Fortinet FortiGate-5003, FortiGate-5001FA2, FortiGate-5001, FortiGate-5001SX, FortiGate-5002FB2 Administration Manual

FortiGate 5000 series

[Cover illustration: FortiGate-5000 series chassis front panel, showing the ShMC, PWRACC, CONSOLE, USB, MANAGEMENT, SYSTEM, RS232, ZRE0/ZRE1/ZRE2 and E1/E2 ports; STA/IPM, OK/CLK, INT/EXT and FLT LEDs; HOT SWAP, RESET and LED MODE controls; ALARMS panel (CRITICAL, MAJOR, MINOR, ALARM RESET, STATUS); and PSU A / PSU B POWER ON indicators]

Administration Guide
FortiGate-5000 series Administration Guide
Version 2.80 MR8
4 February 2005
01-28008-0013-20050204
© Copyright 2005 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Table of Contents
Introduction.......................................................................................................... 13
About FortiGate Antivirus Firewalls................................................................................... 13
Antivirus protection ....................................................................................................... 14
Web content filtering ..................................................................................................... 15
Spam filtering ................................................................................................................ 15
Firewall.......................................................................................................................... 16
VLANs and virtual domains........................................................................................... 17
Intrusion Prevention System (IPS)................................................................................ 17
VPN............................................................................................................................... 17
High availability ............................................................................................................. 18
Secure installation, configuration, and management .................................................... 19
Document conventions ..................................................................................................... 20
FortiGate documentation .................................................................................................. 21
Fortinet Knowledge Center ........................................................................................... 22
Comments on Fortinet technical documentation........................................................... 22
Related documentation ..................................................................................................... 22
FortiManager documentation ........................................................................................ 22
FortiClient documentation ............................................................................................. 23
FortiMail documentation................................................................................................ 23
FortiLog documentation ................................................................................................ 23
Customer service and technical support........................................................................... 24
Web-based manager............................................................................................ 25
Button bar features ........................................................................................................... 26
Contact Customer Support ........................................................................................... 26
Online Help ................................................................................................................... 27
Easy Setup Wizard ....................................................................................................... 27
Console Access ............................................................................................................ 28
Logout ........................................................................................................................... 28
Web-based manager pages.............................................................................................. 29
Web-based manager menu .......................................................................................... 29
Lists............................................................................................................................... 30
Icons ............................................................................................................................. 30
Status bar...................................................................................................................... 31
Organization of this manual .............................................................................................. 32
System Status ...................................................................................................... 33
Status................................................................................................................................ 33
Viewing system status .................................................................................................. 34
Changing unit information ............................................................................................. 37
Session list........................................................................................................................ 39
Changing the FortiGate firmware...................................................................................... 40
Upgrading to a new firmware version ........................................................................... 41
Reverting to a previous firmware version...................................................................... 43
Installing firmware images from a system reboot using the CLI ................................... 45
Testing a new firmware image before installing it ......................................................... 48
Installing and using a backup firmware image .............................................................. 51
System Network................................................................................................... 55
Interface............................................................................................................................ 55
Interface settings........................................................................................................... 56
Configuring interfaces ................................................................................................... 61
Zone.................................................................................................................................. 66
Zone settings ................................................................................................................ 66
Management..................................................................................................................... 67
DNS .................................................................................................................................. 68
Routing table (Transparent Mode).................................................................................... 69
Routing table list ........................................................................................................... 69
Transparent mode route settings .................................................................................. 70
VLAN overview ................................................................................................................. 70
FortiGate units and VLANs ........................................................................................... 71
VLANs in NAT/Route mode .............................................................................................. 71
Rules for VLAN IDs....................................................................................................... 72
Rules for VLAN IP addresses ....................................................................................... 72
Adding VLAN subinterfaces .......................................................................................... 73
VLANs in Transparent mode............................................................................................. 74
Rules for VLAN IDs....................................................................................................... 76
Transparent mode virtual domains and VLANs ............................................................ 76
Transparent mode VLAN list......................................................................................... 76
Transparent mode VLAN settings................................................................................. 76
FortiGate IPv6 support...................................................................................................... 78
System DHCP ....................................................................................................... 79
Service.............................................................................................................................. 79
DHCP service settings .................................................................................................. 80
Server ............................................................................................................................... 81
DHCP server settings ................................................................................................... 82
Exclude range................................................................................................................... 83
DHCP exclude range settings....................................................................................... 84
IP/MAC binding................................................................................................................. 84
DHCP IP/MAC binding settings .................................................................................... 85
Dynamic IP........................................................................................................................ 85
System Config...................................................................................................... 87
System time ...................................................................................................................... 87
Options.............................................................................................................................. 88
HA..................................................................................................................................... 90
HA overview.................................................................................................................. 90
HA configuration ........................................................................................................... 92
Configuring an HA cluster ............................................................................................. 98
Managing an HA cluster.............................................................................................. 102
SNMP.............................................................................................................................. 105
Configuring SNMP ...................................................................................................... 106
SNMP community ....................................................................................................... 107
FortiGate MIBs............................................................................................................ 109
FortiGate traps ............................................................................................................ 110
Fortinet MIB fields ....................................................................................................... 112
Replacement messages ................................................................................................. 114
Replacement messages list ........................................................................................ 115
Changing replacement messages .............................................................................. 116
FortiManager................................................................................................................... 117
System Admin .................................................................................................... 119
Administrators................................................................................................................. 121
Administrators list........................................................................................................ 121
Administrators options ................................................................................................ 121
Access profiles................................................................................................................ 123
Access profile list ........................................................................................................ 123
Access profile options ................................................................................................. 124
System Maintenance ......................................................................................... 125
Backup and restore......................................................................................................... 125
Backing up and Restoring........................................................................................... 126
Update center ................................................................................................................. 128
Updating antivirus and attack definitions .................................................................... 130
Enabling push updates ............................................................................................... 133
Support ........................................................................................................................... 135
Sending a bug report .................................................................................................. 136
Registering a FortiGate unit ........................................................................................ 137
Shutdown........................................................................................................................ 139
System Virtual Domain...................................................................................... 141
Virtual domain properties................................................................................................ 142
Exclusive virtual domain properties ............................................................................ 142
Shared configuration settings ..................................................................................... 143
Administration and management ................................................................................ 144
Virtual domains ............................................................................................................... 144
Adding a virtual domain .............................................................................................. 145
Selecting a virtual domain........................................................................................... 145
Selecting a management virtual domain..................................................................... 145
Configuring virtual domains ............................................................................................ 146
Adding interfaces, VLAN subinterfaces, and zones to a virtual domain ..................... 146
Configuring routing for a virtual domain ...................................................................... 148
Configuring firewall policies for a virtual domain......................................................... 148
Configuring IPSec VPN for a virtual domain ............................................................... 150
Router ................................................................................................................. 151
Static............................................................................................................................... 151
Static route list ............................................................................................................ 153
Static route options ..................................................................................................... 154
Policy .............................................................................................................................. 155
Policy route list............................................................................................................ 155
Policy route options..................................................................................................... 156
RIP.................................................................................................................................. 156
General ....................................................................................................................... 157
Networks list................................................................................................................ 158
Networks options ........................................................................................................ 159
Interface list................................................................................................................. 159
Interface options ......................................................................................................... 160
Distribute list ............................................................................................................... 161
Distribute list options................................................................................................... 162
Offset list ..................................................................................................................... 163
Offset list options ........................................................................................................ 163
Router objects................................................................................................................. 164
Access list ................................................................................................................... 164
New access list ........................................................................................................... 165
New access list entry .................................................................................................. 165
Prefix list ..................................................................................................................... 166
New Prefix list ............................................................................................................. 166
New prefix list entry..................................................................................................... 167
Route-map list............................................................................................................. 167
New Route-map .......................................................................................................... 168
Route-map list entry.................................................................................................... 169
Key chain list............................................................................................................... 170
New key chain............................................................................................................. 170
Key chain list entry...................................................................................................... 171
Monitor............................................................................................................................ 172
Routing monitor list ..................................................................................................... 172
CLI configuration............................................................................................................. 173
get router info ospf ...................................................................................................... 173
get router info protocols .............................................................................................. 173
get router info rip......................................................................................................... 174
config router ospf ....................................................................................................... 174
config router static6..................................................................................................... 197
Firewall................................................................................................................ 199
Policy .............................................................................................................................. 200
How policy matching works......................................................................................... 200
Policy list ..................................................................................................................... 200
Policy options.............................................................................................................. 202
Advanced policy options ............................................................................................. 204
Configuring firewall policies ........................................................................................ 207
Policy CLI configuration .............................................................................................. 208
Address........................................................................................................................... 209
Address list ................................................................................................................. 210
Address options .......................................................................................................... 210
Configuring addresses ................................................................................................ 211
Address group list ....................................................................................................... 212
Address group options ................................................................................................ 212
Configuring address groups........................................................................................ 213
Service............................................................................................................................ 213
Predefined service list................................................................................................. 214
Custom service list...................................................................................................... 217
Custom service options............................................................................................... 217
Configuring custom services....................................................................................... 219
Service group list ........................................................................................................ 220
Service group options ................................................................................................. 220
Configuring service groups ......................................................................................... 221
Schedule......................................................................................................................... 221
One-time schedule list ................................................................................................ 222
One-time schedule options ......................................................................................... 222
Configuring one-time schedules ................................................................................. 223
Recurring schedule list................................................................................................ 223
Recurring schedule options ........................................................................................ 224
Configuring recurring schedules ................................................................................. 224
Virtual IP ......................................................................................................................... 225
Virtual IP list ................................................................................................................ 226
Virtual IP options......................................................................................................... 226
Configuring virtual IPs................................................................................................. 227
IP pool............................................................................................................................. 229
IP pool list ................................................................................................................... 230
IP pool options ............................................................................................................ 230
Configuring IP pools.................................................................................................... 231
IP Pools for firewall policies that use fixed ports ......................................................... 231
IP pools and dynamic NAT ......................................................................................... 232
Protection profile............................................................................................................. 232
Protection profile list.................................................................................................... 233
Default protection profiles ........................................................................................... 233
Protection profile options ............................................................................................ 234
Configuring protection profiles .................................................................................... 239
Profile CLI configuration.............................................................................................. 240
User..................................................................................................................... 243
Setting authentication timeout......................................................................................... 244
Local ............................................................................................................................... 244
Local user list .............................................................................................................. 244
Local user options....................................................................................................... 244
RADIUS .......................................................................................................................... 245
RADIUS server list ...................................................................................................... 245
RADIUS server options............................................................................................... 246
LDAP............................................................................................................................... 246
LDAP server list .......................................................................................................... 247
LDAP server options ................................................................................................... 247
User group ...................................................................................................................... 249
User group list............................................................................................................. 249
User group options...................................................................................................... 250
CLI configuration............................................................................................................. 251
peer............................................................................................................................. 251
peergrp........................................................................................................................ 252
VPN...................................................................................................................... 255
Phase 1........................................................................................................................... 256
Phase 1 list ................................................................................................................. 256
Phase 1 basic settings ................................................................................................ 257
Phase 1 advanced settings......................................................................................... 259
Phase 2........................................................................................................................... 260
Phase 2 list ................................................................................................................. 261
Phase 2 basic settings ................................................................................................ 261
Phase 2 advanced options.......................................................................................... 262
Manual key...................................................................................................................... 263
Manual key list ............................................................................................................ 264
Manual key options ..................................................................................................... 264
Concentrator ................................................................................................................... 266
Concentrator list.......................................................................................................... 266
Concentrator options................................................................................................... 267
Ping Generator................................................................................................................ 267
Ping generator options................................................................................................ 268
Monitor............................................................................................................................ 268
Dialup monitor............................................................................................................. 269
Static IP and dynamic DNS monitor............................................................................ 269
PPTP............................................................................................................................... 270
PPTP range ................................................................................................................ 270
L2TP .............................................................................................................................. 271
L2TP range ................................................................................................................. 271
Certificates...................................................................................................................... 272
Local certificate list...................................................................................................... 272
Certificate request....................................................................................................... 273
Importing signed certificates ...................................................................................... 274
CA certificate list ......................................................................................................... 275
Importing CA certificates............................................................................................. 275
VPN configuration procedures........................................................................................ 276
IPSec configuration procedures.................................................................................. 276
PPTP configuration procedures .................................................................................. 278
L2TP configuration procedures................................................................................... 278
CLI configuration............................................................................................................. 279
ipsec phase1............................................................................................................... 279
ipsec phase2............................................................................................................... 281
ipsec vip ...................................................................................................................... 281
IPS ....................................................................................................................... 285
Signature......................................................................................................................... 286
Predefined................................................................................................................... 286
Custom........................................................................................................................ 290
Anomaly.......................................................................................................................... 292
Anomaly CLI configuration.......................................................................................... 295
Configuring IPS logging and alert email.......................................................................... 296
Default fail open setting .................................................................................................. 296
Antivirus ............................................................................................................. 297
File block......................................................................................................................... 298
File block list ............................................................................................................... 299
Configuring the file block list ....................................................................................... 300
Quarantine ...................................................................................................................... 300
Quarantined files list ................................................................................................... 300
Quarantined files list options....................................................................................... 301
AutoSubmit list ............................................................................................................ 302
AutoSubmit list options ............................................................................................... 302
Configuring the AutoSubmit list................................................................................... 302
Config.......................................................................................................................... 303
Config.............................................................................................................................. 304
Virus list ...................................................................................................................... 304
Config.......................................................................................................................... 304
Grayware .................................................................................................................... 305
Grayware options........................................................................................................ 305
CLI configuration............................................................................................................. 307
system global av_failopen........................................................................................... 307
system global optimize................................................................................................ 308
config antivirus heuristic.............................................................................................. 308
config antivirus quarantine .......................................................................................... 309
config antivirus service http......................................................................................... 310
config antivirus service ftp........................................................................................... 311
config antivirus service pop3....................................................................................... 313
config antivirus service imap....................................................................................... 315
config antivirus service smtp....................................................................................... 316
Web filter............................................................................................................. 319
Content block.................................................................................................................. 321
Web content block list ................................................................................................. 321
Web content block options.......................................................................................... 321
Configuring the web content block list ........................................................................ 322
URL block ....................................................................................................................... 322
Web URL block list...................................................................................................... 323
Web URL block options .............................................................................................. 323
Configuring the web URL block list ............................................................................. 324
Web pattern block list.................................................................................................. 324
Web pattern block options .......................................................................................... 325
Configuring web pattern block .................................................................................... 325
URL exempt.................................................................................................................... 325
URL exempt list........................................................................................................... 326
URL exempt list options .............................................................................................. 326
Configuring URL exempt............................................................................................. 326
Category block................................................................................................................ 327
FortiGuard managed web filtering service .................................................................. 327
Category block configuration options.......................................................................... 328
Configuring web category block.................................................................................. 329
Category block reports................................................................................................ 329
Category block reports options ................................................................................... 330
Generating a category block report............................................................................. 330
Category block CLI configuration................................................................................ 330
Script filter....................................................................................................................... 331
Web script filter options............................................................................................... 332
Spam filter .......................................................................................................... 333
FortiShield....................................................................................................................... 335
FortiShield Spam filtering............................................................................................ 335
FortiShield options ...................................................................................................... 337
Configuring the FortiShield cache............................................................................... 337
FortiShield CLI configuration....................................................................................... 338
IP address....................................................................................................................... 339
IP address list ............................................................................................................. 339
IP address options ...................................................................................................... 339
Configuring the IP address list .................................................................................... 339
DNSBL & ORDBL ........................................................................................................... 340
DNSBL & ORDBL list.................................................................................................. 341
DNSBL & ORDBL options........................................................................................... 341
Configuring the DNSBL & ORDBL list ........................................................................ 341
Email address ................................................................................................................. 342
Email address list........................................................................................................ 342
Email address options................................................................................................. 342
Configuring the email address list............................................................................... 342
MIME headers................................................................................................................. 343
MIME headers list ....................................................................................................... 344
MIME headers options ................................................................................................ 344
Configuring the MIME headers list.............................................................................. 345
Banned word................................................................................................................... 345
Banned word list ......................................................................................................... 346
Banned word options .................................................................................................. 346
Configuring the banned word list ................................................................................ 347
Using Perl regular expressions....................................................................................... 347
Log & Report ...................................................................................................... 351
Log config ....................................................................................................................... 352
Log Setting options ..................................................................................................... 352
Alert E-mail options..................................................................................................... 356
Log filter options.......................................................................................................... 357
Configuring log filters .................................................................................................. 360
Enabling traffic logging................................................................................................ 360
Log access...................................................................................................................... 361
Disk log file access ..................................................................................................... 361
Viewing log messages ................................................................................................ 362
Searching log messages............................................................................................. 365
CLI configuration............................................................................................................. 366
fortilog setting.............................................................................................................. 366
syslogd setting ............................................................................................................ 367
FortiGuard categories ....................................................................................... 371
Glossary ............................................................................................................. 377
Index .................................................................................................................... 383
Introduction
FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
This chapter introduces you to FortiGate Antivirus Firewalls and the following topics:
About FortiGate Antivirus Firewalls
Document conventions
FortiGate documentation
Related documentation
Customer service and technical support
About FortiGate Antivirus Firewalls
The FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities, including:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.
[Figure: FortiGate-5000 series chassis; panel labels USB, CONSOLE, PWR ACC, PSU A, PSU B, STA IPM]
The FortiGate-5000 series Antivirus Firewalls are chassis-based systems that broadband service providers can use to provide subscriber security services such as firewall, VPN, antivirus protection, spam filtering, web filtering and intrusion prevention (IPS). The wide variety of system configurations available with FortiGate-5000 series provides flexibility to meet the changing needs of growing high performance networks. The FortiGate-5000 series chassis support multiple hot-swappable FortiGate-5001 modules and power supplies.
Each FortiGate-5000 series system can support two or more FortiGate-5001 modules. Each FortiGate-5001 module is a standalone high-performance antivirus firewall that supports high-end features including 802.1Q VLANs and multiple virtual domains. Two or more FortiGate-5001 modules also support stateful failover HA. Each FortiGate-5001 module includes four Gigabit fibre interfaces and four Gigabit Ethernet interfaces.
The FortiGate-5020 system, the first in the FortiGate-5000 series, scales from 1 to 2 FortiGate-5001 modules, enabling customers to add incremental performance and to operate the FortiGate-5020 in HA mode.
Antivirus protection
FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. FortiGate antivirus protection uses pattern matching and heuristics to find viruses. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.
For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiGate unit. You can use the feature to stop files that might contain new viruses.
FortiGate antivirus protection can also identify and remove known grayware programs. Grayware programs are usually unsolicited commercial software programs that get installed on PCs, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious means.
If the FortiGate unit contains a hard disk, infected or blocked files and grayware files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time.
The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in email that has been encoded using uuencode format,
detect viruses in email that has been encoded using MIME encoding,
log all actions taken while scanning.
Web content filtering
FortiGate web content filtering can scan all HTTP content protocol streams for URLs, URL patterns, and web page content. If there is a match between a URL on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
FortiGate web content filtering also supports FortiGuard web category blocking. Using web category blocking you can restrict or allow access to web pages based on content ratings of web pages.
You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists. Web traffic from addresses on the exempt list is also exempt from virus scanning.
Web content filtering also includes a script filter feature that can block insecure web content such as Java applets, cookies, and ActiveX.
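The decision order described above (exempt list first, then URL block list, then content block list), written out as an added Python model. This is an illustration for this guide, not Fortinet's code; the list formats, the `evaluate` function and the sample lists are assumptions, and the URL entries follow the "block all or some of the pages on a web site" rule as a host plus an optional path prefix.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Decision:
    action: str       # "allow" or "block"
    reason: str       # which list entry produced the decision
    virus_scan: bool  # False only when the exempt list bypasses antivirus scanning


def _url_matches(url: str, entry: str) -> bool:
    """An entry 'host' matches every page on that site; 'host/path' matches
    that page and everything beneath it, so part of a site can be blocked
    without blocking the whole site."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    entry_host, _, entry_path = entry.partition("/")
    if host != entry_host.lower():
        return False
    if not entry_path:
        return True                       # whole-site entry
    entry_path = "/" + entry_path.rstrip("/")
    return path == entry_path or path.startswith(entry_path + "/")


def evaluate(url: str, page_text: str, url_block: list, content_block: list,
             url_exempt: list) -> Decision:
    """Apply the lists in the precedence the guide describes."""
    # 1. The exempt list overrides both block lists and skips virus scanning.
    for entry in url_exempt:
        if _url_matches(url, entry):
            return Decision("allow", f"exempt:{entry}", virus_scan=False)
    # 2. A URL block list match blocks the page regardless of its content.
    for entry in url_block:
        if _url_matches(url, entry):
            return Decision("block", f"url:{entry}", virus_scan=True)
    # 3. A banned word or phrase (case-insensitive) in the page blocks it.
    lowered = page_text.lower()
    for phrase in content_block:
        if phrase.lower() in lowered:
            return Decision("block", f"content:{phrase}", virus_scan=True)
    return Decision("allow", "no match", virus_scan=True)


if __name__ == "__main__":
    # Constructed sample lists and requests; hosts use reserved .test names.
    url_block = ["badsite.test", "example.test/games"]
    content_block = ["free prize"]
    url_exempt = ["badsite.test/support"]
    samples = [
        ("http://example.test/games/tetris.html", "Play now"),
        ("http://example.test/news", "Headlines"),
        ("http://badsite.test/support", "Contact us"),
        ("http://ok.test/", "You have won a FREE PRIZE"),
    ]
    for url, text in samples:
        print(url, "->", evaluate(url, text, url_block, content_block, url_exempt))
```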
Spam filtering
FortiGate spam filtering can scan all POP3, SMTP, and IMAP email content for spam. You can configure spam filtering to filter mail according to IP address, email address, MIME headers, and content. Mail messages can be identified as spam or clear.
FortiShield is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam. The URL black list contains URLs of websites found in spam email.
You can also add the names of known third-party DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers. These services contain lists of known spam sources.
If an email message is found to be spam, the FortiGate unit adds an email tag to the subject line of the email. The recipient can use their mail client software to filter messages based on the email tag. Spam filtering can also be configured to delete SMTP email messages identified as spam.
Firewall
The FortiGate ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network Address Translation (NAT) mode and Route mode policies,
include mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed.
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address translation.
Transparent mode
In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to provide antivirus and content filtering behind an existing firewall solution.
Transparent mode provides the same basic firewall protection as NAT mode. The FortiGate unit passes or blocks the packets it receives according to firewall policies. The FortiGate unit can be inserted in the network at any point without having to make changes to your network or its components. However, some advanced firewall features are available only in NAT/Route mode.
VLANs and virtual domains
FortiGate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiGate unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain. The FortiGate unit can also apply authentication, content filtering, and antivirus protection to VLAN-tagged network and VPN traffic.
The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In NAT/Route mode, you add VLAN subinterfaces to receive and send VLAN packets.
FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configuration for each virtual domain separately. For these configuration settings, each virtual domain is functionally similar to a single FortiGate unit. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time.
Intrusion Prevention System (IPS)
The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. Both the IPS predefined signatures and the IPS engine are upgradeable through the FortiProtect Distribution Network (FDN). You can also create custom signatures.
VPN
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
FortiGate VPN features include the following:
Industry standard and ICSA-certified IPSec VPN, including:
IPSec VPN in NAT/Route and Transparent mode,
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key based on pre-shared key tunnels,
IPSec VPN using local or CA certificates,
Manual Keys tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection,
DHCP over IPSec,
Secure Internet browsing.
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must be running the same FortiOS firmware image.
FortiGate HA supports link redundancy and device redundancy.
FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic.
Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.
Secure installation, configuration, and management
The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiGate features.
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. Because HTTP sends the administrator login in cleartext, use HTTPS on any interface reachable from an untrusted network. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
You can use the web-based manager to configure most FortiGate settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. Telnet sends the login and every command in cleartext, so enable only SSH (not Telnet) on interfaces exposed to the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.
This Administration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiGate CLI, see the FortiGate CLI Reference Guide.
Logging and reporting
The FortiGate unit supports logging for various categories of traffic and configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic that was permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the IPS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGate units to log the most recent events and attacks detected by the IPS to the system memory.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
Angle brackets < > to indicate variables. For example:
execute restore config <filename_str>
You enter:
execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns.
<xxx_integer> indicates an integer string that is a decimal (base 10) number.
<xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters A-F.
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.
<xxx_ipv6> indicates an IPv6 address.
<xxx_v6mask> indicates an IPv6 netmask.
<xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
Square brackets [ ] to indicate that a keyword or variable is optional. For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.
A space to separate options that can be entered in any combination and must be separated by spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
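The conventions above matter most when hardening management access: because a space-separated list such as set allowaccess replaces the previous list rather than amending it, an administrator who retypes the list without https or ssh locks themselves out of remote management, while one who forgets to drop http and telnet leaves cleartext logins enabled. The following Python block is an added example, not FortiGate code: it checks values against the variable conventions described above (<xxx_str>, <xxx_integer>, <xxx_octet>, <xxx_ipv4>, <xxx_v4mask>, <xxx_ipv4mask>) and builds the complete replacement allowaccess line for a planned change. The lockout rule, the list of cleartext options and the sample interface settings are this example's own assumptions.

```python
"""Checks for the FortiGate CLI argument conventions described above, plus a
builder for space-separated option lists that must be retyped in full.
Added example; not FortiGate code. The lockout rule and the classification
of options are this example's own assumptions."""
import ipaddress
import re

# Options the guide's `set allowaccess` example accepts.
ALLOWACCESS_OPTIONS = {"ping", "https", "ssh", "snmp", "http", "telnet"}
CLEARTEXT_OPTIONS = {"http", "telnet"}   # carry the admin login unprotected
SECURE_MGMT = {"https", "ssh"}           # at least one must survive any change


def is_str(value):
    """<xxx_str>: ASCII with no new-lines or carriage returns."""
    return value.isascii() and "\n" not in value and "\r" not in value


def is_integer(value):
    """<xxx_integer>: decimal digits only."""
    return re.fullmatch(r"[0-9]+", value) is not None


def is_octet(value):
    """<xxx_octet>: hexadecimal digits 0-9 and A-F."""
    return re.fullmatch(r"[0-9A-Fa-f]+", value) is not None


def is_ipv4(value):
    """<xxx_ipv4>: dotted decimal IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_v4mask(value):
    """<xxx_v4mask>: dotted decimal netmask whose one bits are contiguous."""
    if not is_ipv4(value):
        return False
    inverted = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    # The inverted mask must be of the form 0...01...1 (zero is allowed).
    return inverted & (inverted + 1) == 0


def is_ipv4mask(value):
    """<xxx_ipv4mask>: an IPv4 address, a space, then an IPv4 netmask."""
    parts = value.split()
    return len(parts) == 2 and is_ipv4(parts[0]) and is_v4mask(parts[1])


def check_allowaccess(options):
    """Return a list of problems with a proposed full allowaccess list."""
    options = set(options)
    problems = []
    unknown = options - ALLOWACCESS_OPTIONS
    if unknown:
        problems.append(f"unknown option(s): {sorted(unknown)}")
    if not options & SECURE_MGMT:
        problems.append("no HTTPS or SSH access remains")
    return problems


def allowaccess_command(current, add=(), remove=()):
    """Build the complete `set allowaccess ...` line that results from adding
    and removing options; the new list replaces the old one outright.
    Raises ValueError instead of emitting a line that would lock the
    administrator out of remote management."""
    wanted = (set(current) | set(add)) - set(remove)
    problems = check_allowaccess(wanted)
    if problems:
        raise ValueError("; ".join(problems))
    return "set allowaccess " + " ".join(sorted(wanted))


def cleartext_options(current):
    """Options in the current list that should go on an untrusted interface."""
    return sorted(set(current) & CLEARTEXT_OPTIONS)


if __name__ == "__main__":
    # Constructed: an interface currently permitting every management protocol.
    current = ["ping", "https", "ssh", "snmp", "http", "telnet"]
    print("cleartext on this interface:", cleartext_options(current))
    print(allowaccess_command(current, remove=cleartext_options(current)))
    print("192.168.1.99 255.255.255.0 valid <xxx_ipv4mask>?",
          is_ipv4mask("192.168.1.99 255.255.255.0"))
```

Run it against the list you read back from the unit before typing the change; the generated line already contains every option you intend to keep, which is exactly what the retype-the-whole-list rule requires.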
FortiGate documentation
Information about FortiGate products is available from the following guides:
FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
FortiGate online help
Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
FortiGate CLI Reference Guide
Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
FortiGate Log Message Reference Guide
Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
FortiGate High Availability Guide
Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
FortiGate IPS Guide
Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
FortiGate VPN Guide
Explains how to configure VPNs using the web-based manager.
Fortinet Knowledge Center
The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Related documentation
Additional information about Fortinet products is available from the following related documentation.
FortiManager documentation
FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.
FortiClient documentation
FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient software.
FortiMail documentation
FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit; create profiles and policies; configure antispam and antivirus filters; create user accounts; and set up logging and reporting.
FortiMail online help
Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to send and receive email; how to add, import, and export addresses; and how to configure message display preferences.
FortiLog documentation
FortiLog Administration Guide
Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
FortiLog online help
Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet Technical Support web site at http://support.fortinet.com.
You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time.
Technical support is available through email from any of the following addresses. Choose the email address for your region:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information about our priority support hotline (live support), see http://support.fortinet.com.
When requesting technical support, please provide the following information:
your name
your company’s name and location
your email address
your telephone number
your support contract number (if applicable)
the product name and model number
the product serial number (if applicable)
the software or firmware version number
a detailed description of the problem
FortiGate-5000 series Administration Guide Version 2.80 MR8
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
Figure 1: Web-based manager screen
You can use the web-based manager to configure most FortiGate settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can back it up. The saved configuration can be restored at any time.
For information about connecting to the web-based manager, see “Connecting to the web-based manager” in the Installation Guide for your unit.
This chapter includes:
Button bar features
Web-based manager pages
Button bar features
The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.
Figure 2: Web-based manager button bar (Contact Customer Support, Online Help, Easy Setup Wizard, Console Access, Logout)
Contact Customer Support
The Contact Customer Support button opens the Fortinet support web page in a new browser window. From this page you can
Register your FortiGate unit (Product Registration). Fortinet will email you your username and password to log in to the customer support center.
Log in to the Customer Support Center.
Visit the FortiProtect Center.
Download virus and attack definition updates.
Find out about training and certification programs.
Read about Fortinet and its products.
Online Help
The Online Help button opens web-based help for the current web-based manager page. There are hyperlinks to related topics and procedures related to the controls on the current web-based manager page.
Figure 3: Online Help window
You can view other parts of the help system as you like. The help system includes a navigation pane with table of contents, index and a text search function.
Easy Setup Wizard
The FortiGate setup wizard provides an easy way to configure basic initial settings for the FortiGate unit. The wizard walks through the configuration of a new administrator password, FortiGate interfaces, DHCP server settings, internal servers (web, FTP, etc.), and basic antivirus settings. For detailed instructions on the initial setup of your FortiGate unit, see the Installation Guide for your unit.
Console Access
An alternative to the web-based manager user interface is the text-based command line interface (CLI). There are some options that are configurable only from the CLI.
The Console Access button opens a Java-based terminal application. The management computer must have Java version 1.3 or higher installed.
For information on how to use the CLI, see the FortiGate CLI Reference Guide.
Figure 4: Console access
Connect Connect to the FortiGate unit using the CLI.
Disconnect Disconnect from the FortiGate unit.
Clear screen Clear the screen.
Logout
The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires, and the administrative session stays usable from that browser for the whole of that period.
Web-based manager pages
The web-based manager interface consists of a menu and pages, many of which have multiple tabs. When you select a menu item, such as System, it expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab.
The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, like this:
1 Go to System > Network > Interface.
Figure 5: Parts of the web-based manager (web-based manager menu, tabs, page, button bar, status bar)
The menu provides access to configuration options for all major features of the FortiGate unit.
System Configure system facilities, such as network interfaces, virtual domains, DHCP services, time and set system options.
Router Configure the router.
Firewall Configure firewall policies and protection profiles that apply the network protection features. Also configure virtual IP addresses and IP pools.
User Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers.
VPN Configure virtual private networks.
IPS Configure the intrusion prevention system.
Antivirus Configure antivirus protection.
Web Filter Configure web filtering.
Spam Filter Configure email spam filtering.
Log & Report Configure logging. View log messages.
Lists
Many of the web-based manager pages are lists. There are lists of network interfaces, firewall policies, administrators, users, and so on.
Figure 6: Example of a web-based manager list (Delete and Edit icons in the rightmost column)
The list shows some information about each item and the icons in the rightmost column enable you to take action on the item. In this example, you can select Delete to remove the item or select Edit to modify the item.
To add another item to the list, you select Create New. This opens a dialog box in which you define the new item. The dialog box for creating a new item is similar to the one for editing an existing item.
Icons
The web-based manager has icons in addition to buttons to enable you to interact with the system. There are tooltips to assist you in understanding the function of the icon. Pause the mouse pointer over the icon to view the tooltip. The following table describes the icons that you will see in the web-based manager.
Icon Name Description
Change Password Change the administrator password. This icon appears in the Administrators list if your access profile enables write permission on Admin Users.
Clear Clear a log file.
Column Settings Select log columns to display.
Delete Delete an item. This icon appears in lists where the item is deletable and you have write permission on the page.
Download or Backup Download a log file or back up a configuration file.
Edit Edit a configuration. This icon appears in lists where you have write permission on the page.
Go Do a search.
Insert Policy before Create a new policy to precede the current one.
Move to Move item in list.
Next page View next page of list.
Previous page View previous page of list.
Restore Restore a configuration from a file.
View View a configuration. This icon appears in lists instead of the Edit icon when you do not have write permission on that page.
Status bar
The status bar is at the bottom of the web-based manager screen.
Figure 7: Status bar
The status bar shows
how long the FortiGate unit has been operating since the last time it was restarted
the virtual domain to which the current page applies. Virtual domain information is not shown if there is only one virtual domain. For information about virtual domains, see “System Virtual Domain” on page 141.
Organization of this manual
This manual describes the web-based manager pages in the same order as the web­based manager menu. There is a chapter for each item in the System menu, followed by a chapter for each of the remaining top-level menu items.
System Status
System Network
System DHCP
System Config
System Admin
System Maintenance
System Virtual Domain
Router
Firewall
User
VPN
IPS
Antivirus
Web filter
Spam filter
Log & Report
FortiGuard categories
System Status
You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log.
This chapter includes:
Status
Session list
Changing the FortiGate firmware
Status
View the system status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. All FortiGate administrators with read access to system configuration can view system status information.
On HA clusters, the Status page shows the status of the primary unit. To view status information for all members of the cluster, go to System > Config > HA and select Cluster Members. For more information, see “HA configuration” on page 92.
FortiGate administrators whose access profiles contain system configuration write privileges can change or update FortiGate unit information. For information on access profiles, see “Access profiles” on page 123.
Viewing system status
Changing unit information
Viewing system status
Figure 8: System status
Automatic Refresh Interval Select to control how often the web-based manager updates the system status display.
Go Select to set the selected automatic refresh interval.
Refresh Select to manually update the system status display.
System status
UP Time The time in days, hours, and minutes since the FortiGate unit was last started.
System Time The current time according to the FortiGate unit internal clock.
Log Disk Displays hard disk capacity and free space if the FortiGate unit contains a hard disk or Not Available if no hard disk is installed. The FortiGate unit uses the hard disk to store log messages and quarantine files infected with a virus or blocked by antivirus file blocking.
Notification Contains reminders such as “Change Password” or “Product Registration”. Select the reminder to see the detailed reminder message.
Unit Information
Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see “Access profiles” on page 123.
Host Name The host name of the current FortiGate unit.
Firmware Version The version of the firmware installed on the current FortiGate unit.
Antivirus Definitions The current installed version of the FortiGate Antivirus Definitions.
Attack Definitions The current installed version of the FortiGate Attack Definitions used by the Intrusion Prevention System (IPS).
Serial Number The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Operation Mode The operation mode of the current FortiGate unit.
Recent Virus Detections
Time The time at which the recent virus was detected.
Src / Dst The source and destination addresses of the virus.
Service The service from which the virus was delivered; HTTP, FTP, IMAP, POP3, or SMTP.
Virus Detected The name of the virus detected.
Content Summary
The Content Summary shows information about Content Archiving, configured in firewall protection profiles. The Details pages provide a link to either the FortiLog unit or to the Log & Report > Log Config > Log Setting page where you can configure logging to a FortiLog unit.
Reset Select to reset the count values in the table to zero.
HTTP The number of URLs visited. Select Details to see the list of URLs, the time they were accessed and the IP address of the host that accessed them.
Email The number of email sent and received. Select Details to see the date and time, the sender, the recipient and the subject of each email.
FTP The number of URLs visited and the number of files uploaded and downloaded. Select Details to see the FTP site URL, date, time, user and lists of files uploaded and downloaded.
Interface Status
All interfaces in the FortiGate unit are listed in the table.
Interface The name of the interface.
IP / Netmask The IP address and netmask of the interface (NAT/Route mode only).
Status The status of the interface; either up (green up arrow) or down (red down arrow).
System Resources
CPU Usage The current CPU status. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage The current memory status. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage The current hard disk (local disk) status. The web-based manager displays hard disk usage for core processes only. Hard disk usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Active Sessions The number of communications sessions being processed by the FortiGate unit.
Network Utilization The total network bandwidth being used through all FortiGate interfaces and the percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
History Select History to view a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours.
Figure 9: Sample system resources history
History
The history page displays 6 graphs representing the following system resources and protection:
CPU Usage History CPU usage for the previous minute.
Memory Usage History Memory usage for the previous minute.
Session History Session history for the previous minute.
Network Utilization History Network utilization for the previous minute.
Virus History The virus detection history over the last 20 hours.
Intrusion History The intrusion detection history over the last 20 hours.
Recent Intrusion Detections
Time The time at which the recent intrusion was detected.
Src / Dst The source and destination addresses of the attack.
Service The service from which the attack was delivered; HTTP, FTP, IMAP, POP3, or SMTP.
Attack Name The name of the attack.
Changing unit information
Administrators with system configuration write access can use the unit information area of the System Status page:
To change FortiGate host name
To update the firmware version
To update the antivirus definitions manually
To update the attack definitions manually
To change to Transparent mode
To change to NAT/Route mode
To change FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “SNMP” on page 105.
The default host name is FortiGate-5000.
Note: If the FortiGate unit is part of an HA cluster, you should set a unique name to distinguish the unit from others in the cluster.
1 Go to System > Status > Status.
2 In the Host Name field of the Unit Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt, and is added to the SNMP System Name.
To update the firmware version
For information on updating the firmware, see “Changing the FortiGate firmware” on page 40.
To update the antivirus definitions manually
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see “Update center” on page 128.
1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Antivirus Definitions field of the Unit Information section, select Update.
4 In the Update File field, type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the Antivirus Definitions Version information has updated.
To update the attack definitions manually
Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see “Update center” on page 128.
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Attack Definitions field of the Unit Information section, select Update.
The Intrusion Detection System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the Attack Definitions Version information has updated.
To change to Transparent mode
After you change the FortiGate unit from NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except for HA settings (see “HA” on page 90).
To change to Transparent mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select Transparent.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to port1. The default Transparent mode management IP address is 10.10.10.1.
Note: If the web-based manager IP address was on a different subnet in NAT/Route mode, you may have to change the IP address of your computer to the same subnet as the management IP address.
To change to NAT/Route mode
After you change the FortiGate unit from Transparent mode to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults, except for HA settings (see “HA” on page 90).
To change to NAT/Route mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select NAT/Route.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to port1. The default port1 IP address is 192.168.1.99.
Note: If the management IP address was on a different subnet in Transparent mode, you may have to change the IP address of your computer to the same subnet as the interface configured for management access.
Session list
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions.
Figure 10: Sample session list
From IP  Set source IP address for list filtering
From Port  Set source port for list filtering
To IP  Set destination IP address for list filtering
To Port  Set destination port for list filtering
Apply Filter  Select to filter session list
Virtual Domain  Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains.
Total Number of Sessions  Total number of sessions currently being conducted through the FortiGate unit.
Refresh icon  Select to update the session list
Page up icon  Select to view the previous page in the session list
Page down icon  Select to view the next page in the session list.
Protocol  The service protocol of the connection, for example, udp, tcp, or icmp.
From IP  The source IP address of the connection.
From Port  The source port of the connection.
To IP  The destination IP address of the connection.
To Port  The destination port of the connection.
Expire  The time, in seconds, before the connection expires.
Policy ID  The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (an admin session, for example).
Delete icon  Select to stop an active communication session.
To view the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2 To navigate the list of sessions, select Page Up or Page Down.
3 Select Refresh to update the session list.
4 If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Delete to stop an active session.
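The following is an added example, not part of the manual: a small Python model of the session list that applies the same four filter criteria (From IP, From Port, To IP, To Port) and separates admin sessions (blank Policy ID) from sessions permitted by a firewall policy. The rows are constructed sample data in the column order listed above; the real FortiGate display and CLI output use their own layout, so the line parser here is an assumption for the sample only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    protocol: str
    from_ip: str
    from_port: int
    to_ip: str
    to_port: int
    expire: int               # seconds until the session table entry expires
    policy_id: Optional[int]  # None = blank = session involves only one FortiGate interface


# Constructed sample rows (not captured from a unit), in the order
# Protocol, From IP, From Port, To IP, To Port, Expire, Policy ID.
# The last row has a blank Policy ID: an HTTPS admin session to port1 (192.168.1.99).
SAMPLE_SESSION_LIST = """\
tcp   192.168.1.10  34567  10.0.0.5      80   3598  1
tcp   192.168.1.10  34570  10.0.0.5      443  3599  1
udp   192.168.1.22  51000  10.0.0.53     53   178   2
icmp  192.168.1.30  0      10.0.0.5      0    58    2
tcp   192.168.1.50  40001  192.168.1.99  443  3580
"""


def parse_session_line(line: str) -> Session:
    """Parse one whitespace-separated row; a missing seventh field is a blank Policy ID."""
    fields = line.split()
    if len(fields) not in (6, 7):
        raise ValueError(f"unexpected field count in {line!r}")
    policy = int(fields[6]) if len(fields) == 7 else None
    return Session(fields[0].lower(), fields[1], int(fields[2]),
                   fields[3], int(fields[4]), int(fields[5]), policy)


def load_sessions(text: str = SAMPLE_SESSION_LIST) -> List[Session]:
    return [parse_session_line(l) for l in text.splitlines() if l.strip()]


def filter_sessions(sessions: List[Session], from_ip: Optional[str] = None,
                    from_port: Optional[int] = None, to_ip: Optional[str] = None,
                    to_port: Optional[int] = None) -> List[Session]:
    """Same semantics as the web-based manager filter: a criterion left blank matches everything."""
    out = []
    for s in sessions:
        if from_ip is not None and s.from_ip != from_ip:
            continue
        if from_port is not None and s.from_port != from_port:
            continue
        if to_ip is not None and s.to_ip != to_ip:
            continue
        if to_port is not None and s.to_port != to_port:
            continue
        out.append(s)
    return out


def admin_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions with a blank Policy ID, i.e. terminated on the unit itself."""
    return [s for s in sessions if s.policy_id is None]


def sessions_by_policy(sessions: List[Session]) -> Dict[int, int]:
    """Count how many current sessions each firewall policy is allowing."""
    counts: Dict[int, int] = {}
    for s in sessions:
        if s.policy_id is not None:
            counts[s.policy_id] = counts.get(s.policy_id, 0) + 1
    return counts


if __name__ == "__main__":
    sessions = load_sessions()
    print("sessions per policy:", sessions_by_policy(sessions))
    for s in admin_sessions(sessions):
        print("admin session:", s)
```

Reviewing the sessions a single policy is allowing, and checking that the only blank-policy sessions are management connections you expect, is a quick sanity check after a policy change or a firmware upgrade.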
Changing the FortiGate firmware
FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware.
After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiGate unit.
Table 1: Firmware upgrade procedures
Procedure  Description
Upgrading to a new firmware version  Use the web-based manager or CLI procedure to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Reverting to a previous firmware version  Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiGate unit to its factory default configuration.
Installing firmware images from a system reboot using the CLI  Use this procedure to install a new firmware version or revert to a previous firmware version. To use this procedure you must connect to the CLI using the FortiGate console port and a null-modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
Testing a new firmware image before installing it  Use this procedure to test a new firmware image before installing it. To use this procedure you must connect to the CLI using the FortiGate console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.
Installing and using a backup firmware image  If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required.
Upgrading to a new firmware version
Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions
included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 131 to make sure that antivirus and attack definitions are up to date.
To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see “Update center” on page 128.
Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that the FortiGate unit
can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. After you install new
firmware, use the procedure “To update antivirus and attack definitions” on page 131 to make
sure that antivirus and attack definitions are up to date. You can also use the CLI command
execute update_now to update the antivirus and attack definitions.
To upgrade the firmware using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI.
Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server.
For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build183-FORTINET.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 To confirm that the new firmware image is successfully installed, enter:
get system status
9 Use the procedure “To update antivirus and attack definitions” on page 131 to update
antivirus and attack definitions, or from the CLI, enter:
execute update_now
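The `execute restore image` step above fetches the image over TFTP (RFC 1350), and the procedure assumes a TFTP server you control on the same network. The following added example, which is not code from the manual or from Fortinet, models that exchange in Python: the unit's read request, the server's 512-byte DATA blocks, the client's ACKs, and the two server-side checks that matter because TFTP has no authentication at all: the requested name is confined to the server root directory, and only octet-mode read requests are answered. The image bytes and file names are constructed; `root_files` stands in for the files in the TFTP root directory.

```python
import posixpath
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Opcodes and the fixed block size defined by RFC 1350.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
ERR_NOT_FOUND, ERR_ACCESS = 1, 2


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: the first packet the downloading unit sends. Firmware
    images are binary, so the transfer mode is 'octet'."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_request(packet: bytes) -> Tuple[int, str, str]:
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a TFTP request")
    parts = packet[2:].split(b"\x00")
    if len(parts) < 3:  # filename, mode, and the empty piece after the final NUL
        raise ValueError("malformed request")
    return opcode, parts[0].decode(), parts[1].decode().lower()


def safe_name(requested: str) -> Optional[str]:
    """Confine a requested name to the server root. Absolute paths, backslashes
    and names that climb above the root are refused (None)."""
    if not requested or requested.startswith("/") or "\\" in requested:
        return None
    norm = posixpath.normpath(requested)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return norm


def data_packets(image: bytes) -> Iterator[bytes]:
    """DATA packets for an image. A block shorter than 512 bytes ends the transfer,
    so an image whose size is an exact multiple of 512 needs a trailing empty block."""
    block, offset = 1, 0
    while True:
        chunk = image[offset:offset + BLOCK_SIZE]
        yield struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk
        if len(chunk) < BLOCK_SIZE:
            return
        block, offset = block + 1, offset + BLOCK_SIZE


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\x00"


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


def serve_read(request: bytes, root_files: Dict[str, bytes]) -> List[bytes]:
    """Server side: answer a request with one ERROR packet or the full DATA sequence."""
    opcode, name, mode = parse_request(request)
    if opcode != OP_RRQ or mode != "octet":
        return [build_error(ERR_ACCESS, "only octet read requests are served")]
    norm = safe_name(name)
    if norm is None:
        return [build_error(ERR_ACCESS, "access violation")]
    if norm not in root_files:
        return [build_error(ERR_NOT_FOUND, "file not found")]
    return list(data_packets(root_files[norm]))


def receive_image(packets: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Client side: require block numbers 1, 2, 3, ..., ACK each block and
    reassemble the image. Returns (image, acks_sent); raises on an ERROR packet."""
    image, acks, expected = bytearray(), [], 1
    for pkt in packets:
        opcode, block = struct.unpack("!HH", pkt[:4])
        if opcode == OP_ERROR:
            raise RuntimeError(f"server error {block}: {pkt[4:-1].decode()}")
        if opcode != OP_DATA or block != (expected & 0xFFFF):
            raise RuntimeError("unexpected or out-of-order packet")
        image += pkt[4:]
        acks.append(build_ack(block))
        expected += 1
        if len(pkt) - 4 < BLOCK_SIZE:
            break
    return bytes(image), acks


if __name__ == "__main__":
    name = "FGT_300-v280-build183-FORTINET.out"   # file name from the manual's example
    image = bytes(range(256)) * 4                  # constructed 1024-byte stand-in image
    received, acks = receive_image(serve_read(build_rrq(name), {name: image}))
    print("blocks acked:", len(acks), "image intact:", received == image)
```

Because anyone who can reach the TFTP port can request any file the server is willing to serve, the practical mitigations are the ones this model encodes (a dedicated root directory holding only the image, read-only octet service) plus what the procedure already requires: the server on the same subnet as the download interface, running only for the duration of the upgrade.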
Reverting to a previous firmware version
Use the following procedures to revert your FortiGate unit to a previous firmware
version.
Reverting to a previous firmware version using the web-based manager
The following procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
Back up the FortiGate unit configuration.
Back up the IPS custom signatures.
Back up web content and email filtering lists.
For information, see “Backing up and Restoring” on page 126.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS
v2.80 to FortiOS v2.50), you might not be able to restore the previous configuration
from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions
included with the firmware release that you are installing. After you install new firmware, use the
procedure “To update antivirus and attack definitions” on page 131 to make sure that antivirus
and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration.
For information about restoring your configuration, see “Backup and restore” on
page 125.
10 Update antivirus and attack definitions.
For information about antivirus and attack definitions, see “To update antivirus and
attack definitions” on page 131.
Reverting to a previous firmware version using the CLI
This procedure reverts the FortiGate unit to its factory default configuration and
deletes IPS custom signatures, web content lists, email filtering lists, and changes to
replacement messages.
Before beginning this procedure you can:
Back up the FortiGate unit system configuration using the command execute backup config.
Back up the IPS custom signatures using the command execute backup ipsuserdefsig.
Back up web content and email filtering lists.
For information, see “Backing up and Restoring” on page 126.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 131 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update_now to update the antivirus and attack definitions.
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to.
To revert to a previous firmware version using the CLI
1 Make sure that the TFTP server is running.
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI.
Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server.
For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build158-FORTINET.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 To restore your previous configuration if needed, use the command:
execute restore config <name_str> <tftp_ipv4>
11 Update antivirus and attack definitions.
For information, see “To update antivirus and attack definitions” on page 131, or from
the CLI, enter:
execute update_now
Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to
default settings. You can use this procedure to upgrade to a new firmware version,
revert to an older firmware version, or re-install the current firmware version.
Note: This procedure varies for different FortiGate BIOS versions. These variations are
explained in the procedure steps that are affected. The version of the BIOS running on the
FortiGate unit is displayed when you restart the FortiGate unit using the CLI through a console
connection.
For this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from port8. The TFTP server should be on the same subnet as port8.
Note: The default interface for TFTP server firmware downloads is port8. You can specify a different interface after you restart the FortiGate unit as described in the following procedure.
Before beginning this procedure you can:
Back up the FortiGate unit configuration. For information, see “Backing up and Restoring” on page 126.
Back up the IPS custom signatures. For information, see “Backing up and restoring custom signature files” on
page 291.
Back up web content and email filtering lists. For information, see “Web filter” on page 319 and “Spam filter” on page 333.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 131 to make sure that antivirus and attack definitions are up to date.
To install firmware from a system reboot
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that port8 is connected to the same network as the TFTP server. This is the default interface for TFTP server firmware downloads.
Note: The default interface for TFTP server firmware downloads is port8. You can specify a different interface after you restart the FortiGate unit as described below.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system !
Do you want to continue? (y/n)
7 Type y.
As the FortiGate unit starts, a series of system startup messages is displayed.
When one of the following messages appears:
FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image. ...
FortiGate unit running v3.x BIOS
Press any key to display configuration menu.....
......
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the
execute reboot command.
If you successfully interrupt the startup process, one of the following messages
appears:
FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 10.
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter image download port number[8]:
9 Type the number of the interface that connects to the same network as the TFTP
server.
The default interface is port8. To accept the default interface, press Enter.
The following message appears:
Enter TFTP server address [192.168.1.168]:
10 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
11 Type an IP address that the FortiGate unit can use to connect to the TFTP server.
The IP address can be any IP address that is valid for the network that the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
12 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages
similar to the following are displayed:
FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type Y.
FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
or
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
13 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might
take a few minutes to complete.
Restoring the previous configuration
Change the internal interface address if required. You can do this from the CLI using
the command:
config system interface
    edit internal
        set ip <address_ipv4mask>
        set allowaccess {ping https ssh telnet http}
end
After changing the interface address, you can access the FortiGate unit from the
web-based manager and restore the configuration.
To restore the FortiGate unit configuration, see “Backup and restore” on page 125.
To restore IPS custom signatures, see “Backing up and restoring custom signature
files” on page 291.
To restore web content filtering lists, see “Backup and restore” on page 125.
To restore email filtering lists, see “Backup and restore” on page 125.
To update the virus and attack definitions to the most recent version, see “Updating
antivirus and attack definitions” on page 130.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file.
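After a reset to factory defaults, the interface address and the `allowaccess` list decide which management protocols the unit answers on. The following added example, which is not part of the manual and not Fortinet code, parses a `config system interface` block in the CLI form shown above (with or without `next` after each entry), reports each interface's network, flags interfaces whose `allowaccess` includes a cleartext management protocol, and renders an entry back into CLI commands so the result can be checked before it is typed in. The configuration text is constructed sample data; the classification of `http` and `telnet` as cleartext is this example's review rule, not a statement from the manual.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Review rule of this example: protocols that carry the admin login in the clear.
CLEARTEXT_ACCESS = {"http", "telnet"}


@dataclass
class Interface:
    name: str
    ip: str = ""                       # "<address> <netmask>" as given to 'set ip'
    allowaccess: List[str] = field(default_factory=list)

    def network(self) -> str:
        """Network the interface sits on, e.g. '192.168.1.0/24'."""
        spec = self.ip if "/" in self.ip else "/".join(self.ip.split()[:2])
        return str(ipaddress.ip_interface(spec).network)


def parse_system_interface(config_text: str) -> Dict[str, Interface]:
    """Read the 'config system interface' block. An entry is closed by 'next',
    by 'end', or by the next 'edit', so the manual's shorter form parses too."""
    interfaces: Dict[str, Interface] = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        if tokens[:3] == ["config", "system", "interface"]:
            in_block = True
            continue
        if not in_block:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = Interface(name=tokens[1].strip('"'))
            interfaces[current.name] = current
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block, current = False, None
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            if tokens[1] == "ip":
                current.ip = " ".join(tokens[2:4])
            elif tokens[1] == "allowaccess":
                current.allowaccess = tokens[2:]
    return interfaces


def cleartext_management(interfaces: Dict[str, Interface]) -> Dict[str, List[str]]:
    """Interfaces that accept a cleartext management protocol, with the offending names."""
    findings: Dict[str, List[str]] = {}
    for name, itf in interfaces.items():
        hits = sorted(set(itf.allowaccess) & CLEARTEXT_ACCESS)
        if hits:
            findings[name] = hits
    return findings


def render_interface(itf: Interface) -> str:
    """CLI commands that reproduce one interface entry, in the form used in this section."""
    lines = ["config system interface", f"    edit {itf.name}", f"        set ip {itf.ip}"]
    if itf.allowaccess:
        lines.append("        set allowaccess " + " ".join(itf.allowaccess))
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample configuration (not taken from a unit).
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit port8
        set ip 192.168.8.1 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
end
"""

if __name__ == "__main__":
    itfs = parse_system_interface(SAMPLE_CONFIG)
    for name, itf in itfs.items():
        print(f"{name}: {itf.network()} allowaccess={' '.join(itf.allowaccess)}")
    print("cleartext management:", cleartext_management(itfs))
    print(render_interface(itfs["port1"]))
```

Run over a saved configuration backup, the check tells you which interfaces will answer management logins over cleartext once the configuration is restored, so the list can be trimmed to what the management network actually needs.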
Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrading to a new firmware version” on page 41.
For this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from port8. The TFTP server should be on the same subnet as port8.
Note: The default interface for TFTP server firmware downloads is port8. You can specify a different interface after you restart the FortiGate unit as described in the following procedure.
To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that port8 is connected to the same network as the TFTP server.
Note: The default interface for TFTP server firmware downloads is port8. You can specify a different interface after you restart the FortiGate unit as described in the following procedure.
You can use the following command to ping the computer running the TFTP server.
For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, press any key to interrupt the system startup.
As the FortiGate unit starts, a series of system startup messages is displayed.
When one of the following messages appears:
FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image. ...
FortiGate unit running v3.x BIOS
Press any key to display configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages
appears:
FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 10.
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter image download port number[8]:
9 Type the number of the interface that connects to the same network as the TFTP
server.
The default interface is port8. To accept the default interface, press Enter.
The following message appears:
Enter TFTP server address [192.168.1.168]:
10 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
11 Type an IP address that can be used by the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server, but make sure you
do not use the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
12 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages
similar to the following appear.
FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type N.
FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
or
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
13 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts
running the new firmware image but with its current configuration.
14 You can log into the CLI or the web-based manager using any administrative account.
15 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.
Installing and using a backup firmware image
If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware
image. Once the backup firmware image is installed you can switch to this backup
image when required.
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Installing a backup firmware image
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiGate as described in the procedure “Installing firmware images from a system reboot using the CLI” on
page 45.
To install a backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed.
When the following message appears:
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type an IP address that can be used by the FortiGate unit to connect to the TFTP server.
The IP address can be any IP address that is valid for the network that the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following message is displayed.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
11 Type B.
The FortiGate unit saves the backup firmware image and restarts. When the FortiGate
unit restarts it is running the previously installed firmware version.
Switching to the backup firmware image
Use this procedure to switch the FortiGate unit to operating with a backup firmware
image that you previously installed. When you switch the FortiGate unit to the backup
firmware image, the FortiGate unit operates using the configuration that was saved
with that firmware image.
If you install a new backup image from a reboot, the configuration saved with this
firmware image is the factory default configuration. If you use the procedure
“Switching back to the default firmware image” on page 53 to switch to a backup
firmware image that was previously running as the default firmware image, the
configuration saved with this firmware image is restored.
To switch to the backup firmware image 1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed.
When the following message appears:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate
unit restarts, it is running the backup firmware version and the configuration is set to
factory default.
Switching back to the default firmware image
Use this procedure to switch the FortiGate unit to operating with the backup firmware
image that had been running as the default firmware image. When you switch to this
backup firmware image, the configuration saved with this firmware image is restored.
To switch back to the default firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed.
When the following message appears:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate
unit restarts it is running the backup firmware version with a restored configuration.
System Network
System network settings control how the FortiGate unit connects to and interacts with
your network. Basic network settings start with configuring FortiGate interfaces to
connect to your network and configuring the FortiGate DNS settings.
More advanced network settings include adding VLAN subinterfaces and zones to the
FortiGate network configuration.
Interface
Zone
Management
DNS
Routing table (Transparent Mode)
VLAN overview
VLANs in NAT/Route mode
VLANs in Transparent mode
FortiGate IPv6 support
Interface
In NAT/Route mode, go to System > Network > Interface to configure FortiGate
interfaces and to add and configure VLAN subinterfaces.
Note: Unless stated otherwise, in this section the term interface can refer to a physical
FortiGate interface or to a FortiGate VLAN subinterface.
For information about VLANs in NAT/Route mode, see “VLANs in NAT/Route
mode” on page 71.
For information about VLANs in Transparent mode, see “VLANs in Transparent
mode” on page 74.
Figure 11: Interface list
Create New: Select Create New to add a VLAN subinterface.
Virtual Domain: Select a virtual domain to display the interfaces added to that virtual domain. Only available if you have added a virtual domain.
Name: The names of the physical interfaces available to your FortiGate unit. Interface names indicate that the interface can be connected to any network (for example, port1, port2, and portx). If you have added VLAN subinterfaces, they also appear in the name list, below the physical interface that they have been added to. See “VLAN overview” on page 70.
IP: The current IP address of the interface.
Netmask: The netmask of the interface.
Access: The administrative access configuration for the interface. See “To control administrative access to an interface” on page 65 for information about administrative access options.
Status: The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 62 and “To start up an interface that is administratively down” on page 62.
Delete, edit, and view icons.
Interface settings
Interface settings displays the current configuration of a selected FortiGate interface or VLAN subinterface. Use interface settings to configure a new VLAN subinterface or to change the configuration of a FortiGate interface or VLAN subinterface.
You cannot change the name, interface or VLAN ID of an existing interface.
Figure 12: Interface settings
See the following procedures for configuring interfaces:
To bring down an interface that is administratively up
To start up an interface that is administratively down
To add interfaces to a zone
To add an interface to a virtual domain
To change the static IP address of an interface
To configure an interface for DHCP
To configure an interface for PPPoE
To configure support for dynamic DNS services
To add a secondary IP address
To add a ping server to an interface
To control administrative access to an interface
To change the MTU size of the packets leaving an interface
To configure traffic logging for connections to an interface
Name: The name of the interface.
Interface: Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface. Once created, the VLAN subinterface is listed below its physical interface in the Interface list.
VLAN ID: Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface. The VLAN ID is a 12-bit field, so it can be any number between 1 and 4094 (0 and 4095 are reserved by IEEE 802.1Q), and it must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface.
For more information on VLANs, see “VLAN overview” on page 70.
Virtual Domain
Select a virtual domain to add the interface or VLAN subinterface to this virtual domain. Virtual domain is only available if you have added a virtual domain.
For more information on virtual domains, see “System Virtual Domain” on page 141.
Addressing mode
Select Manual, DHCP, or PPPoE to set the addressing mode for this interface.
Manual
Select Manual and enter an IP address and netmask for the interface. The IP address of the interface must be on the same subnet as the network the interface is connecting to.
Note: Where you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.
Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
DHCP
If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. You can disable Connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP request.
Distance: Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server: Enable Retrieve default gateway from server to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.
Override internal DNS: Enable Override internal DNS to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page.
Connect to server: Enable Connect to Server so that the interface automatically attempts to connect to a DHCP server. Disable this option if you are configuring the interface offline.
Status: Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message.
initializing: No activity.
connecting: The interface is attempting to connect to the DHCP server.
connected: The interface retrieves an IP address, netmask, and other settings from the DHCP server.
failed: The interface was unable to retrieve an IP address and other information from the DHCP server.
PPPoE
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
FortiGate units support many of the PPPoE RFC features (RFC 2516), including unnumbered IPs, an initial discovery timeout, and PPPoE Active Discovery Terminate (PADT).
Figure 13: PPPoE settings
User Name: The PPPoE account user name.
Password: The PPPoE account password.
Unnumbered IP: Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.
Initial Disc Timeout: Initial discovery timeout. The time to wait before retrying to start a PPPoE discovery. Set Initial Disc Timeout to 0 to disable.
Initial PADT timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set Initial PADT timeout to 0 to disable.
Distance: Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server: Enable Retrieve default gateway from server to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.
Override internal DNS: Enable Override internal DNS to replace the DNS server IP addresses on the DNS page with the DNS addresses retrieved from the PPPoE server.
Connect to server: Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server. Disable this option if you are configuring the interface offline.
Status: Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message.
initializing: No activity.
connecting: The interface is attempting to connect to the PPPoE server.
connected: The interface retrieves an IP address, netmask, and other settings from the PPPoE server.
failed: The interface was unable to retrieve an IP address and other information from the PPPoE server.
DDNS
Enable or disable updates to a Dynamic DNS (DDNS) service. When the FortiGate unit has a static domain name and a dynamic public IP address, select DDNS Enable to force the unit to update the DDNS server each time the address changes. In turn, the DDNS service updates Internet DNS servers with the new IP address for the domain.
Dynamic DNS is available only in NAT/Route mode.
Server: Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS server for the supported clients.
Domain: The domain name to use for the DDNS service.
Username: The user name to use when connecting to the DDNS server.
Password: The password to use when connecting to the DDNS server.
Ping server
Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See “To add a ping server to an interface” on
page 64.
The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see “To modify the dead gateway detection settings” on page 90.
Administrative access
Configure administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect. You can select the following administrative access options:
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 106.
TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
MTU
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance.
To change the MTU, select Override default MTU value (1500) and enter the maximum packet size. For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
Log
Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log & Report > Log Config to configure logging locations and types. For information about logging see “Log & Report” on page 351.
Configuring interfaces
Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces.
To bring down an interface that is administratively up
To add interfaces to a zone
To add an interface to a virtual domain
To change the static IP address of an interface
To configure an interface for DHCP
To configure an interface for PPPoE
To add a secondary IP address
To configure support for dynamic DNS services
To add a ping server to an interface
To control administrative access to an interface
To change the MTU size of the packets leaving an interface
To configure traffic logging for connections to an interface
To add a VLAN subinterface
See “To add a VLAN subinterface in NAT/Route mode” on page 73.
To bring down an interface that is administratively up
You can bring down physical interfaces or VLAN subinterfaces. Bringing down a physical interface also brings down the VLAN subinterfaces associated with it.
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Down for the interface that you want to stop.
To start up an interface that is administratively down
You can start up physical interfaces and VLAN subinterfaces. Starting a physical interface does not start the VLAN subinterfaces added to it.
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Up for the interface that you want to start.
To add interfaces to a zone
If you have added zones to the FortiGate unit, you can use this procedure to add interfaces or VLAN subinterfaces to the zone. To add a zone, see “To add a zone” on
page 67. You cannot add an interface to a zone if you have added firewall policies for
the interface. Delete firewall policies for the interface and then add the interface to the zone.
1 Go to System > Network > Zone.
2 Choose the zone to add the interface or VLAN subinterface to and select Edit.
3 Select the names of the interfaces or VLAN subinterfaces to add to the zone.
4 Select OK to save the changes.
To add an interface to a virtual domain
If you have added virtual domains to the FortiGate unit, you can use this procedure to add an interface or VLAN subinterface to a virtual domain. To add a virtual domain, see “To add a virtual domain” on page 145. You cannot add an interface to a virtual domain if you have added firewall policies for the interface. Delete firewall policies for the interface and then add the interface to the virtual domain.
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a virtual domain and select Edit.
3 From the Virtual Domain list, select the virtual domain that you want to add the interface to.
4 Select OK to save the changes.
5 Repeat these steps to add more interfaces or VLAN subinterfaces to virtual domains.
To change the static IP address of an interface
You can change the static IP address of any FortiGate interface.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required.
5 Select OK to save your changes.
If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.
To configure an interface for DHCP
You can configure any FortiGate interface to use DHCP.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 In the Addressing Mode section, select DHCP.
4 Select the Retrieve default gateway and DNS from server check box if you want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.
5 Select the Connect to Server check box if you want the FortiGate unit to connect to the DHCP server.
6 Select Apply.
The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, and optionally the default gateway IP address and DNS server IP addresses.
7 Select Status to refresh the addressing mode status message.
8 Select OK.
To configure an interface for PPPoE
Use this procedure to configure any FortiGate interface to use PPPoE. See “PPPoE”
on page 59 for information on PPPoE settings.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 Enter an Unnumbered IP if required by your PPPoE service.
6 Set the Initial Disc Timeout and Initial PADT Timeout if supported by your ISP.
7 Select the Retrieve default gateway from server check box if you want the FortiGate unit to obtain a default gateway IP address from the PPPoE server.
8 Select the Override Internal DNS check box if you want the FortiGate unit to obtain a DNS server IP address from the PPPoE server.
9 Select the Connect to Server check box if you want the FortiGate unit to connect to the PPPoE server.
10 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, and optionally the default gateway IP address and DNS server IP addresses.
11 Select Status to refresh the addressing mode status message.
12 Select OK.
To add a secondary IP address
You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be on the same subnet as the primary address of the interface, any other interface, or any other secondary IP address.
From the FortiGate CLI, enter the following commands:
config system interface
    edit <intf_str>
        config secondaryip
            edit 0
                set ip <second_ip> <netmask_ip>
Optionally, you can also configure management access and add a ping server to the secondary IP address. Enable only the access methods you need; the following line enables all of them, including HTTP and Telnet, which are not encrypted:
                set allowaccess ping https ssh snmp http telnet
                set gwdetect enable
Save the changes (the first end closes the secondaryip table, the second saves the interface and leaves config system interface):
            end
    end
To configure support for dynamic DNS services
1 Go to System > Network > Interface.
2 Select the interface to the Internet and then select Edit.
3 Select DDNS Enable.
4 From the Server list, select one of the supported dynamic DNS services.
5 In the Domain field, type the fully qualified domain name of the FortiGate unit.
6 In the Username field, type the user name that the FortiGate unit must send when it connects to the dynamic DNS server.
7 In the Password field, type the associated password.
8 Select OK.
To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select the Enable check box.
5 Select OK to save the changes.
To control administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative
access to an interface to control how administrators access the FortiGate unit and the
FortiGate interfaces to which administrators can connect.
Controlling administrative access for an interface connected to the Internet allows
remote administration of the FortiGate unit from any location on the Internet. However,
allowing remote administration from the Internet could compromise the security of
your FortiGate unit. You should avoid allowing administrative access for an interface
connected to the Internet unless this is required for your configuration. To improve the
security of a FortiGate unit that allows remote administration from the Internet:
Use secure administrative user passwords,
Change these passwords regularly,
Enable secure administrative access to this interface using only HTTPS or SSH,
Do not change the system idle timeout from the default value of 5 minutes (see “To
set the system idle timeout” on page 89).
To configure administrative access in Transparent mode, see “To configure the
management interface” on page 68.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK to save the changes.
To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select Override default MTU value (1500).
4 Set the MTU size.
5 Select OK to save the changes.
Note: You cannot set the MTU of a VLAN larger than the MTU of its physical interface. Nor can you set the MTU of a physical interface smaller than the MTU of any VLAN on that interface.
To configure traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4 Select OK to save the changes.
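The rules in this section are easy to check mechanically against a saved configuration: HTTP and Telnet are cleartext, an Internet-facing interface should allow nothing but HTTPS or SSH if it allows administration at all, interface subnets may not overlap, and a VLAN subinterface may not have a larger MTU than its physical interface. The following Python script is an added example written for this edition, not Fortinet code. It parses the config system interface block in the CLI syntax shown under “To add a secondary IP address” and reports each violation. The sample configuration is constructed for the example; the keywords interface, vlanid, mtu-override and mtu are assumed to follow FortiOS CLI naming and are not documented on this page, and the set of Internet-facing interfaces is supplied by the operator because the configuration itself does not mark them.

```python
import ipaddress
import shlex
from typing import Dict, FrozenSet, List, Optional

# Constructed sample configuration for this example (not taken from a device).
# Keywords beyond ip/allowaccess (interface, vlanid, mtu-override, mtu) are
# assumed FortiOS CLI names and are not documented on this page.
SAMPLE_CONFIG = """\
config system interface
    edit "external"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set mtu-override enable
        set mtu 1400
    next
    edit "vlan100"
        set interface "internal"
        set vlanid 100
        set ip 192.168.1.1 255.255.255.0
        set allowaccess https ssh
        set mtu-override enable
        set mtu 1500
    next
end
"""

CLEARTEXT = {"http", "telnet"}   # can be intercepted by a third party, per the guide
INTERNET_OK = {"https", "ssh"}   # the only methods the guide permits on an Internet-facing interface
DEFAULT_MTU = 1500

Settings = Dict[str, List[str]]


def parse_interfaces(text: str) -> Dict[str, Settings]:
    """Parse the 'config system interface' table of a FortiOS-style config.

    Returns {interface name: {setting: [values]}}. Nested tables such as
    'config secondaryip' are skipped so their 'set' lines are not mistaken
    for the interface's own settings.
    """
    ifaces: Dict[str, Settings] = {}
    path: List[str] = []               # stack of open 'config' tables
    current: Optional[Settings] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            path.append(" ".join(args))
        elif kw == "end":
            if path:
                path.pop()
            if not path:               # left the outermost table
                current = None
        elif kw == "edit" and path == ["system interface"]:
            current = ifaces.setdefault(args[0], {})
        elif kw == "next":
            current = None
        elif kw == "set" and current is not None and path == ["system interface"]:
            current[args[0]] = args[1:]
    return ifaces


def effective_mtu(s: Settings) -> int:
    """MTU in force: the override value if enabled, otherwise the 1500 default."""
    if s.get("mtu-override") == ["enable"] and "mtu" in s:
        return int(s["mtu"][0])
    return DEFAULT_MTU


def audit(ifaces: Dict[str, Settings], internet_facing: FrozenSet[str] = frozenset()) -> List[str]:
    """Return one finding per violated rule from this section of the guide."""
    findings: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for name, s in ifaces.items():
        access = set(s.get("allowaccess", []))
        if access & CLEARTEXT:
            findings.append(f"{name}: cleartext management enabled ({', '.join(sorted(access & CLEARTEXT))})")
        if name in internet_facing and access - INTERNET_OK:
            findings.append(f"{name}: Internet-facing interface allows {', '.join(sorted(access - INTERNET_OK))}; restrict to https/ssh or disable")
        if len(s.get("ip", [])) == 2:  # 'set ip <addr> <netmask>' as on this page
            nets[name] = ipaddress.ip_network(f"{s['ip'][0]}/{s['ip'][1]}", strict=False)
        if "vlanid" in s:
            vid = int(s["vlanid"][0])
            if not 1 <= vid <= 4094:
                findings.append(f"{name}: VLAN ID {vid} is outside 1-4094")
            parent = s.get("interface", [""])[0]
            if parent in ifaces and effective_mtu(s) > effective_mtu(ifaces[parent]):
                findings.append(f"{name}: MTU {effective_mtu(s)} exceeds MTU {effective_mtu(ifaces[parent])} of physical interface {parent}")
    names = sorted(nets)               # pairwise subnet overlap check (the guide's IP address rule)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b}: subnets {nets[a]} and {nets[b]} overlap")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_interfaces(SAMPLE_CONFIG), frozenset({"external"})):
        print(finding)
```

Run against the sample it reports four findings: the external interface exposes HTTP and Telnet and, being Internet-facing, also ping; vlan100 overrides its MTU above the 1400 of its physical interface; and vlan100 shares 192.168.1.0/24 with internal. A unit with the global ip-overlap option enabled (see the note under “Rules for VLAN IP addresses”) would legitimately trip the last check, so treat that one as a warning rather than an error there.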
Zone
You can use zones to group related interfaces and VLAN subinterfaces. Grouping
interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group
interfaces and VLAN subinterfaces into a zone, you can configure policies for
connections to and from this zone, rather than to and from each interface and VLAN
subinterface.
You can add zones, rename and edit zones, and delete zones from the zone list.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces
to add to the zone.
Zones are added to virtual domains. If you have added multiple virtual domains to
your FortiGate configuration, make sure you are configuring the correct virtual domain
before adding or editing zones.
Figure 14: Zone list
Zone settings
Create New: Select Create New to create a zone.
Name: The names of the zones that you have added.
Block intra-zone traffic: Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members: The names of the interfaces added to the zone.
Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone.
Figure 15: Zone options
Name: Enter the name to identify the zone.
Block intra-zone traffic: Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
Interface members: Enable check boxes to select the interfaces that are part of this zone.
To add a zone
1 If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
2 Go to System > Network > Zone.
3 Select Create New.
4 In the New Zone dialog box, type a name for the zone.
5 Select the Block intra-zone traffic check box if you want to block traffic between interfaces or VLAN subinterfaces in the same zone.
6 Select the names of the interfaces or VLAN subinterfaces to add to the zone.
7 Select OK.
To delete a zone
You can only delete zones that have the Delete icon beside them in the zone list.
1 If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain from which to delete the zone.
2 Go to System > Network > Zone.
3 Select Delete to remove a zone from the list.
4 Select OK to delete the zone.
To edit a zone
1 If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain in which to edit the zone.
2 Go to System > Network > Zone.
3 Select Edit to modify a zone.
4 Select or deselect Block intra-zone traffic.
5 Select the names of the interfaces or VLAN subinterfaces to add to the zone.
6 Clear the check box for the names of the interfaces or VLAN subinterfaces to remove from the zone.
7 Select OK.
Management
Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate unit also uses this IP address to connect to the FDN for virus and attack updates (see “Update center” on page 128).
You can also configure interfaces to control how administrators connect to the FortiGate unit for administration. See “To control administrative access to an interface” on page 65.
Controlling administrative access to a FortiGate interface connected to the Internet
allows remote administration of the FortiGate unit from any location on the Internet.
However, allowing remote administration from the Internet could compromise the
security of the FortiGate unit. You should avoid allowing administrative access for an
interface connected to the Internet unless this is required for your configuration. To
improve the security of a FortiGate unit that allows remote administration from the
Internet:
Use secure administrative user passwords,
Change these passwords regularly,
Enable secure administrative access to this interface using only HTTPS or SSH,
Do not change the system idle timeout from the default value of 5 minutes (see “To
set the system idle timeout” on page 89).
Figure 16: Management
Management IP/Netmask: Enter the management IP address and netmask. This must be a valid IP address for the network that you want to manage the FortiGate unit from.
Default Gateway: Enter the default gateway address.
Management Virtual Domain: Select the virtual domain from which you want to perform system management.
To configure the management interface
1 Go to System > Network > Management.
2 Enter the Management IP/Netmask.
3 Enter the Default Gateway.
4 Select the Management Virtual Domain.
5 Select Apply.
The FortiGate unit displays the following message:
Management IP address was changed. Click here to redirect.
6 Click on the message to connect to the new Management IP.
DNS
Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your FortiGate unit can connect. DNS server IP addresses are usually supplied by your ISP.
Figure 17: DNS
Primary DNS Server Enter the primary DNS server IP address.
Secondary DNS Server Enter the secondary DNS server IP address.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Change the primary and secondary DNS server IP addresses as required.
3 Select Apply to save the changes.
Routing table (Transparent Mode)
In Transparent mode, you can configure routing to add static routes from the
FortiGate unit to local routers.
Routing table list
Figure 18: Routing table
Create New: Select Create New to add a new route.
#: Route number.
IP: The destination IP address for this route.
Mask: The netmask for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
Distance: The relative preference of this route. 1 is most preferred.
Delete icon. Select to remove a route. View/edit icon. Select to view or edit a route. Move To icon. Select to change the order of a route in the list.
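The columns above map directly onto how a route is chosen for a packet. The following Python is an added example written for this edition, not FortiGate code and not a description of FortiOS internals: it models the selection order a practitioner should expect from a table like this one, namely the most specific destination (longest prefix) wins, a lower Distance breaks ties between routes to the same destination, and among otherwise identical routes the one nearest the top of the list wins, which is why only the first of two default routes is active. The table contents are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network     # IP and Mask columns
    gateway: ipaddress.IPv4Address  # Gateway column
    distance: int = 1               # Distance column, 1 is most preferred


def make_route(ip: str, mask: str, gateway: str, distance: int = 1) -> Route:
    """Build a Route from the values entered in the routing table dialog."""
    if not 1 <= distance <= 255:
        raise ValueError("distance must be an integer from 1 to 255")
    return Route(ipaddress.ip_network(f"{ip}/{mask}", strict=False),
                 ipaddress.ip_address(gateway), distance)


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Pick the route used for a destination address, or None if nothing matches.

    Longest prefix wins; among equal prefixes the lowest distance wins; among
    equal distances the route nearest the top of the list wins.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for position, route in enumerate(table):
        if addr not in route.dest:
            continue
        rank = (route.dest.prefixlen, -route.distance, -position)
        if best is None or rank > best[0]:
            best = (rank, route)
    return best[1] if best else None


# Constructed example table (not from the guide): two default routes, and two
# routes to the same /16 that differ only in distance.
TABLE = [
    make_route("0.0.0.0", "0.0.0.0", "10.0.0.1"),
    make_route("0.0.0.0", "0.0.0.0", "10.0.0.2"),
    make_route("10.10.0.0", "255.255.0.0", "10.0.0.3", distance=5),
    make_route("10.10.0.0", "255.255.0.0", "10.0.0.4", distance=2),
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.10.1.1"):
        print(dst, "->", select_route(TABLE, dst).gateway)
```

Note that Distance never overrides prefix length: the /16 routes carry a worse distance than the default routes but still win for 10.10.1.1, because distance only arbitrates between routes to the same destination, exactly as the Distance description says.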
Transparent mode route settings
Figure 19: Transparent mode route options
Destination IP/Mask: Enter the destination IP address and netmask for this route. For the default route, set the Destination IP and Mask to 0.0.0.0.
Gateway: Enter the IP address of the next hop router to which this route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Distance: The relative preference of this route. 1 is most preferred.
Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.
To add a Transparent mode route
1 Go to System > Network > Routing Table.
2 Select Create New to add a new route.
3 Set the Destination IP and Mask. For the default route, set both to 0.0.0.0.
4 Set Gateway to the IP address of the next hop routing gateway.
5 Select OK to save the route.
VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if
they were on the same LAN segment, even though they may not be. For example, the
workstations and servers for an accounting department could be scattered throughout
an office, connected to numerous network segments, but they can still belong to the
same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a
broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but
cannot connect with devices in other VLANs. The communication among devices on a
VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent
and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that
contain a VLAN identifier as well as other information.
VLANs allow highly flexible, efficient network segmentation, enabling users and
resources to be grouped logically, regardless of physical locations.
Figure 20: Basic VLAN topology (Internet; untagged packets to a firewall or router; VLAN trunk to a VLAN switch or router; VLAN 1 network and VLAN 2 network)
FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3
routers or firewalls add VLAN tags to packets. Packets passing between devices in
the same VLAN can be handled by layer 2 switches. Packets passing between
devices in different VLANs must be handled by a layer 3 device such as router,
firewall, or layer 3 switch.
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Traffic from each security domain is
given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply
security policies to secure network and IPSec VPN traffic between security domains.
The FortiGate unit can also apply authentication, protection profiles, and other firewall
policy features for network and VPN traffic that is allowed to pass between security
domains.
VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to
control the flow of packets between VLANs. The FortiGate unit can also remove VLAN
tags from incoming VLAN packets and forward untagged packets to other networks,
such as the Internet.
In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally
the FortiGate unit internal interface connects to a VLAN trunk on an internal switch,
and the external interface connects to an upstream Internet router untagged. The
FortiGate unit can then apply different policies for traffic on each VLAN that connects
to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface
that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The
FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN
IDs.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate
unit can add VLAN tags to packets leaving a VLAN subinterface, or remove VLAN tags
from incoming packets and add different VLAN tags to outgoing packets.
Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or more VLAN
subinterfaces with the same VLAN IDs to different physical interfaces. There is no
internal connection or link between two VLAN subinterfaces with same VLAN ID. Their
relationship is the same as the relationship between any two FortiGate network
interfaces.
Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces
and to VLAN subinterfaces.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter the
CLI command config system global and set ip-overlap enable to allow IP address
overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is
part of a subnet used by another interface. This command is recommended for advanced users
only.
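The two rules above, together with the ip-overlap exception in the note, can be checked before a subinterface is committed. The Python below is an added example, not FortiGate code: the Interface and Config types are this example's own, the 1 to 4096 ID range is the one this guide states, and the addresses come from Figure 21 with constructed /24 masks.

```python
"""Model of the FortiGate VLAN subinterface rules stated in this guide.

Added example, not FortiGate code.  Rules modelled: VLAN ID in 1-4096,
no two subinterfaces with the same VLAN ID on one physical interface,
no overlapping interface subnets unless ip-overlap is enabled, and no
VLAN named like a virtual domain or zone.  Types are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Interface
from typing import List, Optional


@dataclass
class Interface:
    name: str
    address: IPv4Interface            # address with netmask, e.g. 10.1.1.1/24
    physical: Optional[str] = None    # parent interface of a VLAN subinterface
    vlan_id: Optional[int] = None     # None for a physical interface


@dataclass
class Config:
    interfaces: List[Interface] = field(default_factory=list)
    vdoms: List[str] = field(default_factory=lambda: ["root"])
    zones: List[str] = field(default_factory=list)
    ip_overlap: bool = False          # "config system global" / "set ip-overlap enable"


def validate_vlan(cfg: Config, new: Interface) -> List[str]:
    """Return every rule violated by adding `new` to `cfg` (empty list means OK)."""
    errors: List[str] = []
    if new.vlan_id is not None and not 1 <= new.vlan_id <= 4096:
        errors.append(f"{new.name}: VLAN ID {new.vlan_id} is outside 1-4096")
    if new.name in cfg.vdoms or new.name in cfg.zones:
        errors.append(f"{new.name}: name collides with a virtual domain or zone")
    for intf in cfg.interfaces:
        # The same VLAN ID is only a conflict on the same physical interface;
        # on another physical interface it is simply an unrelated interface.
        if (new.vlan_id is not None and intf.vlan_id == new.vlan_id
                and intf.physical == new.physical):
            errors.append(f"{new.name}: VLAN ID {new.vlan_id} already used "
                          f"on {new.physical} by {intf.name}")
        # Subnets of all interfaces, physical or VLAN, must not overlap
        # unless the ip-overlap global setting has been enabled.
        if not cfg.ip_overlap and intf.address.network.overlaps(new.address.network):
            errors.append(f"{new.name}: subnet {new.address.network} overlaps "
                          f"{intf.name} ({intf.address.network})")
    return errors


def add_vlan(cfg: Config, new: Interface) -> List[str]:
    """Add the subinterface only when it passes every rule; return the errors."""
    errors = validate_vlan(cfg, new)
    if not errors:
        cfg.interfaces.append(new)
    return errors


def figure21_config() -> Config:
    """The NAT/Route topology of Figure 21 with constructed /24 masks and a zone."""
    cfg = Config(zones=["dmz_zone"])
    cfg.interfaces.append(Interface("internal", IPv4Interface("192.168.110.126/24")))
    cfg.interfaces.append(Interface("external", IPv4Interface("172.16.21.2/24")))
    return cfg


if __name__ == "__main__":
    cfg = figure21_config()
    print(add_vlan(cfg, Interface("vlan100", IPv4Interface("10.1.1.1/24"), "internal", 100)))
    print(add_vlan(cfg, Interface("vlan200", IPv4Interface("10.1.2.1/24"), "internal", 200)))
    # Duplicate VLAN ID on the same physical interface plus an overlapping subnet:
    print(validate_vlan(cfg, Interface("dup", IPv4Interface("10.1.1.5/24"), "internal", 100)))
```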
Figure 21 shows a simplified NAT/Route mode VLAN configuration. In this example,
the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow
between the VLANs and from the VLANs to the external network.
Figure 21: FortiGate unit in NAT/Route mode (diagram: a VLAN switch with ports Fa0/3, Fa0/9 and Fa0/24 carries VLAN 100 and VLAN 200 over an 802.1Q trunk to the FortiGate Internal interface, 192.168.110.126; the External interface, 172.16.21.2, connects to the Internet; the VLAN 100 network is 10.1.1.0 with address 10.1.1.2 shown, and the VLAN 200 network is 10.1.2.0 with address 10.1.2.2 shown)
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.
Each VLAN subinterface must also be configured with its own IP address and
netmask.
Note: A VLAN must not have the same name as a virtual domain or zone.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface.
See “System Virtual Domain” on page 141 for information about virtual domains.
7 Select the name of a zone if you want this VLAN subinterface to belong to a zone.
You can only select a zone that has been added to the virtual domain selected in the previous step. See “Zone” on page 66 for information about zones.
8 Configure the VLAN subinterface settings as you would for any FortiGate interface.
See “Interface settings” on page 56.
9 Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4.
To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for
connections between VLAN subinterfaces or from a VLAN subinterface to a physical
interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
See “Address” on page 209.
3 Go to Firewall > Policy.
4 Add firewall policies as required.
VLANs in Transparent mode
In Transparent mode, the FortiGate unit can apply firewall policies and services, such
as authentication, protection profiles, and other firewall features, to traffic on an IEEE
802.1 VLAN trunk. You can insert the FortiGate unit operating in Transparent mode
into the trunk without making changes to your network. In a typical configuration, the
FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN
switch or router connected to internal VLANs. The FortiGate external interface
forwards tagged packets through the trunk to an external VLAN switch or router which
could be connected to the Internet. The FortiGate unit can be configured to apply
different policies for traffic on each VLAN in the trunk.
For VLAN traffic to be able to pass between the FortiGate internal and external
interfaces, you add a VLAN subinterface to the internal interface and another
VLAN subinterface to the external interface. If these VLAN subinterfaces have the
same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN.
If these VLAN subinterfaces have different VLAN IDs, or if you add more than two
VLAN subinterfaces, you can also use firewall policies to control connections between
VLANs.
If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can
configure a FortiGate unit operating in Transparent mode to provide security for
network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A
virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual
domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is
directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for this source and destination VLAN
subinterface pair are applied to the packet. If the packet is accepted by the firewall,
the FortiGate unit forwards the packet to the destination VLAN subinterface. The
destination VLAN ID is added to the packet by the FortiGate unit and the packet is
sent to the VLAN trunk.
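The forwarding sequence just described, as an added example that is not FortiGate code: Python that parses a constructed 802.1Q frame, resolves the ingress subinterface by (physical interface, VLAN ID), picks the egress subinterface from a MAC table, consults a (source, destination) policy set and re-tags the frame with the destination VLAN ID. The TransparentFortiGate class, the MAC table entries and the sample frames are assumptions of this example.

```python
"""Transparent mode VLAN forwarding as described in this guide, modelled in Python.

Added example, not FortiGate code.  A tagged frame arriving on a physical
interface is directed to the subinterface with the matching VLAN ID, the tag
is removed, the egress subinterface is chosen from the destination MAC, the
(source, destination) subinterface policy is consulted, and on accept the
frame is re-tagged with the destination subinterface's VLAN ID.  The class,
the MAC table and the sample frames are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame, reading the 802.1Q tag if one is present."""
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, inner_type, raw[18:])  # VID = low 12 bits of TCI
    return Frame(dst, src, None, ethertype, raw[14:])


def build_frame(f: Frame, vlan_id: Optional[int]) -> bytes:
    """Serialise a frame, inserting a tag with `vlan_id` (priority bits left at 0)."""
    if vlan_id is None:
        return f.dst + f.src + struct.pack("!H", f.ethertype) + f.payload
    return f.dst + f.src + struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, f.ethertype) + f.payload


class TransparentFortiGate:
    def __init__(self) -> None:
        self.subifs: Dict[str, Tuple[str, int]] = {}   # subif name -> (physical, VLAN ID)
        self.by_vid: Dict[Tuple[str, int], str] = {}   # (physical, VLAN ID) -> subif name
        self.mac_table: Dict[bytes, str] = {}          # MAC -> subinterface it is reached through
        self.policies: Set[Tuple[str, str]] = set()    # accepted (source subif, destination subif)

    def add_subinterface(self, name: str, physical: str, vlan_id: int) -> None:
        self.subifs[name] = (physical, vlan_id)
        self.by_vid[(physical, vlan_id)] = name

    def forward(self, ingress: str, raw: bytes) -> Tuple[str, Optional[str], Optional[bytes]]:
        """Return (verdict, egress physical interface, frame to transmit)."""
        f = parse_frame(raw)
        if f.vlan_id is None:
            return ("drop: untagged frame on VLAN trunk", None, None)
        src_subif = self.by_vid.get((ingress, f.vlan_id))
        if src_subif is None:
            return (f"drop: no subinterface for VLAN {f.vlan_id} on {ingress}", None, None)
        self.mac_table[f.src] = src_subif            # learn which subinterface the sender is behind
        dst_subif = self.mac_table.get(f.dst)
        if dst_subif is None:
            return ("drop: unknown destination MAC", None, None)   # simplified: no flooding
        if (src_subif, dst_subif) not in self.policies:
            return (f"deny: no policy {src_subif} -> {dst_subif}", None, None)
        egress, dst_vid = self.subifs[dst_subif]
        return ("accept", egress, build_frame(f, dst_vid))   # re-tagged with the destination VLAN ID


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def demo_fortigate() -> TransparentFortiGate:
    """Figure 23 style layout: VLAN 100 and 200 subinterfaces on Internal and External."""
    fg = TransparentFortiGate()
    for phys in ("internal", "external"):
        for vid in (100, 200):
            fg.add_subinterface(f"{phys}_vlan{vid}", phys, vid)
    fg.mac_table[mac("00:11:22:33:44:55")] = "external_vlan100"   # constructed upstream hosts
    fg.mac_table[mac("00:11:22:33:44:66")] = "external_vlan200"
    fg.policies.add(("internal_vlan100", "external_vlan100"))       # VLAN 200 gets no policy
    return fg


def tagged_frame(dst: str, src: str, vid: int, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed IPv4-over-802.1Q frame used as sample input."""
    return build_frame(Frame(mac(dst), mac(src), None, 0x0800, payload), vid)
```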
Figure 22: FortiGate unit with two virtual domains in Transparent mode (diagram: an internal VLAN switch or router connects over a VLAN trunk carrying VLAN1, VLAN2 and VLAN3 to the FortiGate Internal interface; the External interface connects over a second VLAN trunk to an external VLAN switch or router and the Internet; VLAN1 belongs to the root virtual domain and VLAN2 and VLAN3 to a new virtual domain)
Figure 23 shows a FortiGate unit operating in Transparent mode and configured with
three VLAN subinterfaces. In this configuration the FortiGate unit could be added to
this network to provide virus scanning, web content filtering, and other services to
each VLAN.
Figure 23: FortiGate unit in Transparent mode (diagram: a VLAN switch carries VLAN 1 (VLAN ID = 100), VLAN 2 (VLAN ID = 200) and VLAN 3 (VLAN ID = 300) over a VLAN trunk to the Internal interface of a FortiGate unit operating in Transparent mode; the External interface carries the same trunk to a second VLAN switch and a router that sends untagged packets to the Internet)
Rules for VLAN IDs
In Transparent mode two VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or more VLAN
subinterfaces with the same VLAN IDs to different physical interfaces. There is no
internal connection or link between two VLAN subinterfaces with same VLAN ID. Their
relationship is the same as the relationship between any two FortiGate network
interfaces.
Transparent mode virtual domains and VLANs
VLAN subinterfaces are added to and associated with virtual domains. By default the
FortiGate configuration includes one virtual domain, named root, and you can add as
many VLAN subinterfaces as you require to this virtual domain.
You can add more virtual domains if you want to separate groups of VLAN
subinterfaces into virtual domains. For information on adding and configuring virtual
domains, see “System Virtual Domain” on page 141.
Transparent mode VLAN list
In Transparent mode, go to System > Network > Interface to add VLAN
subinterfaces.
Figure 24: Sample Transparent mode VLAN list
Create New Select Create New to add a VLAN subinterface to a FortiGate interface.
Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual domain.
Name The name of the interface or VLAN subinterface.
Access The administrative access configuration for the interface. See “To control administrative access to an interface” on page 65 for information about administrative access options.
Status The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see “To bring down an interface that is administratively up” on page 62 and “To start up an interface that is administratively down” on page 62.
Delete icon. Select to delete a VLAN subinterface.
View/Edit icon. Select to view or edit an interface or VLAN subinterface.
Transparent mode VLAN settings
VLAN settings displays the current configuration of a selected FortiGate interface or
VLAN subinterface. Use VLAN settings to configure a new VLAN subinterface or to
change the configuration of a FortiGate interface or VLAN subinterface.
Figure 25: VLAN settings
See “Interface settings” on page 56 for descriptions of all VLAN settings.
To add a VLAN subinterface in Transparent mode
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and
4096. You add VLAN subinterfaces to the physical interface that receives VLAN-
tagged packets.
Note: A VLAN must not have the same name as a virtual domain or zone.
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface.
See “System Virtual Domain” on page 141 for information about virtual domains.
7 Enable or disable using a Dynamic DNS service (DDNS). If the FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes.
8 Configure the administrative access, MTU, and log settings as you would for any FortiGate interface.
See “Interface settings” on page 56 for more descriptions of these settings.
9 Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected.
10 Select Bring up to start the VLAN subinterface.
To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for
connections between VLAN subinterfaces or from a VLAN subinterface to a physical
interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
See “Address” on page 209.
3 Go to Firewall > Policy.
4 Add firewall policies as required.
FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit.
The interface functions as two interfaces, one for IPv4-addressed packets and
another for IPv6-addressed packets.
FortiGate units support static routing, periodic router advertisements, and tunneling of
IPv6-addressed traffic over an IPv4-addressed network. All of these features must be
configured through the Command Line Interface (CLI). See the FortiGate CLI
Reference Guide for information on the following commands:
Table 2: IPv6 CLI commands
Feature: Interface configuration, including periodic router advertisements. CLI Command: config system interface (see the keywords beginning with “ip6”) and config ip6-prefix-list.
Feature: Static routing. CLI Command: config router static6.
Feature: IPv6 tunneling. CLI Command: config system ipv6_tunnel.
System DHCP
You can configure DHCP server or DHCP relay agent functionality on any FortiGate
interface or VLAN subinterface.
A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An
interface cannot provide both functions at the same time.
Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit
must be in NAT/Route mode and the interface must have a static IP address.
This section describes:
Service
Server
Exclude range
IP/MAC binding
Dynamic IP
Service
Go to System > DHCP > Service to configure the DHCP service provided by each
FortiGate interface. You can configure each interface to be a DHCP relay or a DHCP
server or you can turn off DHCP services.
Figure 26: DHCP service list
Interface List of FortiGate interfaces.
Service The DHCP service provided by the interface (none, DHCP Relay, or DHCP Server).
Edit/View icon. Select to view or modify the DHCP service configuration for an interface.
DHCP service settings
Go to System > DHCP > Service and select an Edit/View icon to view or modify the
DHCP service configuration for an interface.
Figure 27: View or edit DHCP service settings for an interface
Interface The name of the interface.
None No DHCP services provided by the interface.
DHCP Relay Agent Select to configure the interface to be a DHCP relay agent.
Type Select the type of DHCP relay agent.
Regular Configure the interface to be a DHCP relay agent for computers on the network connected to this interface. See “To configure an interface as a regular DHCP relay agent” on page 80.
IPSEC Configure the interface to be a DHCP relay agent only for remote VPN clients with an IPSec VPN connection to this interface that uses DHCP over IPSec.
DHCP Server IP If you select DHCP Relay Agent, enter the IP address of the DHCP server used by the computers on the network connected to the interface.
DHCP Server Select DHCP Server if you want the FortiGate unit to be the DHCP server. See “To configure an interface to be a DHCP server” on page 81.
To configure an interface as a regular DHCP relay agent
In a DHCP relay configuration, the FortiGate interface configured for DHCP relay
forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP
server. The FortiGate unit also returns responses from the DHCP server to the DHCP
clients. The DHCP server must have a route to the FortiGate unit that is configured as
the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive
at the FortiGate performing DHCP relay.
1 Go to System > DHCP > Service.
2 Select Edit for the interface that you want to be a DHCP relay agent.
3 Select DHCP Relay Agent.
4 Set type to Regular.
5 Enter the DHCP Server IP address.
6 Select OK.
To configure an interface to be a DHCP server
You can configure a DHCP server for any FortiGate interface. As a DHCP server, the
interface dynamically assigns IP addresses to hosts on the network connected to the
interface. You can also configure a DHCP server for more than one FortiGate
interface.
1 Go to System > DHCP > Service.
2 Select Edit beside the interface to which you want to add a DHCP server.
3 Select DHCP Server.
4 Select OK.
5 Add a DHCP server configuration for this interface.
See “To configure a DHCP server for an interface” on page 83.
Server
You can configure one or more DHCP servers for any FortiGate interface. As a DHCP
server, the interface dynamically assigns IP addresses to hosts on a network
connected to the interface.
You can add more than one DHCP server to a single interface to be able to provide
DHCP services to multiple networks. For more information, see “To configure multiple
DHCP servers for an interface” on page 83.
Figure 28: DHCP Server list
Create New Add a new DHCP server.
Name Name of the DHCP server.
Interface The interface for which the DHCP server is configured.
Default Gateway The DHCP server configuration default gateway.
Delete Delete a DHCP server configuration.
Edit/View icon View or modify a DHCP server configuration.
DHCP server settings
Figure 29: Server options
Name Enter a name for the DHCP server configuration.
Interface Select the interface for which to configure the DHCP server.
Domain Enter the domain that the DHCP server assigns to DHCP clients.
Default Gateway Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
IP Range Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients.
Network Mask Enter the netmask that the DHCP server assigns to DHCP clients.
Lease Time Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
DNS Server Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
WINS Server Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Option Up to three custom DHCP options that can be sent by the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
To configure a DHCP server for an interface
After configuring an interface to be a DHCP server (using the procedure “To configure
an interface to be a DHCP server” on page 81), you must configure a DHCP server for
the interface.
1 Go to System > DHCP > Server.
2 Select Create New.
3 Add a name for the DHCP server.
4 Select the interface.
5 Configure the DHCP server.
The IP range must match the subnet address of the network from which the DHCP request was received. Usually this is the subnet connected to the interface for which you are adding the DHCP server.
6 Select OK to save the DHCP server configuration.
To configure multiple DHCP servers for an interface
If an interface is connected to a network that includes routers connected to different
subnets, you can:
1 Configure computers on the subnets to get their IP configuration using DHCP.
2 Configure the routers for DHCP relay.
3 Add multiple DHCP servers to the interface, one for each subnet.
The IP range of each DHCP server must match the subnet addresses.
When a computer on one of the connected subnets sends a DHCP request it is
relayed to the FortiGate interface by the router, using DHCP relay. The FortiGate unit
selects the DHCP server configuration with an IP range that matches the subnet
address from which the DHCP request was received and uses this DHCP server to
assign an IP configuration to the computer that made the DHCP request. The DHCP
configuration packets are sent back to the router and the router relays them to the
DHCP client.
Exclude range
Add up to 16 exclude ranges of IP addresses that FortiGate DHCP servers cannot
assign to DHCP clients. Exclude ranges apply to all FortiGate DHCP servers.
Figure 30: Exclude range list
Create New Select Create New to add an exclude range.
# The ID number of each exclude range. ID numbers are assigned
sequentially by the web-based manager. When you add or edit exclude ranges from the CLI you must specify the ID number.
Starting IP The starting IP of the exclude range.
Ending IP The ending IP of the exclude range.
Delete Delete an exclude range.
Edit/View icon View or modify an exclude range.
DHCP exclude range settings
The range cannot exceed 65536 IP addresses.
Figure 31: Exclude range settings
Starting IP Enter the starting IP of an exclude range.
Ending IP Enter the ending IP of an exclude range.
To add an exclusion range
1 Go to System > DHCP > Exclude Range.
2 Select Create New.
3 Add the starting IP and ending IP.
4 Select OK to save the exclusion range.
IP/MAC binding
If you have added DHCP servers, you can use DHCP IP/MAC binding to reserve an
IP address for a particular device on the network according to the MAC address of the
device. When you add the MAC address and an IP address to the IP/MAC binding list,
the DHCP server always assigns this IP address to the MAC address. IP/MAC binding
pairs apply to all FortiGate DHCP servers.
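The server selection, exclude range and IP/MAC binding behaviour described in the three sections above, modelled in Python as an added example (not FortiGate code). The DhcpServer and DhcpConfig types, the relay origin address used to match a subnet, and the sample ranges are this example's own assumptions; the 16-range and 65536-address limits and the in-range requirement for bindings are the ones this guide states.

```python
"""DHCP server selection, exclude ranges and IP/MAC binding as this guide
describes them.  Added example, not FortiGate code; the types and the
sample data are constructed here."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

MAX_EXCLUDE_RANGES = 16      # "Add up to 16 exclude ranges"
MAX_EXCLUDE_SIZE = 65536     # "The range cannot exceed 65536 IP addresses"


@dataclass
class DhcpServer:
    name: str
    interface: str
    start: IPv4Address
    end: IPv4Address
    netmask: str = "255.255.255.0"   # constructed default mask

    def subnet(self) -> IPv4Network:
        return IPv4Network(f"{self.start}/{self.netmask}", strict=False)

    def contains(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass
class DhcpConfig:
    servers: List[DhcpServer] = field(default_factory=list)
    excludes: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    bindings: Dict[str, IPv4Address] = field(default_factory=dict)  # MAC -> reserved IP
    leases: Dict[str, IPv4Address] = field(default_factory=dict)    # MAC -> assigned IP


def add_exclude_range(cfg: DhcpConfig, start: IPv4Address, end: IPv4Address) -> None:
    """Exclude ranges apply to every DHCP server and are bounded as the guide states."""
    if len(cfg.excludes) >= MAX_EXCLUDE_RANGES:
        raise ValueError(f"at most {MAX_EXCLUDE_RANGES} exclude ranges")
    if end < start or int(end) - int(start) + 1 > MAX_EXCLUDE_SIZE:
        raise ValueError(f"range must be ascending and at most {MAX_EXCLUDE_SIZE} addresses")
    cfg.excludes.append((start, end))


def add_binding(cfg: DhcpConfig, mac: str, ip: IPv4Address) -> None:
    """A reserved address must lie within the IP range of a configured server."""
    if not any(srv.contains(ip) for srv in cfg.servers):
        raise ValueError(f"{ip} is not within any configured IP range")
    cfg.bindings[mac.lower()] = ip


def is_excluded(cfg: DhcpConfig, ip: IPv4Address) -> bool:
    return any(lo <= ip <= hi for lo, hi in cfg.excludes)


def select_server(cfg: DhcpConfig, interface: str, origin: IPv4Address) -> Optional[DhcpServer]:
    """Pick the server on `interface` whose IP range lies in the subnet the request came from.

    `origin` stands in for the relaying router's address on a relayed request,
    or for the client's subnet when it is directly connected (example assumption)."""
    for srv in cfg.servers:
        if srv.interface == interface and origin in srv.subnet():
            return srv
    return None


def assign(cfg: DhcpConfig, interface: str, origin: IPv4Address, mac: str) -> Optional[IPv4Address]:
    """Return the address the selected server offers to `mac`, or None if none fits."""
    srv = select_server(cfg, interface, origin)
    if srv is None:
        return None
    mac = mac.lower()
    bound = cfg.bindings.get(mac)
    if bound is not None and srv.contains(bound):
        cfg.leases[mac] = bound       # an IP/MAC binding always wins for its MAC
        return bound
    held = cfg.leases.get(mac)
    if held is not None and srv.contains(held):
        return held                   # a renewing client keeps its address
    reserved = set(cfg.bindings.values())   # never hand a reserved IP to another MAC
    in_use = set(cfg.leases.values())
    for n in range(int(srv.start), int(srv.end) + 1):
        ip = IPv4Address(n)
        if is_excluded(cfg, ip) or ip in reserved or ip in in_use:
            continue
        cfg.leases[mac] = ip
        return ip
    return None


def sample_config() -> DhcpConfig:
    """Two servers on one interface, one per routed subnet (constructed data)."""
    cfg = DhcpConfig()
    cfg.servers.append(DhcpServer("net1", "internal", IPv4Address("10.1.1.10"), IPv4Address("10.1.1.100")))
    cfg.servers.append(DhcpServer("net2", "internal", IPv4Address("10.1.2.10"), IPv4Address("10.1.2.100")))
    add_exclude_range(cfg, IPv4Address("10.1.1.10"), IPv4Address("10.1.1.20"))
    add_binding(cfg, "00:0c:29:aa:bb:cc", IPv4Address("10.1.1.50"))
    return cfg
```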
Figure 32: IP/MAC binding list
Create New Select Create New to add a DHCP IP/MAC binding pair.
Name The name for the IP and MAC address pair.
IP Address The IP address for the IP and MAC address pair. The IP address must be
within the configured IP range.
MAC Address The MAC address of the device.
Delete icon. Delete an IP/MAC binding pair.
Edit/View icon. View or modify an IP/MAC binding pair.
DHCP IP/MAC binding settings
Figure 33: IP/MAC binding options
Name Enter a name for the IP/MAC address pair.
IP Address Enter the IP address for the IP and MAC address pair. The IP address must be within the configured IP range.
MAC Address Enter the MAC address of the device.
To add a DHCP IP/MAC binding pair
1 Go to System > DHCP > IP/MAC Binding.
2 Select Create New.
3 Add a name for the IP/MAC pair.
4 Add the IP address and MAC address.
5 Select OK to save the IP/MAC pair.
Dynamic IP
You can view the list of IP addresses that the DHCP server has assigned, their
corresponding MAC addresses, and the expiry time and date for these addresses.
Interface Select an interface to display its dynamic IP list.
IP The IP addresses that the DHCP server has assigned.
MAC The corresponding MAC addresses for the dynamic IP addresses.
Expire The expiry time and date for the dynamic IP addresses and their corresponding
MAC addresses.
To view the dynamic IP list
1 Go to System > DHCP > Dynamic IP.
2 Select the interface for which you want to view the list.
System Config
Use the System Config page to make any of the following changes to the FortiGate
system configuration:
System time
Options
HA
SNMP
Replacement messages
FortiManager
System time
Go to System > Config > Time to set the FortiGate system time.
For effective scheduling and logging, the FortiGate system time must be accurate.
You can either manually set the FortiGate system time or you can configure the
FortiGate unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
Figure 34: System time
System Time The current FortiGate system date and time.
Refresh Select Refresh to update the display of the current FortiGate system date and time.
Time Zone Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone changes to daylight saving time and back to standard time.
Set Time Select Set Time to set the FortiGate system date and time to the correct date and time.
Synchronize with NTP Server Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system date and time. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
Server Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.
Syn Interval Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day.
To manually set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Refresh to display the current FortiGate system date and time.
3 Select your Time Zone from the list.
4 Optionally, select the Automatically adjust clock for daylight saving changes check box.
5 Select Set Time and set the FortiGate system date and time.
6 Set the hour, minute, second, month, day, and year as required.
7 Select Apply.
To use NTP to set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date.
3 Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.
4 Specify how often the FortiGate unit should synchronize its time with the NTP server.
5 Select Apply.
Options
Go to System > Config > Options to set the following options:
Timeout settings including the idle timeout and authentication timeout
The language displayed by the web-based manager
Dead gateway detection interval and failover detection
Figure 35: System config options
Idle Timeout Set the idle time out to control the amount of inactive time before the administrator must log in again. The maximum admintimeout is 480 minutes (8 hours). To improve security keep the idle timeout at the default value of 5 minutes.
Auth Timeout Set the firewall user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again. The maximum authtimeout is 480 minutes (8 hours). The default Auth Timeout is 15 minutes. For more information, see “Setting authentication timeout” on page 244.
Language Select a language for the web-based manager to use. Choose from English, Simplified Chinese, Japanese, Korean, or French.
Detection Interval Set the dead gateway detection failover interval. Enter a number in seconds to specify how often the FortiGate unit pings the target.
Fail-over Detection Set the ping server dead gateway detection failover number. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning.
To set the system idle timeout
1 Go to System > Config > Options.
2 For Idle Timeout, type a number in minutes.
3 Select Apply.
To set the Auth timeout
1 Go to System > Config > Options.
2 For Auth Timeout, type a number in minutes.
3 Select Apply.
To select a language for the web-based manager
1 Go to System > Config > Options.
2 From the Languages list, select a language for the web-based manager to use.
3 Select Apply.
Note: You should select the language that the management computer operating system uses.
To modify the dead gateway detection settings
Modify dead gateway detection to control how the FortiGate unit confirms connectivity
with a ping server added to an interface configuration. For information about adding a
ping server to an interface, see “To add a ping server to an interface” on page 64.
1 Go to System > Config > Options.
2 For Detection Interval, type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target.
3 For Fail-over Detection, type the number of times that the connection test fails before the FortiGate unit assumes that the gateway is no longer functioning.
4 Select Apply.
HA
Go to System > Config > HA to configure the FortiGate unit for High Availability (HA)
mode operation.
HA overview
HA configuration
Configuring an HA cluster
Managing an HA cluster
HA overview
FortiGate HA consists of two or more FortiGate units operating as an HA cluster. To
the network, the HA cluster appears to function as a single FortiGate unit, processing
network traffic and providing normal security services such as firewalling, VPN, IPS,
virus scanning, web filtering, and spam filtering services.
Inside the cluster the individual FortiGate units are called cluster units. These cluster
units share state and configuration information. If one cluster unit fails, the other units
in the cluster automatically replace that unit, taking over the work that the failed unit
was doing. The cluster continues to process network traffic and provide normal
FortiGate services with virtually no interruption.
Every cluster contains one primary cluster unit (also called the primary unit) and one or
more subordinate cluster units (also called subordinate units). The primary unit
controls how the cluster operates. The roles that the primary and subordinate units
play in the cluster depend on the mode in which the cluster operates. See “HA modes”
on page 91.
The ability of an HA cluster to continue providing firewall services after a failure is
called failover. FortiGate HA failover means that your network does not have to rely on
one FortiGate unit to continue functioning. You can install additional units and form an
HA cluster. Other units in the cluster take over if one of the units fails.
A second HA feature, called load balancing, can be used to increase firewall
performance. A cluster of FortiGate units can increase overall network performance
by sharing the load of processing network traffic and providing security services. The
cluster appears to your network to be a single device, adding increased performance
without changing your network configuration.
The FortiGate Clustering Protocol (FGCP)
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must be running the same FortiOS firmware image.
The FortiGate units in the cluster use ethernet interfaces to communicate cluster
session information, synchronize the cluster configuration, synchronize the cluster
routing table, and report individual cluster member status. In the cluster, these
ethernet interfaces are called heartbeat devices and the communication between
cluster units is called the HA heartbeat. Using the HA heartbeat, cluster units are
constantly communicating HA status information to make sure that the cluster is
operating properly.
FortiGate HA and the FGCP support link failover, device failover, and HA heartbeat
failover.
Link failover           If one of the links to a FortiGate unit in an HA cluster fails, all functions, all
                        established firewall connections, and all IPSec VPN sessions (a) are maintained by
                        the other FortiGate units in the HA cluster. For information about link failover,
                        see “Monitor priorities” on page 98.
Device failover         If one of the FortiGate units in an HA cluster fails, all functions, all established
                        firewall connections, and all IPSec VPN sessions are maintained by the other
                        FortiGate units in the HA cluster.
HA heartbeat failover   You can configure multiple interfaces to be HA heartbeat devices. If an interface
                        functioning as an HA heartbeat device fails, the HA heartbeat is transferred to
                        another interface also configured as an HA heartbeat device.
a. HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
HA modes
FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as failover HA, consists of a
primary unit that processes traffic, and one or more subordinate units. The
subordinate units are connected to the network and to the primary unit but do not
process traffic.
Active-active (A-A) HA load balances network traffic to all of the cluster units. An
active-active HA cluster consists of a primary unit that processes traffic and one or
more subordinate units that also process traffic. The primary unit uses a load
balancing algorithm to distribute processing to all of the cluster units in the HA cluster.
By default a FortiGate HA active-active cluster load balances virus scanning sessions
among all cluster units. All other traffic is processed by the primary unit. Using the CLI,
you can configure the cluster to load balance all network traffic among all cluster units.
See “To switch between load balancing virus scanning sessions and all sessions” on
page 102.
For more information about FortiGate HA and the FGCP, see the FortiGate High
Availability Guide and the Fortinet Knowledge Center.
FortiGate HA compatibility with DHCP and PPPoE
FortiGate HA is not compatible with PPP protocols such as DHCP or PPPoE. If one or
more FortiGate unit interfaces are dynamically configured using DHCP or PPPoE you
cannot switch to operating in HA mode. Also, if you are operating a FortiGate HA
cluster, you cannot change a FortiGate interface in the cluster to be configured
dynamically using DHCP or PPPoE.
Configuring a FortiGate interface to be a DHCP server or a DHCP relay agent is not
affected by HA operation. For information about DHCP server and relay, see “System
DHCP” on page 79.
PPTP and L2TP are supported in HA mode. You can configure PPTP and L2TP
settings (see “PPTP range” on page 270 and “L2TP range” on page 271), and you can
also add firewall policies to allow PPTP and L2TP pass through. However, during an HA
failover event, any active PPTP and L2TP sessions are lost and must be restarted
after the failover.
HA configuration
Go to System > Config > HA and use the options described below to configure HA.
Standalone Mode
High Availability
Cluster Members
Mode
Group ID
Unit Priority
Override Master
Password
Schedule
Priorities of Heartbeat Device
Heartbeat device IP addresses
Monitor priorities
Figure 36: HA configuration
Standalone Mode
Standalone mode is the default operation mode. If Standalone mode is selected the
FortiGate unit is not operating in HA mode.
Select Standalone Mode if you want to stop a cluster unit from operating in HA mode.
High Availability
Select High Availability to operate the FortiGate unit in HA mode. After selecting High
Availability, complete the remainder of the HA configuration.
Cluster Members
When the cluster is operating, you can select Cluster Members to view the status of all
FortiGate units in the cluster. Status information includes the cluster ID, status, up
time, weight, and monitor information. For more information, see “To view the status of
each cluster member” on page 103.
Mode
All members of the HA cluster must be set to the same HA mode.
Active-Active    Load balancing and failover HA. Each cluster unit actively processes
                 connections and monitors the status of the other cluster units. The primary
                 unit controls load balancing among all of the cluster units.
Active-Passive   Failover HA. The primary unit processes all connections. All other cluster units
                 passively monitor the cluster status and remain synchronized with the primary
                 unit.
For more information about HA mode, see “HA modes” on page 91.
Group ID
The group ID range is from 0 to 63. All cluster units must have the same group ID.
When the FortiGate units are switched to HA mode, all of the interfaces of all of the
cluster units acquire the same virtual MAC address. This virtual MAC address is set
according to the group ID. Table 3 lists the virtual MAC address set for each group ID.
Table 3: HA group ID and MAC address
Group ID   MAC Address
0          00-09-0f-06-ff-00
1          00-09-0f-06-ff-01
2          00-09-0f-06-ff-02
3          00-09-0f-06-ff-03
...        ...
63         00-09-0f-06-ff-3f
If you have more than one HA cluster on the same network, each cluster should have
a different group ID. If two clusters on the same network have the same group ID, the
duplicate MAC addresses can cause addressing conflicts on the network.
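As an added illustration (not from the manual), the Table 3 mapping in code together with two checks an administrator can run: spotting two clusters on one network that share a group ID, and picking FGCP virtual MAC addresses out of ARP output. The cluster names, the ARP line format and the sample addresses are constructed.

```python
import re
from typing import Dict, List, Optional

# Table 3: every interface of every unit in a cluster takes the virtual MAC
# 00-09-0f-06-ff-XX, where XX is the group ID (0-63) in hexadecimal.
VMAC_PREFIX = "00-09-0f-06-ff"
VMAC_RE = re.compile(r"^00[-:]09[-:]0f[-:]06[-:]ff[-:]([0-9a-f]{2})$", re.IGNORECASE)


def virtual_mac(group_id: int) -> str:
    """Return the virtual MAC address assigned for an HA group ID."""
    if not 0 <= group_id <= 63:
        raise ValueError(f"group ID {group_id} is outside the valid range 0-63")
    return f"{VMAC_PREFIX}-{group_id:02x}"


def group_id_from_mac(mac: str) -> Optional[int]:
    """Return the group ID encoded in an FGCP virtual MAC, or None if the
    address is not one (for example the MAC of an ordinary NIC)."""
    m = VMAC_RE.match(mac.strip())
    if m is None:
        return None
    gid = int(m.group(1), 16)
    return gid if gid <= 63 else None


def group_id_conflicts(clusters: Dict[str, int]) -> Dict[int, List[str]]:
    """Given cluster name -> group ID for the clusters on one network, return
    the group IDs shared by more than one cluster (duplicate virtual MACs)."""
    by_gid: Dict[int, List[str]] = {}
    for name, gid in clusters.items():
        by_gid.setdefault(gid, []).append(name)
    return {gid: names for gid, names in by_gid.items() if len(names) > 1}


def ha_entries_in_arp(arp_lines: List[str]) -> Dict[str, int]:
    """Map IP -> HA group ID for every ARP entry whose MAC is an FGCP virtual
    MAC. Input is constructed text in the form '<ip> <mac> <type>'."""
    found: Dict[str, int] = {}
    for line in arp_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        gid = group_id_from_mac(parts[1])
        if gid is not None:
            found[parts[0]] = gid
    return found


# Constructed sample ARP output: two clusters wrongly sharing group ID 1.
SAMPLE_ARP = [
    "192.168.20.1  00-09-0f-06-ff-01  dynamic",   # cluster "edge", group ID 1
    "192.168.20.2  00-09-0f-06-ff-01  dynamic",   # cluster "dmz", also group ID 1
    "192.168.20.7  00-09-0f-06-ff-07  dynamic",   # cluster "lab", group ID 7
    "192.168.20.50 00-1b-21-3c-4d-5e  dynamic",   # constructed physical NIC
]
```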
Unit Priority
Optionally set the unit priority of the cluster unit. Each cluster unit can have a different
unit priority. The unit priority is not synchronized among cluster members. During HA
negotiation, the unit with the highest unit priority becomes the primary unit. The unit
priority range is 0 to 255. The default unit priority is 128.
You can use the unit priority to control the order in which cluster units become the
primary unit when a cluster unit fails. For example, if you have three FortiGate units in
a cluster you can set the unit priorities as shown in Table 4. Cluster unit A will always
be the primary unit because it has the highest priority. If cluster unit A fails, cluster
unit B becomes the primary unit because cluster unit B has a higher unit priority than
cluster unit C.
Table 4: Example unit priorities for a cluster of three cluster units
Cluster unit   Unit priority
A              200
B              100
C              50
In a functioning cluster, if you change the unit priority of the current primary unit to a
lower priority, when the cluster renegotiates a different cluster unit becomes the
primary unit.
Override Master
Configure a cluster unit to always override the current primary unit and become the
primary unit. Enable override master for the cluster unit that you have given the
highest unit priority. Enabling override master means that this cluster unit always
becomes the primary unit.
In a typical FortiGate cluster configuration, the primary unit is selected automatically.
In some situations, you might want to control which unit becomes the primary unit.
You can configure a FortiGate unit as the permanent primary unit by setting a high
unit priority and by selecting override master. With this configuration, the same cluster
unit always becomes the primary unit.
If override master is enabled and the primary unit fails, another cluster unit becomes
the primary unit. When the cluster unit with override master enabled rejoins the cluster
it overrides the current primary unit and becomes the new primary unit. When this
override occurs, all communication sessions through the cluster are lost and must be
re-established.
Override master is not synchronized to all cluster units.
In a functioning cluster, if you select override master for a cluster unit the cluster
renegotiates and may select a new primary cluster unit.
Password
Enter a password for the HA cluster. The password must be the same for all cluster
units. The maximum password length is 15 characters.
If you have more than one FortiGate HA cluster on the same network, each cluster
must have a different password.
Schedule
If you are configuring an active-active cluster, select a load balancing schedule.
None                   No load balancing. Select None when the cluster interfaces are connected to
                       load balancing switches.
Hub                    Load balancing if the cluster interfaces are connected to a hub. Traffic is
                       distributed to cluster units based on the Source IP and Destination IP of each
                       packet processed by the cluster.
Least-Connection       Least connection load balancing. If the cluster units are connected using
                       switches, select Least Connection to distribute network traffic to the cluster
                       unit currently processing the fewest connections.
Round-Robin            Round robin load balancing. If the cluster units are connected using switches,
                       select Round-Robin to distribute network traffic to the next available cluster
                       unit.
Weighted Round-Robin   Weighted round robin load balancing. Similar to round robin, but weighted values
                       are assigned to each of the units in a cluster based on their capacity and on
                       how many connections they are currently processing. For example, the primary
                       unit should have a lower weighted value because it handles scheduling and
                       forwards traffic. Weighted round robin distributes traffic more evenly because
                       units that are not processing traffic will be more likely to receive new
                       connections than units that are very busy. To configure weighted round robin
                       weights, see “To configure weighted-round-robin weights” on page 101.
Random                 Random load balancing. If the cluster units are connected using switches, select
                       Random to randomly distribute traffic to cluster units.
IP                     Load balancing according to IP address. If the cluster units are connected using
                       switches, select IP to distribute traffic to cluster units based on the Source
                       IP and Destination IP of the packet.
IP Port                Load balancing according to IP address and port. If the cluster units are
                       connected using switches, select IP Port to distribute traffic to cluster units
                       based on the source IP, source port, destination IP, and destination port of
                       the packet.
By default a FortiGate HA active-active cluster load balances virus scanning sessions
among all cluster units. All other traffic is processed by the primary unit. Using the CLI,
you can configure the cluster to load balance all network traffic among all cluster units.
See “To switch between load balancing virus scanning sessions and all sessions” on
page 102.
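An added example, not Fortinet's code, that models the schedules above for a cluster of named units: the hash-based schedules (Hub, IP, IP Port) keep a flow on one unit, Least-Connection follows current load, and Weighted Round-Robin follows configured weights. The SHA-256 bucketing, the smooth weighted round robin and the schedule name strings are assumptions; the manual does not document FGCP's internal functions.

```python
import hashlib
import random
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class Scheduler:
    """Picks the cluster unit that handles a new connection under each
    schedule. units[0] is the primary unit. Toy model: FGCP's real hash and
    weighting functions are not documented here, so SHA-256 bucketing and
    smooth weighted round robin are assumptions."""

    def __init__(self, units: List[str], weights: Optional[Dict[str, int]] = None) -> None:
        self.units = list(units)
        self.weights = weights or {u: 1 for u in units}
        self.active: Dict[str, int] = {u: 0 for u in units}   # open connections
        self._rr = cycle(self.units)
        self._credit: Dict[str, int] = {u: 0 for u in units}
        self._rng = random.Random(0)

    def _bucket(self, *fields: object) -> str:
        # Same header fields -> same unit, so a flow stays on one cluster unit.
        key = "|".join(str(f) for f in fields).encode()
        digest = hashlib.sha256(key).digest()
        return self.units[int.from_bytes(digest[:4], "big") % len(self.units)]

    def _weighted_round_robin(self) -> str:
        # Smooth weighted round robin: over sum(weights) picks each unit is
        # chosen weight times, so a lower weight on the primary offloads it.
        for u in self.units:
            self._credit[u] += self.weights[u]
        unit = max(self.units, key=lambda u: self._credit[u])
        self._credit[unit] -= sum(self.weights.values())
        return unit

    def pick(self, schedule: str, pkt: Packet) -> str:
        if schedule == "none":
            unit = self.units[0]                 # no load balancing: primary only
        elif schedule in ("hub", "ip"):
            unit = self._bucket(pkt.src_ip, pkt.dst_ip)
        elif schedule == "ip-port":
            unit = self._bucket(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        elif schedule == "least-connection":
            unit = min(self.units, key=lambda u: (self.active[u], self.units.index(u)))
        elif schedule == "round-robin":
            unit = next(self._rr)
        elif schedule == "weighted-round-robin":
            unit = self._weighted_round_robin()
        elif schedule == "random":
            unit = self._rng.choice(self.units)
        else:
            raise ValueError(f"unknown schedule {schedule!r}")
        self.active[unit] += 1
        return unit

    def close(self, unit: str) -> None:
        """A connection on unit ended; this matters for least-connection."""
        self.active[unit] -= 1


def distribution(schedule: str, units: List[str], packets: List[Packet],
                 weights: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Count how many of the given new connections land on each unit."""
    sched = Scheduler(units, weights)
    counts = {u: 0 for u in units}
    for pkt in packets:
        counts[sched.pick(schedule, pkt)] += 1
    return counts
```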
Priorities of Heartbeat Device
Enable or disable HA heartbeat communication and set the heartbeat priority for each
interface in the cluster.
By default, HA heartbeat communication is set for two interfaces. You can disable the
HA heartbeat for either of these interfaces or enable HA heartbeat for other interfaces.
In most cases you can maintain the default heartbeat device configuration as long as
you can connect the heartbeat device interfaces together.
The heartbeat priority must be set for at least one cluster interface. If heartbeat
communication is interrupted the cluster stops processing traffic.
To enable HA heartbeat communication for an interface, enter a priority for the
interface. To disable HA heartbeat communication for an interface, delete the priority
for the interface.
The HA heartbeat priority range is 0 to 512. The interface with the highest priority
handles all HA heartbeat traffic. If this interface fails or becomes disconnected, the
interface with the next highest priority handles all HA heartbeat traffic.
The cluster units use the ethernet interfaces configured with HA heartbeat priorities for
HA heartbeat communication. The HA heartbeat communicates cluster session
information, synchronizes the cluster configuration, synchronizes the cluster routing
table, and reports individual cluster member status. The HA heartbeat constantly
communicates HA status information to make sure that the cluster is operating
properly.
You can enable heartbeat communications for physical interfaces, but not for VLAN
subinterfaces.
Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails,
the HA heartbeat can be diverted to another interface.
HA heartbeat traffic can use a considerable amount of network bandwidth. If possible,
enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on
interfaces connected to less busy networks.
Table 5: Default heartbeat device configuration
FortiGate model   Default heartbeat device   Default priority
FortiGate-5000    Port 9                     50
                  Port 10                    100
By default a FortiGate-5000 HA cluster uses Port 9 and Port 10 for heartbeat
communication. Port 9 and Port 10 are not visible on the FortiGate-5000 faceplate or
on the web-based manager, but they are visible on the CLI. You can use the CLI to
view and change the heartbeat priority configuration for Port 9 and Port 10. You can
use the web-based manager or the CLI to set the heartbeat priority for other
interfaces.
Change the heartbeat device priorities as required to control the interface that is used
for heartbeat traffic and the interface to which heartbeat traffic reverts if the interface
with the highest heartbeat priority fails or is disconnected.
Setting the heartbeat priority for more interfaces increases the reliability of the cluster.
To optimize bandwidth use, you can route most heartbeat traffic to interfaces that
handle less network traffic. You can also create a failover path by setting heartbeat
priorities so that you can control the order in which interfaces are used for heartbeat
traffic.
Heartbeat device IP addresses
You do not need to assign IP addresses to heartbeat device interfaces for them to be
able to process heartbeat packets. The cluster assigns virtual IP addresses to the
heartbeat device interfaces. The primary cluster unit heartbeat device interface is
assigned the IP address 10.0.0.1 and the subordinate unit heartbeat device interface
is assigned the IP address 10.0.0.2. A third cluster unit would be assigned the IP
address 10.0.0.3 and so on.
For best results, isolate each heartbeat device on its own network. Heartbeat packets
contain sensitive information about the cluster configuration. Also, heartbeat packets
may use a considerable amount of network bandwidth and it is preferable to isolate
this traffic from your user networks. The extra bandwidth used by heartbeat packets
could also reduce the capacity of the interface to process network traffic.
For most FortiGate models if you do not change the heartbeat device configuration,
you would isolate the HA interfaces of all of the cluster units by connecting them all to
the same switch. If the cluster consists of two FortiGate units you can connect the
heartbeat device interfaces directly using a crossover cable.
HA heartbeat and data traffic are supported on the same FortiGate interface. In
NAT/Route mode, if you decide to use the heartbeat device interfaces for processing
network traffic or for a management connection, you can assign the interface any IP
address. This IP address does not affect the heartbeat traffic.
In Transparent mode, you can connect the interface to your network and enable
management access. You would then establish a management connection to the
interface using the Transparent mode management IP address.
Monitor priorities
Enable or disable monitoring a FortiGate interface to verify that the interface is
functioning properly and connected to its network. If a monitored interface fails or is
disconnected from its network the interface leaves the cluster. The cluster reroutes
the traffic being processed by that interface to the same interface of another cluster
unit that still has a connection to the network. This other cluster unit becomes the new
primary cluster unit.
If you can re-establish traffic flow through the interface (for example, if you re-connect
a disconnected network cable) the interface rejoins the cluster. If Override Master is
enabled for this FortiGate unit (see “Override Master” on page 95), this FortiGate unit
becomes the primary unit in the cluster again.
Note: Only monitor interfaces that are connected to networks.
Note: You can monitor physical interfaces, but not VLAN subinterfaces.
Increase the priority of interfaces connected to higher priority networks or networks
with more traffic. The monitor priority range is 0 to 512.
If a high priority interface on the primary unit fails, one of the other cluster units
becomes the new primary unit to provide better service to the high priority network.
If a low priority interface fails on one cluster unit and a high priority interface fails on
another cluster unit, a unit in the cluster with a working connection to the high priority
interface would, if it becomes necessary to negotiate a new primary unit, be selected
instead of a unit with a working connection to the low priority interface.
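An added model (not the FGCP implementation) of how the Unit Priority, Override Master and Monitor priorities settings described above combine when a primary unit is chosen, walked through the Table 4 example. Ranking link health above override master and unit priority follows the text; summing the monitor priorities of failed links, breaking ties by unit name, and keeping the current primary when a unit without override master rejoins are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ClusterUnit:
    name: str
    unit_priority: int = 128                 # range 0-255, default 128
    override_master: bool = False            # not synchronized between units
    monitor: Dict[str, int] = field(default_factory=dict)   # iface -> 0-512
    failed_links: Set[str] = field(default_factory=set)
    up: bool = True

    def __post_init__(self) -> None:
        if not 0 <= self.unit_priority <= 255:
            raise ValueError(f"unit priority {self.unit_priority} outside 0-255")

    def failed_monitor_weight(self) -> int:
        """Sum of monitor priorities of this unit's disconnected interfaces."""
        return sum(self.monitor.get(i, 0) for i in self.failed_links)


class HaCluster:
    """Toy model of primary-unit selection (not Fortinet's FGCP code). Ranking,
    most important first: least monitor priority lost to failed links, then
    override master, then highest unit priority (name tie-break assumed)."""

    def __init__(self, units: List[ClusterUnit]) -> None:
        self.units = {u.name: u for u in units}
        self.primary: Optional[str] = None
        self.negotiate()

    def negotiate(self) -> Optional[str]:
        live = [u for u in self.units.values() if u.up]
        if not live:
            self.primary = None
            return None
        best = max(live, key=lambda u: (-u.failed_monitor_weight(),
                                        u.override_master, u.unit_priority, u.name))
        self.primary = best.name
        return self.primary

    def fail_unit(self, name: str) -> Optional[str]:
        """Device failover: the unit goes down."""
        self.units[name].up = False
        return self.negotiate() if self.primary == name else self.primary

    def fail_link(self, name: str, iface: str) -> Optional[str]:
        """Link failover: a monitored interface loses its network connection."""
        self.units[name].failed_links.add(iface)
        return self.negotiate() if self.primary == name else self.primary

    def rejoin(self, name: str, iface: Optional[str] = None) -> Optional[str]:
        """The unit (or one of its links) comes back. Only an override master
        preempts the running primary; otherwise it is kept (assumption)."""
        unit = self.units[name]
        unit.up = True
        if iface is not None:
            unit.failed_links.discard(iface)
        if self.primary is None or unit.override_master:
            return self.negotiate()
        return self.primary

    def set_unit_priority(self, name: str, priority: int) -> Optional[str]:
        self.units[name].unit_priority = priority
        return self.negotiate()              # a priority change renegotiates


def table4_example() -> List[Optional[str]]:
    """Walk Table 4 (A=200, B=100, C=50): primary after each event."""
    c = HaCluster([ClusterUnit("A", 200), ClusterUnit("B", 100), ClusterUnit("C", 50)])
    steps = [c.primary, c.fail_unit("A"), c.fail_unit("B"), c.rejoin("A")]
    c.units["A"].override_master = True     # selecting override master renegotiates
    steps.append(c.negotiate())
    return steps
```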
Configuring an HA cluster
Managing an HA cluster
Configuring an HA cluster
Use the following procedures to create an HA cluster consisting of two or more
FortiGate units. These procedures describe how to configure each of the FortiGate
units for HA operation and then how to connect the FortiGate units to form a cluster.
Once the cluster is connected you can configure it in the same way as you would
configure a standalone FortiGate unit.
To configure a FortiGate unit for HA operation
To connect a FortiGate HA cluster
To add a new unit to a functioning cluster
To configure weighted-round-robin weights
To switch between load balancing virus scanning sessions and all sessions
To configure a FortiGate unit for HA operation
Each FortiGate unit in the cluster must have the same HA configuration. Use the
following procedure to configure each FortiGate unit for HA operation.
Note: The following procedure does not include steps for configuring heartbeat devices and
interface monitoring. Both of these HA settings should be configured after the cluster is up and
running.
Note: By default, port 9 and port 10 are configured as heartbeat devices. These interfaces are
only used for HA cluster communication and are not physically accessible. These interfaces are
not visible on the web-based manager, but they are visible on the CLI.
1 Power on the FortiGate unit to be configured.
2 Connect to the web-based manager.
3 Give the FortiGate unit a unique host name.
See “To change FortiGate host name” on page 37. Use host names to identify
individual cluster units.
4 Go to System > Config > HA.
5 Select HA.
6 Select the HA mode.
7 Select a Group ID for the cluster.
The Group ID must be the same for all FortiGate units in the HA cluster.
8 Optionally change the Unit Priority.
See “Unit Priority” on page 94.
9 If required, select Override master.
See “Override Master” on page 95.
10 Enter and confirm a password for the HA cluster.
11 If you are configuring Active-Active HA, select a schedule.
See “Schedule” on page 95.
12 Select Apply.
The FortiGate unit negotiates to establish an HA cluster. When you select apply you
may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates
and because the FGCP changes the MAC address of the FortiGate unit interfaces
(see “Group ID” on page 94). To be able to reconnect sooner, you can update the ARP
table of your management PC by deleting the ARP table entry for the FortiGate unit.
13 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and
then repeat this procedure for all the FortiGate units in the cluster. Once all of the units
are configured, continue with “To connect a FortiGate HA cluster” on page 100.
14 If you are configuring a Transparent mode cluster, reconnect to the web-based
manager.
You may have to wait a few minutes before you can reconnect.
15 Go to System > Status.
16 Select Change to Transparent Mode and select OK to switch the FortiGate unit to
Transparent mode.
17 Power off the FortiGate unit.
18 Repeat this procedure for all of the FortiGate units in the cluster then continue with “To
connect a FortiGate HA cluster” on page 100.
To connect a FortiGate HA cluster
Use the following procedure to connect a cluster operating in NAT/Route mode or
Transparent mode. Connect the cluster units to each other and to your network. You
must connect all matching interfaces in the cluster to the same hub or switch. Then
you must connect these interfaces to their networks using the same hub or switch.
Fortinet recommends using switches for all cluster connections for the best
performance.
Inserting an HA cluster into your network temporarily interrupts communications on
the network because new physical connections are being made to route traffic through
the cluster. Also, starting the cluster interrupts network traffic until the individual
cluster units are functioning and the cluster completes negotiation. Cluster negotiation
normally takes just a few seconds. During system startup and negotiation all network
traffic is dropped.
1 Connect the cluster units.
Connect the matching interfaces of each FortiGate-5001 blade to the same switch and
connect that switch to a network. In HA mode, you can connect all 8 FortiGate-5001
interfaces to networks.
Figure 37: HA network configuration
(Diagram not reproduced in text. Labels in the figure: Internal Network, Hub or Switch,
Port 1 and Port 3 of each FortiGate-5001 blade, Hub or Switch, Router, Internet.)