Fortinet FortiGate 4000 User Manual

FortiGate – 4000

KVM/ACCESS

PWR/KVMSTATUS

LAN 1 LAN 2

User Manual

KVM/ACCESS

KVM ACCESS

KVM/ACCESS

PWR/KVMSTATUS

LAN 1 LAN 2

PWR/KVMSTATUS

LAN 1 LAN 2

KVM/ACCESS

PWR/KVMSTATUS

LAN 1 LAN 2

POWER ON/OFF

No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-4000 Installation and Configuration Guide

Version 2.50 February 5 2004

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to

techdoc@fortinet.com.

Introduction .......................................................................................................... 15

Antivirus protection ........................................................................................................... 16

Web content filtering ......................................................................................................... 16

Email filtering .................................................................................................................... 17

Firewall.............................................................................................................................. 17

NAT/Route mode .......................................................................................................... 18

Transparent mode......................................................................................................... 18

VLANs and virtual domains............................................................................................... 18

Network intrusion detection............................................................................................... 18

VPN................................................................................................................................... 19

High availability ................................................................................................................. 19

Secure installation, configuration, and management ........................................................ 20

Web-based manager .................................................................................................... 20

Command line interface ................................................................................................ 21

Logging and reporting ................................................................................................... 21

Document conventions ..................................................................................................... 21

Fortinet documentation ..................................................................................................... 22

Comments on Fortinet technical documentation........................................................... 23

Customer service and technical support........................................................................... 23

Contents

Getting started ..................................................................................................... 25

Warnings and cautions ..................................................................................................... 26

Warning......................................................................................................................... 26

Package contents ............................................................................................................. 26

Physical description .......................................................................................................... 27

Front panel features.......................................................................................................... 28

FortiBlade-4010 module................................................................................................ 29

KVM switch module ...................................................................................................... 30

Rear panel features .......................................................................................................... 31

Power supplies and power connections........................................................................ 32

Cooling fan trays ........................................................................................................... 33

Management module .................................................................................................... 33

10/100 out of band management module ..................................................................... 34

Pass-through interface module ..................................................................................... 35

Switched interface module............................................................................................ 36

FortiGate-4000 Installation and Configuration Guide 3

Contents

Installing hardware............................................................................................................ 37

Choosing a suitable environment.................................................................................. 37

Choosing a rack ............................................................................................................ 37

Attaching the mounting rail ........................................................................................... 37

Installing FortiBlade-4010 modules............................................................................... 38

FortiGate-4000P network connections.......................................................................... 39

FortiGate-4000S network connections.......................................................................... 39

Out of band management connections ......................................................................... 40

Console management connections............................................................................... 40

Turning FortiGate-4000 chassis power on and off............................................................ 40

Turning on FortiGate-4000 chassis power.................................................................... 40

Turning off FortiGate-4000 chassis power.................................................................... 41

Hot swapping modules...................................................................................................... 41

Hot swapping FortiBlade-4010 modules ....................................................................... 42

Hot swapping cooling fan trays ..................................................................................... 42

Hot swapping power supplies ....................................................................................... 42

Hot swapping interface modules ................................................................................... 43

Hot swapping the 10/100 out of band management module ........................................ 43

Hot swapping the management module ....................................................................... 44

Hot swapping the KVM switch module.......................................................................... 44

Connecting to the web-based manager............................................................................ 44

Connecting to the FortiGate-4000 internal interface module ........................................ 45

Connecting to the FortiGate-4000 10/100 out of band management module............... 46

Connecting to the Command Line Interface (CLI) ............................................................ 47

Factory default configuration............................................................................................. 48

Factory default NAT/Route mode network configuration .............................................. 48

Factory default Transparent mode network configuration............................................. 49

Factory default firewall configuration ............................................................................ 50

Factory default content profiles..................................................................................... 51

Planning the FortiGate configuration ................................................................................ 54

NAT/Route mode standalone configuration .................................................................. 54

Transparent mode standalone configuration ................................................................ 55

FortiGate-4000 HA configuration .................................................................................. 56

FortiGate-4000 units with external load balancers........................................................ 57

FortiGate model maximum values matrix ......................................................................... 59

Next steps......................................................................................................................... 60

NAT/Route mode installation.............................................................................. 61

Preparing to configure NAT/Route mode.......................................................................... 61

Advanced NAT/Route mode settings............................................................................ 62

Out of band management interface .............................................................................. 63

Using the setup wizard...................................................................................................... 63

Starting the setup wizard .............................................................................................. 63

Reconnecting to the web-based manager .................................................................... 63

4 Fortinet Inc.

Using the command line interface..................................................................................... 64

Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 64

Configuring the out of band management interface...................................................... 65

Connecting the FortiGate unit to your networks................................................................ 65

Configuring your networks ................................................................................................ 66

Completing the configuration ............................................................................................ 66

Configuring the out of band management interface...................................................... 66

Setting the date and time .............................................................................................. 66

Changing antivirus protection ....................................................................................... 66

Registering your FortiGate unit ..................................................................................... 67

Configuring virus and attack definition updates ............................................................ 67

Transparent mode installation............................................................................ 69

Preparing to configure Transparent mode ........................................................................ 69

Out of band management interface .............................................................................. 70

Using the setup wizard...................................................................................................... 70

Changing to Transparent mode using the web-based manager................................... 70

Starting the setup wizard .............................................................................................. 70

Reconnecting to the web-based manager .................................................................... 71

Using the command line interface..................................................................................... 71

Changing to Transparent mode using the CLI .............................................................. 71

Configuring the Transparent mode management IP address ....................................... 71

Configure the Transparent mode default gateway........................................................ 72

Configure the out of band management interface......................................................... 72

Completing the configuration ............................................................................................ 72

Setting the date and time .............................................................................................. 72

Enabling antivirus protection......................................................................................... 72

Registering your FortiGate unit ..................................................................................... 73

Configuring virus and attack definition updates ............................................................ 73

Connecting the FortiGate unit to your networks................................................................ 73

Transparent mode configuration examples....................................................................... 74

Default routes and static routes .................................................................................... 74

Example default route to an external network............................................................... 75

Example static route to an external destination ............................................................ 76

Example static route to an internal destination ............................................................. 78

Contents

High availability.................................................................................................... 81

Configuring an HA cluster ................................................................................................. 82

Configuring FortiGate units for HA operation ................................................................ 82

Connecting the cluster .................................................................................................. 84

Adding a new FortiGate unit to a functioning cluster .................................................... 86

FortiGate-4000 Installation and Configuration Guide 5

Contents

Managing an HA cluster.................................................................................................... 87

Configuring cluster interface monitoring ....................................................................... 88

Viewing the status of cluster members ......................................................................... 88

Monitoring cluster members.......................................................................................... 89

Viewing cluster sessions............................................................................................... 90

Viewing and managing cluster log messages ............................................................... 90

Monitoring cluster units for failover ............................................................................... 91

Viewing cluster communication sessions...................................................................... 91

Managing individual cluster units .................................................................................. 92

Changing cluster unit host names................................................................................. 92

Synchronizing the cluster configuration ........................................................................ 93

Upgrading firmware....................................................................................................... 94

Replacing a FortiGate unit after failover ....................................................................... 95

Advanced HA options ....................................................................................................... 95

Selecting a FortiGate unit as a permanent primary unit................................................ 95

Configuring the priority of each FortiGate unit in the cluster ......................................... 96

Configuring weighted-round-robin weights ................................................................... 96

Active-Active cluster packet flow....................................................................................... 97

NAT/Route mode packet flow ....................................................................................... 97

Configuring switches to work with a NAT/Route mode cluster ..................................... 98

Transparent mode packet flow...................................................................................... 99

System status..................................................................................................... 101

Changing the FortiGate host name................................................................................. 102

Changing the FortiGate firmware.................................................................................... 102

Upgrading to a new firmware version ......................................................................... 103

Reverting to a previous firmware version.................................................................... 104

Installing firmware images from a system reboot using the CLI ................................. 107

Testing a new firmware image before installing it ....................................................... 109

Installing and using a backup firmware image ............................................................ 111

Manual virus definition updates ...................................................................................... 114

Manual attack definition updates .................................................................................... 115

Displaying the FortiGate serial number........................................................................... 115

Displaying the FortiGate up time..................................................................................... 115

Backing up system settings ............................................................................................ 115

Restoring system settings............................................................................................... 116

Restoring system settings to factory defaults ................................................................. 116

Changing to Transparent mode ...................................................................................... 117

Changing to NAT/Route mode........................................................................................ 117

Restarting the FortiGate unit........................................................................................... 118

Shutting down the FortiGate unit .................................................................................... 118

6 Fortinet Inc.

System status ................................................................................................................. 118

Viewing CPU and memory status ............................................................................... 119

Viewing sessions and network status ......................................................................... 120

Viewing virus and intrusions status............................................................................. 121

Session list...................................................................................................................... 122

Virus and attack definitions updates and registration ................................... 123

Updating antivirus and attack definitions ........................................................................ 123

Connecting to the FortiResponse Distribution Network .............................................. 124

Manually initiating antivirus and attack definitions updates ........................................ 125

Configuring update logging ......................................................................................... 126

Scheduling updates ........................................................................................................ 126

Enabling scheduled updates....................................................................................... 126

Adding an override server........................................................................................... 127

Enabling scheduled updates through a proxy server.................................................. 128

Enabling push updates ................................................................................................... 128

Enabling push updates ............................................................................................... 129

Push updates when FortiGate IP addresses change.................................................. 129

Enabling push updates through a NAT device............................................................ 129

Registering FortiGate units ............................................................................................. 133

FortiCare Service Contracts........................................................................................ 134

Registering the FortiGate unit ..................................................................................... 134

Updating registration information .................................................................................... 136

Recovering a lost Fortinet support password.............................................................. 136

Viewing the list of registered FortiGate units .............................................................. 137

Registering a new FortiGate unit ................................................................................ 137

Adding or changing a FortiCare Support Contract number......................................... 138

Changing your Fortinet support password .................................................................. 138

Changing your contact information or security question ............................................. 138

Downloading virus and attack definitions updates ...................................................... 139

Registering a FortiGate unit after an RMA...................................................................... 140

Contents

FortiGate-4000 Installation and Configuration Guide 7

Contents

Network configuration....................................................................................... 141

Configuring zones........................................................................................................... 141

Adding zones .............................................................................................................. 142

Deleting zones ............................................................................................................ 142

Configuring interfaces ..................................................................................................... 142

Viewing the interface list ............................................................................................. 143

Changing the administrative status of an interface ..................................................... 143

Adding an interface to a zone ..................................................................................... 143

Configuring an interface with a manual IP address .................................................... 144

Configuring an interface for DHCP ............................................................................. 144

Configuring an interface for PPPoE ............................................................................ 145

Adding a secondary IP address to an interface .......................................................... 146

Adding a ping server to an interface ........................................................................... 146

Controlling administrative access to an interface........................................................ 147

Changing the MTU size to improve network performance .......................................... 148

Configuring traffic logging for connections to an interface .......................................... 148

Configuring the management interface in Transparent mode..................................... 148

Out of band management ............................................................................................... 149

Out of band management interface CLI command ..................................................... 150

VLAN overview ............................................................................................................... 150

VLANs in NAT/Route mode ............................................................................................ 151

Rules for VLAN IDs..................................................................................................... 151

Rules for VLAN IP addresses ..................................................................................... 152

Adding VLAN subinterfaces ........................................................................................ 152

Virtual domains in Transparent mode ............................................................................. 153

Virtual domain properties ............................................................................................ 154

Configuring a virtual domain ....................................................................................... 154

Adding firewall policies for virtual domains ................................................................. 157

Deleting virtual domains.............................................................................................. 158

Adding DNS server IP addresses ................................................................................... 158

Configuring routing.......................................................................................................... 158

Adding a default route................................................................................................. 159

Adding destination-based routes to the routing table.................................................. 159

Adding routes in Transparent mode............................................................................ 160

Configuring the routing table....................................................................................... 161

Policy routing .............................................................................................................. 161

Configuring DHCP services ............................................................................................ 162

Configuring a DHCP relay agent................................................................................. 163

Configuring a DHCP server ........................................................................................ 163

8 Fortinet Inc.

RIP configuration ............................................................................................... 167

RIP settings..................................................................................................................... 167

Configuring RIP for FortiGate interfaces......................................................................... 169

Adding RIP filters ............................................................................................................ 171

Adding a RIP filter list.................................................................................................. 171

Assigning a RIP filter list to the neighbors filter........................................................... 172

Assigning a RIP filter list to the incoming filter ............................................................ 172

Assigning a RIP filter list to the outgoing filter............................................................. 173

System configuration ........................................................................................ 175

Setting system date and time.......................................................................................... 175

Changing system options................................................................................................ 176

Adding and editing administrator accounts..................................................................... 178

Adding new administrator accounts ............................................................................ 178

Editing administrator accounts.................................................................................... 179

Configuring SNMP .......................................................................................................... 180

Configuring the FortiGate unit for SNMP monitoring .................................................. 180

Configuring FortiGate SNMP support ......................................................................... 180

FortiGate MIBs............................................................................................................ 182

FortiGate traps ............................................................................................................ 183

Fortinet MIB fields ....................................................................................................... 185

Replacement messages ................................................................................................. 187

Customizing replacement messages .......................................................................... 188

Customizing alert emails............................................................................................. 189

Contents

Firewall configuration........................................................................................ 191

Default firewall configuration........................................................................................... 192

Interfaces .................................................................................................................... 192

VLAN subinterfaces .................................................................................................... 193

Zones .......................................................................................................................... 193

Addresses ................................................................................................................... 193

Services ...................................................................................................................... 194

Schedules ................................................................................................................... 194

Content profiles........................................................................................................... 194

Adding firewall policies.................................................................................................... 194

Firewall policy options................................................................................................. 196

Configuring policy lists .................................................................................................... 200

Policy matching in detail ............................................................................................. 200

Changing the order of policies in a policy list.............................................................. 201

Enabling and disabling policies................................................................................... 201

FortiGate-4000 Installation and Configuration Guide 9

Contents

Addresses ....................................................................................................................... 202

Adding addresses ....................................................................................................... 202

Editing addresses ....................................................................................................... 203

Deleting addresses ..................................................................................................... 204

Organizing addresses into address groups ................................................................ 204

Services .......................................................................................................................... 205

Predefined services .................................................................................................... 205

Adding custom TCP and UDP services ...................................................................... 208

Adding custom ICMP services .................................................................................... 209

Adding custom IP services.......................................................................................... 209

Grouping services ....................................................................................................... 209

Schedules ....................................................................................................................... 210

Creating one-time schedules ...................................................................................... 211

Creating recurring schedules ...................................................................................... 212

Adding schedules to policies....................................................................................... 213

Virtual IPs........................................................................................................................ 213

Adding static NAT virtual IPs ...................................................................................... 214

Adding port forwarding virtual IPs ............................................................................... 215

Adding policies with virtual IPs.................................................................................... 217

IP pools........................................................................................................................... 218

Adding an IP pool........................................................................................................ 218

IP Pools for firewall policies that use fixed ports ......................................................... 219

IP pools and dynamic NAT ......................................................................................... 219

IP/MAC binding ............................................................................................................... 220

Configuring IP/MAC binding for packets going through the firewall ............................ 220

Configuring IP/MAC binding for packets going to the firewall ..................................... 221

Adding IP/MAC addresses.......................................................................................... 221

Viewing the dynamic IP/MAC list ................................................................................ 222

Enabling IP/MAC binding ............................................................................................ 222

Content profiles............................................................................................................... 223

Default content profiles ............................................................................................... 224

Adding content profiles ............................................................................................... 224

Adding content profiles to policies .............................................................................. 226

Users and authentication .................................................................................. 227

Setting authentication timeout......................................................................................... 228

Adding user names and configuring authentication ........................................................ 228

Adding user names and configuring authentication .................................................... 228

Deleting user names from the internal database ........................................................ 229

Configuring RADIUS support .......................................................................................... 230

Adding RADIUS servers ............................................................................................. 230

Deleting RADIUS servers ........................................................................................... 230

10 Fortinet Inc.

Configuring LDAP support .............................................................................................. 231

Adding LDAP servers.................................................................................................. 231

Deleting LDAP servers................................................................................................ 232

Configuring user groups.................................................................................................. 232

Adding user groups..................................................................................................... 233

Deleting user groups................................................................................................... 234

IPSec VPN........................................................................................................... 235

Key management............................................................................................................ 236

Manual Keys ............................................................................................................... 236

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 236

Manual key IPSec VPNs................................................................................................. 237

General configuration steps for a manual key VPN .................................................... 237

Adding a manual key VPN tunnel ............................................................................... 237

AutoIKE IPSec VPNs ...................................................................................................... 239

General configuration steps for an AutoIKE VPN ....................................................... 239

Adding a phase 1 configuration for an AutoIKE VPN.................................................. 239

Adding a phase 2 configuration for an AutoIKE VPN.................................................. 244

Managing digital certificates............................................................................................ 246

Obtaining a signed local certificate ............................................................................. 246

Obtaining CA certificates ............................................................................................ 249

Configuring encrypt policies............................................................................................ 249

Adding a source address ............................................................................................ 250

Adding a destination address...................................................................................... 251

Adding an encrypt policy............................................................................................. 251

IPSec VPN concentrators ............................................................................................... 253

VPN concentrator (hub) general configuration steps .................................................. 254

Adding a VPN concentrator ........................................................................................ 255

VPN spoke general configuration steps...................................................................... 256

Monitoring and Troubleshooting VPNs ........................................................................... 257

Viewing VPN tunnel status.......................................................................................... 257

Viewing dialup VPN connection status ....................................................................... 258

Testing a VPN............................................................................................................. 258

Contents

PPTP and L2TP VPN .......................................................................................... 259

Configuring PPTP ........................................................................................................... 259

Configuring the FortiGate unit as a PPTP gateway .................................................... 260

Configuring a Windows 98 client for PPTP ................................................................. 262

Configuring a Windows 2000 client for PPTP ............................................................. 263

Configuring a Windows XP client for PPTP ................................................................ 263

Configuring L2TP............................................................................................................ 265

Configuring the FortiGate unit as an L2TP gateway ................................................... 265

Configuring a Windows 2000 client for L2TP.............................................................. 267

Configuring a Windows XP client for L2TP ................................................................. 268

FortiGate-4000 Installation and Configuration Guide 11

Contents

Network Intrusion Detection System (NIDS) ................................................... 271

Detecting attacks ............................................................................................................ 271

Selecting the interfaces to monitor.............................................................................. 272

Disabling monitoring interfaces................................................................................... 272

Configuring checksum verification .............................................................................. 272

Viewing the signature list ............................................................................................ 273

Viewing attack descriptions......................................................................................... 273

Disabling NIDS attack signatures ............................................................................... 274

Adding user-defined signatures .................................................................................. 274

Preventing attacks .......................................................................................................... 276

Enabling NIDS attack prevention ................................................................................ 276

Enabling NIDS attack prevention signatures .............................................................. 276

Setting signature threshold values.............................................................................. 277

Logging attacks............................................................................................................... 278

Logging attack messages to the attack log................................................................. 278

Reducing the number of NIDS attack log and email messages.................................. 278

Antivirus protection........................................................................................... 281

General configuration steps............................................................................................ 281

Antivirus scanning........................................................................................................... 282

File blocking.................................................................................................................... 283

Blocking files in firewall traffic ..................................................................................... 284

Adding file patterns to block........................................................................................ 284

Blocking oversized files and emails ................................................................................ 285

Configuring limits for oversized files and email........................................................... 285

Exempting fragmented email from blocking.................................................................... 285

Viewing the virus list ....................................................................................................... 286

Web filtering ....................................................................................................... 287

General configuration steps............................................................................................ 287

Content blocking ............................................................................................................. 288

Adding words and phrases to the Banned Word list ................................................... 288

Clearing the Banned Word list .................................................................................... 289

Backing up the Banned Word list................................................................................ 290

Restoring the Banned Word list .................................................................................. 290

URL blocking................................................................................................................... 291

Configuring FortiGate Web URL blocking ................................................................... 291

Configuring FortiGate Web pattern blocking............................................................... 294

Configuring Cerberian URL filtering ................................................................................ 294

Installing a Cerberian license key ............................................................................... 295

Adding a Cerberian user ............................................................................................. 295

Configuring Cerberian web filter ................................................................................. 295

Enabling Cerberian URL filtering ................................................................................ 296

12 Fortinet Inc.

Script filtering .................................................................................................................. 297

Enabling script filtering................................................................................................ 297

Selecting script filter options ....................................................................................... 297

Exempt URL list .............................................................................................................. 298

Adding URLs to the URL Exempt list .......................................................................... 298

Downloading the URL Exempt List ............................................................................. 299

Uploading a URL Exempt List..................................................................................... 299

Email filter........................................................................................................... 301

General configuration steps............................................................................................ 301

Email banned word list.................................................................................................... 302

Adding words and phrases to the email banned word list........................................... 302

Downloading the email banned word list .................................................................... 303

Uploading the email banned word list ......................................................................... 303

Email block list ................................................................................................................ 304

Adding address patterns to the email block list........................................................... 304

Downloading the email block list................................................................................. 304

Uploading an email block list ...................................................................................... 305

Email exempt list............................................................................................................. 305

Adding address patterns to the email exempt list ....................................................... 306

Adding a subject tag ....................................................................................................... 306

Contents

Logging and reporting....................................................................................... 307

Recording logs................................................................................................................ 307

Recording logs on a remote computer ........................................................................ 308

Recording logs on a NetIQ WebTrends server ........................................................... 308

Recording logs in system memory.............................................................................. 309

Log message levels .................................................................................................... 309

Filtering log messages .................................................................................................... 310

Configuring traffic logging ............................................................................................... 311

Enabling traffic logging................................................................................................ 312

Configuring traffic filter settings................................................................................... 313

Adding traffic filter entries ........................................................................................... 313

Viewing logs saved to memory ....................................................................................... 314

Viewing logs................................................................................................................ 314

Searching logs ............................................................................................................ 315

Configuring alert email .................................................................................................... 315

Adding alert email addresses...................................................................................... 316

Testing alert email....................................................................................................... 316

Enabling alert email .................................................................................................... 317

Glossary ............................................................................................................. 319

Index .................................................................................................................... 323

FortiGate-4000 Installation and Configuration Guide 13

Contents

14 Fortinet Inc.

FortiGate-4000 Installation and Configuration Guide Version 2.50

Introduction

FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.

The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:

• application-level services such as virus protection and content filtering,

• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as hostbased antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.

The FortiGate-4000 model is a chassis based system that broadband Service providers can use to provide subscriber security services such as firewall, VPN, and antivirus protection. The FortiGate-4000 system scales from 1 to 10 blades enabling customers to add incremental performance. Two basic system configurations provides flexibility to meet the network layout of high performance networks. The FortiGate-4000 supports high-end features including

802.1Q VLAN support, redundant hot-swappable power supplies and cooling, and

stateful failover HA.

FortiGate-4000 Installation and Configuration Guide 15

Antivirus protection Introduction

Antivirus protection

FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.

For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiGate unit. You can use the feature to stop files that might contain new viruses.

If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time.

The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.

ICSA Labs has certified that FortiGate Antivirus Firewalls:

• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),

• detect viruses in compressed files using the PKZip format,

• detect viruses in email that has been encoded using uuencode format,

• detect viruses in email that has been encoded using MIME encoding,

• log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can scan all HTTP content protocol streams for URLs or web page content. If there is a match between a URL on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.

You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.

To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists.

Web content filtering also includes a script filter feature that can block unsecure web content such as Java applets, cookies, and ActiveX.

You can use the Cerberian URL blocking to block unwanted URLs.

16 Fortinet Inc.

Introduction Email filtering

Email filtering

FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If there is a match between a sender address pattern on the email block list, or an email contains a word or phrase in the banned word list, the FortiGate adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.

You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentionally tagging email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned words lists.

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.

After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.

FortiGate policies include a range of options that:

• control all incoming and outgoing network traffic,

• control encrypted VPN traffic,

• apply antivirus protection and web content filtering,

• block or allow access for all policy options,

• control when individual policies are in effect,

• accept or deny traffic to and from individual addresses,

• control standard and user defined network services individually or in groups,

• require users to authenticate before gaining access,

• include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,

• include logging to track connections for individual policies,

• include Network Address Translation (NAT) mode and Route mode policies,

• include mixed NAT and Route mode policies.

The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

FortiGate-4000 Installation and Configuration Guide 17

VLANs and virtual domains Introduction

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.

• Route mode policies accept or deny connections between networks without performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets that the FortiGate unit receives are forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in the network at any point without having to make changes to your network or its components. However, VPN and some advanced firewall features are available only in NAT/Route mode.

VLANs and virtual domains

Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiGate unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain. The FortiGate unit can also apply authentication, content filtering, and antivirus protection to VLAN-tagged network and VPN traffic.

The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets. In Transparent mode, you create virtual domains and then add VLAN subinterfaces to those virtual domains.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a variety of suspicious network activity. NIDS uses attack signatures to identify more than 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write user-defined detection attack signatures.

NIDS prevention detects and prevents many common denial of service and packetbased attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.

To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log, and can be configured to send alert emails.

Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually or you can configure the FortiGate unit to automatically check for and download attack definition updates.

18 Fortinet Inc.

Introduction VPN

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network. Service providers can also use the FortiGate unit to provide VPN services for their clients.

FortiGate VPN features include the following:

• Industry standard and ICSA-certified IPSec VPN, including:

• IPSec, ESP security in tunnel mode,

• DES, 3DES (triple-DES), and AES hardware accelerated encryption,

• HMAC MD5 and HMAC SHA1 authentication and data integrity,

• AutoIKE key based on pre-shared key tunnels,

• IPSec VPN using local or CA certificates,

• Manual Keys tunnels,

• Diffie-Hellman groups 1, 2, and 5,

• Aggressive and Main Mode,

• Replay Detection,

• Perfect Forward Secrecy,

• XAuth authentication,

• Dead peer detection.

• PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.

• L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.

• Firewall policy based control of IPSec VPN traffic.

• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.

• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit.

• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

High availability

High Availability (HA) provides failover between two or more FortiGate units. Fortinet achieves HA by using redundant hardware: matching FortiGate models running in NAT/Route mode. You can configure the FortiGate units for either active-passive (A-P) or active-active (A-A) HA.

Both A-P and A-A HA use similar redundant hardware configurations. High availability software guarantees that if one of the FortiGate units in the HA group fails, all functions, established firewall connections, and IPSec VPN sessions are maintained.

FortiGate-4000 Installation and Configuration Guide 19

Secure installation, configuration, and management Introduction

Secure installation, configuration, and management

The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiGate features.

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.

You can use the web-based manager to configure most FortiGate settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.

Figure 1: The FortiGate web-based manager and setup wizard

20 Fortinet Inc.

Introduction Document conventions

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.

The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.

This Installation and Configuration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiGate CLI, see the FortiGate CLI Reference Guide.

Logging and reporting

The FortiGate unit supports logging for various categories of traffic and configuration changes. You can configure logging to:

• report traffic that connects to the firewall,

• report network services used,

• report traffic that was permitted by firewall policies,

• report traffic that was denied by firewall policies,

• report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,

• report attacks detected by the NIDS,

• send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.

Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGate units to log the most recent events and attacks detected by the NIDS to the system memory.

Document conventions

This guide uses the following conventions to describe CLI command syntax.

• angle brackets < > to indicate variable keywords

For example:

FortiGate-4000 Installation and Configuration Guide 21

Fortinet documentation Introduction

execute restore config <filename_str>

You enter restore config myfile.bak

<xxx_str> indicates an ASCII string variable keyword.

<xxx_integer> indicates an integer variable keyword.

<xxx_ip> indicates an IP address variable keyword.

• vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords

For example:

set system opmode {nat | transparent}

You can enter set system opmode nat or set system opmode transparent

• square brackets [ ] to indicate that a keyword is optional

For example:

get firewall ipmacbinding [dhcpipmac]

You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:

• Volume 1: FortiGate Installation and Configuration Guide

Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP, and email content passing through the FortiGate unit.

• Volume 2: FortiGate VPN Guide

Contains in-depth information about FortiGate IPSec VPN using certificates, preshared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

• Volume 3: FortiGate Content Protection Guide

Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.

22 Fortinet Inc.

Introduction Customer service and technical support

• Volume 4: FortiGate NIDS Guide

Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.

• Volume 5: FortiGate Logging and Message Reference Guide

Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.

• Volume 6: FortiGate CLI Reference Guide

Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.

The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage the FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.

Fortinet email support is available from the following addresses:

amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin

apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,

eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:

• Your name

• Company name

•Location

• Email address

• Telephone number

• FortiGate unit serial number

• FortiGate model

• FortiGate FortiOS firmware version

• Detailed description of the problem

America and South America.

Malaysia, all other Asian countries, and Australia.

Europe, Africa, and the Middle East.

FortiGate-4000 Installation and Configuration Guide 23

Customer service and technical support Introduction

24 Fortinet Inc.

FortiGate-4000 Installation and Configuration Guide Version 2.50

Getting started

This chapter describes unpacking, setting up, and powering on a FortiGate-4000 Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:

• If you are going to operate the FortiGate unit in NAT/Route mode, go to

“NAT/Route mode installation” on page 61.

• If you are going to operate the FortiGate unit in Transparent mode, go to

“Transparent mode installation” on page 69.

• If you are going to operate two or more FortiGate units in HA mode, go to “High

availability” on page 81.

This chapter describes:

• Warnings and cautions

• Package contents

• Physical description

• Front panel features

• Rear panel features

• Installing hardware

• Turning FortiGate-4000 chassis power on and off

• Hot swapping modules

• Connecting to the web-based manager

• Connecting to the Command Line Interface (CLI)

• Factory default configuration

• Planning the FortiGate configuration

• FortiGate model maximum values matrix

• Next steps

FortiGate-4000 Installation and Configuration Guide 25

Warnings and cautions Getting started

Warnings and cautions

You should be aware of the following cautions and warnings before operating the FortiGate-4000 antivirus firewall.

Warning

Turning off all power switches may not turn off all power to the FortiGate-4000 unit. Disconnect the FortiGate-4000 unit from its power source and from any telecommunications links and networks before installing and removing FortiGate-4000 components or performing other maintenance tasks. Failure to do this can result in personal injury or equipment damage. Some circuitry in the unit may continue to operate even though all power switches are off.

The procedures in this chapter are for qualified technical personnel with experience installing and configuring servers. Read and adhere to all warnings, cautions, and notices in this chapter.

Caution: Electrostatic discharge (ESD) can damage FortiGate-4000 components. You should only perform the procedures described in this chapter from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to a metal part of the FortiGate-4000 chassis.

Package contents

The FortiGate-4000 package consists of two or more packages. One or more of the packages contains two FortiBlade-4010 modules. Each FortiBlade-4010 module is capable of functioning as a standalone FortiGate-4000 antivirus firewall or being part of a FortiGate-4000 HA cluster.

The other package contains the following components:

• FortiGate-4000 chassis which includes the following components (already

• Three power cables,

• One RJ-45 to DB-9 serial cable (only the black header works with the

• One mounting rail kit,

• One FortiGate-4000 QuickStart Guide,

• One documentation CD containing Fortinet user documentation.

installed).

• One KVM switch module (front panel),

• Ten FortiGate-4000 empty slot covers (front panel),

• One management module (rear panel),

• Seven power supply modules (rear panel),

• Four cooling fan trays (rear panel),

• Two pass-through interface modules (FortiGate-4000P rear panel), or

• Two switched interface modules (FortiGate-4000S rear panel),

• One 10/100 out of band management module (rear panel).

FortiGate-4000 unit),

26 Fortinet Inc.

Getting started Physical description

Figure 2: FortiGate-4000 package contents

FortiGate-4000P Chassis (back view)

KVM/ACCESS

PWR/KVMSTATUS

LAN 1 LAN 2

POWER ON/OFF

Physical description

The FortiGate-4000 chassis is a 4U 19-inch rack mounted steel shelf with the following features:

• High density design accommodates up to 10 FortiBlade-4010 modules,

• Gigabit LAN interfaces,

• SFP connectors for multimode fibre optic interfaces (FortiGate-4000S),

• Built-in KVM switch module,

• Hot-swappable FortiBlade-4010 modules, power modules, and cooling fan trays,

• Redundant power modules for high reliability.

FortiGate-4000 Installation and Configuration Guide 27

Front panel features Getting started

Table 1: FortiGate-4000 chassis

Dimensions 42.6 x 17.7 x 67.0 cm 16.78 x 6.97 x 26.40 in.

Weight Minimum: 28 kg (61 lb) (no FortiBlade-4010 modules installed)

Operating Environment Temperature: 0 to 35°C

Storage Environment Temperature: -20 to 80°C

Power dissipation Minimum: 1050 watts

Power Requirements 100 ~ 230 VAC input

Power Consumption Minimum: 1.3 KVA (3+1 redundancy)

Front panel features

physical description

(W x H x D)

Maximum: 50 kg (110 lb) when full configured.

FortiBlade-4010: 2 kg

Relative humidity: 10% to 90% (Non-condensing)

Maximum: 2100 watts

AC inlet x 3

Maximum: 2.6 KVA (6+1 redundancy)

Figure 3 shows the location of the FortiGate-4000 chassis front panel components.

The front panel contains and provides access to up to 10 FortiBlade-4010 modules and the KVM switch module.

Figure 3: FortiGate-4000 chassis front panel

KVM/ACCESS

PWR/KVMSTATUS

LAN 1 LAN 2

POWER ON/OFF

Note: Do not operate the FortiGate-4000 chassis with open slots on the front panel. For optimum cooling performance, all front panel slots must either contain a FortiBlade-4010 module or be covered by an empty slot cover.

28 Fortinet Inc.

Getting started Front panel features

FortiBlade-4010 module

Each FortiBlade-4010 module is an independent FortiGate-4000 antivirus firewall capable of operating at gigabit network speeds. You can install up to 10 FortiBlade-4010 modules in the FortiGate-4000 chassis. Each FortiBlade-4010 module can operate as a standalone FortiGate-4000 antivirus firewall or you can group FortiBlade-4010 modules into high availability (HA) clusters. Each cluster provides failover between the FortiBlade-4010 modules in the cluster. In addition, when operating in active-active HA mode, the FortiBlade-4010 clusters provide antivirus scanning load balancing to increase virus scanning performance.

Figure 4: FortiBlade-4010 front panel

Mounting Knots

KVM/ACCESS

button

PWR/KVM and

STATUS LEDs

LAN 1 and

LAN 2 LEDs

KVM/ACCESS

PWR/KVMSTATUS

LAN 1 LAN 2

Not used

Power button

POWER ON/OFF

Module lock

and handle

Table 2: FortiBlade-4010 module front panel buttons

Button Description

KVM/Access Press and hold for approximately 5 seconds for KVM access to a

FortiBlade-4010 module.

Power Power the FortiBlade-4010 module on or off.

FortiGate-4000 Installation and Configuration Guide 29

Front panel features Getting started

Table 3: FortiBlade-4010 module front panel LEDs

LED State Description

PWR/KVM Blue The FortiBlade-4010 module is powered on.

Green KVM access to this FortiBlade-4010 module is enabled.

STATUS Off Normal operation.

Red System Fault.

LAN 1 Green The correct cable is connected to the internal interface of this

FortiBlade-4010 module and the connected equipment has power.

Flashing Network activity at the internal interface of this FortiBlade-4010

module.

LAN 2 Green The correct cable is connected to the external interface of this

FortiBlade-4010 module and the connected equipment has power.

Flashing Network activity at the external interface of this FortiBlade-4010

module.

KVM switch module

Use the KVM switch module to switch serial connections to the CLI of each FortiBlade-4010 module installed in the FortiGate-4000 chassis. To access the CLI, connect the the black header of the RJ-45 to DB-9 serial cable to the management module (see “Management module” on page 33) and to a management PC. You can use the FortiBlade select buttons on the KVM switch module to select the FortiBlade4010 module that you can connect to.

Figure 5: KVM switch module front panel

Mounting Knot

ALARM

KVM

FortiBlade

select buttons

Not used

ALARM

KVM

30 Fortinet Inc.

+ 302 hidden pages

Fortinet FortiGate 4000 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Table of Contents

Introduction

Antivirus protection

Web content filtering

Email filtering

Firewall

NAT/Route mode

Transparent mode

VLANs and virtual domains

Network intrusion detection

High availability

Secure installation, configuration, and management

Web-based manager

Command line interface

Logging and reporting

Document conventions

Fortinet documentation

Comments on Fortinet technical documentation

Customer service and technical support

Getting started

Warnings and cautions

Warning

Package contents

Physical description

Front panel features

FortiBlade-4010 module

KVM switch module