Fortinet FortiGate FortiGate-1000A, FortiGate FortiGate-1000AFA2, FortiGate 1000A, FortiGate 1000AFA2 Administration Manual

FortiGate 1000A
FortiGate 1000AFA2

Administration Guide

FortiGate-1000A/FA2 Administration Guide

Version 2.80 MR11

15 November 2005

01-28011-0254-20051115

CONSOLE

USB

A2A1

© Copyright 2005 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-1000A/FA2 Administration Guide

Version 2.80 MR11
15 November 2005
01-28011-0254-20051115

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective
holders.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.

Table of Contents

Introduction.......................................................................................................... 13

About FortiGate Antivirus Firewalls................................................................................... 13

Antivirus protection ....................................................................................................... 14

Web content filtering ..................................................................................................... 15

Spam filtering ................................................................................................................ 15

Firewall.......................................................................................................................... 16

VLANs and virtual domains........................................................................................... 17

Intrusion Prevention System (IPS)................................................................................ 17

VPN............................................................................................................................... 17

High availability ............................................................................................................. 18

Secure installation, configuration, and management .................................................... 19

About the FortiOS International and US Domestic distributions ....................................... 20

US Domestic distribution changes ................................................................................ 20

Document conventions ..................................................................................................... 22

Fortinet documentation .................................................................................................... 23

Fortinet Knowledge Center .......................................................................................... 24

Comments on Fortinet technical documentation .......................................................... 24

Customer service and technical support........................................................................... 24

Contents

Web-based manager............................................................................................ 25

Button bar features ........................................................................................................... 26

Contact Customer Support ........................................................................................... 26

Online Help ................................................................................................................... 27

Easy Setup Wizard ....................................................................................................... 27

Console Access ............................................................................................................ 28

Logout ........................................................................................................................... 28

Web-based manager pages.............................................................................................. 29

Web-based manager menu .......................................................................................... 29

Lists............................................................................................................................... 30

Icons ............................................................................................................................. 30

Status bar...................................................................................................................... 31

Organization of this manual .............................................................................................. 32

System Status ...................................................................................................... 33

Status................................................................................................................................ 33

Viewing system status .................................................................................................. 34

Changing unit information ............................................................................................. 38

Session list........................................................................................................................ 40

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 3

Contents

Changing the FortiGate firmware...................................................................................... 41

Upgrading to a new firmware version ........................................................................... 42

Reverting to a previous firmware version...................................................................... 44

Installing firmware images from a system reboot using the CLI ................................... 47

Testing a new firmware image before installing it ......................................................... 50

Installing and using a backup firmware image .............................................................. 52

System Network................................................................................................... 55

Interface............................................................................................................................ 55

Interface settings........................................................................................................... 56

Configuring interfaces ................................................................................................... 62

Zone.................................................................................................................................. 66

Zone settings ................................................................................................................ 67

Management..................................................................................................................... 68

DNS .................................................................................................................................. 69

Routing table (Transparent Mode).................................................................................... 70

Routing table list ........................................................................................................... 70

Transparent mode route settings .................................................................................. 70

VLAN overview ................................................................................................................. 71

FortiGate units and VLANs ........................................................................................... 72

VLANs in NAT/Route mode .............................................................................................. 72

Rules for VLAN IDs....................................................................................................... 72

Rules for VLAN IP addresses ....................................................................................... 72

Adding VLAN subinterfaces .......................................................................................... 73

VLANs in Transparent mode............................................................................................. 74

Rules for VLAN IDs....................................................................................................... 76

Transparent mode virtual domains and VLANs ............................................................ 76

Transparent mode VLAN list......................................................................................... 77

Transparent mode VLAN settings................................................................................. 77

FortiGate IPv6 support...................................................................................................... 79

System DHCP ....................................................................................................... 81

Service.............................................................................................................................. 81

DHCP service settings .................................................................................................. 82

Server ............................................................................................................................... 83

DHCP server settings ................................................................................................... 84

Exclude range................................................................................................................... 85

DHCP exclude range settings....................................................................................... 86

IP/MAC binding................................................................................................................. 86

DHCP IP/MAC binding settings .................................................................................... 87

Dynamic IP........................................................................................................................ 87

System Config...................................................................................................... 89

System time ...................................................................................................................... 89

4 01-28011-0254-20051115 Fortinet Inc.

Options.............................................................................................................................. 90

HA..................................................................................................................................... 92

HA overview.................................................................................................................. 92

HA configuration ........................................................................................................... 95

Configuring an HA cluster ........................................................................................... 101

Managing an HA cluster.............................................................................................. 105

SNMP.............................................................................................................................. 108

Configuring SNMP ...................................................................................................... 108

SNMP community ....................................................................................................... 109

FortiGate MIBs............................................................................................................ 112

FortiGate traps ............................................................................................................ 112

Fortinet MIB fields ....................................................................................................... 114

Replacement messages ................................................................................................. 117

Replacement messages list ........................................................................................ 118

Changing replacement messages .............................................................................. 119

FortiManager................................................................................................................... 120

System Admin .................................................................................................... 123

Contents

Administrators................................................................................................................. 125

Administrators list........................................................................................................ 125

Administrators options ................................................................................................ 125

Access profiles................................................................................................................ 127

Access profile list ........................................................................................................ 127

Access profile options ................................................................................................. 128

System Maintenance ......................................................................................... 129

Backup and restore......................................................................................................... 129

Backing up and Restoring........................................................................................... 130

Update center ................................................................................................................. 132

Updating antivirus and attack definitions .................................................................... 134

Enabling push updates ............................................................................................... 137

Support ........................................................................................................................... 140

Sending a bug report .................................................................................................. 140

Registering a FortiGate unit ........................................................................................ 141

Shutdown........................................................................................................................ 143

System Virtual Domain...................................................................................... 145

Virtual domain properties................................................................................................ 146

Exclusive virtual domain properties ............................................................................ 146

Shared configuration settings ..................................................................................... 147

Administration and management ................................................................................ 148

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 5

Contents

Virtual domains ............................................................................................................... 148

Adding a virtual domain .............................................................................................. 149

Selecting a virtual domain........................................................................................... 149

Selecting a management virtual domain..................................................................... 149

Configuring virtual domains ............................................................................................ 150

Adding interfaces, VLAN subinterfaces, and zones to a virtual domain ..................... 150

Configuring routing for a virtual domain ...................................................................... 152

Configuring firewall policies for a virtual domain......................................................... 152

Configuring IPSec VPN for a virtual domain ............................................................... 154

Router ................................................................................................................. 155

Static............................................................................................................................... 155

Static route list ............................................................................................................ 157

Static route options ..................................................................................................... 158

Policy .............................................................................................................................. 159

Policy route list............................................................................................................ 159

Policy route options..................................................................................................... 160

RIP.................................................................................................................................. 160

General ....................................................................................................................... 161

Networks list................................................................................................................ 162

Networks options ........................................................................................................ 163

Interface list................................................................................................................. 163

Interface options ......................................................................................................... 164

Distribute list ............................................................................................................... 165

Distribute list options................................................................................................... 166

Offset list ..................................................................................................................... 167

Offset list options ........................................................................................................ 167

Router objects................................................................................................................. 168

Access list ................................................................................................................... 168

New access list ........................................................................................................... 169

New access list entry .................................................................................................. 169

Prefix list ..................................................................................................................... 170

New Prefix list ............................................................................................................. 170

New prefix list entry..................................................................................................... 171

Route-map list............................................................................................................. 171

New Route-map .......................................................................................................... 172

Route-map list entry.................................................................................................... 173

Key chain list............................................................................................................... 174

New key chain............................................................................................................. 174

Key chain list entry...................................................................................................... 175

Monitor............................................................................................................................ 176

Routing monitor list ..................................................................................................... 176

6 01-28011-0254-20051115 Fortinet Inc.

CLI configuration............................................................................................................. 177

get router info ospf ...................................................................................................... 177

get router info protocols .............................................................................................. 177

get router info rip......................................................................................................... 178

config router ospf ....................................................................................................... 178

config router static6..................................................................................................... 201

Firewall................................................................................................................ 203

Policy .............................................................................................................................. 204

How policy matching works......................................................................................... 204

Policy list ..................................................................................................................... 204

Policy options.............................................................................................................. 205

Advanced policy options ............................................................................................. 208

Configuring firewall policies ........................................................................................ 211

Policy CLI configuration .............................................................................................. 212

Address........................................................................................................................... 213

Address list ................................................................................................................. 214

Address options .......................................................................................................... 214

Configuring addresses ................................................................................................ 215

Address group list ....................................................................................................... 216

Address group options ................................................................................................ 216

Configuring address groups........................................................................................ 217

Service............................................................................................................................ 218

Predefined service list................................................................................................. 218

Custom service list...................................................................................................... 221

Custom service options............................................................................................... 222

Configuring custom services....................................................................................... 223

Service group list ........................................................................................................ 224

Service group options ................................................................................................. 225

Configuring service groups ......................................................................................... 225

Schedule......................................................................................................................... 226

One-time schedule list ................................................................................................ 226

One-time schedule options ......................................................................................... 227

Configuring one-time schedules ................................................................................. 227

Recurring schedule list................................................................................................ 228

Recurring schedule options ........................................................................................ 229

Configuring recurring schedules ................................................................................. 229

Virtual IP ......................................................................................................................... 230

Virtual IP list ................................................................................................................ 230

Virtual IP options......................................................................................................... 231

Configuring virtual IPs................................................................................................. 232

Contents

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 7

Contents

IP pool............................................................................................................................. 234

IP pool list ................................................................................................................... 235

IP pool options ............................................................................................................ 236

Configuring IP pools.................................................................................................... 236

IP Pools for firewall policies that use fixed ports ......................................................... 237

IP pools and dynamic NAT ......................................................................................... 237

Protection profile............................................................................................................. 237

Protection profile list.................................................................................................... 238

Default protection profiles ........................................................................................... 238

Protection profile options ............................................................................................ 239

Configuring protection profiles .................................................................................... 244

Profile CLI configuration.............................................................................................. 245

User..................................................................................................................... 249

Setting authentication timeout......................................................................................... 250

Local ............................................................................................................................... 250

Local user list .............................................................................................................. 250

Local user options....................................................................................................... 250

RADIUS .......................................................................................................................... 251

RADIUS server list ...................................................................................................... 251

RADIUS server options............................................................................................... 252

LDAP............................................................................................................................... 252

LDAP server list .......................................................................................................... 253

LDAP server options ................................................................................................... 253

User group ...................................................................................................................... 255

User group list............................................................................................................. 255

User group options...................................................................................................... 256

CLI configuration............................................................................................................. 257

peer............................................................................................................................. 257

peergrp........................................................................................................................ 258

VPN...................................................................................................................... 261

Phase 1........................................................................................................................... 262

Phase 1 list ................................................................................................................. 262

Phase 1 basic settings ................................................................................................ 263

Phase 1 advanced settings......................................................................................... 265

Phase 2........................................................................................................................... 266

Phase 2 list ................................................................................................................. 267

Phase 2 basic settings ................................................................................................ 268

Phase 2 advanced options.......................................................................................... 268

Manual key...................................................................................................................... 270

Manual key list ............................................................................................................ 271

Manual key options ..................................................................................................... 271

8 01-28011-0254-20051115 Fortinet Inc.

Concentrator ................................................................................................................... 272

Concentrator list.......................................................................................................... 273

Concentrator options................................................................................................... 273

Ping Generator................................................................................................................ 274

Ping generator options................................................................................................ 275

Monitor............................................................................................................................ 275

Dialup monitor............................................................................................................. 275

Static IP and dynamic DNS monitor............................................................................ 277

PPTP............................................................................................................................... 277

PPTP range ................................................................................................................ 278

L2TP .............................................................................................................................. 278

L2TP range ................................................................................................................. 278

Certificates...................................................................................................................... 279

Local certificate list...................................................................................................... 279

Certificate request....................................................................................................... 280

Importing signed certificates ...................................................................................... 281

CA certificate list ......................................................................................................... 282

Importing CA certificates............................................................................................. 282

VPN configuration procedures........................................................................................ 283

IPSec configuration procedures.................................................................................. 283

PPTP configuration procedures .................................................................................. 285

L2TP configuration procedures................................................................................... 285

CLI configuration............................................................................................................. 286

ipsec phase1............................................................................................................... 286

ipsec phase2............................................................................................................... 288

ipsec vip ...................................................................................................................... 289

Contents

IPS ....................................................................................................................... 293

Signature......................................................................................................................... 294

Predefined signatures ................................................................................................. 295

Predefined signature list ............................................................................................. 295

Configuring predefined signatures .............................................................................. 296

Configuring parameters for dissector signatures ........................................................ 298

Custom signatures ...................................................................................................... 298

Custom signature list .................................................................................................. 299

Adding custom signatures........................................................................................... 300

Backing up and restoring custom signature files ........................................................ 300

Anomaly.......................................................................................................................... 300

Anomaly list................................................................................................................. 301

Configuring an anomaly .............................................................................................. 301

IPS CLI configuration...................................................................................................... 303

Configuring system settings........................................................................................ 304

Configuring anomaly settings...................................................................................... 305

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 9

Contents

Antivirus ............................................................................................................. 307

File block......................................................................................................................... 308

File block list ............................................................................................................... 309

Configuring the file block list ....................................................................................... 310

Quarantine ...................................................................................................................... 310

Quarantined files list ................................................................................................... 310

Quarantined files list options....................................................................................... 311

AutoSubmit list ............................................................................................................ 312

AutoSubmit list options ............................................................................................... 312

Configuring the AutoSubmit list................................................................................... 312

Config.......................................................................................................................... 313

Config.............................................................................................................................. 314

Virus list ...................................................................................................................... 314

Config.......................................................................................................................... 314

Grayware .................................................................................................................... 315

Grayware options........................................................................................................ 315

CLI configuration............................................................................................................. 317

system global av_failopen........................................................................................... 317

system global optimize................................................................................................ 318

config antivirus heuristic.............................................................................................. 319

config antivirus quarantine .......................................................................................... 320

config antivirus service http......................................................................................... 320

config antivirus service ftp........................................................................................... 322

config antivirus service pop3....................................................................................... 324

config antivirus service imap....................................................................................... 325

config antivirus service smtp....................................................................................... 327

Web filter............................................................................................................. 329

Content block.................................................................................................................. 331

Web content block list ................................................................................................. 331

Web content block options.......................................................................................... 331

Configuring the web content block list ........................................................................ 332

URL block ....................................................................................................................... 332

Web URL block list...................................................................................................... 333

Web URL block options .............................................................................................. 333

Configuring the web URL block list ............................................................................. 334

Web pattern block list.................................................................................................. 334

Web pattern block options .......................................................................................... 335

Configuring web pattern block .................................................................................... 335

URL exempt.................................................................................................................... 335

URL exempt list........................................................................................................... 336

URL exempt list options .............................................................................................. 336

Configuring URL exempt............................................................................................. 336

10 01-28011-0254-20051115 Fortinet Inc.

Category block................................................................................................................ 337

FortiGuard-Web Filtering service ................................................................................ 337

Category block configuration options.......................................................................... 338

Configuring web category block.................................................................................. 339

Category block reports................................................................................................ 339

Category block reports options ................................................................................... 340

Generating a category block report............................................................................. 340

Category block CLI configuration................................................................................ 340

Script filter....................................................................................................................... 341

Web script filter options............................................................................................... 342

Spam filter .......................................................................................................... 343

Order of spam filter operations ....................................................................................... 345

FortiGuard-Antispam Service.......................................................................................... 346

FortiGuard-Antispam Service Spam filtering............................................................... 346

FortiGuard-Antispam Service options ......................................................................... 347

Configuring the FortiGuard-Antispam Service ............................................................ 348

FortiGuard-Antispam Service CLI configuration ......................................................... 349

IP address....................................................................................................................... 350

IP address list ............................................................................................................. 350

IP address options ...................................................................................................... 350

Configuring the IP address list .................................................................................... 350

DNSBL & ORDBL ........................................................................................................... 351

DNSBL & ORDBL list.................................................................................................. 352

DNSBL & ORDBL options........................................................................................... 352

Configuring the DNSBL & ORDBL list ........................................................................ 352

Email address ................................................................................................................. 353

Email address list........................................................................................................ 353

Email address options................................................................................................. 353

Configuring the email address list............................................................................... 353

MIME headers................................................................................................................. 354

MIME headers list ....................................................................................................... 355

MIME headers options ................................................................................................ 355

Configuring the MIME headers list.............................................................................. 355

Banned word................................................................................................................... 356

Banned word list ......................................................................................................... 356

Banned word options .................................................................................................. 357

Configuring the banned word list ................................................................................ 357

Using Perl regular expressions....................................................................................... 358

Contents

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 11

Contents

Log & Report ...................................................................................................... 361

Log config ....................................................................................................................... 362

Log Setting options ..................................................................................................... 362

Alert E-mail options..................................................................................................... 366

Log filter options.......................................................................................................... 367

Configuring log filters .................................................................................................. 370

Enabling traffic logging................................................................................................ 370

High Availability cluster logging ...................................................................................... 371

Log access...................................................................................................................... 371

Disk log file access ..................................................................................................... 371

Viewing log messages ................................................................................................ 373

Searching log messages............................................................................................. 375

CLI configuration............................................................................................................. 376

fortilog setting.............................................................................................................. 376

syslogd setting ............................................................................................................ 377

FortiGuard categories ....................................................................................... 381

Glossary ............................................................................................................. 387

Index .................................................................................................................... 393

12 01-28011-0254-20051115 Fortinet Inc.

FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11

Introduction

FortiGate Antivirus Firewalls support network-based deployment of application-level
services, including antivirus protection and full-scan content filtering. FortiGate
Antivirus Firewalls improve network security, reduce network misuse and abuse, and
help you use communications resources more efficiently without compromising the
performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for
firewall, IPSec, and antivirus services.

This chapter introduces you to FortiGate Antivirus Firewalls and the following topics:

• About FortiGate Antivirus Firewalls

• About the FortiOS International and US Domestic distributions

• Document conventions

• Fortinet documentation

• Customer service and technical support

About FortiGate Antivirus Firewalls

The FortiGate Antivirus Firewall is a dedicated easily managed security device that
delivers a full suite of capabilities that include:

• application-level services such as virus protection and content filtering,

• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.

The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content
Analysis System (ABACAS™) technology, which leverages breakthroughs in chip
design, networking, security, and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications to
be deployed right at the network edge, where they are most effective at protecting
your networks. The FortiGate series complements existing solutions, such as host­based antivirus protection, and enables new applications and services while greatly
lowering costs for equipment, administration, and maintenance.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 13

About FortiGate Antivirus Firewalls Introduction

Figure 1: FortiGate-1000A (top) and FortiGate-1000AFA2 (bottom)

CONSOLE

USB

A2A1

The FortiGate-1000A is a high performance solution that delivers gigabit throughput
with exceptional reliability for the most demanding large enterprise and service
provider environments. The FortiGate-1000AFA2 optionally provides 2 ports featuring
FortiAccel technology enhancing small packet performance. All FortiGate-1000A
products deploy easily in existing networks and can be used for antivirus and content
filtering only or can be deployed as a complete network protection solution. High
Availability (HA) operation and redundant hot-swappable power supplies ensure non­stop operation in mission-critical applications. The FortiGate-1000A is kept up to date
automatically by Fortinet’s FortiGuard network, which provides continuous updates for
FortiGuard Subscription Services that ensure protection against the latest viruses,
worms, trojans and other threats around the clock.

Antivirus protection

FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP),
and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit.
FortiGate antivirus protection uses pattern matching and heuristics to find viruses. If a
virus is found, antivirus protection removes the file containing the virus from the
content stream and forwards a replacement message to the intended recipient.

For extra protection, you can configure antivirus protection to block specified file types
from passing through the FortiGate unit. You can use the feature to stop files that
might contain new viruses.

FortiGate antivirus protection can also identify and remove known grayware
programs. Grayware programs are usually unsolicited commercial software programs
that get installed on PCs, often without the user’s consent or knowledge. Grayware
programs are generally considered an annoyance, but these programs can cause
system performance problems or be used for malicious means.

14 01-28011-0254-20051115 Fortinet Inc.

Introduction About FortiGate Antivirus Firewalls

If the FortiGate unit contains a hard disk, infected or blocked files and grayware files
can be quarantined. The FortiGate administrator can download quarantined files so
that they can be virus scanned, cleaned, and forwarded to the intended recipient. You
can also configure the FortiGate unit to automatically delete quarantined files after a
specified time.

The FortiGate unit can send email alerts to system administrators when it detects and
removes a virus from a content stream. The web and email content can be in normal
network traffic or encrypted IPSec VPN traffic.

ICSA Labs has certified that FortiGate Antivirus Firewalls:

• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),

• detect viruses in compressed files using the PKZip format,

• detect viruses in email that has been encoded using uuencode format,

• detect viruses in email that has been encoded using MIME encoding,

• log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can scan all HTTP content protocol streams for URLs,
URL patterns, and web page content. If there is a match between a URL on the URL
block list, or a web page contains a word or phrase that is in the content block list, the
FortiGate unit blocks the web page. The blocked web page is replaced with a
message that you can edit using the FortiGate web-based manager.

FortiGate web content filtering also supports FortiGuard web category blocking. Using
web category blocking you can restrict or allow access to web pages based on
content ratings of web pages.

You can configure URL blocking to block all or some of the pages on a web site. Using
this feature, you can deny access to parts of a web site without denying access to it
completely.

To prevent unintentionally blocking legitimate web pages, you can add URLs to an
exempt list that overrides the URL blocking and content blocking lists. The exempt list
also exempts web traffic this address from virus scanning.

Web content filtering also includes a script filter feature that can block unsecure web
content such as Java applets, cookies, and ActiveX.

Spam filtering

FortiGate spam filtering can scan all POP3, SMTP, and IMAP email content for spam.
You can configure spam filtering to filter mail according to IP address, email address,
mime headers, and content. Mail messages can be identified as spam or clear.

FortiShield is an antispam system from Fortinet that includes an IP address black list,
a URL black list, and spam filtering tools. The IP address black list contains IP
addresses of email servers known to be used to generate Spam. The URL black list
contains URLs of website found in Spam email.

You can also add the names of known third-party DNS-based Blackhole List (DNSBL)
and Open Relay Database List (ORDBL) servers. These services contain lists of
known spam sources.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 15

About FortiGate Antivirus Firewalls Introduction

If an email message is found to be spam, the FortiGate unit adds an email tag to the
subject line of the email. The recipient can use their mail client software to filter
messages based on the email tag. Spam filtering can also be configured to delete
SMTP email messages identified as spam.

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from Internet
threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification,
providing assurance that FortiGate firewalls successfully screen and secure corporate
networks against a range of threats from public or other untrusted networks.

After basic installation of the FortiGate unit, the firewall allows users on the protected
network to access the Internet while blocking Internet access to internal networks.
You can configure the firewall to put controls on access to the Internet from the
protected networks and to allow controlled access to internal networks.

FortiGate policies include a range of options that:

• control all incoming and outgoing network traffic,

• control encrypted VPN traffic,

• apply antivirus protection and web content filtering,

• block or allow access for all policy options,

• control when individual policies are in effect,

• accept or deny traffic to and from individual addresses,

• control standard and user defined network services individually or in groups,

• require users to authenticate before gaining access,

• include traffic shaping to set access priorities and guarantee or limit bandwidth for
each policy,

• include logging to track connections for individual policies,

• include Network Address Translation (NAT) mode and Route mode policies,

• include mixed NAT and Route mode policies.

The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its
interfaces is associated with a different IP subnet and that it appears to other devices
as a router. This is how a firewall is normally deployed.

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

• NAT mode policies use network address translation to hide the addresses in a
more secure network from users in a less secure network.

• Route mode policies accept or deny connections between networks without
performing address translation.

16 01-28011-0254-20051115 Fortinet Inc.

Introduction About FortiGate Antivirus Firewalls

Transparent mode

In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This
means that all of its interfaces are on the same IP subnet and that it appears to other
devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to
provide antivirus and content filtering behind an existing firewall solution.

Transparent mode provides the same basic firewall protection as NAT mode. The
FortiGate unit passes or blocks the packets it receives according to firewall policies.
The FortiGate unit can be inserted in the network at any point without having to make
changes to your network or its components. However, some advanced firewall
features are available only in NAT/Route mode.

VLANs and virtual domains

Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags.
Using VLAN technology, a single FortiGate unit can provide security services to, and
control connections between, multiple security domains according to the VLAN IDs
added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply
security policies to secure network and IPSec VPN traffic between each security
domain. The FortiGate unit can also apply authentication, content filtering, and
antivirus protection to VLAN-tagged network and VPN traffic.

The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In
NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets.

FortiGate virtual domains provide multiple logical firewalls and routers in a single
FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall
and routing services to multiple networks so that traffic from each network is
effectively separated from every other network.

You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies,
routing, and VPN configuration for each virtual domain separately. For these
configuration settings, each virtual domain is functionally similar to a single FortiGate
unit. This separation simplifies configuration because you do not have to manage as
many routes or firewall policies at one time.

Intrusion Prevention System (IPS)

The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly
based intrusion detection and prevention. The FortiGate unit can record suspicious
traffic in logs, can send alert email to system administrators, and can log, pass, drop,
reset, or clear suspicious packets or sessions. Both the IPS predefined signatures and
the IPS engine are upgradeable through the FortiProtect Distribution Network (FDN).
You can also create custom signatures.

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure
connection between widely separated office networks or securely link telecommuters
or travellers to an office network.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 17

About FortiGate Antivirus Firewalls Introduction

FortiGate VPN features include the following:

• Industry standard and ICSA-certified IPSec VPN, including:

• IPSec VPN in NAT/Route and Transparent mode,

• IPSec, ESP security in tunnel mode,

• DES, 3DES (triple-DES), and AES hardware accelerated encryption,

• HMAC MD5 and HMAC SHA1 authentication and data integrity,

• AutoIKE key based on pre-shared key tunnels,

• IPSec VPN using local or CA certificates,

• Manual Keys tunnels,

• Diffie-Hellman groups 1, 2, and 5,

• Aggressive and Main Mode,

• Replay Detection,

• Perfect Forward Secrecy,

• XAuth authentication,

• Dead peer detection,

• DHCP over IPSec,

• Secure Internet browsing.

• PPTP for easy connectivity with the VPN standard supported by the most popular
operating systems.

• L2TP for easy connectivity with a more secure VPN standard, also supported by
many popular operating systems.

• Firewall policy based control of IPSec VPN traffic.

• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT
can connect to an IPSec VPN tunnel.

• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from
one tunnel to another through the FortiGate unit.

• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a
remote network.

High availability

Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must be running the same FortiOS firmware image.

FortiGate HA supports link redundancy and device redundancy.

FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.

An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a
primary FortiGate unit that processes traffic, and one or more subordinate FortiGate
units. The subordinate FortiGate units are connected to the network and to the
primary FortiGate unit but do not process traffic.

18 01-28011-0254-20051115 Fortinet Inc.

Introduction About FortiGate Antivirus Firewalls

Active-active (A-A) HA load balances virus scanning among all the FortiGate units in
the cluster. An active-active HA cluster consists of a primary FortiGate unit that
processes traffic and one or more secondary units that also process traffic. The
primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to
all the FortiGate units in the HA cluster.

Secure installation, configuration, and management

The first time you power on the FortiGate unit, it is already configured with default IP
addresses and security policies. Connect to the web-based manager, set the
operating mode, and use the Setup wizard to customize FortiGate IP addresses for
your network, and the FortiGate unit is ready to protect your network. You can then
use the web-based manager to customize advanced FortiGate features.

You can also create a basic configuration using the FortiGate front panel control
buttons and LCD.

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet
Explorer, you can configure and manage the FortiGate unit. The web-based manager
supports multiple languages. You can configure the FortiGate unit for HTTP and
HTTPS administration from any FortiGate interface.

You can use the web-based manager to configure most FortiGate settings. You can
also use the web-based manager to monitor the status of the FortiGate unit.
Configuration changes made using the web-based manager are effective immediately
without resetting the firewall or interrupting service. Once you are satisfied with a
configuration, you can download and save it. The saved configuration can be restored
at any time.

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a
management computer serial port to the FortiGate RS-232 serial console connector.
You can also use Telnet or a secure SSH connection to connect to the CLI from any
network that is connected to the FortiGate unit, including the Internet.

The CLI supports the same configuration and monitoring functionality as the
web-based manager. In addition, you can use the CLI for advanced configuration
options that are not available from the web-based manager.

This Administration Guide contains information about basic and advanced CLI
commands. For a more complete description about connecting to and using the
FortiGate CLI, see the FortiGate CLI Reference Guide.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 19

About the FortiOS International and US Domestic distributions Introduction

Logging and reporting

The FortiGate unit supports logging for various categories of traffic and configuration
changes. You can configure logging to:

• report traffic that connects to the firewall,

• report network services used,

• report traffic that was permitted by firewall policies,

• report traffic that was denied by firewall policies,

• report events such as configuration changes and other management events,
IPSec tunnel negotiation, virus detection, attacks, and web page blocking,

• report attacks detected by the IPS,

• send alert email to system administrators to report virus incidents, intrusions, and
firewall or VPN events or violations.

Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting
Center and Firewall Suite server using the WebTrends enhanced log format. Some
models can also save logs to an optional internal hard drive. If a hard drive is not
installed, you can configure most FortiGate units to log the most recent events and
attacks detected by the IPS to the system memory.

About the FortiOS International and US Domestic distributions

Fortinet produces two distributions of FortiOS v3.0, an International distribution and a
US Domestic distribution. The International distribution is available to users outside of
the United States and the US Domestic distribution is available to all users, including
users in the United States.

The main difference between the US Domestic and International distributions of
FortiOS is the Antivirus engine. The US Domestic Antivirus engine processes SMTP
traffic in streaming mode with object based scanning. The US Domestic Antivirus
engine also uses a new hot list antivirus scanning technique for all protocols (HTTP,
FTP, IMAP, POP3, SMTP, and IM). Streaming mode is also called splice mode.

US Domestic distribution changes

If you are operating your FortiGate unit with the US Domestic distribution, on the
web-based manager System Status page unit Unit Information, Distribution is set to
US Domestic (see “System Status” on page 33). In addition the US Domestic
distribution firmware has the following changes:

• SMTP virus scanning only operates in streaming mode

• Spam filter email tagging for SMTP is not supported

• SMTP quarantine file name system generated

• The default mail virus replacement message (splice mode) is changed

20 01-28011-0254-20051115 Fortinet Inc.

Introduction About the FortiOS International and US Domestic distributions

SMTP virus scanning only operates in streaming mode

SMTP virus scanning operates in streaming in mode (also called splice mode) only. In
streaming mode the FortiGate unit simultaneously scans an email and sends it to the
SMTP server. If the FortiGate unit detects a virus, the FortiGate unit terminates the
server connection and returns an error message to the sender, listing the virus name
and system generated quarantine file name. If SMTP quarantine is not enabled, the
quarantine filename is blank. The SMTP server is not able to deliver the email if it was
sent with an infected attachment. An error message is returned to the sender if an
attachment is infected. The receiver does not receive the email or the attachment.

Spam filter email tagging for SMTP is not supported

Because SMTP virus scanning operates in streaming mode the FortiGate unit
discards spam email and immediately drops the connection. In the US Domestic
distribution, spam filter email tagging is not supported.

SMTP quarantine file name system generated

When the FortiGate unit quarantines files from an SMTP email the file name of the
quarantined file is changed to a system generated file name. The system generated
file name consists of the name of the of the sender email address and the name of the
receiver email address separated with an underscore. The system generated file
name does not include a file name extension.

For example, if the file test.doc was quarantined in an email being sent from
user@address.com to info@fortinet.com the file name of the quarantined file would be
user_info.

The default mail virus replacement message (splice mode) is
changed

The default mail virus message (splice mode) replacement message is changed from:
The file %%FILE%% has been infected with the virus %%VIRUS%% File quarantined

as %%QUARFILENAME%%
to
An email has been infected with the virus %%VIRUS%% File quarantined as

%%QUARFILENAME%%
This change removes the name of the infected file from the replacement message.

The replacement message now only contains the name of the virus that the file is
infected with, and the quarantine filename.

For SMTP email, %%QUARFILENAME%% is the system-generated quarantine file
name. For other email protocols %%QUARFILENAME%% is the original file name. If
quarantine is not enabled for the email protocol, %%QUARFILENAME%% will be
blank.

The %%FILE%% variable is still available. If you add %%FILE%% to the mail virus
message (splice mode) replacement message, %%FILE%% will always add
<no filename> to replacement messages generated for viruses found in SMTP email.
For other email protocols, %%FILE%% adds the name of the infected file to the
replacement message.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 21

Document conventions Introduction

Document conventions

This guide uses the following conventions to describe CLI command syntax.

• Angle brackets < > to indicate variables.
For example:

execute restore config <filename_str>

You enter:

execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage

returns.

<xxx_integer> indicates an integer string that is a decimal (base 10) number.
<xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters

A-F.

<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted

decimal IPv4 netmask.

<xxx_ipv6> indicates a dotted decimal IPv6 address.
<xxx_v6mask> indicates a dotted decimal IPv6 netmask.
<xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted

decimal IPv6 netmask.

• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive
required keywords.

For example:

set opmode {nat | transparent}

You can enter set opmode nat or set opmode transparent.

• Square brackets [ ] to indicate that a keyword or variable is optional.
For example:

show system interface [<name_str>]

To show the settings for all interfaces, you can enter show system interface.
To show the settings for the internal interface, you can enter show system
interface internal.

• A space to separate options that can be entered in any combination and must be
separated by spaces.

For example:

set allowaccess {ping https ssh snmp http telnet}

You can enter any of the following:

set allowaccess ping

set allowaccess ping https ssh

set allowaccess https ping ssh

22 01-28011-0254-20051115 Fortinet Inc.

Introduction Fortinet documentation

set allowaccess snmp

In most cases to make changes to lists that contain options separated by spaces,
you need to retype the whole list including all the options you want to apply and
excluding all the options you want to remove.

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site at

http://docs.forticare.com.

The following FortiGate product documentation is available:

• FortiGate QuickStart Guide

Provides basic information about connecting and installing a FortiGate unit.

• FortiGate Installation Guide

Describes how to install a FortiGate unit. Includes a hardware reference, default
configuration information, installation procedures, connection procedures, and
basic configuration procedures. Choose the guide for your product model number.

• FortiGate Administration Guide

Provides basic information about how to configure a FortiGate unit, including how
to define FortiGate protection profiles and firewall policies; how to apply intrusion
prevention, antivirus protection, web content filtering, and spam filtering; and how
to configure a VPN.

• FortiGate online help

Provides a context-sensitive and searchable version of the Administration Guide in
HTML format. You can access online help from the web-based manager as you
work.

• FortiGate CLI Reference

Describes how to use the FortiGate CLI and contains a reference to all FortiGate
CLI commands.

• FortiGate Log Message Reference

Available exclusively from the Fortinet Knowledge Center, the FortiGate Log
Message Reference describes the structure of FortiGate log messages and
provides information about the log messages that are generated by FortiGate
units.

• FortiGate High Availability User Guide

Contains in-depth information about the FortiGate high availability feature and the
FortiGate clustering protocol.

• FortiGate IPS User Guide

Describes how to configure the FortiGate Intrusion Prevention System settings and
how the FortiGate IPS deals with some common attacks.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 23

Customer service and technical support Introduction

• FortiGate IPSec VPN User Guide

Provides step-by-step instructions for configuring IPSec VPNs using the web­based manager.

• FortiGate SSL VPN User Guide

Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-mode SSL VPN access for
remote users through the web-based manager.

• FortiGate PPTP VPN User Guide

Explains how to configure a PPTP VPN using the web-based manager.

• FortiGate Certificate Management User Guide

Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates and
certificate revocation lists, and backing up and restoring installed certificates and
private keys.

• FortiGate VLANs and VDOMs User Guide

Describes how to configure VLANs and VDOMS in both NAT/Route and
Transparent mode. Includes detailed examples.

Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge
Center. The knowledge center contains troubleshooting and how-to articles, FAQs,
technical notes, and more. Visit the Fortinet Knowledge Center at

http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet
systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support web site at http://support.fortinet.com to
learn about the technical support services that Fortinet provides.

24 01-28011-0254-20051115 Fortinet Inc.

FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running a web
browser, you can configure and manage the FortiGate unit. The web-based manager
supports multiple languages. You can configure the FortiGate unit for HTTP and
HTTPS administration from any FortiGate interface.

Figure 1: Web-based manager screen

You can use the web-based manager to configure most FortiGate settings. You can
also use the web-based manager to monitor the status of the FortiGate unit.
Configuration changes made using the web-based manager are effective immediately
without resetting the firewall or interrupting service. Once you are satisfied with a
configuration, you can back it up. The saved configuration can be restored at any
time.

For information about connecting to the web-based manager, see “Connecting to the
web-based manager” in the Installation Guide for your unit.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 25

Button bar features Web-based manager

This chapter includes:

• Button bar features

• Web-based manager pages

Button bar features

The button bar in the upper right corner of the web-based manager provides access to
several important FortiGate features.

Figure 2: Web-based manager button bar

Contact Customer Support

Online Help

Easy Setup Wizard

Contact Customer Support

The Contact Customer Support button opens the Fortinet support web page in a new
browser window. From this page you can

• Register your FortiGate unit (Product Registration). Fortinet will email you your
username and password to log in to the customer support center.

• Log in to the Customer Support Center.

• Visit the FortiProtect Center.

• Download virus and attack definition updates.

• Find out about training and certification programs.

• Read about Fortinet and its products.

Console Access

Logout

26 01-28011-0254-20051115 Fortinet Inc.

Web-based manager Button bar features

Online Help

The Online Help button opens web-based help for the current web-based manager
page. There are hyperlinks to related topics and procedures related to the controls on
the current web-based manager page.

Figure 3: Online Help window

You can view other parts of the help system as you like. The help system includes a
navigation pane with table of contents, index and a text search function.

Easy Setup Wizard

The FortiGate setup wizard provides an easy way to configure basic initial settings for
the FortiGate unit. The wizard walks through the configuration of a new administrator
password, FortiGate interfaces, DHCP server settings, internal servers (web, FTP,
etc.), and basic antivirus settings. For detailed instructions on the initial setup of your
FortiGate unit, see the Installation Guide for your unit.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 27

Button bar features Web-based manager

Console Access

An alternative to the web-based manager user interface is the text-based command
line interface (CLI). There are some options that are configurable only from the CLI.

The Console Access button opens a Java-based terminal application. The
management computer must have Java version 1.3 or higher installed.

For information on how to use the CLI, see the FortiGate CLI Reference Guide.

Figure 4: Console access

Logout

Connect Connect to the FortiGate unit using the CLI.
Disconnect Disconnect from the FortiGate unit.
Clear screen Clear the screen.

The Logout button immediately logs you out of the web-based manager. Log out
before you close the browser window. If you simply close the browser or leave the
web-based manager, you remain logged-in until the idle timeout (default 5 minutes)
expires.

28 01-28011-0254-20051115 Fortinet Inc.

Web-based manager Web-based manager pages

Web-based manager pages

The web-based manager interface consists of a menu and pages, many of which have
multiple tabs. When you select a menu item, such as System, it expands to reveal a
submenu. When you select one of the submenu items, the associated page opens at
its first tab. To view a different tab, select the tab.

The procedures in this manual direct you to a page by specifying the menu item, the
submenu item and the tab, like this:

1 Go to System > Network > Interface.

Figure 5: Parts of the web-based manager

Menu

Status

bar

Ta bs

Page Button bar

Web-based manager menu

The menu provides access to configuration options for all major features of the
FortiGate unit.

System Configure system facilities, such as network interfaces, virtual domains,

Router Configure the router.
Firewall Configure firewall policies and protection profiles that apply the network

User Configure user accounts for use with firewall policies that require user

VPN Configure virtual private networks.

FortiGate-1000A/FA2 Administration Guide 01-28011-0254-20051115 29

DHCP services, time and set system options.

protection features. Also configure virtual IP addresses and IP pools.

authentication. Also configure external authentication servers.

Web-based manager pages Web-based manager

IPS Configure the intrusion prevention system.
Antivirus Configure antivirus protection.
Web Filter Configure web filtering.
Spam Filter Configure email spam filtering.
Log & Report Configure logging. View log messages.

Lists

Many of the web-based manager pages are lists. There are lists of network interfaces,
firewall policies, administrators, users, and so on.

Figure 6: Example of a web-based manager list

Delete

Edit

Icons

The list shows some information about each item and the icons in the rightmost
column enable you to take action on the item. In this example, you can select Delete
to remove the item or select Edit to modify the item.

To add another item to the list, you select Create New. This opens a dialog box in
which you define the new item. The dialog box for creating a new item is similar to the
one for editing an existing item.

The web-based manager has icons in addition to buttons to enable you to interact with
the system. There are tooltips to assist you in understanding the function of the icon.
Pause the mouse pointer over the icon to view the tooltip. The following table
describes the icons that you will see in the web-based manager.

Icon Name Description

Change
Password

Clear Clear a log file.

Column
Settings

Change the administrator password. This icon appears in the
Administrators list if your access profile enables write permission
on Admin Users.

Select log columns to display.

30 01-28011-0254-20051115 Fortinet Inc.

Delete Delete an item. This icon appears in lists where the item is

deletable and you have write permission on the page.