Fortinet FortiGate 50A User Manual

FortiGate 50A Installation and Configuration Guide
[Front panel illustration: STATUS and PWR indicators; INTERNAL and EXTERNAL ports, each with LINK and 100 indicators]
Version 2.50
29 February 2004
© Copyright 2004 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-50A Installation and Configuration Guide Version 2.50 29 February 2004
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Table of Contents

Introduction .......................................................................................................... 13
NAT/Route mode and Transparent mode......................................................................... 13
NAT/Route mode .......................................................................................................... 13
Transparent mode......................................................................................................... 13
Document conventions ..................................................................................................... 14
Fortinet documentation ..................................................................................................... 15
Comments on Fortinet technical documentation........................................................... 15
Customer service and technical support........................................................................... 16
Getting started ..................................................................................................... 17
Package contents ............................................................................................................. 18
Mounting ........................................................................................................................... 18
Powering on...................................................................................................................... 19
Connecting to the web-based manager............................................................................ 19
Connecting to the command line interface (CLI)............................................................... 20
Factory default FortiGate configuration settings ............................................................... 22
Factory default DHCP configuration ............................................................................. 22
Factory default NAT/Route mode network configuration .............................................. 23
Factory default Transparent mode network configuration............................................. 23
Factory default firewall configuration ............................................................................ 23
Factory default content profiles..................................................................................... 25
Planning the FortiGate configuration ................................................................................ 27
NAT/Route mode .......................................................................................................... 27
Transparent mode......................................................................................................... 28
Configuration options .................................................................................................... 28
FortiGate model maximum values matrix ......................................................................... 30
Next steps......................................................................................................................... 31
Contents
NAT/Route mode installation.............................................................................. 33
Installing the FortiGate unit using the default configuration .............................................. 33
Changing the default configuration ............................................................................... 34
Preparing to configure NAT/Route mode.......................................................................... 34
Advanced NAT/Route mode settings............................................................................ 35
Using the setup wizard...................................................................................................... 35
Starting the setup wizard .............................................................................................. 35
Reconnecting to the web-based manager .................................................................... 35
Using the command line interface..................................................................................... 36
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 36
Connecting the FortiGate unit to your networks................................................................ 37
Configuring your networks ................................................................................................ 38
FortiGate-50A Installation and Configuration Guide 3
Completing the configuration ............................................................................................ 38
Setting the date and time .............................................................................................. 38
Changing antivirus protection ....................................................................................... 38
Registering your FortiGate unit ..................................................................................... 39
Configuring virus and attack definition updates ............................................................ 39
Transparent mode installation............................................................................ 41
Preparing to configure Transparent mode ........................................................................ 41
Using the setup wizard...................................................................................................... 42
Changing to Transparent mode .................................................................................... 42
Starting the setup wizard .............................................................................................. 42
Reconnecting to the web-based manager .................................................................... 42
Using the command line interface..................................................................................... 42
Changing to Transparent mode .................................................................................... 43
Configuring the Transparent mode management IP address ....................................... 43
Configure the Transparent mode default gateway........................................................ 43
Connecting the FortiGate unit to your networks................................................................ 43
Completing the configuration ............................................................................................ 45
Setting the date and time .............................................................................................. 45
Enabling antivirus protection......................................................................................... 45
Registering your FortiGate............................................................................................ 45
Configuring virus and attack definition updates ............................................................ 45
Transparent mode configuration examples....................................................................... 46
Default routes and static routes .................................................................................... 46
Example default route to an external network............................................................... 47
Example static route to an external destination ............................................................ 48
Example static route to an internal destination ............................................................. 51
System status....................................................................................................... 53
Changing the FortiGate host name................................................................................... 54
Changing the FortiGate firmware...................................................................................... 54
Upgrading to a new firmware version ........................................................................... 55
Reverting to a previous firmware version...................................................................... 56
Installing firmware images from a system reboot using the CLI ................................... 59
Testing a new firmware image before installing it ......................................................... 61
Manual virus definition updates ........................................................................................ 63
Manual attack definition updates ...................................................................................... 63
Displaying the FortiGate serial number............................................................................. 64
Displaying the FortiGate up time....................................................................................... 64
Backing up system settings .............................................................................................. 64
Restoring system settings................................................................................................. 64
Restoring system settings to factory defaults ................................................................... 65
Changing to Transparent mode ........................................................................................ 65
Changing to NAT/Route mode.......................................................................................... 66
Restarting the FortiGate unit............................................................................................. 66
Shutting down the FortiGate unit ...................................................................................... 66
System status ................................................................................................................... 67
Viewing CPU and memory status ................................................................................. 67
Viewing sessions and network status ........................................................................... 68
Viewing virus and intrusions status............................................................................... 69
Session list........................................................................................................................ 70
Virus and attack definitions updates and registration ..................................... 73
Updating antivirus and attack definitions .......................................................................... 73
Connecting to the FortiResponse Distribution Network ................................................ 74
Manually initiating antivirus and attack definitions updates .......................................... 75
Configuring update logging ........................................................................................... 76
Scheduling updates .......................................................................................................... 76
Enabling scheduled updates......................................................................................... 76
Adding an override server............................................................................................. 77
Enabling scheduled updates through a proxy server.................................................... 78
Enabling push updates ..................................................................................................... 78
Enabling push updates ................................................................................................. 79
Push updates when FortiGate IP addresses change.................................................... 79
Enabling push updates through a NAT device.............................................................. 79
Registering FortiGate units ............................................................................................... 83
FortiCare Service Contracts.......................................................................................... 84
Registering the FortiGate unit ....................................................................................... 85
Updating registration information ...................................................................................... 86
Recovering a lost Fortinet support password................................................................ 86
Viewing the list of registered FortiGate units ................................................................ 87
Registering a new FortiGate unit .................................................................................. 88
Adding or changing a FortiCare Support Contract number........................................... 88
Changing your Fortinet support password .................................................................... 89
Changing your contact information or security question ............................................... 89
Downloading virus and attack definitions updates ........................................................ 90
Registering a FortiGate unit after an RMA........................................................................ 91
Network configuration......................................................................................... 93
Configuring interfaces ....................................................................................................... 93
Viewing the interface list ............................................................................................... 94
Changing the administrative status of an interface ....................................................... 94
Configuring an interface with a manual IP address ...................................................... 94
Configuring an interface for DHCP ............................................................................... 95
Configuring an interface for PPPoE .............................................................................. 96
Adding a secondary IP address to an interface ............................................................ 96
Adding a ping server to an interface ............................................................................. 97
Controlling administrative access to an interface.......................................................... 97
Changing the MTU size to improve network performance ............................................ 98
Configuring traffic logging for connections to an interface ............................................ 98
Configuring the management interface in Transparent mode....................................... 99
Adding DNS server IP addresses ................................................................................... 100
Configuring routing.......................................................................................................... 100
Adding a default route................................................................................................. 100
Adding destination-based routes to the routing table.................................................. 101
Adding routes in Transparent mode............................................................................ 102
Configuring the routing table....................................................................................... 102
Policy routing .............................................................................................................. 103
Configuring DHCP services ............................................................................................ 104
Configuring a DHCP relay agent................................................................................. 104
Configuring a DHCP server ........................................................................................ 105
Configuring the modem interface.................................................................................... 107
Connecting a modem to the FortiGate unit ................................................................. 108
Configuring modem settings ....................................................................................... 108
Connecting to a dialup account................................................................................... 109
Disconnecting the modem .......................................................................................... 109
Viewing modem status................................................................................................ 110
Backup mode configuration ........................................................................................ 110
Standalone mode configuration .................................................................................. 110
Adding firewall policies for modem connections ......................................................... 111
RIP configuration ............................................................................................... 113
RIP settings..................................................................................................................... 113
Configuring RIP for FortiGate interfaces......................................................................... 115
Adding RIP filters ............................................................................................................ 117
Adding a RIP filter list.................................................................................................. 117
Assigning a RIP filter list to the neighbors filter........................................................... 118
Assigning a RIP filter list to the incoming filter ............................................................ 118
Assigning a RIP filter list to the outgoing filter............................................................. 119
System configuration ........................................................................................ 121
Setting system date and time.......................................................................................... 121
Changing system options................................................................................................ 122
Adding and editing administrator accounts..................................................................... 123
Adding new administrator accounts ............................................................................ 124
Editing administrator accounts.................................................................................... 124
Configuring SNMP .......................................................................................................... 125
Configuring the FortiGate unit for SNMP monitoring .................................................. 126
Configuring FortiGate SNMP support ......................................................................... 126
FortiGate MIBs............................................................................................................ 128
FortiGate traps ............................................................................................................ 129
Fortinet MIB fields ....................................................................................................... 130
Replacement messages ................................................................................................. 133
Customizing replacement messages .......................................................................... 133
Customizing alert emails............................................................................................. 134
Firewall configuration........................................................................................ 137
Default firewall configuration........................................................................................... 138
Addresses ................................................................................................................... 138
Services ...................................................................................................................... 139
Schedules ................................................................................................................... 139
Content profiles........................................................................................................... 139
Adding firewall policies.................................................................................................... 140
Firewall policy options................................................................................................. 140
Configuring policy lists .................................................................................................... 144
Policy matching in detail ............................................................................................. 145
Changing the order of policies in a policy list.............................................................. 145
Enabling and disabling policies................................................................................... 146
Addresses ....................................................................................................................... 146
Adding addresses ....................................................................................................... 147
Editing addresses ....................................................................................................... 148
Deleting addresses ..................................................................................................... 148
Organizing addresses into address groups ................................................................ 148
Services .......................................................................................................................... 149
Predefined services .................................................................................................... 149
Adding custom TCP and UDP services ...................................................................... 152
Adding custom ICMP services .................................................................................... 153
Adding custom IP services.......................................................................................... 153
Grouping services ....................................................................................................... 153
Schedules ....................................................................................................................... 154
Creating one-time schedules ...................................................................................... 155
Creating recurring schedules ...................................................................................... 155
Adding schedules to policies....................................................................................... 156
Virtual IPs........................................................................................................................ 157
Adding static NAT virtual IPs ...................................................................................... 158
Adding port forwarding virtual IPs ............................................................................... 159
Adding policies with virtual IPs.................................................................................... 161
IP pools........................................................................................................................... 161
Adding an IP pool........................................................................................................ 162
IP Pools for firewall policies that use fixed ports ......................................................... 162
IP pools and dynamic NAT ......................................................................................... 162
IP/MAC binding ............................................................................................................... 163
Configuring IP/MAC binding for packets going through the firewall ............................ 163
Configuring IP/MAC binding for packets going to the firewall ..................................... 164
Adding IP/MAC addresses.......................................................................................... 165
Viewing the dynamic IP/MAC list ................................................................................ 165
Enabling IP/MAC binding ............................................................................................ 165
Content profiles............................................................................................................... 166
Default content profiles ............................................................................................... 167
Adding content profiles ............................................................................................... 167
Adding content profiles to policies .............................................................................. 169
Users and authentication .................................................................................. 171
Setting authentication timeout......................................................................................... 172
Adding user names and configuring authentication ........................................................ 172
Adding user names and configuring authentication .................................................... 172
Deleting user names from the internal database ........................................................ 173
Configuring RADIUS support .......................................................................................... 174
Adding RADIUS servers ............................................................................................. 174
Deleting RADIUS servers ........................................................................................... 174
Configuring LDAP support .............................................................................................. 175
Adding LDAP servers.................................................................................................. 175
Deleting LDAP servers................................................................................................ 176
Configuring user groups.................................................................................................. 177
Adding user groups..................................................................................................... 177
Deleting user groups................................................................................................... 178
IPSec VPN........................................................................................................... 179
Key management............................................................................................................ 180
Manual Keys ............................................................................................................... 180
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 180
Manual key IPSec VPNs................................................................................................. 181
General configuration steps for a manual key VPN .................................................... 181
Adding a manual key VPN tunnel ............................................................................... 181
AutoIKE IPSec VPNs ...................................................................................................... 182
General configuration steps for an AutoIKE VPN ....................................................... 183
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 183
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 188
Managing digital certificates............................................................................................ 190
Obtaining a signed local certificate ............................................................................. 190
Obtaining CA certificates ............................................................................................ 192
Configuring encrypt policies............................................................................................ 193
Adding a source address ............................................................................................ 194
Adding a destination address...................................................................................... 194
Adding an encrypt policy............................................................................................. 195
IPSec VPN concentrators ............................................................................................... 196
VPN concentrator (hub) general configuration steps .................................................. 197
Adding a VPN concentrator ........................................................................................ 198
VPN spoke general configuration steps...................................................................... 199
Monitoring and Troubleshooting VPNs ........................................................................... 201
Viewing VPN tunnel status.......................................................................................... 201
Viewing dialup VPN connection status ....................................................................... 201
Testing a VPN............................................................................................................. 202
PPTP and L2TP VPN .......................................................................................... 203
Configuring PPTP ........................................................................................................... 203
Configuring the FortiGate unit as a PPTP gateway .................................................... 203
Configuring a Windows 98 client for PPTP ................................................................. 206
Configuring a Windows 2000 client for PPTP ............................................................. 207
Configuring a Windows XP client for PPTP ................................................................ 207
Configuring L2TP............................................................................................................ 209
Configuring the FortiGate unit as an L2TP gateway ................................................... 209
Configuring a Windows 2000 client for L2TP.............................................................. 211
Configuring a Windows XP client for L2TP ................................................................. 213
Network Intrusion Detection System (NIDS) ................................................... 215
Detecting attacks ............................................................................................................ 215
Selecting the interfaces to monitor.............................................................................. 216
Disabling monitoring interfaces................................................................................... 216
Configuring checksum verification .............................................................................. 216
Viewing the signature list ............................................................................................ 217
Viewing attack descriptions......................................................................................... 217
Disabling NIDS attack signatures ............................................................................... 218
Adding user-defined signatures .................................................................................. 218
Preventing attacks .......................................................................................................... 220
Enabling NIDS attack prevention ................................................................................ 220
Enabling NIDS attack prevention signatures .............................................................. 220
Setting signature threshold values.............................................................................. 221
FortiGate-50A Installation and Configuration Guide 9
Logging attacks............................................................................................................... 222
Logging attack messages to the attack log................................................................. 222
Reducing the number of NIDS attack log and email messages.................................. 222
Antivirus protection........................................................................................... 225
General configuration steps............................................................................................ 225
Antivirus scanning........................................................................................................... 226
File blocking.................................................................................................................... 227
Blocking files in firewall traffic ..................................................................................... 227
Adding file patterns to block........................................................................................ 227
Blocking oversized files and emails ................................................................................ 228
Configuring limits for oversized files and email........................................................... 228
Exempting fragmented email from blocking.................................................................... 228
Viewing the virus list ....................................................................................................... 229
Web filtering ....................................................................................................... 231
General configuration steps............................................................................................ 231
Content blocking ............................................................................................................. 232
Adding words and phrases to the Banned Word list ................................................... 232
Clearing the Banned Word list .................................................................................... 233
Backing up the Banned Word list................................................................................ 233
Restoring the Banned Word list .................................................................................. 233
URL blocking................................................................................................................... 235
Configuring FortiGate Web URL blocking ................................................................... 235
Configuring FortiGate Web pattern blocking............................................................... 237
Configuring Cerberian URL filtering ................................................................................ 238
Installing a Cerberian license key ............................................................................... 238
Adding a Cerberian user ............................................................................................. 238
Configuring Cerberian web filter ................................................................................. 239
Enabling Cerberian URL filtering ................................................................................ 239
Script filtering .................................................................................................................. 240
Enabling script filtering................................................................................................ 240
Selecting script filter options ....................................................................................... 240
Exempt URL list .............................................................................................................. 241
Adding URLs to the URL Exempt list .......................................................................... 241
Downloading the URL Exempt List ............................................................................. 242
Uploading a URL Exempt List..................................................................................... 242
Email filter........................................................................................................... 245
General configuration steps............................................................................................ 245
Email banned word list.................................................................................................... 246
Adding words and phrases to the email banned word list........................................... 246
Downloading the email banned word list .................................................................... 247
Uploading the email banned word list ......................................................................... 247
10 Fortinet Inc.
Email block list ................................................................................................................ 248
Adding address patterns to the email block list........................................................... 248
Downloading the email block list................................................................................. 248
Uploading an email block list ...................................................................................... 249
Email exempt list............................................................................................................. 249
Adding address patterns to the email exempt list ....................................................... 250
Adding a subject tag ....................................................................................................... 250
Logging and reporting....................................................................................... 251
Recording logs................................................................................................................ 251
Recording logs on a remote computer ........................................................................ 251
Recording logs on a NetIQ WebTrends server ........................................................... 252
Log message levels .................................................................................................... 253
Filtering log messages .................................................................................................... 253
Configuring traffic logging ............................................................................................... 254
Enabling traffic logging................................................................................................ 255
Configuring traffic filter settings................................................................................... 255
Adding traffic filter entries ........................................................................................... 256
Configuring alert email .................................................................................................... 257
Adding alert email addresses...................................................................................... 257
Testing alert email....................................................................................................... 258
Enabling alert email .................................................................................................... 258
Glossary ............................................................................................................. 259
Index .................................................................................................................... 263
FortiGate-50A Installation and Configuration Guide Version 2.50

Introduction

The FortiGate-50A Antivirus Firewall is an easy-to-deploy and easy-to­administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications.
Your FortiGate-50A is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

NAT/Route mode and Transparent mode

The FortiGate can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, the FortiGate-50A is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation (NAT) to protect the internal private network. You can control whether firewall policies run in NAT mode or route mode. NAT mode policies route allowed connections between firewall interfaces, performing network address translation to hide addresses on the protected internal networks. Route mode policies route allowed connections between firewall interfaces without performing network address translation.

Transparent mode

Transparent Mode provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the FortiGate unit must be in the same subnet and the FortiGate unit can be inserted into your network at any point without the need to make any changes to your network.

Document conventions

This guide uses the following conventions to describe CLI command syntax.
• Angle brackets < > indicate variable keywords. For example:
  execute restore config <filename_str>
  You enter restore config myfile.bak
  <xxx_str> indicates an ASCII string variable keyword.
  <xxx_integer> indicates an integer variable keyword.
  <xxx_ip> indicates an IP address variable keyword.
• A vertical bar and curly brackets { | } separate alternative, mutually exclusive required keywords. For example:
  set system opmode {nat | transparent}
  You can enter set system opmode nat or set system opmode transparent.
• Square brackets [ ] indicate that a keyword is optional. For example:
  get firewall ipmacbinding [dhcpipmac]
  You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac.

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre­shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
• amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America.
• apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
• eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem

Getting started

This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 33.
• If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 41.
This chapter describes:
• Package contents
• Mounting
• Powering on
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
• Factory default FortiGate configuration settings
• Planning the FortiGate configuration
• FortiGate model maximum values matrix
• Next steps

Package contents

The FortiGate-50A package contains the following items:
• the FortiGate-50A Antivirus Firewall
• one orange cross-over ethernet cable
• one gray regular ethernet cable
• one null-modem cable
• FortiGate-50A QuickStart Guide
• a CD containing the FortiGate user documentation
• one AC adapter
Figure 1: FortiGate-50A package contents
[Figure: front panel with Power LED and Status LED; back panel with Internal interface, External interface, Console (RS-232 serial connection), USB and power connections; orange crossover and grey straight-through ethernet cables; null-modem cable (RS-232); power supply and power cable; QuickStart Guide and user documentation.]

Mounting

The FortiGate-50A unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Dimensions

8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)

Weight

1.5 lb. (0.68 kg)

Power requirements

DC input voltage: 5 V
DC input current: 3 A

Environmental specifications

Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing

Powering on

To power on the FortiGate-50A unit
1 Connect the AC adapter to the power connection at the back of the FortiGate-50A unit.
2 Connect the AC adapter to a power outlet.
The FortiGate-50A starts up. The Power and Status lights light. The Status light flashes while the unit is starting up and turns off when the system is up and running.
Table 1: FortiGate-50A LED indicators
LED                        State           Description
Power                      Green           The FortiGate unit is powered on.
                           Off             The FortiGate unit is powered off.
Status                     Green           The FortiGate unit is starting.
                           Off             The FortiGate unit is operating normally.
Link (Internal, External)  Green           The correct cable is in use and the connected equipment has power.
                           Flashing Green  Network activity at this interface.
                           Off             No link established.
100 (Internal, External)   Green           The interface is connected at 100 Mbps.

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.
To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• Internet Explorer version 4.0 or higher,
• a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
To connect to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiGate DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2 Using the crossover cable or the ethernet hub and cables, connect the internal interface of the FortiGate unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99.
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information in this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 2: FortiGate login

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.
To connect to the FortiGate CLI, you need:
• a computer with an available communications port,
• the null modem cable included in your FortiGate package,
• terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI
1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
2 Make sure that the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
  Bits per second: 9600
  Data bits: 8
  Parity: None
  Stop bits: 1
  Flow control: None
6 Press Enter to connect to the FortiGate CLI.
The following prompt is displayed:
FortiGate-50A login:
7 Type admin and press Enter twice.
The following prompt is displayed:
Type ? for a list of commands.
For information about how to use the CLI, see the FortiGate CLI Reference Guide.

Factory default FortiGate configuration settings

The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. To configure the FortiGate unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required.
If you plan to operate the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto the network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.
• Factory default DHCP configuration
• Factory default NAT/Route mode network configuration
• Factory default Transparent mode network configuration
• Factory default firewall configuration
• Factory default content profiles

Factory default DHCP configuration

When the FortiGate unit is first powered on, the external interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiGate unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiGate unit DHCP server. For more information about the FortiGate DHCP server, see “Configuring DHCP services” on page 104.
Table 2: FortiGate DHCP Server default configuration
Enable DHCP       ✓ (selected)
Starting IP       192.168.1.1
Ending IP         192.168.1.254
Netmask           255.255.255.0
Lease Duration    604800 seconds
Default Route     192.168.1.99
Exclusion Range   192.168.1.99 - 192.168.1.99

Factory default NAT/Route mode network configuration

When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to the network. In Table 3, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 3: Factory default NAT/Route mode network configuration
Administrator account   User name: admin
                        Password: (none)
Internal interface      IP: 192.168.1.99
                        Netmask: 255.255.255.0
                        Management Access: HTTPS, Ping
External interface      Addressing Mode: DHCP
                        Management Access: Ping

Factory default Transparent mode network configuration

If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 4.
Table 4: Factory default Transparent mode network configuration
Administrator account   User name: admin
                        Password: (none)
Management IP           IP: 10.10.10.1
                        Netmask: 255.255.255.0
DNS                     Primary DNS Server: 207.194.200.1
                        Secondary DNS Server: 207.194.200.129
Management access       Internal: HTTPS, Ping
                        External: Ping

Factory default firewall configuration

The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Table 5: Factory default firewall configuration
Internal Address     Internal_All
                     IP: 0.0.0.0
                     Mask: 0.0.0.0
                     Represents all of the IP addresses on the internal network.
External Address     External_All
                     IP: 0.0.0.0
                     Mask: 0.0.0.0
                     Represents all of the IP addresses on the external network.
Recurring Schedule   Always
                     The schedule is valid at all times. This means that the firewall policy is valid at all times.
Firewall Policy      Int->Ext
                     Firewall policy for connections from the internal network to the external network.
    Source: Internal_All
        The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
    Destination: External_All
        The policy destination address. External_All means that the policy accepts connections with a destination address to any IP address on the external network.
    Schedule: Always
        The policy schedule. Always means that the policy is valid at any time.
    Service: ANY
        The policy service. ANY means that this policy processes connections for all services.
    Action: ACCEPT
        The policy action. ACCEPT means that the policy allows connections.
    NAT: ✓ (selected)
        NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
    Traffic Shaping: not selected
        The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
    Authentication: not selected
        Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
    Antivirus & Web Filter: ✓ (selected)
    Content Profile: Scan
        The scan content profile is selected. The policy scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See “Scan content profile” on page 26 for more information about the scan content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy.
    Log Traffic: not selected
        This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
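The factory defaults in Tables 2 to 5 are convenient for first contact but weak for production: no admin password, a policy that accepts ANY service, and no traffic logging. The following is an added example (not Fortinet code and not a FortiGate export format) that models those defaults in a Python dictionary and audits them; the dictionary layout, the function names and the hardened variant are assumptions made for this example.

```python
"""Audit a FortiGate-style configuration against the factory defaults in
Tables 2 to 5.  Added example, not Fortinet code; the dictionary layout is an
assumption made for this example, not a FortiGate export format."""
import copy
import ipaddress

# Constructed model of the factory default configuration (Tables 2 to 5).
FACTORY_DEFAULT = {
    "admin": {"name": "admin", "password": ""},
    "interfaces": {
        "internal": {"ip": "192.168.1.99", "netmask": "255.255.255.0",
                     "management_access": {"HTTPS", "Ping"}},
        "external": {"addressing_mode": "DHCP",
                     "management_access": {"Ping"}},
    },
    "dhcp": {"enabled": True, "start": "192.168.1.1", "end": "192.168.1.254",
             "netmask": "255.255.255.0", "default_route": "192.168.1.99",
             "exclusions": [("192.168.1.99", "192.168.1.99")]},
    "policies": [
        {"name": "Int->Ext", "source": "Internal_All",
         "destination": "External_All", "schedule": "Always",
         "service": "ANY", "action": "ACCEPT", "nat": True,
         "content_profile": "Scan", "log_traffic": False},
    ],
}


def _in_range(addr, start, end):
    """True if addr lies inside the inclusive IPv4 range start..end."""
    a = int(ipaddress.IPv4Address(addr))
    return int(ipaddress.IPv4Address(start)) <= a <= int(ipaddress.IPv4Address(end))


def audit(config):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    if config["admin"]["password"] == "":
        findings.append("admin account has no password")
    # Anything beyond Ping on the external interface exposes management.
    exposed = config["interfaces"]["external"]["management_access"] - {"Ping"}
    if exposed:
        findings.append("external interface exposes management access: "
                        + ", ".join(sorted(exposed)))
    for pol in config["policies"]:
        if pol["action"] == "ACCEPT" and pol["service"] == "ANY":
            findings.append("policy %s accepts ANY service" % pol["name"])
        if pol["action"] == "ACCEPT" and not pol["log_traffic"]:
            findings.append("policy %s does not log accepted traffic" % pol["name"])
    dhcp = config["dhcp"]
    if dhcp["enabled"]:
        # The default route (the unit's own address) must not be leasable.
        gw = dhcp["default_route"]
        in_pool = _in_range(gw, dhcp["start"], dhcp["end"])
        excluded = any(_in_range(gw, s, e) for s, e in dhcp["exclusions"])
        if in_pool and not excluded:
            findings.append("DHCP pool can hand out the default route address " + gw)
    return findings


def hardened_example():
    """Constructed variant (an assumption) with the flagged defaults changed."""
    cfg = copy.deepcopy(FACTORY_DEFAULT)
    cfg["admin"]["password"] = "<set a strong password>"
    cfg["policies"][0]["service"] = "HTTP"
    cfg["policies"][0]["log_traffic"] = True
    return cfg


def exposed_external_example():
    """Constructed variant with HTTPS management enabled on the external side."""
    cfg = copy.deepcopy(FACTORY_DEFAULT)
    cfg["interfaces"]["external"]["management_access"] = {"HTTPS", "Ping"}
    return cfg


if __name__ == "__main__":
    for finding in audit(FACTORY_DEFAULT):
        print("factory default:", finding)
```

Run against the factory defaults the audit reports the empty admin password, the ANY-service policy and the missing traffic log; the DHCP check passes because the exclusion range already covers 192.168.1.99, which is the reason that exclusion exists.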

Factory default content profiles

You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for:
Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
Web content filtering for HTTP network traffic
Email filtering for IMAP and POP3 network traffic
Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You do not need to use the strict content profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum content screening protection.
Table 6: Strict content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      ✓      ✓      ✓      ✓
File Block                  ✓      ✓      ✓      ✓      ✓
Web URL Block               ✓
Web Content Block           ✓
Web Script Filter           ✓
Web Exempt List             ✓
Email Block List                          ✓      ✓
Email Exempt List                         ✓      ✓
Email Content Block                       ✓      ✓
Oversized File/Email Block  block  block  block  block  block
Pass Fragmented Emails
Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Table 7: Scan content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      ✓      ✓      ✓      ✓
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails
Web content profile
Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 8: Web content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓
File Block
Web URL Block               ✓
Web Content Block           ✓
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 9: Unfiltered content profile

Option                       HTTP    FTP     IMAP    POP3    SMTP
Antivirus Scan               -       -       -       -       -
File Block                   -       -       -       -       -
Web URL Block                -       -       -       -       -
Web Content Block            -       -       -       -       -
Web Script Filter            -       -       -       -       -
Web Exempt List              ✓       -       -       -       -
Email Block List             -       -       -       -       -
Email Exempt List            -       -       ✓       ✓       -
Email Content Block          -       -       -       -       -
Oversized File/Email Block   pass    pass    pass    pass    pass
Pass Fragmented Emails       -       -       ✓       ✓       ✓
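The four tables above define which protocols each factory default profile actually inspects, and the practical mistake they guard against is attaching a profile to a firewall policy whose service carries traffic the profile never scans (for example the web profile on a policy that also passes SMTP), or relying on antivirus scanning while the profile passes oversized files unscanned. The following audit script is an added example, not part of the Fortinet guide or of FortiOS: it transcribes Tables 6 to 9 into data and checks a list of policies against them. The mapping from a policy's service to content protocols, the policy names and the sample policy list are assumptions constructed for illustration.

```python
"""Content profile coverage audit for the four factory default profiles
(Tables 6 to 9). Added example, not Fortinet code; the service-to-protocol
mapping and the sample policies below are constructed assumptions."""
from dataclasses import dataclass

PROTOCOLS = ("HTTP", "FTP", "IMAP", "POP3", "SMTP")
ALL = frozenset(PROTOCOLS)
NONE = frozenset()
WEB = frozenset({"HTTP"})
MAIL_IN = frozenset({"IMAP", "POP3"})
MAIL = frozenset({"IMAP", "POP3", "SMTP"})

# For each profile: option -> protocols on which the option is enabled.
# "Oversized File/Email Block" holds the protocols on which oversized content
# is blocked; protocols absent from it pass oversized content unscanned.
PROFILES = {
    "strict": {
        "Antivirus Scan": ALL,
        "File Block": ALL,
        "Web URL Block": WEB,
        "Web Content Block": WEB,
        "Web Script Filter": WEB,
        "Web Exempt List": WEB,
        "Email Block List": MAIL_IN,
        "Email Exempt List": MAIL_IN,
        "Email Content Block": MAIL_IN,
        "Oversized File/Email Block": ALL,
        "Pass Fragmented Emails": NONE,
    },
    "scan": {
        "Antivirus Scan": ALL,
        "Oversized File/Email Block": NONE,
    },
    "web": {
        "Antivirus Scan": WEB,
        "Web URL Block": WEB,
        "Web Content Block": WEB,
        "Oversized File/Email Block": NONE,
    },
    "unfiltered": {
        "Web Exempt List": WEB,
        "Email Exempt List": MAIL_IN,
        "Pass Fragmented Emails": MAIL,
        "Oversized File/Email Block": NONE,
    },
}

# Assumption: which content protocols a policy's service lets through.
SERVICE_PROTOCOLS = {
    "HTTP": {"HTTP"}, "FTP": {"FTP"}, "IMAP": {"IMAP"},
    "POP3": {"POP3"}, "SMTP": {"SMTP"}, "ANY": set(PROTOCOLS),
}


@dataclass(frozen=True)
class Policy:
    name: str
    service: str   # key of SERVICE_PROTOCOLS
    profile: str   # key of PROFILES


def unscanned_protocols(policy):
    """Content protocols the policy carries that its profile never antivirus scans."""
    reached = SERVICE_PROTOCOLS[policy.service]
    scanned = PROFILES[policy.profile].get("Antivirus Scan", NONE)
    return sorted(reached - scanned)


def oversized_bypass(policy):
    """Scanned protocols on which an oversized file or email is passed unscanned."""
    reached = SERVICE_PROTOCOLS[policy.service]
    scanned = PROFILES[policy.profile].get("Antivirus Scan", NONE)
    blocked = PROFILES[policy.profile].get("Oversized File/Email Block", NONE)
    return sorted((reached & scanned) - blocked)


def audit(policies):
    """Return (policy name, finding) pairs for every coverage gap found."""
    findings = []
    for p in policies:
        gaps = unscanned_protocols(p)
        if gaps:
            findings.append((p.name, f"profile '{p.profile}' does not scan {', '.join(gaps)}"))
        bypass = oversized_bypass(p)
        if bypass:
            findings.append((p.name, f"oversized content passes unscanned on {', '.join(bypass)}"))
    return findings


# Constructed sample policies (not from the guide).
SAMPLE_POLICIES = [
    Policy("web_out", "HTTP", "web"),             # covered, but oversized HTTP passes
    Policy("all_out", "ANY", "web"),              # gap: FTP and mail never scanned
    Policy("mail_in", "SMTP", "strict"),          # fully covered, oversized blocked
    Policy("trusted_link", "ANY", "unfiltered"),  # by design: nothing scanned
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```

Run as a script it prints one line per finding; the strict profile on the SMTP policy produces none, which is the point of that profile, while the web profile on an ANY policy shows that FTP, IMAP, POP3 and SMTP go through without antivirus scanning.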

Planning the FortiGate configuration

Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces.
Your configuration plan depends on the operating mode that you select. The FortiGate unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
External is the interface to the external network (usually the Internet).
Internal is the interface to the internal network.
You can add security policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation.
By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.
You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
Figure 3: Example NAT/Route mode network configuration

Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewall functions as well as antivirus and content scanning but not VPN.
Figure 4: Example Transparent mode network configuration
[Figure 3 image: Internet; FortiGate-50A unit in NAT/Route mode with External interface 204.23.1.5 and Internal interface 192.168.1.99; internal network host 192.168.1.3; NAT mode policies controlling traffic between internal and external networks.]
[Figure 4 image: Internet; gateway to public network (firewall, router) with addresses 204.23.1.5 and 10.10.10.2; FortiGate-50A unit in Transparent mode with management IP 10.10.10.1; internal network host 10.10.10.3; Transparent mode policies controlling traffic between internal and external networks.]

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiGate unit.
You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Setup wizard
If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the setup wizard prompts you to add the administration password and internal interface address. The setup wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the external interface. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.
If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and the Internal interface address. You can also use the CLI to configure the external interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network.
If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.
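The planning constraints in this section are easy to get wrong at the console: in NAT/Route mode the Internal and External interfaces must sit on different subnets and a static External address needs a default route whose gateway is actually on the External subnet, while in Transparent mode the unit bridges, so the management gateway must share the management IP's subnet. The script below is an added example, not Fortinet code and not a FortiGate CLI transcript; it checks a planned configuration for exactly those constraints before anything is typed into the wizard or CLI. The addresses are taken from Figures 3 and 4 (192.168.1.99, 204.23.1.5, 10.10.10.1, 10.10.10.2); the /24 masks, the gateway 204.23.1.1 and the DNS server addresses are assumptions.

```python
"""Plan check for the two FortiGate operating modes described in the guide.

NAT/Route mode: Internal and External on different subnets; a static External
address needs a default route with a gateway on the External subnet; a dynamic
(DHCP or PPPoE) External address brings its own route.
Transparent mode: one management IP; its gateway must be on the same subnet.

Added example, not Fortinet code. Addresses follow Figures 3 and 4; the /24
masks, gateway 204.23.1.1 and DNS addresses are assumptions."""
import ipaddress

DYNAMIC = ("dhcp", "pppoe")


def check_nat_route(internal, external, default_gw=None, dns=()):
    """internal: 'addr/len' of the Internal interface.
    external: 'addr/len' for a static External address, or 'dhcp' / 'pppoe'.
    default_gw: gateway of the default route (static External only).
    dns: DNS server addresses. Returns a list of problems; empty means ok."""
    problems = []
    int_if = ipaddress.ip_interface(internal)
    net = int_if.network
    if int_if.ip in (net.network_address, net.broadcast_address):
        problems.append("Internal address is the network or broadcast address")
    if not net.is_private:
        problems.append(f"Internal subnet {net} is not a private range; NAT/Route mode "
                        "is normally used between a private and a public network")
    if external.lower() in DYNAMIC:
        if default_gw is not None:
            problems.append("External address is dynamic; its default route comes from "
                            "DHCP/PPPoE, not from a static gateway")
        return problems  # DNS may also be learned dynamically, so it is not required here
    ext_if = ipaddress.ip_interface(external)
    if net.overlaps(ext_if.network):
        problems.append("Internal and External must be on different subnets in NAT/Route mode")
    if default_gw is None:
        problems.append("static External address needs a default route")
    elif ipaddress.ip_address(default_gw) not in ext_if.network:
        problems.append(f"default gateway {default_gw} is not on the External subnet {ext_if.network}")
    if not dns:
        problems.append("no DNS server configured")
    return problems


def check_transparent(management, gateway, dns=()):
    """management: 'addr/len' management IP; gateway: its default gateway address."""
    problems = []
    mgmt = ipaddress.ip_interface(management)
    gw = ipaddress.ip_address(gateway)
    if gw not in mgmt.network:
        problems.append(f"gateway {gateway} is not on the management subnet {mgmt.network}")
    elif gw == mgmt.ip:
        problems.append("gateway equals the management IP")
    if not dns:
        problems.append("no DNS server configured")
    return problems


if __name__ == "__main__":
    # Figure 3 layout with a static External address and an assumed gateway
    print(check_nat_route("192.168.1.99/24", "204.23.1.5/24", "204.23.1.1", ("204.23.1.2",)))
    # Figure 4 layout: management IP 10.10.10.1, gateway 10.10.10.2
    print(check_transparent("10.10.10.1/24", "10.10.10.2", ("10.10.10.2",)))
    # Common mistake: both interfaces left on the factory subnet
    print(check_nat_route("192.168.1.99/24", "192.168.1.5/24", "192.168.1.1", ("192.168.1.1",)))
```

The first two calls return empty lists; the third reports that Internal and External share a subnet, which is the condition that makes NAT/Route mode behave unpredictably and is exactly what the wizard's separate Internal and External address prompts are meant to avoid.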

FortiGate model maximum values matrix

Table 10: FortiGate maximum values matrix

                                    FortiGate model
Item                                50A    60     100    200    300    400    500    800    1000   3000   3600   4000
Routes                              500    500    500    500    500    500    500    500    500    500    500    500
Policy routing gateways             500    500    500    500    500    500    500    500    500    500    500    500
Administrative users                500    500    500    500    500    500    500    500    500    500    500    500
VLAN subinterfaces                  N/A    N/A    N/A    4096*  4096*  4096*  4096*  4096*  4096*  4096*  4096*  4096*
Zones                               N/A    N/A    N/A    100    100    100    100    100    200    300    500    500
Virtual domains                     N/A    N/A    N/A    16     32     64     64     64     128    512    512    512
DHCP address scopes                 32     32     32     32     32     32     32     32     32     32     32     32
DHCP reserved IP/MAC pairs          10     20     30     30     50     50     100    100    200    200    200    200
Firewall policies                   200    500    1000   2000   5000   5000   20000  20000  50000  50000  50000  50000
Firewall addresses                  500    500    500    500    3000   3000   6000   6000   10000  10000  10000  10000
Firewall address groups             500    500    500    500    500    500    500    500    500    500    500    500
Firewall custom services            500    500    500    500    500    500    500    500    500    500    500    500
Firewall service groups             500    500    500    500    500    500    500    500    500    500    500    500
Firewall recurring schedules        256    256    256    256    256    256    256    256    256    256    256    256
Firewall onetime schedules          256    256    256    256    256    256    256    256    256    256    256    256
Firewall virtual IPs                500    500    500    500    500    500    500    500    500    500    500    500
Firewall IP pools                   50     50     50     50     50     50     50     50     50     50     50     50
IP/MAC binding table entries        500    500    500    500    500    500    500    500    500    500    500    500
Firewall content profiles           32     32     32     32     32     32     32     32     32     32     32     32
User names                          20     500    1000   1000   1000   1000   1000   1000   1000   1000   1000   1000
Radius servers                      6      6      6      6      6      6      6      6      6      6      6      6
LDAP servers                        6      6      6      6      6      6      6      6      6      6      6      6
User groups                         100    100    100    100    100    100    100    100    100    100    100    100
Total number of user group members  300    300    300    300    300    300    300    300    300    300    300    300

* Includes the number of physical interfaces.