10/100/1000USB
1 2 3 4 5 6
performance, availability,
and reliability. The
FortiGate-300A also supports high availability (HA) and includes automatic
failover with no session loss, making the FortiGate-300A a good choice for
mission critical applications.
FortiGate Version 3 .0 MR4 Administration Guide
22 01-30004-0203-20070102
Introduction Introducing the FortiGate units
FortiGate-300
The FortiGate-300 unit is
designed for larger
enterprises. The FortiGate-
Esc Enter
300 unit features high
availability (HA), which
includes automatic failover with no session loss. This feature makes the
FortiGate-300 an excellent choice for mission-critical applications.
FortiGate-200A
The FortiGate-200A unit is
an easy-to-deploy and
easy-to-administer solution
that delivers exceptional
Esc Enter
A
1234
DMZ2DMZ1INTERNAL WAN1 WAN2CONSOLE USB
value and performance for
small office, home office and branch office applications.
FortiGate-200
The FortiGate-200 unit is
designed for small
INTERNALPOWER STATUS
DMZ
businesses, home offices or
EXTERNAL
even branch office
applications. The FortiGate200 unit is an easy-to-deploy and easy-to-administer solution. The FortiGate-200
also supports high availability (HA).
INTERNAL
CONSOLE
DMZ
EXTERNAL
FortiGate-100A
FortiGate-100
The FortiGate-100A unit is
designed to be an
easy-to-administer solution for
small offices, home offices, and
WAN 1 WAN 2
PWR STATUS
A
DMZ 1
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
DMZ 2
INTERNAL
4321
branch office applications.
The FortiGate-100A supports advanced features such as 80 2.1Q VLAN, virtu al
domains, and the RIP and OSPF routing protocols.
The FortiGate-100 unit is designed
for SOHO, SMB and branch office
applications.
The FortiGate-100 supports
INTERNAL
EXTERNAL
POWER
DMZ
STATUS
advanced features such as 802.1Q
VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing
protocols.
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 23
Introducing the FortiGat e un i ts Introduction
FortiGate-60/60M/ADSL
The FortiGate-60 unit is designed
for telecommuters remote offices,
and retail stores. The FortiGate-60
unit includes an external modem
PWR STATUS
INTERNAL
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
DMZ4321
WAN1 WAN2
port that can be used as a backup
or stand alone connection to the
Internet while the FortiGate-60M unit includes an internal mod em that can also be
used either as a backup or a standalone connection to the Internet. The FortiGate60ADSL includes an internal ADSL modem.
FortiWiFi-60/60A/60AM
The FortiWiFi-60 model provides a
secure, wireless LAN solution for
wireless connections. It combines
mobility and flexibility with FortiWiFi
Antivirus Firewall features, and can
be upgraded to future radio
technologies. The FortiWiFi-60
serves as the connection point
between wireless and wired networks
or the center-point of a standalone
wireless network.
PWR WLAN
INTERNAL
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
DMZ4321
WAN1 WAN2
FortiGate-50B
FortiGate-50A
The FortiGate-50B is designed for
telecommuters and small remote
offices with 10 to 50 employees.
The FortiGate-50B unit includes
POWER STATUS
WAN1 WAN2
INTERNAL
LINK / ACT
10/100
321
two WAN interfaces for redundant
connections to the Internet. The
FortiGate-50B unit also features a 3-port switch for internal network connections
and supports HA configurations with other FortiGate-50B units.
The FortiGate-50A unit is designed for
telecommuters and small remote
offices with 10 or fewer employees.
The FortiGate-50 unit includes an
STATUS
A
INTERNAL EXTERNAL
LINK 100 LINK 100
PWR
external modem port that can be used
as a backup or stand alone connection to the Internet.
FortiGate Version 3 .0 MR4 Administration Guide
24 01-30004-0203-20070102
Introduction Fortinet family of products
Fortinet family of products
Fortinet offers a family of products that includes both software and hardware
appliances for a complete network security solution including mail, logging,
reporting, network management, and securi ty alon g with FortiGate Unified Threat
Manager Systems. For more information on the Fortinet product family, go to
www.fortinet.com/products.
FortiGuard Subscription Services
FortiGuard Subscription Services are security services created, updated and
managed by a global team of Fortinet security professionals. They ensure the
latest attacks are detected and blocked before harming your corporate resources
or infecting your end-user computing devices. These services are created with the
latest security technology and designed to operate with the lowest possible
operational costs.
FortiGuard Subscription Services includes:
• FortiGuard Antivirus Service
• FortiGuard Intrusion Prevention subscription services (IPS)
• FortiGuard Web Filtering
• FortiGuard Antispam Service
• FortiGuard Log and Analysis
• FortiGuard Premier Service
An online virus scan ner and virus encyclopedia is also available for yo ur reference
from the FortiGuard Center.
FortiAnalyzer
FortiClient
FortiAnalyzer™ provides network administrators with the info rmation they need to
enable the best protection and security for their networks against attacks and
vulnerabilities. FortiAnalyzer features include:
• collects logs from FortiGate devices and syslog devices and FortiClient
• creates hundreds of reports using collected log data
• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit
The FortiAnalyzer unit can also be configured as a network analyzer to capture
real-time traffic on areas of your network where firewalls are not employed. You
can also use the unit as a storage device where users can access and sh are files,
including the reports and logs that are saved on the FortiAnalyzer hard disk.
FortiClient™ Host Security software provides a secure computing environment for
both desktop and laptop users running the most popular Microsoft Windows
operating systems. FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning.
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 25
Fortinet family of products Introduction
FortiClient also offers a silent installation feature, enabling an administrator to
efficiently distribute FortiClient to several users’ computers with preconfigured
settings.
FortiManager
FortiManager™ meets the needs of large enterprises (including managed security
service providers) responsible for establishing and maintaining security policies
across many dispersed FortiGate installations. With FortiManager you can
configure multiple FortiGate devices and monitor their status. You can also view
real-time and historical logs for FortiGate devices. FortiManager emp hasizes ease
of use, including easy integration with third party systems.
FortiBridge
FortiBridge™ products are designed to provide enterprise or ganizations operating
FortiGate units in Transparent mode with continuous network traffic flow in the
event of a power outage or a FortiGate system failure. The FortiBridge unit
bypasses the FortiGate unit to make sure that the network can continue
processing traffic. FortiBridge products are easy to use and deploy, including
providing customizable actions a FortiBridge unit takes in the event of a power
outage or FortiGate system failure.
FortiMail
FortiReporter
FortiMail™ provides powerful, flexible heuristic scanning and reporting capabilities
to incoming and outgoing email traffic. The FortiMail unit ha s reliable, high
performance features for detecting and blocking malicious att achments and sp am,
such as FortiGuard Antispam/Antivirus support, heuristic scanning, greylisting,
and Bayesian scanning. Built on Fortinet’s award winning For tiOS and FortiASIC
technology, FortiMail antivirus technology extends full content inspection
capabilities to detect the most advanced email threats.
FortiReporter Security Analyzer software generates easy-to-understand reports
and can collect logs from any FortiGate unit, as well as over 30 network and
security devices from third-party vendors. FortiReporter reveals network abuse,
manages bandwidth requirements, monitors web usage, and ensures employees
are using the office network appropriately. FortiReporter allows IT administrators
to identify and respond to attacks, including identifying ways to proactively secure
their networks before security threats arise.
FortiGate Version 3 .0 MR4 Administration Guide
26 01-30004-0203-20070102
Introduction About this document
About this document
This FortiGate Version 3.0 MR4 Administration Guide provides detailed
information about FortiGate™ web-based manager options a nd ho w to use them.
This guide also contains some information about the FortiGate CLI.
This administration guide describes web-based manager functions in the same
order as the web-based manager menu. The document begins with a general
description of the FortiGate web-based manager and a description of FortiGate
virtual domains. Following these chapters, each item in the System menu, Router
menu, Firewall menu, and VPN menu gets a separate chapter. Then User,
AntiVirus, Intrusion Protection, Web Filter, AntiSpam, IM/P2P, and Log & Report
are all described in single chapters. The document concludes with a detailed
index.
The most recent version of this document is available from the FortiGate page of
the Fortinet Technical Documentation web site. The information in this document
is also available in a slightly different form as FortiGate web-based manager
online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the
Fortinet T echnical Document ation web site as well as from the Fortinet Knowledge
Center.
This administration guide contains the following chapters:
• Web-based manager provides an introduction to the features of the FortiGate
web-based manager and includes information about how to register a
FortiGate unit and about how to use the web-based manager online help.
• System Status describes the System Status page, the dashboard of your
FortiGate unit. At a glance you can view the current system status of the
FortiGate unit including serial number, uptime, FortiGuard license information,
system resource usage, alert messages and network statistics. This section
also describes status changes that you can make, including changing the unit
firmware, host name, and system time.
• Using virtual domains describes how to use virtual domains to operate your
FortiGate unit as multiple virtual FortiGate units, providing separate firewall
and routing services to multiple networks.
• System Network explains how to configure physical and virtual interfaces an d
DNS settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
• System DHCP provides information about how to configure a FortiGate
interface as a DHCP server or DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering,
configuring SNMP and replacement messages, and changing the operation
mode.
• System Admin guides you through adding and editing administrator accounts,
defining access profiles for administrators, configuring Fo rtiManager™ access,
and defining general administrative settings such as language, timeouts, and
web administration ports.
• System Maintenance details how to back up and restore the system
configuration using a management computer or the FortiUSB device, enable
FortiGuard services and FortiGuard Distribution Network (FDN) updates, and
enter a license key to increase the maximum number of virtual domains.
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 27
About this document Introduction
• System Chassis (FortiGate-5000 series) describes information displayed on
the system chassis web-based manager pages about all of the hardware
components in your FortiGate-5140 or FortiG at e- 50 5 0 cha ssis.
• Router Static explains how to define static routes and create route policies. A
static route causes packets to be forwarded to a destination other than the
factory configured default gateway.
• Router Static explains how to define static routes and create route policies. A
static route causes packets to be forwarded to a destination other than the
factory configured default gateway.
• Router Dynamic contains information about how to configure dynamic
protocols to route traffic through large or complex networks.
• Router Monitor explains how to interpret the Routing Monitor list. The list
displays the entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections
and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
• Firewall Address describes how to configure addresses and address groups
for firewall policies.
• Firewall Service describes available services and how to configure service
groups for firewall policies.
• Firewall Schedule describes how to configure one-time and recurring
schedules for firewall policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and
IP pools.
• Firewall Protection Profile describes how to configure protection profiles for
firewall policies.
• VPN IPSEC provides information about the tunnel-mode and route-based
(interface mode) Internet Protocol Security (IPSec) VPN options available
through the web-based manager.
• VPN PPTP explains how to use the web-based manager to spec ify a range of
IP addresses for PPTP clients.
• VPN SSL provides information about basic SSL VPN settings.
• VPN Certificates explains how to manage X.509 security certificates.
• User details how to control access to network resources through user
authentication.
• AntiVirus explains how to enable antivirus options when you create a firewall
protection profile.
• Intrusion Protection explains how to configure IPS options when a firewall
protection profile is created.
• Web Filter explains how to configure web filter options when a firewall
protection profile is created.
• Antispam explains how to configure spam filter options when a firewall
protection profile is created.
• IM, P2P & VoIP explains how to configure IM, P2P, and VoIP options when a
firewall protection profile is created. You can view IM, P2P, and VoIP statistics
to gain insight into how the protocols are being used within the network.
• Log&Report describes how to enable logging, view log files, and view the basic
reports available through the web-based manager.
FortiGate Version 3 .0 MR4 Administration Guide
28 01-30004-0203-20070102
Introduction FortiGate documentation
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or
!
undesirable results including loss of data or damage to equipment.
Typographic conventions
Fortinet documentation uses the following typographical conventions:
Convention Example
Menu commands Go to VPN > IPSEC > Phase 1 and select Create New.
Keyboard input In the Gateway Name field, type a name for the remote VPN
Code examples config sys global
CLI command syntax config firewall policy
Document names FortiGate Administration Guide
File content <HTML><HEAD><TITLE>Firewall
Program output Welcome!
Variables
peer or client (for example, Central_Office_1).
set ips-open enable
end
edit id_integer
set http_retry_count <retry_integer>
set natip <address_ipv4mask>
end
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
<address_ipv4>
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
FortiGate Version 3 .0 MR4 Administration Guide
01-30004-0203-20070102 29
FortiGate documentation Introduction
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for you r
product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
• FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center, the FortiGate Log
Message Reference describes the structure of FortiGate log messages and
provides information about the log messages that are generated by FortiGate
units.
• FortiGate High Availability Overview and FortiGate High Availability User
Guide
These documents contain in-depth information about the F ort iG ate High
Availability (HA) feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Preventio n System settings
and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the webbased manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-m ode SSL VPN access
for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and resto ring installed
certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMS in both NAT/Route and
Transparent mode. Includes detailed examples.
FortiGate Version 3 .0 MR4 Administration Guide
30 01-30004-0203-20070102
Loading...