Fortinet FortiGate FortiGate-60R, FortiGate 60R Installation And Configuration Manual

FortiGate 60R

Installation and

Configuration Guide

FortiGate User Manual Volume 1

INTERNAL

PWR STATUS

LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100

Version 2.50 MR2

18 August 2003

DMZ4321

WAN1 WAN2

© Copyright 2003 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-60R Installation and Configuration Guide
Version 2.50 MR2
18 August 2003

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective
holders.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.

Table of Contents

Introduction .......................................................................................................... 13

Antivirus protection ........................................................................................................... 13

Web content filtering ......................................................................................................... 14

Email filtering .................................................................................................................... 14

Firewall.............................................................................................................................. 15

NAT/Route mode .......................................................................................................... 15

Transparent mode......................................................................................................... 16

Network intrusion detection............................................................................................... 16

VPN................................................................................................................................... 16

Secure installation, configuration, and management ........................................................ 17

Web-based manager .................................................................................................... 17

Command line interface ................................................................................................ 18

Logging and reporting ................................................................................................... 19

What’s new in Version 2.50 .............................................................................................. 19

System administration................................................................................................... 19

Firewall.......................................................................................................................... 20

Users and authentication .............................................................................................. 20

VPN............................................................................................................................... 20

NIDS ............................................................................................................................. 21

Antivirus ........................................................................................................................ 21

Web Filter...................................................................................................................... 21

Email filter ..................................................................................................................... 21

Logging and Reporting.................................................................................................. 21

About this document ......................................................................................................... 22

Document conventions ..................................................................................................... 23

Fortinet documentation ..................................................................................................... 24

Comments on Fortinet technical documentation........................................................... 24

Customer service and technical support........................................................................... 25

Contents

Getting started ..................................................................................................... 27

Package contents ............................................................................................................. 28

Mounting ........................................................................................................................... 28

Powering on...................................................................................................................... 29

Connecting to the web-based manager............................................................................ 30

Connecting to the command line interface (CLI)............................................................... 31

Factory default FortiGate configuration settings ............................................................... 31

Factory Default DHCP configuration............................................................................. 32

Factory default NAT/Route mode network configuration .............................................. 33

Factory default Transparent mode network configuration............................................. 33

Factory default firewall configuration ............................................................................ 34

Factory default content profiles..................................................................................... 35

FortiGate-60R Installation and Configuration Guide 3

Contents

Planning your FortiGate configuration .............................................................................. 37

NAT/Route mode .......................................................................................................... 37

Transparent mode......................................................................................................... 38

Configuration options .................................................................................................... 39

FortiGate model maximum values matrix ......................................................................... 40

Next steps......................................................................................................................... 41

NAT/Route mode installation.............................................................................. 43

Installing the FortiGate unit using the default configuration .............................................. 43

Changing the default configuration ............................................................................... 44

Preparing to configure NAT/Route mode.......................................................................... 44

Advanced NAT/Route mode settings............................................................................ 45

DMZ interface ............................................................................................................... 45

Using the setup wizard...................................................................................................... 46

Starting the setup wizard .............................................................................................. 46

Reconnecting to the web-based manager .................................................................... 46

Using the command line interface..................................................................................... 46

Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 46

Connecting the FortiGate unit to your networks................................................................ 48

Configuring your networks ................................................................................................ 49

Completing the configuration ............................................................................................ 50

Configuring the DMZ interface ...................................................................................... 50

Configuring the WAN2 interface ................................................................................... 50

Setting the date and time .............................................................................................. 50

Changing antivirus protection ....................................................................................... 50

Registering your FortiGate............................................................................................ 51

Configuring virus and attack definition updates ............................................................ 51

Configuration example: Multiple connections to the Internet ............................................ 51

Configuring Ping servers............................................................................................... 52

Destination based routing examples............................................................................. 53

Policy routing examples ................................................................................................ 56

Firewall policy example................................................................................................. 57

Transparent mode installation............................................................................ 59

Preparing to configure Transparent mode ........................................................................ 59

Using the setup wizard...................................................................................................... 60

Changing to Transparent mode .................................................................................... 60

Starting the setup wizard .............................................................................................. 60

Reconnecting to the web-based manager .................................................................... 60

Using the command line interface..................................................................................... 61

Changing to Transparent mode .................................................................................... 61

Configuring the Transparent mode management IP address ....................................... 61

Configure the Transparent mode default gateway........................................................ 61

Connecting the FortiGate unit to your networks................................................................ 62

4 Fortinet Inc.

Completing the configuration ............................................................................................ 63

Setting the date and time .............................................................................................. 63

Enabling antivirus protection......................................................................................... 63

Registering your FortiGate............................................................................................ 63

Configuring virus and attack definition updates ............................................................ 64

Transparent mode configuration examples....................................................................... 64

Default routes and static routes .................................................................................... 64

Example default route to an external network............................................................... 65

Example static route to an external destination ............................................................ 66

Example static route to an internal destination ............................................................. 69

System status....................................................................................................... 71

Changing the FortiGate host name................................................................................... 72

Changing the FortiGate firmware...................................................................................... 72

Upgrade to a new firmware version .............................................................................. 73

Revert to a previous firmware version .......................................................................... 74

Install a firmware image from a system reboot using the CLI ....................................... 77

Test a new firmware image before installing it .............................................................. 79

Manual virus definition updates ........................................................................................ 81

Manual attack definition updates ...................................................................................... 82

Displaying the FortiGate serial number............................................................................. 82

Displaying the FortiGate up time....................................................................................... 82

Backing up system settings .............................................................................................. 82

Restoring system settings................................................................................................. 83

Restoring system settings to factory defaults ................................................................... 83

Changing to Transparent mode ........................................................................................ 83

Changing to NAT/Route mode.......................................................................................... 84

Restarting the FortiGate unit............................................................................................. 84

Shutting down the FortiGate unit ...................................................................................... 84

System status ................................................................................................................... 85

Viewing CPU and memory status ................................................................................. 85

Viewing sessions and network status ........................................................................... 86

Viewing virus and intrusions status............................................................................... 87

Session list........................................................................................................................ 88

Contents

Virus and attack definitions updates and registration ..................................... 89

Updating antivirus and attack definitions .......................................................................... 89

Connecting to the FortiResponse Distribution Network ................................................ 90

Configuring scheduled updates .................................................................................... 91

Configuring update logging ........................................................................................... 92

Adding an override server............................................................................................. 93

Manually updating antivirus and attack definitions........................................................ 93

Configuring push updates ............................................................................................. 93

Push updates through a NAT device ............................................................................ 94

Scheduled updates through a proxy server .................................................................. 98

FortiGate-60R Installation and Configuration Guide 5

Contents

Registering FortiGate units ............................................................................................... 99

FortiCare Service Contracts.......................................................................................... 99

Registering the FortiGate unit ..................................................................................... 100

Updating registration information .................................................................................... 102

Recovering a lost Fortinet support password.............................................................. 102

Viewing the list of registered FortiGate units .............................................................. 102

Registering a new FortiGate unit ................................................................................ 103

Adding or changing a FortiCare Support Contract number......................................... 103

Changing your Fortinet support password .................................................................. 104

Changing your contact information or security question ............................................. 104

Downloading virus and attack definitions updates ...................................................... 104

Registering a FortiGate unit after an RMA...................................................................... 105

Network configuration....................................................................................... 107

Configuring interfaces ..................................................................................................... 107

Viewing the interface list ............................................................................................. 108

Bringing up an interface .............................................................................................. 108

Changing an interface static IP address ..................................................................... 108

Adding a secondary IP address to an interface .......................................................... 108

Adding a ping server to an interface ........................................................................... 109

Controlling management access to an interface ......................................................... 109

Configuring traffic logging for connections to an interface .......................................... 110

Configuring the wan1 and wan2 interfaces with a static IP address........................... 110

Configuring the wan1 or wan2 interfaces for DHCP ................................................... 110

Configuring the wan1 and wan2 interfaces for PPPoE ............................................... 111

Changing the wan1 and wan2 interface MTU size to improve network performance. 111

Configuring the management interface (Transparent mode) ...................................... 112

Adding DNS server IP addresses ................................................................................... 113

Configuring routing.......................................................................................................... 113

Adding a default route................................................................................................. 114

Adding destination-based routes to the routing table.................................................. 114

Adding routes in Transparent mode............................................................................ 115

Configuring the routing table....................................................................................... 116

Policy routing .............................................................................................................. 116

Providing DHCP services to your internal network ......................................................... 117

RIP configuration ............................................................................................... 119

RIP settings..................................................................................................................... 120

Configuring RIP for FortiGate interfaces......................................................................... 122

Adding RIP neighbors..................................................................................................... 123

6 Fortinet Inc.

Adding RIP filters ............................................................................................................ 124

Adding a single RIP filter............................................................................................. 124

Adding a RIP filter list.................................................................................................. 125

Adding a neighbors filter ............................................................................................. 126

Adding a routes filter ................................................................................................... 126

System configuration ........................................................................................ 127

Setting system date and time.......................................................................................... 127

Changing web-based manager options .......................................................................... 128

Adding and editing administrator accounts..................................................................... 130

Adding new administrator accounts ............................................................................ 130

Editing administrator accounts.................................................................................... 131

Configuring SNMP .......................................................................................................... 132

Configuring the FortiGate unit for SNMP monitoring .................................................. 132

Configuring FortiGate SNMP support ......................................................................... 132

FortiGate MIBs............................................................................................................ 133

FortiGate traps ............................................................................................................ 134

Customizing replacement messages.............................................................................. 134

Customizing replacement messages .......................................................................... 135

Customizing alert emails............................................................................................. 136

Contents

Firewall configuration........................................................................................ 139

Default firewall configuration........................................................................................... 140

Interfaces .................................................................................................................... 140

Addresses ................................................................................................................... 140

Services ...................................................................................................................... 141

Schedules ................................................................................................................... 141

Content profiles........................................................................................................... 141

Adding firewall policies.................................................................................................... 142

Firewall policy options................................................................................................. 143

Configuring policy lists .................................................................................................... 147

Policy matching in detail ............................................................................................. 147

Changing the order of policies in a policy list.............................................................. 147

Enabling and disabling policies................................................................................... 148

Addresses ....................................................................................................................... 148

Adding addresses ....................................................................................................... 149

Editing addresses ....................................................................................................... 150

Deleting addresses ..................................................................................................... 150

Organizing addresses into address groups ................................................................ 150

Services .......................................................................................................................... 151

Predefined services .................................................................................................... 151

Providing access to custom services .......................................................................... 154

Grouping services ....................................................................................................... 154

FortiGate-60R Installation and Configuration Guide 7

Contents

Schedules ....................................................................................................................... 155

Creating one-time schedules ...................................................................................... 155

Creating recurring schedules ...................................................................................... 156

Adding a schedule to a policy ..................................................................................... 157

Virtual IPs........................................................................................................................ 158

Adding static NAT virtual IPs ...................................................................................... 158

Adding port forwarding virtual IPs ............................................................................... 159

Adding policies with virtual IPs.................................................................................... 161

IP pools........................................................................................................................... 162

Adding an IP pool........................................................................................................ 162

IP Pools for firewall policies that use fixed ports ......................................................... 163

IP pools and dynamic NAT ......................................................................................... 163

IP/MAC binding ............................................................................................................... 164

Configuring IP/MAC binding for packets going through the firewall ............................ 164

Configuring IP/MAC binding for packets going to the firewall ..................................... 165

Adding IP/MAC addresses.......................................................................................... 165

Viewing the dynamic IP/MAC list ................................................................................ 166

Enabling IP/MAC binding ............................................................................................ 166

Content profiles............................................................................................................... 167

Default content profiles ............................................................................................... 168

Adding a content profile .............................................................................................. 168

Adding a content profile to a policy ............................................................................. 169

Users and authentication .................................................................................. 171

Setting authentication timeout......................................................................................... 172

Adding user names and configuring authentication ........................................................ 172

Adding user names and configuring authentication .................................................... 172

Deleting user names from the internal database ........................................................ 173

Configuring RADIUS support .......................................................................................... 174

Adding RADIUS servers ............................................................................................. 174

Deleting RADIUS servers ........................................................................................... 174

Configuring LDAP support .............................................................................................. 175

Adding LDAP servers.................................................................................................. 175

Deleting LDAP servers................................................................................................ 176

Configuring user groups.................................................................................................. 177

Adding user groups..................................................................................................... 177

Deleting user groups................................................................................................... 178

IPSec VPN........................................................................................................... 179

Key management............................................................................................................ 180

Manual Keys ............................................................................................................... 180

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 180

8 Fortinet Inc.

Manual key IPSec VPNs................................................................................................. 181

General configuration steps for a manual key VPN .................................................... 181

Adding a manual key VPN tunnel ............................................................................... 181

AutoIKE IPSec VPNs ...................................................................................................... 183

General configuration steps for an AutoIKE VPN ....................................................... 183

Adding a phase 1 configuration for an AutoIKE VPN.................................................. 183

Adding a phase 2 configuration for an AutoIKE VPN.................................................. 187

Managing digital certificates............................................................................................ 189

Obtaining a signed local certificate ............................................................................. 189

Obtaining a CA certificate ........................................................................................... 193

Configuring encrypt policies............................................................................................ 194

Adding a source address ............................................................................................ 195

Adding a destination address...................................................................................... 195

Adding an encrypt policy............................................................................................. 195

IPSec VPN concentrators ............................................................................................... 197

VPN concentrator (hub) general configuration steps .................................................. 197

Adding a VPN concentrator ........................................................................................ 199

VPN spoke general configuration steps...................................................................... 200

Redundant IPSec VPNs.................................................................................................. 201

Configuring redundant IPSec VPN ............................................................................. 201

Monitoring and Troubleshooting VPNs ........................................................................... 203

Viewing VPN tunnel status.......................................................................................... 203

Viewing dialup VPN connection status ....................................................................... 203

Testing a VPN............................................................................................................. 204

Contents

PPTP and L2TP VPN .......................................................................................... 205

Configuring PPTP ........................................................................................................... 205

Configuring the FortiGate unit as a PPTP gateway .................................................... 206

Configuring a Windows 98 client for PPTP ................................................................. 208

Configuring a Windows 2000 client for PPTP ............................................................. 209

Configuring a Windows XP client for PPTP ................................................................ 210

Configuring L2TP............................................................................................................ 211

Configuring the FortiGate unit as a L2TP gateway ..................................................... 212

Configuring a Windows 2000 client for L2TP.............................................................. 215

Configuring a Windows XP client for L2TP ................................................................. 216

FortiGate-60R Installation and Configuration Guide 9

Contents

Network Intrusion Detection System (NIDS) ................................................... 219

Detecting attacks ............................................................................................................ 219

Selecting the interfaces to monitor.............................................................................. 220

Disabling the NIDS...................................................................................................... 220

Configuring checksum verification .............................................................................. 220

Viewing the signature list ............................................................................................ 221

Viewing attack descriptions......................................................................................... 221

Enabling and disabling NIDS attack signatures .......................................................... 222

Adding user-defined signatures .................................................................................. 222

Preventing attacks .......................................................................................................... 223

Enabling NIDS attack prevention ................................................................................ 223

Enabling NIDS attack prevention signatures .............................................................. 224

Setting signature threshold values.............................................................................. 224

Configuring synflood signature values ........................................................................ 226

Logging attacks............................................................................................................... 226

Logging attack messages to the attack log................................................................. 226

Reducing the number of NIDS attack log and email messages.................................. 227

Antivirus protection........................................................................................... 229

General configuration steps............................................................................................ 229

Antivirus scanning........................................................................................................... 230

File blocking.................................................................................................................... 231

Blocking files in firewall traffic ..................................................................................... 231

Adding file patterns to block........................................................................................ 231

Blocking oversized files and emails ................................................................................ 232

Configuring limits for oversized files and email........................................................... 232

Exempting fragmented email from blocking.................................................................... 232

Viewing the virus list ....................................................................................................... 232

Web filtering ....................................................................................................... 233

General configuration steps............................................................................................ 233

Content blocking ............................................................................................................. 234

Adding words and phrases to the banned word list .................................................... 234

URL blocking................................................................................................................... 235

Using the FortiGate web filter ..................................................................................... 235

Using the Cerberian web filter..................................................................................... 238

Script filtering .................................................................................................................. 240

Enabling the script filter............................................................................................... 240

Selecting script filter options ....................................................................................... 240

Exempt URL list .............................................................................................................. 241

Adding URLs to the exempt URL list .......................................................................... 241

Email filter........................................................................................................... 243

General configuration steps............................................................................................ 243

10 Fortinet Inc.

Email banned word list.................................................................................................... 244

Adding words and phrases to the banned word list .................................................... 244

Email block list ................................................................................................................ 245

Adding address patterns to the email block list........................................................... 245

Email exempt list............................................................................................................. 245

Adding address patterns to the email exempt list ....................................................... 246

Adding a subject tag ....................................................................................................... 246

Logging and reporting....................................................................................... 247

Recording logs................................................................................................................ 247

Recording logs on a remote computer ........................................................................ 248

Recording logs on a NetIQ WebTrends server ........................................................... 248

Recording logs in system memory.............................................................................. 249

Filtering log messages .................................................................................................... 249

Configuring traffic logging ............................................................................................... 251

Enabling traffic logging................................................................................................ 251

Configuring traffic filter settings................................................................................... 252

Adding traffic filter entries ........................................................................................... 252

Viewing logs saved to memory ....................................................................................... 253

Viewing logs................................................................................................................ 253

Searching logs ............................................................................................................ 254

Configuring alert email .................................................................................................... 254

Adding alert email addresses...................................................................................... 254

Testing alert email....................................................................................................... 255

Enabling alert email .................................................................................................... 255

Contents

Glossary ............................................................................................................. 257

Index .................................................................................................................... 261

FortiGate-60R Installation and Configuration Guide 11

Contents

12 Fortinet Inc.

FortiGate-60R Installation and Configuration Guide Version 2.50 MR2

Introduction

The FortiGate Antivirus Firewall supports network-based deployment of
application-level services—including antivirus protection and full-scan content filtering.
FortiGate Antivirus Firewalls improve network security, reduce network misuse and
abuse, and help you use communications resources more efficiently without
compromising the performance of your network. FortiGate Antivirus Firewalls are
ICSA-certified for firewall, IPSec and antivirus services.

Your FortiGate Antivirus Firewall is a dedicated easily managed security device that
delivers a full suite of capabilities that include:

• application-level services such as virus protection and content filtering,

• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.

Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and
Content Analysis System (ABACAS™) technology, which leverages breakthroughs in
chip design, networking, security, and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications to
be deployed right at the network edge where they are most effective at protecting your
networks. The FortiGate series complements existing solutions, such as host-based
antivirus protection, and enables new applications and services while greatly lowering
costs for equipment, administration and maintenance.

The FortiGate-60 model is ideally suited
for small businesses, remote offices, retail
stores, and broadband telecommuter
sites. The FortiGate-60 Antivirus Firewall
features dual WAN link support for
redundant internet connections, and an integrated 4-port switch that eliminates the
need for an external hub or switch. Networked devices connect directly to the
FortiGate-60 unit.

The FortiGate-60R is limited to a maximum of 12 users.

Antivirus protection

FortiGate ICSA-certified antivirus protection virus scans web (HTTP), file transfer
(FTP), and email (SMTP, POP3, and IMAP) content as it passes through the
FortiGate. If a virus is found, antivirus protection removes the file containing the virus
from the content stream and forwards an replacement message to the intended
recipient.

FortiGate-60R Installation and Configuration Guide 13

Web content filtering Introduction

For extra protection, you also configure antivirus protection to block files of specified
file types from passing through the FortiGate unit. You can use the feature to stop files
that may contain new viruses.

If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined.
The FortiGate administrator can download quarantined files, so that they can be virus
scanned, cleaned, and forwarded to the intended recipient. You can also configure the
FortiGate unit to automatically delete quarantined files after a specified time period.

The FortiGate unit can send email alerts to system administrators when it detects and
removes a virus from a content stream. The web and email content can be in normal
network traffic or in encrypted IPSec VPN traffic.

ICSA Labs has certified that FortiGate Antivirus Firewalls:

• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),

• detect viruses in compressed files using the PKZip format,

• detect viruses in e-mail that has been encoded using uuencode format,

• detect viruses in e-mail that has been encoded using MIME encoding,

• log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can be configured to scan all HTTP content protocol
streams for URLs or for web page content. If a match is found between a URL on the
URL block list, or if a web page is found to contain a word or phrase in the content
block list, the FortiGate blocks the web page. The blocked web page is replaced with a
message that you can edit using the FortiGate web-based manager.

You can configure URL blocking to block all or just some of the pages on a web site.
Using this feature you can deny access to parts of a web site without denying access
to it completely.

To prevent unintentional blocking of legitimate web pages, you can add URLs to an
Exempt List that overrides the URL blocking and content blocking lists.

Web content filtering also includes a script filter feature that can be configured to block
unsecure web content such as Java Applets, Cookies, and ActiveX.

You can also use the Cerberian URL blocking to block unwanted URLs.

Email filtering

FortiGate Email filtering can be configured to scan all IMAP and POP3 email content
for unwanted senders or for unwanted content. If a match is found between a sender
address pattern on the Email block list, or if an email is found to contain a word or
phrase in the banned word list, the FortiGate adds a Email tag to subject line of the
email. Receivers can then use their mail client software to filter messages based on
the Email tag.

14 Fortinet Inc.

Introduction Firewall

You can configure Email blocking to tag email from all or some senders within
organizations that are known to send spam email. To prevent unintentional tagging of
email from legitimate senders, you can add sender address patterns to an exempt list
that overrides the email block and banned word lists.

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from the hostile
environment of the Internet. ICSA has granted FortiGate firewalls version 4.0 firewall
certification, providing assurance that FortiGate firewalls successfully screen for and
secure corporate networks against a wide range of threats from public or other
untrusted networks.

After basic installation of the FortiGate unit, the firewall allows users on the protected
network to access the Internet while blocking Internet access to internal networks. You
can modify this firewall configuration to place controls on access to the Internet from
the protected networks and to allow controlled access to internal networks.

FortiGate policies include a complete range of options that:

• control all incoming and outgoing network traffic,

• control encrypted VPN traffic,

• apply antivirus protection and web content filtering,

• block or allow access for all policy options,

• control when individual policies are in effect,

• accept or deny traffic to and from individual addresses,

• control standard and user defined network services individually or in groups,

• require users to authenticate before gaining access,

• include traffic shaping to set access priorities and guarantee or limit bandwidth for
each policy,

• include logging to track connections for individual policies,

• include Network address translation (NAT) mode and Route mode policies,

• include Mixed NAT and Route mode policies.

The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

• NAT mode policies use network address translation to hide the addresses in a
more secure network from users in a less secure network.

• Route mode policies accept or deny connections between networks without
performing address translation.

FortiGate-60R Installation and Configuration Guide 15

Network intrusion detection Introduction

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets
received by the FortiGate unit are intelligently forwarded or blocked according to
firewall policies. The FortiGate unit can be inserted in your network at any point
without the need to make changes to your network or any of its components.
However, VPN and some advanced firewall features are only available in NAT/Route
mode.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network
intrusion detection sensor that detects and prevents a wide variety of suspicious
network activity. NIDS detection uses attack signatures to identify over 1000 attacks.
You can enable and disable the attacks that the NIDS detects. You can also write your
own user-defined detection attack signatures.

NIDS prevention detects and prevents many common denial of service and packet­based attacks. You can enable and disable prevention attack signatures and
customize attack signature thresholds and other parameters.

To notify system administrators of the attack, the NIDS records the attack and any
suspicious traffic to the attack log and can be configured to send alert emails.

VPN

Fortinet updates NIDS attack definitions periodically. You can download and install
updated attack definitions manually, or you can configure the FortiGate to
automatically check for and download attack definition updates.

Using FortiGate virtual private networking (VPN), you can provide a secure
connection between widely separated office networks or securely link telecommuters
or travellers to an office network.

FortiGate VPN features include the following:

• Industry standard and ICSA-certified IPSec VPN including:

• IPSec, ESP security in tunnel mode,

• DES, 3DES (triple-DES), and AES hardware accelerated encryption,

• HMAC MD5 and HMAC SHA1 authentication and data integrity,

• AutoIKE key based on pre-shared key tunnels,

• IPSec VPN using local or CA certificates,

• Manual Keys tunnels,

• Diffie-Hellman groups 1, 2, and 5,

• Aggressive and Main Mode,

• Replay Detection,

• Perfect Forward Secrecy,

• XAuth authentication,

• Dead peer detection.

16 Fortinet Inc.

Introduction Secure installation, configuration, and management

• PPTP for easy connectivity with the VPN standard supported by the most popular
operating systems.

• L2TP for easy connectivity with a more secure VPN standard also supported by
many popular operating systems.

• Firewall policy based control of IPSec VPN traffic.

• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT
can connect to an IPSec VPN tunnel.

• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from
one tunnel to another tunnel through the FortiGate unit.

• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a
remote network.

Secure installation, configuration, and management

Installation is quick and simple. The first time you turn on the FortiGate unit, it is
already configured with default IP addresses and security policies. Connect to the
web-based manager, set the operating mode, and use the setup wizard to customize
FortiGate IP addresses for your network, and the FortiGate unit is set to protect your
network. You can then use the web-based manager to customize advanced FortiGate
features to meet your needs.

You can also create a basic configuration using the FortiGate command line interface
(CLI).

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet
Explorer, you can configure and manage the FortiGate unit. The web-based manager
supports multiple languages. You can configure the FortiGate unit for HTTP and
HTTPs administration from any FortiGate interface.

You can use the web-based manager for most FortiGate configuration settings. You
can also use the web-based manager to monitor the status of the FortiGate unit.
Configuration changes made with the web-based manager are effective immediately
without the need to reset the firewall or interrupt service. Once a satisfactory
configuration has been established, it can be downloaded and saved. The saved
configuration can be restored at any time.

FortiGate-60R Installation and Configuration Guide 17

Secure installation, configuration, and management Introduction

Figure 1: The FortiGate web-based manager and setup wizard

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a
management computer serial port to the FortiGate RS-232 serial Console connector.
You can also use Telnet or a secure SSH connection to connect to the CLI from any
network connected to the FortiGate, including the Internet.

The CLI supports the same configuration and monitoring functionality as the
web-based manager. In addition, you can use the CLI for advanced configuration
options not available from the web-based manager. This Installation and
Configuration Guide contains information about basic and advanced CLI commands.
You can find a more complete description of connecting to and using the FortiGate CLI
in the FortiGate CLI Reference Guide.

18 Fortinet Inc.

Introduction What’s new in Version 2.50

Logging and reporting

The FortiGate supports logging of various categories of traffic and of configuration
changes. You can configure logging to:

• report traffic that connects to the firewall,

• report network services used,

• report traffic permitted by firewall policies,

• report traffic that was denied by firewall policies,

• report events such as configuration changes and other management events, IPSec
tunnel negotiation, virus detection, attacks, and web page blocking,

• report attacks detected by the NIDS,

• send alert email to system administrators to report virus incidents, intrusions, and
firewall or VPN events or violations.

Logs can be sent to a remote syslog server or to a WebTrends NetIQ Security
Reporting Center and Firewall Suite server using the WebTrends enhanced log
format. Some models can also save logs to an optional internal hard drive. If a hard
drive is not installed, you can configure most FortiGates to log the most recent events
and attacks detected by the NIDS to shared system memory.

What’s new in Version 2.50

This section presents a brief summary of some of the new features in FortiOS v2.50:

System administration

• Improved graphical FortiGate system health monitoring that includes CPU and
memory usage, session number and network bandwidth usage, and the number of
viruses and intrusions detected. See “System status” on page 85.

• Revised antivirus and attack definition update functionality that connects to a new
version of the FortiResponse Distribution network. Updates can now be scheduled
hourly and the System > Update page displays more information about the current
update status. See “Updating antivirus and attack definitions” on page 89.

• Direct connection to the Fortinet tech support web page from the web-based
manager. You can register your FortiGate unit and get access to other technical
support resources. See “Registering FortiGate units” on page 99.

Network configuration

• New interface configuration options. See “Configuring interfaces” on page 107.

• Ping server and dead gateway detection for all interfaces.

• HTTP and Telnet administrative access to any interface.

• Secondary IP addresses for all FortiGate interfaces.

Routing

• Simplified direction-based routing configuration.

• Advanced policy routing (CLI only).

FortiGate-60R Installation and Configuration Guide 19

What’s new in Version 2.50 Introduction

DHCP server

• Addition of a WINS server to DHCP configuration.

• Reserve IP/MAC pair combinations for DHCP servers (CLI only).

RIP

• New RIP v1 and v2 functionality. See “RIP configuration” on page 119.

SNMP

• SNMP v1 and v2 support.

• Support for RFC 1213 and RFC 2665

• Monitoring of all FortiGate configuration and functionality

•See “Configuring SNMP” on page 132

Replacement messages

You can customize messages sent by the FortiGate unit:

• When a virus is detected,

• When a file is blocked,

• When a fragmented email is blocked

• When an alert email is sent

See “Customizing replacement messages” on page 134.

Firewall

• The firewall default configuration has changed. See “Default firewall configuration”

on page 140.

• Add virtual IPs to all interfaces. See “Virtual IPs” on page 158.

• Add content profiles to firewall policies to configure blocking, scanning, quarantine,
web content blocking, and email filtering. See “Content profiles” on page 167.

Users and authentication

• LDAP authentication. See “Configuring LDAP support” on page 175.

VPN

See the FortiGate VPN Guide for a complete description of FortiGate VPN
functionality. New features include:

•Phase 1

• AES encryption

• Certificates

• Advanced options including Dialup Group, Peer, XAUTH, NAT Traversal, DPD

•Phase 2

• AES encryption

• Encryption policies select service

• Generate and import local certificates

• Import CA certificates

20 Fortinet Inc.

Introduction What’s new in Version 2.50

NIDS

See the FortiGate NIDS Guide for a complete description of FortiGate NIDS
functionality. New features include:

• Attack detection signature groups

• User-configuration attack prevention

• Monitor multiple interfaces for attacks

• User-defined attack detection signatures

Antivirus

See the FortiGate Content Protection Guide for a complete description of FortiGate
antivirus functionality. New features include:

• Content profiles

• Blocking oversized files

Web Filter

See the FortiGate Content Protection Guide for a complete description of FortiGate
web filtering functionality. New features include:

• Cerberian URL Filtering

Email filter

See the FortiGate Content Protection Guide for a complete description of FortiGate
email filtering functionality.

Logging and Reporting

See the FortiGate Logging and Message Reference Guide for a complete description
of FortiGate logging.

• Log to remote host CSV format

• Log message levels: Emergency, Alert, critical, error, Warning, notification,
information

• Log level policies

• Traffic log filter

• New antivirus, web filter, and email filter logs

• Alert email supports authentication

• Suppress email flooding

• Extended WebTrends support for graphing activity

FortiGate-60R Installation and Configuration Guide 21

About this document Introduction

About this document

This installation and configuration guide describes how to install and configure the
FortiGate-60. This document contains the following information:

• Getting started describes unpacking, mounting, and powering on the FortiGate.

• NAT/Route mode installation describes how to install the FortiGate if you are
planning on running it in NAT/Route mode.

• Transparent mode installation describes how to install the FortiGate if you are
planning on running it in Transparent mode.

• System status describes how to view the current status of your FortiGate unit and
related status procedures including installing updated FortiGate firmware, backing
up and restoring system settings, and switching between Transparent and
NAT/Route mode.

• Virus and attack definitions updates and registration describes configuring
automatic virus and attack definition updates. This chapter also contains
procedures for connecting to the FortiGate tech support webs site and for
registering your FortiGate unit.

• Network configuration describes configuring interfaces, configuring routing, and
configuring the FortiGate as a DHCP server for your internal network.

• RIP configuration describes the FortiGate RIP2 implementation and how to
configure RIP settings.

• System configuration describes system administration tasks available from the
System > Config web-based manager pages. This chapter describes setting
system time, adding and changed administrative users, configuring SNMP, and
editing replacement messages.

• Firewall configuration describes how to configure firewall policies to control traffic
through the FortiGate unit and apply content protection profiles to content traffic.

• Users and authentication describes how to add user names to the FortiGate user
database and how to configure the FortiGate to connect to a RADIUS server to
authenticate users.

• IPSec VPN describes how to configure FortiGate IPSec VPN.

• PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between
the FortiGate and a windows client.

• Network Intrusion Detection System (NIDS) describes how to configure the
FortiGate NIDS to detect and prevent network attacks.

• Antivirus protection describes how use the FortiGate to protect your network from
viruses and worms.

• Web filtering describes how to configure web content filtering to prevent unwanted
Web content from passing through the FortiGate.

• Email filter describes how to configure email filtering to screen unwanted email
content.

• Logging and reporting describes how to configure logging and alert email to track
activity through the FortiGate.

•The Glossary defines many of the terms used in this document.

22 Fortinet Inc.

Introduction Document conventions

Document conventions

This guide uses the following conventions to describe CLI command syntax.

• angle brackets < > to indicate variable keywords
For example:

execute restore config <filename_str>
You enter restore config myfile.bak

<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.

• vertical bar and curly brackets {|} to separate alternative, mutually exclusive
required keywords

For example:

set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode

transparent

• square brackets [ ] to indicate that a keyword is optional
For example:

get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or

get firewall ipmacbinding dhcpipmac

FortiGate-60R Installation and Configuration Guide 23

Fortinet documentation Introduction

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User
Manual volumes:

• Volume 1: FortiGate Installation and Configuration Guide

Describes installation and basic configuration for the FortiGate unit. Also describes
how to use FortiGate firewall policies to control traffic flow through the FortiGate
unit and how to use firewall policies to apply antivirus protection, web content
filtering, and email filtering to HTTP, FTP and email content passing through the
FortiGate unit.

• Volume 2: FortiGate VPN Guide

Contains in-depth information about FortiGate IPSec VPN using certificates, pre­shared keys and manual keys for encryption. Also contains basic configuration
information for the Fortinet Remote VPN Client, detailed configuration information
for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

• Volume 3: FortiGate Content Protection Guide

Describes how to configure antivirus protection, web content filtering, and email
filtering to protect content as it passes through the FortiGate unit.

• Volume 4: FortiGate NIDS Guide

Describes how to configure the FortiGate NIDS to detect and protect the FortiGate
unit from network-based attacks.

• Volume 5: FortiGate Logging and Message Reference Guide

Describes how to configure FortiGate logging and alert email. Also contains the
FortiGate log message reference.

• Volume 6: FortiGate CLI Reference Guide

Describes the FortiGate CLI and contains a reference to all FortiGate CLI
commands.

The FortiGate online help also contains procedures for using the FortiGate web-based
manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet
technical documentation to techdoc@fortinet.com.

24 Fortinet Inc.

Introduction Customer service and technical support

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product
documentation, technical support information, and other resources, please visit the
Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and
modify your registration information at any time.

Fortinet email support is available from the following addresses:

amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin

apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,

eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland

America and South America.

Malaysia, all other Asian countries, and Australia.

Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:

• Your name

• Company name

•Location

• Email address

• Telephone number

• FortiGate unit serial number

• FortiGate model

• FortiGate FortiOS firmware version

• Detailed description of the problem

FortiGate-60R Installation and Configuration Guide 25

Customer service and technical support Introduction

26 Fortinet Inc.

FortiGate-60R Installation and Configuration Guide Version 2.50 MR2

Getting started

This chapter describes unpacking, setting up, and powering on your FortiGate
Antivirus Firewall. When you have completed the procedures in this chapter, you can
proceed to one of the following:

• If you are going to operate the FortiGate unit in NAT/Route mode, go to

“NAT/Route mode installation” on page 43.

• If you are going to operate the FortiGate unit in Transparent mode, go to

“Transparent mode installation” on page 59.

This chapter describes:

• Package contents

• Mounting

• Powering on

• Connecting to the web-based manager

• Connecting to the command line interface (CLI)

• Factory default FortiGate configuration settings

• Planning your FortiGate configuration

• FortiGate model maximum values matrix

• Next steps

FortiGate-60R Installation and Configuration Guide 27

Package contents Getting started

Package contents

The FortiGate-60 package contains the following items:

• FortiGate-60 Antivirus Firewall

• one orange crossover ethernet cable

• one gray regular ethernet cable

• one null modem cable

• FortiGate-60 Quick Start Guide

• CD containing the FortiGate user documentation

• one power cable and AC adapter

Figure 2: FortiGate-60 package contents

Front

Mounting

Ethernet Cables:

Orange - Crossover

Grey - Straight-through

Null-Modem Cable

(RS-232)

PWR STATUS

Power

LED

INTERNAL

LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100

Status

LED

Internal

Interface

DMZ

Interface

DMZ4321

WAN1 WAN2

WAN 1,2
Interface

Back

Power Cable Power Supply

FortiGate-60

INTERNAL

DMZ4321

WAN1 WAN2

PWR STATUS

USER MANUAL

LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100

QuickStart Guide

Copyright 2003 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.

Documentation

DC+12V

Power

Connection

RS-232 Serial

Connection

Console

USB

USB

(future)

WAN2 WAN1 DMZ

WAN2

WAN1

DMZ

1234

Internal

Internal Interface,
switch connectors

1,2,3,4

The FortiGate-60 unit can be installed on any stable surface. Make sure that the
appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for
adequate air flow and cooling.

Dimensions

• 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)

Weight

• 1.5 lb. (0.68 kg)

28 Fortinet Inc.

Getting started Powering on

Power requirements

• DC input voltage: 12 V

• DC input current: 3 A

Environmental specifications

• Operating temperature: 32 to 104°F (0 to 40°C)

• Storage temperature: -13 to 158°F (-25 to 70°C)

• Humidity: 5 to 95% non-condensing

Powering on

To power on the FortiGate-60 unit:

1 Connect the AC adapter to the power connection at the back of the FortiGate-60 unit.

2 Connect the AC adapter to the power cable.

3 Connect the power cable to a power outlet.

The FortiGate-60 unit starts up. The Power and Status lights light.

Table 1: FortiGate-60 LED indicators

LED State Description

Power Green The FortiGate unit is powered on.

Off The FortiGate unit is powered off.

Status Red The FortiGate unit is starting up.

Off The FortiGate unit is running normally.

Off The FortiGate unit is powered off.

Link

(Internal
DMZ
WAN1
WAN2)

100

(Internal
DMZ
WAN1
WAN2)

Green The correct cable is in use and the connected

equipment has power.

Flashing Green Network activity at this interface.

Off No link established.

Green The interface is connected at 100 Mbps.

FortiGate-60R Installation and Configuration Guide 29

Connecting to the web-based manager Getting started

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time.
Configuration changes made with the web-based manager are effective immediately
without the need to reset the firewall or interrupt service.

To connect to the web-based manager, you need:

• a computer with an ethernet connection,

• Internet Explorer version 4.0 or higher,

• an ethernet cable.

• a crossover cable or an ethernet hub and two ethernet cables.

Note: You can use the web-based manager with recent versions of most popular web browsers.
The web-based manager is fully supported for Internet Explorer version 4.0 or higher.

Connecting to the web-based manager

1 Set the IP address of the computer with an ethernet connection to the static IP

address 192.168.1.2 and a netmask of 255.255.255.0.
You can also configure the management computer to obtain an IP address

automatically using DHCP. The FortiGate DHCP server assigns the management
computer an IP address in the range 192.168.1.1 to 192.168.1.254.

2 Using the ethernet cable, connect the Internal interface of the FortiGate unit to the

computer ethernet connection.

3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to

include the “s” in https://).
The FortiGate login is displayed.

4 Type admin in the Name field and select Login.

The Register Now window is displayed. Use the information on this window to register
your FortiGate unit so that Fortinet can contact you for firmware updates. You must
also register to receive updates to the FortiGate virus and attack definitions.

Figure 3: FortiGate login

30 Fortinet Inc.