FortiGate™
Version 4.0 MR1
Administration Guide
Preliminary version: This version of the FortiGate Administration Guide includes fixes to a
number of bugs reported about the 24 August 2009 version of this guide. We expect to correct
more errors and omissions and release multiple versions between now and October 2009. See
the most recent FortiOS 4.0 MR1 release notes for up-to-date information about new 4.0 MR1
features. Contact techdoc@fortinet.com if you have any questions or comments about this
preliminary version of the FortiOS 4.0 MR1 FortiGate Administration Guide.
Visit http://support.fortinet.com to register your FortiGate product. By registering you can
receive product updates, technical support, and FortiGuard services.
FortiGate Administration Guide
Version 4.0 MR1
3 September 2009
01-410-89802-20090903
© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction ............................................................................................ 23
Fortinet products .......................................................................................................... 23
About this document .................................................................................................... 24
Registering your Fortinet product............................................................................... 26
Customer service and technical support.................................................................... 26
Training .......................................................................................................................... 27
Documentation ............................................................................................................. 27
Fortinet Tools and Documentation CD ..................................................................... 27
Fortinet Knowledge Base.......................................................................................... 27
Comments on Fortinet technical documentation ..................................................... 27
Scope ............................................................................................................................. 27
Conventions .................................................................................................................. 28
IP addresses............................................................................................................. 28
Notes, Tips and Cautions ......................................................................................... 28
Typographical conventions....................................................................................... 29
Command syntax conventions.................................................................................. 29
What’s new in FortiOS Version 4.0 MR1 .............................................. 33
New SIP ALG configuration options ........................................................................... 34
Opening and closing SIP register and non-register pinholes.................................... 34
Support for RFC 2543-compliant branch commands ............................................... 34
Easy FortiCare and FortiGuard services registration and renewal.......................... 35
Endpoint control enhancements ................................................................................. 35
Per-VDOM replacement messages.............................................................................. 35
Content archiving is now DLP archive........................................................................ 36
Topology viewer is now a custom web-based manager page.................................. 36
Usage page shows application, policy, and DLP archive usage .............................. 37
Alert Message Console enhancements ...................................................................... 37
WCCP widget................................................................................................................. 37
SSL VPN enhancements............................................................................................... 38
Single Sign-On.......................................................................................................... 38
IP address ranges are now defined as firewall addresses ....................................... 39
OS Check changes................................................................................................... 40
Client check changes................................................................................................ 40
Virtual Desktop enhancements................................................................................. 41
Virtual Desktop Application Control .......................................................................... 42
Two-factor authentication ............................................................................................ 43
Force UTF-8 login..................................................................................................... 44
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 3
http://docs.fortinet.com/ • Feedback
FortiGate wireless controller ....................................................................................... 44
Interface status detection for gateway load balancing ............................................. 44
Enhanced ECMP route failover and load balancing .................................................. 44
SCEP extensions........................................................................................................... 44
Dynamic routing for IPv6 traffic................................................................................... 47
Additions to router bgp command............................................................................. 47
router access-list6..................................................................................................... 51
router ospf6............................................................................................................... 52
router prefix-list6....................................................................................................... 56
router ripng ............................................................................................................... 58
get router info6 {bgp | ospf | protocols | rip} .............................................................. 62
IPv6 DNS ........................................................................................................................ 63
IPv6 transparent mode ................................................................................................. 63
IPv6 administrative access .......................................................................................... 63
Network interface changes for IPv6.......................................................................... 64
Administrator settings ............................................................................................... 65
UTM features support IPv6 traffic................................................................................ 66
HTTP basic authentication in firewall policies ........................................................... 66
VDOM dashboard .......................................................................................................... 66
IPsec protocol improvements...................................................................................... 67
Support for IKE v2 .................................................................................................... 67
Support for DH-2048 (Group 14) .............................................................................. 67
Support for SHA256.................................................................................................. 68
Auto-configuration of IPsec VPNs............................................................................... 69
IPsec Phase 1 CLI configuration for IKE Configuration Method ............................... 69
IPsec Phase 2 configuration for IKE Configuration Method...................................... 71
Integral basic DNS server............................................................................................. 72
Creating local DNS entries ....................................................................................... 72
Enabling DNS on an interface .................................................................................. 73
Per-VDOM DNS configuration...................................................................................... 74
Password policy............................................................................................................ 75
Use LDAP groups in firewall and SSL-VPN authentication ...................................... 76
Traffic shaping enhancements .................................................................................... 77
Shared traffic shaping............................................................................................... 77
Per-IP traffic shaping ................................................................................................ 77
Accounting and quota enforcement.......................................................................... 78
Logging enhancements................................................................................................ 79
Support for per-VDOM FortiAnalyzer units or syslog devices .................................. 79
SQL log format for Executive Summary reports ....................................................... 81
Antivirus changes ......................................................................................................... 82
Reliable syslog .............................................................................................................. 83
Web filtering combined block/exempt list .................................................................. 83
Web filtering by content header .................................................................................. 85
Safe search .................................................................................................................... 86
Data Leak Prevention supports international character sets ................................... 86
SNMPv3 enhancements................................................................................................ 87
Support for snmpEngineID ....................................................................................... 87
Authentication and privacy........................................................................................ 87
Schedule groups........................................................................................................... 88
Web-based manager.............................................................................. 89
Common web-based manager tasks........................................................................... 90
Connecting to the web-based manager.................................................................... 90
Changing your FortiGate administrator password .................................................... 91
Changing the web-based manager language........................................................... 91
Changing administrative access to your FortiGate unit ............................................ 92
Changing the web-based manager idle timeout ....................................................... 92
Connecting to the FortiGate CLI from the web-based manager ............................... 93
Button bar features ....................................................................................................... 93
Contacting Customer Support..................................................................................... 93
Backing up your FortiGate configuration ................................................................... 94
Using FortiGate Online Help ........................................................................................ 94
Searching the online help ......................................................................................... 96
Logging out ................................................................................................................... 97
Web-based manager pages.......................................................................................... 97
Using the web-based manager menu....................................................................... 98
Using web-based manager lists................................................................................ 99
Adding filters to web-based manager lists ................................................................ 99
Using page controls on web-based manager lists .................................................. 102
Using column settings to control the columns displayed ........................................ 103
Using filters with column settings............................................................................ 104
Web-based manager icons......................................................................................... 105
System Status ...................................................................................... 107
Viewing the system dashboard ................................................................................. 107
VDOM and global dashboards................................................................................ 108
Viewing the system dashboard............................................................................... 108
System Information................................................................................................. 109
License Information ................................................................................................ 110
Unit Operation......................................................................................................... 113
System Resources.................................................................................................. 114
Alert Message Console........................................................................................... 115
Log and Archive Statistics ...................................................................................... 117
CLI Console............................................................................................................ 119
Top Sessions.......................................................................................................... 120
Viewing the current sessions list............................................................................. 122
Top Viruses............................................................................................................. 124
Top Attacks............................................................................................................. 124
Traffic History.......................................................................................................... 124
Changing system information ................................................................................... 125
Configuring system time ......................................................................................... 125
Changing the FortiGate unit host name.................................................................. 126
Changing the FortiGate firmware .............................................................................. 126
Upgrading to a new firmware version ..................................................................... 127
Reverting to a previous firmware version ............................................................... 128
Viewing operational history ....................................................................................... 129
Manually updating FortiGuard definitions................................................................ 129
Viewing Log and Archive Statistics .......................................................................... 130
Viewing DLP Archive information on the Statistics widget...................................... 130
Viewing the Attack Log ........................................................................................... 132
Configuring AMC modules......................................................................................... 133
Auto-bypass and recovery for AMC bridge module.......................................... 134
Enabling or disabling bypass mode for AMC bridge modules ................................ 135
Viewing application, policy, and DLP archive usage data ...................................... 137
Top Application Usage............................................................................................ 137
Top Policy Usage.................................................................................................... 139
DLP Archive Usage ................................................................................................ 141
Using the topology viewer ......................................................................................... 142
Adding a subnet object ........................................................................................... 145
Customizing the topology diagram ......................................................................... 146
Managing firmware versions............................................................... 147
Backing up your configuration .................................................................................. 148
Backing up your configuration through the web-based manager ........................... 148
Backing up your configuration through the CLI....................................................... 148
Backing up your configuration to a USB key .......................................................... 149
Testing firmware before upgrading........................................................................... 150
Upgrading your FortiGate unit................................................................................... 151
Upgrading to FortiOS 4.0 through the web-based manager................................... 151
Upgrading to FortiOS 4.0 through the CLI.............................................................. 152
Verifying the upgrade.............................................................................................. 153
Reverting to a previous firmware image................................................................... 154
Downgrading to a previous firmware through the web-based manager ................. 154
Verifying the downgrade......................................................................................... 155
Downgrading to a previous firmware through the CLI ............................................ 155
Restoring your configuration..................................................................................... 157
Restoring your configuration settings in the web-based manager.......................... 157
Restoring your configuration settings in the CLI ..................................................... 157
Using virtual domains.......................................................................... 159
Virtual domains ........................................................................................................... 159
Benefits of VDOMs ................................................................................................. 159
VDOM configuration settings.................................................................................. 160
Global configuration settings .................................................................................. 163
Enabling VDOMs ......................................................................................................... 164
Configuring VDOMs and global settings .................................................................. 165
VDOM licenses ....................................................................................................... 165
Creating a new VDOM............................................................................................ 166
Working with VDOMs and global settings............................................................... 167
Adding interfaces to a VDOM ................................................................................. 168
Inter-VDOM links .................................................................................................... 169
Assigning an interface to a VDOM.......................................................................... 170
Assigning an administrator to a VDOM................................................................... 171
Changing the management VDOM......................................................................... 172
Configuring VDOM resource limits ........................................................................... 172
Setting VDOM global resource limits...................................................................... 173
Configuring resource usage for individual VDOMs................................................. 174
System Network ................................................................................... 177
Configuring interfaces................................................................................................ 177
Switch Mode ........................................................................................................... 180
Interface settings .................................................................................................... 181
Creating a VLAN subinterface ................................................................................ 185
Creating a loopback interface................................................................................. 185
Creating an 802.3ad aggregate interface ............................................................... 186
Creating a redundant interface ............................................................................... 187
Configuring DHCP on an interface ......................................................................... 188
Configuring an interface for PPPoE........................................................................ 190
Configuring Dynamic DNS on an interface ............................................................. 191
Configuring a virtual IPSec interface ...................................................................... 191
Configuring administrative access to an interface .................................................. 192
Interface status detection for gateway load balancing............................................ 193
Interface MTU packet size...................................................................................... 195
Secondary IP Addresses ........................................................................................ 196
Adding a software switch interface ......................................................................... 197
Configuring zones....................................................................................................... 198
Configuring the modem interface.............................................................................. 199
Configuring modem settings................................................................................... 199
Redundant mode configuration............................................................................... 201
Standalone mode configuration.............................................................................. 202
Adding firewall policies for modem connections ..................................................... 203
Connecting and disconnecting the modem............................................................. 203
Checking modem status ......................................................................................... 204
Configuring Networking Options............................................................................... 204
DNS Servers........................................................................................................... 205
Configuring FortiGate DNS services......................................................................... 205
About split DNS ...................................................................................................... 206
Configuring FortiGate DNS services....................................................................... 206
Configuring the FortiGate DNS database ............................................................... 208
Configuring the explicit web proxy ........................................................................... 210
Configuring WCCP...................................................................................................... 212
Routing table (Transparent Mode)............................................................................. 213
Transparent mode route settings............................................................................ 214
System Wireless................................................................................... 215
FortiWiFi wireless interfaces ..................................................................................... 215
Channel assignments ................................................................................................. 216
IEEE 802.11a channel numbers............................................................................. 216
IEEE 802.11b channel numbers............................................................................. 216
IEEE 802.11g channel numbers............................................................................. 217
Wireless settings......................................................................................................... 218
Adding a wireless interface..................................................................................... 219
Wireless MAC Filter .................................................................................................... 221
Managing the MAC Filter list................................................................................... 222
Wireless Monitor ......................................................................................................... 223
Rogue AP detection .................................................................................................... 224
Viewing wireless access points .............................................................................. 224
System DHCP ....................................................................................... 227
FortiGate DHCP servers and relays .......................................................................... 227
Configuring DHCP services ....................................................................................... 228
Configuring an interface as a DHCP relay agent.................................................... 229
Configuring a DHCP server .................................................................................... 229
Viewing address leases.............................................................................................. 231
Reserving IP addresses for specific clients ............................................................ 231
System Config...................................................................................... 233
HA ................................................................................................................................. 233
HA options .............................................................................................................. 233
Cluster members list............................................................................................... 236
Viewing HA statistics .............................................................................................. 238
Changing subordinate unit host name and device priority...................................... 239
Disconnecting a cluster unit from a cluster ............................................................. 240
SNMP............................................................................................................................ 241
Configuring SNMP.................................................................................................. 242
Configuring an SNMP community........................................................................... 242
Fortinet MIBs .......................................................................................................... 244
Fortinet and FortiGate traps.................................................................................... 245
Fortinet and FortiGate MIB fields............................................................................ 248
Replacement messages ............................................................................................. 250
VDOM and global replacement messages ............................................................. 251
Viewing the replacement messages list.................................................................. 251
Changing replacement messages .......................................................................... 252
Mail replacement messages................................................................................... 254
HTTP replacement messages ................................................................................ 254
FTP replacement messages................................................................................... 255
NNTP replacement messages................................................................................ 256
Alert Mail replacement messages........................................................................... 256
Spam replacement messages ................................................................................ 257
Administration replacement message..................................................................... 257
Authentication replacement messages................................................................... 258
FortiGuard Web Filtering replacement messages .................................................. 259
IM and P2P replacement messages....................................................................... 260
Endpoint NAC replacement message..................................................................... 261
NAC quarantine replacement messages ................................................................ 261
Traffic quota control replacement messages.......................................................... 262
SSL VPN replacement message ............................................................................ 262
Replacement message tags ................................................................................... 262
Operation mode and VDOM management access ................................................... 263
Changing operation mode ...................................................................................... 263
Management access............................................................................................... 264
System Admin ...................................................................................... 267
Administrators............................................................................................................. 267
Viewing the administrators list ................................................................................ 269
Configuring an administrator account..................................................................... 270
Changing an administrator account password........................................................ 272
Configuring regular (password) authentication for administrators .......................... 272
Configuring remote authentication for administrators ............................................. 272
Configuring PKI certificate authentication for administrators .................................. 278
Admin profiles ............................................................................................................. 280
Viewing the admin profiles list ................................................................................ 283
Configuring an admin profile................................................................................... 284
Central Management................................................................................................... 285
Settings ........................................................................................................................ 286
Monitoring administrators.......................................................................................... 289
FortiGate IPv6 support ............................................................................................... 289
Customizable web-based manager ........................................................................... 290
System Certificates.............................................................................. 301
Local Certificates ....................................................................................................... 302
Generating a certificate request.............................................................................. 303
Downloading and submitting a certificate request .................................................. 304
Importing a signed server certificate....................................................................... 305
Importing an exported server certificate and private key ........................................ 305
Importing separate server certificate and private key files...................................... 306
Remote Certificates .................................................................................................... 306
Importing Remote (OCSP) certificates ................................................................... 307
CA Certificates ............................................................................................................ 307
Importing CA certificates......................................................................................... 308
CRL............................................................................................................................... 309
Importing a certificate revocation list ...................................................................... 309
System Maintenance............................................................................ 311
About the Maintenance menu .................................................................................... 311
Backing up and restoring........................................................................................... 312
Basic backup and restore options........................................................................... 313
Upgrading and downgrading firmware.................................................................... 316
Upgrading and downgrading firmware through FortiGuard .................................... 317
Configuring advanced options ................................................................................ 318
Managing configuration revisions............................................................................. 319
Using script files ......................................................................................................... 320
Creating script files ................................................................................................. 321
Uploading script files............................................................................................... 321
Configuring FortiGuard Services .............................................................................. 322
FortiGuard Distribution Network ............................................................................. 322
FortiGuard services ................................................................................................ 322
Configuring the FortiGate unit for FDN and FortiGuard subscription services ....... 323
Troubleshooting FDN connectivity ........................................................................... 328
Updating antivirus and attack definitions................................................................. 328
Enabling push updates............................................................................................... 330
Enabling push updates when a FortiGate unit IP address changes....................... 330
Enabling push updates through a NAT device ....................................................... 331
Adding VDOM Licenses.............................................................................................. 333
Router Static ........................................................................................ 335
Routing concepts ....................................................................................................... 335
How the routing table is built .................................................................................. 336
How routing decisions are made ........................................................................... 336
Multipath routing and determining the best route ................................................... 336
Route priority ......................................................................................................... 337
Blackhole Route...................................................................................................... 337
Static Route ................................................................................................................ 338
Working with static routes ...................................................................................... 338
Default route and default gateway ......................................................................... 340
Adding a static route to the routing table ............................................................... 343
ECMP route failover and load balancing .................................................................. 344
Configuring spill-over or usage-based ECMP......................................................... 346
Configuring weighted static route load balancing ................................................... 348
Policy Route ............................................................................................................... 351
Adding a policy route .............................................................................................. 352
Moving a policy route.............................................................................................. 354
Router Dynamic.................................................................................... 357
RIP ................................................................................................................................ 357
Viewing and editing basic RIP settings................................................................... 358
Selecting advanced RIP options............................................................................. 360
Configuring a RIP-enabled interface....................................................................... 361
OSPF ............................................................................................................................ 362
Defining an OSPF AS—Overview .......................................................................... 363
Configuring basic OSPF settings............................................................................ 364
Selecting advanced OSPF options......................................................................... 366
Defining OSPF areas.............................................................................................. 367
Specifying OSPF networks ..................................................................................... 368
Selecting operating parameters for an OSPF interface .......................................... 369
BGP .............................................................................................................................. 370
Viewing and editing BGP settings........................................................................... 371
Multicast....................................................................................................................... 372
Viewing and editing multicast settings.................................................................... 373
Overriding the multicast settings on an interface.................................................... 374
Multicast destination NAT ....................................................................................... 374
Bi-directional Forwarding Detection (BFD) .............................................................. 375
Configuring BFD ..................................................................................................... 375
Customizable routing widgets ................................................................................... 377
Access List.............................................................................................................. 377
Distribute List.......................................................................................................... 378
Key Chain ............................................................................................................... 378
Offset List................................................................................................................ 379
Prefix List................................................................................................................ 380
Route Map .............................................................................................................. 380
Router Monitor ..................................................................................... 383
Viewing routing information ...................................................................................... 383
Searching the FortiGate routing table....................................................................... 385
Firewall Policy ...................................................................................... 387
How list order affects policy matching ..................................................................... 387
Moving a policy to a different position in the policy list ........................................... 388
Enabling and disabling policies............................................................................... 389
Multicast policies ........................................................................................................ 389
Viewing the firewall policy list ................................................................................... 390
Configuring firewall policies ...................................................................................... 391
Adding authentication to firewall policies ................................................................ 396
Identity-based firewall policy options (non-SSL-VPN) ............................................ 397
IPSec firewall policy options ................................................................................... 399
Configuring SSL VPN identity-based firewall policies............................................. 400
Using DoS policies to detect and prevent attacks................................................... 404
Viewing the DoS policy list...................................................................................... 404
Configuring DoS policies ........................................................................................ 406
Using one-arm sniffer policies to detect network attacks ...................................... 406
Viewing the sniffer policy list................................................................................... 407
Configuring sniffer policies...................................................................................... 409
How FortiOS selects unused NAT ports ................................................................... 410
Global pool.............................................................................................................. 411
Global per-protocol pool ......................................................................................... 411
Per NAT IP pool...................................................................................................... 411
Per NAT IP, destination IP, port, and protocol pool ................................................ 412
Firewall policy examples ............................................................................................ 414
Scenario one: SOHO-sized business ..................................................................... 414
Scenario two: enterprise-sized business ................................................................ 417
Firewall Address .................................................................................. 421
About firewall addresses............................................................................................ 421
Viewing the firewall address list................................................................................ 422
Configuring addresses ............................................................................................... 423
Viewing the address group list .................................................................................. 424
Configuring address groups...................................................................................... 424
Firewall Service.................................................................................... 427
Viewing the predefined service list ........................................................................... 427
Viewing the custom service list................................................................................. 432
Configuring custom services..................................................................................... 433
Viewing the service group list ................................................................................... 435
Configuring service groups ....................................................................................... 435
Firewall Schedule................................................................................. 437
Viewing the recurring schedule list........................................................................... 437
Configuring recurring schedules .............................................................................. 438
Viewing the one-time schedule list ........................................................................... 438
Configuring one-time schedules ............................................................................... 439
Configuring schedule groups .................................................................................... 439
Traffic Shaping..................................................................................... 441
Guaranteed bandwidth and maximum bandwidth ................................................... 441
Traffic priority.............................................................................................................. 442
Traffic shaping considerations.................................................................................. 442
Configuring shared traffic shapers ........................................................................... 443
Configuring Per IP traffic shaping............................................................................. 444
Accounting and quota enforcement.......................................................................... 445
Firewall Virtual IP ................................................................................. 447
How virtual IPs map connections through FortiGate units..................................... 447
Inbound connections............................................................................................... 447
Outbound connections............................................................................................ 450
VIP requirements.................................................................................................... 451
Viewing the virtual IP list............................................................................................ 451
Configuring virtual IPs................................................................................................ 452
Adding a static NAT virtual IP for a single IP address ............................................ 454
Adding a static NAT virtual IP for an IP address range .......................................... 455
Adding static NAT port forwarding for a single IP address and a single port.......... 457
Adding static NAT port forwarding for an IP address range and a port range........ 459
Adding dynamic virtual IPs ..................................................................................... 460
Adding a virtual IP with port translation only........................................................... 461
Virtual IP Groups......................................................................................................... 462
Viewing the VIP group list.......................................................................................... 462
Configuring VIP groups.............................................................................................. 462
IP pools ........................................................................................................................ 463
IP pools and dynamic NAT ..................................................................................... 464
IP Pools for firewall policies that use fixed ports..................................................... 464
Source IP address and IP pool address matching.................................................. 464
Viewing the IP pool list ............................................................................................... 465
Configuring IP Pools................................................................................................... 465
Double NAT: combining IP pool with virtual IP........................................................ 466
Adding NAT firewall policies in transparent mode .................................................. 468
Firewall Load Balance ......................................................................... 471
How load balancer works ........................................................................................... 471
Configuring virtual servers ........................................................................................ 472
Configuring real servers............................................................................................. 475
Configuring health check monitors........................................................................... 476
Monitoring the servers ............................................................................................... 478
Firewall Protection Profile................................................................... 479
What is a protection profile?...................................................................................... 479
Adding a protection profile to a firewall policy ........................................................ 480
Default protection profiles ......................................................................................... 480
Viewing the protection profile list ............................................................................. 481
SSL content scanning and inspection ...................................................................... 481
Supported FortiGate models................................................................................... 482
Setting up certificates to avoid client warnings ....................................................... 482
Configuring SSL content scanning and inspection ................................................. 484
Configuring a protection profile ................................................................................ 486
Protocol recognition options ................................................................................... 487
Anti-Virus options.................................................................................................... 489
IPS options ............................................................................................................. 492
Web Filtering options.............................................................................................. 493
FortiGuard Web Filtering options............................................................................ 495
Email Filtering options ............................................................................................ 498
Data Leak Prevention Sensor options .................................................................... 501
Application Control options..................................................................................... 502
Logging options ...................................................................................................... 503
SIP support........................................................................................... 505
VoIP and SIP ................................................................................................................ 505
The FortiGate unit and VoIP security ........................................................................ 507
SIP NAT.................................................................................................................. 507
How SIP support works .............................................................................................. 509
Configuring SIP ........................................................................................................... 510
Enabling SIP support and setting rate limiting from the web-based manager ........ 510
Enabling SIP support from the CLI ......................................................................... 511
Enabling SIP logging .............................................................................................. 512
Enabling advanced SIP features in an application list ............................................ 512
AntiVirus ............................................................................................... 517
Order of operations..................................................................................................... 517
Antivirus tasks ............................................................................................................ 518
FortiGuard antivirus ................................................................................................ 519
Antivirus settings and controls ................................................................................. 519
File Filter ...................................................................................................................... 521
Built-in patterns and supported file types................................................................ 521
Viewing the file filter list catalog.............................................................................. 522
Creating a new file filter list..................................................................................... 522
Viewing the file filter list .......................................................................................... 523
Configuring the file filter list..................................................................................... 523
File Quarantine ............................................................................................................ 524
Viewing the AutoSubmit list .................................................................................... 525
Configuring the AutoSubmit list .............................................................................. 525
Configuring quarantine options............................................................................... 525
Selecting the virus database...................................................................................... 527
Antivirus CLI configuration........................................................................................ 528
Intrusion Protection............................................................................. 531
About intrusion protection......................................................................................... 531
Intrusion Protection settings and controls............................................................... 532
When to use Intrusion Protection............................................................................ 532
Signatures.................................................................................................................... 532
Viewing the predefined signature list...................................................................... 533
Using display filters................................................................................................. 534
Custom signatures...................................................................................................... 535
Viewing the custom signature list ........................................................................... 535
Creating custom signatures.................................................................................... 535
Protocol decoders....................................................................................................... 536
Viewing the protocol decoder list............................................................................ 536
Upgrading the IPS protocol decoder list ................................................................. 537
IPS sensors.................................................................................................................. 537
Viewing the IPS sensor list ..................................................................................... 537
Adding an IPS sensor............................................................................................. 538
Configuring IPS sensors ......................................................................................... 538
Configuring filters.................................................................................................... 540
Configuring pre-defined and custom overrides....................................................... 541
Packet logging ........................................................................................................ 543
DoS sensors
Viewing the DoS sensor list
Configuring DoS sensors
Understanding the anomalies
Intrusion protection CLI configuration
Web Filter
Order of web filtering
How web filtering works
Web filter controls
Web content filter
Viewing the web content filter list catalog
Creating a new web content filter list
Viewing the web content filter list
Configuring the web content filter list
URL filter
Viewing the URL filter list catalog
Creating a new URL filter list
Viewing the URL filter list
Configuring the URL filter list
URL formats
Moving URLs in the URL filter list
FortiGuard - Web Filter
Configuring FortiGuard Web Filtering
Viewing the override list
Configuring administrative override rules
Creating local categories
Viewing the local ratings list
Configuring local ratings
Category block CLI configuration
FortiGuard Web Filtering reports
Email filtering
FortiGuard Email Filtering (also called the FortiGuard Antispam Service)
Order of email filtering
Email filter controls
Banned word
Viewing the banned word list catalog
Creating a new banned word list
Viewing the email filtering banned word list
Adding words to the banned word list
IP address and email address black/white lists
Viewing the Email Filter IP address list catalog
Creating a new IP address list
Viewing the IP address list
Adding an IP address
Viewing the Email Filter email address list catalog
Creating a new email address list
Viewing the email address list
Configuring the email address list
Advanced Email Filter configuration
config spamfilter mheader
config spamfilter dnsbl
Using wildcards and Perl regular expressions
Perl regular expression formats
Example regular expressions
Data Leak Prevention
DLP Sensors
Viewing the DLP sensor list
Adding and configuring a DLP sensor
Adding or editing a rule or compound rule in a DLP sensor
DLP archiving
Configuring DLP archiving
Configuring spam email message archiving
Viewing DLP archives
DLP Rules
Viewing the DLP rule list
Adding or configuring DLP rules
DLP Compound Rules
Viewing the DLP compound rule list
Adding and configuring DLP compound rules
Application Control
What is application control?
FortiGuard application control database
Viewing the application control black/white lists
Creating a new application control black/white list
Configuring an application control black/white list
Adding or configuring an application control black/white list entry
Application control statistics
IPSec VPN
Overview of IPSec VPN configuration
Policy-based versus route-based VPNs
Auto Key
Creating a new phase 1 configuration
Defining phase 1 advanced settings
Creating a new phase 2 configuration
Defining phase 2 advanced settings
Manual Key
Creating a new manual key configuration
Internet browsing configuration
Concentrator
Defining concentrator options
Monitoring VPNs
PPTP VPN
PPTP configuration using FortiGate web-based manager
PPTP configuration using CLI commands
SSL VPN
ssl.root
Configuring SSL VPN
SSL VPN web portal
Default web portal configurations
Configuring web portal settings
Configuring the virtual desktop
Configuring security control
Configuring web portal layout
Session Information widget
Bookmarks widget
Connection Tool widget
Tunnel Mode widget
Virtual Desktop Application Control
Host Check list
SSL VPN monitor list
User
Getting started - User authentication
Local user accounts
Configuring Local user accounts
Remote
RADIUS
Configuring a RADIUS server
LDAP
Configuring an LDAP server
TACACS+
Configuring TACACS+ servers
Directory Service
Configuring a Directory Service server
PKI
Configuring peer users and peer groups
User Group
Firewall user groups
Directory Service user groups
SSL VPN user groups
Viewing the User group list
Configuring a user group
Configuring FortiGuard Web filtering override options
Dynamically assigning VPN client IP addresses from a user group
Options
Monitor
Firewall user monitor list
IM user monitor list
NAC quarantine and the Banned User list
NAC quarantine and DLP
NAC quarantine and DLP replacement messages
Configuring NAC quarantine
The Banned User list
WAN optimization and web caching
Configuring WAN optimization
Moving a rule to a different position in the rule list
Configuring a WAN optimization rule
About WAN optimization addresses
Configuring WAN optimization peers
Configuring authentication groups
WAN optimization monitoring
Changing web cache settings
Endpoint NAC
Configuring Endpoint NAC overview
Configuring FortiClient installer download and version enforcement
Configuring application detection lists
Viewing the application list
Configuring Endpoint NAC profiles
Monitoring endpoints
Wireless Controller
Configuration overview
Enabling the wireless controller
Configuring FortiWiFi units as managed access points
Configuring a virtual wireless access point
Configuring a physical access point
Configuring DHCP for your wireless LAN
Configuring firewall policies for the wireless LAN
Monitoring wireless clients
Monitoring rogue APs
Log&Report
Configuring how a FortiGate unit stores logs
Remote logging to a FortiAnalyzer unit
Remote logging to the FortiGuard Analysis and Management Service
Remote logging to a Syslog server
Local logging to memory
Local logging to disk
Configuring Alert Email
Configuring Event logging
Data Leak Prevention log
Application Control log
Antivirus log
Web filter log
Spam filter log
Attack log (IPS)
Accessing and viewing log messages
Accessing logs stored in memory
Accessing logs stored on the hard disk
Accessing logs stored on the FortiAnalyzer unit
Accessing logs stored on the FortiGuard Analysis and Management Service
Customizing the display of log messages
Column settings
Filtering log messages
Viewing DLP Archives
Viewing the File Quarantine list
Configuring FortiAnalyzer report schedules
Viewing Executive Summary reports from SQL logs
Viewing FortiAnalyzer reports
Printing your FortiAnalyzer report
Viewing basic traffic reports
Log severity levels
Log types
Traffic log
Example configuration: logging all FortiGate traffic
Index
Introduction
Ranging from the FortiGate®-50 series for small businesses to the FortiGate-5000 series
for large enterprises, service providers and carriers, the FortiGate line combines the
FortiOS™ security operating system with FortiASIC™ processors and other hardware to
provide a high-performance array of security and networking functions including:
• firewall, VPN, and traffic shaping
• Intrusion Prevention system (IPS)
• antivirus/antispyware/antimalware
• web filtering
• antispam
• application control (for example, IM and P2P)
• VoIP support (H.323, SIP, and SCCP)
• Layer 2/3 routing
• multiple redundant WAN interface options
FortiGate appliances provide cost-effective, comprehensive protection against network,
content, and application-level threats, including complex attacks favored by
cybercriminals, without degrading network availability and uptime. FortiGate platforms
include sophisticated networking features, such as high availability (active/active,
active/passive) for maximum network uptime, and virtual domain capabilities to separate
various networks requiring different security policies.
This chapter contains the following sections:
• Fortinet products
• About this document
• Registering your Fortinet product
• Customer service and technical support
• Training
• Documentation
• Scope
• Conventions
Fortinet products
Fortinet's portfolio of security gateways and complementary products offers a powerful
blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly
updated, in-depth threat intelligence. This unique combination delivers network, content,
and application security for enterprises of all sizes, managed service providers, and
telecommunications carriers, while providing a flexible, scalable path for expansion. For
more information on the Fortinet product family, go to www.fortinet.com/products.
About this document
This FortiGate Version 4.0 MR1 Administration Guide provides detailed information for
system administrators about FortiGate™ web-based manager and FortiOS options and
how to use them. This guide also contains some information about the FortiGate CLI.
This section of the guide contains a brief explanation of the structure of the guide, and
gives an overview of each chapter.
The administration guide describes web-based manager functions in the same order as
the web-based manager (or GUI) menu. The document begins with several chapters that
provide an overview to help you start using the product: the FortiGate web-based
manager, System Status, Managing Firmware, and Using virtual domains. Following these
chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a
separate chapter. Then User, WAN optimization, Endpoint NAC, and Log&Report are all
described in single chapters. The document concludes with a detailed index.
VDOM and Global icons appear in this administration guide to indicate that a chapter or
section is part of either the VDOM or Global configuration. VDOM and Global
configuration settings apply only to a FortiGate unit operating with virtual domains
enabled. No distinction is made between these configuration settings when virtual
domains are not enabled.
The most recent version of this document is available from the FortiGate page of the
Fortinet Technical Documentation web site. The information in this document is also
available in a slightly different form as FortiGate web-based manager online help.
You can also find more information about FortiOS from the same FortiGate page, as well
as from the Fortinet Knowledge Base.
This administration guide contains the following chapters:
• What’s new in FortiOS Version 4.0 MR1 lists and describes some of the new features
and changes in FortiOS Version 4.0 MR1.
• Web-based manager introduces the features of the FortiGate web-based manager,
and explains how to connect to it. It also includes information about how to use the
web-based manager online help.
• System Status describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit including
serial number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics. You can also access the CLI from this page. This
section also describes status changes that you can make, including changing the unit
firmware, host name, and system time. Finally this section describes the topology
viewer that is available on all FortiGate models except those with model numbers 50
and 60.
• Managing firmware versions describes upgrading and managing firmware versions.
You should review this section before upgrading your FortiGate firmware because it
contains important information about how to properly back up your current
configuration settings and what to do if the upgrade is unsuccessful.
• Using virtual domains describes how to use virtual domains to operate your FortiGate
unit as multiple virtual FortiGate units, which effectively provides multiple separate
firewall and routing services to multiple networks.
• System Network explains how to configure physical and virtual interfaces and DNS
settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
• System DHCP explains how to configure a FortiGate interface as a DHCP server or
DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering,
configuring SNMP and replacement messages, and changing the operation mode.
• System Admin guides you through adding and editing administrator accounts, defining
admin profiles for administrators, configuring central management using the
FortiGuard Management Service or FortiManager, defining general administrative
settings such as language, timeouts, and web administration ports.
• System Certificates explains how to manage X.509 security certificates used by
various FortiGate features such as IPSec VPN and administrator authentication.
• System Maintenance details how to back up and restore the system configuration
using a management computer or a USB disk, use revision control, enable FortiGuard
services and FortiGuard Distribution Network (FDN) updates, and enter a license key
to increase the maximum number of virtual domains.
• Router Static explains how to define static routes and create route policies. A static
route causes packets to be forwarded to a destination other than the factory configured
default gateway.
• Router Dynamic explains how to configure dynamic protocols to route traffic through
large or complex networks.
• Router Monitor explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections and traffic
between FortiGate interfaces, zones, and VLAN subinterfaces. It also describes how to
add DoS policies to apply DoS sensors to network traffic and how to add sniffer policies
to operate the FortiGate unit as an IDS appliance by sniffing packets for attacks without
actually receiving and otherwise processing the packets.
• Firewall Address describes how to configure addresses and address groups for firewall
policies.
• Firewall Service describes available services and how to configure service groups for
firewall policies.
• Firewall Schedule describes how to configure one-time and recurring schedules for
firewall policies.
• Traffic Shaping describes how to create traffic shaping instances and add them to firewall
policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and IP
pools.
• Firewall Load Balance describes how to use FortiGuard load balancing to intercept
incoming traffic and balance it across available servers.
• Firewall Protection Profile describes how to configure protection profiles for firewall
policies.
• SIP support includes some high-level information about VoIP and SIP and describes
how FortiOS SIP support works and how to configure the key SIP features.
• AntiVirus explains how to enable antivirus options when you create a firewall protection
profile.
• Intrusion Protection explains how to configure IPS options when a firewall protection
profile is created.
• Web Filter explains how to configure web filter options when a firewall protection profile
is created.
• Email filtering explains how to configure email filter options when a firewall protection
profile is created.
• Data Leak Prevention explains how to use FortiGate data leak prevention to prevent
sensitive data from leaving your network.
• Application Control describes how to configure the application control options
associated with firewall protection profiles.
• IPSec VPN provides information about the tunnel-mode and route-based (interface
mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
• PPTP VPN explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients.
• SSL VPN provides information about basic SSL VPN settings.
• User describes how to control access to network resources through user
authentication.
• WAN optimization and web caching describes how to use FortiGate units to improve
performance and security of traffic passing between locations on your wide area
network (WAN) or over the Internet by applying WAN optimization and web caching.
• Endpoint NAC describes how to use FortiGate endpoint NAC to enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network.
• Wireless Controller describes how to configure a FortiGate unit to act as a wireless
network controller, managing the wireless Access Point (AP) functionality of FortiWiFi
units.
• Log&Report describes how to enable logging, view log files, and view the basic reports
available through the web-based manager.
Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical
Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Center article What does
Fortinet Technical Support require in order to best assist the customer?
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email them at
training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Base
The Fortinet Knowledge Center provides additional Fortinet technical documentation,
such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary,
and more. Visit the Fortinet Knowledge Center at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.
Scope
This document assumes you have already successfully installed a FortiGate unit by
following the instructions in the appropriate FortiGate Installation Guide.
At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiGate unit is integrated into your network.
• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have
been configured.
• Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
Once that basic installation is complete, you can use this document. This document
explains how to use the web-based manager to:
• maintain the FortiGate unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features
This document does not cover all commands for the command line interface (CLI). For
information on the CLI, see the FortiGate CLI Reference.
This document is intended for administrators, not end users.
Conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Notes, Tips and Cautions
Fortinet technical documentation uses the following guidance and styles for notes, tips
and cautions.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Note: Also presents useful information, but usually focused on an alternative, optional
method, such as a shortcut, to perform a step.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention | Example
Button, menu, text box, field, or check box label | From Minimum log level, select Notification.
CLI input* | config system dns
           | set primary <address_ipv4>
           | end
CLI output | FGT-602803030703 # get system settings
           | comments : (null)
           | opmode : nat
Emphasis | HTTP connections are not secure and can be intercepted by a third party.
File content | <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
             | <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink | Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry | Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation | Go to VPN > IPSEC > Auto Key (IKE).
Publication | For details, see the FortiGate Administration Guide.
* For conventions used to represent command syntax, see “Command syntax conventions” on
page 29.
Command syntax conventions
The command line interface (CLI) requires that you use valid syntax, and conform to
expected input constraints. It will reject invalid commands.
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable input values.
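The constraint notation can also be checked mechanically before a value is typed or scripted into the CLI. The following Python example is added here and is not part of the Fortinet guide: it fills <name_type> placeholders in a command template and refuses any value that does not fit the type suffix, for a subset of the data types listed in Table 2. The names render, VALIDATORS and PLACEHOLDER and the exact checks are assumptions of this example, not the validation rules that FortiOS itself applies.

```python
import ipaddress
import re

def _parses(cls, v):
    try:
        cls(v)
        return True
    except ValueError:
        return False

def _ipv4(v):
    return _parses(ipaddress.IPv4Address, v)

def _ipv6(v):  # plain colon-delimited form only; a "%scope" suffix is refused
    return "%" not in v and _parses(ipaddress.IPv6Address, v)

def _v4mask(v):  # dotted-decimal mask whose 1 bits are contiguous from the left
    if not _ipv4(v):
        return False
    inv = ~int(ipaddress.IPv4Address(v)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def _ipv4mask(v):
    addr, sep, mask = v.partition(" ")
    return sep == " " and _ipv4(addr) and _v4mask(mask)

def _ipv4_slash(v):
    addr, sep, bits = v.partition("/")
    return (sep == "/" and _ipv4(addr)
            and re.fullmatch(r"[0-9]{1,2}", bits) is not None and int(bits) <= 32)

# Suffix -> check for some of the guide's data types. The checks are this example's
# assumptions, not FortiOS's rules; each matches the whole value, so a line break fails.
VALIDATORS = {
    "ipv4": _ipv4, "ipv6": _ipv6, "v4mask": _v4mask,
    "ipv4mask": _ipv4mask, "ipv4/mask": _ipv4_slash,
    "int": lambda v: re.fullmatch(r"-?[0-9]+", v) is not None,
}
PLACEHOLDER = re.compile(r"<([^<>]+)_([^_<>]+)>")  # <name_type>

def render(template, values):
    """Replace each <name_type> with values[name] after checking its type."""
    def sub(m):
        name, kind = m.groups()
        check = VALIDATORS.get(kind)
        if check is None or not check(values[name]):
            raise ValueError(f"{values[name]!r} rejected for <{name}_{kind}>")
        return values[name]
    return PLACEHOLDER.sub(sub, template)
```

A suffix with no entry in VALIDATORS is rejected rather than passed through, so a template that uses an unchecked type fails before any command text is produced.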
Table 2: Command syntax notation
Convention Description
Square brackets [] A non-required word or series of words. For example:
[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and
its accompanying option, such as:
verbose 3
Angle brackets <> A word constrained by data type.
To define acceptable input, the angled brackets contain a descriptive
name followed by an underscore ( _ ) and suffix that indicates the
valid data type. For example:
<retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
• <xxx_name>: A name referring to another part of the
configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards
that matches possible variations, such as *@example.com to
match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
• <xxx_email>: An email address, such as
admin@mail.example.com.
• <xxx_url>: A uniform resource locator (URL) and its associated
protocol and host name prefix, which together form a uniform
resource identifier (URI), such as
http://www.fortinet.com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as
192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation
netmask separated by a slash, such as
192.168.1.99/24.
• <xxx_ipv6>: A colon (:)-delimited hexadecimal IPv6 address,
such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a
space.
• <xxx_str>: A string of characters that is not another data type,
such as P@ssw0rd. Strings containing spaces or special
characters must be surrounded in quotes or use escape
sequences.
• <xxx_int>: An integer number that is not another data type,
such as 15 for the number of minutes.
Curly braces {} A word or series of words that is constrained to a set of options
delimited by either vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].