FortiGate 60R
Installation and
Configuration Guide
FortiGate User Manual Volume 1
INTERNAL
PWR STATUS
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
Version 2.50 MR2
18 August 2003
DMZ4321
WAN1 WAN2
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-60R Installation and Configuration Guide
Version 2.50 MR2
18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective
holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.
Table of Contents
Introduction .......................................................................................................... 13
Antivirus protection ........................................................................................................... 13
Web content filtering ......................................................................................................... 14
Email filtering .................................................................................................................... 14
Firewall.............................................................................................................................. 15
NAT/Route mode .......................................................................................................... 15
Transparent mode......................................................................................................... 16
Network intrusion detection............................................................................................... 16
VPN................................................................................................................................... 16
Secure installation, configuration, and management ........................................................ 17
Web-based manager .................................................................................................... 17
Command line interface ................................................................................................ 18
Logging and reporting ................................................................................................... 19
What’s new in Version 2.50 .............................................................................................. 19
System administration................................................................................................... 19
Firewall.......................................................................................................................... 20
Users and authentication .............................................................................................. 20
VPN............................................................................................................................... 20
NIDS ............................................................................................................................. 21
Antivirus ........................................................................................................................ 21
Web Filter...................................................................................................................... 21
Email filter ..................................................................................................................... 21
Logging and Reporting.................................................................................................. 21
About this document ......................................................................................................... 22
Document conventions ..................................................................................................... 23
Fortinet documentation ..................................................................................................... 24
Comments on Fortinet technical documentation........................................................... 24
Customer service and technical support........................................................................... 25
Contents
Getting started ..................................................................................................... 27
Package contents ............................................................................................................. 28
Mounting ........................................................................................................................... 28
Powering on...................................................................................................................... 29
Connecting to the web-based manager............................................................................ 30
Connecting to the command line interface (CLI)............................................................... 31
Factory default FortiGate configuration settings ............................................................... 31
Factory Default DHCP configuration............................................................................. 32
Factory default NAT/Route mode network configuration .............................................. 33
Factory default Transparent mode network configuration............................................. 33
Factory default firewall configuration ............................................................................ 34
Factory default content profiles..................................................................................... 35
FortiGate-60R Installation and Configuration Guide 3
Contents
Planning your FortiGate configuration .............................................................................. 37
NAT/Route mode .......................................................................................................... 37
Transparent mode......................................................................................................... 38
Configuration options .................................................................................................... 39
FortiGate model maximum values matrix ......................................................................... 40
Next steps......................................................................................................................... 41
NAT/Route mode installation.............................................................................. 43
Installing the FortiGate unit using the default configuration .............................................. 43
Changing the default configuration ............................................................................... 44
Preparing to configure NAT/Route mode.......................................................................... 44
Advanced NAT/Route mode settings............................................................................ 45
DMZ interface ............................................................................................................... 45
Using the setup wizard...................................................................................................... 46
Starting the setup wizard .............................................................................................. 46
Reconnecting to the web-based manager .................................................................... 46
Using the command line interface..................................................................................... 46
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 46
Connecting the FortiGate unit to your networks................................................................ 48
Configuring your networks ................................................................................................ 49
Completing the configuration ............................................................................................ 50
Configuring the DMZ interface ...................................................................................... 50
Configuring the WAN2 interface ................................................................................... 50
Setting the date and time .............................................................................................. 50
Changing antivirus protection ....................................................................................... 50
Registering your FortiGate............................................................................................ 51
Configuring virus and attack definition updates ............................................................ 51
Configuration example: Multiple connections to the Internet ............................................ 51
Configuring Ping servers............................................................................................... 52
Destination based routing examples............................................................................. 53
Policy routing examples ................................................................................................ 56
Firewall policy example................................................................................................. 57
Transparent mode installation............................................................................ 59
Preparing to configure Transparent mode ........................................................................ 59
Using the setup wizard...................................................................................................... 60
Changing to Transparent mode .................................................................................... 60
Starting the setup wizard .............................................................................................. 60
Reconnecting to the web-based manager .................................................................... 60
Using the command line interface..................................................................................... 61
Changing to Transparent mode .................................................................................... 61
Configuring the Transparent mode management IP address ....................................... 61
Configure the Transparent mode default gateway........................................................ 61
Connecting the FortiGate unit to your networks................................................................ 62
4 Fortinet Inc.
Completing the configuration ............................................................................................ 63
Setting the date and time .............................................................................................. 63
Enabling antivirus protection......................................................................................... 63
Registering your FortiGate............................................................................................ 63
Configuring virus and attack definition updates ............................................................ 64
Transparent mode configuration examples....................................................................... 64
Default routes and static routes .................................................................................... 64
Example default route to an external network............................................................... 65
Example static route to an external destination ............................................................ 66
Example static route to an internal destination ............................................................. 69
System status....................................................................................................... 71
Changing the FortiGate host name................................................................................... 72
Changing the FortiGate firmware...................................................................................... 72
Upgrade to a new firmware version .............................................................................. 73
Revert to a previous firmware version .......................................................................... 74
Install a firmware image from a system reboot using the CLI ....................................... 77
Test a new firmware image before installing it .............................................................. 79
Manual virus definition updates ........................................................................................ 81
Manual attack definition updates ...................................................................................... 82
Displaying the FortiGate serial number............................................................................. 82
Displaying the FortiGate up time....................................................................................... 82
Backing up system settings .............................................................................................. 82
Restoring system settings................................................................................................. 83
Restoring system settings to factory defaults ................................................................... 83
Changing to Transparent mode ........................................................................................ 83
Changing to NAT/Route mode.......................................................................................... 84
Restarting the FortiGate unit............................................................................................. 84
Shutting down the FortiGate unit ...................................................................................... 84
System status ................................................................................................................... 85
Viewing CPU and memory status ................................................................................. 85
Viewing sessions and network status ........................................................................... 86
Viewing virus and intrusions status............................................................................... 87
Session list........................................................................................................................ 88
Contents
Virus and attack definitions updates and registration ..................................... 89
Updating antivirus and attack definitions .......................................................................... 89
Connecting to the FortiResponse Distribution Network ................................................ 90
Configuring scheduled updates .................................................................................... 91
Configuring update logging ........................................................................................... 92
Adding an override server............................................................................................. 93
Manually updating antivirus and attack definitions........................................................ 93
Configuring push updates ............................................................................................. 93
Push updates through a NAT device ............................................................................ 94
Scheduled updates through a proxy server .................................................................. 98
FortiGate-60R Installation and Configuration Guide 5
Contents
Registering FortiGate units ............................................................................................... 99
FortiCare Service Contracts.......................................................................................... 99
Registering the FortiGate unit ..................................................................................... 100
Updating registration information .................................................................................... 102
Recovering a lost Fortinet support password.............................................................. 102
Viewing the list of registered FortiGate units .............................................................. 102
Registering a new FortiGate unit ................................................................................ 103
Adding or changing a FortiCare Support Contract number......................................... 103
Changing your Fortinet support password .................................................................. 104
Changing your contact information or security question ............................................. 104
Downloading virus and attack definitions updates ...................................................... 104
Registering a FortiGate unit after an RMA...................................................................... 105
Network configuration....................................................................................... 107
Configuring interfaces ..................................................................................................... 107
Viewing the interface list ............................................................................................. 108
Bringing up an interface .............................................................................................. 108
Changing an interface static IP address ..................................................................... 108
Adding a secondary IP address to an interface .......................................................... 108
Adding a ping server to an interface ........................................................................... 109
Controlling management access to an interface ......................................................... 109
Configuring traffic logging for connections to an interface .......................................... 110
Configuring the wan1 and wan2 interfaces with a static IP address........................... 110
Configuring the wan1 or wan2 interfaces for DHCP ................................................... 110
Configuring the wan1 and wan2 interfaces for PPPoE ............................................... 111
Changing the wan1 and wan2 interface MTU size to improve network performance. 111
Configuring the management interface (Transparent mode) ...................................... 112
Adding DNS server IP addresses ................................................................................... 113
Configuring routing.......................................................................................................... 113
Adding a default route................................................................................................. 114
Adding destination-based routes to the routing table.................................................. 114
Adding routes in Transparent mode............................................................................ 115
Configuring the routing table....................................................................................... 116
Policy routing .............................................................................................................. 116
Providing DHCP services to your internal network ......................................................... 117
RIP configuration ............................................................................................... 119
RIP settings..................................................................................................................... 120
Configuring RIP for FortiGate interfaces......................................................................... 122
Adding RIP neighbors..................................................................................................... 123
6 Fortinet Inc.
Adding RIP filters ............................................................................................................ 124
Adding a single RIP filter............................................................................................. 124
Adding a RIP filter list.................................................................................................. 125
Adding a neighbors filter ............................................................................................. 126
Adding a routes filter ................................................................................................... 126
System configuration ........................................................................................ 127
Setting system date and time.......................................................................................... 127
Changing web-based manager options .......................................................................... 128
Adding and editing administrator accounts..................................................................... 130
Adding new administrator accounts ............................................................................ 130
Editing administrator accounts.................................................................................... 131
Configuring SNMP .......................................................................................................... 132
Configuring the FortiGate unit for SNMP monitoring .................................................. 132
Configuring FortiGate SNMP support ......................................................................... 132
FortiGate MIBs............................................................................................................ 133
FortiGate traps ............................................................................................................ 134
Customizing replacement messages.............................................................................. 134
Customizing replacement messages .......................................................................... 135
Customizing alert emails............................................................................................. 136
Contents
Firewall configuration........................................................................................ 139
Default firewall configuration........................................................................................... 140
Interfaces .................................................................................................................... 140
Addresses ................................................................................................................... 140
Services ...................................................................................................................... 141
Schedules ................................................................................................................... 141
Content profiles........................................................................................................... 141
Adding firewall policies.................................................................................................... 142
Firewall policy options................................................................................................. 143
Configuring policy lists .................................................................................................... 147
Policy matching in detail ............................................................................................. 147
Changing the order of policies in a policy list.............................................................. 147
Enabling and disabling policies................................................................................... 148
Addresses ....................................................................................................................... 148
Adding addresses ....................................................................................................... 149
Editing addresses ....................................................................................................... 150
Deleting addresses ..................................................................................................... 150
Organizing addresses into address groups ................................................................ 150
Services .......................................................................................................................... 151
Predefined services .................................................................................................... 151
Providing access to custom services .......................................................................... 154
Grouping services ....................................................................................................... 154
FortiGate-60R Installation and Configuration Guide 7
Contents
Schedules ....................................................................................................................... 155
Creating one-time schedules ...................................................................................... 155
Creating recurring schedules ...................................................................................... 156
Adding a schedule to a policy ..................................................................................... 157
Virtual IPs........................................................................................................................ 158
Adding static NAT virtual IPs ...................................................................................... 158
Adding port forwarding virtual IPs ............................................................................... 159
Adding policies with virtual IPs.................................................................................... 161
IP pools........................................................................................................................... 162
Adding an IP pool........................................................................................................ 162
IP Pools for firewall policies that use fixed ports ......................................................... 163
IP pools and dynamic NAT ......................................................................................... 163
IP/MAC binding ............................................................................................................... 164
Configuring IP/MAC binding for packets going through the firewall ............................ 164
Configuring IP/MAC binding for packets going to the firewall ..................................... 165
Adding IP/MAC addresses.......................................................................................... 165
Viewing the dynamic IP/MAC list ................................................................................ 166
Enabling IP/MAC binding ............................................................................................ 166
Content profiles............................................................................................................... 167
Default content profiles ............................................................................................... 168
Adding a content profile .............................................................................................. 168
Adding a content profile to a policy ............................................................................. 169
Users and authentication .................................................................................. 171
Setting authentication timeout......................................................................................... 172
Adding user names and configuring authentication ........................................................ 172
Adding user names and configuring authentication .................................................... 172
Deleting user names from the internal database ........................................................ 173
Configuring RADIUS support .......................................................................................... 174
Adding RADIUS servers ............................................................................................. 174
Deleting RADIUS servers ........................................................................................... 174
Configuring LDAP support .............................................................................................. 175
Adding LDAP servers.................................................................................................. 175
Deleting LDAP servers................................................................................................ 176
Configuring user groups.................................................................................................. 177
Adding user groups..................................................................................................... 177
Deleting user groups................................................................................................... 178
IPSec VPN........................................................................................................... 179
Key management............................................................................................................ 180
Manual Keys ............................................................................................................... 180
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 180
8 Fortinet Inc.
Manual key IPSec VPNs................................................................................................. 181
General configuration steps for a manual key VPN .................................................... 181
Adding a manual key VPN tunnel ............................................................................... 181
AutoIKE IPSec VPNs ...................................................................................................... 183
General configuration steps for an AutoIKE VPN ....................................................... 183
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 183
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 187
Managing digital certificates............................................................................................ 189
Obtaining a signed local certificate ............................................................................. 189
Obtaining a CA certificate ........................................................................................... 193
Configuring encrypt policies............................................................................................ 194
Adding a source address ............................................................................................ 195
Adding a destination address...................................................................................... 195
Adding an encrypt policy............................................................................................. 195
IPSec VPN concentrators ............................................................................................... 197
VPN concentrator (hub) general configuration steps .................................................. 197
Adding a VPN concentrator ........................................................................................ 199
VPN spoke general configuration steps...................................................................... 200
Redundant IPSec VPNs.................................................................................................. 201
Configuring redundant IPSec VPN ............................................................................. 201
Monitoring and Troubleshooting VPNs ........................................................................... 203
Viewing VPN tunnel status.......................................................................................... 203
Viewing dialup VPN connection status ....................................................................... 203
Testing a VPN............................................................................................................. 204
Contents
PPTP and L2TP VPN .......................................................................................... 205
Configuring PPTP ........................................................................................................... 205
Configuring the FortiGate unit as a PPTP gateway .................................................... 206
Configuring a Windows 98 client for PPTP ................................................................. 208
Configuring a Windows 2000 client for PPTP ............................................................. 209
Configuring a Windows XP client for PPTP ................................................................ 210
Configuring L2TP............................................................................................................ 211
Configuring the FortiGate unit as a L2TP gateway ..................................................... 212
Configuring a Windows 2000 client for L2TP.............................................................. 215
Configuring a Windows XP client for L2TP ................................................................. 216
FortiGate-60R Installation and Configuration Guide 9
Contents
Network Intrusion Detection System (NIDS) ................................................... 219
Detecting attacks ............................................................................................................ 219
Selecting the interfaces to monitor.............................................................................. 220
Disabling the NIDS...................................................................................................... 220
Configuring checksum verification .............................................................................. 220
Viewing the signature list ............................................................................................ 221
Viewing attack descriptions......................................................................................... 221
Enabling and disabling NIDS attack signatures .......................................................... 222
Adding user-defined signatures .................................................................................. 222
Preventing attacks .......................................................................................................... 223
Enabling NIDS attack prevention ................................................................................ 223
Enabling NIDS attack prevention signatures .............................................................. 224
Setting signature threshold values.............................................................................. 224
Configuring synflood signature values ........................................................................ 226
Logging attacks............................................................................................................... 226
Logging attack messages to the attack log................................................................. 226
Reducing the number of NIDS attack log and email messages.................................. 227
Antivirus protection........................................................................................... 229
General configuration steps............................................................................................ 229
Antivirus scanning........................................................................................................... 230
File blocking.................................................................................................................... 231
Blocking files in firewall traffic ..................................................................................... 231
Adding file patterns to block........................................................................................ 231
Blocking oversized files and emails ................................................................................ 232
Configuring limits for oversized files and email........................................................... 232
Exempting fragmented email from blocking.................................................................... 232
Viewing the virus list ....................................................................................................... 232
Web filtering ....................................................................................................... 233
General configuration steps............................................................................................ 233
Content blocking ............................................................................................................. 234
Adding words and phrases to the banned word list .................................................... 234
URL blocking................................................................................................................... 235
Using the FortiGate web filter ..................................................................................... 235
Using the Cerberian web filter..................................................................................... 238
Script filtering .................................................................................................................. 240
Enabling the script filter............................................................................................... 240
Selecting script filter options ....................................................................................... 240
Exempt URL list .............................................................................................................. 241
Adding URLs to the exempt URL list .......................................................................... 241
Email filter........................................................................................................... 243
General configuration steps............................................................................................ 243
10 Fortinet Inc.
Email banned word list.................................................................................................... 244
Adding words and phrases to the banned word list .................................................... 244
Email block list ................................................................................................................ 245
Adding address patterns to the email block list........................................................... 245
Email exempt list............................................................................................................. 245
Adding address patterns to the email exempt list ....................................................... 246
Adding a subject tag ....................................................................................................... 246
Logging and reporting....................................................................................... 247
Recording logs................................................................................................................ 247
Recording logs on a remote computer ........................................................................ 248
Recording logs on a NetIQ WebTrends server ........................................................... 248
Recording logs in system memory.............................................................................. 249
Filtering log messages .................................................................................................... 249
Configuring traffic logging ............................................................................................... 251
Enabling traffic logging................................................................................................ 251
Configuring traffic filter settings................................................................................... 252
Adding traffic filter entries ........................................................................................... 252
Viewing logs saved to memory ....................................................................................... 253
Viewing logs................................................................................................................ 253
Searching logs ............................................................................................................ 254
Configuring alert email .................................................................................................... 254
Adding alert email addresses...................................................................................... 254
Testing alert email....................................................................................................... 255
Enabling alert email .................................................................................................... 255
Contents
Glossary ............................................................................................................. 257
Index .................................................................................................................... 261
FortiGate-60R Installation and Configuration Guide 11
Contents
12 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
Introduction
The FortiGate Antivirus Firewall supports network-based deployment of
application-level services—including antivirus protection and full-scan content filtering.
FortiGate Antivirus Firewalls improve network security, reduce network misuse and
abuse, and help you use communications resources more efficiently without
compromising the performance of your network. FortiGate Antivirus Firewalls are
ICSA-certified for firewall, IPSec and antivirus services.
Your FortiGate Antivirus Firewall is a dedicated easily managed security device that
delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and
Content Analysis System (ABACAS™) technology, which leverages breakthroughs in
chip design, networking, security, and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications to
be deployed right at the network edge where they are most effective at protecting your
networks. The FortiGate series complements existing solutions, such as host-based
antivirus protection, and enables new applications and services while greatly lowering
costs for equipment, administration and maintenance.
The FortiGate-60 model is ideally suited
for small businesses, remote offices, retail
stores, and broadband telecommuter
sites. The FortiGate-60 Antivirus Firewall
features dual WAN link support for
redundant internet connections, and an integrated 4-port switch that eliminates the
need for an external hub or switch. Networked devices connect directly to the
FortiGate-60 unit.
The FortiGate-60R is limited to a maximum of 12 users.
Antivirus protection
FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer
(FTP), and email (SMTP, POP3, and IMAP) content as it passes through the
FortiGate. If a virus is found, antivirus protection removes the file containing the virus
from the content stream and forwards an replacement message to the intended
recipient.
FortiGate-60R Installation and Configuration Guide 13
Web content filtering Introduction
For extra protection, you also configure antivirus protection to block files of specified
file types from passing through the FortiGate unit. You can use the feature to stop files
that may contain new viruses.
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined.
The FortiGate administrator can download quarantined files, so that they can be virus
scanned, cleaned, and forwarded to the intended recipient. You can also configure the
FortiGate unit to automatically delete quarantined files after a specified time period.
The FortiGate unit can send email alerts to system administrators when it detects and
removes a virus from a content stream. The web and email content can be in normal
network traffic or in encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
• detect viruses in compressed files using the PKZip format,
• detect viruses in e-mail that has been encoded using uuencode format,
• detect viruses in e-mail that has been encoded using MIME encoding,
• log all actions taken while scanning.
Web content filtering
FortiGate web content filtering can be configured to scan all HTTP content protocol
streams for URLs or for web page content. If a match is found between a URL on the
URL block list, or if a web page is found to contain a word or phrase in the content
block list, the FortiGate blocks the web page. The blocked web page is replaced with a
message that you can edit using the FortiGate web-based manager.
You can configure URL blocking to block all or just some of the pages on a web site.
Using this feature you can deny access to parts of a web site without denying access
to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an
Exempt List that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can be configured to block
unsecure web content such as Java Applets, Cookies, and ActiveX.
You can also use the Cerberian URL blocking to block unwanted URLs.
Email filtering
FortiGate Email filtering can be configured to scan all IMAP and POP3 email content
for unwanted senders or for unwanted content. If a match is found between a sender
address pattern on the Email block list, or if an email is found to contain a word or
phrase in the banned word list, the FortiGate adds a Email tag to subject line of the
email. Receivers can then use their mail client software to filter messages based on
the Email tag.
14 Fortinet Inc.
Introduction Firewall
You can configure Email blocking to tag email from all or some senders within
organizations that are known to send spam email. To prevent unintentional tagging of
email from legitimate senders, you can add sender address patterns to an exempt list
that overrides the email block and banned word lists.
Firewall
The FortiGate ICSA-certified firewall protects your computer networks from the hostile
environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall
certification, providing assurance that FortiGate firewalls successfully screen for and
secure corporate networks against a wide range of threats from public or other
untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected
network to access the Internet while blocking Internet access to internal networks. You
can modify this firewall configuration to place controls on access to the Internet from
the protected networks and to allow controlled access to internal networks.
FortiGate policies include a complete range of options that:
• control all incoming and outgoing network traffic,
• control encrypted VPN traffic,
• apply antivirus protection and web content filtering,
• block or allow access for all policy options,
• control when individual policies are in effect,
• accept or deny traffic to and from individual addresses,
• control standard and user defined network services individually or in groups,
• require users to authenticate before gaining access,
• include traffic shaping to set access priorities and guarantee or limit bandwidth for
each policy,
• include logging to track connections for individual policies,
• include Network address translation (NAT) mode and Route mode policies,
• include Mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a
more secure network from users in a less secure network.
• Route mode policies accept or deny connections between networks without
performing address translation.
FortiGate-60R Installation and Configuration Guide 15
Network intrusion detection Introduction
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets
received by the FortiGate unit are intelligently forwarded or blocked according to
firewall policies. The FortiGate unit can be inserted in your network at any point
without the need to make changes to your network or any of its components.
However, VPN and some advanced firewall features are only available in NAT/Route
mode.
Network intrusion detection
The FortiGate Network Intrusion Detection System (NIDS) is a real-time network
intrusion detection sensor that detects and prevents a wide variety of suspicious
network activity. NIDS detection uses attack signatures to identify over 1000 attacks.
You can enable and disable the attacks that the NIDS detects. You can also write your
own user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packetbased attacks. You can enable and disable prevention attack signatures and
customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any
suspicious traffic to the attack log and can be configured to send alert emails.
VPN
Fortinet updates NIDS attack definitions periodically. You can download and install
updated attack definitions manually, or you can configure the FortiGate to
automatically check for and download attack definition updates.
Using FortiGate virtual private networking (VPN), you can provide a secure
connection between widely separated office networks or securely link telecommuters
or travellers to an office network.
FortiGate VPN features include the following:
• Industry standard and ICSA-certified IPSec VPN including:
• IPSec, ESP security in tunnel mode,
• DES, 3DES (triple-DES), and AES hardware accelerated encryption,
• HMAC MD5 and HMAC SHA1 authentication and data integrity,
• AutoIKE key based on pre-shared key tunnels,
• IPSec VPN using local or CA certificates,
• Manual Keys tunnels,
• Diffie-Hellman groups 1, 2, and 5,
• Aggressive and Main Mode,
• Replay Detection,
• Perfect Forward Secrecy,
• XAuth authentication,
• Dead peer detection.
16 Fortinet Inc.
Introduction Secure installation, configuration, and management
• PPTP for easy connectivity with the VPN standard supported by the most popular
operating systems.
• L2TP for easy connectivity with a more secure VPN standard also supported by
many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT
can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from
one tunnel to another tunnel through the FortiGate unit.
• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a
remote network.
Secure installation, configuration, and management
Installation is quick and simple. The first time you turn on the FortiGate unit, it is
already configured with default IP addresses and security policies. Connect to the
web-based manager, set the operating mode, and use the setup wizard to customize
FortiGate IP addresses for your network, and the FortiGate unit is set to protect your
network. You can then use the web-based manager to customize advanced FortiGate
features to meet your needs.
You can also create a basic configuration using the FortiGate command line interface
(CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet
Explorer, you can configure and manage the FortiGate unit. The web-based manager
supports multiple languages. You can configure the FortiGate unit for HTTP and
HTTPs administration from any FortiGate interface.
You can use the web-based manager for most FortiGate configuration settings. You
can also use the web-based manager to monitor the status of the FortiGate unit.
Configuration changes made with the web-based manager are effective immediately
without the need to reset the firewall or interrupt service. Once a satisfactory
configuration has been established, it can be downloaded and saved. The saved
configuration can be restored at any time.
FortiGate-60R Installation and Configuration Guide 17
Secure installation, configuration, and management Introduction
Figure 1: The FortiGate web-based manager and setup wizard
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a
management computer serial port to the FortiGate RS-232 serial Console connector.
You can also use Telnet or a secure SSH connection to connect to the CLI from any
network connected to the FortiGate, including the Internet.
The CLI supports the same configuration and monitoring functionality as the
web-based manager. In addition, you can use the CLI for advanced configuration
options not available from the web-based manager. This Installation and
Configuration Guide contains information about basic and advanced CLI commands.
You can find a more complete description of connecting to and using the FortiGate CLI
in the FortiGate CLI Reference Guide.
18 Fortinet Inc.
Introduction What’s new in Version 2.50
Logging and reporting
The FortiGate supports logging of various categories of traffic and of configuration
changes. You can configure logging to:
• report traffic that connects to the firewall,
• report network services used,
• report traffic permitted by firewall policies,
• report traffic that was denied by firewall policies,
• report events such as configuration changes and other management events, IPSec
tunnel negotiation, virus detection, attacks, and web page blocking,
• report attacks detected by the NIDS,
• send alert email to system administrators to report virus incidents, intrusions, and
firewall or VPN events or violations.
Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security
Reporting Center and Firewall Suite server using the WebTrends enhanced log
format. Some models can also save logs to an optional internal hard drive. If a hard
drive is not installed, you can configure most FortiGates to log the most recent events
and attacks detected by the NIDS to shared system memory.
What’s new in Version 2.50
This section presents a brief summary of some of the new features in FortiOS v2.50:
System administration
• Improved graphical FortiGate system health monitoring that includes CPU and
memory usage, session number and network bandwidth usage, and the number of
viruses and intrusions detected. See “System status” on page 85.
• Revised antivirus and attack definition update functionality that connects to a new
version of the FortiResponse Distribution network. Updates can now be scheduled
hourly and the System > Update page displays more information about the current
update status. See “Updating antivirus and attack definitions” on page 89.
• Direct connection to the Fortinet tech support web page from the web-based
manager. You can register your FortiGate unit and get access to other technical
support resources. See “Registering FortiGate units” on page 99.
Network configuration
• New interface configuration options. See “Configuring interfaces” on page 107.
• Ping server and dead gateway detection for all interfaces.
• HTTP and Telnet administrative access to any interface.
• Secondary IP addresses for all FortiGate interfaces.
Routing
• Simplified direction-based routing configuration.
• Advanced policy routing (CLI only).
FortiGate-60R Installation and Configuration Guide 19
What’s new in Version 2.50 Introduction
DHCP server
• Addition of a WINS server to DHCP configuration.
• Reserve IP/MAC pair combinations for DHCP servers (CLI only).
RIP
• New RIP v1 and v2 functionality. See “RIP configuration” on page 119.
SNMP
• SNMP v1 and v2 support.
• Support for RFC 1213 and RFC 2665
• Monitoring of all FortiGate configuration and functionality
•See “Configuring SNMP” on page 132
Replacement messages
You can customize messages sent by the FortiGate unit:
• When a virus is detected,
• When a file is blocked,
• When a fragmented email is blocked
• When an alert email is sent
See “Customizing replacement messages” on page 134.
Firewall
• The firewall default configuration has changed. See “Default firewall configuration”
on page 140.
• Add virtual IPs to all interfaces. See “Virtual IPs” on page 158.
• Add content profiles to firewall policies to configure blocking, scanning, quarantine,
web content blocking, and email filtering. See “Content profiles” on page 167.
Users and authentication
• LDAP authentication. See “Configuring LDAP support” on page 175.
VPN
See the FortiGate VPN Guide for a complete description of FortiGate VPN
functionality. New features include:
•Phase 1
• AES encryption
• Certificates
• Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD
•Phase 2
• AES encryption
• Encryption policies select service
• Generate and import local certificates
• Import CA certificates
20 Fortinet Inc.
Introduction What’s new in Version 2.50
NIDS
See the FortiGate NIDS Guide for a complete description of FortiGate NIDS
functionality. New features include:
• Attack detection signature groups
• User-configuration attack prevention
• Monitor multiple interfaces for attacks
• User-defined attack detection signatures
Antivirus
See the FortiGate Content Protection Guide for a complete description of FortiGate
antivirus functionality. New features include:
• Content profiles
• Blocking oversized files
Web Filter
See the FortiGate Content Protection Guide for a complete description of FortiGate
web filtering functionality. New features include:
• Cerberian URL Filtering
Email filter
See the FortiGate Content Protection Guide for a complete description of FortiGate
email filtering functionality.
Logging and Reporting
See the FortiGate Logging and Message Reference Guide for a complete description
of FortiGate logging.
• Log to remote host CSV format
• Log message levels: Emergency, Alert, critical, error, Warning, notification,
information
• Log level policies
• Traffic log filter
• New antivirus, web filter, and email filter logs
• Alert email supports authentication
• Suppress email flooding
• Extended WebTrends support for graphing activity
FortiGate-60R Installation and Configuration Guide 21
About this document Introduction
About this document
This installation and configuration guide describes how to install and configure the
FortiGate-60. This document contains the following information:
• Getting started describes unpacking, mounting, and powering on the FortiGate.
• NAT/Route mode installation describes how to install the FortiGate if you are
planning on running it in NAT/Route mode.
• Transparent mode installation describes how to install the FortiGate if you are
planning on running it in Transparent mode.
• System status describes how to view the current status of your FortiGate unit and
related status procedures including installing updated FortiGate firmware, backing
up and restoring system settings, and switching between Transparent and
NAT/Route mode.
• Virus and attack definitions updates and registration describes configuring
automatic virus and attack definition updates. This chapter also contains
procedures for connecting to the FortiGate tech support webs site and for
registering your FortiGate unit.
• Network configuration describes configuring interfaces, configuring routing, and
configuring the FortiGate as a DHCP server for your internal network.
• RIP configuration describes the FortiGate RIP2 implementation and how to
configure RIP settings.
• System configuration describes system administration tasks available from the
System > Config web-based manager pages. This chapter describes setting
system time, adding and changed administrative users, configuring SNMP, and
editing replacement messages.
• Firewall configuration describes how to configure firewall policies to control traffic
through the FortiGate unit and apply content protection profiles to content traffic.
• Users and authentication describes how to add user names to the FortiGate user
database and how to configure the FortiGate to connect to a RADIUS server to
authenticate users.
• IPSec VPN describes how to configure FortiGate IPSec VPN.
• PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between
the FortiGate and a windows client.
• Network Intrusion Detection System (NIDS) describes how to configure the
FortiGate NIDS to detect and prevent network attacks.
• Antivirus protection describes how use the FortiGate to protect your network from
viruses and worms.
• Web filtering describes how to configure web content filtering to prevent unwanted
Web content from passing through the FortiGate.
• Email filter describes how to configure email filtering to screen unwanted email
content.
• Logging and reporting describes how to configure logging and alert email to track
activity through the FortiGate.
•The Glossary defines many of the terms used in this document.
22 Fortinet Inc.
Introduction Document conventions
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords
For example:
execute restore config <filename_str>
You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.
• vertical bar and curly brackets {|} to separate alternative, mutually exclusive
required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode
transparent
• square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or
get firewall ipmacbinding dhcpipmac
FortiGate-60R Installation and Configuration Guide 23
Fortinet documentation Introduction
Fortinet documentation
Information about FortiGate products is available from the following FortiGate User
Manual volumes:
• Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes
how to use FortiGate firewall policies to control traffic flow through the FortiGate
unit and how to use firewall policies to apply antivirus protection, web content
filtering, and email filtering to HTTP, FTP and email content passing through the
FortiGate unit.
• Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, preshared keys and manual keys for encryption. Also contains basic configuration
information for the Fortinet Remote VPN Client, detailed configuration information
for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
• Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email
filtering to protect content as it passes through the FortiGate unit.
• Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate
unit from network-based attacks.
• Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the
FortiGate log message reference.
• Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI
commands.
The FortiGate online help also contains procedures for using the FortiGate web-based
manager to configure and manage your FortiGate unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet
technical documentation to techdoc@fortinet.com.
24 Fortinet Inc.
Introduction Customer service and technical support
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product
documentation, technical support information, and other resources, please visit the
Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and
modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland
America and South America.
Malaysia, all other Asian countries, and Australia.
Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
• Your name
• Company name
•Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem
FortiGate-60R Installation and Configuration Guide 25
Customer service and technical support Introduction
26 Fortinet Inc.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate
Antivirus Firewall. When you have completed the procedures in this chapter, you can
proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to
“NAT/Route mode installation” on page 43.
• If you are going to operate the FortiGate unit in Transparent mode, go to
“Transparent mode installation” on page 59.
This chapter describes:
• Package contents
• Mounting
• Powering on
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
• Factory default FortiGate configuration settings
• Planning your FortiGate configuration
• FortiGate model maximum values matrix
• Next steps
FortiGate-60R Installation and Configuration Guide 27
Package contents Getting started
Package contents
The FortiGate-60 package contains the following items:
• FortiGate-60 Antivirus Firewall
• one orange crossover ethernet cable
• one gray regular ethernet cable
• one null modem cable
• FortiGate-60 Quick Start Guide
• CD containing the FortiGate user documentation
• one power cable and AC adapter
Figure 2: FortiGate-60 package contents
Front
Mounting
Ethernet Cables:
Orange - Crossover
Grey - Straight-through
Null-Modem Cable
(RS-232)
PWR STATUS
Power
LED
INTERNAL
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
Status
LED
Internal
Interface
DMZ
Interface
DMZ4321
WAN1 WAN2
WAN 1,2
Interface
Back
Power Cable Power Supply
FortiGate-60
INTERNAL
DMZ4321
WAN1 WAN2
PWR STATUS
USER MANUAL
LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100
QuickStart Guide
Copyright 2003 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.
Documentation
DC+12V
Power
Connection
RS-232 Serial
Connection
Console
USB
USB
(future)
WAN2 WAN1 DMZ
WAN2
WAN1
DMZ
1234
Internal
Internal Interface,
switch connectors
1,2,3,4
The FortiGate-60 unit can be installed on any stable surface. Make sure that the
appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for
adequate air flow and cooling.
Dimensions
• 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight
• 1.5 lb. (0.68 kg)
28 Fortinet Inc.
Getting started Powering on
Power requirements
• DC input voltage: 12 V
• DC input current: 3 A
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing
Powering on
To power on the FortiGate-60 unit:
1 Connect the AC adapter to the power connection at the back of the FortiGate-60 unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
The FortiGate-60 unit starts up. The Power and Status lights light.
Table 1: FortiGate-60 LED indicators
LED State Description
Power Green The FortiGate unit is powered on.
Off The FortiGate unit is powered off.
Status Red The FortiGate unit is starting up.
Off The FortiGate unit is running normally.
Off The FortiGate unit is powered off.
Link
(Internal
DMZ
WAN1
WAN2)
100
(Internal
DMZ
WAN1
WAN2)
Green The correct cable is in use and the connected
equipment has power.
Flashing Green Network activity at this interface.
Off No link established.
Green The interface is connected at 100 Mbps.
FortiGate-60R Installation and Configuration Guide 29
Connecting to the web-based manager Getting started
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time.
Configuration changes made with the web-based manager are effective immediately
without the need to reset the firewall or interrupt service.
To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• Internet Explorer version 4.0 or higher,
• an ethernet cable.
• a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers.
The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP
address 192.168.1.2 and a netmask of 255.255.255.0.
You can also configure the management computer to obtain an IP address
automatically using DHCP. The FortiGate DHCP server assigns the management
computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2 Using the ethernet cable, connect the Internal interface of the FortiGate unit to the
computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to
include the “s” in https://).
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information on this window to register
your FortiGate unit so that Fortinet can contact you for firmware updates. You must
also register to receive updates to the FortiGate virus and attack definitions.
Figure 3: FortiGate login
30 Fortinet Inc.
Loading...