Fortinet FortiGate FortiGate-60R, FortiGate 60R Installation And Configuration Manual

FortiGate 60R
Installation and
Configuration Guide
INTERNAL
PWR STATUS
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
Version 2.50 MR2
18 August 2003
DMZ4321
WAN1 WAN2
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Table of Contents
Introduction .......................................................................................................... 13
Antivirus protection ........................................................................................................... 13
Web content filtering ......................................................................................................... 14
Email filtering .................................................................................................................... 14
Firewall.............................................................................................................................. 15
NAT/Route mode .......................................................................................................... 15
Transparent mode......................................................................................................... 16
Network intrusion detection............................................................................................... 16
VPN................................................................................................................................... 16
Secure installation, configuration, and management ........................................................ 17
Web-based manager .................................................................................................... 17
Command line interface ................................................................................................ 18
Logging and reporting ................................................................................................... 19
What’s new in Version 2.50 .............................................................................................. 19
System administration................................................................................................... 19
Firewall.......................................................................................................................... 20
Users and authentication .............................................................................................. 20
VPN............................................................................................................................... 20
NIDS ............................................................................................................................. 21
Antivirus ........................................................................................................................ 21
Web Filter...................................................................................................................... 21
Email filter ..................................................................................................................... 21
Logging and Reporting.................................................................................................. 21
About this document ......................................................................................................... 22
Document conventions ..................................................................................................... 23
Fortinet documentation ..................................................................................................... 24
Comments on Fortinet technical documentation........................................................... 24
Customer service and technical support........................................................................... 25
Contents
Getting started ..................................................................................................... 27
Package contents ............................................................................................................. 28
Mounting ........................................................................................................................... 28
Powering on...................................................................................................................... 29
Connecting to the web-based manager............................................................................ 30
Connecting to the command line interface (CLI)............................................................... 31
Factory default FortiGate configuration settings ............................................................... 31
Factory Default DHCP configuration............................................................................. 32
Factory default NAT/Route mode network configuration .............................................. 33
Factory default Transparent mode network configuration............................................. 33
Factory default firewall configuration ............................................................................ 34
Factory default content profiles..................................................................................... 35
FortiGate-60R Installation and Configuration Guide 3
Contents
Planning your FortiGate configuration .............................................................................. 37
NAT/Route mode .......................................................................................................... 37
Transparent mode......................................................................................................... 38
Configuration options .................................................................................................... 39
FortiGate model maximum values matrix ......................................................................... 40
Next steps......................................................................................................................... 41
NAT/Route mode installation.............................................................................. 43
Installing the FortiGate unit using the default configuration .............................................. 43
Changing the default configuration ............................................................................... 44
Preparing to configure NAT/Route mode.......................................................................... 44
Advanced NAT/Route mode settings............................................................................ 45
DMZ interface ............................................................................................................... 45
Using the setup wizard...................................................................................................... 46
Starting the setup wizard .............................................................................................. 46
Reconnecting to the web-based manager .................................................................... 46
Using the command line interface..................................................................................... 46
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 46
Connecting the FortiGate unit to your networks................................................................ 48
Configuring your networks ................................................................................................ 49
Completing the configuration ............................................................................................ 50
Configuring the DMZ interface ...................................................................................... 50
Configuring the WAN2 interface ................................................................................... 50
Setting the date and time .............................................................................................. 50
Changing antivirus protection ....................................................................................... 50
Registering your FortiGate............................................................................................ 51
Configuring virus and attack definition updates ............................................................ 51
Configuration example: Multiple connections to the Internet ............................................ 51
Configuring Ping servers............................................................................................... 52
Destination based routing examples............................................................................. 53
Policy routing examples ................................................................................................ 56
Firewall policy example................................................................................................. 57
Transparent mode installation............................................................................ 59
Preparing to configure Transparent mode ........................................................................ 59
Using the setup wizard...................................................................................................... 60
Changing to Transparent mode .................................................................................... 60
Starting the setup wizard .............................................................................................. 60
Reconnecting to the web-based manager .................................................................... 60
Using the command line interface..................................................................................... 61
Changing to Transparent mode .................................................................................... 61
Configuring the Transparent mode management IP address ....................................... 61
Configure the Transparent mode default gateway........................................................ 61
Connecting the FortiGate unit to your networks................................................................ 62
4 Fortinet Inc.
Completing the configuration ............................................................................................ 63
Setting the date and time .............................................................................................. 63
Enabling antivirus protection......................................................................................... 63
Registering your FortiGate............................................................................................ 63
Configuring virus and attack definition updates ............................................................ 64
Transparent mode configuration examples....................................................................... 64
Default routes and static routes .................................................................................... 64
Example default route to an external network............................................................... 65
Example static route to an external destination ............................................................ 66
Example static route to an internal destination ............................................................. 69
System status....................................................................................................... 71
Changing the FortiGate host name................................................................................... 72
Changing the FortiGate firmware...................................................................................... 72
Upgrade to a new firmware version .............................................................................. 73
Revert to a previous firmware version .......................................................................... 74
Install a firmware image from a system reboot using the CLI ....................................... 77
Test a new firmware image before installing it .............................................................. 79
Manual virus definition updates ........................................................................................ 81
Manual attack definition updates ...................................................................................... 82
Displaying the FortiGate serial number............................................................................. 82
Displaying the FortiGate up time....................................................................................... 82
Backing up system settings .............................................................................................. 82
Restoring system settings................................................................................................. 83
Restoring system settings to factory defaults ................................................................... 83
Changing to Transparent mode ........................................................................................ 83
Changing to NAT/Route mode.......................................................................................... 84
Restarting the FortiGate unit............................................................................................. 84
Shutting down the FortiGate unit ...................................................................................... 84
System status ................................................................................................................... 85
Viewing CPU and memory status ................................................................................. 85
Viewing sessions and network status ........................................................................... 86
Viewing virus and intrusions status............................................................................... 87
Session list........................................................................................................................ 88
Contents
Virus and attack definitions updates and registration ..................................... 89
Updating antivirus and attack definitions .......................................................................... 89
Connecting to the FortiResponse Distribution Network ................................................ 90
Configuring scheduled updates .................................................................................... 91
Configuring update logging ........................................................................................... 92
Adding an override server............................................................................................. 93
Manually updating antivirus and attack definitions........................................................ 93
Configuring push updates ............................................................................................. 93
Push updates through a NAT device ............................................................................ 94
Scheduled updates through a proxy server .................................................................. 98
FortiGate-60R Installation and Configuration Guide 5
Contents
Registering FortiGate units ............................................................................................... 99
FortiCare Service Contracts.......................................................................................... 99
Registering the FortiGate unit ..................................................................................... 100
Updating registration information .................................................................................... 102
Recovering a lost Fortinet support password.............................................................. 102
Viewing the list of registered FortiGate units .............................................................. 102
Registering a new FortiGate unit ................................................................................ 103
Adding or changing a FortiCare Support Contract number......................................... 103
Changing your Fortinet support password .................................................................. 104
Changing your contact information or security question ............................................. 104
Downloading virus and attack definitions updates ...................................................... 104
Registering a FortiGate unit after an RMA...................................................................... 105
Network configuration....................................................................................... 107
Configuring interfaces ..................................................................................................... 107
Viewing the interface list ............................................................................................. 108
Bringing up an interface .............................................................................................. 108
Changing an interface static IP address ..................................................................... 108
Adding a secondary IP address to an interface .......................................................... 108
Adding a ping server to an interface ........................................................................... 109
Controlling management access to an interface ......................................................... 109
Configuring traffic logging for connections to an interface .......................................... 110
Configuring the wan1 and wan2 interfaces with a static IP address........................... 110
Configuring the wan1 or wan2 interfaces for DHCP ................................................... 110
Configuring the wan1 and wan2 interfaces for PPPoE ............................................... 111
Changing the wan1 and wan2 interface MTU size to improve network performance. 111
Configuring the management interface (Transparent mode) ...................................... 112
Adding DNS server IP addresses ................................................................................... 113
Configuring routing.......................................................................................................... 113
Adding a default route................................................................................................. 114
Adding destination-based routes to the routing table.................................................. 114
Adding routes in Transparent mode............................................................................ 115
Configuring the routing table....................................................................................... 116
Policy routing .............................................................................................................. 116
Providing DHCP services to your internal network ......................................................... 117
RIP configuration ............................................................................................... 119
RIP settings..................................................................................................................... 120
Configuring RIP for FortiGate interfaces......................................................................... 122
Adding RIP neighbors..................................................................................................... 123
6 Fortinet Inc.
Adding RIP filters ............................................................................................................ 124
Adding a single RIP filter............................................................................................. 124
Adding a RIP filter list.................................................................................................. 125
Adding a neighbors filter ............................................................................................. 126
Adding a routes filter ................................................................................................... 126
System configuration ........................................................................................ 127
Setting system date and time.......................................................................................... 127
Changing web-based manager options .......................................................................... 128
Adding and editing administrator accounts..................................................................... 130
Adding new administrator accounts ............................................................................ 130
Editing administrator accounts.................................................................................... 131
Configuring SNMP .......................................................................................................... 132
Configuring the FortiGate unit for SNMP monitoring .................................................. 132
Configuring FortiGate SNMP support ......................................................................... 132
FortiGate MIBs............................................................................................................ 133
FortiGate traps ............................................................................................................ 134
Customizing replacement messages.............................................................................. 134
Customizing replacement messages .......................................................................... 135
Customizing alert emails............................................................................................. 136
Contents
Firewall configuration........................................................................................ 139
Default firewall configuration........................................................................................... 140
Interfaces .................................................................................................................... 140
Addresses ................................................................................................................... 140
Services ...................................................................................................................... 141
Schedules ................................................................................................................... 141
Content profiles........................................................................................................... 141
Adding firewall policies.................................................................................................... 142
Firewall policy options................................................................................................. 143
Configuring policy lists .................................................................................................... 147
Policy matching in detail ............................................................................................. 147
Changing the order of policies in a policy list.............................................................. 147
Enabling and disabling policies................................................................................... 148
Addresses ....................................................................................................................... 148
Adding addresses ....................................................................................................... 149
Editing addresses ....................................................................................................... 150
Deleting addresses ..................................................................................................... 150
Organizing addresses into address groups ................................................................ 150
Services .......................................................................................................................... 151
Predefined services .................................................................................................... 151
Providing access to custom services .......................................................................... 154
Grouping services ....................................................................................................... 154
FortiGate-60R Installation and Configuration Guide 7
Contents
Schedules ....................................................................................................................... 155
Creating one-time schedules ...................................................................................... 155
Creating recurring schedules ...................................................................................... 156
Adding a schedule to a policy ..................................................................................... 157
Virtual IPs........................................................................................................................ 158
Adding static NAT virtual IPs ...................................................................................... 158
Adding port forwarding virtual IPs ............................................................................... 159
Adding policies with virtual IPs.................................................................................... 161
IP pools........................................................................................................................... 162
Adding an IP pool........................................................................................................ 162
IP Pools for firewall policies that use fixed ports ......................................................... 163
IP pools and dynamic NAT ......................................................................................... 163
IP/MAC binding ............................................................................................................... 164
Configuring IP/MAC binding for packets going through the firewall ............................ 164
Configuring IP/MAC binding for packets going to the firewall ..................................... 165
Adding IP/MAC addresses.......................................................................................... 165
Viewing the dynamic IP/MAC list ................................................................................ 166
Enabling IP/MAC binding ............................................................................................ 166
Content profiles............................................................................................................... 167
Default content profiles ............................................................................................... 168
Adding a content profile .............................................................................................. 168
Adding a content profile to a policy ............................................................................. 169
Users and authentication .................................................................................. 171
Setting authentication timeout......................................................................................... 172
Adding user names and configuring authentication ........................................................ 172
Adding user names and configuring authentication .................................................... 172
Deleting user names from the internal database ........................................................ 173
Configuring RADIUS support .......................................................................................... 174
Adding RADIUS servers ............................................................................................. 174
Deleting RADIUS servers ........................................................................................... 174
Configuring LDAP support .............................................................................................. 175
Adding LDAP servers.................................................................................................. 175
Deleting LDAP servers................................................................................................ 176
Configuring user groups.................................................................................................. 177
Adding user groups..................................................................................................... 177
Deleting user groups................................................................................................... 178
IPSec VPN........................................................................................................... 179
Key management............................................................................................................ 180
Manual Keys ............................................................................................................... 180
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 180
8 Fortinet Inc.
Manual key IPSec VPNs................................................................................................. 181
General configuration steps for a manual key VPN .................................................... 181
Adding a manual key VPN tunnel ............................................................................... 181
AutoIKE IPSec VPNs ...................................................................................................... 183
General configuration steps for an AutoIKE VPN ....................................................... 183
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 183
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 187
Managing digital certificates............................................................................................ 189
Obtaining a signed local certificate ............................................................................. 189
Obtaining a CA certificate ........................................................................................... 193
Configuring encrypt policies............................................................................................ 194
Adding a source address ............................................................................................ 195
Adding a destination address...................................................................................... 195
Adding an encrypt policy............................................................................................. 195
IPSec VPN concentrators ............................................................................................... 197
VPN concentrator (hub) general configuration steps .................................................. 197
Adding a VPN concentrator ........................................................................................ 199
VPN spoke general configuration steps...................................................................... 200
Redundant IPSec VPNs.................................................................................................. 201
Configuring redundant IPSec VPN ............................................................................. 201
Monitoring and Troubleshooting VPNs ........................................................................... 203
Viewing VPN tunnel status.......................................................................................... 203
Viewing dialup VPN connection status ....................................................................... 203
Testing a VPN............................................................................................................. 204
Contents
PPTP and L2TP VPN .......................................................................................... 205
Configuring PPTP ........................................................................................................... 205
Configuring the FortiGate unit as a PPTP gateway .................................................... 206
Configuring a Windows 98 client for PPTP ................................................................. 208
Configuring a Windows 2000 client for PPTP ............................................................. 209
Configuring a Windows XP client for PPTP ................................................................ 210
Configuring L2TP............................................................................................................ 211
Configuring the FortiGate unit as a L2TP gateway ..................................................... 212
Configuring a Windows 2000 client for L2TP.............................................................. 215
Configuring a Windows XP client for L2TP ................................................................. 216
FortiGate-60R Installation and Configuration Guide 9
Contents
Network Intrusion Detection System (NIDS) ................................................... 219
Detecting attacks ............................................................................................................ 219
Selecting the interfaces to monitor.............................................................................. 220
Disabling the NIDS...................................................................................................... 220
Configuring checksum verification .............................................................................. 220
Viewing the signature list ............................................................................................ 221
Viewing attack descriptions......................................................................................... 221
Enabling and disabling NIDS attack signatures .......................................................... 222
Adding user-defined signatures .................................................................................. 222
Preventing attacks .......................................................................................................... 223
Enabling NIDS attack prevention ................................................................................ 223
Enabling NIDS attack prevention signatures .............................................................. 224
Setting signature threshold values.............................................................................. 224
Configuring synflood signature values ........................................................................ 226
Logging attacks............................................................................................................... 226
Logging attack messages to the attack log................................................................. 226
Reducing the number of NIDS attack log and email messages.................................. 227
Antivirus protection........................................................................................... 229
General configuration steps............................................................................................ 229
Antivirus scanning........................................................................................................... 230
File blocking.................................................................................................................... 231
Blocking files in firewall traffic ..................................................................................... 231
Adding file patterns to block........................................................................................ 231
Blocking oversized files and emails ................................................................................ 232
Configuring limits for oversized files and email........................................................... 232
Exempting fragmented email from blocking.................................................................... 232
Viewing the virus list ....................................................................................................... 232
Web filtering ....................................................................................................... 233
General configuration steps............................................................................................ 233
Content blocking ............................................................................................................. 234
Adding words and phrases to the banned word list .................................................... 234
URL blocking................................................................................................................... 235
Using the FortiGate web filter ..................................................................................... 235
Using the Cerberian web filter..................................................................................... 238
Script filtering .................................................................................................................. 240
Enabling the script filter............................................................................................... 240
Selecting script filter options ....................................................................................... 240
Exempt URL list .............................................................................................................. 241
Adding URLs to the exempt URL list .......................................................................... 241
Email filter........................................................................................................... 243
General configuration steps............................................................................................ 243
10 Fortinet Inc.
Email banned word list.................................................................................................... 244
Adding words and phrases to the banned word list .................................................... 244
Email block list ................................................................................................................ 245
Adding address patterns to the email block list........................................................... 245
Email exempt list............................................................................................................. 245
Adding address patterns to the email exempt list ....................................................... 246
Adding a subject tag ....................................................................................................... 246
Logging and reporting....................................................................................... 247
Recording logs................................................................................................................ 247
Recording logs on a remote computer ........................................................................ 248
Recording logs on a NetIQ WebTrends server ........................................................... 248
Recording logs in system memory.............................................................................. 249
Filtering log messages .................................................................................................... 249
Configuring traffic logging ............................................................................................... 251
Enabling traffic logging................................................................................................ 251
Configuring traffic filter settings................................................................................... 252
Adding traffic filter entries ........................................................................................... 252
Viewing logs saved to memory ....................................................................................... 253
Viewing logs................................................................................................................ 253
Searching logs ............................................................................................................ 254
Configuring alert email .................................................................................................... 254
Adding alert email addresses...................................................................................... 254
Testing alert email....................................................................................................... 255
Enabling alert email .................................................................................................... 255
Contents
Glossary ............................................................................................................. 257
Index .................................................................................................................... 261
FortiGate-60R Installation and Configuration Guide 11
Contents
12 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
Introduction
The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.
The FortiGate-60 model is ideally suited for small businesses, remote offices, retail stores, and broadband telecommuter sites. The FortiGate-60 Antivirus Firewall features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch. Networked devices connect directly to the FortiGate-60 unit.
The FortiGate-60R is limited to a maximum of 12 users.
Antivirus protection
FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards an replacement message to the intended recipient.
FortiGate-60R Installation and Configuration Guide 13
Web content filtering Introduction
For extra protection, you also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses.
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period.
The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in e-mail that has been encoded using uuencode format,
detect viruses in e-mail that has been encoded using MIME encoding,
log all actions taken while scanning.
Web content filtering
FortiGate web content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. If a match is found between a URL on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the FortiGate blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can be configured to block unsecure web content such as Java Applets, Cookies, and ActiveX.
You can also use the Cerberian URL blocking to block unwanted URLs.
Email filtering
FortiGate Email filtering can be configured to scan all IMAP and POP3 email content for unwanted senders or for unwanted content. If a match is found between a sender address pattern on the Email block list, or if an email is found to contain a word or phrase in the banned word list, the FortiGate adds a Email tag to subject line of the email. Receivers can then use their mail client software to filter messages based on the Email tag.
14 Fortinet Inc.
Introduction Firewall
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
Firewall
The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen for and secure corporate networks against a wide range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network address translation (NAT) mode and Route mode policies,
include Mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address translation.
FortiGate-60R Installation and Configuration Guide 15
Network intrusion detection Introduction
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.
Network intrusion detection
The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity. NIDS detection uses attack signatures to identify over 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packet­based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.
VPN
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates.
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
FortiGate VPN features include the following:
Industry standard and ICSA-certified IPSec VPN including:
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key based on pre-shared key tunnels,
IPSec VPN using local or CA certificates,
Manual Keys tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection.
16 Fortinet Inc.
Introduction Secure installation, configuration, and management
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGate unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.
Secure installation, configuration, and management
Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web-based manager to customize advanced FortiGate features to meet your needs.
You can also create a basic configuration using the FortiGate command line interface (CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPs administration from any FortiGate interface.
You can use the web-based manager for most FortiGate configuration settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time.
FortiGate-60R Installation and Configuration Guide 17
Secure installation, configuration, and management Introduction
Figure 1: The FortiGate web-based manager and setup wizard
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.
18 Fortinet Inc.
Introduction What’s new in Version 2.50
Logging and reporting
The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the NIDS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.
What’s new in Version 2.50
This section presents a brief summary of some of the new features in FortiOS v2.50:
System administration
Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See “System status” on page 85.
Revised antivirus and attack definition update functionality that connects to a new version of the FortiResponse Distribution network. Updates can now be scheduled hourly and the System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions” on page 89.
Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units” on page 99.
Network configuration
New interface configuration options. See “Configuring interfaces” on page 107.
Ping server and dead gateway detection for all interfaces.
HTTP and Telnet administrative access to any interface.
Secondary IP addresses for all FortiGate interfaces.
Routing
Simplified direction-based routing configuration.
Advanced policy routing (CLI only).
FortiGate-60R Installation and Configuration Guide 19
What’s new in Version 2.50 Introduction
DHCP server
Addition of a WINS server to DHCP configuration.
Reserve IP/MAC pair combinations for DHCP servers (CLI only).
RIP
New RIP v1 and v2 functionality. See “RIP configuration” on page 119.
SNMP
SNMP v1 and v2 support.
Support for RFC 1213 and RFC 2665
Monitoring of all FortiGate configuration and functionality
•See “Configuring SNMP” on page 132
Replacement messages
You can customize messages sent by the FortiGate unit:
When a virus is detected,
When a file is blocked,
When a fragmented email is blocked
When an alert email is sent
See “Customizing replacement messages” on page 134.
Firewall
The firewall default configuration has changed. See “Default firewall configuration”
on page 140.
Add virtual IPs to all interfaces. See “Virtual IPs” on page 158.
Add content profiles to firewall policies to configure blocking, scanning, quarantine, web content blocking, and email filtering. See “Content profiles” on page 167.
Users and authentication
LDAP authentication. See “Configuring LDAP support” on page 175.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN functionality. New features include:
•Phase 1
AES encryption
Certificates
Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
•Phase 2
AES encryption
Encryption policies select service
Generate and import local certificates
Import CA certificates
20 Fortinet Inc.
Introduction What’s new in Version 2.50
NIDS
See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:
Attack detection signature groups
User-configuration attack prevention
Monitor multiple interfaces for attacks
User-defined attack detection signatures
Antivirus
See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include:
Content profiles
Blocking oversized files
Web Filter
See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality. New features include:
Cerberian URL Filtering
Email filter
See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality.
Logging and Reporting
See the FortiGate Logging and Message Reference Guide for a complete description of FortiGate logging.
Log to remote host CSV format
Log message levels: Emergency, Alert, critical, error, Warning, notification, information
Log level policies
Traffic log filter
New antivirus, web filter, and email filter logs
Alert email supports authentication
Suppress email flooding
Extended WebTrends support for graphing activity
FortiGate-60R Installation and Configuration Guide 21
About this document Introduction
About this document
This installation and configuration guide describes how to install and configure the FortiGate-60. This document contains the following information:
Getting started describes unpacking, mounting, and powering on the FortiGate.
NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.
System status describes how to view the current status of your FortiGate unit and related status procedures including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.
Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support webs site and for registering your FortiGate unit.
Network configuration describes configuring interfaces, configuring routing, and configuring the FortiGate as a DHCP server for your internal network.
RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings.
System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changed administrative users, configuring SNMP, and editing replacement messages.
Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic.
Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users.
IPSec VPN describes how to configure FortiGate IPSec VPN.
PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a windows client.
Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks.
Antivirus protection describes how use the FortiGate to protect your network from viruses and worms.
Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate.
Email filter describes how to configure email filtering to screen unwanted email content.
Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate.
•The Glossary defines many of the terms used in this document.
22 Fortinet Inc.
Introduction Document conventions
Document conventions
This guide uses the following conventions to describe CLI command syntax.
angle brackets < > to indicate variable keywords For example:
execute restore config <filename_str> You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword. <xxx_integer> indicates an integer variable keyword. <xxx_ip> indicates an IP address variable keyword.
vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent} You can enter set system opmode nat or set system opmode
transparent
square brackets [ ] to indicate that a keyword is optional For example:
get firewall ipmacbinding [dhcpipmac] You can enter get firewall ipmacbinding or
get firewall ipmacbinding dhcpipmac
FortiGate-60R Installation and Configuration Guide 23
Fortinet documentation Introduction
Fortinet documentation
Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre­shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
24 Fortinet Inc.
Introduction Customer service and technical support
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland
America and South America.
Malaysia, all other Asian countries, and Australia.
Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
Your name
Company name
•Location
Email address
Telephone number
FortiGate unit serial number
FortiGate model
FortiGate FortiOS firmware version
Detailed description of the problem
FortiGate-60R Installation and Configuration Guide 25
Customer service and technical support Introduction
26 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
If you are going to operate the FortiGate unit in NAT/Route mode, go to
“NAT/Route mode installation” on page 43.
If you are going to operate the FortiGate unit in Transparent mode, go to
“Transparent mode installation” on page 59.
This chapter describes:
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Planning your FortiGate configuration
FortiGate model maximum values matrix
Next steps
FortiGate-60R Installation and Configuration Guide 27
Package contents Getting started
Package contents
The FortiGate-60 package contains the following items:
FortiGate-60 Antivirus Firewall
one orange crossover ethernet cable
one gray regular ethernet cable
one null modem cable
FortiGate-60 Quick Start Guide
CD containing the FortiGate user documentation
one power cable and AC adapter
Figure 2: FortiGate-60 package contents
Front
Mounting
Ethernet Cables:
Orange - Crossover
Grey - Straight-through
Null-Modem Cable
(RS-232)
PWR STATUS
Power
LED
INTERNAL
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
Status
LED
Internal
Interface
DMZ
Interface
DMZ4321
WAN1 WAN2
WAN 1,2 Interface
Back
Power Cable Power Supply
FortiGate-60
INTERNAL
DMZ4321
WAN1 WAN2
PWR STATUS
USER MANUAL
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
QuickStart Guide
Copyright 2003 Fortinet Incorporated. All rights reserved. Trademarks Products mentioned in this document are trademarks.
Documentation
DC+12V
Power
Connection
RS-232 Serial
Connection
Console
USB
USB
(future)
WAN2 WAN1 DMZ
WAN2
WAN1
DMZ
1234
Internal
Internal Interface, switch connectors
1,2,3,4
The FortiGate-60 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Dimensions
8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight
1.5 lb. (0.68 kg)
28 Fortinet Inc.
Getting started Powering on
Power requirements
DC input voltage: 12 V
DC input current: 3 A
Environmental specifications
Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing
Powering on
To power on the FortiGate-60 unit:
1 Connect the AC adapter to the power connection at the back of the FortiGate-60 unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
The FortiGate-60 unit starts up. The Power and Status lights light.
Table 1: FortiGate-60 LED indicators
LED State Description
Power Green The FortiGate unit is powered on.
Off The FortiGate unit is powered off.
Status Red The FortiGate unit is starting up.
Off The FortiGate unit is running normally.
Off The FortiGate unit is powered off.
Link
(Internal DMZ WAN1 WAN2)
100
(Internal DMZ WAN1 WAN2)
Green The correct cable is in use and the connected
equipment has power.
Flashing Green Network activity at this interface.
Off No link established.
Green The interface is connected at 100 Mbps.
FortiGate-60R Installation and Configuration Guide 29
Connecting to the web-based manager Getting started
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service.
To connect to the web-based manager, you need:
a computer with an ethernet connection,
Internet Explorer version 4.0 or higher,
an ethernet cable.
a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP
address 192.168.1.2 and a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address
automatically using DHCP. The FortiGate DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2 Using the ethernet cable, connect the Internal interface of the FortiGate unit to the
computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to
include the “s” in https://). The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 3: FortiGate login
30 Fortinet Inc.
Getting started Connecting to the command line interface (CLI)
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service.
To connect to the FortiGate CLI, you need:
a computer with an available communications port,
the null modem cable included in your FortiGate package,
terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI:
1 Connect the null modem cable to the communications port of your computer and to
the FortiGate Console port.
2 Make sure that the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
6 Press Enter to connect to the FortiGate CLI.
The following prompt appears:
FortiGate-60 login:
7 Type admin and press Enter twice.
The following prompt appears:
Type ? for a list of commands.
For information on how to use the CLI, see the FortiGate CLI Reference Guide.
Factory default FortiGate configuration settings
The FortiGate unit is shipped with a factory default configuration. This default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto your network. To configure the FortiGate unit onto your network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configuring routing if required.
FortiGate-60R Installation and Configuration Guide 31
Factory default FortiGate configuration settings Getting started
If you are planning on operating the FortiGate unit in Transparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to quickly apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic controlled by firewall policies.
Factory Default DHCP configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Factory Default DHCP configuration
When the FortiGate unit is first powered on, the WAN1 interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiGate unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiGate unit DHCP server. For more information about the FortiGate DHCP server, see “Providing DHCP services to your
internal network” on page 117.
Table 2: FortiGate DHCP Server default configuration
Enable DHCP ;
Starting IP 192.168.1.1
Ending IP 192.168.1.254
Netmask 255.255.255.0
Lease Duration 604800 seconds
Default Route 192.168.1.99
Exclusion Range 192.168.1.99 - 192.168.1.99
32 Fortinet Inc.
Getting started Factory default FortiGate configuration settings
Factory default NAT/Route mode network configuration
When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Ta bl e 3. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network. In Table 3 HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 3: Factory default NAT/Route mode network configuration
Administrator account
Internal interface
WAN1 interface
WAN2 interface
DMZ interface
User name: admin
Password: (none)
IP: 192.168.1.99
Netmask: 255.255.255.0
Management Access: HTTPS, Ping
Addressing Mode: DHCP
Management Access: Ping
IP: 192.168.101.99
Netmask: 255.255.255.0
Management Access: Ping
IP: 10.10.10.1
Netmask: 255.255.255.0
Management Access: HTTPS, Ping
Factory default Transparent mode network configuration
If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Ta bl e 4 .
Table 4: Factory default Transparent mode network configuration
Administrator account
Management IP
DNS
Management access
User name: admin
Password: (none)
IP: 10.10.10.1
Netmask: 255.255.255.0
Primary DNS Server: 207.194.200.1
Secondary DNS Server: 207.194.200.129
Internal HTTPS, Ping
WAN1 Ping
WAN2 Ping
DMZ HTTPS, Ping
FortiGate-60R Installation and Configuration Guide 33
Factory default FortiGate configuration settings Getting started
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Table 5: Factory default firewall configuration
Internal Address
WAN1 Address
DMZ Address
Recurring Schedule
Firewall Policy
Internal_All
WAN1_All
DMZ_All
Always The schedule is valid at all times. This means that
Internal->WAN1 Firewall policy for connections from the internal
Source Internal_All The policy source address. Internal_All means that
Destination WAN1_All The policy destination address. WAN1_All means
Schedule Always The policy schedule. Always means that the policy
Service ANY The policy service. ANY means that this policy
Action ACCEPT The policy action. ACCEPT means that the policy
; NAT NAT is selected for the NAT/Route mode default
Traffic Shaping Traffic shaping is not selected. The policy does not
Authentication Authentication is not selected. Users do not have to
; Antivirus & Web Filter Antivirus & Web Filter is selected.
Content Profile
Log Traffic Log Traffic is not selected. This policy does not
IP: 0.0.0.0 Represents all of the IP addresses on the internal Mask: 0.0.0.0 IP: 0.0.0.0 Represents all of the IP addresses on the network Mask: 0.0.0.0 IP: 0.0.0.0 Represents all of the IP addresses on the network Mask: 0.0.0.0
Scan The scan content profile is selected. The policy
network.
connected to the WAN1 interface.
connected to the DMZ interface.
the firewall policy is valid at all times.
network to the external network.
the policy accepts connections from any internal IP address.
that the policy accepts connections with a destination address to any IP address on the external (WAN1) network.
is valid at any time.
processes connections for all services.
allows connections.
policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See “Scan content profile” on
page 36 for more information about the scan
content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy.
record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
34 Fortinet Inc.
Getting started Factory default FortiGate configuration settings
Factory default content profiles
You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for:
Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
Web content filtering for HTTP network traffic
Email filtering for IMAP and POP3 network traffic
Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies. This allows you to customize different types and different levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Table 6: Strict content profile
Options HTTP FTP IMAP POP3 SMTP
Antivirus Scan ;;;;;
File Block ;;;;;
Web URL Block ;
Web Content Block ;
Web Script Filter ;
Web Exempt List ;
Email Block List ;;
Email Exempt List ;;
Email Content Block ;;
Oversized File/Email Block block block block block block
Pass Fragmented Emails 
FortiGate-60R Installation and Configuration Guide 35
Factory default FortiGate configuration settings Getting started
Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Table 7: Scan content profile
Options HTTP FTP IMAP POP3 SMTP
Antivirus Scan ;;;;;
File Block 
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List 
Email Exempt List 
Email Content Block 
Oversized File/Email Block pass pass pass pass pass
Pass Fragmented Emails 
Web content profile
Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 8: Web content profile
Options HTTP FTP IMAP POP3 SMTP
Antivirus Scan ;
File Block 
Web URL Block ;
Web Content Block ;
Web Script Filter
Web Exempt List
Email Block List 
Email Exempt List 
Email Content Block 
Oversized File/Email Block pass pass pass pass pass
Pass Fragmented Emails 
36 Fortinet Inc.
Getting started Planning your FortiGate configuration
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 9: Unfiltered content profile
Options HTTP FTP IMAP POP3 SMTP
Antivirus Scan 
File Block 
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List ;
Email Block List 
Email Exempt List ;;
Email Content Block 
Oversized File/Email Block pass pass pass pass pass
Pass Fragmented Emails ;;;
Planning your FortiGate configuration
Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces.
Your configuration plan is dependent upon the operating mode that you select. The FortiGate unit can be configured in either of two modes: NAT/Route mode (the default) or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
WAN1 is the default interface to the external network (usually the Internet).
WAN2 is the redundant interface to the external network.
Internal is the interface to the internal network.
DMZ is the interface to the DMZ network.
You must configure routing to support the redundant WAN1 and WAN2 internet connections. Routing can be used to automatically re-direct connections from an interface if its connection to the external network fails.
FortiGate-60R Installation and Configuration Guide 37
Planning your FortiGate configuration Getting started
You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode. Security policies control the flow of traffic based on each packet’s source address, destination address and service. In NAT mode, the FortiGate performs network address translation before the packet is sent to the destination network. In route mode, no translation takes place.
By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured more security policies.
You would typically use NAT/Route mode when the FortiGate unit is used as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.
Figure 4: Example NAT/Route mode network configuration
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewalling as well as antivirus and content scanning but not VPN.
38 Fortinet Inc.
Getting started Planning your FortiGate configuration
Figure 5: Example Transparent mode network configuration
You can connect up to four network segments to the FortiGate unit to control traffic between these network segments.
WAN1 can connect to the external firewall or router.
Internal can connect to the internal network.
DMZ and WAN2 can connect to other network segments.
Configuration options
Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit.
You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Setup Wizard
If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the Setup Wizard prompts you to add the administration password and the internal interface address. The Setup Wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the WAN1 interface. Using the wizard, you can also add DNS server IP addresses and a default route for the WAN1 interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.
If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the Setup Wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. You can also use the CLI to configure the WAN1 interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the WAN1 interface.
FortiGate-60R Installation and Configuration Guide 39
FortiGate model maximum values matrix Getting started
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network.
If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode, Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.
FortiGate model maximum values matrix
Table 10: FortiGate maximum values matrix
FortiGate model
50 60 100 200 300 400 500 1000 2000 3000 3600
Policy 200 500 1000 2000 5000 5000 20000 50000 50000 50000 50000
Address 500 500 500 500 3000 3000 6000 10000 10000 10000 10000
Address group 500 500 500 500 500 500 500 500 500 500 500
Service 500 500 500 500 500 500 500 500 500 500 500
Service group 500 500 500 500 500 500 500 500 500 500 500
Recurring schedule 256 256 256 256 256 256 256 256 256 256 256
Onetime schedule 256 256 256 256 256 256 256 256 256 256 256
User 20 500 1000 1000 1000 1000 1000 1000 1000 1000 1000
User group 100 100 100 100 100 100 100 100 100 100 100
Group members 300 300 300 300 300 300 300 300 300 300 300
Virtual IPs 500 500 500 500 500 500 500 500 500 500 500
IP/MAC binding 50 100 1000 1000 2000 2000 2000 5000 5000 5000 5000
Route 500 500 500 500 500 500 500 500 500 500 500
Policy route gateway 500 500 500 500 500 500 500 500 500 500 500
Admin user 500 500 500 500 500 500 500 500 500 500 500
IPsec Phase 1 20 50 80 200 1500 1500 3000 5000 5000 5000 5000
VPN concentrator 500 500 500 500 500 500 500 500 500 500 500
VLAN subinterface N/A N/A N/A N/A N/A 1024* 1024* 2048* 2048* 8192* 8192*
Zone N/A N/A N/A N/A N/A 100 100 200 200 300 500
IP pool 50 50 50 50 50 50 50 50 50 50 50
RADIUS server 66666666666
File pattern 56 56 56 56 56 56 56 56 56 56 56
PPTP user 500 500 500 500 500 500 500 500 500 500 500
L2TP user 500 500 500 500 500 500 500 500 500 500 500
URL block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Content block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Exempt URL no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
40 Fortinet Inc.
Getting started Next steps
Next steps
Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks:
If you are going to operate the FortiGate unit in NAT/Route mode, go to
“NAT/Route mode installation” on page 43.
If you are going to operate the FortiGate unit in Transparent mode, go to
“Transparent mode installation” on page 59.
FortiGate-60R Installation and Configuration Guide 41
Next steps Getting started
42 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
NAT/Route mode installation
This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on
page 59.
This chapter describes:
Installing the FortiGate unit using the default configuration
Preparing to configure NAT/Route mode
Using the setup wizard
Using the command line interface
Connecting the FortiGate unit to your networks
Configuring your networks
Completing the configuration
Configuration example: Multiple connections to the Internet
Installing the FortiGate unit using the default configuration
Depending on your requirements, you may be able to deploy the FortiGate unit without changing its factory default configuration. If the factory default settings in
Ta bl e 11 are compatible with your requirements, all you need to do is configure your
internal network and then connect the FortiGate unit.
Table 11: FortiGate unit factory default configuration
Operating Mode NAT/Route mode.
Firewall Policy One NAT mode policy that allows users on the internal network to access
WAN1 interface The WAN1 interface receives its IP address by DHCP from your Internet
DHCP Server on internal network
any Internet service. No other traffic is allowed. All web and email traffic is scanned for viruses.
Service Provider (ISP).
The FortiGate unit functions as a DHCP server for your internal network. If you configure the computers on your internal network to obtain an IP address automatically using DHCP, the FortiGate unit automatically sets the IP addresses of the computers in this range:
Starting IP: 192.168.1.1 Ending IP: 192.168.1.254 One IP address is reserved for the FortiGate internal interface:
192.168.1.99.
FortiGate-60R Installation and Configuration Guide 43
Preparing to configure NAT/Route mode NAT/Route mode installation
To use the factory default configuration, follow these steps to install the FortiGate unit:
1 Configure the TCP/IP settings of the computers on your internal network to obtain an
IP address automatically using DHCP. Refer to your computer documentation for assistance.
2 Complete the procedure in the section “Connecting the FortiGate unit to your
networks” on page 48.
Changing the default configuration
You can use the procedures in this chapter to change the default configuration. For example, if your ISP assigns IP addresses using PPPoE instead of DHCP, you only need to change the configuration of the WAN1 interface. Use the information in the rest of this chapter to change the default configuration as required.
Preparing to configure NAT/Route mode
Use Tab le 12 to gather the information that you need to customize NAT/Route mode settings.
Table 12: NAT/Route mode settings
Administrator password:
Internal interface
WAN1 interface
WAN2 interface
Internal servers
If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.
IP: _____._____._____._____ Netmask: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ Default Gateway: _____._____._____._____ Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____ IP: _____._____._____._____ Netmask: _____._____._____._____ Web Server: _____._____._____._____ SMTP Server: _____._____._____._____ POP3 Server: _____._____._____._____ IMAP Server: _____._____._____._____ FTP Server: _____._____._____._____
44 Fortinet Inc.
NAT/Route mode installation Preparing to configure NAT/Route mode
Advanced NAT/Route mode settings
Use Tab le 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Table 13: Advanced FortiGate NAT/Route mode settings
WAN1 interface
WAN2 interface
DHCP server
DHCP:
PPPoE:
If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.
DHCP:
PPPoE:
If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.
The FortiGate unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
User name:
Password:
If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
User name:
Password:
Starting IP: _____._____._____._____ Ending IP: _____._____._____._____ Netmask: _____._____._____._____ Default Route: _____._____._____._____ DNS IP: _____._____._____._____
DMZ interface
Use Tab le 14 to record the IP address and netmask of the FortiGate DMZ interface if you are configuring it during installation.
.
Table 14: DMZ interface (Optional)
DMZ IP: _____._____._____._____ Netmask: _____._____._____._____
FortiGate-60R Installation and Configuration Guide 45
Using the setup wizard NAT/Route mode installation
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see
“Connecting to the web-based manager” on page 30.
Starting the setup wizard
1 Select Easy Setup Wizard (the middle button in the upper-right corner of the
web-based manager).
2 Use the information that you gathered in Table 12 on page 44 to fill in the wizard fields.
Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds
port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network the FortiGate unit adds a WAN1->Internal policy. For each server located on your DMZ network, the FortiGate unit adds a WAN1->DMZ policy.
Reconnecting to the web-based manager
If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using a new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your FortiGate unit, and you can proceed to “Connecting the FortiGate unit to your networks” on page 48.
Using the command line interface
As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the
command line interface (CLI)” on page 31.
Configuring the FortiGate unit to operate in NAT/Route mode
Use the information that you gathered in Table 12 on page 44 to complete the following procedures.
Configuring NAT/Route mode IP addresses
1 Log into the CLI if you are not already logged in.
2 Set the IP address and netmask of the internal interface to the internal IP address and
netmask that you recorded in Table 12 on page 44. Enter:
set system interface internal mode static ip <IP address> <netmask>
Example
set system interface internal mode static ip 192.168.1.1
255.255.255.0
46 Fortinet Inc.
NAT/Route mode installation Using the command line interface
3 Set the IP address and netmask of the WAN1 interface to the IP address and netmask
that you recorded in Table 12 on page 44. To set the manual IP address and netmask, enter:
set system interface wan1 mode static ip <IP address> <netmask>
Example
set system interface wan1 mode
static
ip 204.23.1.5 255.255.255.0
To set the WAN1 interface to use DHCP, enter:
set system interface wan1 mode dhcp connection enable
To set the WAN1 interface to use PPPoE, enter:
set system interface wan1 mode pppoe password
<password>
connection
enable
username
<user name>
Example
set system interface wan1 mode pppoe username user@domain.com password mypass connection enable
4 Optionally set the IP address and netmask of the WAN2 interface to the IP address
and netmask that you recorded in Table 12 on page 44. To set the manual IP address and netmask, enter:
set system interface wan2 mode static ip <IP address> <netmask>
Example
set system interface wan2 mode
static
ip 34.3.21.35 255.255.255.0
To set the WAN2 interface to use DHCP, enter:
set system interface wan2 mode dhcp connection enable
To set the WAN2 interface to use PPPoE, enter:
set system interface wan2 mode pppoe password
<password>
connection
enable
username
<user name>
Example
set system interface wan2 mode pppoe username user@domain.com password mypass connection enable
5 Optionally set the IP address and netmask of the DMZ interface to the DMZ IP
address and netmask that you recorded in Table 14 on page 45. Enter:
set system interface dmz mode static ip <IP address> <netmask>
Example
set system interface dmz mode static ip 10.10.10.2
255.255.255.0
6 Confirm that the addresses are correct. Enter:
get system interface
The CLI lists the IP address, netmask and other settings for each of the FortiGate interfaces.
7 Set the primary DNS server IP addresses. Enter
set system dns primary <IP address>
Example
set system dns primary 293.44.75.21
FortiGate-60R Installation and Configuration Guide 47
Connecting the FortiGate unit to your networks NAT/Route mode installation
8 Optionally, set the secondary DNS server IP addresses. Enter
set system dns secondary <IP address>
Example
set system dns secondary 293.44.75.22
9 Set the default route to the Default Gateway IP address (not required for DHCP and
PPPoE).
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2
Connecting the FortiGate unit to your networks
When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
There are seven 10/100 BaseTX connectors on the back of the FortiGate-60 unit:
Four Internal ports for connecting to your internal network,
One WAN1 port for connecting to your public switch or router and the Internet,
One WAN 2 port for connecting to a second public switch or router and the Internet for a redundant Internet connection,
One DMZ port for connecting to a DMZ network.
Note: You can also connect the WAN1 and WAN2 interfaces to different Internet connections to provide a redundant connection to the Internet.
To connect the FortiGate unit:
1 Connect the Internal interface connectors to PCs and other network devices in your
internal network. The Internal interface functions as a switch, allowing up to four devices to be
connected to the internal network and the internal interface.
2 Connect the WAN1 interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the WAN2 interface to the Internet.
Connect to the public switch or router, usually provided by a different Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN2 interface to the internal or LAN connection of your DSL or cable modem.
4 Optionally, connect the DMZ interface to your DMZ network.
You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.
48 Fortinet Inc.
NAT/Route mode installation Configuring your networks
Figure 6: FortiGate-60 NAT/Route mode connections
Configuring your networks
If you are operating the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface. For your DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the FortiGate DMZ interface. For the external network, route all packets to the FortiGate WAN1 or WAN 2 interface.
If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.
FortiGate-60R Installation and Configuration Guide 49
Completing the configuration NAT/Route mode installation
Completing the configuration
Use the information in this section to complete the initial configuration of the FortiGate unit.
Configuring the DMZ interface
If you are planning to configure a DMZ network, you might want to change the IP address of the DMZ interface. Use the following procedure to configure the DMZ interface using the web-based manager.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the dmz interface, select Modify .
4 Change the IP address and Netmask as required.
5 Select Apply.
Configuring the WAN2 interface
If you are planning to configure a second internet connection using the WAN2 interface, you might want to change the IP address of the WAN2 interface. Use the following procedure to configure the WAN2 interface using the web-based manager.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the wan2 interface, select Modify .
4 Change the IP address and Netmask as required.
5 Select Apply.
Setting the date and time
For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiGate system date and time, see “Setting system date and time” on
page 127.
Changing antivirus protection
By default, the FortiGate unit scans all web and email content for viruses. You can use the following procedure to change the antivirus configuration. To change the antivirus configuration:
1 Go to Firewall > Policy > Internal->WAN1.
2 Select Edit to edit this policy.
3 For Anti-Virus & Web Filter you can select a different Content Profile.
See “Factory default content profiles” on page 35 for descriptions of the default content profiles.
50 Fortinet Inc.
NAT/Route mode installation Configuration example: Multiple connections to the Internet
4 Select OK to save your changes.
You can also add you own content profiles. See “Adding a content profile” on
page 168.
Registering your FortiGate
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate units” on page 99.
Configuring virus and attack definition updates
You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate WAN1 interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack
definitions” on page 89.
Configuration example: Multiple connections to the Internet
This section describes some basic routing and firewall policy configuration examples for a FortiGate unit with multiple connections to the Internet (see Figure 7). In this topology, the organization operating the FortiGate unit uses two Internet service providers to connect to the Internet. The FortiGate unit is connected to the Internet using the WAN1 and WAN2 interfaces. The WAN1 interface connects to gateway 1, operated by ISP1 and the WAN2 interface connects to gateway 2, operated by ISP2.
By adding ping servers to interfaces, and by configuring routing you can control how traffic uses each Internet connection. With this routing configuration is place you can proceed to create firewall policies to support multiple internet connections.
This section provides some examples of routing and firewall configurations to configure the FortiGate unit for multiple internet connections. To use the information in this section you should be familiar with FortiGate routing (see “Configuring routing” on
page 113) and FortiGate firewall configuration (see “Firewall configuration” on page 139).
FortiGate-60R Installation and Configuration Guide 51
Configuration example: Multiple connections to the Internet NAT/Route mode installation
The examples below show how to configure destination-based routing and policy routing to control different traffic patterns.
Configuring Ping servers
Destination based routing examples
Policy routing examples
Firewall policy example
Figure 7: Example multiple Internet connection configuration
Configuring Ping servers
Use the following procedure to make Gateway 1 the ping server for the WAN1 interface and Gateway 2 the ping server for the WAN2 interface.
1 Go to System > Network > Interface.
52 Fortinet Inc.
NAT/Route mode installation Configuration example: Multiple connections to the Internet
2 For the WAN1 interface, select Modify .
Ping Server: 1.1.1.1
Select Enable Ping Server
•Select OK
3 For the WAN2 interface, select Modify .
Ping Server: 2.2.2.1
Select Enable Ping Server
•Select OK
Using the CLI
1 Add a ping server to the WAN1 interface.
set system interface wan1 config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to the WAN2 interface.
set system interface wan2 config detectserver 2.2.2.1 gwdetect enable
Destination based routing examples
This section describes the following destination-based routing examples:
Primary and backup links to the Internet
Load sharing
Load sharing and primary and secondary connections
Primary and backup links to the Internet
Use the following procedure to add a default destination-based route that directs all outgoing traffic to Gateway 1. If Gateway 1 fails, all connections are re-directed to Gateway 2. Gateway 1 is the primary link to the Internet and Gateway 2 is the backup link.
1 Go to System > Network > Routing Table.
2 Select New.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: wan1
Device #2: wan2
•Select OK.
Using the CLI
1 Add the route to the routing table.
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
FortiGate-60R Installation and Configuration Guide 53
Configuration example: Multiple connections to the Internet NAT/Route mode installation
Table 15: Route for primary and backup links
Destination IP‘ Mask Gateway #1 Device #1 Gateway #2 Device #2
0.0.0.0 0.0.0.0 1.1.1.1 wan1 2.2.2.1 wan2
Load sharing
You can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.
Table 16: Load sharing routes
Destination IP‘ Mask Gateway #1 Device #1 Gateway #2 Device #2
100.100.100.0 255.255.255.0 1.1.1.1 wan1 2.2.2.1 wan2
200.200.200.0 255.255.255.0 2.2.2.1 wan2 1.1.1.1 wan1
The first route directs all traffic destined for the 100.100.100.0 network to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is re-directed to gateway 2 with the IP address 2.2.2.1.
Load sharing and primary and secondary connections
You can combine these routes into a more complete multiple internet connection configuration. In the topology shown in Figure 7 on page 52, users on the Internal network would connect to the Internet to access web pages and other Internet resources. However, they may also connect to services, such as email, provided by their ISPs. You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet, while at the same time routing traffic to each ISP network as required.
The routing described below allows a user on the internal network to connect to the Internet through gateway 1 and ISP1. At the same time, this user can also connect through the DMZ interface to gateway 2 to access a mail server maintained by ISP2.
Adding the routes using the web-based manager
1 Go to System > Network > Routing Table.
2 Select New to add the default route for primary and backup links to the Internet.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: wan1
Device #2: wan2
•Select OK.
54 Fortinet Inc.
NAT/Route mode installation Configuration example: Multiple connections to the Internet
3 Select New to add a route for connections to the network of ISP1.
Destination IP: 100.100.100.0
Mask: 255.255.255.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: wan1
Device #2: wan2
4 Select New to add a route for connections to the network of ISP2.
Destination IP: 200.200.200.0
Mask: 255.255.255.0
Gateway #1: 2.2.2.1
Gateway #2: 1.1.1.1
Device #1: wan1
Device #2: wan2
•Select OK.
5 Change the order of the routes in the routing table to move the default route below the
other two routes.
For the default route select Move to .
Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3.
•Select OK.
Adding the routes using the CLI
1 Add the route for connections to the network of ISP2.
set system route number 1 dst 100.100.100.0 255.255.255.0 gw1
1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
1 Add the route for connections to the network of ISP1.
set system route number 2 dst 200.200.200.0 255.255.255.0 gw1
2.2.2.1 dev1 wan2 gw2 1.1.1.1 dev2 wan1
2 Add the default route for primary and backup links to the Internet.
set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
The routing table should have routes arranged as shown in Tab le 1 7.
Table 17: Example combined routing table
Destination IP‘ Mask Gateway #1 Device #1 Gateway #2 Device #2
100.100.100.0 255.255.255.0 1.1.1.1 wan1 2.2.2.1 wan2
200.200.200.0 255.255.255.0 2.2.2.1 wan2 1.1.1.1 wan1
0.0.0.0 0.0.0.0 1.1.1.1 wan1 2.2.2.1 wan2
FortiGate-60R Installation and Configuration Guide 55
Configuration example: Multiple connections to the Internet NAT/Route mode installation
Policy routing examples
Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to increase the control provided by destination-based routing.
For example, if you have used destination-based routing to configure routing for dual internet connections, you can use policy routing to apply more control to which traffic is sent to which destination route. This section describes the following policy routing examples, based on topology similar to that shown in Figure 7 on page 52. Differences are noted in each example.
The policy routes described in these examples only work if you have already defined destination routes similar to those described in the previous section.
Routing traffic from internal subnets to different external networks
Routing a service to an external network
For more information about policy routing, see “Policy routing” on page 116.
Routing traffic from internal subnets to different external networks
If the FortiGate unit provides internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and
192.168.20.0 you can enter the following policy routes:
1 Enter the following command to route traffic from the 192.168.10.0 subnet to the
100.100.100.0 external network:
set system route policy 1 src 192.168.10.0 255.255.255.0 dst
100.100.100.0 255.255.255.0 gw 1.1.1.1
2 Enter the following command to route traffic from the 192.168.20.0 subnet to the
200.200.200.0 external network:
set system route policy 2 src 192.168.20.0 255.255.255.0 dst
200.200.200.0 255.255.255.0 gw 2.2.2.1
Routing a service to an external network
You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.
1 Enter the following command to route all HTTP traffic using port 80 to the next hop
gateway with IP address 1.1.1.1.
set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0
0.0.0.0 protocol 6 port 1 1000 gw 1.1.1.1
2 Enter the following command to route all other traffic to the next hop gateway with IP
address 2.2.2.1.
Set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0
0.0.0.0 gw 2.2.2.1
56 Fortinet Inc.
NAT/Route mode installation Configuration example: Multiple connections to the Internet
Firewall policy example
Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.
For traffic originating on the Internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which internet connection is actually used.
Adding a redundant default policy
Figure 7 on page 52 shows a FortiGate unit connected to the Internet using its internal
and DMZ interfaces. The default policy allows all traffic from the internal network to connect to the Internet through the WAN1 interface. If you add a similar policy to the internal to WAN2 policy list, this policy will allow all traffic from the internal network to connect to the Internet through the WAN2 interface. With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see “Default firewall configuration” on page 140.
To add a redundant default policy
1 Go to Firewall > Policy > Int->WAN2.
2 Select New.
3 Configure the policy to match the default policy.
Source Internal_All
Destination WAN2_All
Schedule Always
Service ANY
Action Accept
NAT Select NAT.
4 Select OK to save your changes.
Adding more firewall policies
In most cases your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex. To configure the FortiGate unit to use multiple Internet connections you must add duplicate policies for connections between the internal network and both interfaces connected to the Internet. As well, as you add redundant policies, you must arrange them in both policy lists in the same order.
FortiGate-60R Installation and Configuration Guide 57
Configuration example: Multiple connections to the Internet NAT/Route mode installation
Restricting access to a single Internet connection
In some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 7 on page 52 the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1. To do this, you add a single Internal->WAN1 firewall policy for SMTP connections. Because redundant policies have not been added, SMTP traffic from the Internet network is always connected to ISP1. If the connection to ISP1 fails the SMTP connection is not available.
58 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
Transparent mode installation
This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode
installation” on page 43.
This chapter describes:
Preparing to configure Transparent mode
Using the setup wizard
Using the command line interface
Connecting the FortiGate unit to your networks
Completing the configuration
Transparent mode configuration examples
Preparing to configure Transparent mode
Use Ta bl e 1 8 to gather the information that you need to customize Transparent mode settings.
Table 18: Transparent mode settings
Administrator Password:
IP: _____._____._____._____ Netmask: _____._____._____._____
Management IP
The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
DNS Settings
Default Gateway: _____._____._____._____
Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____
FortiGate-60R Installation and Configuration Guide 59
Using the setup wizard Transparent mode installation
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see
“Connecting to the web-based manager” on page 30.
Changing to Transparent mode
The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK.
The FortiGate unit changes to Transparent mode.
To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiGate Transparent mode management IP address is 10.10.10.1.
Starting the setup wizard
1 Select Easy Setup Wizard (the middle button in upper-right corner of the web-based
manager).
2 Use the information that you gathered in Table 18 on page 59 to fill in the wizard fields.
Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.
Reconnecting to the web-based manager
If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
60 Fortinet Inc.
Transparent mode installation Using the command line interface
Using the command line interface
As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command
line interface (CLI)” on page 31. Use the information that you gathered in Table 18 on page 59 to complete the following procedures.
Changing to Transparent mode
1 Log into the CLI if you are not already logged in.
2 Switch to Transparent mode. Enter:
set system opmode transparent
After a few seconds, the login prompt appears.
3 Type admin and press Enter.
The following prompt appears:
Type ? for a list of commands.
4 Confirm that the FortiGate unit has switched to Transparent mode. Enter:
get system status
The CLI displays the status of the FortiGate unit. The last line shows the current operation mode.
Operation mode: Transparent
Configuring the Transparent mode management IP address
1 Log into the CLI if you are not already logged in.
2 Set the management IP address and netmask to the IP address and netmask that you
recorded in Table 18 on page 59. Enter:
set system management ip <IP address> <netmask>
Example
set system management ip 10.10.10.2 255.255.255.0
3 Confirm that the address is correct. Enter:
get system management
The CLI lists the management IP address and netmask.
Configure the Transparent mode default gateway
1 Log into the CLI if you are not already logged in.
2 Set the default route to the default gateway that you recorded in Table 18 on page 59.
Enter:
set system route number <number> gateway <IP address>
Example
set system route
You have now completed the initial configuration of the FortiGate unit.
number 1 gw1
204.23.1.2
FortiGate-60R Installation and Configuration Guide 61
Connecting the FortiGate unit to your networks Transparent mode installation
Connecting the FortiGate unit to your networks
When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet using the Internal and WAN1 interfaces. You can also connect networks to the DMZ interface and the WAN2 interface.
There are seven 10/100Base-TX connectors on the FortiGate-60:
Four Internal ports for connecting to your internal network,
WAN1 for connecting to the Internet,
DMZ and WAN2 which can be connected to networks.
To connect the FortiGate unit running in Transparent mode:
1 Connect the Internal interface connectors to PCs and other network devices in your
internal network. The Internal interface functions as a switch, allowing up to four devices to be
connected to the internal network and the internal interface.
2 Connect the WAN1 interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the WAN2 and DMZ interfaces to other networks.
Figure 8: FortiGate-60 Transparent mode connections
62 Fortinet Inc.
Transparent mode installation Completing the configuration
In Transparent mode, the FortiGate unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution.
A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic.
Completing the configuration
Use the information in this section to complete the initial configuration of the FortiGate unit.
Setting the date and time
For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the date and time or you can configure the FortiGate unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiGate system date and time, see “Setting system date and time” on
page 127.
Enabling antivirus protection
To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1 Go to Firewall > Policy > Internal->WAN1.
2 Select Edit to edit this policy.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save your changes.
Registering your FortiGate
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate units” on page 99.
FortiGate-60R Installation and Configuration Guide 63
Transparent mode configuration examples Transparent mode installation
Configuring virus and attack definition updates
You can configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate WAN1 interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack
definitions” on page 89.
Transparent mode configuration examples
A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and definitions updates. Also, the unit must have sufficient route information to reach:
the management computer,
The FortiResponse Distribution Network (FDN),
a DNS server.
A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
This section describes:
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination
Default routes and static routes
To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router (otherwise known as the default gateway). A static route matches a more specific prefix and forwards traffic to the next hop router.
Default route example:
IP Prefix 0.0.0.0 (IP address)
0.0.0.0 (Netmask)
Next Hop 192.168.1.2
64 Fortinet Inc.
Transparent mode installation Transparent mode configuration examples
Static Route example:
IP Prefix 172.100.100.0 (IP address)
255.255.255.0 (Netmask)
Next Hop 192.168.1.2
Note: When adding routes to the FortiGate unit, add the default route last so that it
appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.
Example default route to an external network
Figure 9 shows a FortiGate unit where all destinations, including the management
computer, are located on the external network. To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
Figure 9: Default route to an external network
FortiGate-60R Installation and Configuration Guide 65
Transparent mode configuration examples Transparent mode installation
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the default route to the external network.
Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
•Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the default route to the external network. Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
•Select OK.
CLI configuration steps
To configure the Fortinet basic settings and a default route using the CLI:
1 Change the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the default route to the external network.
set system route number 1 gw1 192.168.1.2
Example static route to an external destination
Figure 10 shows a FortiGate unit that requires routes to the FDN located on the
external network. The Fortigate unit does not require routes to the DNS servers or management computer because they are located on the internal network.
66 Fortinet Inc.
Transparent mode installation Transparent mode configuration examples
To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network. If the static route becomes unavailable (perhaps because the IP address of the FortiResponse server changes) the FortiGate unit will still be able to receive antivirus and NIDS updates from the FDN using the default route.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 10: Static route to an external destination
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the FortiResponse server.
4 Configure the default route to the external network.
FortiGate-60R Installation and Configuration Guide 67
Transparent mode configuration examples Transparent mode installation
Web-based manager example configuration steps
To configure the basic FortiGate settings and a static route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
•Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the static route to the FortiResponse server. Destination IP: 24.102.233.5 Mask: 255.255.255.0 Gateway: 192.168.1.2
•Select OK.
Select New to add the default route to the external network. Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
•Select OK.
CLI configuration steps
To configure the Fortinet basic settings and a static route using the CLI:
1 Set the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the primary FortiResponse server.
set system route number 1 dst 24.102.233.5 255.255.255.0 gw1
192.168.1.2
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2
68 Fortinet Inc.
Transparent mode installation Transparent mode configuration examples
Example static route to an internal destination
Figure 11 shows a FortiGate unit where the FDN is located on an external subnet and
the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. (No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit.)
Figure 11: Static route to an internal destination
General configuration steps
1 Set the unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 Configure the static route to the management computer on the internal network. 4 Configure the default route to the external network.
FortiGate-60R Installation and Configuration Guide 69
Transparent mode configuration examples Transparent mode installation
Web-based manager example configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
Select Change to Transparent Mode.
Select Transparent in the Operation Mode list.
•Select OK. The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
Select Apply.
3 Go to System > Network > Routing.
Select New to add the static route to the management computer. Destination IP: 172.16.1.11 Mask: 255.255.255.0 Gateway: 192.168.1.3
•Select OK.
Select New to add the default route to the external network. Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
•Select OK.
CLI configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the CLI:
1 Set the system to operate in Transparent Mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the management computer.
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1
192.168.1.3
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2
70 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
System status
You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
If you have logged into the web-based manager using the admin administrator account, you can use System Status to make any of the following changes to the FortiGate system settings:
Changing the FortiGate host name
Changing the FortiGate firmware
Manual virus definition updates
Manual attack definition updates
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiGate unit
Shutting down the FortiGate unit
If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings including:
Displaying the FortiGate serial number
Displaying the FortiGate up time
All administrative users can also go to System > Status > Monitor and view FortiGate system status. System status displays FortiGate health monitoring information including CPU and memory status, Session and network status.
System status
All administrative users can also go to System > Status > Session and view the active communication sessions to and through the FortiGate unit.
Session list
FortiGate-60R Installation and Configuration Guide 71
Changing the FortiGate host name System status
Changing the FortiGate host name
The FortiGate host name appears on the System > Status page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see
“Configuring SNMP” on page 132).
The default host name is FortiGate-60.
To change the FortiGate host name:
1 Go to System > Status.
2 Select Edit Host Name .
3 Enter a new host name.
4 Select OK.
The new host name appears on the System Status page and is added to the SNMP System Name.
Changing the FortiGate firmware
After you download a FortiGate firmware image from Fortinet, you can use the procedures in Tab le 1 to install the firmware image on your FortiGate unit.
Table 1: Firmware upgrade procedures
Procedure Description
Upgrade to a new firmware version
Revert to a previous firmware version
Install a firmware image from a system reboot using the CLI
Test a new firmware image before installing it
Commonly-used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts your FortiGate unit to its factory default configuration.
Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiGate console port and a null­modem cable. This procedure reverts your FortiGate unit to its factory default configuration.
Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.
72 Fortinet Inc.
System status Changing the FortiGate firmware
Upgrade to a new firmware version
Use the following procedures to upgrade your FortiGate to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces your current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on
page 93 to make sure that antivirus and attack definitions are up-to-date.
1 Copy the firmware image file to your management computer.
2 Login to the FortiGate web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade .
5 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Login to the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware
upgrade has been installed successfully.
9 Use the procedure “Manually updating antivirus and attack definitions” on page 93 to
update antivirus and attack definitions.
Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on
page 93 to make sure that antivirus and attack definitions are up-to-date. You can also use the
CLI command definitions.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
execute updatecenter updatenow to update the antivirus and attack
FortiGate-60R Installation and Configuration Guide 73
Changing the FortiGate firmware System status
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate:
execute restore image <name_str> <tftp_ip> Where <name_str> is the name of the firmware image file on the TFTP server and
<tftp_ip> is the IP address of the TFTP server. For example, if the firmware image
file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out
192.168.1.168
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
6 Reconnect to the CLI.
7 To confirm that the new firmware image has been loaded, enter:
get system status
8 Use the procedure “Manually updating antivirus and attack definitions” on page 93 to
update antivirus and attack definitions, or from the CLI, enter:
execute updatecenter updatenow
9 To confirm that the antivirus and attack definitions have been updated, enter the
following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
get system objver
Revert to a previous firmware version
Use the following procedures to revert your FortiGate unit to a previous firmware version.
Reverting to a previous firmware version using the web-based manager
The following procedures return your FortiGate unit to its factory default configuration and delete NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before running this procedure you can:
Backup the FortiGate unit configuration, use the procedure “Backing up system
settings” on page 82.
Backup the NIDS user defined signatures, see the FortiGate NIDS Guide
Backup web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
1 Copy the firmware image file to your management computer.
2 Login to the FortiGate web-based manager as the admin administrative user.
74 Fortinet Inc.
System status Changing the FortiGate firmware
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on
page 93 to make sure that antivirus and attack definitions are up-to-date.
3 Go to System > Status.
4 Select Firmware Upgrade .
5 Enter the path and filename of the previous firmware image file, or select Browse and
locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Login to the web-based manager.
For information about logging into the web-based manager when the FortiGate unit is set to factory defaults, see “Connecting to the web-based manager” on page 30.
8 Go to System > Status and check the Firmware Version to confirm that the firmware
has been installed successfully.
9 Restore your configuration.
See “Restoring system settings” on page 83 to restore your previous configuration.
10 Use the procedure “Manually updating antivirus and attack definitions” on page 93 to
update antivirus and attack definitions.
Reverting to a previous firmware version using the CLI
This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before running this procedure you can:
Backup the FortiGate unit configuration using the command execute backup config.
Backup the NIDS user defined signatures using the command execute backup
nidsuserdefsig
Backup web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on
page 93 to make sure that antivirus and attack definitions are up-to-date. You can also use the
CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
FortiGate-60R Installation and Configuration Guide 75
Changing the FortiGate firmware System status
To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Login to the FortiGate CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ip> Where <name_str> is the name of the firmware image file on the TFTP server and
<tftp_ip> is the IP address of the TFTP server. For example, if the firmware image
file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out
192.168.1.168
The FortiGate unit uploads the firmware image file. Once the file has been uploaded a message similar to the following is displayed:
Get image from tftp server OK. This operation will downgarde the current firmware version! Do you want to continue? (y/n)
6 Type Y
7 The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
For information about logging into the web-based manager when the FortiGate unit is set to factory defaults, see “Connecting to the command line interface (CLI)” on
page 31.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 Restore your previous configuration. Use the following command:
execute restore config
11 Use the procedure “Manually updating antivirus and attack definitions” on page 93 to
update antivirus and attack definitions, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attack definitions have been updated, enter the
following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
get system objver
76 Fortinet Inc.
System status Changing the FortiGate firmware
Install a firmware image from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or to re-install the current firmware.
Note: There are a few variations on this procedure for different FortiGate BIOS versions. These variations are explained in the procedure steps that are affected. The version of the BIOS running on your FortiGate unit is displayed when you restart the FortiGate unit while accessing the CLI by connecting to the FortiGate console port using a null-modem cable.
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before running this procedure you can:
Backup the FortiGate unit configuration, use the procedure “Backing up system
settings” on page 82.
Backup the NIDS user defined signatures, see the FortiGate NIDS Guide
Backup web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure “Manually updating antivirus and attack definitions” on
page 93 to make sure that antivirus and attack definitions are up-to-date.
To install firmware from a system reboot
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168
FortiGate-60R Installation and Configuration Guide 77
Changing the FortiGate firmware System status
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate units starts, a series of system startup messages are displayed. When one of the following messages appears:
FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image. ...
FortiGate unit running v3.x BIOS
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.
I
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the
execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 8.
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options.
Enter G,F,B,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is only used to download the firmware image. After the firmware is
installed the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
78 Fortinet Inc.
System status Changing the FortiGate firmware
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type Y.
FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R] Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]
Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring your previous configuration
You can then restore your previous configuration. Begin by changing the interface addresses if required. You can do this from the CLI using the command:
set system interface
After changing the interface addresses, you can access the FortiGate unit from the web-based manager and restore your configuration.
To restore your FortiGate unit configuration, see “Restoring system settings” on
page 83. To restore NIDS user defined signatures, see the FortiGate NIDS Guide. To
restore web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup up configuration file.
11 Update the virus and attack definitions to the most recent version, see “Manually
updating antivirus and attack definitions” on page 93.
Test a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts it will be operating with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrade to a new firmware version” on page 73.
To run this procedure you:
access the CLI by connecting to the FortiGate console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
FortiGate-60R Installation and Configuration Guide 79
Changing the FortiGate firmware System status
To test a new firmware image:
1 Connect to the CLI using a null modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
4 Enter the following command to restart the FortiGate unit:
execute reboot
5 As the FortiGate unit reboots, press any key to interrupt the system startup.
As the FortiGate units starts, a series of system startup messages are displayed. When one of the following messages appears:
FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image. ...
FortiGate unit running v3.x BIOS
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.
I
Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the
execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 8.
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server. [F]: Format boot device. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options.
Enter G,F,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the address of the internal interface of the FortiGate unit and press Enter.
80 Fortinet Inc.
System status Manual virus definition updates
Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type N.
FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
Type R.
The FortiGate image is installed to system memory and the FortiGate starts running the new firmware image but with its current configuration.
11 You can login to the CLI or the web-based manager using any administrative account.
12 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.
Manual virus definition updates
The System > Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Antivirus Definitions. You can use the following procedure to update the antivirus definitions manually.
Note: To configure the FortiGate unit for automatic antivirus definitions updates, see “Virus and
attack definitions updates and registration” on page 89. You can also manually initiate an
antivirus definitions update by going to System > Update and selecting Update Now.
1 Download the latest antivirus definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 To the right of the Antivirus Definitions Version, select Definitions Update .
4 Enter the path and filename for the antivirus definitions update file, or select Browse
and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information
has been updated.
FortiGate-60R Installation and Configuration Guide 81
Manual attack definition updates System status
Manual attack definition updates
The System > Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS). You can use the following procedure to update the attack definitions manually.
Note: To configure the FortiGate unit for automatic attack definitions updates, see “Virus and
attack definitions updates and registration” on page 89. You can also manually initiate an attack
definitions update by going to System > Update and selecting Update Now.
1 Download the latest attack definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 To the right of the Attack Definitions Version, select Definitions Update .
4 Enter the path and filename for the attack definitions update file, or select Browse and
locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Attack Definitions Version information has
been updated.
Displaying the FortiGate serial number
1 Go to System > Status.
The serial number is displayed in the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Displaying the FortiGate up time
1 Go to System > Status.
The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.
Backing up system settings
You can back up system settings by downloading them to a text file on the management computer:
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file.
The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.
82 Fortinet Inc.
System status Restoring system settings
!
Restoring system settings
You can restore system settings by uploading a previously downloaded system settings text file:
1 Go to System > Status.
2 Select System Settings Restore.
3 Enter the path and filename of the system settings file, or select Browse and locate
the file.
4 Select OK to restore the system settings file to the FortiGate unit.
The FortiGate unit restarts, loading the new system settings.
5 Reconnect to the web-based manager and review your configuration to confirm that
the uploaded system settings have taken effect.
Restoring system settings to factory defaults
Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
1 Go to System > Status.
2 Select Restore Factory Defaults.
3 Select OK to confirm.
The FortiGate unit restarts with the configuration that it had when it was first powered on.
4 Reconnect to the web-based manager and review the system configuration to confirm
that it has been reset to the default settings. To restore your system settings, see “Restoring system settings” on page 83.
Changing to Transparent mode
Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode its configuration resets to Transparent mode factory defaults.
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.
FortiGate-60R Installation and Configuration Guide 83
Changing to NAT/Route mode System status
5 To reconnect to the web-based manager, connect to the interface configured for
Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 10.10.10.1.
Changing to NAT/Route mode
Use the following procedure to switch the FortiGate unit from Transparent mode to NAT/Route mode. When the FortiGate unit has changed to NAT/Route mode its configuration resets to NAT/Route mode factory defaults.
1 Go to System > Status.
2 Select Change to NAT Mode.
3 Select NAT/Route in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager you must connect to the interface configured
by default for management access. By default in NAT/Route mode, you can connect to the internal or DMZ interface. The
default Transparent mode management IP address is 192.168.1.99. See “Connecting to the web-based manager” on page 30 or “Connecting to the
command line interface (CLI)” on page 31.
Restarting the FortiGate unit
1 Go to System > Status.
2 Select Restart.
The FortiGate unit restarts.
Shutting down the FortiGate unit
1 Go to System > Status.
2 Select Shutdown.
The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then
on.
84 Fortinet Inc.
System status System status
System status
You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
You can also view current virus and intrusion status. The web-based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours.
In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds. You can also refresh the display manually.
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status
Viewing CPU and memory status
Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
If CPU and memory use is low, the FortiGate unit is able to process much more network traffic than is currently running. If CPU and memory use is high, the FortiGate unit is performing near its full capacity. Placing additional demands on the system could lead to traffic processing delays.
Figure 1: CPU and memory status monitor
CPU and memory intensive processes such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets will increase CPU and memory usage.
FortiGate-60R Installation and Configuration Guide 85
System status System status
1 Go to System > Status > Monitor.
CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the last minute.
2 Set the automatic refresh interval and select Go to control how often the web-based
manager updates the display. More frequent updates use system resources and increase network traffic. However,
this only occurs when you are viewing the display using the web-based manager.
3 Select Refresh to manually update the information displayed.
Viewing sessions and network status
Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is placing on system resources.
Sessions displays the total number of sessions being processed by the FortiGate unit on all interfaces. Sessions also displays the sessions as a percentage of the maximum number of sessions that the FortiGate unit is designed to support.
Network utilization displays the total network bandwidth being used through all FortiGate interfaces. Network utilization also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
1 Go to System > Status > Monitor.
2 Select Sessions & Network.
Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph.
Figure 2: Sessions and network status monitor
86 Fortinet Inc.
System status System status
3 Set the automatic refresh interval and select Go to control how often the web-based
manager updates the display. More frequent updates use system resources and increase network traffic. However,
this only occurs when you are viewing the display using the web-based manager.
4 Select Refresh to manually update the information displayed.
Viewing virus and intrusions status
Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed. The display includes bar graphs of the number viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours.
Figure 3: Sessions and network status monitor
3 Set the automatic refresh interval and select Go to control how often the web-based
manager updates the display. More frequent updates use system resources and increase network traffic. However,
this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
4 Select Refresh to manually update the information displayed.
FortiGate-60R Installation and Configuration Guide 87
Session list System status
Session list
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission, and the FortiGate admin user can also stop active communication sessions.
Viewing the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2 To page through the list of sessions, select Page Up or Page Down .
3 Select Refresh to update the session list.
4 If you have logged in as an administrative user with read and write privileges or as the
admin user, you can select Clear to stop any active session.
Each line of the session list displays the following information:
Protocol The service protocol of the connection, for example, udp, tcp, or icmp. From IP The source IP address of the connection. From Port The source port of the connection. To IP The destination IP address of the connection. To Po r t The destination port of the connection. Expire The time, in seconds, before the connection expires. Clear Stop an active communication session.
Figure 4: Example session list
88 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
Virus and attack definitions updates and registration
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine. You have the following update options:
Request updates from the FDN manually,
Schedule updates to automatically request the latest versions hourly, daily, or weekly
Push updates so that the FDN contacts your FortiGate unit when a new update is available.
To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page.
This chapter describes:
Updating antivirus and attack definitions
Registering FortiGate units
Updating registration information
Registering a FortiGate unit after an RMA
Updating antivirus and attack definitions
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiGate unit supports the following antivirus and attack definition update features:
User-initiated manual updates from the FDN,
Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN,
Push updates from the FDN,
View the update status including version numbers, expiry dates, and update dates and times,
Push updates through a NAT device.
FortiGate-60R Installation and Configuration Guide 89
Updating antivirus and attack definitions Virus and attack definitions updates and registration
The System > Update page web-based manager displays the following antivirus and attack definition update information:
Version Displays the current antivirus engine, virus definition, and attack definition
Expiry date Displays the expiry date of your license for antivirus engine, virus definition,
Last update attempt
Last update status
version numbers.
and attack definition updates.
Displays the date and time on which the FortiGate unit last attempted to download antivirus engine, virus definition, and attack definition updates.
Displays the success or failure of the last update attempt. No updates means the last update attempt was successful but no new updates are available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions.
This section describes:
Connecting to the FortiResponse Distribution Network
Configuring scheduled updates
Configuring update logging
Adding an override server
Manually updating antivirus and attack definitions
Configuring push updates
Push updates through a NAT device
Scheduled updates through a proxy server
Connecting to the FortiResponse Distribution Network
Before the FortiGate unit can receive antivirus and attack updates, it must be able to connect to the FortiResponse Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN. The FortiGate WAN1 interface must have a path to the internet using port 8890. To configure scheduled updates, see
“Configuring scheduled updates” on page 91.
You can also configure the FortiGate unit to allow push updates. Push updates are provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must have a path to the FortiGate WAN1 interface using UDP port 9443. To configure push updates, see “Configuring push updates” on
page 93.
The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs). When your FortiGate unit connects to the FDN it actually connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit. To make sure the FortiGate unit receives updates from the nearest FDS, go to System > Config > Time and make sure you have selected the correct time zone for your area.
90 Fortinet Inc.
Virus and attack definitions updates and registration Updating antivirus and attack definitions
To make sure the FortiGate unit can connect to the FDN:
1 Go to System > Config > Time and make sure the time zone is set to the correct time
zone for your area.
2 Go to System > Update.
3 Select Refresh.
The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Table 1: Connections to the FDN
Connections Status Comments
Available The FortiGate unit can connect to the FDN. You can
Not available The FortiGate unit cannot connect to the FDN. You
FortiResponse Distribution Network
Available The FDN can connect to the FortiGate unit to send
Not available The FDN cannot connect to the FortiGate unit to send
Push Update
configure the FortiGate unit for scheduled updates. See “Configuring scheduled updates” on page 91.
must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet.
You may also have to connect to an override FortiResponse server to receive updates. See
“Configuring update logging” on page 92.
push updates. You can configure the FortiGate unit to receive push updates. See “Configuring push updates”
on page 93.
push updates. Push updates may not be available if you have not registered the FortiGate unit (see
“Registering the FortiGate unit” on page 100), if there is
a NAT device installed between the FortiGate unit and the FDN (see “Push updates through a NAT device” on
page 94), or if your FortiGate unit connects to the
Internet using a proxy server (see “Scheduled updates
through a proxy server” on page 98).
Configuring scheduled updates
You can configure the FortiGate unit to check for and download updated definitions hourly, daily, or weekly according to the schedule you specify.
1 Go to System > Update.
2 Select Scheduled Update.
3 Select whether to check for and download updates hourly, daily, or weekly:
Hourly Once every 1 to 23 hours. Select the number of hours and minutes between
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and the time of day to check
FortiGate-60R Installation and Configuration Guide 91
each update request.
for updates.
Updating antivirus and attack definitions Virus and attack definitions updates and registration
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule.
Whenever a scheduled update is run, the event is recorded in the FortiGate event log.
Figure 1: Configuring automatic antivirus and attack definitions updates
Configuring update logging
Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. Update log messages are recorded on the FortiGate Event log.
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the type of logs that the FortiGate unit is configured to record.
See “Recording logs” on page 247.
3 Select Update to record log messages when the FortiGate unit updates antivirus and
attack definitions.
4 Select the following update log options:
Failed Update The FortiGate unit records a log message whenever and update attempt
Successful Update
FDN error The FortiGate unit records a log messages whenever it cannot connect to
fails.
The Fortigate unit records a log message whenever an update attempt is successful.
the FDN or whenever it receives an error message from the FDN.
5 Select OK.
92 Fortinet Inc.
Virus and attack definitions updates and registration Updating antivirus and attack definitions
Adding an override server
If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
1 Go to System > Update.
2 Select Use override server address and add the IP address of a FortiResponse
server.
3 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiResponse Distribution Network setting changes to available, the FortiGate
unit has successfully connected to the override server. If the FortiResponse Distribution Network stays set to not available, the FortiGate unit
cannot connect to the override server. Check the FortiGate configuration and the network configuration to make sure you can connect to the override FortiResponse server from the FortiGate unit.
Manually updating antivirus and attack definitions
You can use the following procedure to update the antivirus and attack definitions at any time. To run this procedure the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server.
1 Go to System > Update.
2 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine, or for attack definitions. The System Status page will also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.
Configuring push updates
The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See “Registering the FortiGate unit” on page 100.
If the FDN must connect to the FortiGate unit through a NAT device, see “Push
updates through a NAT device” on page 94.
Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See “Scheduled updates through a proxy server” on page 98 for more information.
FortiGate-60R Installation and Configuration Guide 93
Updating antivirus and attack definitions Virus and attack definitions updates and registration
To enable push updates
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Apply.
About push updates
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiGate units configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit attempts to request an update from the FDN.
If available for your network configuration, configuring push updates is recommended in addition to configuring scheduled updates. Push updates mean that on average the FortiGate unit receives new updates sooner than if the FortiGate just receives scheduled updates. However, scheduled updates make sure that the FortiGate unit does eventually receives the latest updates.
Enabling push updates is not recommended as the only method for obtaining updates. The push notification may not be received by the FortiGate unit. Also, when the FortiGate unit receives a push notification it will only make one attempt to connect to the FDN and download updates.
Push updates and WAN1 dynamic IP addresses
If the WAN1 interface of the FortiGate unit is configured with a dynamic IP address (using PPPoE or DHCP), whenever the IP address of the WAN1 interface changes, a SETUP message is sent to the FDN to notify it of the change. As long as this SETUP message is sent, the FDN will have the most up-to-date IP address and the next push notification is sent to this IP address.
Push updates through a NAT device
If the FDN can only connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using either port 9443 or an override push port that you assign.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
94 Fortinet Inc.
Virus and attack definitions updates and registration Updating antivirus and attack definitions
Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP. This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network. This IP address can either be the external IP address of the FortiGate unit if it is operating in NAT/Route mode or the Management IP address of the FortiGate unit if it is operating in Transparent mode.
Note: This example describes the configuration for a FortiGate NAT device. However, any NAT device with a static external IP address that can be configured for port forwarding can be used.
Figure 2: Example network topology: Push updates through a NAT device
FortiGate-60R Installation and Configuration Guide 95
Updating antivirus and attack definitions Virus and attack definitions updates and registration
General procedure
Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding
virtual IP.
3 Configure the FortiGate unit on the internal network with an override push IP and port.
Note: Before completing the following procedure you should register the FortiGate unit on the
internal network so that it can receive push updates.
Adding a port forwarding virtual IP to the FortiGate NAT device
Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.
To configure the FortiGate NAT device:
1 Go to Firewall > Virtual IP.
2 Select New.
3 Add a name for the virtual IP.
4 Select the External interface that the FDN connects to.
For the example topology, select the external interface.
5 Select Port Forwarding.
6 Enter the External IP address that the FDN connects to.
For the example topology, enter 64.230.123.149.
7 Enter the External Service Port that the FDN connects to.
For the example topology, enter 45001.
8 Set Map to IP to the IP address of the FortiGate unit on the internal network.
If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface.
If the FortiGate unit is operating in Transparent mode, enter the management IP address.
For the example topology, enter 192.168.1.99.
9 Set the Map to Port to 9443.
10 Set Protocol to UDP.
11 Select OK.
96 Fortinet Inc.
Virus and attack definitions updates and registration Updating antivirus and attack definitions
Figure 3: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device:
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source External_All
Destination The virtual IP added above.
Schedule Always
Service ANY
Action Accept
NAT Selected.
3 Select OK.
Configure the FortiGate unit with an override push IP and port
To configure the FortiGate unit on the internal network:
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Use override push.
4 Set IP to the External IP Address added to the virtual IP.
For the example topology, enter 64.230.123.149.
FortiGate-60R Installation and Configuration Guide 97
Updating antivirus and attack definitions Virus and attack definitions updates and registration
5 Set Port to the External Service Port added to the virtual IP.
For the example topology, enter 45001.
6 Select Apply.
The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP address and port for push updates to the FortiGate unit on the internal network.
If the External IP Address or External Service Port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.
Figure 4: Example push update configuration
7 Select Apply.
8 You can select Refresh to make sure that push updates work.
Push Update should change to Available.
Scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using the command you can specify the IP address and port of the proxy server. As well, if the proxy server requires authentication, you can add the user name and password required for the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:
set system autouopdate tunneling enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]
For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:
set system autouopdate tunneling enable address 64.23.6.89 port 8080
For more information about the set system autoupdate command, see Volume 6, FortiGate CLI Reference Guide.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers won't allow the CONNECT to connect to just any port; they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server may have to be configured to allow connections on this port.
98 Fortinet Inc.
Virus and attack definitions updates and registration Registering FortiGate units
There are no special tunneling requirements if you have configured an override server address to connect to the FDN.
Push updates are not supported if the FortiGate must connect to the Internet through a proxy server.
Registering FortiGate units
After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to System > Update > Support, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to:
View your list of registered FortiGate units
Register additional FortiGate units
Add or change FortiCare Support Contract numbers for each FortiGate unit
View and change registration information
Download virus and attack definitions updates
Download firmware upgrades
Modify registration information after an RMA
Soon you will also be able to:
Access Fortinet user documentation
Access the Fortinet knowledge base
All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third party organizations for any reason.
This section describes:
FortiCare Service Contracts
Registering the FortiGate unit
FortiCare Service Contracts
Owners of a new FortiGate unit are entitled to 90 days of technical support services. To continue receiving support services after the 90 day expiry date, you must purchase a FortiCare Support Contract from an authorized Fortinet reseller or distributor. Different levels of service are available so you can purchase the support that you need. For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing.
FortiGate-60R Installation and Configuration Guide 99
Registering FortiGate units Virus and attack definitions updates and registration
To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In this case, when you do purchase a FortiCare Support Contract you can update the registration information to add the support contract number.
A single FortiCare Support Contract can cover multiple FortiGate units. You must enter the same service contract number for each of the FortiGate models covered by the service contract.
Registering the FortiGate unit
Before registering a FortiGate unit, you require the following information:
Your contact information including:
First and last name
Company name
Email address (Your Fortinet support login user name and password will be
sent to this email address.)
•Address
Contact phone number
A security question and an answer to the security question. This information is used for password recovery. The security question should be a
simple question that only you know the answer to. The answer should not be easy to guess.
The product model and serial number for each FortiGate unit to be registered. The serial number is located on a label on the bottom of the FortiGate unit. You can view the Serial number from the web-based manager by going to
System > Status. The serial number is also available from the CLI using the get system status
command.
FortiCare Support Contract numbers if you have purchased FortiCare Support Contracts for the FortiGate units to be registered.
To register one or more FortiGate units
1 Go to System > Update > Support.
2 Enter your contact information into the product registration form.
100 Fortinet Inc.
Loading...