How it Works
Fortinet
Loading...
FortiGate 400
User Manual
308 pgs5.1 Mb0
Table of contents
Loading...

Fortinet FortiGate 400 User Manual

FortiGate 400
Installation and
Configuration Guide
Esc Enter
CONSOLE
1
4 / HA3
2
FortiGate User Manual Volume 1
18 August 2003
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.

Table of Contents

Introduction .......................................................................................................... 15
Antivirus protection ........................................................................................................... 15
Web content filtering ......................................................................................................... 16
Email filtering .................................................................................................................... 16
Firewall.............................................................................................................................. 17
NAT/Route mode .......................................................................................................... 17
Transparent mode......................................................................................................... 18
VLAN................................................................................................................................. 18
Network intrusion detection............................................................................................... 18
VPN................................................................................................................................... 19
High availability ................................................................................................................. 19
Secure installation, configuration, and management ........................................................ 20
Web-based manager .................................................................................................... 20
Command line interface ................................................................................................ 21
Logging and reporting ................................................................................................... 21
What’s new in Version 2.50 .............................................................................................. 22
System administration................................................................................................... 22
Firewall.......................................................................................................................... 23
Users and authentication .............................................................................................. 23
VPN............................................................................................................................... 23
NIDS ............................................................................................................................. 24
Antivirus ........................................................................................................................ 24
Web Filter...................................................................................................................... 24
Email filter ..................................................................................................................... 24
Logging and Reporting.................................................................................................. 24
About this document ......................................................................................................... 25
Document conventions ..................................................................................................... 26
Fortinet documentation ..................................................................................................... 27
Comments on Fortinet technical documentation........................................................... 27
Customer service and technical support........................................................................... 28
Contents
Getting started ..................................................................................................... 29
Package contents ............................................................................................................. 30
Mounting ........................................................................................................................... 30
Powering on...................................................................................................................... 31
Connecting to the web-based manager............................................................................ 32
Connecting to the command line interface (CLI)............................................................... 33
Factory default FortiGate configuration settings ............................................................... 33
Factory default NAT/Route mode network configuration .............................................. 34
Factory default Transparent mode network configuration............................................. 35
Factory default firewall configuration ............................................................................ 35
Factory default content profiles..................................................................................... 36
FortiGate-400 Installation and Configuration Guide 3
Contents
Planning your FortiGate configuration .............................................................................. 39
NAT/Route mode .......................................................................................................... 39
NAT/Route mode with multiple external network connections ...................................... 40
Transparent mode......................................................................................................... 41
Configuration options .................................................................................................... 41
FortiGate model maximum values matrix ......................................................................... 42
Next steps......................................................................................................................... 43
NAT/Route mode installation.............................................................................. 45
Preparing to configure NAT/Route mode.......................................................................... 45
Using the setup wizard...................................................................................................... 46
Starting the setup wizard .............................................................................................. 46
Reconnecting to the web-based manager .................................................................... 46
Using the front control buttons and LCD........................................................................... 47
Using the command line interface..................................................................................... 47
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 47
Connecting the FortiGate unit to your networks................................................................ 49
Configuring your network .................................................................................................. 50
Completing the configuration ............................................................................................ 50
Configuring interface 3.................................................................................................. 50
Configuring interface 4/HA............................................................................................ 51
Setting the date and time .............................................................................................. 51
Enabling antivirus protection......................................................................................... 51
Registering your FortiGate unit ..................................................................................... 51
Configuring virus and attack definition updates ............................................................ 52
Configuration example: Multiple connections to the Internet ............................................ 52
Configuring Ping servers............................................................................................... 53
Destination based routing examples............................................................................. 54
Policy routing examples ................................................................................................ 57
Firewall policy example................................................................................................. 58
Transparent mode installation............................................................................ 61
Preparing to configure Transparent mode ........................................................................ 61
Using the setup wizard...................................................................................................... 62
Changing to Transparent mode .................................................................................... 62
Starting the setup wizard .............................................................................................. 62
Reconnecting to the web-based manager .................................................................... 62
Using the front control buttons and LCD........................................................................... 63
Using the command line interface..................................................................................... 63
Changing to Transparent mode .................................................................................... 63
Configuring the Transparent mode management IP address ....................................... 64
Configure the Transparent mode default gateway........................................................ 64
4 Fortinet Inc.
Completing the configuration ............................................................................................ 64
Setting the date and time .............................................................................................. 64
Enabling antivirus protection......................................................................................... 64
Registering your FortiGate............................................................................................ 65
Configuring virus and attack definition updates ............................................................ 65
Connecting the FortiGate unit to your networks................................................................ 65
Transparent mode configuration examples....................................................................... 66
Default routes and static routes .................................................................................... 67
Example default route to an external network............................................................... 67
Example static route to an external destination ............................................................ 69
Example static route to an internal destination ............................................................. 72
High availability.................................................................................................... 75
Active-passive HA............................................................................................................. 75
Active-active HA................................................................................................................ 76
HA in NAT/Route mode .................................................................................................... 77
Installing and configuring the FortiGate units................................................................ 77
Configuring the HA interfaces ....................................................................................... 77
Configuring the HA cluster ............................................................................................ 78
Connecting the HA cluster to your network................................................................... 80
Starting the HA cluster .................................................................................................. 82
HA in Transparent mode................................................................................................... 82
Installing and configuring the FortiGate units................................................................ 82
Configuring the HA interface and HA IP address.......................................................... 82
Configuring the HA cluster ............................................................................................ 83
Connecting the HA cluster to your network................................................................... 85
Starting the HA cluster .................................................................................................. 86
Managing the HA cluster................................................................................................... 86
Viewing the status of cluster members ......................................................................... 86
Monitoring cluster members.......................................................................................... 87
Monitoring cluster sessions........................................................................................... 88
Viewing and managing cluster log messages ............................................................... 88
Managing individual cluster units .................................................................................. 89
Synchronizing the cluster configuration ........................................................................ 89
Returning to standalone configuration .......................................................................... 90
Replacing a FortiGate unit after fail-over ...................................................................... 90
Advanced HA options ....................................................................................................... 91
Selecting a FortiGate unit to a permanent primary unit ................................................ 91
Configuring weighted-round-robin weights ................................................................... 92
Contents
FortiGate-400 Installation and Configuration Guide 5
Contents
System status....................................................................................................... 93
Changing the FortiGate host name................................................................................... 94
Changing the FortiGate firmware...................................................................................... 94
Upgrade to a new firmware version .............................................................................. 95
Revert to a previous firmware version .......................................................................... 96
Install a firmware image from a system reboot using the CLI ....................................... 99
Test a new firmware image before installing it ............................................................ 101
Installing and using a backup firmware image ............................................................ 103
Manual virus definition updates ...................................................................................... 106
Manual attack definition updates .................................................................................... 107
Displaying the FortiGate serial number........................................................................... 107
Displaying the FortiGate up time..................................................................................... 107
Displaying log hard disk status ....................................................................................... 107
Backing up system settings ............................................................................................ 108
Restoring system settings............................................................................................... 108
Restoring system settings to factory defaults ................................................................. 108
Changing to Transparent mode ...................................................................................... 109
Changing to NAT/Route mode........................................................................................ 109
Restarting the FortiGate unit........................................................................................... 109
Shutting down the FortiGate unit .................................................................................... 110
System status ................................................................................................................. 110
Viewing CPU and memory status ............................................................................... 110
Viewing sessions and network status ......................................................................... 111
Viewing virus and intrusions status............................................................................. 112
Session list...................................................................................................................... 113
Virus and attack definitions updates and registration ................................... 115
Updating antivirus and attack definitions ........................................................................ 115
Connecting to the FortiResponse Distribution Network .............................................. 116
Configuring scheduled updates .................................................................................. 117
Configuring update logging ......................................................................................... 118
Adding an override server........................................................................................... 119
Manually updating antivirus and attack definitions...................................................... 119
Configuring push updates ........................................................................................... 119
Push updates through a NAT device .......................................................................... 120
Scheduled updates through a proxy server ................................................................ 124
Registering FortiGate units ............................................................................................. 125
FortiCare Service Contracts........................................................................................ 125
Registering the FortiGate unit ..................................................................................... 126
6 Fortinet Inc.
Updating registration information .................................................................................... 128
Recovering a lost Fortinet support password.............................................................. 128
Viewing the list of registered FortiGate units .............................................................. 128
Registering a new FortiGate unit ................................................................................ 129
Adding or changing a FortiCare Support Contract number......................................... 129
Changing your Fortinet support password .................................................................. 130
Changing your contact information or security question ............................................. 130
Downloading virus and attack definitions updates ...................................................... 130
Registering a FortiGate unit after an RMA...................................................................... 131
Network configuration....................................................................................... 133
Configuring zones........................................................................................................... 133
Adding zones .............................................................................................................. 133
Adding interfaces to a zone ........................................................................................ 134
Adding VLAN subinterfaces to a zone ........................................................................ 134
Renaming zones ......................................................................................................... 134
Deleting zones ............................................................................................................ 135
Configuring interfaces ..................................................................................................... 135
Viewing the interface list ............................................................................................. 135
Bringing up an interface .............................................................................................. 135
Changing an interface static IP address ..................................................................... 136
Adding a secondary IP address to an interface .......................................................... 136
Adding a ping server to an interface ........................................................................... 136
Controlling management access to an interface ......................................................... 137
Configuring traffic logging for connections to an interface .......................................... 137
Changing the MTU size to improve network performance .......................................... 137
Configuring port4/ha ................................................................................................... 138
Configuring the management interface (Transparent mode) ...................................... 138
Configuring VLANs ......................................................................................................... 139
VLAN network configuration ....................................................................................... 139
Adding VLAN subinterfaces ........................................................................................ 141
Configuring routing.......................................................................................................... 143
Adding a default route................................................................................................. 143
Adding destination-based routes to the routing table.................................................. 143
Adding routes in Transparent mode............................................................................ 145
Configuring the routing table....................................................................................... 145
Policy routing .............................................................................................................. 146
Providing DHCP services to your internal network ......................................................... 147
Contents
RIP configuration ............................................................................................... 149
RIP settings..................................................................................................................... 150
Configuring RIP for FortiGate interfaces......................................................................... 152
Adding RIP neighbors..................................................................................................... 153
FortiGate-400 Installation and Configuration Guide 7
Contents
Adding RIP filters ............................................................................................................ 154
Adding a single RIP filter............................................................................................. 154
Adding a RIP filter list.................................................................................................. 155
Adding a neighbors filter ............................................................................................. 156
Adding a routes filter ................................................................................................... 156
System configuration ........................................................................................ 157
Setting system date and time.......................................................................................... 157
Changing web-based manager options .......................................................................... 158
Adding and editing administrator accounts..................................................................... 160
Adding new administrator accounts ............................................................................ 160
Editing administrator accounts.................................................................................... 161
Configuring SNMP .......................................................................................................... 162
Configuring the FortiGate unit for SNMP monitoring .................................................. 162
Configuring FortiGate SNMP support ......................................................................... 162
FortiGate MIBs............................................................................................................ 163
FortiGate traps ............................................................................................................ 164
Customizing replacement messages.............................................................................. 164
Customizing replacement messages .......................................................................... 165
Customizing alert emails............................................................................................. 166
Firewall configuration........................................................................................ 169
Default firewall configuration........................................................................................... 170
Interfaces .................................................................................................................... 170
VLAN subinterfaces .................................................................................................... 170
Zones .......................................................................................................................... 171
Addresses ................................................................................................................... 171
Services ...................................................................................................................... 172
Schedules ................................................................................................................... 172
Content profiles........................................................................................................... 172
Adding firewall policies.................................................................................................... 172
Firewall policy options................................................................................................. 173
Configuring policy lists .................................................................................................... 177
Policy matching in detail ............................................................................................. 177
Changing the order of policies in a policy list.............................................................. 178
Enabling and disabling policies................................................................................... 178
Addresses ....................................................................................................................... 179
Adding addresses ....................................................................................................... 179
Editing addresses ....................................................................................................... 180
Deleting addresses ..................................................................................................... 180
Organizing addresses into address groups ................................................................ 181
8 Fortinet Inc.
Services .......................................................................................................................... 182
Predefined services .................................................................................................... 182
Providing access to custom services .......................................................................... 184
Grouping services ....................................................................................................... 185
Schedules ....................................................................................................................... 186
Creating one-time schedules ...................................................................................... 186
Creating recurring schedules ...................................................................................... 187
Adding a schedule to a policy ..................................................................................... 188
Virtual IPs........................................................................................................................ 188
Adding static NAT virtual IPs ...................................................................................... 189
Adding port forwarding virtual IPs ............................................................................... 190
Adding policies with virtual IPs.................................................................................... 191
IP pools........................................................................................................................... 192
Adding an IP pool........................................................................................................ 192
IP Pools for firewall policies that use fixed ports ......................................................... 193
IP pools and dynamic NAT ......................................................................................... 193
IP/MAC binding ............................................................................................................... 193
Configuring IP/MAC binding for packets going through the firewall ............................ 194
Configuring IP/MAC binding for packets going to the firewall ..................................... 195
Adding IP/MAC addresses.......................................................................................... 195
Viewing the dynamic IP/MAC list ................................................................................ 196
Enabling IP/MAC binding ............................................................................................ 196
Content profiles............................................................................................................... 197
Default content profiles ............................................................................................... 197
Adding a content profile .............................................................................................. 197
Adding a content profile to a policy ............................................................................. 199
Contents
Users and authentication .................................................................................. 201
Setting authentication timeout......................................................................................... 202
Adding user names and configuring authentication ........................................................ 202
Adding user names and configuring authentication .................................................... 202
Deleting user names from the internal database ........................................................ 203
Configuring RADIUS support .......................................................................................... 204
Adding RADIUS servers ............................................................................................. 204
Deleting RADIUS servers ........................................................................................... 204
Configuring LDAP support .............................................................................................. 205
Adding LDAP servers.................................................................................................. 205
Deleting LDAP servers................................................................................................ 206
Configuring user groups.................................................................................................. 207
Adding user groups..................................................................................................... 207
Deleting user groups................................................................................................... 208
FortiGate-400 Installation and Configuration Guide 9
Contents
IPSec VPN........................................................................................................... 209
Key management............................................................................................................ 210
Manual Keys ............................................................................................................... 210
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 210
Manual key IPSec VPNs................................................................................................. 211
General configuration steps for a manual key VPN .................................................... 211
Adding a manual key VPN tunnel ............................................................................... 211
AutoIKE IPSec VPNs ...................................................................................................... 213
General configuration steps for an AutoIKE VPN ....................................................... 213
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 213
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 217
Managing digital certificates............................................................................................ 219
Obtaining a signed local certificate ............................................................................. 219
Obtaining a CA certificate ........................................................................................... 223
Configuring encrypt policies............................................................................................ 224
Adding a source address ............................................................................................ 225
Adding a destination address...................................................................................... 225
Adding an encrypt policy............................................................................................. 225
IPSec VPN concentrators ............................................................................................... 227
VPN concentrator (hub) general configuration steps .................................................. 227
Adding a VPN concentrator ........................................................................................ 229
VPN spoke general configuration steps...................................................................... 230
Redundant IPSec VPNs.................................................................................................. 231
Configuring redundant IPSec VPN ............................................................................. 231
Monitoring and Troubleshooting VPNs ........................................................................... 233
Viewing VPN tunnel status.......................................................................................... 233
Viewing dialup VPN connection status ....................................................................... 233
Testing a VPN............................................................................................................. 234
PPTP and L2TP VPN .......................................................................................... 235
Configuring PPTP ........................................................................................................... 235
Configuring the FortiGate unit as a PPTP gateway .................................................... 236
Configuring a Windows 98 client for PPTP ................................................................. 238
Configuring a Windows 2000 client for PPTP ............................................................. 239
Configuring a Windows XP client for PPTP ................................................................ 240
Configuring L2TP............................................................................................................ 241
Configuring the FortiGate unit as a L2TP gateway ..................................................... 242
Configuring a Windows 2000 client for L2TP.............................................................. 245
Configuring a Windows XP client for L2TP ................................................................. 246
10 Fortinet Inc.
Network Intrusion Detection System (NIDS) ................................................... 249
Detecting attacks ............................................................................................................ 249
Selecting the interfaces to monitor.............................................................................. 250
Disabling the NIDS...................................................................................................... 250
Configuring checksum verification .............................................................................. 250
Viewing the signature list ............................................................................................ 251
Viewing attack descriptions......................................................................................... 251
Enabling and disabling NIDS attack signatures .......................................................... 252
Adding user-defined signatures .................................................................................. 252
Preventing attacks .......................................................................................................... 253
Enabling NIDS attack prevention ................................................................................ 253
Enabling NIDS attack prevention signatures .............................................................. 254
Setting signature threshold values.............................................................................. 254
Configuring synflood signature values ........................................................................ 256
Logging attacks............................................................................................................... 256
Logging attack messages to the attack log................................................................. 256
Reducing the number of NIDS attack log and email messages.................................. 257
Contents
Antivirus protection........................................................................................... 259
General configuration steps............................................................................................ 259
Antivirus scanning........................................................................................................... 260
File blocking.................................................................................................................... 261
Blocking files in firewall traffic ..................................................................................... 262
Adding file patterns to block........................................................................................ 262
Quarantine ...................................................................................................................... 263
Quarantining infected files .......................................................................................... 263
Quarantining blocked files........................................................................................... 263
Viewing the quarantine list .......................................................................................... 264
Sorting the quarantine list ........................................................................................... 264
Filtering the quarantine list.......................................................................................... 265
Deleting files from quarantine ..................................................................................... 265
Downloading quarantined files.................................................................................... 265
Configuring quarantine options ................................................................................... 265
Blocking oversized files and emails ................................................................................ 266
Configuring limits for oversized files and email........................................................... 266
Exempting fragmented email from blocking.................................................................... 266
Viewing the virus list ....................................................................................................... 266
Web filtering ....................................................................................................... 267
General configuration steps............................................................................................ 267
Content blocking ............................................................................................................. 268
Adding words and phrases to the banned word list .................................................... 268
FortiGate-400 Installation and Configuration Guide 11
Contents
URL blocking................................................................................................................... 269
Using the FortiGate web filter ..................................................................................... 269
Using the Cerberian web filter..................................................................................... 272
Script filtering .................................................................................................................. 274
Enabling the script filter............................................................................................... 274
Selecting script filter options ....................................................................................... 274
Exempt URL list .............................................................................................................. 275
Adding URLs to the exempt URL list .......................................................................... 275
Email filter........................................................................................................... 277
General configuration steps............................................................................................ 277
Email banned word list.................................................................................................... 278
Adding words and phrases to the banned word list .................................................... 278
Email block list ................................................................................................................ 279
Adding address patterns to the email block list........................................................... 279
Email exempt list............................................................................................................. 279
Adding address patterns to the email exempt list ....................................................... 280
Adding a subject tag ....................................................................................................... 280
Logging and reporting....................................................................................... 281
Recording logs................................................................................................................ 281
Recording logs on a remote computer ........................................................................ 282
Recording logs on a NetIQ WebTrends server ........................................................... 282
Recording logs on the FortiGate hard disk ................................................................. 283
Recording logs in system memory.............................................................................. 284
Filtering log messages .................................................................................................... 284
Configuring traffic logging ............................................................................................... 286
Enabling traffic logging................................................................................................ 286
Configuring traffic filter settings................................................................................... 287
Adding traffic filter entries ........................................................................................... 288
Viewing logs saved to memory ....................................................................................... 289
Viewing logs................................................................................................................ 289
Searching logs ............................................................................................................ 289
Viewing and managing logs saved to the hard disk........................................................ 290
Viewing logs................................................................................................................ 290
Searching logs ............................................................................................................ 290
Downloading a log file to the management computer................................................. 291
Deleting all messages in an active log........................................................................ 291
Deleting a saved log file.............................................................................................. 292
Configuring alert email .................................................................................................... 292
Adding alert email addresses...................................................................................... 292
Testing alert email....................................................................................................... 293
Enabling alert email .................................................................................................... 293
12 Fortinet Inc.
Glossary ............................................................................................................. 295
Index .................................................................................................................... 299
Contents
FortiGate-400 Installation and Configuration Guide 13
Contents
14 Fortinet Inc.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

Introduction

The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.
The FortiGate-400 model meets enterprise-class requirements for performance, availability, and reliability. With throughput up to 500Mbps and high-availability features including automatic failover with no session loss, the FortiGate-400 is the choice for mission critical applications.

Antivirus protection

FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards an replacement message to the intended recipient.
FortiGate-400 Installation and Configuration Guide 15
Web content filtering Introduction
For extra protection, you also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses.
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period.
The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in e-mail that has been encoded using uuencode format,
detect viruses in e-mail that has been encoded using MIME encoding,
log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. If a match is found between a URL on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the FortiGate blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can be configured to block unsecure web content such as Java Applets, Cookies, and ActiveX.
You can also use the Cerberian URL blocking to block unwanted URLs.

Email filtering

FortiGate Email filtering can be configured to scan all IMAP and POP3 email content for unwanted senders or for unwanted content. If a match is found between a sender address pattern on the Email block list, or if an email is found to contain a word or phrase in the banned word list, the FortiGate adds a Email tag to subject line of the email. Receivers can then use their mail client software to filter messages based on the Email tag.
16 Fortinet Inc.
Introduction Firewall
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen for and secure corporate networks against a wide range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network address translation (NAT) mode and Route mode policies,
include Mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.
Route mode policies accept or deny connections between zones without performing address translation.
FortiGate-400 Installation and Configuration Guide 17
VLAN Introduction

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN, VLAN, multi-zone functionality, and some advanced firewall features are only available in NAT/Route mode.

VLAN

Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology a single FortiGate unit can provide security services to, and control connections between multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain. It can also apply authentication, content filtering, and antivirus protection to VLAN-tagged network and VPN traffic.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity. NIDS detection uses attack signatures to identify over 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packet­based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates.
18 Fortinet Inc.
Introduction VPN
VPN
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
FortiGate VPN features include the following:
Industry standard and ICSA-certified IPSec VPN including:
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key based on pre-shared key tunnels,
IPSec VPN using local or CA certificates,
Manual Keys tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection.
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGate unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

High availability

High Availability (HA) provides fail-over between two or more FortiGate units. Fortinet achieves HA through the use of redundant hardware: matching FortiGate models running in NAT/Route mode. You can configure the FortiGate units for either active-passive (A-P) or active-active (A-A) HA.
Both A-P and A-A HA use similar redundant high availability hardware configurations. High availability software guarantees that if one of the FortiGate units in the HA group fails, all functions, established firewall connections, and IPSec VPN sessions are maintained.
FortiGate-400 Installation and Configuration Guide 19
Secure installation, configuration, and management Introduction

Secure installation, configuration, and management

Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web-based manager to customize advanced FortiGate features to meet your needs.
You can also create a basic configuration using the FortiGate front panel control buttons and LCD.

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPs administration from any FortiGate interface.
You can use the web-based manager for most FortiGate configuration settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time.
Figure 1: The FortiGate web-based manager and setup wizard
20 Fortinet Inc.
Introduction Secure installation, configuration, and management

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.

Logging and reporting

The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the NIDS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.
FortiGate-400 Installation and Configuration Guide 21
What’s new in Version 2.50 Introduction

What’s new in Version 2.50

This section presents a brief summary of some of the new features in FortiOS v2.50:

System administration

Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See “System status” on page 110.
Revised antivirus and attack definition update functionality that connects to a new version of the FortiResponse Distribution network. Updates can now be scheduled hourly and the System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions” on page 115.
Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units” on page 125.
Network configuration
Changes have been made to how zones are added and used. See “Configuring
zones” on page 133.
Changes have been made to how VLANs are added and used. See “Configuring
VLANs” on page 139.
New interface configuration options. See “Configuring interfaces” on page 135.
Ping server and dead gateway detection for all interfaces.
HTTP and Telnet administrative access to any interface.
Secondary IP addresses for all FortiGate interfaces.
Routing
Simplified direction-based routing configuration.
Advanced policy routing (CLI only).
DHCP server
DHCP server for the internal network (CLI only).
Reserve IP/MAC pair combinations for DHCP servers (CLI only).
Routing Information Protocol (RIP)
New RIP v1 and v2 functionality. See “RIP configuration” on page 149.
SNMP
SNMP v1 and v2 support.
Support for RFC 1213 and RFC 2665
Monitoring of all FortiGate configuration and functionality
•See “Configuring SNMP” on page 162
22 Fortinet Inc.
Introduction What’s new in Version 2.50
HA
Active-active HA using switches and with the ability to select the schedule
Transparent mode HA
A/V update for HA clusters
Configuration synchronizing for HA
See “High availability” on page 75.
Replacement messages
You can customize messages sent by the FortiGate unit:
When a virus is detected,
When a file is blocked,
When a fragmented email is blocked
When an alert email is sent
See “Customizing replacement messages” on page 164.

Firewall

The firewall default configuration has changed. See “Default firewall configuration”
on page 170.
Add virtual IPs to all interfaces. See “Virtual IPs” on page 188.
Add content profiles to firewall policies to configure blocking, scanning, quarantine, web content blocking, and email filtering. See “Content profiles” on page 197.

Users and authentication

LDAP authentication. See “Configuring LDAP support” on page 205.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN functionality. New features include:
•Phase 1
AES encryption
Certificates
Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
•Phase 2
AES encryption
Encryption policies select service
Generate and import local certificates
Import CA certificates
FortiGate-400 Installation and Configuration Guide 23
What’s new in Version 2.50 Introduction

NIDS

See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:
Attack detection signature groups
User-configuration attack prevention
Monitor multiple interfaces for attacks
Monitor VLAN subinterfaces for attacks
User-defined attack detection signatures

Antivirus

See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include:
Content profiles
Quarantine for files containing viruses or files that are blocked
Blocking oversized files

Web Filter

See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality. New features include:
Cerberian URL Filtering

Email filter

See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality.

Logging and Reporting

See the FortiGate Logging and Message Reference Guide for a complete description of FortiGate logging.
Log to remote host CSV format
Log message levels: Emergency, Alert, critical, error, Warning, notification, information
Log level policies
Traffic log filter
New antivirus, web filter, and email filter logs
Alert email supports authentication
Suppress email flooding
Extended WebTrends support for graphing activity
24 Fortinet Inc.
Introduction About this document

About this document

This installation and configuration guide describes how to install and configure the FortiGate-400. This document contains the following information:
Getting started describes unpacking, mounting, and powering on the FortiGate.
NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.
High availability describes how to install and configure the FortiGate in a high availability configuration.
System status describes how to view the current status of your FortiGate unit and related status procedures including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.
Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support webs site and for registering your FortiGate unit.
Network configuration describes configuring interfaces, zones, and VLANs and configuring routing.
RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings.
System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changed administrative users, configuring SNMP, and editing replacement messages.
Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic.
Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users.
IPSec VPN describes how to configure FortiGate IPSec VPN.
PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a windows client.
Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks.
Antivirus protection describes how use the FortiGate to protect your network from viruses and worms.
Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate.
Email filter describes how to configure email filtering to screen unwanted email content.
Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate.
•The Glossary defines many of the terms used in this document.
FortiGate-400 Installation and Configuration Guide 25
Document conventions Introduction

Document conventions

This guide uses the following conventions to describe CLI command syntax.
angle brackets < > to indicate variable keywords For example:
execute restore config <filename_str> You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword. <xxx_integer> indicates an integer variable keyword. <xxx_ip> indicates an IP address variable keyword.
vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent} You can enter set system opmode nat or set system opmode
transparent
square brackets [ ] to indicate that a keyword is optional For example:
get firewall ipmacbinding [dhcpipmac] You can enter get firewall ipmacbinding or
get firewall ipmacbinding dhcpipmac
26 Fortinet Inc.
Introduction Fortinet documentation

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre­shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
FortiGate-400 Installation and Configuration Guide 27
Customer service and technical support Introduction

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
Your name
Company name
•Location
Email address
Telephone number
FortiGate unit serial number
FortiGate model
FortiGate FortiOS firmware version
Detailed description of the problem
America and South America.
Malaysia, all other Asian countries, and Australia.
Europe, Africa, and the Middle East.
28 Fortinet Inc.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

Getting started

This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
If you are going to operate the FortiGate unit in NAT/Route mode, go to
“NAT/Route mode installation” on page 45.
If you are going to operate the FortiGate unit in Transparent mode, go to
“Transparent mode installation” on page 61.
If you are going to operate two or more FortiGate units in HA mode, go to “High
availability” on page 75.
This chapter describes:
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Planning your FortiGate configuration
FortiGate model maximum values matrix
Next steps
FortiGate-400 Installation and Configuration Guide 29
Package contents Getting started

Package contents

The FortiGate-400 package contains the following items:
FortiGate-400 Antivirus Firewall
one orange crossover ethernet cable
one gray regular ethernet cable
one null modem cable
FortiGate-400 QuickStart Guide
one power cable
CD containing the FortiGate user documentation
two 19-inch rack mount brackets
Figure 2: FortiGate-400 package contents
Ethernet Cables:
Orange - Crossover
Grey - Straight-through
Null-Modem Cable
(RS-232)
Esc Enter
Front
1
CONSOLE
4 / HA3
2

Mounting

LCD Control
Buttons
RS-232 Serial
Connection
Interface
1, 2, 3, 4/HA
Power Light
Power Cable
Back
Rack-Mount Brackets
FortiGate-400
4 / HA3
1
CONSOLE
2
Esc Enter
QuickStart Guide
Copyright 2003 Fortinet Incorporated. All rights reserved. Trademarks Products mentioned in this document are trademarks.
Documentation
Removable
Hard Drive
Power Switch
Power
Connection
USER MANUAL
The FortiGate-400 unit can be mounted in a standard 19-inch rack. It requires 1 U of vertical space in the rack.
The FortiGate-400 unit can also be installed as a free-standing appliance on any stable surface. For free-standing installation, make sure that the appliance has at least
1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Dimensions

16.75 x 12 x 1.75 in. 42.7 x 30.5 x 4.5 cm

Weight

11 lb. (5 kg)
30 Fortinet Inc.
Loading...
+ 278 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use