Fortinet FortiGate 50A User Manual

FortiGate 50A
Installation and
Configuration Guide
[Cover image: FortiGate-50A front panel with STATUS, PWR and A indicators and INTERNAL / EXTERNAL LINK and 100 LEDs]
Version 2.50
29 February 2004
© Copyright 2004 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-50A Installation and Configuration Guide Version 2.50 29 February 2004
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Table of Contents

Introduction .......................................................................................................... 13
NAT/Route mode and Transparent mode......................................................................... 13
NAT/Route mode .......................................................................................................... 13
Transparent mode......................................................................................................... 13
Document conventions ..................................................................................................... 14
Fortinet documentation ..................................................................................................... 15
Comments on Fortinet technical documentation........................................................... 15
Customer service and technical support........................................................................... 16
Getting started ..................................................................................................... 17
Package contents ............................................................................................................. 18
Mounting ........................................................................................................................... 18
Powering on...................................................................................................................... 19
Connecting to the web-based manager............................................................................ 19
Connecting to the command line interface (CLI)............................................................... 20
Factory default FortiGate configuration settings ............................................................... 22
Factory default DHCP configuration ............................................................................. 22
Factory default NAT/Route mode network configuration .............................................. 23
Factory default Transparent mode network configuration............................................. 23
Factory default firewall configuration ............................................................................ 23
Factory default content profiles..................................................................................... 25
Planning the FortiGate configuration ................................................................................ 27
NAT/Route mode .......................................................................................................... 27
Transparent mode......................................................................................................... 28
Configuration options .................................................................................................... 28
FortiGate model maximum values matrix ......................................................................... 30
Next steps......................................................................................................................... 31
Contents
NAT/Route mode installation.............................................................................. 33
Installing the FortiGate unit using the default configuration .............................................. 33
Changing the default configuration ............................................................................... 34
Preparing to configure NAT/Route mode.......................................................................... 34
Advanced NAT/Route mode settings............................................................................ 35
Using the setup wizard...................................................................................................... 35
Starting the setup wizard .............................................................................................. 35
Reconnecting to the web-based manager .................................................................... 35
Using the command line interface..................................................................................... 36
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 36
Connecting the FortiGate unit to your networks................................................................ 37
Configuring your networks ................................................................................................ 38
FortiGate-50A Installation and Configuration Guide 3
Completing the configuration ............................................................................................ 38
Setting the date and time .............................................................................................. 38
Changing antivirus protection ....................................................................................... 38
Registering your FortiGate unit ..................................................................................... 39
Configuring virus and attack definition updates ............................................................ 39
Transparent mode installation............................................................................ 41
Preparing to configure Transparent mode ........................................................................ 41
Using the setup wizard...................................................................................................... 42
Changing to Transparent mode .................................................................................... 42
Starting the setup wizard .............................................................................................. 42
Reconnecting to the web-based manager .................................................................... 42
Using the command line interface..................................................................................... 42
Changing to Transparent mode .................................................................................... 43
Configuring the Transparent mode management IP address ....................................... 43
Configure the Transparent mode default gateway........................................................ 43
Connecting the FortiGate unit to your networks................................................................ 43
Completing the configuration ............................................................................................ 45
Setting the date and time .............................................................................................. 45
Enabling antivirus protection......................................................................................... 45
Registering your FortiGate............................................................................................ 45
Configuring virus and attack definition updates ............................................................ 45
Transparent mode configuration examples....................................................................... 46
Default routes and static routes .................................................................................... 46
Example default route to an external network............................................................... 47
Example static route to an external destination ............................................................ 48
Example static route to an internal destination ............................................................. 51
System status....................................................................................................... 53
Changing the FortiGate host name................................................................................... 54
Changing the FortiGate firmware...................................................................................... 54
Upgrading to a new firmware version ........................................................................... 55
Reverting to a previous firmware version...................................................................... 56
Installing firmware images from a system reboot using the CLI ................................... 59
Testing a new firmware image before installing it ......................................................... 61
Manual virus definition updates ........................................................................................ 63
Manual attack definition updates ...................................................................................... 63
Displaying the FortiGate serial number............................................................................. 64
Displaying the FortiGate up time....................................................................................... 64
Backing up system settings .............................................................................................. 64
Restoring system settings................................................................................................. 64
Restoring system settings to factory defaults ................................................................... 65
Changing to Transparent mode ........................................................................................ 65
Changing to NAT/Route mode.......................................................................................... 66
Restarting the FortiGate unit............................................................................................. 66
4 Fortinet Inc.
Shutting down the FortiGate unit ...................................................................................... 66
System status ................................................................................................................... 67
Viewing CPU and memory status ................................................................................. 67
Viewing sessions and network status ........................................................................... 68
Viewing virus and intrusions status............................................................................... 69
Session list........................................................................................................................ 70
Virus and attack definitions updates and registration ..................................... 73
Updating antivirus and attack definitions .......................................................................... 73
Connecting to the FortiResponse Distribution Network ................................................ 74
Manually initiating antivirus and attack definitions updates .......................................... 75
Configuring update logging ........................................................................................... 76
Scheduling updates .......................................................................................................... 76
Enabling scheduled updates......................................................................................... 76
Adding an override server............................................................................................. 77
Enabling scheduled updates through a proxy server.................................................... 78
Enabling push updates ..................................................................................................... 78
Enabling push updates ................................................................................................. 79
Push updates when FortiGate IP addresses change.................................................... 79
Enabling push updates through a NAT device.............................................................. 79
Registering FortiGate units ............................................................................................... 83
FortiCare Service Contracts.......................................................................................... 84
Registering the FortiGate unit ....................................................................................... 85
Updating registration information ...................................................................................... 86
Recovering a lost Fortinet support password................................................................ 86
Viewing the list of registered FortiGate units ................................................................ 87
Registering a new FortiGate unit .................................................................................. 88
Adding or changing a FortiCare Support Contract number........................................... 88
Changing your Fortinet support password .................................................................... 89
Changing your contact information or security question ............................................... 89
Downloading virus and attack definitions updates ........................................................ 90
Registering a FortiGate unit after an RMA........................................................................ 91
Network configuration......................................................................................... 93
Configuring interfaces ....................................................................................................... 93
Viewing the interface list ............................................................................................... 94
Changing the administrative status of an interface ....................................................... 94
Configuring an interface with a manual IP address ...................................................... 94
Configuring an interface for DHCP ............................................................................... 95
Configuring an interface for PPPoE .............................................................................. 96
Adding a secondary IP address to an interface ............................................................ 96
Adding a ping server to an interface ............................................................................. 97
Controlling administrative access to an interface.......................................................... 97
Changing the MTU size to improve network performance ............................................ 98
Configuring traffic logging for connections to an interface ............................................ 98
Configuring the management interface in Transparent mode....................................... 99
Adding DNS server IP addresses ................................................................................... 100
Configuring routing.......................................................................................................... 100
Adding a default route................................................................................................. 100
Adding destination-based routes to the routing table.................................................. 101
Adding routes in Transparent mode............................................................................ 102
Configuring the routing table....................................................................................... 102
Policy routing .............................................................................................................. 103
Configuring DHCP services ............................................................................................ 104
Configuring a DHCP relay agent................................................................................. 104
Configuring a DHCP server ........................................................................................ 105
Configuring the modem interface.................................................................................... 107
Connecting a modem to the FortiGate unit ................................................................. 108
Configuring modem settings ....................................................................................... 108
Connecting to a dialup account................................................................................... 109
Disconnecting the modem .......................................................................................... 109
Viewing modem status................................................................................................ 110
Backup mode configuration ........................................................................................ 110
Standalone mode configuration .................................................................................. 110
Adding firewall policies for modem connections ......................................................... 111
RIP configuration ............................................................................................... 113
RIP settings..................................................................................................................... 113
Configuring RIP for FortiGate interfaces......................................................................... 115
Adding RIP filters ............................................................................................................ 117
Adding a RIP filter list.................................................................................................. 117
Assigning a RIP filter list to the neighbors filter........................................................... 118
Assigning a RIP filter list to the incoming filter ............................................................ 118
Assigning a RIP filter list to the outgoing filter............................................................. 119
System configuration ........................................................................................ 121
Setting system date and time.......................................................................................... 121
Changing system options................................................................................................ 122
Adding and editing administrator accounts..................................................................... 123
Adding new administrator accounts ............................................................................ 124
Editing administrator accounts.................................................................................... 124
Configuring SNMP .......................................................................................................... 125
Configuring the FortiGate unit for SNMP monitoring .................................................. 126
Configuring FortiGate SNMP support ......................................................................... 126
FortiGate MIBs............................................................................................................ 128
FortiGate traps ............................................................................................................ 129
Fortinet MIB fields ....................................................................................................... 130
Replacement messages ................................................................................................. 133
Customizing replacement messages .......................................................................... 133
Customizing alert emails............................................................................................. 134
Firewall configuration........................................................................................ 137
Default firewall configuration........................................................................................... 138
Addresses ................................................................................................................... 138
Services ...................................................................................................................... 139
Schedules ................................................................................................................... 139
Content profiles........................................................................................................... 139
Adding firewall policies.................................................................................................... 140
Firewall policy options................................................................................................. 140
Configuring policy lists .................................................................................................... 144
Policy matching in detail ............................................................................................. 145
Changing the order of policies in a policy list.............................................................. 145
Enabling and disabling policies................................................................................... 146
Addresses ....................................................................................................................... 146
Adding addresses ....................................................................................................... 147
Editing addresses ....................................................................................................... 148
Deleting addresses ..................................................................................................... 148
Organizing addresses into address groups ................................................................ 148
Services .......................................................................................................................... 149
Predefined services .................................................................................................... 149
Adding custom TCP and UDP services ...................................................................... 152
Adding custom ICMP services .................................................................................... 153
Adding custom IP services.......................................................................................... 153
Grouping services ....................................................................................................... 153
Schedules ....................................................................................................................... 154
Creating one-time schedules ...................................................................................... 155
Creating recurring schedules ...................................................................................... 155
Adding schedules to policies....................................................................................... 156
Virtual IPs........................................................................................................................ 157
Adding static NAT virtual IPs ...................................................................................... 158
Adding port forwarding virtual IPs ............................................................................... 159
Adding policies with virtual IPs.................................................................................... 161
IP pools........................................................................................................................... 161
Adding an IP pool........................................................................................................ 162
IP Pools for firewall policies that use fixed ports ......................................................... 162
IP pools and dynamic NAT ......................................................................................... 162
IP/MAC binding ............................................................................................................... 163
Configuring IP/MAC binding for packets going through the firewall ............................ 163
Configuring IP/MAC binding for packets going to the firewall ..................................... 164
Adding IP/MAC addresses.......................................................................................... 165
Viewing the dynamic IP/MAC list ................................................................................ 165
Enabling IP/MAC binding ............................................................................................ 165
Content profiles............................................................................................................... 166
Default content profiles ............................................................................................... 167
Adding content profiles ............................................................................................... 167
Adding content profiles to policies .............................................................................. 169
Users and authentication .................................................................................. 171
Setting authentication timeout......................................................................................... 172
Adding user names and configuring authentication ........................................................ 172
Adding user names and configuring authentication .................................................... 172
Deleting user names from the internal database ........................................................ 173
Configuring RADIUS support .......................................................................................... 174
Adding RADIUS servers ............................................................................................. 174
Deleting RADIUS servers ........................................................................................... 174
Configuring LDAP support .............................................................................................. 175
Adding LDAP servers.................................................................................................. 175
Deleting LDAP servers................................................................................................ 176
Configuring user groups.................................................................................................. 177
Adding user groups..................................................................................................... 177
Deleting user groups................................................................................................... 178
IPSec VPN........................................................................................................... 179
Key management............................................................................................................ 180
Manual Keys ............................................................................................................... 180
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 180
Manual key IPSec VPNs................................................................................................. 181
General configuration steps for a manual key VPN .................................................... 181
Adding a manual key VPN tunnel ............................................................................... 181
AutoIKE IPSec VPNs ...................................................................................................... 182
General configuration steps for an AutoIKE VPN ....................................................... 183
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 183
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 188
Managing digital certificates............................................................................................ 190
Obtaining a signed local certificate ............................................................................. 190
Obtaining CA certificates ............................................................................................ 192
Configuring encrypt policies............................................................................................ 193
Adding a source address ............................................................................................ 194
Adding a destination address...................................................................................... 194
Adding an encrypt policy............................................................................................. 195
IPSec VPN concentrators ............................................................................................... 196
VPN concentrator (hub) general configuration steps .................................................. 197
Adding a VPN concentrator ........................................................................................ 198
VPN spoke general configuration steps...................................................................... 199
Monitoring and Troubleshooting VPNs ........................................................................... 201
Viewing VPN tunnel status.......................................................................................... 201
Viewing dialup VPN connection status ....................................................................... 201
Testing a VPN............................................................................................................. 202
PPTP and L2TP VPN .......................................................................................... 203
Configuring PPTP ........................................................................................................... 203
Configuring the FortiGate unit as a PPTP gateway .................................................... 203
Configuring a Windows 98 client for PPTP ................................................................. 206
Configuring a Windows 2000 client for PPTP ............................................................. 207
Configuring a Windows XP client for PPTP ................................................................ 207
Configuring L2TP............................................................................................................ 209
Configuring the FortiGate unit as an L2TP gateway ................................................... 209
Configuring a Windows 2000 client for L2TP.............................................................. 211
Configuring a Windows XP client for L2TP ................................................................. 213
Network Intrusion Detection System (NIDS) ................................................... 215
Detecting attacks ............................................................................................................ 215
Selecting the interfaces to monitor.............................................................................. 216
Disabling monitoring interfaces................................................................................... 216
Configuring checksum verification .............................................................................. 216
Viewing the signature list ............................................................................................ 217
Viewing attack descriptions......................................................................................... 217
Disabling NIDS attack signatures ............................................................................... 218
Adding user-defined signatures .................................................................................. 218
Preventing attacks .......................................................................................................... 220
Enabling NIDS attack prevention ................................................................................ 220
Enabling NIDS attack prevention signatures .............................................................. 220
Setting signature threshold values.............................................................................. 221
Logging attacks............................................................................................................... 222
Logging attack messages to the attack log................................................................. 222
Reducing the number of NIDS attack log and email messages.................................. 222
Antivirus protection........................................................................................... 225
General configuration steps............................................................................................ 225
Antivirus scanning........................................................................................................... 226
File blocking.................................................................................................................... 227
Blocking files in firewall traffic ..................................................................................... 227
Adding file patterns to block........................................................................................ 227
Blocking oversized files and emails ................................................................................ 228
Configuring limits for oversized files and email........................................................... 228
Exempting fragmented email from blocking.................................................................... 228
Viewing the virus list ....................................................................................................... 229
Web filtering ....................................................................................................... 231
General configuration steps............................................................................................ 231
Content blocking ............................................................................................................. 232
Adding words and phrases to the Banned Word list ................................................... 232
Clearing the Banned Word list .................................................................................... 233
Backing up the Banned Word list................................................................................ 233
Restoring the Banned Word list .................................................................................. 233
URL blocking................................................................................................................... 235
Configuring FortiGate Web URL blocking ................................................................... 235
Configuring FortiGate Web pattern blocking............................................................... 237
Configuring Cerberian URL filtering ................................................................................ 238
Installing a Cerberian license key ............................................................................... 238
Adding a Cerberian user ............................................................................................. 238
Configuring Cerberian web filter ................................................................................. 239
Enabling Cerberian URL filtering ................................................................................ 239
Script filtering .................................................................................................................. 240
Enabling script filtering................................................................................................ 240
Selecting script filter options ....................................................................................... 240
Exempt URL list .............................................................................................................. 241
Adding URLs to the URL Exempt list .......................................................................... 241
Downloading the URL Exempt List ............................................................................. 242
Uploading a URL Exempt List..................................................................................... 242
Email filter........................................................................................................... 245
General configuration steps............................................................................................ 245
Email banned word list.................................................................................................... 246
Adding words and phrases to the email banned word list........................................... 246
Downloading the email banned word list .................................................................... 247
Uploading the email banned word list ......................................................................... 247
Email block list ................................................................................................................ 248
Adding address patterns to the email block list........................................................... 248
Downloading the email block list................................................................................. 248
Uploading an email block list ...................................................................................... 249
Email exempt list............................................................................................................. 249
Adding address patterns to the email exempt list ....................................................... 250
Adding a subject tag ....................................................................................................... 250
Logging and reporting....................................................................................... 251
Recording logs................................................................................................................ 251
Recording logs on a remote computer ........................................................................ 251
Recording logs on a NetIQ WebTrends server ........................................................... 252
Log message levels .................................................................................................... 253
Filtering log messages .................................................................................................... 253
Configuring traffic logging ............................................................................................... 254
Enabling traffic logging................................................................................................ 255
Configuring traffic filter settings................................................................................... 255
Adding traffic filter entries ........................................................................................... 256
Configuring alert email .................................................................................................... 257
Adding alert email addresses...................................................................................... 257
Testing alert email....................................................................................................... 258
Enabling alert email .................................................................................................... 258
Glossary ............................................................................................................. 259
Index .................................................................................................................... 263

Introduction

The FortiGate-50A Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications.
Your FortiGate-50A is a dedicated easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

NAT/Route mode and Transparent mode

The FortiGate can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, the FortiGate-50A is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation (NAT) to protect the internal private network. You can control whether firewall policies run in NAT mode or route mode. NAT mode policies route allowed connections between firewall interfaces, performing network address translation to hide addresses on the protected internal networks. Route mode policies route allowed connections between firewall interfaces without performing network address translation.

Transparent mode

Transparent Mode provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the FortiGate unit must be in the same subnet and the FortiGate unit can be inserted into your network at any point without the need to make any changes to your network.

Document conventions

This guide uses the following conventions to describe CLI command syntax.
angle brackets < > to indicate variable keywords
For example:
execute restore config <filename_str>
You enter execute restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.
vertical bar and curly brackets { | } to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent
square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
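The following Python script is an added example, not part of this guide and not Fortinet code. It turns a syntax line written in the conventions above into a template and checks whether a typed command satisfies it: <xxx_str>, <xxx_integer> and <xxx_ip> are typed variables, {a | b} is a required choice and [word] is optional. The three templates from this section are used as-is; the template "example <addr_ip> <count_integer>" in the demonstration is hypothetical and only exercises the typed variables.

```python
"""Matcher for the CLI syntax notation used in this guide (added example).

Not Fortinet code: it only models the documented notation so that a command
can be checked against a syntax line before it is typed on the console.
"""
import ipaddress
import re

# A template is a sequence of <var>, {a | b}, [optional] or literal tokens.
_TOKEN_RE = re.compile(r"<[^>]+>|\{[^}]+\}|\[[^\]]+\]|\S+")


def tokenize_template(template):
    """Split a syntax line into (kind, spec) tokens."""
    tokens = []
    for tok in _TOKEN_RE.findall(template):
        if tok.startswith("<"):
            # <filename_str> -> variable of kind "str"; likewise integer / ip
            kind = tok[1:-1].rsplit("_", 1)[-1]
            tokens.append(("var", kind))
        elif tok.startswith("{"):
            choices = [c.strip() for c in tok[1:-1].split("|")]
            tokens.append(("choice", choices))
        elif tok.startswith("["):
            tokens.append(("optional", tok[1:-1].strip()))
        else:
            tokens.append(("literal", tok))
    return tokens


def _value_ok(kind, word):
    """Check a typed word against the variable kind from the notation."""
    if kind == "integer":
        return word.lstrip("-").isdigit()
    if kind == "ip":
        try:
            ipaddress.ip_address(word)
            return True
        except ValueError:
            return False
    return kind == "str"  # any single ASCII word is an acceptable string


def matches(template, command):
    """Return True if `command` is a valid instance of `template`."""
    tokens = tokenize_template(template)
    words = command.split()
    i = 0
    for kind, spec in tokens:
        if kind == "optional":
            if i < len(words) and words[i] == spec:
                i += 1          # present: consume it; absent: skip the token
            continue
        if i >= len(words):
            return False        # required token missing
        word = words[i]
        if kind == "literal" and word != spec:
            return False
        if kind == "choice" and word not in spec:
            return False
        if kind == "var" and not _value_ok(spec, word):
            return False
        i += 1
    return i == len(words)      # no trailing, unexplained words


if __name__ == "__main__":
    # The three templates from this section, each with a valid and an invalid form.
    checks = [
        ("execute restore config <filename_str>", "execute restore config myfile.bak"),
        ("execute restore config <filename_str>", "execute restore config"),
        ("set system opmode {nat | transparent}", "set system opmode nat"),
        ("set system opmode {nat | transparent}", "set system opmode route"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding other"),
        # hypothetical template, only to show the typed variables
        ("example <addr_ip> <count_integer>", "example 192.168.1.99 5"),
    ]
    for template, command in checks:
        print(f"{command!r:50} -> {matches(template, command)}")
```

Optional keywords are the only tokens that may be absent, and a command with extra trailing words is rejected, which mirrors how the notation is meant to be read.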

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com   For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com   For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com     For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
Your name
Company name
Location
Email address
Telephone number
FortiGate unit serial number
FortiGate model
FortiGate FortiOS firmware version
Detailed description of the problem

Getting started

This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:
If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 33.
If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 41.
This chapter describes:
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Planning the FortiGate configuration
FortiGate model maximum values matrix
Next steps

Package contents

The FortiGate-50A package contains the following items:
the FortiGate-50A Antivirus Firewall
one orange cross-over ethernet cable
one gray regular ethernet cable
one null-modem cable
FortiGate-50A QuickStart Guide
A CD containing the FortiGate user documentation
one AC adapter
Figure 1: FortiGate-50A package contents
(Figure: the front of the unit with the Power (PWR) and Status LEDs; the back of the unit with the Internal and External interfaces and their LINK and 100 LEDs, the Console RS-232 serial connection, the USB port and the power connection; the orange crossover and grey straight-through ethernet cables, the null-modem (RS-232) cable, the power cable and power supply, the QuickStart Guide and the documentation CD.)

Mounting

The FortiGate-50A unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Dimensions

8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)

Weight

1.5 lb. (0.68 kg)

Power requirements

DC input voltage: 5 V
DC input current: 3 A

Environmental specifications

Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing

Powering on

To power on the FortiGate-50A unit
1 Connect the AC adapter to the power connection at the back of the FortiGate-50A unit.
2 Connect the AC adapter to a power outlet.
The FortiGate-50A starts up. The Power and Status lights light. The Status light flashes while the unit is starting up and turns off when the system is up and running.
Table 1: FortiGate-50A LED indicators
LED                        State           Description
Power                      Green           The FortiGate unit is powered on.
                           Off             The FortiGate unit is powered off.
Status                     Green           The FortiGate unit is starting.
                           Off             The FortiGate unit is operating normally.
Link (Internal, External)  Green           The correct cable is in use and the connected equipment has power.
                           Flashing Green  Network activity at this interface.
                           Off             No link established.
100 (Internal, External)   Green           The interface is connected at 100 Mbps.

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.
To connect to the web-based manager, you need:
a computer with an ethernet connection,
Internet Explorer version 4.0 or higher,
a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
To connect to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiGate DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2 Using the crossover cable or the ethernet hub and cables, connect the internal interface of the FortiGate unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99.
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information in this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 2: FortiGate login

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.
To connect to the FortiGate CLI, you need:
a computer with an available communications port,
the null modem cable included in your FortiGate package,
terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI
1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
2 Make sure that the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
6 Press Enter to connect to the FortiGate CLI.
The following prompt is displayed:
FortiGate-50A login:
7 Type admin and press Enter twice.
The following prompt is displayed:
Type ? for a list of commands.
For information about how to use the CLI, see the FortiGate CLI Reference Guide.

Factory default FortiGate configuration settings

The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. To configure the FortiGate unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required.
If you plan to operate the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto the network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.
Factory default DHCP configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles

Factory default DHCP configuration

When the FortiGate unit is first powered on, the external interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiGate unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiGate unit DHCP server. For more information about the FortiGate DHCP server, see “Configuring DHCP services” on
page 104.
Table 2: FortiGate DHCP Server default configuration
Enable DHCP      ✓ (enabled)
Starting IP      192.168.1.1
Ending IP        192.168.1.254
Netmask          255.255.255.0
Lease Duration   604800 seconds
Default Route    192.168.1.99
Exclusion Range  192.168.1.99 - 192.168.1.99

Factory default NAT/Route mode network configuration

When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to the network. In Table 3, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 3: Factory default NAT/Route mode network configuration
Administrator account   User name: admin
                        Password: (none)
Internal interface      IP: 192.168.1.99
                        Netmask: 255.255.255.0
                        Management Access: HTTPS, Ping
External interface      Addressing Mode: DHCP
                        Management Access: Ping

Factory default Transparent mode network configuration

If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 4.
Table 4: Factory default Transparent mode network configuration
Administrator account   User name: admin
                        Password: (none)
Management IP           IP: 10.10.10.1
                        Netmask: 255.255.255.0
DNS                     Primary DNS Server: 207.194.200.1
                        Secondary DNS Server: 207.194.200.129
Management access       Internal: HTTPS, Ping
                        External: Ping

Factory default firewall configuration

The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Table 5: Factory default firewall configuration
Internal Address
  Internal_All            IP: 0.0.0.0, Mask: 0.0.0.0. Represents all of the IP addresses on the internal network.
External Address
  External_All            IP: 0.0.0.0, Mask: 0.0.0.0. Represents all of the IP addresses on the external network.
Recurring Schedule
  Always                  The schedule is valid at all times. This means that the firewall policy is valid at all times.
Firewall Policy
  Int->Ext                Firewall policy for connections from the internal network to the external network.
  Source                  Internal_All. The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
  Destination             External_All. The policy destination address. External_All means that the policy accepts connections with a destination address to any IP address on the external network.
  Schedule                Always. The policy schedule. Always means that the policy is valid at any time.
  Service                 ANY. The policy service. ANY means that this policy processes connections for all services.
  Action                  ACCEPT. The policy action. ACCEPT means that the policy allows connections.
  NAT                     ✓ NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
  Traffic Shaping         Traffic shaping is not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
  Authentication          Authentication is not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
  Antivirus & Web Filter  ✓ Antivirus & Web Filter is selected.
  Content Profile         Scan. The scan content profile is selected. The policy scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See “Scan content profile” on page 26 for more information about the scan content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy.
  Log Traffic             Log Traffic is not selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.

Factory default content profiles

You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for:
Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
Web content filtering for HTTP network traffic
Email filtering for IMAP and POP3 network traffic
Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You do not need to use the strict content profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum content screening protection.
Table 6: Strict content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      ✓      ✓      ✓      ✓
File Block                  ✓      ✓      ✓      ✓      ✓
Web URL Block               ✓
Web Content Block           ✓
Web Script Filter           ✓
Web Exempt List             ✓
Email Block List                          ✓      ✓
Email Exempt List                         ✓      ✓
Email Content Block                       ✓      ✓
Oversized File/Email Block  block  block  block  block  block
Pass Fragmented Emails
Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Table 7: Scan content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      ✓      ✓      ✓      ✓
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails
Web content profile
Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 8: Web content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓
File Block
Web URL Block               ✓
Web Content Block           ✓
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 9: Unfiltered content profile
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List             ✓
Email Block List
Email Exempt List                         ✓      ✓
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails                    ✓      ✓      ✓

Planning the FortiGate configuration

Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces.
Your configuration plan depends on the operating mode that you select. The FortiGate unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
External is the interface to the external network (usually the Internet).
Internal is the interface to the internal network.
You can add security policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation.
By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.
You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
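The policy behaviour described above (ordered policies matched on source address, destination address and service, an implicit deny when nothing matches, and source translation only for NAT mode policies) can be modelled in a few lines. The following Python is an added illustration and is not FortiGate code; the internal subnet and external address come from the guide's figures, while the policy structure, the web-server policy and the public peer address 198.51.100.7 are constructed for the example.

```python
"""Ordered security-policy evaluation with NAT, modelled on the NAT/Route mode
description in the guide.  Added illustration, not FortiGate code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addressing taken from the guide's example figures.
INTERNAL_NET = ip_network("192.168.1.0/24")
EXTERNAL_IP = "204.23.1.5"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    src_iface: str          # "internal" or "external"
    dst_iface: str
    src_net: str            # CIDR; "0.0.0.0/0" means any address
    dst_net: str
    services: frozenset     # {(proto, port)}; {("any", 0)} means any service
    nat: bool               # True: NAT mode policy, False: Route mode policy


def interface_for(addr: str) -> str:
    """The interface a packet enters or leaves by is decided by its subnet."""
    return "internal" if ip_address(addr) in INTERNAL_NET else "external"


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    """A policy matches on interface pair, source address, destination address and service."""
    if (interface_for(pkt.src), interface_for(pkt.dst)) != (policy.src_iface, policy.dst_iface):
        return False
    if ip_address(pkt.src) not in ip_network(policy.src_net):
        return False
    if ip_address(pkt.dst) not in ip_network(policy.dst_net):
        return False
    return ("any", 0) in policy.services or (pkt.proto, pkt.dport) in policy.services


def forward(policies, pkt: Packet):
    """Walk the ordered policy list; the first match decides.  No match is an implicit deny.
    Returns (action, matched policy name or None, the packet as it leaves the unit)."""
    for policy in policies:
        if policy_matches(policy, pkt):
            if policy.nat:
                # NAT mode: the source address is translated to the external interface address
                return "allow", policy.name, replace(pkt, src=EXTERNAL_IP)
            return "allow", policy.name, pkt      # Route mode: no translation
    return "deny", None, pkt


# The factory default: one Int->Ext NAT mode policy permitting any service.
DEFAULT_POLICIES = [
    Policy("Int->Ext default", "internal", "external", "0.0.0.0/0", "0.0.0.0/0",
           frozenset({("any", 0)}), nat=True),
]

# A Route mode policy an administrator might add for an internal web server (constructed).
WEB_SERVER_POLICY = Policy("Ext->Int web", "external", "internal", "0.0.0.0/0",
                           "192.168.1.10/32", frozenset({("tcp", 80)}), nat=False)

if __name__ == "__main__":
    outbound = Packet("192.168.1.3", "198.51.100.7", "tcp", 80)
    inbound = Packet("198.51.100.7", "192.168.1.10", "tcp", 80)
    print(forward(DEFAULT_POLICIES, outbound))                       # allowed, source becomes 204.23.1.5
    print(forward(DEFAULT_POLICIES, inbound))                        # denied: no Ext->Int policy yet
    print(forward(DEFAULT_POLICIES + [WEB_SERVER_POLICY], inbound))  # allowed, no translation
```

With only the default policy, the inbound connection to the web server is dropped by the implicit deny; it is the added Ext->Int policy, restricted to one host and one service, that opens it, and because that policy is a Route mode policy the packet is forwarded unchanged.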
Figure 3: Example NAT/Route mode network configuration
[Figure: a FortiGate-50A in NAT/Route mode between an internal network (192.168.1.3, internal interface 192.168.1.99) and the Internet (external interface 204.23.1.5); NAT mode policies control traffic between the internal and external networks.]

Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewall functions as well as antivirus and content scanning but not VPN.
Figure 4: Example Transparent mode network configuration
[Figure: a FortiGate-50A in Transparent mode (management IP 10.10.10.1) between an internal network (10.10.10.3) and a gateway to the public network at 204.23.1.5 (firewall or router) that leads to the Internet; Transparent mode policies control traffic between the internal and external networks.]

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiGate unit.
You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Setup wizard
If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the setup wizard prompts you to add the administration password and internal interface address. The setup wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the external interface. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.
If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and the Internal interface address. You can also use the CLI to configure the external interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network.
If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.

FortiGate model maximum values matrix

Table 10: FortiGate maximum values matrix

                                     FortiGate model
                                     50A    60     100    200    300    400    500    800    1000   3000   3600   4000
Routes                               500    500    500    500    500    500    500    500    500    500    500    500
Policy routing gateways              500    500    500    500    500    500    500    500    500    500    500    500
Administrative users                 500    500    500    500    500    500    500    500    500    500    500    500
VLAN subinterfaces                   N/A    N/A    N/A    4096*  4096*  4096*  4096*  4096*  4096*  4096*  4096*  4096*
Zones                                N/A    N/A    N/A    100    100    100    100    100    200    300    500    500
Virtual domains                      N/A    N/A    N/A    16     32     64     64     64     128    512    512    512
DHCP address scopes                  32     32     32     32     32     32     32     32     32     32     32     32
DHCP reserved IP/MAC pairs           10     20     30     30     50     50     100    100    200    200    200    200
Firewall policies                    200    500    1000   2000   5000   5000   20000  20000  50000  50000  50000  50000
Firewall addresses                   500    500    500    500    3000   3000   6000   6000   10000  10000  10000  10000
Firewall address groups              500    500    500    500    500    500    500    500    500    500    500    500
Firewall custom services             500    500    500    500    500    500    500    500    500    500    500    500
Firewall service groups              500    500    500    500    500    500    500    500    500    500    500    500
Firewall recurring schedules         256    256    256    256    256    256    256    256    256    256    256    256
Firewall onetime schedules           256    256    256    256    256    256    256    256    256    256    256    256
Firewall virtual IPs                 500    500    500    500    500    500    500    500    500    500    500    500
Firewall IP pools                    50     50     50     50     50     50     50     50     50     50     50     50
IP/MAC binding table entries         500    500    500    500    500    500    500    500    500    500    500    500
Firewall content profiles            32     32     32     32     32     32     32     32     32     32     32     32
User names                           20     500    1000   1000   1000   1000   1000   1000   1000   1000   1000   1000
Radius servers                       6      6      6      6      6      6      6      6      6      6      6      6
LDAP servers                         6      6      6      6      6      6      6      6      6      6      6      6
User groups                          100    100    100    100    100    100    100    100    100    100    100    100
Total number of user group members   300    300    300    300    300    300    300    300    300    300    300    300
IPSec remote gateways (Phase 1)      20     50     80     200    1500   1500   3000   3000   5000   5000   5000   5000
IPSec VPN tunnels (Phase 2)          20     50     80     200    1500   1500   3000   3000   5000   5000   5000   5000
IPSec VPN concentrators              500    500    500    500    500    500    500    500    500    500    500    500
PPTP users                           500    500    500    500    500    500    500    500    500    500    500    500
L2TP users                           500    500    500    500    500    500    500    500    500    500    500    500
NIDS user-defined signatures         100    100    100    100    100    100    100    100    100    100    100    100
Antivirus file block patterns        56     56     56     56     56     56     56     56     56     56     56     56
Web filter and email filter lists    Limit varies depending on available system memory. Fortinet recommends limiting the total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering.
Log setting traffic filter entries   50     50     50     50     50     50     50     50     50     50     50     50

* Includes the number of physical interfaces.

Next steps

Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks:
If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 33.
If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 41.

NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on page 41.
This chapter describes:
Installing the FortiGate unit using the default configuration
Preparing to configure NAT/Route mode
Using the setup wizard
Using the command line interface
Connecting the FortiGate unit to your networks
Configuring your networks
Completing the configuration

Installing the FortiGate unit using the default configuration

Depending on your requirements, you may be able to deploy the FortiGate unit without changing its factory default configuration. If the factory default settings in Table 11 are compatible with your requirements, all you need to do is configure your internal network and then connect the FortiGate unit.
Table 11: FortiGate unit factory default configuration
Operating Mode: NAT/Route mode.
Firewall Policy: One NAT mode policy that allows users on the internal network to access any Internet service. No other traffic is allowed. All web and email traffic is scanned for viruses.
External interface: The External interface receives its IP address by DHCP from your Internet Service Provider (ISP).
DHCP Server on internal network: The FortiGate unit functions as a DHCP server for your internal network. If you configure the computers on your internal network to obtain an IP address automatically using DHCP, the FortiGate unit automatically sets the IP addresses of the computers in this range: Starting IP: 192.168.1.1, Ending IP: 192.168.1.254. One IP address is reserved for the FortiGate internal interface: 192.168.1.99.
To use the factory default configuration, follow these steps to install the FortiGate unit:
1 Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for assistance.
2 Complete the procedure in the section “Connecting the FortiGate unit to your networks” on page 37.

Changing the default configuration

You can use the procedures in this chapter to change the default configuration. For example, if your ISP assigns IP addresses using PPPoE instead of DHCP, you only need to change the configuration of the external interface. Use the information in the rest of this chapter to change the default configuration as required.

Preparing to configure NAT/Route mode

Use Table 12 to gather the information that you need to customize NAT/Route mode settings.
Table 12: NAT/Route mode settings
Administrator password: ______________
Internal interface
  IP: _____._____._____._____
  Netmask: _____._____._____._____
External interface
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____
Internal servers
  If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.
  Web Server: _____._____._____._____
  SMTP Server: _____._____._____._____
  POP3 Server: _____._____._____._____
  IMAP Server: _____._____._____._____
  FTP Server: _____._____._____._____

Advanced NAT/Route mode settings

Use Table 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Table 13: Advanced FortiGate NAT/Route mode settings
DHCP server
  The FortiGate unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
  Starting IP: _____._____._____._____
  Ending IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Route: _____._____._____._____
  DNS IP: _____._____._____._____

Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 19.

Starting the setup wizard

1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 12 on page 34 to fill in the wizard fields.
Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network the FortiGate unit adds an Ext->Int policy.

Reconnecting to the web-based manager

If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using a new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your FortiGate unit, and you can proceed to “Connecting the FortiGate unit to your networks” on page 37.

Using the command line interface

As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 20.

Configuring the FortiGate unit to operate in NAT/Route mode

Use the information that you gathered in Table 12 on page 34 to complete the following procedures.
Configuring NAT/Route mode IP addresses
1 Log into the CLI if you are not already logged in.
2 Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 12 on page 34. Enter:
set system interface internal mode static ip <IP address> <netmask>
Example
set system interface internal mode static ip 192.168.1.1 255.255.255.0
3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 12 on page 34. To set the manual IP address and netmask, enter:
set system interface external mode static ip <IP address> <netmask>
Example
set system interface external mode static ip 204.23.1.5 255.255.255.0
To set the external interface to use DHCP, enter:
set system interface external mode dhcp connection enable
To set the external interface to use PPPoE, enter:
set system interface external mode pppoe username <user name> password <password> connection enable
Example
set system interface external mode pppoe username user@domain.com password mypass connection enable
4 Confirm that the addresses are correct. Enter:
get system interface
The CLI lists the IP address, netmask and other settings for each of the FortiGate interfaces.
5 Set the primary DNS server IP address. Enter:
set system dns primary <IP address>
Example
set system dns primary 293.44.75.21
6 Optionally, set the secondary DNS server IP address. Enter:
set system dns secondary <IP address>
Example
set system dns secondary 293.44.75.22
7 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). Enter:
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2
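The CLI steps above are usually typed by hand, but the values come from the Table 12 worksheet, and a mistyped octet or a non-contiguous netmask is only discovered after the interface stops answering. The following Python is an added example, not part of the guide or of FortiOS: it validates each worksheet value and then emits exactly the command forms listed in steps 2 to 7. The worksheet keys (internal_ip, external_mode, pppoe_user and so on) and the sample DNS address 192.0.2.53 are constructed for the example; note that the guide's own sample DNS address, 293.44.75.21, has a first octet above 255 and is rejected by this check.

```python
"""Build the NAT/Route mode CLI command sequence from a worksheet, validating
addresses first.  Added example; not FortiGate code.  Command forms follow the
procedure in the guide; worksheet keys and sample values are constructed."""
from ipaddress import IPv4Address


def is_valid_ipv4(text: str) -> bool:
    """Accept only a dotted quad with four octets in 0..255 (IPv4Address enforces this)."""
    try:
        IPv4Address(text)
    except ValueError:
        return False
    return True


def is_valid_netmask(text: str) -> bool:
    """A netmask must be a valid address whose bits are contiguous ones followed by zeros."""
    if not is_valid_ipv4(text):
        return False
    inverted = int(IPv4Address(text)) ^ 0xFFFFFFFF   # host part as ones
    return inverted & (inverted + 1) == 0             # 2**k - 1 pattern check


def _addr(settings: dict, key: str) -> str:
    value = settings[key]
    if not is_valid_ipv4(value):
        raise ValueError(f"{key}: {value!r} is not a valid IPv4 address")
    return value


def _mask(settings: dict, key: str) -> str:
    value = settings[key]
    if not is_valid_netmask(value):
        raise ValueError(f"{key}: {value!r} is not a valid netmask")
    return value


def nat_route_commands(settings: dict) -> list:
    """Return the CLI lines for steps 2, 3, 5, 6 and 7 of the NAT/Route mode procedure."""
    cmds = [f"set system interface internal mode static ip "
            f"{_addr(settings, 'internal_ip')} {_mask(settings, 'internal_mask')}"]
    mode = settings["external_mode"]
    if mode == "static":
        cmds.append(f"set system interface external mode static ip "
                    f"{_addr(settings, 'external_ip')} {_mask(settings, 'external_mask')}")
    elif mode == "dhcp":
        cmds.append("set system interface external mode dhcp connection enable")
    elif mode == "pppoe":
        # The PPPoE password is written into the script in clear text: protect the output file.
        cmds.append(f"set system interface external mode pppoe username {settings['pppoe_user']} "
                    f"password {settings['pppoe_password']} connection enable")
    else:
        raise ValueError(f"external_mode must be static, dhcp or pppoe, not {mode!r}")
    cmds.append(f"set system dns primary {_addr(settings, 'dns_primary')}")
    if settings.get("dns_secondary"):
        cmds.append(f"set system dns secondary {_addr(settings, 'dns_secondary')}")
    if mode == "static":
        # Step 7: a default route is only needed when the external address is set manually.
        cmds.append(f"set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 "
                    f"{_addr(settings, 'default_gateway')}")
    return cmds


# Constructed worksheet matching the guide's static-address example.
WORKSHEET = {
    "internal_ip": "192.168.1.1", "internal_mask": "255.255.255.0",
    "external_mode": "static", "external_ip": "204.23.1.5", "external_mask": "255.255.255.0",
    "dns_primary": "192.0.2.53", "dns_secondary": "",
    "default_gateway": "204.23.1.2",
}

if __name__ == "__main__":
    for line in nat_route_commands(WORKSHEET):
        print(line)
```

Run the generated lines against the CLI in order, then confirm the result with get system interface as in step 4; a ValueError from the generator means the worksheet, not the unit, needs correcting.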
Figure 5: FortiGate-50A network connections
[Figure: the FortiGate-50A Internal interface connects to the hub, switch or router of the internal network, to which the management computer is also attached; the External interface connects to the public switch or router leading to the Internet.]

Connecting the FortiGate unit to your networks

When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
There are two 10/100 BaseTX connectors on the FortiGate-50A:
Internal for connecting to your internal network,
External for connecting to the Internet.
To connect the FortiGate-50A unit:
1 Connect the Internal interface to the hub or switch connected to your internal network.
2 Connect the External interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.

Configuring your networks

If you are operating the FortiGate unit in NAT/Route mode, your internal network must be configured to route all Internet traffic to the FortiGate internal interface. Change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface. For the external network, route all packets to the FortiGate external interface.
If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.

Completing the configuration

Use the information in this section to complete the initial configuration of the FortiGate unit.

Setting the date and time

For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiGate system date and time, see “Setting system date and time” on page 121.

Changing antivirus protection

By default, the FortiGate unit scans all web and email content for viruses. You can use the following procedure to change the antivirus configuration. To change the antivirus configuration:
1 Select Edit to edit this policy.
2 For Anti-Virus & Web Filter you can select a different Content Profile.
See “Factory default content profiles” on page 25 for descriptions of the default content profiles.
3 Select OK to save your changes.
You can also add your own content profiles. See “Adding content profiles” on page 167.

Registering your FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate units” on page 83.

Configuring virus and attack definition updates

You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack definitions” on page 73.

Transparent mode installation

This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 33.
This chapter describes:
Preparing to configure Transparent mode
Using the setup wizard
Using the command line interface
Connecting the FortiGate unit to your networks
Completing the configuration
Transparent mode configuration examples

Preparing to configure Transparent mode

Use Table 14 to gather the information that you need to customize Transparent mode settings.
Table 14: Transparent mode settings
Administrator Password: ______________
Management IP
  The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
DNS Settings
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____

Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 19.

Changing to Transparent mode

The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK.
The FortiGate unit changes to Transparent mode.
To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiGate Transparent mode management IP address is 10.10.10.1.

Starting the setup wizard

1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 14 on page 41 to fill in the wizard fields.
Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.

Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.

Using the command line interface

As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 20. Use the information that you gathered in Table 14 on page 41 to complete the following procedures.

Changing to Transparent mode

1 Log into the CLI if you are not already logged in.
2 Switch to Transparent mode. Enter:
set system opmode transparent
After a few seconds, the login prompt appears.
3 Type admin and press Enter.
The following prompt appears:
Type ? for a list of commands.
4 Confirm that the FortiGate unit has switched to Transparent mode. Enter:
get system status
The CLI displays the status of the FortiGate unit. The last line shows the current operation mode.
Operation mode: Transparent

Configuring the Transparent mode management IP address

1 Log into the CLI if you are not already logged in.
2 Set the management IP address and netmask to the IP address and netmask that you
recorded in Table 14 on page 41. Enter:
set system management ip <IP address> <netmask>
Example
set system management ip 10.10.10.2 255.255.255.0
3 Confirm that the address is correct. Enter:
get system management
The CLI lists the management IP address and netmask.

Configure the Transparent mode default gateway

1 Log into the CLI if you are not already logged in.
2 Set the default route to the default gateway that you recorded in Table 14 on page 41.
Enter:
set system route number <number> gw1 <IP address>
Example
set system route number 1 gw1 204.23.1.2
You have now completed the initial configuration of the FortiGate unit.

Connecting the FortiGate unit to your networks

When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
There are two 10/100 BaseTX connectors on the FortiGate-50A unit:
Internal for connecting to your internal network,
External for connecting to the Internet.
To connect the FortiGate unit:
1 Connect the Internal interface to the hub or switch connected to your internal network.
2 Connect the External interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider.
Figure 6: FortiGate-50A network connections
[Figure: the FortiGate-50A Internal interface connects to the hub, switch or router of the internal network, to which the management computer is also attached; the External interface connects to the public switch or router leading to the Internet.]
In Transparent mode, the FortiGate unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution.
A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic.

Completing the configuration

Use the information in this section to complete the initial configuration of the FortiGate unit.

Setting the date and time

For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the date and time or you can configure the FortiGate unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiGate system date and time, see “Setting system date and time” on page 121.

Enabling antivirus protection

To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1 Go to Firewall > Policy > Int->Ext.
2 Select Edit to edit this policy.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save your changes.

Registering your FortiGate

After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate units” on page 83.

Configuring virus and attack definition updates

You can configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack definitions” on page 73.

Transparent mode configuration examples

A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and attack definition updates. Also, the unit must have sufficient route information to reach:
the management computer,
the FortiResponse Distribution Network (FDN),
a DNS server.
A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
This section describes:
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination

Default routes and static routes

To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router (otherwise known as the default gateway). A static route matches a more specific prefix and forwards traffic to the next hop router.
Default route example:
IP Prefix: 0.0.0.0 (IP address), 0.0.0.0 (Netmask)
Next Hop: 192.168.1.2
Static route example:
IP Prefix: 172.100.100.0 (IP address), 255.255.255.0 (Netmask)
Next Hop: 192.168.1.2
Note: When adding routes to the FortiGate unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.
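The note above matters because a route list searched from the top takes the first prefix that contains the destination, so a default route (which contains everything) placed first hides every static route below it. The following Python is an added illustration, not FortiGate code, and also applies to the static-plus-default route layouts in the example subsections that follow; the two prefixes are the guide's examples, while the next hop of the static route (192.168.1.254) is constructed so that the two routes can be told apart. It contrasts the top-down search with longest-prefix selection and adds a check that reports routes shadowed by an earlier, broader entry.

```python
"""Route selection over an ordered route list.  Added illustration of the
"add the default route last" note; not FortiGate code."""
from ipaddress import ip_address, ip_network

# (name, IP prefix, netmask, next hop); the static next hop is constructed.
STATIC = ("static 172.100.100.0/24", "172.100.100.0", "255.255.255.0", "192.168.1.254")
DEFAULT = ("default", "0.0.0.0", "0.0.0.0", "192.168.1.2")


def _net(route):
    """Prefix and dotted netmask as an IPv4Network."""
    return ip_network(f"{route[1]}/{route[2]}")


def first_match(routes, dst):
    """Top-down search: the first prefix containing dst wins, so list order decides.
    Returns the next hop, or None when no route (not even a default) matches."""
    d = ip_address(dst)
    for route in routes:
        if d in _net(route):
            return route[3]
    return None


def longest_prefix_match(routes, dst):
    """Order-independent selection: the most specific matching prefix wins."""
    d = ip_address(dst)
    best = None
    for route in routes:
        net = _net(route)
        if d in net and (best is None or net.prefixlen > _net(best).prefixlen):
            best = route
    return best[3] if best else None


def shadowed_routes(routes):
    """Names of routes a top-down search can never select, because an earlier entry's
    prefix already contains their whole prefix.  A default route at the top shadows all."""
    names = []
    for i, route in enumerate(routes):
        net = _net(route)
        if any(net.subnet_of(_net(earlier)) for earlier in routes[:i]):
            names.append(route[0])
    return names


if __name__ == "__main__":
    wrong_order = [DEFAULT, STATIC]     # default route added first
    right_order = [STATIC, DEFAULT]     # default route added last, as the note says
    print(first_match(wrong_order, "172.100.100.5"))          # 192.168.1.2   (static route ignored)
    print(first_match(right_order, "172.100.100.5"))          # 192.168.1.254
    print(longest_prefix_match(wrong_order, "172.100.100.5")) # 192.168.1.254 regardless of order
    print(shadowed_routes(wrong_order))                       # ['static 172.100.100.0/24']
```

Running shadowed_routes over a planned route list before entering it on the unit catches the ordering mistake the note warns about; a non-empty result means a static route will never be used.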

Example default route to an external network

Figure 7 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
Figure 7: Default route to an external network (figure: the FortiGate-50A, Management IP 192.168.1.1, sits between the Internal Network and the Upstream Router at Gateway IP 192.168.1.2; the DNS server, the FortiResponse Distribution Network (FDN) and the Management Computer are reached through the Internet)
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the default route to the external network.
Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the default route to the external network:
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway: 192.168.1.2
Select OK.
CLI configuration steps
To configure the basic FortiGate settings and a default route using the CLI:
1 Change the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the default route to the external network.
set system route number 1 gw1 192.168.1.2

Example static route to an external destination

Figure 8 shows a FortiGate unit that requires routes to the FDN located on the external network. The FortiGate unit does not require routes to the DNS servers or management computer because they are located on the internal network.
To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network. If the static route becomes unavailable (perhaps because the IP address of the FortiResponse server changes), the FortiGate unit will still be able to receive antivirus and NIDS updates from the FDN using the default route.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 8: Static route to an external destination (figure: the FortiGate-50A, Management IP 192.168.1.1, sits between the Internal Network, where the DNS server and the Management Computer are located, and the Upstream Router at Gateway IP 192.168.1.2; the FortiResponse Distribution Network (FDN) server 24.102.233.5 is reached through the Internet)
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the FortiResponse server.
4 Configure the default route to the external network.
Web-based manager example configuration steps
To configure the basic FortiGate settings and a static route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the static route to the FortiResponse server:
Destination IP: 24.102.233.5
Mask: 255.255.255.0
Gateway: 192.168.1.2
Select OK.
Select New to add the default route to the external network:
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway: 192.168.1.2
Select OK.
CLI configuration steps
To configure the basic FortiGate settings and a static route using the CLI:
1 Set the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the primary FortiResponse server.
set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 192.168.1.2
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2

Example static route to an internal destination

Figure 9 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. (No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit.)
Figure 9: Static route to an internal destination (figure: the FortiGate-50A, Management IP 192.168.1.1, sits on Internal Network A together with the DNS server; the Upstream Router at Gateway IP 192.168.1.2 leads to the Internet and the FortiResponse Distribution Network (FDN); the Internal Router at Gateway IP 192.168.1.3 leads to Internal Network B and the Management Computer 172.16.1.11)
General configuration steps
1 Set the unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the management computer on the internal network.
4 Configure the default route to the external network.
Web-based manager example configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the static route to the management computer:
Destination IP: 172.16.1.11
Mask: 255.255.255.0
Gateway: 192.168.1.3
Select OK.
Select New to add the default route to the external network:
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway: 192.168.1.2
Select OK.
CLI configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the CLI:
1 Set the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the management computer.
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2
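The route lists built by the three examples above, together with the note in “Default routes and static routes” about adding the default route last, modelled as an added Python example; this is not Fortinet's code and not the FortiOS lookup implementation. It assumes that routes are consulted in route-number order with the first matching prefix winning and that the netmask is applied to the destination address, and it constructs a DNS server address (192.168.1.53) on the management subnet because the guide gives none.

```python
"""Route-list check for a FortiGate unit in Transparent mode.

Added example, not Fortinet's code.  It models the ordered route list that the
configuration examples build with "set system route number N ..." and checks
that the management computer, the FDN and the DNS server are each reachable,
either directly (same layer 3 subnet as the management IP) or through a listed
route.  First-match-in-list-order lookup and masking of the destination address
are assumptions of this model, taken from the guide's note about adding the
default route last; they are not a statement about the FortiOS 2.50 code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    """One entry as typed: set system route number <n> dst <ip> <mask> gw1 <gw>."""
    number: int        # position in the route list
    dst: str           # destination IP; 0.0.0.0 for the default route
    mask: str          # netmask; 0.0.0.0 for the default route
    gateway: str       # next hop (gw1)

    @property
    def prefix(self) -> ipaddress.IPv4Network:
        # Apply the mask to the destination, so the guide's host address
        # 24.102.233.5 / 255.255.255.0 becomes the prefix 24.102.233.0/24.
        return ipaddress.IPv4Network(f"{self.dst}/{self.mask}", strict=False)


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the first route, in route-number order, whose prefix contains destination."""
    ip = ipaddress.IPv4Address(destination)
    for route in sorted(routes, key=lambda r: r.number):
        if ip in route.prefix:
            return route
    return None


def shadowed(routes: List[Route]) -> List[int]:
    """Numbers of routes that can never match because an earlier route covers their prefix.

    A default route entered as number 1 shadows every static route that follows it,
    which is exactly what the guide's note warns about.
    """
    ordered = sorted(routes, key=lambda r: r.number)
    return [
        later.number
        for i, later in enumerate(ordered)
        if any(later.prefix.subnet_of(earlier.prefix) for earlier in ordered[:i])
    ]


def next_hop(mgmt_ip: str, mgmt_mask: str, routes: List[Route],
             destination: str) -> Optional[str]:
    """Gateway used to reach destination, "direct" if it is on the management subnet, else None."""
    on_link = ipaddress.IPv4Network(f"{mgmt_ip}/{mgmt_mask}", strict=False)
    if ipaddress.IPv4Address(destination) in on_link:
        return "direct"          # Figure 9: no route is needed for the DNS servers
    route = lookup(routes, destination)
    return route.gateway if route else None


def unreachable(mgmt_ip: str, mgmt_mask: str, routes: List[Route],
                required: Dict[str, str]) -> List[str]:
    """Names of required destinations that have neither an on-link path nor a matching route."""
    return [name for name, ip in required.items()
            if next_hop(mgmt_ip, mgmt_mask, routes, ip) is None]


# Figure 9 topology, entered in the order the guide gives (static route first).
FIGURE_9_ROUTES = [
    Route(1, "172.16.1.11", "255.255.255.0", "192.168.1.3"),   # management computer
    Route(2, "0.0.0.0", "0.0.0.0", "192.168.1.2"),             # default route
]

# Destinations the unit must reach.  The FDN address is the one used in
# Figure 8; the DNS address is constructed for this example and sits on the
# management subnet, as Figure 9 describes.
REQUIRED = {
    "management computer": "172.16.1.11",
    "FDN": "24.102.233.5",
    "DNS": "192.168.1.53",
}

if __name__ == "__main__":
    for name, ip in REQUIRED.items():
        hop = next_hop("192.168.1.1", "255.255.255.0", FIGURE_9_ROUTES, ip)
        print(f"{name:20s} {ip:15s} via {hop}")
    print("unreachable:", unreachable("192.168.1.1", "255.255.255.0", FIGURE_9_ROUTES, REQUIRED))

    # Same routes with the default route entered first: the static route is
    # shadowed and the management computer would be sent to the upstream router.
    misordered = [Route(1, "0.0.0.0", "0.0.0.0", "192.168.1.2"),
                  Route(2, "172.16.1.11", "255.255.255.0", "192.168.1.3")]
    print("shadowed route numbers:", shadowed(misordered))
    print("management computer via:", lookup(misordered, "172.16.1.11").gateway)
```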

System status

You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
If you log into the web-based manager using the admin administrator account, you can make any of the following changes to the FortiGate system settings:
Changing the FortiGate host name
Changing the FortiGate firmware
Manual virus definition updates
Manual attack definition updates
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
If you log into the web-based manager with another administrator account, you can view the system settings including:
Displaying the FortiGate serial number
Displaying the FortiGate up time
All administrative users can also go to the Monitor page and view FortiGate system status. System status displays FortiGate system health monitoring information, including CPU and memory status, session and network status (see “System status”).
All administrative users can also go to the Session page and view the active communication sessions to and through the FortiGate unit (see “Session list”).

Changing the FortiGate host name

The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 125.
The default host name is FortiGate-50A.
To change the FortiGate host name
1 Go to System > Status.
2 Select Edit Host Name.
3 Type a new host name.
4 Select OK.
The new host name is displayed on the Status page, and in the CLI prompt, and is added to the SNMP System Name.

Changing the FortiGate firmware

After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiGate unit.
Table 1: Firmware upgrade procedures
Procedure: Upgrading to a new firmware version
Description: Commonly-used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Procedure: Reverting to a previous firmware version
Description: Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiGate unit to its factory default configuration.
Procedure: Installing firmware images from a system reboot using the CLI
Description: Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
Procedure: Testing a new firmware image before installing it
Description: Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.

Upgrading to a new firmware version

Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 75 to make sure that antivirus and attack definitions are up to date.
To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “Manually initiating antivirus and attack definitions updates” on page 75.
Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 75 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To upgrade the firmware using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
6 Reconnect to the CLI.
7 To confirm that the new firmware image is successfully installed, enter:
get system status
8 Use the procedure “Manually initiating antivirus and attack definitions updates” on page 75 to update antivirus and attack definitions, or from the CLI, enter:
execute updatecenter updatenow
9 To confirm that the antivirus and attack definitions are successfully updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
get system objver

Reverting to a previous firmware version

Use the following procedures to revert your FortiGate unit to a previous firmware version.
Reverting to a previous firmware version using the web-based manager
The following procedures revert the FortiGate unit to its factory default configuration and delete NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
Back up the FortiGate unit configuration. For information, see “Backing up system settings” on page 64.
Back up the NIDS user-defined signatures. For information, see the FortiGate NIDS Guide.
Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 75 to make sure that antivirus and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the FortiGate web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade.
5 Type the path and filename of the previous firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration.
For information about restoring your configuration, see “Restoring system settings” on page 64.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “Manually initiating antivirus and attack definitions updates” on page 75.
Reverting to a previous firmware version using the CLI
This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
Back up the FortiGate unit configuration using the command execute backup config.
Back up the NIDS user-defined signatures using the command execute backup nidsuserdefsig.
Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 75 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to.
To revert to a previous firmware version using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK. This operation will downgrade the current firmware version! Do you want to continue? (y/n)
6 Type Y.
7 The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 Restore your previous configuration. Use the following command:
execute restore config
11 Update antivirus and attack definitions. For information, see “Manually initiating antivirus and attack definitions updates” on page 75, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
get system objver

Installing firmware images from a system reboot using the CLI

This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.
To perform this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure you can:
Back up the FortiGate unit configuration. For information, see “Backing up system settings” on page 64.
Back up the NIDS user-defined signatures. For information, see the FortiGate NIDS Guide.
Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 75 to make sure that antivirus and attack definitions are up to date.
To install firmware from a system reboot
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
Save as Default firmware/Run image without saving:[D/R]
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring the previous configuration
Change the internal interface addresses if required. You can do this from the CLI using the command:
set system interface
After changing the interface addresses, you can access the FortiGate unit from the web-based manager and restore the configuration.
To restore the FortiGate unit configuration, see “Restoring system settings” on page 64.
To restore NIDS user-defined signatures, see “Adding user-defined signatures” on page 218.
To restore web content filtering lists, see “Restoring the Banned Word list” on page 233 and “Uploading a URL block list” on page 236.
To restore email filtering lists, see “Uploading the email banned word list” on page 247 and “Uploading an email block list” on page 249.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Update the virus and attack definitions to the most recent version; see “Manually initiating antivirus and attack definitions updates” on page 75.

Testing a new firmware image before installing it

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrading to a new firmware version” on page 55.
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, press any key to interrupt the system startup.
As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
Save as Default firmware/Run image without saving:[D/R]
12 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image but with its current configuration.
13 You can log into the CLI or the web-based manager using any administrative account.
14 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.

Manual virus definition updates

The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate antivirus definitions.
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see “Virus and attack definitions updates and registration” on page 73. You can also manually start an antivirus definitions update by going to System > Update and selecting Update Now.
To update the antivirus definitions manually
1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the Antivirus Definitions Version section, select Definitions Update.
4 Type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information has updated.

Manual attack definition updates

The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS).
Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see “Virus and attack definitions updates and registration” on page 73. You can also manually start an attack definitions update by going to System > Update and selecting Update Now.
To update the attack definitions manually
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the Attack Definitions Version section, select Definitions Update.
4 Type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Attack Definitions Version information has updated.

Displaying the FortiGate serial number

1 Go to System > Status.
The serial number is displayed on the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.

Displaying the FortiGate up time

1 Go to System > Status.
The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.

Backing up system settings

You can back up system settings by downloading them to a text file on the management computer.
To back up system settings
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file.
The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.

Restoring system settings

You can restore system settings by uploading a previously downloaded system settings text file.
To restore system settings
1 Go to System > Status.
2 Select System Settings Restore.
3 Enter the path and filename of the system settings file, or select Browse and locate the file.
4 Select OK to restore the system settings file to the FortiGate unit.
The FortiGate unit restarts, loading the new system settings.
5 Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.

Restoring system settings to factory defaults

Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
To restore system settings to factory defaults
1 Go to System > Status.
2 Select Restore Factory Defaults.
3 Select OK to confirm.
The FortiGate unit restarts with the configuration that it had when it was first powered on.
4 Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
For information about restoring system settings, see “Restoring system settings” on page 64.

Changing to Transparent mode

Use the following procedure to change the FortiGate unit from NAT/Route mode to Transparent mode. After you change the FortiGate unit to Transparent mode, most of the configuration resets to Transparent mode factory defaults.
The following items are not set to Transparent mode factory defaults:
The admin administrator account password (see “Adding and editing administrator accounts” on page 123)
Custom replacement messages (see “Replacement messages” on page 133)
To change to Transparent mode
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to the internal interface. The default Transparent mode management IP address is 10.10.10.1.

Changing to NAT/Route mode

Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults.
The following items are not set to NAT/Route mode factory defaults:
The admin administrator account password (see “Adding and editing administrator accounts” on page 123)
Custom replacement messages (see “Replacement messages” on page 133)
To change to NAT/Route mode
1 Go to System > Status.
2 Select Change to NAT Mode.
3 Select NAT/Route in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal interface. The default internal interface IP address in NAT/Route mode is 192.168.1.99.

Restarting the FortiGate unit

1 Go to System > Status.
2 Select Restart.
The FortiGate unit restarts.

Shutting down the FortiGate unit

You can restart the FortiGate unit after shutdown only by turning the power off and then on.
1 Go to System > Status.
2 Select Shutdown.
The FortiGate unit shuts down and all traffic flow stops.

System status

You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
You can also view current virus and intrusion status. The web-based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours.
In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds. You can also refresh the display manually.
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status

Viewing CPU and memory status

Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
If CPU and memory use is low, the FortiGate unit is able to process much more network traffic than is currently running. If CPU and memory use is high, the FortiGate unit is performing near its full capacity. Putting additional demands on the system might cause traffic processing delays.
CPU and memory intensive processes, such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets, increase CPU and memory usage.
To view CPU and memory status
1 Go to System > Status > Monitor.
CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the previous minute.
2 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this occurs only when you are viewing the display using the web-based manager.
3 Select Refresh to manually update the information displayed.
Figure 1: CPU and memory status monitor

Viewing sessions and network status

Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is putting on system resources.
The Sessions section displays the total number of sessions being processed by the FortiGate unit on all interfaces. It also displays the sessions as a percentage of the maximum number of sessions that the FortiGate unit is designed to support.
The Network utilization section displays the total network bandwidth being used through all FortiGate interfaces. It also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
To view sessions and network status
1 Go to System > Status > Monitor.
2 Select Sessions & Network.
Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph.
3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
4 Select Refresh to manually update the information displayed.
Figure 2: Sessions and network status monitor

Viewing virus and intrusions status

Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
To view virus and intrusions status
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours.
3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
4 Select Refresh to manually update the information displayed.
Figure 3: Sessions and network status monitor

Session list

The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the FortiGate admin user can also stop active communication sessions.
To view the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2 To navigate the list of sessions, select Page Up or Page Down.
3 Select Refresh to update the session list.
4 If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session.
Each line of the session list displays the following information.
Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time, in seconds, before the connection expires.
Clear: Stop an active communication session.
Figure 4: Example session list

Virus and attack definitions updates and registration

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus engine. You have the following update options:
Request updates from the FDN,
Schedule updates to automatically request the latest versions hourly, daily, or weekly,
Set Push updates so that the FDN contacts your FortiGate unit when a new update is available.
To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page.
This chapter describes:
Updating antivirus and attack definitions
Scheduling updates
Enabling push updates
Registering FortiGate units
Updating registration information
Registering a FortiGate unit after an RMA

Updating antivirus and attack definitions

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiGate unit supports the following antivirus and attack definition update features:
User-initiated updates from the FDN,
Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN,
Push updates from the FDN,
Update status including version numbers, expiry dates, and update dates and times,
Push updates through a NAT device.
The Update page on the web-based manager displays the following antivirus and attack definition update information.
Version: Current antivirus engine, virus definition, and attack definition version numbers.
Expiry date: Expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Last update attempt: Date and time on which the FortiGate unit last attempted to download antivirus engine, virus definition, and attack definition updates.
Last update status: Success or failure of the last update attempt. No updates means the last update attempt was successful but no new updates were available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions.
This section describes:
Connecting to the FortiResponse Distribution Network
Manually initiating antivirus and attack definitions updates
Configuring update logging

Connecting to the FortiResponse Distribution Network

Before the FortiGate unit can receive antivirus and attack updates, it must be able to connect to the FortiResponse Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN. The FortiGate external interface must have a path to the Internet using port 8890. For information about configuring scheduled updates, see “Scheduling updates” on page 76.
You can also configure the FortiGate unit to allow push updates. Push updates are provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must have a path to the FortiGate external interface using UDP port 9443. For information about configuring push updates, see “Enabling push updates” on page 78.
The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs). When the FortiGate unit connects to the FDN it connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit. To make sure the FortiGate unit receives updates from the nearest FDS, check that you have selected the correct time zone for your area.
To make sure the FortiGate unit can connect to the FDN
1 Go to System > Config > Time and make sure the time zone is set to the time zone for the region in which your FortiGate unit is located.
2 Go to System > Update.
3 Select Refresh.
The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Table 1: Connections to the FDN
FortiResponse Distribution Network
Available: The FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See “Scheduling updates” on page 76.
Not available: The FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiResponse server to receive updates. See “Adding an override server” on page 77.
Push Update
Available: The FDN can connect to the FortiGate unit to send push updates. You can configure the FortiGate unit to receive push updates. See “Enabling push updates” on page 78.
Not available: The FDN cannot connect to the FortiGate unit to send push updates. Push updates may not be available if you have not registered the FortiGate unit (see “Registering the FortiGate unit” on page 85), if there is a NAT device installed between the FortiGate unit and the FDN (see “Enabling push updates through a NAT device” on page 79), or if your FortiGate unit connects to the Internet using a proxy server (see “Enabling scheduled updates through a proxy server” on page 78).

Manually initiating antivirus and attack definitions updates

You can use the following procedure to update the antivirus and attack definitions at any time. The FortiGate unit must be able to connect to the FDN or to an override FortiResponse server.
To update antivirus and attack definitions
1 Go to System > Update.
2 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine, or attack definitions. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.

Configuring update logging

Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. The update log messages are recorded on the FortiGate Event log.
To configure update logging
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the type of logs that the FortiGate unit is configured to record.
For information about recording logs, see “Recording logs” on page 251.
3 Select Update to record log messages when the FortiGate unit updates antivirus and attack definitions.
4 Select any of the following update log options.
Failed Update: Records a log message whenever an update attempt fails.
Successful Update: Records a log message whenever an update attempt is successful.
FDN error: Records a log message whenever it cannot connect to the FDN or whenever it receives an error message from the FDN.
5 Select OK.
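The three update log options above map to the outcomes a monitoring script should distinguish, and the Update page rule that "No updates" is a successful attempt with nothing new to install. The following is an added example, not Fortinet code and not the real FortiGate event log format (which the guide does not show): the sample log lines, their "<date> <time> update <message>" layout and the message wording are constructed for the example. It summarizes the log, counts consecutive failed attempts, and flags definitions as stale when no successful attempt has happened within a chosen window.

```python
"""Summarize constructed FortiGate update log lines (added example, not Fortinet code).
The line layout and messages below are constructed; only the three categories
(Failed Update, Successful Update, FDN error) and the "No updates" rule come
from the guide."""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed sample lines: "<date> <time> update <message>"
SAMPLE_LOG = [
    "2004-02-27 02:00:05 update Update succeeded: new antivirus definitions installed",
    "2004-02-28 02:00:07 update No updates available",
    "2004-02-29 02:00:11 update FDN error: unable to connect to FDN",
    "2004-03-01 02:00:09 update Update failed: connection timed out",
]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) update (.+)$")


def classify(message: str) -> str:
    """Map an update message to the guide's three update log categories."""
    m = message.lower()
    if m.startswith("fdn error"):
        return "fdn_error"
    if m.startswith("update failed"):
        return "failed"
    # "No updates" means the attempt reached the FDN but nothing new was available,
    # so it counts as a successful attempt.
    if m.startswith("update succeeded") or m.startswith("no updates"):
        return "success"
    return "other"


def summarize_update_log(lines: Iterable[str], now: datetime,
                         max_age: timedelta = timedelta(hours=48)) -> Dict:
    """Return the last successful attempt, the current run of consecutive
    failures (Failed Update or FDN error), per-category counts, and whether
    the definitions are stale (no successful attempt within max_age)."""
    last_success: Optional[datetime] = None
    consecutive_failures = 0
    counts = {"success": 0, "failed": 0, "fdn_error": 0, "other": 0}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an update log line; ignore
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind = classify(m.group(2))
        counts[kind] += 1
        if kind == "success":
            last_success = when
            consecutive_failures = 0
        elif kind in ("failed", "fdn_error"):
            consecutive_failures += 1
    stale = last_success is None or (now - last_success) > max_age
    return {"last_success": last_success,
            "consecutive_failures": consecutive_failures,
            "stale": stale,
            "counts": counts}


if __name__ == "__main__":
    report = summarize_update_log(SAMPLE_LOG, now=datetime(2004, 3, 1, 12, 0, 0))
    print(report)
```

With the sample lines and a 48-hour window the last successful attempt is the "No updates" line of 2004-02-28, two attempts since then have failed, and the definitions are reported stale; a unit that only logs successes would hide exactly this condition, which is why the Failed Update and FDN error options are worth enabling together.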

Scheduling updates

The FortiGate unit can check for and download updated definitions hourly, daily, or weekly, according to a schedule that you specify.
This section describes:
Enabling scheduled updates
Adding an override server
Enabling scheduled updates through a proxy server

Enabling scheduled updates

To enable scheduled updates
1 Go to System > Update.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates.
Hourly: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
Figure 1: Configuring automatic antivirus and attack definitions updates

Adding an override server

If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
To add an override server
1 Go to System > Update.
2 Select the Use override server address check box.
3 Type the IP address of a FortiResponse server.
4 Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiResponse Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server.
If the FortiResponse Distribution Network stays set to not available, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit connecting to the override FortiResponse server.

Enabling scheduled updates through a proxy server

If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server. As well, if the proxy server requires authentication, you can add the user name and password required for the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:
set system autoupdate tunneling enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]
For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:
set system autoupdate tunneling enable address 64.23.6.89 port 8080
For more information about the set system autoupdate command, see Volume 6, FortiGate CLI Reference Guide.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow the CONNECT to connect to any port; they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port.
There are no special tunneling requirements if you have configured an override server address to connect to the FDN.
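The CONNECT exchange described above, as an added example that is not Fortinet code: a client builds the CONNECT request naming the FDN address and port 8890 (with Basic proxy credentials when the proxy requires them) and decides from the proxy's status line whether the tunnel was opened. The proxy address reuses 64.23.6.89:8080 from the command above; the FDS host name and the proxy replies in the test are constructed, and the function names are this example's own. A 407 reply means the proxy wants credentials, and a 403 or similar reply on port 8890 is the symptom of the port restriction the text warns about.

```python
"""HTTP CONNECT tunnel through a proxy to the FDN (added example, not Fortinet code).
Proxy address, FDS host name and proxy replies are constructed for illustration."""
import base64
import socket
from typing import Optional, Tuple

FDN_PORT = 8890                       # HTTPS port the FortiGate unit uses to reach the FDN
EXAMPLE_PROXY = ("64.23.6.89", 8080)  # proxy from the guide's example command (constructed)


def build_connect_request(target_host: str, target_port: int,
                          username: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """Build the CONNECT request the client sends to the proxy (RFC 2616 CONNECT).
    When credentials are given, add a Basic Proxy-Authorization header (RFC 2617)."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_response(raw: bytes) -> Tuple[int, str]:
    """Parse the proxy's status line and return (status_code, reason).
    2xx: tunnel open; 407: proxy authentication required;
    403/405 or similar: CONNECT to that port refused by proxy policy."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def tunnel_open(raw: bytes) -> bool:
    """True when the proxy's reply means the tunnel to the FDN was established."""
    return 200 <= parse_proxy_response(raw)[0] < 300


def open_tunnel(proxy: Tuple[str, int], target_host: str, target_port: int = FDN_PORT,
                username: Optional[str] = None, password: Optional[str] = None,
                timeout: float = 10.0) -> socket.socket:
    """Connect to the proxy, send CONNECT and return the socket once the tunnel is open;
    the caller then starts TLS on it. Needs network access, so it is not run offline."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port, username, password))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            raw += chunk
        code, reason = parse_proxy_response(raw)
        if not 200 <= code < 300:
            raise ConnectionError(f"proxy refused CONNECT to port {target_port}: {code} {reason}")
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Show the request that would be sent; fds.example is a constructed host name.
    print(build_connect_request("fds.example", FDN_PORT, "proxyuser", "secret").decode())
```

Seen from the proxy's logs, a working configuration looks like a CONNECT to the FDS address on port 8890 answered with 200; anything else in that position explains a "not available" FDN status without needing packet captures.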

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See “Registering the FortiGate unit” on page 85.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see “Enabling scheduled updates through a proxy server” on page 78.
When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates. However, scheduled updates make sure that the FortiGate unit receives the latest updates.
Enabling push updates is not recommended as the only method for obtaining updates. The FortiGate unit might not receive the push notification. Also, when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates.
This section describes:
Enabling push updates
Push updates when FortiGate IP addresses change
Enabling push updates through a NAT device

Enabling push updates

To enable push updates
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Apply.

Push updates when FortiGate IP addresses change

The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. If your FortiGate unit is running in NAT/Route mode, the SETUP message includes the FortiGate external IP address. If your FortiGate unit is running in Transparent mode, the SETUP message includes the FortiGate management IP address. The FDN must be able to connect to this IP address for your FortiGate unit to be able to receive push update messages. If your FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 79.
Whenever the external IP address of the FortiGate unit changes, the FortiGate unit sends a new SETUP message to notify the FDN of the address change. As long as the FortiGate unit sends this SETUP message and the FDN receives it, the FDN can maintain the most up-to-date external IP address for the FortiGate unit.
The FortiGate unit sends the SETUP message if you change the external IP address manually or if you have set the external interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.
In Transparent mode if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device

If the FDN can connect to the FortiGate unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using either port 9443 or an override push port that you specify.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP. This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network. This IP address can either be the external IP address of the FortiGate unit if it is operating in NAT/Route mode, or the Management IP address of the FortiGate unit if it is operating in Transparent mode.
Note: This example describes the configuration for a FortiGate NAT device. However, you can use any NAT device with a static external IP address that can be configured for port forwarding.
Figure 2: Example network topology: Push updates through a NAT device
[Figure: a FortiGate-300 acting as the NAT device, with external IP 64.230.123.149, sits between the Internet (and the FortiResponse Distribution Network) and an internal network containing a FortiGate-50A whose external IP or management IP is 192.168.1.99. The FDN sends push updates to IP address 64.230.123.149 and port 45001; the virtual IP maps 64.230.123.149:45001 to 192.168.1.99:9443.]
General procedure
Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
3 Configure the FortiGate unit on the internal network with an override push IP and port.
Note: Before completing the following procedure, you should register the internal network FortiGate unit so that it can receive push updates.
Adding a port forwarding virtual IP to the FortiGate NAT device
Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.
To configure the FortiGate NAT device
1 Go to Firewall > Virtual IP.
2 Select New.
3 Type a name for the virtual IP.
4 In the External Interface section, select the external interface that the FDN connects to. For the example topology, select the external interface.
5 In the Type section, select Port Forwarding.
6 In the External IP Address section, type the external IP address that the FDN connects to. For the example topology, enter 64.230.123.149.
7 Type the External Service Port that the FDN connects to. For the example topology, enter 45001.
8 In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99.
9 Set the Map to Port to 9443.
10 Set Protocol to UDP.
11 Select OK.
Figure 3: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source: External_All
Destination: The virtual IP added above.
Schedule: Always
Service: ANY
Action: Accept
NAT: Selected.
3 Select OK.
Configuring the FortiGate unit with an override push IP and port
To configure the FortiGate unit on the internal network
1 Go to System > Update.
2 Select the Allow Push Update check box.
3 Select the Use override push check box.
4 Set IP to the external IP address added to the virtual IP.
For the example topology, enter 64.230.123.149.
5 Set Port to the external service port added to the virtual IP.
For the example topology, enter 45001.
6 Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network.
If the external IP address or external service port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.
Figure 4: Example push update configuration
7 Select Apply.
8 You can select Refresh to make sure that push updates work. Push Update changes to Available.
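The procedure above creates two settings that must agree for push updates to arrive: the port forwarding virtual IP on the NAT device and the override push IP and port on the internal FortiGate unit. The following added example (not Fortinet code or configuration; the class and function names are this example's own) models both with the values from the example topology, checks them against the fixed requirements stated in the procedure (UDP, map-to port 9443, a routable external address, matching override IP and port), and simulates which internal address a push datagram addressed to the external IP and port is forwarded to.

```python
"""Consistency check for push updates through a NAT device (added example; not
Fortinet code or configuration). Models the port forwarding virtual IP on the
NAT device and the Use override push settings on the internal FortiGate unit,
using the guide's example values. Names are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUSH_PORT = 9443  # port on which the FortiGate unit receives push updates (from the guide)


@dataclass(frozen=True)
class PortForwardVIP:
    """Port forwarding virtual IP as entered on the NAT device."""
    external_ip: str
    external_port: int
    map_to_ip: str
    map_to_port: int
    protocol: str  # "UDP" or "TCP"


@dataclass(frozen=True)
class OverridePush:
    """Use override push IP and port as entered on the internal FortiGate unit."""
    ip: str
    port: int


def check_push_forwarding(vip: PortForwardVIP, override: OverridePush) -> List[str]:
    """Return a list of configuration problems; an empty list means both halves agree."""
    problems: List[str] = []
    if vip.protocol.upper() != "UDP":
        problems.append(f"VIP protocol is {vip.protocol}; push updates use UDP")
    if vip.map_to_port != PUSH_PORT:
        problems.append(f"VIP maps to port {vip.map_to_port}; the FortiGate unit expects {PUSH_PORT}")
    if ipaddress.ip_address(vip.external_ip).is_private:
        problems.append(f"VIP external IP {vip.external_ip} is private; the FDN cannot reach it")
    if override.ip != vip.external_ip:
        problems.append(f"override push IP {override.ip} differs from VIP external IP {vip.external_ip}")
    if override.port != vip.external_port:
        problems.append(f"override push port {override.port} differs from VIP external port {vip.external_port}")
    return problems


def translate_inbound(vip: PortForwardVIP, dst_ip: str, dst_port: int,
                      protocol: str) -> Optional[Tuple[str, int]]:
    """Simulate the NAT device: return the (ip, port) that a packet addressed to
    dst_ip:dst_port with the given protocol is forwarded to, or None if the
    packet does not match the virtual IP and is therefore not forwarded."""
    if (dst_ip, dst_port, protocol.upper()) != (vip.external_ip, vip.external_port, vip.protocol.upper()):
        return None
    return (vip.map_to_ip, vip.map_to_port)


# Values from the guide's example topology.
EXAMPLE_VIP = PortForwardVIP("64.230.123.149", 45001, "192.168.1.99", PUSH_PORT, "UDP")
EXAMPLE_OVERRIDE = OverridePush("64.230.123.149", 45001)

if __name__ == "__main__":
    print("problems:", check_push_forwarding(EXAMPLE_VIP, EXAMPLE_OVERRIDE))
    print("forwarded to:", translate_inbound(EXAMPLE_VIP, "64.230.123.149", 45001, "udp"))
```

Running the check before selecting Refresh saves a round trip with the FDN: a mismatch in the override port or a virtual IP created for TCP is reported locally, and the translation function shows that a push datagram sent to a different port is simply dropped by the NAT device rather than forwarded.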

Registering FortiGate units

After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information.
Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to:
View your list of registered FortiGate units
Register additional FortiGate units
Add or change FortiCare Support Contract numbers for each FortiGate unit
View and change registration information
Download virus and attack definitions updates
Download firmware upgrades
Modify registration information after an RMA
Soon you will also be able to:
Access Fortinet user documentation
Access the Fortinet knowledge base
All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason.
This section describes:
FortiCare Service Contracts
Registering the FortiGate unit

FortiCare Service Contracts

Owners of a new FortiGate unit are entitled to 90 days of technical support services. To continue receiving support services after the 90-day expiry date, you must purchase a FortiCare Support Contract from an authorized Fortinet reseller or distributor. Different levels of service are available so you can purchase the support that you need. For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing.
To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In that case, when you purchase a FortiCare Support Contract you can update the registration information to add the support contract number.
A single FortiCare Support Contract can cover multiple FortiGate units. You must enter the same service contract number for each of the FortiGate models covered by the service contract.

Registering the FortiGate unit

Before registering a FortiGate unit, you require the following information:
Your contact information including:
First and last name
Company name
Email address (Your Fortinet support login user name and password will be sent to this email address.)
Address
Contact phone number
A security question and an answer to the security question. This information is used for password recovery. The security question should be a simple question that only you know the answer to. The answer should not be easy to guess.
The product model and serial number for each FortiGate unit that you want to register.
The serial number is located on a label on the bottom of the FortiGate unit. You can view the serial number from the web-based manager by going to System > Status. The serial number is also available from the CLI using the get system status command.
FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiGate units that you want to register.
To register one or more FortiGate units
1 Go to System > Update > Support.
2 Enter your contact information on the product registration form.
Figure 5: Registering a FortiGate unit (contact information and security question)
3 Provide a security question and an answer to the security question.
4 Select the model number of the Product Model to register.
5 Enter the Serial Number of the FortiGate unit.
6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Figure 6: Registering a FortiGate unit (product information)
7 Select Finish.
If you have not entered a FortiCare Support Contract number (SCN) you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Continue to complete the registration.
If you have entered a support contract number, a real-time validation is performed to verify that the SCN information matches the FortiGate unit. If the information does not match you can try entering it again.
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit.
Your Fortinet support user name and password is sent to the email address provided with your contact information.

Updating registration information

You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information.
This section describes:
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate units
Registering a new FortiGate unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates

Recovering a lost Fortinet support password

If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password. If you did not provide a security question and answer, contact Fortinet technical support.
To recover a lost Fortinet support password
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name.
4 Select Forgot your password?
5 Enter your email address and select Submit.
The security question that you entered when you registered is displayed.
6 Enter the answer to your security question and select Get Password.
If you entered the correct answer to the security question, an email containing a new password is sent to your email address. You can use your current user name and this password to log into the Fortinet support web site.
7 Select Support Login.
8 When you receive your new password, enter your user name and new password to log into the Fortinet support web site.

Viewing the list of registered FortiGate units

To view the list of registered FortiGate units
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select View Products.
The list of FortiGate products that you have registered is displayed. For each FortiGate unit, the list includes the serial number and current support options for that unit.
Figure 7: Sample list of registered FortiGate units

Registering a new FortiGate unit

To register a new FortiGate unit
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Add Registration.
6 Select the model number of the product model that you want to register.
7 Enter the serial number of the FortiGate unit.
8 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
9 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new FortiGate unit.

Adding or changing a FortiCare Support Contract number

To add or change a FortiCare Support Contract number
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Add/Change Contract number.
6 Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number.
7 Add the new Support Contract number.
8 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.

Changing your Fortinet support password

To change your Fortinet support password
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select My Profile.
6 Select Change Password.
7 Enter your current password.
8 Enter and confirm a new password.
An email is sent to your email address confirming that your password has been changed. Use your current user name and new password the next time you log into the Fortinet technical support web site.

Changing your contact information or security question

To change your contact information or security question
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select My Profile.
6 Select Edit Profile.
7 Make the required changes to your contact information.
8 Make the required changes to your security question and answer.
9 Select Update Profile.
Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.

Downloading virus and attack definitions updates

Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the attack definitions updates on your FortiGate unit.
To download virus and attack definitions updates
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Download Virus/Attack Update.
6 If required, select the FortiOS version.
7 Select the virus and attack definitions to download.
Figure 8: Downloading virus and attack definition updates
For information about how to install the downloaded files, see “Manual virus definition updates” on page 63 and “Manual attack definition updates” on page 63.

Registering a FortiGate unit after an RMA

The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure. If this happens while the FortiGate unit is protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor.
The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.
To register a FortiGate unit after an RMA
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password to log in.
4 Select Add Registration.
5 Select the link to replace a unit with a new unit from an RMA.
6 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the replacement FortiGate unit. All support levels are transferred to the replacement unit.

Network configuration

You can use the System Network page to change any of the following FortiGate network settings:
Configuring interfaces
Adding DNS server IP addresses
Configuring routing
Configuring DHCP services
Configuring the modem interface

Configuring interfaces

Use the following procedures to configure FortiGate interfaces:
Viewing the interface list
Changing the administrative status of an interface
Configuring an interface with a manual IP address
Configuring an interface for DHCP
Configuring an interface for PPPoE
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling administrative access to an interface
Changing the MTU size to improve network performance
Configuring traffic logging for connections to an interface
Configuring the management interface in Transparent mode

Viewing the interface list

To view the interface list
1 Go to System > Network > Interface.
The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces:
The name of the interface
The IP address of the interface
The netmask of the interface
The administrative access configuration for the interface. See “Controlling administrative access to an interface” on page 97 for information about administrative access options.
The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see “Changing the administrative status of an interface” on page 94.

Changing the administrative status of an interface

You can use the following procedures to start an interface that is administratively down and stop an interface that is administratively up.
To start up an interface that is administratively down
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Up for the interface that you want to start.
To stop an interface that is administratively up
1 From the FortiGate CLI, enter the command:
set system interface <intf_str> config status down
You can only stop an interface that is administratively up from the FortiGate command line interface (CLI).

Configuring an interface with a manual IP address

You can change the static IP address of any FortiGate interface.
To change an interface with a manual IP address
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required.
The IP address of the interface must be on the same subnet as the network the interface is connecting to.
Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
5 Select OK to save your changes.
If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.

Configuring an interface for DHCP

You can configure any FortiGate interface to use DHCP.
If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. You can disable Connect to Server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP request.
By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable the option Retrieve default gateway and DNS from server if you do not want the DHCP server to configure these FortiGate settings.
To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 In the Addressing Mode section, select DHCP.
4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.
By default, this option is enabled.
5 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the DHCP server. By default, this option is enabled.
6 Select Apply.
The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
7 Select Status to refresh the addressing mode status message. Possible messages:
initializing   No activity.
connecting     The FortiGate unit is attempting to connect to the DHCP server.
connected      The FortiGate unit retrieves an IP address, netmask, and other settings from the DHCP server.
failed         The FortiGate unit was unable to retrieve an IP address and other information from the DHCP server.
8 Select OK.

Configuring an interface for PPPoE

Use the following procedure to configure any FortiGate interface to use PPPoE.
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable Connect to Server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the PPPoE server. You can disable the option Retrieve default gateway and DNS from server if you do not want the PPPoE server to configure these FortiGate settings.
To configure an interface for PPPoE
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server.
By default, this option is enabled.
6 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the PPPoE server. By default, this option is enabled.
7 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status to refresh the addressing mode status message. Possible messages:
initializing   No activity.
connecting     The FortiGate unit is attempting to connect to the PPPoE server.
connected      The FortiGate unit retrieves an IP address, netmask, and other settings from the PPPoE server.
failed         The FortiGate unit was unable to retrieve an IP address and other information from the PPPoE server.
9 Select OK.

Adding a secondary IP address to an interface

You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be the same as the primary IP address but it can be on the same subnet.
To add a secondary IP address from the CLI, enter the command:
set system interface <intf_str> config secip <second_ip> <netmask_ip>
You can also configure management access and add a ping server to the secondary IP address.
set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
set system interface <intf_str> config secgwdetect enable

Adding a ping server to an interface

Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See “Adding destination-based routes to the routing table” on page 101.
To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select the Enable check box.
The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see “Modifying the Dead Gateway Detection settings” on page 123.
5 Select OK to save the changes.

Controlling administrative access to an interface

For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
Use secure administrative user passwords,
Change these passwords regularly,
Enable secure administrative access to this interface using only HTTPS or SSH,
Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 122).
To configure administrative access in Transparent mode, see “Configuring the management interface in Transparent mode” on page 99.
To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Administrative Access methods for the interface.
HTTPS    To allow secure HTTPS connections to the web-based manager through this interface.
PING     If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP     To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH      To allow SSH connections to the CLI through this interface.
SNMP     To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 125.
TELNET   To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
4 Select OK to save the changes.

Changing the MTU size to improve network performance

To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance.
To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select Override default MTU value (1500).
4 Set the MTU size.
Set the maximum packet size. For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes.
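The following script, an added example that is not part of the Fortinet guide, works through the MTU rule given above: it picks the smallest MTU on the path, clamped to the range the guide states for each addressing mode, and counts how many IPv4 fragments an oversized packet turns into (standard IPv4 arithmetic, 20-byte header, fragment data in 8-byte units).

```python
"""MTU selection and IPv4 fragmentation arithmetic for a FortiGate interface.

Added example, not from the Fortinet guide. The allowed ranges are the ones
the guide states (576-1500 bytes for manual/DHCP, 576-1492 for PPPoE); the
fragment arithmetic is standard IPv4 (20-byte header, data in 8-byte units).
"""
import math

# Allowed MTU range per addressing mode, as stated in the guide.
MTU_RANGE = {"manual": (576, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
IP_HEADER = 20  # bytes, IPv4 header without options


def recommended_mtu(mode, path_mtus):
    """Smallest MTU on the path, clamped to what the addressing mode allows.

    path_mtus: MTUs of the networks between the unit and the destination.
    Raises ValueError when the path needs an MTU below the unit's minimum.
    """
    low, high = MTU_RANGE[mode.lower()]
    mtu = min([high, *path_mtus])  # never above what the interface supports
    if mtu < low:
        raise ValueError(f"path MTU {mtu} is below the {low}-byte minimum for {mode}")
    return mtu


def fragment_count(packet_len, mtu):
    """How many IPv4 fragments a packet_len-byte packet becomes at this MTU."""
    if packet_len <= mtu:
        return 1
    per_fragment = (mtu - IP_HEADER) // 8 * 8  # fragment data is an 8-byte multiple
    return math.ceil((packet_len - IP_HEADER) / per_fragment)


if __name__ == "__main__":
    # A 1500-byte packet on a PPPoE link (max MTU 1492) is sent as two fragments.
    print(recommended_mtu("pppoe", [1500, 1500]), fragment_count(1500, 1492))
```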

Configuring traffic logging for connections to an interface

To configure traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4 Select OK to save the changes.

Configuring the management interface in Transparent mode

Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Updating antivirus and attack definitions” on page 73).
You can also configure the management interface to control how administrators connect to the FortiGate unit for administration and the FortiGate interfaces to which administrators can connect.
Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
Use secure administrative user passwords,
Change these passwords regularly,
Enable secure administrative access to this interface using only HTTPS or SSH,
Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 122).
To configure the management interface in Transparent mode
1 Go to System > Network > Management.
2 Change the Management IP and Netmask as required.
This must be a valid IP address for the network that you want to manage the FortiGate unit from.
3 Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.
4 Select the administrative access methods for each interface.
HTTPS    To allow secure HTTPS connections to the web-based manager through this interface.
PING     If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP     To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH      To allow SSH connections to the CLI through this interface.
SNMP     To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 125.
TELNET   To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
5 Select Log for each interface that you want to record log messages whenever a firewall policy accepts a connection to this interface.
6 Select Apply to save the changes.
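The following audit script, an added example that is not part of the Fortinet guide, applies the administrative access guidance from this section and from “Controlling administrative access to an interface” above to a constructed set of CLI-style interface lines: it flags HTTP and Telnet as cleartext methods and reports the extra exposure of PING and SNMP on an Internet-facing interface. It assumes a primary-IP keyword allowaccess mirroring the secallowaccess form the guide documents for secondary IPs; the sample lines are constructed, not output of a real unit.

```python
"""Audit FortiGate interface administrative access from CLI-style lines.

Added example, not from the Fortinet guide. It assumes the primary-IP form
`set system interface <intf> config allowaccess <methods...>` mirrors the
`secallowaccess` form the guide documents for secondary IP addresses.
"""
import re

# Methods the guide describes as not secure (can be intercepted by a third party).
INSECURE = {"http", "telnet"}
# Methods the guide recommends as the only ones for remote administration.
SECURE = {"https", "ssh"}
# Methods that are not CLI/web administration but still widen exposure.
INFO = {"ping", "snmp"}

LINE_RE = re.compile(
    r"^set system interface (?P<intf>\S+) config "
    r"(?P<key>secallowaccess|allowaccess)(?P<methods>(?: \S+)*)$"
)


def parse_access(lines):
    """Return {(intf, key): set(methods)} from CLI-style config lines."""
    access = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access line; ignore
        access[(m.group("intf"), m.group("key"))] = set(m.group("methods").split())
    return access


def audit(lines, internet_facing):
    """Return a list of (intf, severity, message) findings.

    internet_facing: set of interface names connected to the Internet, where
    the guide says administrative access should be avoided unless required.
    """
    findings = []
    for (intf, key), methods in parse_access(lines).items():
        where = "secondary IP" if key == "secallowaccess" else "primary IP"
        exposed = intf in internet_facing
        for meth in sorted(methods & INSECURE):
            sev = "high" if exposed else "medium"
            findings.append((intf, sev, f"{meth} enabled on {where}: cleartext, can be intercepted"))
        if exposed:
            for meth in sorted(methods & INFO):
                findings.append((intf, "low", f"{meth} enabled on {where} of Internet-facing interface"))
            if methods & SECURE:
                allowed = ", ".join(sorted(methods & SECURE))
                findings.append((intf, "info", f"remote administration via {allowed} on {where}"))
        for meth in sorted(methods - INSECURE - SECURE - INFO):
            findings.append((intf, "warn", f"unrecognised method {meth}"))
    return findings


# Constructed sample configuration, not output from a real unit.
SAMPLE = """
set system interface internal config allowaccess ping https ssh http
set system interface external config allowaccess https ssh telnet
set system interface external config secallowaccess ping https ssh snmp http telnet
""".splitlines()

if __name__ == "__main__":
    for intf, sev, msg in audit(SAMPLE, internet_facing={"external"}):
        print(f"[{sev}] {intf}: {msg}")
```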

Adding DNS server IP addresses

Several FortiGate functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usually supplied by your ISP.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Change the primary and secondary DNS server IP addresses as required.
3 Select Apply to save the changes.

Configuring routing

This section describes how to configure FortiGate routing. You can configure routing to add static routes from the FortiGate unit to local routers. Using policy routing you can increase the flexibility of FortiGate routing to support more advanced routing functions.
You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections.
This section describes:
Adding a default route
Adding destination-based routes to the routing table
Adding routes in Transparent mode
Configuring the routing table
Policy routing

Adding a default route

You can add a default route for network traffic leaving the external interface.
To add a default route
1 Go to System > Network > Routing Table.
2 Select New to add a new route.
3 Set the Source IP and Netmask to 0.0.0.0.
4 Set the Destination IP and Netmask to 0.0.0.0.
5 Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
6 Select OK to save the default route.
Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.
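The following route lookup, an added example that is not part of the Fortinet guide, models the note above: over an ordered table with two 0.0.0.0/0.0.0.0 default routes, the entry nearest the top wins, while a more specific destination route still takes precedence. The table entries and gateway addresses are constructed.

```python
"""Route selection over an ordered FortiGate-style routing table.

Added example, not from the Fortinet guide. It models the guide's note that
when two default routes exist only the one closest to the top is active, and
the usual longest-prefix rule for more specific destination routes.
"""
from ipaddress import ip_address, ip_network


def select_route(routes, dst):
    """Return (index, gateway) of the active route for dst, or None.

    routes: ordered list of (destination_ip, netmask, gateway) strings, top to
    bottom as in the routing table. Longer prefixes win; among equal prefixes
    the entry nearest the top wins, which is the guide's default-route rule.
    """
    addr = ip_address(dst)
    best = None  # (prefixlen, index, gateway)
    for idx, (dest, mask, gw) in enumerate(routes):
        net = ip_network(f"{dest}/{mask}", strict=False)
        if addr not in net:
            continue
        # Only a strictly longer prefix replaces the current best, so an equal
        # prefix found lower in the table never displaces the earlier entry.
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, idx, gw)
    return None if best is None else (best[1], best[2])


# Constructed table: two default routes (rows 0 and 1) plus one specific route.
SAMPLE_TABLE = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1"),       # first default route (active)
    ("0.0.0.0", "0.0.0.0", "198.51.100.1"),      # second default route (inactive)
    ("10.10.0.0", "255.255.0.0", "192.168.1.254"),
]

if __name__ == "__main__":
    print(select_route(SAMPLE_TABLE, "8.8.8.8"))     # (0, '203.0.113.1')
    print(select_route(SAMPLE_TABLE, "10.10.5.5"))   # (2, '192.168.1.254')
```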