Fortinet FortiGate FortiGate-5001FA2, FortiGate-5001SX, FortiGate-5002FB2, FortiGate-5020, FortiGate-5050 Installation Manual

...

FortiGate 5000 Series

13 11 9 7 5 3 1 2 4 6 8 10 12 14

PWR

ACC

CONSOLE

USB

1 2

3 4

5 6 7 8

STA IPM

ACC

CONSOLE

USB

1 2

3 4

5 6 7 8

STA IPM

ACC

STA IPM

CONSOLE

MANAGEMENT

CONSOLE

USB

SYSTEM

CONSOLE

1 2

3 4

5 6 7 8

ZRE

FLT

HOT SWAP

RESET

LED MODE

STA IPM

PWRACC

MANAGEMENT

SYSTEM

CONSOLE

1514

1312

1110

ZRE

OKCLK

INTEXT

FLT

HOT SWAP

RESET

LED MODE

STA IPM

CONSOLE

1 2 3 4 5 6 7 8

PWRACC

CONSOLE

USB

1 2 3 4 5 6 7 8

STA IPM

CONSOLE

1 2 3 4 5 6 7 8

PWRACC

CONSOLE

USB

1 2 3 4 5 6 7 8

STA IPM

CONSOLE

1 2 3 4 5 6 7 8

Installation Guide

5140

USB

CONSOLE

PWRACC

Crit. Maj. Min.

PWRACC

3 2 1

CONSOLE

Alarms

Rst

USB

1 2 3 4 5 6 7 8

Link

Act

100

ETH 0

Prim. ShMC

Stat.

Link

Act

100

ETH 0

STA IPM

Sec.

ShMC

Stat.

ShMC

PWRACC

RESET

MANAGEMENT

USB

CONSOLE

ETH

1 2 3 4 5 6 7 8

USB

1 2 3 4 5 6 7 8

USB

1 2 3 4 5 6 7 8

RS232ZRE0ZRE1ZRE2

SYSTEM

CONSOLE

RS232ZRE0ZRE1ZRE2

SYSTEM

CONSOLE

162

STATUS

PWR

162

STATUS

PWR

9876543210

1514

1312

1110

9876543210

1514

1312

1110

3 4 5 6

STA IPM

OKCLK

INTEXT

FLT

HOT SWAP

RESET

ZRE

LED MODE

FLT

OKCLK

INTEXT

FLT

HOT SWAP

RESET

ZRE

LED MODE

FLT

Critical

Major

Minor

Alarm

Console Ethernet

Reset

ALT

ON/OFF

IPM

ALT

ON/OFF

IPM

POWER

ShMC

Hot Swap Status

PSUA

PSU B

Version 2.80 MR11

9 February 2006

01-28011-0259-20060209

transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-5000 series Installation Guide

Version 2.80 MR11 8 February 2006 01-28011-0259-20060209

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.

DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to

techdoc@fortinet.com.

Table of Contents

Introduction............................................................................................................ 5

About the FortiGate-5000 series Installation Guide............................................................ 5

About the FortiGate-5000 series Hardware Guide.............................................................. 6

About the FortiGate-5000 series chassis............................................................................ 6

FortiGate-5140 chassis................................................................................................... 6

FortiGate-5050 chassis................................................................................................... 6

FortiGate-5020 chassis................................................................................................... 6

About the FortiGate-5000 series modules.......................................................................... 7

FortiGate-5001SX module .................................................................... ... ... ... .... ... ... ... ... . 7

FortiGate-5001FA2 module ............................................................................................ 7

FortiGate-5002FB2 module ............................................................................................ 7

FortiSwitch-5003 module ................................................................................................ 7

Document conventions ....................................................................................................... 7

Fortinet documentation....................................................................................................... 9

Fortinet Knowledge Center ............................................................................................. 9

Comments on Fortinet technical documentation............................................................. 9

Customer service and technical support............................................................................. 9

Contents

Configuring the FortiGate for the Network........................................................ 11

Configuration options......................................... ............................................................... 14

Web-based manager and setup wizard ........................................................................ 14

CLI ................................................................................................................................ 14

Connecting to the web-based manager............................................................................ 14

Connecting to the command line interface (CLI)............................................................... 16

NAT/Route mode installation............................................................................................ 17

Preparing to configure the FortiGate module in NAT/Route mode ............................... 17

Using the web-based manager..................................................................................... 19

Using the command line interface................................................................................. 20

Using the setup wizard................... ... ... ... .... ... ... ... .... ..................................................... 23

Connecting the FortiGate unit to the network(s) ........................................................... 25

Configuring the networks .............................................................................................. 26

Transparent mode installation........................................................................................... 26

Preparing to configure Transparent mode .................................................................... 26

Using the web-based manager..................................................................................... 27

Using the command line interface................................................................................. 28

Using the setup wizard................... ... ... ... .... ... ... ... .... ..................................................... 30

Connecting the FortiGate module to your network ....................................................... 31

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 3

Contents

High availability installation............................................................................................... 32

Priorities of heartbeat device and monitor priorities...................................................... 32

Configuring FortiGate-5000 modules for HA operation................................................. 32

Using the FortiSwitch-5003 in an HA cluster ................................................................ 37

Connecting the cluster to your networks....................................................................... 37

Installing and configuring the cluster............................................................................. 39

Clustering FortiGate-5000 series chassis..................................................................... 39

Next steps....................................... ... ... ... ... .... .................................................................. 40

Set the date and time.................................................................................................... 40

FortiGate Firmware.............................................................................................. 43

Upgrading to a new firmware version ........................................................................... 44

Reverting to a previous firmware version...................................................................... 45

Installing firmware images from a system reboot using the CLI ................. ... .... ... ... ... .. 48

Testing a new firmware image before installing it......................................................... 51

Installing and using a backup firmware image.............................................................. 53

Factory defaults................................................................................................... 57

NAT/Route mode network configuration....................................................................... 57

Transparent mode network configuration ..................................................................... 59

Firewall configuration.................................................................................................... 59

Protection profiles ......................................................................................................... 60

Restoring the default settings ........................................................................................... 61

Restoring the default settings using the web-based manager...................................... 61

Restoring the default settings using the CLI ................................................................. 61

Index ......................................................................................................................63

4 01-28011-0259-20060210 Fortinet Inc.

FortiGate-5000 series Installation Guide Version 2.80 MR11

Introduction

Welcome and thank you for selecting Fortinet products for your real-time network protection.

FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.

The FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities that include:

• application-level services such as virus protection and content filtering,

• network-level services such as firewall, intrusion detection, VPN and traffic shaping.

This chapter contains the following sections:

• About the FortiGate-5000 series Installation Guide

• About the FortiGate-5000 series Hardware Guide

• About the FortiGate-5000 series chassis

• About the FortiGate-5000 series modules

• Document conventions

• Fortinet documentation

• Customer service and technical support

About the FortiGate-5000 series Installation Guide

This installation guide provides the information you need to install the FortiGate-5000 chassis and modules, and configure the FortiGate unit for your network from start to finish.

This FortiGate-5000 series Installation Guide conta ins the following chapters:

• Configuring the FortiGate for the Network - Provides an overview of the operating modes of the FortiGate unit and how to integrate the unit into your network.

• FortiGate Firmware - Describes how to install, update, restore and test the firmware for the FortiGate device.

• Factory defaults - Provides the factory default settings for all FortiGate-5000 modules.

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 5

About the FortiGate-5000 series Hardware Guide Introduction

About the FortiGate-5000 series Hardware Guide

Before using this installation guide you should read and follow the procedures in the

FortiGate-5000 series Hardware Guide, which is a detailed guide to all three

FortiGate-5000 series chassis and the FortiGate and FortiSwitch modules that you can install in them. The FortiGate-5000 series Hardware Guide describes each chassis and all its components and provides information about how to conn ec t pow er to each chassis. For each FortiGate and Fo rtiSwitch module, this document describes the module LEDs and connectors, describes how to install each module in a FortiGate-5000 series chassis, and contains a brief troubleshooting secti on to help you diagnose and fix problems with the module.

About the FortiGate-5000 series chassis

The FortiGate-5000 series Security Systems are chassis-based systems that MSSPs and large enterprises can use to provide subscriber secu rity se rvices such as firew all, VPN, antivirus protection, spam filtering, web filtering and intrusion prevention (IPS). The wide variety of system configurations available with FortiGate-5000 series provide flexibility to meet the changing needs of growing high performance networks. The FortiGate-5000 series chassis support multiple hot-swappable FortiGate-5000 series modules and power supplies. This modular approach provides a scalable, high-performance and failure-pr oof so lution.

FortiGate-5140 chassis

You can install up to 14 FortiGate-5000 series modules in the 14 slots of the FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to -48 VDC Data Center DC power. The FortiGate-5140 chassis also includes three hot swappable cooling fan trays. For details about the FortiGate-5140 chassis see the

FortiGate-5000 series Hardware Guide.

FortiGate-5050 chassis

You can install up to five FortiGate-5000 series modules in the five slots of the FortiGate-5050 ATCA chassis. The FortiGate-5050 is a 5U chassis that contains two redundant DC power connections that connect to -48 VDC Data Center DC power. The FortiGate-5050 chassis also includes a hot swappable cooling fan tray. For details about the FortiGate-5050 chassis, see the FortiGate-5000 series Hardware

Guide.

FortiGate-5020 chassis

You can install one or two FortiGate-5000 series modules in the two slots of the FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The FortiGate-5020 chassis also includes an internal cooling fan tray. For details abo ut the FortiGate-5020 chassis, see the FortiGate-5000 series Hardware Guide.

6 01-28011-0259-20060210 Fortinet Inc.

Introduction About the FortiGate-5000 series modules

About the FortiGate-5000 series modules

Each FortiGate-5000 series module is a standalone FortiGate security system that can also function as part of a FortiGate HA cluster . All FortiGate-5000 series mod ules are also hot swappable. All FortiGate-5000 series units are high capacity security systems with multiple gigabit interfaces, multiple virtual domain capacity, and other high end FortiGate features.

FortiGate-5001SX module

The FortiGate-5001SX module is an independent high-performance FortiGate security system with eight Gigabit ethernet interfaces. The FortiGate supports high-end features including 802.1Q VLANs and multiple virtual domains. F or details about the FortiGate-5001SX module, see the FortiGate-5000 ser ies Har dwar e

Guide.

FortiGate-5001FA2 module

The FortiGate-5001FA2 module is an independent high-performance FortiGate security system with six Gigabit ethernet interfaces. The FortiGate-5001FA2 module is similar to the FortiGate-5001SX module except that two of the FortiGate-5001FA2 interfaces include Fortinet technology to accelerate small packet performance. For details about the FortiGate-5001FA2 module, see the FortiGate-5000 series

Hardware Guide.

-5001SX module

FortiGate-5002FB2 module

The FortiGate-5002FB2 module is an independent high-performance FortiGate security system with a total of 6 Gigabit ethernet interfaces. Two of the FortiGate-5002FB2 interfaces include Fortinet technology to accelerate small packet performance. For details about the FortiGate-5002FB2 module, see the

FortiGate-5000 series Hardware Guide.

FortiSwitch-5003 module

The FortiSwitch-5003 module provides HA heartbeat communication between FortiGate security modules installed in FortiGate-5140 or FortiGate-5050 chassis. The FortiSwitch-5003 module can also provide HA heartbeat communication between chassis. The FortiSwitch-5003 module is only used in FortiGate-5140 and FortiGate5050 chassis. For details about the FortiGate-5002FB2 mod ule, see the

FortiGate-5000 series Hardware Guide.

Document conventions

This guide uses the following conventions to describe command syntax.

• Angle brackets < > to indicate variables. For example:

execute restore config <filename_str>

You enter:

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 7

Document conventions Introduction

execute restore config myfile.bak <xxx_str> indicates an ASCII string that does not contain new-lines or carriage

returns.

<xxx_integer> indicates an integer string that is a decimal (base 10) nu m be r. <xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters

A-F.

<xxx_ipv4> indicates a dotted decimal IPv4 address. <xxx_v4mask> indicates a dotted decimal IPv4 netmask. <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted

decimal IPv4 netmask.

<xxx_ipv6> indicates a dotted decimal IPv6 address. <xxx_v6mask> indicates a dotted decimal IPv6 netmask. <xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted

decimal IPv6 netmask.

• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords.

For example:

set opmode {nat | transparent}

You can enter set opmode nat or set opmode transparent.

• Square brackets [ ] to indicate that a keyword or variable is optional. For example:

show system interface [<name_str>]

To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.

• A space to separate options that can be entered in any combination and must be separated by spaces.

For example:

set allowaccess {ping https ssh snmp http telnet}

You can enter any of the following:

set allowaccess ping set allowaccess ping https ssh set allowaccess https ping ssh set allowaccess snmp

In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply an d excluding all the options you want to remove.

8 01-28011-0259-20060210 Fortinet Inc.

Introduction Fortinet documentation

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at

http://docs.forticare.com.

Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at

http://kc.forticare.com.

The FortiGate Log Message Reference is available exclusively from the Fortinet

Knowledge Center, the FortiGate Log Message Reference describes the structure of

FortiGate log messages and provides info rm a tio n ab o ut th e log me ssa ge s th at ar e generated by FortiGate units.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 9

Customer service and technical support Introduction

10 01-28011-0259-20060210 Fortinet Inc.

FortiGate-5000 series Installation Guide Version 2.80 MR11

Configuring the FortiGate for the Network

This chapter provides an overview of the ope ra tin g mo de s of the F ort iG ate uni t. Before beginning to configure the FortiGate-5000 security system module, you need to plan how to integrate the unit into your network. Your configuration plan is dependent upon the operating mode that you select: NAT/Route mode or Transparent mode.

Note: Before using the information in this chapter to configure your FortiGate-5000 module refer to the FortiGate-5000 Series Hardware Guide to install and connect your FortiGate-5000 hardware components.

NAT/Route mode standalone configuration

In NAT/Route mode standalone configuration, each FortiGate-5000 module in the FortiGate chassis operates as a separate FortiGate antivirus firewall. Each of these FortiGate antivirus firewalls is visible to the networks that it is connected to.

For each FortiGate-5000 module, all interfaces are available for processing network traffic in NAT/Route mode. The IP address of each interface must be on a different subnet.

You can add firewall policies to control whether communications through the FortiGate-5000 module operate in NAT or Route mode. Firewall policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate-5000 module performs network address translation before it sends the packet to the destination network. In Route mode, ther e is no translation.

By default, the FortiGate blocks all network traffic until you add firewall policies. You typically use NAT/Route mode when the FortiGate-5000 module is operating as a

gateway between private and public networks. In this configuration, you would create NAT mode firewall policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 11

Configuring the FortiGate for the Network

Figure 1: Example NAT/Route mode standalone network configuration

Internal network

Port 1

192.168.1.99

STA IPM

Internet

Port 2

204.23.1.5

FortiGate-5001SX Module

in NAT/Route mode

USB

1 2 3 4 5 6 7 8

CONSOLE

PWRACC

192.168.1.3

Route mode policies controlling traffic between internal networks.

NAT mode policies controlling

traffic between internal and

external networks.

Port 3

10.10.10.1

DMZ network

10.10.10.2

Transparent mode standalone configuration

In Transparent mode standalone configuration, each FortiGate-5000 antivirus firewall module in the FortiGate chassis operates as a separate Transparent mode FortiGate antivirus firewall. Each of these FortiGate-5000 modules is invisible to the network. Similar to a network bridge, the FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.

Y o u typically use a FortiGate-5 000 antivirus firewall module in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate-5000 module performs most of the same firewall functions in Transparent mode as in NAT/Route mode.

Figure 2: Example Transparent mode standalone network configuration

FortiGate-5001SX Module

in Transparent mode

USB

1 2 3 4 5 6 7 8

CONSOLE

PWRACC

192.168.1.2

Management IP

STA IPM

Port 2

Internal network

192.168.1.3

Internet

Gateway to

public network

204.23.1.5

(firewall, router)

192.168.1.1

Port 1

HA configuration

You can group two or more FortiGate-5000 modules in a FortiGate chassis into an HA cluster. The HA cluster can operate in active-active mode or active-passive mode.

Note: When clustering FortiGate units, you must cluster the same modules together, for example, two or more FortiGate-5002FB2 modules. You cannot cluster one FortiGate-5001SX module and one FortiGate-5002FB2 module together.

An active-active HA cluster can increase virus scanning throughput by using load balancing to distribute virus scanning to all of the FortiGate units in the cluster.

Both HA modes provide supports link redundancy and device r edundancy.

12 01-28011-0259-20060210 Fortinet Inc.

Transparent mode policies controlling traffic between

internal and external networks

Configuring the FortiGate for the Ne tw o r k

Link redundancy

Device redundancy

If one of the links to a FortiGate unit in an HA cluster fails, all functions, all established firewall connections, and all IPSec VPN sessionsa are maintained by the other FortiGate units in the HA cluster.

If one of the FortiGate units in an HA cluster fails, all functions, all established firewall connections, and all IPSec VPN sessions are maintained by the other FortiGate units in the HA cluster.

a.HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.

Once the FortiGate-5000 modules are added to the HA cluster, the cluster functions on your network as a single module with n interfaces where n is the number of FortiGate-5000 modules multiplied by the available interfaces on the module. The cluster manages communication and load balancing between the modules.

You can operate an HA cluster in NAT/Route or Transparent mode. For more information on HA, see “High availability installation” on page 32.

Figure 3: HA network configuration in NAT/Route mode

Internal network

192.168.1.3

Route mode policies controlling traffic between internal networks.

Internet

FortiGate-5001SX HA cluster in in NAT/Route

mode in a FortiGate-5020 chassis

Port2

204.23.1.5

USB

1 2 3 4 5 6 7 8

CONSOLE

ACC

PWR

USB

1 2 3 4 5 6 7 8

CONSOLE

PWRACC

Port1

192.168.1.99

PSUA

PSU B

STA IPM

NAT mode policies controlling

traffic between internal and

external networks.

Figure 4: HA network configuration in Transparent mode

FortiGate-5001SX HA Cluster in Transparent

mode in a FortiGate-5020 chassis

PSUA

PSU B

STA IPM

Internet

Gateway to

public network

204.23.1.5

(firewall, router)

192.168.1.1

Port1

USB

1 2 3 4 5 6 7 8

CONSOLE

PWRACC

USB

1 2 3 4 5 6 7 8

CONSOLE

PWRACC

192.168.1.2

Management IP

Transparent mode policies

controlling traffic between

internal and external networks

Port 3

10.10.10.1

DMZ network

Port2

10.10.10.2

Internal network

192.168.1.3

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 13

Configuration options Configuring the FortiGate for the Network

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiGate unit. Choose among three different tools to configure the FortiGate modules.

Web-based manager and setup wizard

The FortiGate web-based manager is a full featured management tool. You can use the web-based manager to configure most FortiGate settings.

The web-based manager Setup Wizard guides you through the initial configuration steps. Use the Setup Wizard to configure the administrator password, the interface addresses, the default gateway address, and the DNS server addresses. Optionally, use the Setup Wizard to configure the internal server settings for NAT/Route mode.

To connect to the web-based manager you require:

• Ethernet conne ction be twe en th e FortiGa te mod ule and a mana gem ent computer.

• Internet Explorer version 6.0 or higher on the management computer.

CLI

The FortiGate CLI is a full-featured management tool. Use it to configure the administrator password, the interface addresses, the default gateway address, and the DNS server addresses. To connect to the CLI you require:

• Serial connection between the FortiGate module and a management computer.

• A terminal emulation application on the management computer.

If you are configuring the FortiGate antivirus firewall module to oper ate in T ransp arent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administr ation password, the manag ement IP address and gateway, and the DNS server addresses.

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.

To connect to the web-based manager, you need:

• a computer with an ethernet connection

• Internet Explorer version 6.0 or higher

• an optical fiber patch or copper ethernet cable required to connect port 1 of the FortiGate-5000 module to your network

Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 6.0 or higher.

14 01-28011-0259-20060210 Fortinet Inc.

Configuring the FortiGate for the Network Connecting to the web-based manager

By default, you can connect to the web-based manager using the FortiGate-5000 module port 1. If you cannot connect port 1 to your network, you can use the FortiGate CLI to add an IP address to one of the other FortiGate module ports.

Note: You may not be able to connect port 1 to your network if port 1 is an optical interface and you do not have access to an optical network) you can change.

Connecting to the web-based manager using port 1

1 Set the IP address of the computer with an ethernet connection to the static IP

address 192.168.1.2 and a netmask of 255.255.255.0.

2 Connect the port 1 of the FortiGate unit to your optical network. 3 Connect the interface of the computer to the sam e net wor k. 4 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to

include the “s” in https://). The FortiGate login is displayed.

5 Type admin in the Name field and select Login.

To connect to the web-based manager using interface 5

1 Connect to the FortiGate-5000 module command line interface (C LI) see, “Connecting

to the command line interface (CLI)” on page 16.

2 Set the IP address and netmask of port 1 to an IP address accessible by the computer

with an ethernet connection and configure port 1 to allow HTTPS management connections.

config system interface

edit port1

set ip <IP_address> <netmask> set allowaccess https

end

Example

To set the IP address of port 1 to 192.168.20.99 and netmask to 255.255.255.0, enter:

config system interface

edit port1

set ip 192.168.20.99 255.255.255.0 set allowaccess https

end

Note: The default IP address of the port 1 is 192.168.1.99 and the default IP address of the interface 2 is 192.168.100.99. You cannot set the IP address of interface 5 to be on the same subnets as port 1 and 2.

3 Set the IP address of the computer with an ethernet connection to a static IP address

on the same subnet as interface 5.

4 Connect port 1 to the same network as the management computer. 5 Star t Internet Explorer and browse to the address https://<IP_address> (remember to

include the “s” in https://). The FortiGate login is displayed.

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 15

Connecting to the command line interface (CLI) Configuring th e FortiGate for the Network

Figure 5: FortiGate login

6 Type admin in the Name field and select Login.

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.

To connect to the FortiGate CLI, you need:

• a computer with an available communication s port

• the serial cable included in your FortiGate package

• terminal emulation software such as HyperTerminal for Windows

Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI

1 Connect the serial cable to the communications port of your computer and to the

FortiGate Console port.

Caution: Make sure that you do not accidentally open the extraction lever when connecting the serial cable to the FortiGate-5000 module. If this extraction lever is opened the module could power down or reboot.

2 Make sure that the FortiGate chassis is powered on. 3 Start HyperTerminal, enter a name for the connection, and select OK. 4 Configure HyperTerminal to connect directly to the communications port on your

computer and select OK.

5 Select the following port settings and select OK.

16 01-28011-0259-20060210 Fortinet Inc.

Configuring the FortiGate for the Network NAT/Route mode installation

Bits per second 9600 Data bits 8 Parity None Stop b its 1 Flow control None

6 Press Enter to connect to the FortiGate CLI.

A prompt similar to the following is displayed: FortiGate-5001 login:

7 Type admin and press Enter twice.

The following prompt is displayed:

Welcome ! Type ? to list available commands. For information about how to use the CLI, see the

FortiGate CLI Reference Guide.

NAT/Route mode installation

This section describes how to install the FortiGate-5000 module in NAT/Route mode. For information about installing a FortiGate-5000 module in Transparent mode, see

“NAT/Route mode installation” on page 17. For information about installing two or

more FortiGate-5000 module in HA mode, see “High availability installation” on

page 32. For more information about installing the FortiGate-5000 module in

NAT/Route mode, see “Configuring the FortiGate for the Network” on page 11. This section describes:

• Preparing to configure the FortiGate module in NAT/Route mode

• Using the web-based manager

• Using the command line interface

• Using the setup wizard

• Connecting the FortiGate unit to the network(s)

• Configuring the networks

• Next steps

Preparing to configure the FortiGate module in NAT/Route mode

Use Table 1 to gather the informa tio n th at yo u ne ed t o custo m ize NAT/Route mode settings.

You can configure the FortiGate-5000 module in seve ral ways:

• the web-based manager GUI is a complete inte rface for co nfigur ing most setting s. See “Using the web-based manager” on page 19.

• the command l ine interface (CLI) is a comp lete text-based interfa ce for configuring all settings. See “Using the command line interface” on page 20.

• the setup wizard provides easy, fast configuration of the most basic settings to get the unit up and running quickly. See “Using the setup wizard” on page 23.

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 17

NAT/Route mode installation Configuring the FortiGate for the Network

The method that you choose depends on the complexity of the configuration, access and equipment, and the type of interface you are most comfortable using.

Table 1: NAT/Route mode settings

Administrator Password:

Port 1

Port 2

Port 3

Port 4

Port 5

Port 6

Port 7 (FortiGate-5001SX and FortiGate-5001FA2 only)

Port 8 (FortiGate-5001SX and FortiGate-5001FA2 only)

IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____

IP: _____._____._____._____ Netmask: _____._____._____._____

Default Gateway: _____._____._____._____ Interface connected to

external network (usually port2):

Network settings

18 01-28011-0259-20060210 Fortinet Inc.

A default route consists of a default gateway and the name of the interface connected to the external network (usually the Internet). The default gateway directs all non-local traffic to this interface and to the external network.

Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____

Configuring the FortiGate for the Network NAT/Route mode installation

DHCP or PPPoE configuration

You can configure any FortiGate interface to acquire its IP address from a DHCP or PPPoE server. Your ISP may provide IP addresses using one of these protocols.

To use the FortiGate DHCP server, you need to configure an IP address range and default route for the server . No configuration information is required for inter faces that are configured to use DHCP.

PPPoE requires you to supply a user name and password. In addition, PPPoE unnumbered configurations require you to supply an IP address. Use Table 2 to record the information you require for your PPPoE configuration.

Table 2: PPPoE settings

User name: Password:

Using the web-based manager

Y ou ca n use the web-base d manager for the in itial configuration of the FortiGate-5000 module. You can also continue to use the web-based manager for all FortiGate unit settings.

For information about connecting to the web-based manager, see “Connecting to the

web-based manager” on page 14.

Configuring basic settings

After connecting to the web-based manager you can use the following procedures to complete the basic configuration of the FortiGate-5000 module.

To add/change the administrator password

1 Go to System > Admin > Administrators. 2 Select the Change Password icon for the admin administrator. 3 Enter the new password and enter it again to confirm. 4 Select OK.

To configure interfaces

1 Go to System > Network > Interface. 2 Select the edit icon for an interface.

FortiGate-5000 series Installation Guide 01-28011-0259-20060210 19

NAT/Route mode installation Configuring the FortiGate for the Network

3 Set the addressing mode for the interface.

Choose from manual, DHCP, or PPPoE.

4 Complete the addressing configuration.

• For manual addressing, enter the IP address and netmask for the interface.

• For DHCP addressing, select DHCP and any required settings.

• For PPPoE addressing, select PPPoE, and enter the username and password and any other required settings.

For information about how to configure these and other interface settings, see the FortiGate online help or the FortiGate Administration Guide.

5 Select OK. 6 Repeat this procedure for each interface.

Note: If you change the IP address of the interface you are connecting to, you must connect

through a web browser again using the new address. Browse to https:// followed by the new IP address of the interface. If the new IP address of the interface is on a different subnet, you may have to change the IP address of your computer to the same subnet.

To configure DNS server settings

1 Go to System > Network > DNS. 2 Enter the IP address of the primary DNS server. 3 Enter the IP address of the secondary DNS server. 4 Select OK.

To add a default route

Add a default route to configure where the FortiGate-5000 module sends traffic destined for an external network (usually the Internet). Adding the default route also defines which interface is connected to an external network. The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE.

1 Go to System > Router > Static. 2 If the Static Route table contains a default route (IP and Mask set to 0.0.0.0), select

the Delete icon to delete this route.

3 Select Create New. 4 Set Destination IP to 0.0.0.0. 5 Set Mask to 0.0.0.0. 6 Set Gateway to the default gateway IP address. 7 Set Device to the interface connected to the external network. 8 Select OK.

Using the command line interface

You can also configure the FortiGate-5000 modu le using the command line interface (CLI). For information about connecting to the CLI, see “Connecting to the command

line interface (CLI)” on page 16.

20 01-28011-0259-20060210 Fortinet Inc.

+ 44 hidden pages

Fortinet FortiGate FortiGate-5001FA2, FortiGate-5001SX, FortiGate-5002FB2, FortiGate-5020, FortiGate-5050 Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual