Page 1
FortiGate 3000
ESC ENTER
Administration Guide
123
POWER
Hi-Temp 4/HA
INT EXT
FortiGate-3000 Administration Guide
CONSOLE 1 2 3 4/HA
Version 2.80 MR6
5 November 2004
01-28006-0010-20041105
INTERNAL
EXTERNAL
Page 2
© Copyright 2004 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-3000 Administration Guide
Version 2.80 MR6
5 November 2004
01-28006-0010-20041105
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective
holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.
Page 3
Table of Contents
System status....................................................................................................... 17
Console access................................................................................................................. 17
Status................................................................................................................................ 17
Viewing system status .................................................................................................. 18
Changing unit information ............................................................................................. 20
To change FortiGate host name ................................................................................ 20
To update the firmware version.................................................................................. 20
To update the antivirus definitions manually .............................................................. 20
To update the attack definitions manually.................................................................. 21
Changing operation mode............................................................................................. 21
To change to Transparent mode................................................................................ 21
To change to NAT/Route mode ................................................................................. 22
Session list........................................................................................................................ 22
Viewing the session list................................................................................................. 22
To view the session list .............................................................................................. 23
Changing the FortiGate firmware...................................................................................... 23
Upgrading to a new firmware version ........................................................................... 24
To upgrade the firmware using the web-based manager........................................... 24
To upgrade the firmware using the CLI...................................................................... 24
Reverting to a previous firmware version...................................................................... 25
To revert to a previous firmware version using the web-based manager .................. 26
To revert to a previous firmware version using the CLI.............................................. 27
Installing firmware images from a system reboot using the CLI ................................... 28
To install firmware from a system reboot ................................................................... 29
Testing a new firmware image before installing it ......................................................... 32
To test a new firmware image .................................................................................... 32
Installing and using a backup firmware image .............................................................. 34
To install a backup firmware image............................................................................ 34
To switch to the backup firmware image.................................................................... 35
To switch back to the default firmware image ............................................................ 36
Contents
System network ................................................................................................... 39
Interface............................................................................................................................ 39
Interface settings........................................................................................................... 40
Configuring interfaces ................................................................................................... 44
To add a VLAN subinterface ...................................................................................... 44
To bring down an interface that is administratively up ............................................... 45
To start up an interface that is administratively down ................................................ 45
To add interfaces to a zone........................................................................................ 45
To add an interface to a virtual domain...................................................................... 45
To change the static IP address of an interface......................................................... 45
FortiGate-3000 Administration Guide 01-28006-0010-20041105 3
Page 4
Contents
To configure an interface for DHCP ........................................................................... 46
To configure an interface for PPPoE.......................................................................... 46
To add a secondary IP address ................................................................................. 47
To add a ping server to an interface .......................................................................... 47
To control administrative access to an interface ........................................................ 47
To change the MTU size of the packets leaving an interface .................................... 48
To configure traffic logging for connections to an interface........................................ 48
Zone.................................................................................................................................. 48
Zone settings ................................................................................................................ 49
To add a zone ............................................................................................................ 49
To delete a zone ........................................................................................................ 49
To edit a zone ............................................................................................................ 50
Management..................................................................................................................... 50
Management interface .................................................................................................. 50
To configure the management interface .................................................................... 51
DNS .................................................................................................................................. 51
DNS configuration......................................................................................................... 51
To add DNS server IP addresses .............................................................................. 51
Routing table (Transparent Mode) .................................................................................... 51
Routing table list ........................................................................................................... 51
Transparent mode route settings .................................................................................. 52
To add a Transparent mode route ............................................................................. 52
VLAN overview ................................................................................................................. 52
FortiGate units and VLANs ........................................................................................... 53
VLANs in NAT/Route mode .............................................................................................. 53
Rules for VLAN IDs....................................................................................................... 54
Rules for VLAN IP addresses ....................................................................................... 54
Adding VLAN subinterfaces .......................................................................................... 54
To add a VLAN subinterface in NAT/Route mode ..................................................... 54
To add firewall policies for VLAN subinterfaces......................................................... 55
VLANs in Transparent mode............................................................................................. 55
Rules for VLAN IDs....................................................................................................... 56
Transparent mode virtual domains and VLANs ............................................................ 56
Transparent mode VLAN list......................................................................................... 56
Transparent mode VLAN settings................................................................................. 57
To add a VLAN subinterface in Transparent mode.................................................... 57
To add firewall policies for VLAN subinterfaces......................................................... 57
FortiGate IPv6 support...................................................................................................... 58
System DHCP ....................................................................................................... 59
Service.............................................................................................................................. 59
DHCP service settings .................................................................................................. 59
To configure an interface as a regular DHCP relay agent ......................................... 60
To configure an interface to be a DHCP server ......................................................... 60
4 01-28006-0010-20041105 Fortinet Inc.
Page 5
Server ............................................................................................................................... 60
DHCP server settings ................................................................................................... 61
To configure a DHCP server for an interface ............................................................. 61
To configure multiple DHCP servers for an interface................................................. 62
Exclude range ................................................................................................................... 62
DHCP exclude range settings....................................................................................... 62
To add an exclusion range......................................................................................... 63
IP/MAC binding ................................................................................................................. 63
DHCP IP/MAC binding settings .................................................................................... 63
To add a DHCP IP/MAC binding pair......................................................................... 63
Dynamic IP........................................................................................................................ 64
Dynamic IP list .............................................................................................................. 64
To view the dynamic IP list......................................................................................... 64
System config ...................................................................................................... 65
System time ...................................................................................................................... 65
System time configuration............................................................................................. 66
To manually set the FortiGate date and time ............................................................. 66
To use NTP to set the FortiGate date and time ......................................................... 66
Options.............................................................................................................................. 67
Options configuration .................................................................................................... 67
To set the system idle timeout ................................................................................... 67
To set the Auth timeout .............................................................................................. 67
To select a language for the web-based manager..................................................... 68
To modify the dead gateway detection settings ......................................................... 68
HA..................................................................................................................................... 68
HA configuration ........................................................................................................... 69
Configuring an HA cluster ............................................................................................. 75
To configure a FortiGate unit for HA operation .......................................................... 75
To connect a FortiGate HA cluster............................................................................. 76
To add a new unit to a functioning cluster.................................................................. 76
To configure weighted-round-robin weights............................................................... 77
Managing an HA cluster................................................................................................ 77
To view the status of each cluster member................................................................ 78
To view and manage logs for individual cluster units................................................. 79
To monitor cluster units for failover ............................................................................ 79
To manage individual cluster units............................................................................. 80
SNMP................................................................................................................................ 80
Configuring SNMP ........................................................................................................ 81
SNMP community ......................................................................................................... 81
To configure SNMP access to an interface in NAT/Route mode ............................... 82
To configure SNMP access to an interface in Transparent mode.............................. 82
To enable SNMP and configure basic SNMP settings............................................... 83
Contents
FortiGate-3000 Administration Guide 01-28006-0010-20041105 5
Page 6
Contents
To add an SNMP community ..................................................................................... 83
FortiGate MIBs.............................................................................................................. 83
FortiGate traps .............................................................................................................. 84
Fortinet MIB fields ......................................................................................................... 86
Replacement messages ................................................................................................... 88
Replacement messages list .......................................................................................... 88
To change a replacement message........................................................................... 89
Changing replacement messages ................................................................................ 89
FortiManager..................................................................................................................... 90
System administration .......................................................................................... 1
Administrators ..................................................................................................................... 1
Administrators list............................................................................................................ 1
Administrators options .................................................................................................... 2
To configure an administrator account......................................................................... 2
To change an administrator password ......................................................................... 2
Access profiles.................................................................................................................... 3
Access profile list ............................................................................................................ 3
Access profile options ..................................................................................................... 3
To configure an access profile ..................................................................................... 3
System maintenance ............................................................................................. 5
Backup and restore............................................................................................................. 5
Backing up and Restoring............................................................................................... 6
To back up all configuration files.................................................................................. 6
To restore all configuration files ................................................................................... 6
To back up individual categories.................................................................................. 6
To restore individual categories ................................................................................... 6
To back up VPN certificates......................................................................................... 7
To restore VPN certificates .......................................................................................... 7
Update center ..................................................................................................................... 7
Updating antivirus and attack definitions ........................................................................ 9
To make sure the FortiGate unit can connect to the FDN............................................ 9
To update antivirus and attack definitions.................................................................... 9
To enable scheduled updates .................................................................................... 10
To add an override server.......................................................................................... 10
To enable scheduled updates through a proxy server ............................................... 11
Enabling push updates ................................................................................................. 11
To enable push updates............................................................................................. 12
General procedure ..................................................................................................... 13
To add a port forwarding virtual IP to the FortiGate NAT device ............................... 13
To add a firewall policy to the FortiGate NAT device ................................................. 14
To configure the FortiGate unit on the internal network ............................................. 14
6 01-28006-0010-20041105 Fortinet Inc.
Page 7
Support ............................................................................................................................. 14
Sending a bug report .................................................................................................... 14
To report a bug........................................................................................................... 15
To configure a customized mail relay......................................................................... 15
Registering a FortiGate unit .......................................................................................... 15
To register a FortiGate unit ........................................................................................ 16
Shutdown.......................................................................................................................... 17
System shutdown.......................................................................................................... 17
To log out of the system............................................................................................. 17
To restart the system ................................................................................................. 17
To shut down the system ........................................................................................... 17
To reset the FortiGate unit to factory defaults............................................................ 17
System virtual domain........................................................................................... 1
Virtual domain properties .................................................................................................... 2
Exclusive virtual domain properties ................................................................................ 2
Shared configuration settings ......................................................................................... 3
Administration and management .................................................................................... 4
Virtual domains ................................................................................................................... 4
Adding a virtual domain .................................................................................................. 5
To add a virtual domain................................................................................................ 5
Selecting a virtual domain............................................................................................... 5
To select a virtual domain to configure ........................................................................ 5
Selecting a management virtual domain......................................................................... 5
To select a management virtual domain ...................................................................... 6
To select a management virtual domain and add a management IP........................... 6
Configuring virtual domains ................................................................................................ 6
Adding interfaces, VLAN subinterfaces, and zones to a virtual domain ......................... 6
To add physical interfaces to a virtual domain ............................................................. 6
To add VLAN subinterfaces to a virtual domain........................................................... 7
To view the interfaces in a virtual domain .................................................................... 7
To add zones to a virtual domain................................................................................. 8
Configuring routing for a virtual domain .......................................................................... 8
To configure routing for a virtual domain in NAT/Route mode ..................................... 8
To configure the routing table for a virtual domain in Transparent mode..................... 8
Configuring firewall policies for a virtual domain............................................................. 8
To add firewall policies to a virtual domain .................................................................. 9
To add firewall addresses to a virtual domain.............................................................. 9
To add IP pools to a virtual domain.............................................................................. 9
To add Virtual IPs to a virtual domain .......................................................................... 9
Configuring IPSec VPN for a virtual domain ................................................................. 10
To configure VPN for a virtual domain ....................................................................... 10
Contents
FortiGate-3000 Administration Guide 01-28006-0010-20041105 7
Page 8
Contents
Router ..................................................................................................................... 1
Static................................................................................................................................... 1
Static route list ................................................................................................................ 2
Static route options ......................................................................................................... 2
To add or edit a static route ......................................................................................... 2
To move static routes................................................................................................... 2
Policy .................................................................................................................................. 3
Policy route list................................................................................................................ 3
Policy route options......................................................................................................... 3
To add a policy route.................................................................................................... 3
RIP...................................................................................................................................... 4
General ........................................................................................................................... 4
To configure RIP general settings................................................................................ 5
To configure RIP route redistribution ........................................................................... 5
Networks list.................................................................................................................... 5
Networks options ............................................................................................................ 6
To configure a RIP network.......................................................................................... 6
Interface list..................................................................................................................... 6
Interface options ............................................................................................................. 6
To configure a RIP interface ........................................................................................ 7
Distribute list ................................................................................................................... 7
Distribute list options....................................................................................................... 8
To configure a distribute list ......................................................................................... 8
Offset list ......................................................................................................................... 8
Offset list options ............................................................................................................ 9
To configure an offset list............................................................................................. 9
Router objects................................................................................................................... 10
Access list ..................................................................................................................... 10
New access list ............................................................................................................. 10
To add an access list name ....................................................................................... 10
New access list entry .................................................................................................... 11
To configure an access list entry................................................................................ 11
Prefix list ....................................................................................................................... 11
New Prefix list ............................................................................................................... 11
To add a prefix list name............................................................................................ 11
New prefix list entry....................................................................................................... 12
To configure a prefix list entry .................................................................................... 12
Route-map list............................................................................................................... 12
New Route-map ............................................................................................................ 13
To add a route map name.......................................................................................... 13
Route-map list entry...................................................................................................... 13
8 01-28006-0010-20041105 Fortinet Inc.
Page 9
To configure a route map entry .................................................................................. 13
Key chain list................................................................................................................. 14
New key chain............................................................................................................... 14
To add a key chain name........................................................................................... 14
Key chain list entry........................................................................................................ 14
To configure a key chain entry ................................................................................... 14
Monitor.............................................................................................................................. 15
Routing monitor list ....................................................................................................... 15
To filter the routing monitor display............................................................................ 15
CLI configuration............................................................................................................... 16
get router info ospf ........................................................................................................ 16
get router info protocols ................................................................................................ 16
get router info rip........................................................................................................... 17
config router ospf ......................................................................................................... 17
config router static6....................................................................................................... 39
Firewall.................................................................................................................. 41
Policy ................................................................................................................................ 42
How policy matching works........................................................................................... 42
Policy list ....................................................................................................................... 42
Policy options................................................................................................................ 43
Advanced policy options ............................................................................................... 45
Configuring firewall policies .......................................................................................... 46
To add a firewall policy............................................................................................... 46
To delete a policy ....................................................................................................... 47
To edit a policy ........................................................................................................... 47
To change the position of a policy in the list .............................................................. 47
To disable a policy ..................................................................................................... 47
To enable a policy ...................................................................................................... 47
Policy CLI configuration ................................................................................................ 47
Address............................................................................................................................. 48
Address list ................................................................................................................... 49
Address options ............................................................................................................ 49
Configuring addresses .................................................................................................. 50
To add an address ..................................................................................................... 50
To edit an address ..................................................................................................... 50
To delete an address ................................................................................................. 50
Address group list ......................................................................................................... 51
Address group options .................................................................................................. 51
Configuring address groups.......................................................................................... 51
To organize addresses into an address group........................................................... 51
To delete an address group ....................................................................................... 51
To edit an address group ........................................................................................... 52
Contents
FortiGate-3000 Administration Guide 01-28006-0010-20041105 9
Page 10
Contents
Service.............................................................................................................................. 52
Predefined service list................................................................................................... 52
Custom service list........................................................................................................ 52
Custom service options................................................................................................. 53
Configuring custom services......................................................................................... 53
To add a custom TCP or UDP service....................................................................... 53
To add a custom ICMP service .................................................................................. 53
To add a custom IP service........................................................................................ 54
To delete a custom service ........................................................................................ 54
To edit a custom service ............................................................................................ 54
Service group list .......................................................................................................... 54
Service group options ................................................................................................... 55
Configuring service groups ........................................................................................... 55
To organize services into a service group.................................................................. 55
To delete a service group........................................................................................... 55
To edit a service group............................................................................................... 55
Schedule........................................................................................................................... 55
One-time schedule list .................................................................................................. 56
One-time schedule options ........................................................................................... 56
Configuring one-time schedules ................................................................................... 56
To add a one-time schedule....................................................................................... 56
To delete a one-time schedule................................................................................... 57
To edit a one-time schedule....................................................................................... 57
Recurring schedule list.................................................................................................. 57
Recurring schedule options .......................................................................................... 57
Configuring recurring schedules ................................................................................... 58
To add a recurring schedule ...................................................................................... 58
To delete a recurring schedule................................................................................. 58
To edit a recurring schedule..................................................................................... 58
Virtual IP ........................................................................................................................... 58
Virtual IP list .................................................................................................................. 59
Virtual IP options........................................................................................................... 59
Configuring virtual IPs................................................................................................... 60
To add a static NAT virtual IP .................................................................................... 60
To add port forwarding virtual IPs .............................................................................. 61
To add a dynamic port forwarding virtual IP............................................................... 62
To delete a virtual IP .................................................................................................. 62
To edit a virtual IP ...................................................................................................... 62
IP pool............................................................................................................................... 63
IP pool list ..................................................................................................................... 63
IP pool options .............................................................................................................. 63
Configuring IP pools...................................................................................................... 63
To add an IP pool....................................................................................................... 63
To delete an IP pool................................................................................................... 64
10 01-28006-0010-20041105 Fortinet Inc.
Page 11
To edit a IP pool ......................................................................................................... 64
IP Pools for firewall policies that use fixed ports ........................................................... 64
IP pools and dynamic NAT ........................................................................................... 64
Protection profile ............................................................................................................... 65
Protection profile list...................................................................................................... 65
Default protection profiles ............................................................................................. 65
Protection profile options .............................................................................................. 66
Configuring protection profiles ...................................................................................... 68
To add a protection profile ......................................................................................... 68
To delete a protection profile................................................................................... 69
To edit a protection profile....................................................................................... 69
To add a protection profile to a policy ........................................................................ 69
CLI configuration........................................................................................................... 69
Users and authentication ...................................................................................... 1
Setting authentication timeout............................................................................................. 2
Local ................................................................................................................................... 2
Local user list .................................................................................................................. 2
Contents
Local user options........................................................................................................... 2
To add a user name and configure authentication....................................................... 2
To delete a user name from the internal database ...................................................... 3
RADIUS .............................................................................................................................. 3
RADIUS server list .......................................................................................................... 3
RADIUS server options................................................................................................... 3
To configure the FortiGate unit for RADIUS authentication ......................................... 3
To delete a RADIUS server.......................................................................................... 4
LDAP................................................................................................................................... 4
LDAP server list .............................................................................................................. 4
LDAP server options ....................................................................................................... 4
To configure the FortiGate unit for LDAP authentication: ............................................ 5
To delete an LDAP server............................................................................................ 5
User group .......................................................................................................................... 6
User group list................................................................................................................. 6
User group options.......................................................................................................... 6
To configure a user group ............................................................................................ 6
To delete a user group................................................................................................. 7
CLI configuration................................................................................................................. 7
peer................................................................................................................................. 7
peergrp............................................................................................................................ 8
FortiGate-3000 Administration Guide 01-28006-0010-20041105 11
Page 12
Contents
VPN........................................................................................................................ 11
Phase 1............................................................................................................................. 12
Phase 1 list ................................................................................................................... 12
Phase 1 basic settings .................................................................................................. 12
Phase 1 advanced options............................................................................................ 14
Configuring XAuth......................................................................................................... 15
Phase 2............................................................................................................................. 16
Phase 2 list ................................................................................................................... 17
Phase 2 basic settings .................................................................................................. 17
Phase 2 advanced options............................................................................................ 17
Manual key........................................................................................................................ 19
Manual key list .............................................................................................................. 19
Manual key options ....................................................................................................... 20
Concentrator ..................................................................................................................... 20
Concentrator list............................................................................................................ 21
Concentrator options..................................................................................................... 21
Ping Generator.................................................................................................................. 21
Ping generator options.................................................................................................. 22
Monitor.............................................................................................................................. 22
Dialup monitor............................................................................................................... 22
Static IP and dynamic DNS monitor.............................................................................. 23
PPTP................................................................................................................................. 23
Setting up a PPTP-based VPN ..................................................................................... 24
Enabling PPTP and specifying a PPTP range .............................................................. 24
Configuring a Windows 2000 client for PPTP ............................................................... 25
To configure a PPTP dialup connection..................................................................... 25
To connect to the PPTP VPN..................................................................................... 25
Configuring a Windows XP client for PPTP .................................................................. 25
To configure a PPTP dialup connection..................................................................... 25
To configure the VPN connection .............................................................................. 26
To connect to the PPTP VPN..................................................................................... 26
PPTP passthrough........................................................................................................ 26
To configure a dynamic port forwarding virtual IP for port 1723 ................................ 27
To configure the firewall policy................................................................................... 27
L2TP ................................................................................................................................ 28
Setting up a L2TP-based VPN...................................................................................... 28
Enabling L2TP and specifying an L2TP range.............................................................. 29
Configuring a Windows 2000 client for L2TP................................................................ 29
To configure an L2TP dialup connection.................................................................... 29
To disable IPSec........................................................................................................ 30
To connect to the L2TP VPN ..................................................................................... 30
Configuring a Windows XP client for L2TP ................................................................... 30
To configure an L2TP VPN dialup connection ........................................................... 30
12 01-28006-0010-20041105 Fortinet Inc.
Page 13
To configure the VPN connection .............................................................................. 31
To disable IPSec........................................................................................................ 31
To connect to the L2TP VPN ..................................................................................... 32
Certificates ........................................................................................................................ 32
Viewing the certificate list.............................................................................................. 33
Generating a certificate request.................................................................................... 33
Installing a signed certificate ........................................................................................ 34
Enabling VPN access for specific certificate holders ................................................... 35
CLI configuration............................................................................................................... 36
ipsec phase1................................................................................................................. 36
ipsec phase2................................................................................................................. 38
ipsec vip ........................................................................................................................ 38
Authenticating peers with preshared keys ........................................................................ 40
Gateway-to-gateway VPN................................................................................................. 40
Dialup VPN ....................................................................................................................... 41
Dynamic DNS VPN ........................................................................................................... 41
Manual key IPSec VPN..................................................................................................... 42
Adding firewall policies for IPSec VPN tunnels................................................................. 42
Setting the encryption policy direction .......................................................................... 42
Setting the source address for encrypted traffic ........................................................... 42
Setting the destination address for encrypted traffic ..................................................... 43
Adding an IPSec firewall encryption policy ................................................................... 43
Internet browsing through a VPN tunnel ........................................................................... 43
Configuring Internet browsing through a VPN tunnel.................................................... 44
IPSec VPN in Transparent mode...................................................................................... 45
Special rules ................................................................................................................. 45
Hub and spoke VPNs........................................................................................................ 46
Configuring the hub....................................................................................................... 46
Configuring spokes ....................................................................................................... 47
Redundant IPSec VPNs.................................................................................................... 48
Configuring redundant IPSec VPNs.............................................................................. 49
Configuring IPSec virtual IP addresses ............................................................................ 50
Troubleshooting ................................................................................................................ 51
Contents
IPS ......................................................................................................................... 53
Signature........................................................................................................................... 54
Predefined..................................................................................................................... 54
To enable or disable predefined signature groups..................................................... 56
To configure predefined signature settings ................................................................ 56
To restore the recommended settings of a signature................................................. 56
Custom.......................................................................................................................... 57
To add a custom signature......................................................................................... 58
Anomaly............................................................................................................................ 59
To configure the settings of an anomaly .................................................................... 60
FortiGate-3000 Administration Guide 01-28006-0010-20041105 13
Page 14
Contents
To restore the default settings of an anomaly ............................................................ 61
Anomaly CLI configuration............................................................................................ 61
Configuring IPS logging and alert email............................................................................ 62
Default fail open setting .................................................................................................... 62
Antivirus ............................................................................................................... 65
File block........................................................................................................................... 66
File block list ................................................................................................................. 67
Configuring the file block list ......................................................................................... 67
To add a file name or file pattern to the file block list................................................. 67
Quarantine ........................................................................................................................ 68
Quarantined files list ..................................................................................................... 68
Quarantined files list options......................................................................................... 68
AutoSubmit list .............................................................................................................. 69
AutoSubmit list options ................................................................................................. 69
Configuring the AutoSubmit list..................................................................................... 69
To add a file pattern to the AutoSubmit list ................................................................ 69
Config............................................................................................................................ 70
Config................................................................................................................................ 70
Virus list ........................................................................................................................ 71
Config............................................................................................................................ 71
Grayware ...................................................................................................................... 71
Grayware options.......................................................................................................... 71
CLI configuration............................................................................................................... 72
system global av_failopen............................................................................................. 72
system global optimize.................................................................................................. 73
heuristic......................................................................................................................... 74
quarantine ..................................................................................................................... 75
service http.................................................................................................................... 75
service ftp...................................................................................................................... 76
service pop3.................................................................................................................. 77
service imap.................................................................................................................. 78
service smtp.................................................................................................................. 79
Web filter............................................................................................................... 81
Content block.................................................................................................................... 82
Web content block list ................................................................................................... 83
Web content block options............................................................................................ 83
Configuring the web content block list .......................................................................... 83
To add or edit a banned word .................................................................................... 83
URL block ......................................................................................................................... 84
Web URL block list........................................................................................................ 84
Web URL block options ................................................................................................ 85
Configuring the web URL block list ............................................................................... 85
14 01-28006-0010-20041105 Fortinet Inc.
Page 15
To add a URL to the web URL block list .................................................................... 85
Web pattern block list.................................................................................................... 85
Web pattern block options ............................................................................................ 86
Configuring web pattern block ...................................................................................... 86
To add a pattern to the web pattern block list ............................................................ 86
URL exempt...................................................................................................................... 86
URL exempt list............................................................................................................. 86
URL exempt list options ................................................................................................ 87
Configuring URL exempt............................................................................................... 87
To add a URL to the URL exempt list ........................................................................ 87
Category block .................................................................................................................. 87
FortiGuard managed web filtering service .................................................................... 87
Category block configuration options ............................................................................ 88
Configuring web category block.................................................................................... 89
To enable FortiGuard web filtering............................................................................. 89
Category block reports.................................................................................................. 89
Category block reports options ..................................................................................... 89
Generating a category block report............................................................................... 90
To generate a category block report .......................................................................... 90
Category block CLI configuration.................................................................................. 90
Script filter ......................................................................................................................... 91
Web script filter options................................................................................................. 91
Contents
Spam filter ............................................................................................................ 93
IP address......................................................................................................................... 95
IP address list ............................................................................................................... 96
IP address options ........................................................................................................ 96
Configuring the IP address list ...................................................................................... 96
To add an IP address to the IP address list ............................................................... 96
RBL & ORDBL .................................................................................................................. 97
RBL & ORDBL list......................................................................................................... 97
RBL & ORDBL options.................................................................................................. 97
Configuring the RBL & ORDBL list ............................................................................... 97
To add a server to the RBL & ORDBL list.................................................................. 97
Email address ................................................................................................................... 98
Email address list.......................................................................................................... 98
Email address options................................................................................................... 98
Configuring the email address list................................................................................. 98
To add an email address or domain to the list ........................................................... 98
MIME headers................................................................................................................... 99
MIME headers list ......................................................................................................... 99
MIME headers options .................................................................................................. 99
Configuring the MIME headers list.............................................................................. 100
To add a MIME header to the list............................................................................. 100
FortiGate-3000 Administration Guide 01-28006-0010-20041105 15
Page 16
Contents
Banned word................................................................................................................... 100
Banned word list ......................................................................................................... 101
Banned word options .................................................................................................. 101
Configuring the banned word list ................................................................................ 101
To add or edit a banned word .................................................................................. 101
Using Perl regular expressions....................................................................................... 102
To block any word in a phrase ................................................................................. 104
To block purposely misspelled words ...................................................................... 104
To block common spam phrases ............................................................................. 104
Log & Report ...................................................................................................... 105
Log config ....................................................................................................................... 106
Log Setting options ..................................................................................................... 106
To configure Log Setting .......................................................................................... 107
To configure log file uploading ................................................................................. 109
Alert E-mail options..................................................................................................... 110
To configure alert email............................................................................................ 110
Log filter options.......................................................................................................... 111
Configuring log filters .................................................................................................. 113
To configure log filters.............................................................................................. 113
Enabling traffic logging................................................................................................ 113
To enable traffic logging for an interface or VLAN subinterface............................... 113
To enable traffic logging for a firewall policy ............................................................ 113
Log access...................................................................................................................... 114
Disk log file access ..................................................................................................... 114
To access log files on the FortiGate disk ................................................................. 114
To download log files from the FortiGate disk.......................................................... 114
To view and search log messages on the FortiGate disk ........................................ 115
Viewing log messages ................................................................................................ 115
To view log messages in the FortiGate memory buffer............................................ 115
To view log messages in FortiGate disk drive files .................................................. 116
The Detailed Information column provides the entire raw log entry and is not needed unless the
log contains information not available in any of the other, more specific columns... 116
To change the columns in the log message display ................................................ 116
Searching log messages............................................................................................. 117
To perform a simple keyword search ....................................................................... 117
To perform an advanced search .............................................................................. 117
CLI configuration............................................................................................................. 117
fortilog setting.............................................................................................................. 117
syslogd setting ............................................................................................................ 119
16 01-28006-0010-20041105 Fortinet Inc.
Page 17
FortiGuard categories ....................................................................................... 121
FortiGate maximum values ............................................................................... 127
Glossary ............................................................................................................. 131
Index.................................................................................................................... 135
Contents
FortiGate-3000 Administration Guide 01-28006-0010-20041105 17
Page 18
Contents
18 01-28006-0010-20041105 Fortinet Inc.
Page 19
FortiGate-3000 Administration Guide Version 2.80 MR6
Introduction
FortiGate Antivirus Firewalls support network-based deployment of application-level
services, including antivirus protection and full-scan content filtering. FortiGate
Antivirus Firewalls improve network security, reduce network misuse and abuse, and
help you use communications resources more efficiently without compromising the
performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for
firewall, IPSec, and antivirus services.
This chapter introduces you to FortiGate Antivirus Firewalls and the following topics:
• About FortiGate Antivirus Firewalls
• Document conventions
• FortiGate documentation
• Related documentation
• Customer service and technical support
About FortiGate Antivirus Firewalls
The FortiGate Antivirus Firewall is a dedicated easily managed security device that
delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic
shaping.
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content
Analysis System (ABACAS™) technology, which leverages breakthroughs in chip
design, networking, security, and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications to
be deployed right at the network edge, where they are most effective at protecting
your networks. The FortiGate series complements existing solutions, such as hostbased antivirus protection, and enables new applications and services while greatly
lowering costs for equipment, administration, and maintenance.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 19
Page 20
About FortiGate Antivirus Firewalls Introduction
The FortiGate-3000 model provides the
POWER
12
carrier-class levels of performance and
reliability demanded by large enterprises
and service providers. The
Esc Enter
123 4/HA INTERNAL EXTERNAL
3
INT
Hi-Temp
4/HA
EXT
FortiGate-3000 uses multiple CPUs and
FortiASIC chips to deliver throughput of 3Gbps, meeting the needs of the most
demanding applications. Each FortiGate-3000 unit includes redundant power supplies
to minimize single-point failures, and also supports load-balanced operation and
redundant failover with no interruption in service. The FortiGate-3000 includes three
10/100 BaseTX ports, one Gigabit ethernet port, and two Gigabit fibre ports. The high
capacity, reliability, and easy management of the FortiGate-3000 makes it a natural
choice for managed service offerings.
Antivirus protection
FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP),
and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit.
FortiGate antivirus protection uses pattern matching and heuristics to find viruses. If a
virus is found, antivirus protection removes the file containing the virus from the
content stream and forwards a replacement message to the intended recipient.
For extra protection, you can configure antivirus protection to block specified file types
from passing through the FortiGate unit. You can use the feature to stop files that
might contain new viruses.
FortiGate antivirus protection can also identify and remove known grayware
programs. Grayware programs are usually unsolicited commercial software programs
that get installed on PCs, often without the user’s consent or knowledge. Grayware
programs are generally considered an annoyance, but these programs can cause
system performance problems or be used for malicious means.
If the FortiGate unit contains a hard disk, infected or blocked files and grayware files
can be quarantined. The FortiGate administrator can download quarantined files so
that they can be virus scanned, cleaned, and forwarded to the intended recipient. You
can also configure the FortiGate unit to automatically delete quarantined files after a
specified time.
The FortiGate unit can send email alerts to system administrators when it detects and
removes a virus from a content stream. The web and email content can be in normal
network traffic or encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
• detect viruses in compressed files using the PKZip format,
• detect viruses in email that has been encoded using uuencode format,
• detect viruses in email that has been encoded using MIME encoding,
• log all actions taken while scanning.
20 01-28006-0010-20041105 Fortinet Inc.
Page 21
Introduction About FortiGate Antivirus Firewalls
Web content filtering
FortiGate web content filtering can scan all HTTP content protocol streams for URLs,
URL patterns, and web page content. If there is a match between a URL on the URL
block list, or a web page contains a word or phrase that is in the content block list, the
FortiGate unit blocks the web page. The blocked web page is replaced with a
message that you can edit using the FortiGate web-based manager.
FortiGate web content filtering also supports FortiGuard web category blocking. Using
web category blocking you can restrict or allow access to web pages based on
content ratings of web pages.
You can configure URL blocking to block all or some of the pages on a web site. Using
this feature, you can deny access to parts of a web site without denying access to it
completely.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an
exempt list that overrides the URL blocking and content blocking lists. The exempt list
also exempts web traffic this address from virus scanning.
Web content filtering also includes a script filter feature that can block unsecure web
content such as Java applets, cookies, and ActiveX.
Spam filtering
Firewall
FortiGate spam filtering can scan all POP3, SMTP, and IMAP email content for spam.
You can configure spam filtering to filter mail according to IP address, email address,
mime headers, and content. Mail messages can be identified as spam or clear.
You can also add the names of known Real-time Blackhole List (RBL) and Open
Relay Database List (ORDBL) servers. These services contain lists of known spam
sources.
If an email message is found to be spam, the FortiGate adds an email tag to the
subject line of the email. The recipient can use the mail client software to filter
messages based on the email tag. Spam filtering can also be configured to delete
SMTP email messages identified as spam.
The FortiGate ICSA-certified firewall protects your computer networks from Internet
threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification,
providing assurance that FortiGate firewalls successfully screen and secure corporate
networks against a range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected
network to access the Internet while blocking Internet access to internal networks. You
can configure the firewall to put controls on access to the Internet from the protected
networks and to allow controlled access to internal networks.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 21
Page 22
About FortiGate Antivirus Firewalls Introduction
FortiGate policies include a range of options that:
• control all incoming and outgoing network traffic,
• control encrypted VPN traffic,
• apply antivirus protection and web content filtering,
• block or allow access for all policy options,
• control when individual policies are in effect,
• accept or deny traffic to and from individual addresses,
• control standard and user defined network services individually or in groups,
• require users to authenticate before gaining access,
• include traffic shaping to set access priorities and guarantee or limit bandwidth for
each policy,
• include logging to track connections for individual policies,
• include Network Address Translation (NAT) mode and Route mode policies,
• include mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its
interfaces is associated with a different IP subnet and that it appears to other devices
as a router. This is how a firewall is normally deployed.
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a
more secure network from users in a less secure network.
• Route mode policies accept or deny connections between networks without
performing address translation.
Transparent mode
In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This
means that all of its interfaces are on the same IP subnet and that it appears to other
devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to
provide antivirus and content filtering behind an existing firewall solution.
Transparent mode provides the same basic firewall protection as NAT mode. The
FortiGate unit passes or blocks the packets it receives according to firewall policies.
The FortiGate unit can be inserted in the network at any point without having to make
changes to your network or its components. However, some advanced firewall
features are available only in NAT/Route mode.
22 01-28006-0010-20041105 Fortinet Inc.
Page 23
Introduction About FortiGate Antivirus Firewalls
VLANs and virtual domains
Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags.
Using VLAN technology, a single FortiGate unit can provide security services to, and
control connections between, multiple security domains according to the VLAN IDs
added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply
security policies to secure network and IPSec VPN traffic between each security
domain. The FortiGate unit can also apply authentication, content filtering, and
antivirus protection to VLAN-tagged network and VPN traffic.
The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In
NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets.
FortiGate virtual domains provide multiple logical firewalls and routers in a single
FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall
and routing services to multiple networks so that traffic from each network is
effectively separated from every other network.
You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies,
routing, and VPN configuration for each virtual domain separately. For these
configuration settings, each virtual domain is functionally similar to a single FortiGate
unit. This separation simplifies configuration because you do not have to manage as
many routes or firewall policies at one time.
Intrusion Prevention System (IPS)
The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly
based intrusion detection and prevention. The FortiGate unit can record suspicious
traffic in logs, can send alert email to system administrators, and can log, pass, drop,
reset, or clear suspicious packets or sessions. Both the IPS predefined signatures and
the IPS engine are upgradeable through the FortiProtect Distribution Network (FDN).
You can also create custom signatures.
VPN
Using FortiGate virtual private networking (VPN), you can provide a secure
connection between widely separated office networks or securely link telecommuters
or travellers to an office network.
• PPTP for easy connectivity with the VPN standard supported by the most popular
operating systems.
• L2TP for easy connectivity with a more secure VPN standard, also supported by
many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT
can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from
one tunnel to another through the FortiGate unit.
• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a
remote network.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 23
Page 24
About FortiGate Antivirus Firewalls Introduction
FortiGate VPN features include the following:
• Industry standard and ICSA-certified IPSec VPN, including:
• IPSec VPN in NAT/Route and Transparent mode,
• IPSec, ESP security in tunnel mode,
• DES, 3DES (triple-DES), and AES hardware accelerated encryption,
• HMAC MD5 and HMAC SHA1 authentication and data integrity,
• AutoIKE key based on pre-shared key tunnels,
• IPSec VPN using local or CA certificates,
• Manual Keys tunnels,
• Diffie-Hellman groups 1, 2, and 5,
• Aggressive and Main Mode,
• Replay Detection,
• Perfect Forward Secrecy,
• XAuth authentication,
• Dead peer detection,
• DHCP over IPSec,
• Secure Internet browsing.
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must be running the same FortiOS firmware image.
FortiGate HA supports link redundancy and device redundancy.
FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a
primary FortiGate unit that processes traffic, and one or more subordinate FortiGate
units. The subordinate FortiGate units are connected to the network and to the
primary FortiGate unit but do not process traffic.
Active-active (A-A) HA load balances virus scanning among all the FortiGate units in
the cluster. An active-active HA cluster consists of a primary FortiGate unit that
processes traffic and one or more secondary units that also process traffic. The
primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to
all the FortiGate units in the HA cluster.
Secure installation, configuration, and management
The first time you power on the FortiGate unit, it is already configured with default IP
addresses and security policies. Connect to the web-based manager, set the
operating mode, and use the Setup wizard to customize FortiGate IP addresses for
your network, and the FortiGate unit is ready to protect your network. You can then
use the web-based manager to customize advanced FortiGate features.
You can also create a basic configuration using the FortiGate front panel control
buttons and LCD.
24 01-28006-0010-20041105 Fortinet Inc.
Page 25
Introduction About FortiGate Antivirus Firewalls
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet
Explorer, you can configure and manage the FortiGate unit. The web-based manager
supports multiple languages. You can configure the FortiGate unit for HTTP and
HTTPS administration from any FortiGate interface.
You can use the web-based manager to configure most FortiGate settings. You can
also use the web-based manager to monitor the status of the FortiGate unit.
Configuration changes made using the web-based manager are effective immediately
without resetting the firewall or interrupting service. Once you are satisfied with a
configuration, you can download and save it. The saved configuration can be restored
at any time.
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a
management computer serial port to the FortiGate RS-232 serial console connector.
You can also use Telnet or a secure SSH connection to connect to the CLI from any
network that is connected to the FortiGate unit, including the Internet.
The CLI supports the same configuration and monitoring functionality as the
web-based manager. In addition, you can use the CLI for advanced configuration
options that are not available from the web-based manager.
This Administration Guide contains information about basic and advanced CLI
commands. For a more complete description about connecting to and using the
FortiGate CLI, see the FortiGate CLI Reference Guide.
Logging and reporting
The FortiGate unit supports logging for various categories of traffic and configuration
changes. You can configure logging to:
• report traffic that connects to the firewall,
• report network services used,
• report traffic that was permitted by firewall policies,
• report traffic that was denied by firewall policies,
• report events such as configuration changes and other management events, IPSec
tunnel negotiation, virus detection, attacks, and web page blocking,
• report attacks detected by the IPS,
• send alert email to system administrators to report virus incidents, intrusions, and
firewall or VPN events or violations.
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting
Center and Firewall Suite server using the WebTrends enhanced log format. Some
models can also save logs to an optional internal hard drive. If a hard drive is not
installed, you can configure most FortiGate units to log the most recent events and
attacks detected by the IPS to the system memory.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 25
Page 26
Document conventions Introduction
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• Angle brackets < > to indicate variables.
For example:
execute restore config <filename_str>
You enter:
execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage
returns.
<xxx_integer> indicates an integer string that is a decimal (base 10) number.
<xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters
A-F.
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted
decimal IPv4 netmask.
<xxx_ipv6> indicates a dotted decimal IPv6 address.
<xxx_v6mask> indicates a dotted decimal IPv6 netmask.
<xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted
decimal IPv6 netmask.
• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive
required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
• Square brackets [ ] to indicate that a keyword or variable is optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface.
To show the settings for the internal interface, you can enter show system
interface internal.
26 01-28006-0010-20041105 Fortinet Inc.
Page 27
Introduction FortiGate documentation
• A space to separate options that can be entered in any combination and must be
separated by spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases to make changes to lists that contain options separated by spaces,
you need to retype the whole list including all the options you want to apply and
excluding all the options you want to remove.
FortiGate documentation
Information about FortiGate products is available from the following guides:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference, default
configuration information, installation procedures, connection procedures, and
basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including how
to define FortiGate protection profiles and firewall policies; how to apply intrusion
prevention, antivirus protection, web content filtering, and spam filtering; and how
to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration Guide in
HTML format. You can access online help from the web-based manager as you
work.
• FortiGate CLI Reference Guide
Describes how to use the FortiGate CLI and contains a reference to all FortiGate
CLI commands.
• FortiGate Log Message Reference Guide
Describes the structure of FortiGate log messages and provides information about
the log messages that are generated by FortiGate units.
• FortiGate High Availability Guide
Contains in-depth information about the FortiGate high availability feature and the
FortiGate clustering protocol.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 27
Page 28
Related documentation Introduction
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Related documentation
Additional information about Fortinet products is available from the following related
documentation.
FortiManager documentation
• FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager Server,
and configure basic settings.
• FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format. You
can access online help from the FortiManager Console as you work.
FortiClient documentation
• FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up firewall
policies.
• FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient
software.
FortiMail documentation
• FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway mode
and server mode, including how to configure the unit; create profiles and policies;
configure antispam and antivirus filters; create user accounts; and set up logging
and reporting.
• FortiMail online help
Provides a searchable version of the Administration Guide in HTML format. You
can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to send
and receive email; how to add, import, and export addresses; and how to configure
message display preferences.
28 01-28006-0010-20041105 Fortinet Inc.
Page 29
Introduction Related documentation
FortiLog documentation
• FortiLog Administration Guide
Describes how to install and configure a FortiLog unit to collect FortiGate and
FortiMail log files. It also describes how to view FortiGate and FortiMail log files,
generate and view log reports, and use the FortiLog unit as a NAS server.
• FortiLog online help
Provides a searchable version of the Administration Guide in HTML format. You
can access online help from the web-based manager as you work.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 29
Page 30
Customer service and technical support Introduction
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product
documentation, technical support information, and other resources, please visit the
Fortinet Technical Support web site at http://support.fortinet.com.
You can also register Fortinet products and service contracts from
http://support.fortinet.com and change your registration information at any time.
Technical support is available through email from any of the following addresses.
Choose the email address for your region:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore,
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland
America and South America.
Malaysia, all other Asian countries, and Australia.
Europe, Africa, and the Middle East.
For information about our priority support hotline (live support), see
http://support.fortinet.com.
When requesting technical support, please provide the following information:
• your name
• your company’s name and location
• your email address
• your telephone number
• your support contract number (if applicable)
• the product name and model number
• the product serial number (if applicable)
• the software or firmware version number
• a detailed description of the problem
30 01-28006-0010-20041105 Fortinet Inc.
Page 31
FortiGate-3000 Administration Guide Version 2.80 MR6
System status
You can connect to the web-based manager and view the current system status of the
FortiGate unit. The status information that is displayed includes the system status, unit
information, system resources, and session log.
This chapter includes:
• Console access
• Status
• Session list
• Changing the FortiGate firmware
Console access
An alternative to the web-based manager discussed in this manual is text-based
Console Access, using the FortiGate command line interface (CLI). You can get
console access by selecting Console Access button in the upper right corner of the
web-based manager. The management computer must have Java version 1.3 or
higher installed.
For information on how to use the CLI, see the FortiGate CLI Reference Guide.
Figure 1: Console access
FortiGate-3000 Administration Guide 01-28006-0010-20041105 31
Page 32
Status System status
Connect Select Connect to connect to the CLI.
Disconnect Select Disconnect to disconnect from the CLI.
Clear screen Select Clear screen to start a new page.
Status
View the system status page for a snap shot of the current operating status of the
FortiGate unit. All FortiGate administrators with read access to system configuration
can view system status information.
FortiGate administrators whose access profiles contain system configuration write
privileges can change or update FortiGate unit information. For information on access
profiles, see “Access profiles” on page 119.
• Viewing system status
• Changing unit information
Viewing system status
Figure 2: System status
Automatic Refresh
Interval
Go Select to set the selected automatic refresh interval.
Refresh Select to manually update the system status display.
32 01-28006-0010-20041105 Fortinet Inc.
Select to control how often the web-based manager updates the system
status display.
Page 33
System status Status
System status
UP Time The time in days, hours, and minutes since the FortiGate unit was last
System Time The current time according to the FortiGate unit internal clock.
Log Disk Displays hard disk capacity and free space if the FortiGate unit contains a
Notification Contains reminders such as “Change Password” or “Product Registration”.
started.
hard disk or Not Available if no hard disk is installed. The FortiGate unit uses
the hard disk to store log messages and quarantine files infected with a virus
or blocked by antivirus file blocking.
Select the reminder to see the detailed reminder message.
Unit Information
Admin users and administrators whose access profiles contain system configuration
read and write privileges can change or update the unit information. For information
on access profiles, see “Access profiles” on page 119.
Host Name The host name of the current FortiGate unit.
Firmware Version The version of the firmware installed on the current FortiGate unit.
Antivirus Definitions The current installed version of the FortiGate Antivirus Definitions.
Attack Definitions The current installed version of the FortiGate Attack Definitions used by
Serial Number The serial number of the current FortiGate unit.
Operation Mode The operation mode of the current FortiGate unit.
the Intrusion Prevention System (IPS).
The serial number is
specific to the FortiGate unit and does not change with firmware
upgrades.
Recent Virus Detections
Time The time at which the recent virus was detected.
Src / Dst The source and destination addresses of the virus.
Service The service from which the virus was delivered; HTTP, FTP, IMAP,
Virus Detected The name of the virus detected.
POP3, or SMTP.
Interface Status
All interfaces in the FortiGate unit are listed in the table.
Interface The name of the interface.
IP / Netmask The IP address and netmask of the interface (NAT/Route mode only).
Status The status of the interface; either up (green up arrow) or down (red
down arrow).
FortiGate-3000 Administration Guide 01-28006-0010-20041105 33
Page 34
Status System status
System Resources
CPU Usage The current CPU status. The web-based manager displays CPU usage
Memory Usage The current memory status. The web-based manager displays memory
Hard Disk Usage The current hard disk (local disk) status. The web-based manager
Active Sessions The number of communications sessions being processed by the
Network Utilization The total network bandwidth being used through all FortiGate interfaces
History Select History to view a graphical representation of the last minute of
Figure 3: Sample system resources history
for core processes only. CPU usage for management processes (for
example, for HTTPS connections to the web-based manager) is
excluded.
usage for core processes only. Memory usage for management
processes (for example, for HTTPS connections to the web-based
manager) is excluded.
displays hard disk usage for core processes only. CPU usage for
management processes (for example, for HTTPS connections to the
web-based manager) is excluded.
FortiGate unit.
and the percentage of the maximum network bandwidth that can be
processed by the FortiGate unit.
CPU, memory, sessions, and network usage. This page also shows the
virus and intrusion detections over the last 20 hours.
History
The history page displays 6 graphs representing the following system resources and
protection:
CPU Usage History CPU usage for the previous minute.
Memory Usage History Memory usage for the previous minute.
Session History Session history for the previous minute.
Network Utilization
History
Virus History The virus detection history over the last 20 hours.
Intrusion History The intrusion detection history over the last 20 hours.
34 01-28006-0010-20041105 Fortinet Inc.
Network utilization for the previous minute.
Page 35
System status Status
Recent Intrusion Detections
Time The time at which the recent intrusion was detected.
Src / Dst The source and destination addresses of the attack.
Service The service from which the attack was delivered; HTTP, FTP, IMAP,
Attack Name The name of the attack.
POP3, or SMTP.
Changing unit information
Administrators with system configuration write access can use the unit information
area of the System Status page:
• To change FortiGate host name
• To update the firmware version
• To update the antivirus definitions manually
• To update the attack definitions manually
• To change to Transparent mode
• To change to NAT/Route mode
To change FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI
prompt. The host name is also used as the SNMP system name. For information
about the SNMP system name, see “SNMP” on page 104.
The default host name is FortiGate-3000.
Note: If the FortiGate unit is part of an HA cluster, you should set a unique name to distinguish
the unit from others in the cluster.
1 Go to System > Status > Status.
2 In the Host Name field of the Unit Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt, and is
added to the SNMP System Name.
To update the firmware version
For information on updating the firmware, see “Changing the FortiGate firmware” on
page 38.
To update the antivirus definitions manually
Note: For information about configuring the FortiGate unit for automatic antivirus definitions
updates, see “Update center” on page 126.
1 Download the latest antivirus definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 35
Page 36
Status System status
2 Start the web-based manager and go to System > Status > Status.
3 In the Antivirus Definitions field of the Unit Information section, select Update.
4 In the Update File field, type the path and filename for the antivirus definitions update
file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information
has updated.
To update the attack definitions manually
Note: For information about configuring the FortiGate unit for automatic attack definitions
updates, see “Update center” on page 126.
1 Download the latest attack definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Attack Definitions field of the Unit Information section, select Update.
The Intrusion Detection System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update
file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the Attack Definitions Version
information has updated.
To change to Transparent mode
After you change the FortiGate unit from the NAT/Route mode to Transparent mode,
most of the configuration resets to Transparent mode factory defaults, except for HA
settings (see “HA” on page 90).
To change to Transparent mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select Transparent.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for
Transparent mode management access and browse to https:// followed by the
Transparent mode management IP address.
By default in Transparent mode, you can connect to the internal interface. The default
Transparent mode management IP address is 10.10.10.1.
36 01-28006-0010-20041105 Fortinet Inc.
Page 37
System status Session list
Note: If the web-based manager IP address was on a different subnet in NAT/Route mode, you
may have to change the IP address of your computer to the same subnet as the management
IP address.
To change to NAT/Route mode
After you change the FortiGate unit from the NAT/Route mode to Transparent mode,
most of the configuration resets to Transparent mode factory defaults, except for HA
settings (see “HA” on page 90).
To change to NAT/Route mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select NAT/Route.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, you must connect to the interface
configured by default for management access.
By default in NAT/Route mode, you can connect to the internal interface. The default
internal interface IP address is 192.168.1.99.
Session list
Note: If the management IP address was on a different subnet in Transparent mode, you may
have to change the IP address of your computer to the same subnet as the interface configured
for management access.
The session list displays information about the communications sessions currently
being processed by the FortiGate unit. You can use the session list to view current
sessions.
Figure 4: Sample session list
From IP Set source IP address for list filtering
From Port Set source port for list filtering
To IP Set destination IP address for list filtering
To Port Set destination port for list filtering
Apply Filter Select to filter session list
Virtual Domain Select a virtual domain to list the sessions being processed by that virtual
domain. Select All to view sessions being processed by all virtual domains.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 37
Page 38
Changing the FortiGate firmware System status
Total Number of
Sessions
Protocol The service protocol of the connection, for example, udp, tcp, or icmp.
From IP The source IP address of the connection.
From Port The source port of the connection.
To IP The destination IP address of the connection.
To Port The destination port of the connection.
Expire The time, in seconds, before the connection expires.
Total number of sessions currently being conducted through the FortiGate
unit.
Refresh icon. Select to update the session list
Page up icon. Select to view previous page in the session list
Page down icon. Select to view the next page in the session list.
Delete icon. Select to stop an active communication session.
To view the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiGate
unit session table and lists the top 16.
2 To navigate the list of sessions, select Page Up or Page Down.
3 Select Refresh to update the session list.
4 If you are logged in as an administrative user with read and write privileges or as the
admin user, you can select Clear to stop an active session.
Changing the FortiGate firmware
FortiGate administrators whose access profiles contain system configuration read and
write privileges and the FortiGate admin user can change the FortiGate firmware.
After you download a FortiGate firmware image from Fortinet, you can use the
procedures listed in Table 1 to install the firmware image on your FortiGate unit.
38 01-28006-0010-20041105 Fortinet Inc.
Page 39
System status Changing the FortiGate firmware
Table 1: Firmware upgrade procedures
Procedure Description
Upgrading to a new
firmware version
Reverting to a
previous firmware
version
Installing firmware
images from a system
reboot using the CLI
Testing a new
firmware image before
installing it
Installing and using a
backup firmware
image
Use the web-based manager or CLI procedure to upgrade to a new
FortiOS firmware version or to a more recent build of the same
firmware version.
Use the web-based manager or CLI procedure to revert to a
previous firmware version. This procedure reverts the FortiGate
unit to its factory default configuration.
Use this procedure to install a new firmware version or revert to a
previous firmware version. To use this procedure you must connect
to the CLI using the FortiGate console port and a null-modem
cable. This procedure reverts the FortiGate unit to its factory
default configuration.
Use this procedure to test a new firmware image before installing it.
To use this procedure you must connect to the CLI using the
FortiGate console port and a null-modem cable. This procedure
temporarily installs a new firmware image using your current
configuration. You can test the firmware image before installing it
permanently. If the firmware image works correctly you can use
one of the other procedures listed in this table to install it
permanently.
If the FortiGate unit is running BIOS version v3.x, you can install a
backup firmware image. Once the backup firmware image is
installed you can switch to this backup image when required.
Upgrading to a new firmware version
Use the following procedures to upgrade the FortiGate unit to a newer firmware
version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions
included with the firmware release that you are installing. After you install new firmware, use the
procedure “To update antivirus and attack definitions” on page 129 to make sure that antivirus
and attack definitions are up to date.
To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
Note: To use this procedure you must login using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 39
Page 40
Changing the FortiGate firmware System status
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware
upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and
attack definitions, see “Update center” on page 126.
Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that the FortiGate unit
can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. After you install new
firmware, use the procedure “To update antivirus and attack definitions” on page 129 to make
sure that antivirus and attack definitions are up to date. You can also use the CLI command
execute update_now to update the antivirus and attack definitions.
To upgrade the firmware using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI.
Note: To use this procedure you must login using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server.
For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP
address of the TFTP server. For example, if the firmware image file name is
FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server
is 192.168.1.168, enter:
execute restore image FGT_300-v280-build183-FORTINET.out
192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
40 01-28006-0010-20041105 Fortinet Inc.
Page 41
System status Changing the FortiGate firmware
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 To confirm that the new firmware image is successfully installed, enter:
get system status
9 Use the procedure “To update antivirus and attack definitions” on page 129 to update
antivirus and attack definitions, or from the CLI, enter:
execute update_now
Reverting to a previous firmware version
Use the following procedures to revert your FortiGate unit to a previous firmware
version.
Reverting to a previous firmware version using the web-based
manager
The following procedures revert the FortiGate unit to its factory default configuration
and deletes IPS custom signatures, web content lists, email filtering lists, and changes
to replacement messages.
Before beginning this procedure you can:
• Back up the FortiGate unit configuration.
• Back up the IPS custom signatures.
• Back up web content and email filtering lists.
For information, see “Backing up and Restoring” on page 124.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS
v2.80 to FortiOS v2.50), you might not be able to restore the previous configuration
from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions
included with the firmware release that you are installing. After you install new firmware, use the
procedure “To update antivirus and attack definitions” on page 129 to make sure that antivirus
and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
Note: To use this procedure you must login using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 41
Page 42
Changing the FortiGate firmware System status
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware
is successfully installed.
9 Restore your configuration.
For information about restoring your configuration, see “Backup and restore” on
page 123.
10 Update antivirus and attack definitions.
For information about antivirus and attack definitions, see “To update antivirus and
attack definitions” on page 129.
Reverting to a previous firmware version using the CLI
This procedure reverts the FortiGate unit to its factory default configuration and
deletes IPS custom signatures, web content lists, email filtering lists, and changes to
replacement messages.
Before beginning this procedure you can:
• Back up the FortiGate unit system configuration using the command execute
backup config.
• Back up the IPS custom signatures using the command execute backup
ipsuserdefsig
• Back up web content and email filtering lists.
For information, see “Backing up and Restoring” on page 124.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS
v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration
from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions
included with the firmware release that you are installing. After you install new firmware, use the
procedure “To update antivirus and attack definitions” on page 129 to make sure that antivirus
and attack definitions are up to date. You can also use the CLI command
update_now
to update the antivirus and attack definitions.
execute
To use the following procedure you must have a TFTP server that the FortiGate unit
can connect to.
To revert to a previous firmware version using the CLI
1 Make sure that the TFTP server is running.
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI.
Note: To use this procedure you must login using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
42 01-28006-0010-20041105 Fortinet Inc.
Page 43
System status Changing the FortiGate firmware
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server.
For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP
address of the TFTP server. For example, if the firmware image file name is
FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server
is 192.168.1.168, enter:
execute restore image FGT_300-v280-build158-FORTINET.out
192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 To restore your previous configuration if needed, use the command:
execute restore config <name_str> <tftp_ipv4>
11 Update antivirus and attack definitions.
For information, see “To update antivirus and attack definitions” on page 129, or from
the CLI, enter:
execute update_now
Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to
default settings. You can use this procedure to upgrade to a new firmware version,
revert to an older firmware version, or re-install the current firmware version.
Note: This procedure varies for different FortiGate BIOS versions. These variations are
explained in the procedure steps that are affected. The version of the BIOS running on the
FortiGate unit is displayed when you restart the FortiGate unit using the CLI through a console
connection.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 43
Page 44
Changing the FortiGate firmware System status
For this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem
cable,
• install a TFTP server that you can connect to from port1. The TFTP server should
be on the same subnet as port1.
Before beginning this procedure you can:
• Back up the FortiGate unit configuration.
For information, see “Backing up and Restoring” on page 124.
• Back up the IPS custom signatures.
For information, see “Backing up and restoring custom signature files” on
page 305.
• Back up web content and email filtering lists.
For information, see “Web filter” on page 329 and “Spam filter” on page 343.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS
v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration
from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions
included with the firmware release that you are installing. After you install new firmware, use the
procedure “To update antivirus and attack definitions” on page 129 to make sure that antivirus
and attack definitions are up to date.
To install firmware from a system reboot
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that port1 is connected to the same network as the TFTP server.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system !
Do you want to continue? (y/n)
44 01-28006-0010-20041105 Fortinet Inc.
Page 45
System status Changing the FortiGate firmware
7 Type y.
As the FortiGate units starts, a series of system startup messages is displayed.
When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to display configuration menu.....
......
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the
execute reboot command.
If you successfully interrupt the startup process, one of the following messages
appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 9.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address that the FortiGate unit can use to connect to the TFTP server.
The IP address can be any IP address that is valid for the network that the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
FortiGate-3000 Administration Guide 01-28006-0010-20041105 45
Page 46
Changing the FortiGate firmware System status
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages
similar to the following are displayed:
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type Y.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
or
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might
take a few minutes to complete.
Restoring the previous configuration
Change the internal interface address if required. You can do this from the CLI using
the command:
config system interface
edit internal
set ip <address_ipv4mask>
set allowaccess {ping https ssh telnet http}
end
After changing the interface address, you can access the FortiGate unit from the
web-based manager and restore the configuration.
• To restore the FortiGate unit configuration, see “Backup and restore” on page 123.
• To restore IPS custom signatures, see “Backing up and restoring custom signature
files” on page 305.
• To restore web content filtering lists, see “Backup and restore” on page 123.
• To restore email filtering lists, see “Backup and restore” on page 123.
• To update the virus and attack definitions to the most recent version, see
“Updating antivirus and attack definitions” on page 128.
If you are reverting to a previous firmware version (for example, reverting from
FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous
configuration from the backup up configuration file.
Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system
reboot and saving it to system memory. After completing this procedure the FortiGate
unit operates using the new firmware image with the current configuration. This new
firmware image is not permanently installed. The next time the FortiGate unit restarts,
it operates with the originally installed firmware image using the current configuration.
If the new firmware image operates successfully, you can install it permanently using
the procedure “Upgrading to a new firmware version” on page 39.
46 01-28006-0010-20041105 Fortinet Inc.
Page 47
System status Changing the FortiGate firmware
For this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem
cable,
• install a TFTP server that you can connect to from port1. The TFTP server should
be on the same subnet as port1.
To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that port1 is connected to the same network as the TFTP server.
You can use the following command to ping the computer running the TFTP server.
For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, press any key to interrupt the system startup.
As the FortiGate units starts, a series of system startup messages are displayed.
When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to display configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the
execute reboot command.
If you successfully interrupt the startup process, one of the following messages
appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 9.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
FortiGate-3000 Administration Guide 01-28006-0010-20041105 47
Page 48
Changing the FortiGate firmware System status
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address that can be used by the FortiGate unit to connect to the FTP
server.
The IP address must be on the same network as the TFTP server, but make sure you
do not use the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages
similar to the following appear.
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type N.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
or
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]
12 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts
running the new firmware image but with its current configuration.
13 You can log into the CLI or the web-based manager using any administrative account.
14 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.
Installing and using a backup firmware image
If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware
image. Once the backup firmware image is installed you can switch to this backup
image when required.
• Installing a backup firmware image
• Switching to the backup firmware image
• Switching back to the default firmware image
48 01-28006-0010-20041105 Fortinet Inc.
Page 49
System status Changing the FortiGate firmware
Installing a backup firmware image
To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem
cable,
• install a TFTP server that you can connect to from the FortiGate as described in
the procedure “Installing firmware images from a system reboot using the CLI” on
page 43.
To install a backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed.
When of the following message appears:
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the
execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
FortiGate-3000 Administration Guide 01-28006-0010-20041105 49
Page 50
Changing the FortiGate firmware System status
9 Type an IP address that can be used by the FortiGate unit to connect to the FTP
server.
The IP address can be any IP address that is valid for the network that the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following message is displayed.
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]
11 Type B.
The FortiGate unit saves the backup firmware image and restarts. When the FortiGate
unit restarts it is running the previously installed firmware version.
Switching to the backup firmware image
Use this procedure to switch the FortiGate unit to operating with a backup firmware
image that you previously installed. When you switch the FortiGate unit to the backup
firmware image, the FortiGate unit operates using the configuration that was saved
with that firmware image.
If you install a new backup image from a reboot, the configuration saved with this
firmware image is the factory default configuration. If you use the procedure
“Switching back to the default firmware image” on page 51 to switch to a backup
firmware image that was previously running as the default firmware image, the
configuration saved with this firmware image is restored.
To switch to the backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate units starts, a series of system startup messages are displayed.
When the following message appears:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the
execute reboot command.
50 01-28006-0010-20041105 Fortinet Inc.
Page 51
System status Changing the FortiGate firmware
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate
unit restarts, it is running the backup firmware version and the configuration is set to
factory default.
Switching back to the default firmware image
Use this procedure to switch the FortiGate unit to operating with the backup firmware
image that had been running as the default firmware image. When you switch to this
backup firmware image, the configuration saved with this firmware image is restored.
To switch back to the default firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate units starts, a series of system startup messages are displayed.
When the following message appears:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate
unit restarts it is running the backup firmware version with a restored configuration.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 51
Page 52
Changing the FortiGate firmware System status
52 01-28006-0010-20041105 Fortinet Inc.
Page 53
FortiGate-3000 Administration Guide Version 2.80 MR6
System network
System network settings control how the FortiGate unit connects to and interacts with
your network. Basic network settings start with configuring FortiGate interfaces to
connect to your network and configuring the FortiGate DNS settings.
More advanced network settings include adding VLAN subinterfaces and zones to the
FortiGate network configuration.
• Interface
• Zone
• Management
• DNS
• Routing table (Transparent Mode)
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
• FortiGate IPv6 support
Interface
In NAT/Route mode, go to System > Network > Interface to configure FortiGate
interfaces and to add and configure VLAN subinterfaces.
Note: Unless stated otherwise, in this section the term interface can refer to a physical
FortiGate interface or to a FortiGate VLAN subinterface.
• For information about VLANs in NAT/Route mode, see “VLANs in NAT/Route
mode” on page 69.
• For information about VLANs in Transparent mode, see “VLANs in Transparent
mode” on page 72.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 53
Page 54
Interface System network
Figure 5: Interface list
Create New Select Create New to create a VLAN.
Virtual Domain Select a virtual domain to display the interfaces added to this virtual domain.
Name The names of the physical interfaces available to your FortiGate unit.
IP The current IP address of the interface.
Netmask The netmask of the interface.
Access The administrative access configuration for the interface.
Status The administrative status for the interface.
Only available if you have added a virtual domain.
• Interface names indicate the default function of the interface (for
example, internal and external)
• Interface names indicate that the interface can be connected to any
network (for example, port1, port2, and portx)
• By default, interface names that include ha are configured with an HA
heartbeat device priority (see “Priorities of Heartbeat Device” on page 95)
If you have added VLAN subinterfaces, they also appear in the name list,
below the physical interface that they have been added to. See “VLAN
overview” on page 68.
See “To control administrative access to an interface” on page 62 for
information about administrative access options.
If the administrative status is a green arrow, the interface is up and can
accept network traffic. If the administrative status is a red arrow, the
interface is administratively down and cannot accept traffic. To change the
administrative status, select Bring Down or Bring Up. For more information,
see “To bring down an interface that is administratively up” on page 60 and
“To start up an interface that is administratively down” on page 60.
Delete, edit, and view icons.
Interface settings
Interface settings displays the current configuration of a selected FortiGate interface
or VLAN subinterface. Use interface settings to configure a new VLAN subinterface or
to change the configuration of a FortiGate interface or VLAN subinterface.
54 01-28006-0010-20041105 Fortinet Inc.
Page 55
System network Interface
Figure 6: Interface settings
See the following procedures for configuring interfaces:
• To bring down an interface that is administratively up
• To start up an interface that is administratively down
• To add interfaces to a zone
• To add an interface to a virtual domain
• To change the static IP address of an interface
• To configure an interface for DHCP
• To configure an interface for PPPoE
• To add a secondary IP address
• To add a ping server to an interface
• To control administrative access to an interface
• To change the MTU size of the packets leaving an interface
• To configure traffic logging for connections to an interface
Name
The name of the Interface.
Interface
Select the name of the physical interface to add the VLAN subinterface to. All VLAN
subinterfaces must be associated with a physical interface. Once created, the VLAN is
listed below its physical interface in the Interface list.
VLAN ID
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface. You cannot change the VLAN ID of an existing VLAN
subinterface.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 55
Page 56
Interface System network
The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID
added by the IEEE 802.1Q-compliant router or switch connected to the VLAN
subinterface.
For more information on VLANs, see “VLAN overview” on page 68.
Virtual Domain
Select a virtual domain to add the interface or VLAN subinterface to this virtual
domain. Virtual domain is only available if you have added a virtual domain.
For more information on virtual domains, see “System virtual domain” on page 139.
Addressing mode
Select Manual, DHCP, or PPPoE to set the addressing mode for this interface.
Manual
Select Manual and enter an IP address and netmask for the interface. The IP address
of the interface must be on the same subnet as the network the interface is connecting
to.
Note: Where you can enter both an IP address and a netmask in the same field, you can use
the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.
Two interfaces cannot have the same IP address and cannot have IP addresses on
the same subnet.
DHCP
If you configure the interface to use DHCP, the FortiGate unit automatically
broadcasts a DHCP request. You can disable Connect to server if you are configuring
the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP
request.
Distance Enter the administrative distance for the default gateway retrieved from
Retrieve default
gateway from server
Override internal DNS Enable Override internal DNS to use the DNS addresses retrieved
Connect to server Enable Connect to Server so that the interface automatically attempts
Status Displays DHCP status messages as the FortiGate unit connects to the
initializing No activity.
the DHCP server. The administrative distance, an integer from 1-255,
specifies the relative priority of a route when there are multiple routes
to the same destination. A lower administrative distance indicates a
more preferred route. The default distance for the default gateway is 1.
Enable Retrieve default gateway from server to retrieve a default
gateway IP address from the DHCP server. The default gateway is
added to the static routing table.
from the DHCP server instead of the DNS server IP addresses on the
DNS page.
to connect to a DHCP server. Disable this option if you are configuring
the interface offline.
DHCP server and gets addressing information. Select Status to refresh
the addressing mode status message.
56 01-28006-0010-20041105 Fortinet Inc.
Page 57
System network Interface
connecting The interface is attempting to connect to the DHCP server.
connected The interface retrieves an IP address, netmask, and other settings
failed The interface was unable to retrieve an IP address and other
from the DHCP server.
information from the DHCP server.
PPPoE
If you configure the interface to use PPPoE, the FortiGate unit automatically
broadcasts a PPPoE request. You can disable connect to server if you are configuring
the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE
request.
FortiGate units support many of the PPPoE RFC features (RFC 2516) including
unnumbered IPs, initial discovery timeout that times and PPPoE Active Discovery
Terminate (PADT).
Figure 7: PPPoE settings
User Name The PPPoE account user name.
Password The PPPoE account password.
Unnumbered IP Specify the IP address for the interface. If your ISP has assigned you a
Initial Disc
Timeout
Initial PADT
timeout
Distance Enter the administrative distance for the default gateway retrieved from the
Retrieve default
gateway from
server
Override internal
DNS
block of IP addresses, use one of them. Otherwise, this IP address can be
the same as the IP address of another interface or can be any IP address.
Initial discovery timeout. The time to wait before retrying to start a PPPoE
discovery. Set Initial Disc to 0 to disable.
Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use
this timeout to shut down the PPPoE session if it is idle for this number of
seconds. PADT must be supported by your ISP. Set initial PADT timeout to
0 to disable.
PPPoE server. The administrative distance, an integer from 1-255,
specifies the relative priority of a route when there are multiple routes to the
same destination. A lower administrative distance indicates a more
preferred route. The default distance for the default gateway is 1.
Enable Retrieve default gateway from server to retrieve a default gateway
IP address from a PPPoE server. The default gateway is added to the static
routing table.
Enable Override internal DNS to replace the DNS server IP addresses on
the DNS page with the DNS addresses retrieved from the PPPoE server.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 57
Page 58
Interface System network
Connect to server Enable Connect to Server so that the interface automatically attempts to
Status Displays PPPoE status messages as the FortiGate unit connects to the
initializing No activity.
connecting The interface is attempting to connect to the PPPoE server.
connected The interface retrieves an IP address, netmask, and other settings from the
failed The interface was unable to retrieve an IP address and other information
connect to a PPPoE server. Disable this option if you are configuring the
interface offline.
PPPoE server and gets addressing information. Select Status to refresh the
addressing mode status message.
PPPoE server.
from the PPPoE server.
DDNS
Enable or disable updates to a Dynamic DNS (DDNS) service. When the FortiGate
unit has a static domain name and a dynamic public IP address, select DDNS Enable
to force the unit to update the DDNS server each time the address changes. In turn,
the DDNS service updates Internet DNS servers with the new IP address for the
domain.
Dynamic DNS is available only in NAT/Route mode.
Server Select a DDNS server to use. The client software for these services is built into the
Domain The domain name to use for the DDNS service.
Username The user name to use when connecting to the DDNS server.
Password The password to use when connecting to the DDNS server.
FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS
server for the supported clients.
Ping server
Add a ping server to an interface if you want the FortiGate unit to confirm connectivity
with the next hop router on the network connected to the interface. Adding a ping
server is required for routing failover. See “To add or edit a static route” on page 152.
The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to
make sure that the FortiGate unit can connect to this IP address. To configure dead
gateway detection, see “To modify the dead gateway detection settings” on page 90.
Administrative access
Configure administrative access to an interface to control how administrators access
the FortiGate unit and the FortiGate interfaces to which administrators can connect.
You can select the following administrative access options:
HTTPS To allow secure HTTPS connections to the web-based manager through this
PING If you want this interface to respond to pings. Use this setting to verify your
HTTP To allow HTTP connections to the web-based manager through this interface.
interface.
installation and for testing.
HTTP connections are not secure and can be intercepted by a third party.
58 01-28006-0010-20041105 Fortinet Inc.
Page 59
System network Interface
SSH To allow SSH connections to the CLI through this interface.
SNMP To allow a remote SNMP manager to request SNMP information by connecting to
TELNET To allow Telnet connections to the CLI through this interface. Telnet connections
this interface. See “Configuring SNMP” on page 104.
are not secure and can be intercepted by a third party.
MTU
To improve network performance, you can change the maximum transmission unit
(MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this
MTU should be the same as the smallest MTU of all the networks between the
FortiGate unit and the destination of the packets. If the packets that the FortiGate unit
sends are larger, they are broken up or fragmented, which slows down transmission.
Experiment by lowering the MTU to find an MTU size for best network performance.
To change the MTU, select Override default MTU value (1500) and enter the
maximum packet size. For manual and DHCP addressing mode the MTU size can be
from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576
to 1492 bytes.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU
of all interfaces to match the new MTU.
Log
Select Log to record logs for any traffic to or from the interface. To record logs you
must also enable traffic log for a logging location and set the logging severity level to
Notification or lower. Go to Log & Report > Log Config to configure logging locations
and types. For information about logging see “Log & Report” on page 357.
Configuring interfaces
Use the following procedures to configure FortiGate interfaces and VLAN
subinterfaces.
• To bring down an interface that is administratively up
• To add interfaces to a zone
• To add an interface to a virtual domain
• To change the static IP address of an interface
• To configure an interface for DHCP
• To configure an interface for PPPoE
• To add a secondary IP address
• To add a ping server to an interface
• To control administrative access to an interface
• To change the MTU size of the packets leaving an interface
• To configure traffic logging for connections to an interface
To add a VLAN subinterface
See “To add a VLAN subinterface in NAT/Route mode” on page 71.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 59
Page 60
Interface System network
To bring down an interface that is administratively up
You can bring down physical interfaces or VLAN subinterfaces. Bringing down a
physical interface also brings down the VLAN subinterfaces associated with it.
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Down for the interface that you want to stop.
To start up an interface that is administratively down
You can start up physical interfaces and VLAN subinterfaces. Starting a physical
interface does not start the VLAN subinterfaces added to it.
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Up for the interface that you want to start.
To add interfaces to a zone
If you have added zones to the FortiGate unit, you can use this procedure to add
interfaces or VLAN subinterfaces to the zone. To add a zone, see “To add a zone” on
page 64. You cannot add an interface to a zone if you have added firewall policies for
the interface. Delete firewall policies for the interface and then add the interface to the
zone.
1 Go to System > Network > Zone.
2 Choose the zone to add the interface or VLAN subinterface to and select Edit.
3 Select the names of the interfaces or VLAN subinterfaces to add to the zone.
4 Select OK to save the changes.
To add an interface to a virtual domain
If you have added virtual domains to the FortiGate unit, you can use this procedure to
add an interface or VLAN subinterface to a virtual domain. To add a virtual domain,
see “To add a virtual domain” on page 143. You cannot add an interface to a virtual
domain if you have added firewall policies for the interface. Delete firewall policies for
the interface and then add the interface to the virtual domain.
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a virtual domain and select Edit.
3 From the Virtual Domain list, select the virtual domain that you want to add the
interface to.
4 Select OK to save the changes.
5 Repeat these steps to add more interfaces or VLAN subinterfaces to virtual domains.
To change the static IP address of an interface
You can change the static IP address of any FortiGate interface.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
60 01-28006-0010-20041105 Fortinet Inc.
Page 61
System network Interface
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required.
5 Select OK to save your changes.
If you changed the IP address of the interface to which you are connecting to manage
the FortiGate unit, you must reconnect to the web-based manager using the new
interface IP address.
To configure an interface for DHCP
You can configure any FortiGate interface to use DHCP.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 In the Addressing Mode section, select DHCP.
4 Select the Retrieve default gateway and DNS from server check box if you want the
FortiGate unit to obtain a default gateway IP address and DNS server IP addresses
from the DHCP server.
5 Select the Connect to Server check box if you want the FortiGate unit to connect to
the DHCP server.
6 Select Apply.
The FortiGate unit attempts to contact the DHCP server from the interface to set the
IP address, netmask, and optionally the default gateway IP address, and DNS server
IP addresses.
7 Select Status to refresh the addressing mode status message.
8 Select OK.
To configure an interface for PPPoE
Use this procedure to configure any FortiGate interface to use PPPoE. See “PPPoE”
on page 57 for information on PPPoE settings.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 Enter an Unnumbered IP if required by your PPPoE service.
6 Set the Initial Disc Timeout and Initial PADT Timeout if supported by your ISP.
7 Select the Retrieve default gateway from server check box if you want the FortiGate
unit to obtain a default gateway IP address from the PPPoE server.
8 Select the Override Internal DNS check box if you want the FortiGate unit to obtain a
DNS server IP address from the PPPoE server.
9 Select the Connect to Server check box if you want the FortiGate unit to connect to
the PPPoE server.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 61
Page 62
Interface System network
10 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the
IP address, netmask, and optionally default gateway IP address and DNS server IP
addresses.
11 Select Status to refresh the addressing mode status message.
12 Select OK.
To add a secondary IP address
You can use the CLI to add a secondary IP address to any FortiGate interface. The
secondary IP address cannot be the same as the primary IP address but it can be on
the same subnet.
From the FortiGate CLI, enter the following commands:
config system interface
edit <intf_str>
config secondaryip
edit 0
set ip <second_ip> <netmask_ip>
Optionally, you can also configure management access and add a ping server to the
secondary IP address:
set allowaccess ping https ssh snmp http telnet
set gwdetect enable
Save the changes:
end
To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Ping Server to the IP address of the next hop router on the network connected to
the interface.
4 Select the Enable check box.
5 Select OK to save the changes.
To control administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative
access to an interface to control how administrators access the FortiGate unit and the
FortiGate interfaces to which administrators can connect.
62 01-28006-0010-20041105 Fortinet Inc.
Page 63
System network Zone
Controlling administrative access for an interface connected to the Internet allows
remote administration of the FortiGate unit from any location on the Internet. However,
allowing remote administration from the Internet could compromise the security of
your FortiGate unit. You should avoid allowing administrative access for an interface
connected to the Internet unless this is required for your configuration. To improve the
security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To
set the system idle timeout” on page 89).
To configure administrative access in Transparent mode, see “To configure the
management interface” on page 66.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK to save the changes.
To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
Zone
3 Select Override default MTU value (1500).
4 Set the MTU size.
Note: You cannot set the MTU of a VLAN larger than the MTU of its physical interface. Nor can
you set the MTU of a physical interface smaller than the MTU of any VLAN on that interface.
To configure traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Log check box to record log messages whenever a firewall policy accepts a
connection to this interface.
4 Select OK to save the changes.
You can use zones to group related interfaces and VLAN subinterfaces. Grouping
interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group
interfaces and VLAN subinterfaces into a zone, you can configure policies for
connections to and from this zone, rather than to and from each interface and VLAN
subinterface.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 63
Page 64
Zone System network
You can add zones, rename and edit zones, and delete zones from the zone list.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces
to add to the zone.
Zones are added to virtual domains. If you have added multiple virtual domains to
your FortiGate configuration, make sure you are configuring the correct virtual domain
before adding or editing zones.
Figure 8: Zone list
Create New Select Create New to create a zone.
Name The names of the zones that you have added.
Block intra-zone
traffic
Interface Members The names of the interfaces added to the zone.
Displays Yes if traffic between interfaces in the same zone is blocked and
No if traffic between interfaces in the same zone is not blocked.
Edit/View icons. Select to edit or view a zone.
Delete icon. Select to remove a zone.
Zone settings
1 If you have added a virtual domain, go to System > Virtual Domain > Current
2 Go to System > Network > Zone.
3 Select Create New.
Figure 9: Zone options
Name Enter the name to identify the zone.
Block intra-zone
traffic
Interface members Enable check boxes to select the interfaces that are part of this zone.
Select Block intra-zone traffic to block traffic between interfaces or VLAN
subinterfaces in the same zone.
To add a zone
Virtual Domain and select the virtual domain to which you want to add the zone.
4 In the New Zone dialog box, type a name for the zone.
64 01-28006-0010-20041105 Fortinet Inc.
Page 65
System network Management
5 Select the Block intra-zone traffic check box if you want to block traffic between
interfaces or VLAN subinterfaces in the same zone.
6 Select the names of the interfaces or VLAN subinterfaces to add to the zone.
7 Select OK.
To delete a zone
You can only delete zones that have the Delete icon beside them in the zone list.
1 If you have added a virtual domain, go to System > Virtual Domain > Current
Virtual Domain and select the virtual domain from which to delete the zone.
2 Go to System > Network > Zone.
3 Select Delete to remove a zone from the list.
4 Select OK to delete the zone.
To edit a zone
1 If you have added a virtual domain, go to System > Virtual Domain > Current
Virtual Domain and select the virtual domain in which to edit the zone.
2 Go to System > Network > Zone.
3 Select Edit to modify a zone.
4 Select or deselect Block intra-zone traffic.
5 Select the names of the interfaces or VLAN subinterfaces to add to the zone.
Management
6 Clear the check box for the names of the interfaces or VLAN subinterfaces to remove
from the zone.
7 Select OK.
Configure the management interface in Transparent mode to set the management IP
address of the FortiGate unit. Administrators connect to this IP address to administer
the FortiGate unit. The FortiGate also uses this IP address to connect to the FDN for
virus and attack updates (see “Update center” on page 126).
You can also configure interfaces to control how administrators connect to the
FortiGate unit for administration. See “To control administrative access to an
interface” on page 62.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 65
Page 66
DNS System network
Controlling administrative access to a FortiGate interface connected to the Internet
allows remote administration of the FortiGate unit from any location on the Internet.
However, allowing remote administration from the Internet could compromise the
security of the FortiGate unit. You should avoid allowing administrative access for an
interface connected to the Internet unless this is required for your configuration. To
improve the security of a FortiGate unit that allows remote administration from the
Internet:
• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To
set the system idle timeout” on page 89).
Figure 10: Management
DNS
Management
IP/Netmask
Default
Gateway
Management
Virtual Domain
Enter the management IP address and netmask. This must be a valid IP
address for the network that you want to manage the FortiGate unit
from.
Enter the default gateway address.
Select the virtual domain from which you want to perform system
management.
To configure the management interface
1 Go to System > Network > Management.
2 Enter the Management IP/Netmask.
3 Enter the Default Gateway.
4 Select the Management Virtual Domain.
5 Select Apply.
The FortiGate unit displays the following message:
Management IP address was changed. Click here to redirect.
6 Click on the message to connect to the new Management IP.
Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You
can add the IP addresses of the DNS servers to which your FortiGate unit can
connect. DNS server IP addresses are usually supplied by your ISP.
66 01-28006-0010-20041105 Fortinet Inc.
Page 67
System network Routing table (Transparent Mode)
Figure 11: DNS
Primary DNS Server Enter the primary DNS server IP address.
Secondary DNS Server Enter the secondary DNS server IP address.
To add DNS server IP addresses
1 Go to System > Network > DNS.
2 Change the primary and secondary DNS server IP addresses as required.
3 Select Apply to save the changes.
Routing table (Transparent Mode)
In Transparent mode, you can configure routing to add static routes from the
FortiGate unit to local routers.
Routing table list
Figure 12: Routing table
Create New Select Create New to add a new route.
# Route number.
IP The destination IP address for this route.
Mask The netmask for this route.
Gateway The IP address of the next hop router to which this route directs traffic.
Distance The the relative preferability of this route. 1 is most preferred.
Delete icon. Select to remove a route.
View/edit icon. Select to view or edit a route.
Move To icon. Select to change the order of a route in the list.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 67
Page 68
VLAN overview System network
Transparent mode route settings
Figure 13: Transparent mode route options
1 Go to System > Network > Routing Table.
2 Select Create New to add a new route.
3 Set the Destination IP and Mask to 0.0.0.0.
4 Set Gateway to the IP address of the next hop routing gateway.
5 Select OK to save the route.
VLAN overview
Destination IP
/Mask
Gateway Enter the IP address of the next hop router to which this route directs traffic
Distance The the relative preferability of this route. 1 is most preferred.
Enter the destination IP address and netmask for this route.
To add a Transparent mode route
For the default route, set the Destination IP and Mask to 0.0.0.0.
Note: Only one default route can be active at a time. If two default routes are added to the
routing table, only the default route closest to the top of the routing table is active.
For an Internet connection, the next hop routing gateway routes traffic to the Internet.
A VLAN is group of PCs, servers, and other network devices that communicate as if
they were on the same LAN segment, even though they may not be. For example, the
workstations and servers for an accounting department could be scattered throughout
an office, connected to numerous network segments, but they can still belong to the
same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a
broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but
cannot connect with devices in other VLANs. The communication among devices on a
VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent
and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that
contain a VLAN identifier as well as other information.
VLANs allow highly flexible, efficient network segmentation, enabling users and
resources to be grouped logically, regardless of physical locations.
68 01-28006-0010-20041105 Fortinet Inc.
Page 69
System network VLANs in NAT/Route mode
Figure 14: Basic VLAN topology
Internet
Untagged
packets
Esc Enter
VLAN trunk
VLAN 1
VLAN 2
Firewall or
Router
VLAN 1 network VLAN 2 network
FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3
routers or firewalls add VLAN tags to packets. Packets passing between devices in
the same VLAN can be handled by layer 2 switches. Packets passing between
devices in different VLANs must be handled by a layer 3 device such as router,
firewall, or layer 3 switch.
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Traffic from each security domain is
given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply
security policies to secure network and IPSec VPN traffic between security domains.
The FortiGate unit can also apply authentication, protection profiles, and other firewall
policy features for network and VPN traffic that is allowed to pass between security
domains.
POWER
VLAN 1
VLAN Switch or router
VLAN 2
VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to
control the flow of packets between VLANs. The FortiGate unit can also remove VLAN
tags from incoming VLAN packets and forward untagged packets to other networks,
such as the Internet.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 69
Page 70
VLANs in NAT/Route mode System network
In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally
the FortiGate unit internal interface connects to a VLAN trunk on an internal switch,
and the external interface connects to an upstream Internet router untagged. The
FortiGate unit can then apply different policies for traffic on each VLAN that connects
to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface
that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The
FortiGate unit directs packets with VLAN IDs, to subinterfaces with matching VLAN
IDs.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate
unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags
from incoming packets and add a different VLAN tags to outgoing packets.
Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or more VLAN
subinterfaces with the same VLAN IDs to different physical interfaces. There is no
internal connection or link between two VLAN subinterfaces with same VLAN ID. Their
relationship is the same as the relationship between any two FortiGate network
interfaces.
Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces
and to VLAN subinterfaces.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter the
CLI command config system global and set ip-overlap enable to allow IP address
overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is
part of a subnet used by another interface. This command is recommended for advanced users
only.
Figure 15 shows a simplified NAT/Route mode VLAN configuration. In this example,
FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow
between the VLANs and from the VLANs to the external network.
70 01-28006-0010-20041105 Fortinet Inc.
Page 71
System network VLANs in NAT/Route mode
Figure 15: FortiGate unit in Nat/Route mode
POWER
Fa0/3 Fa0/9 Fa0/24
VLAN 100 VLAN 200
VLAN switch
802.1Q Trunk
FortiGate
Esc Enter
Internal
192.168.110.126
External
172.16.21.2
VLAN 100 network
10.1.1.0
10.1.1.2
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.
Each VLAN subinterface must also be configured with its own IP address and
netmask.
Note: A VLAN must not have the same name as a virtual domain or zone.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN
subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
VLAN 200 network
10.1.2.0
10.1.2.2
Internet
6 Select the virtual domain to which to add this VLAN subinterface.
See “System virtual domain” on page 139 for information about virtual domains.
7 Select the name of a zone if you want this VLAN subinterface to belong to a zone.
You can only select a zone that has been added to the virtual domain selected in the
previous step. See “Zone” on page 63 for information about zones.
8 Configure the VLAN subinterface settings as you would for any FortiGate interface.
See “Interface settings” on page 54.
9 Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected
in step 4.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 71
Page 72
VLANs in Transparent mode System network
To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for
connections between VLAN subinterfaces or from a VLAN subinterface to a physical
interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
See “Address” on page 206.
3 Go to Firewall > Policy.
4 Add firewall policies as required.
VLANs in Transparent mode
In Transparent mode, the FortiGate unit can apply firewall policies and services, such
as authentication, protection profiles, and other firewall features, to traffic on an IEEE
802.1 VLAN trunk. You can insert the FortiGate unit operating in Transparent mode
into the trunk without making changes to your network. In a typical configuration, the
FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN
switch or router connected to internal VLANs. The FortiGate external interface
forwards tagged packets through the trunk to an external VLAN switch or router which
could be connected to the Internet. The FortiGate unit can be configured to apply
different policies for traffic on each VLAN in the trunk.
For VLAN traffic to be able to pass between the FortiGate Internal and external
interface you would add a VLAN subinterface to the internal interface and another
VLAN subinterface to the external interface. If these VLAN subinterfaces have the
same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN.
If these VLAN subinterfaces have different VLAN IDs, or if you add more than two
VLAN subinterfaces, you can also use firewall policies to control connections between
VLANs.
If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can
configure a FortiGate unit operating in Transparent mode to provide security for
network traffic passing between different VLANs. To support VLAN traffic in
Transparent mode, you add virtual domains to the FortiGate unit configuration. A
virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual
domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is
directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for this source and destination VLAN
subinterface pair are applied to the packet. If the packet is accepted by the firewall,
the FortiGate unit forwards the packet to the destination VLAN subinterface. The
destination VLAN ID is added to the packet by the FortiGate unit and the packet is
sent to the VLAN trunk.
72 01-28006-0010-20041105 Fortinet Inc.
Page 73
System network VLANs in Transparent mode
Figure 16: FortiGate unit with two virtual domains in Transparent mode
VLAN Switch or router
FortiGate unit
VLAN1
External
VLAN trunk
VLAN1
VLAN2
VLAN3
VLAN Switch
or router
Internet
VLAN2
VLAN3
Internal
VLAN1
VLAN2
VLAN3
VLAN trunk
root virtual domain
VLAN1
New virtual domain
VLAN2
VLAN3
VLAN1
VLAN2
VLAN3
Figure 17 shows a FortiGate unit operating in Transparent mode and configured with
three VLAN subinterfaces. In this configuration the FortiGate unit could be added to
this network to provide virus scanning, web content filtering, and other services to
each VLAN.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 73
Page 74
VLANs in Transparent mode System network
Figure 17: FortiGate unit in Transparent mode
VLAN 1
VLAN ID = 100
FortiGate unit
operating in
Transparent mode
VLAN
switch
VLAN 2
VLAN ID = 200
POWER
Esc Enter
VLAN
switch
POWER
VLAN
Trunk
Internal
External
VLAN 1
VLAN 2
VLAN 3
VLAN
Trunk
Untagged
packets
Router
VLAN 3
VLAN ID = 300
VLAN 1
VLAN 2
VLAN 3
Internet
Rules for VLAN IDs
In Transparent mode two VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or more VLAN
subinterfaces with the same VLAN IDs to different physical interfaces. There is no
internal connection or link between two VLAN subinterfaces with same VLAN ID. Their
relationship is the same as the relationship between any two FortiGate network
interfaces.
Transparent mode virtual domains and VLANs
VLAN subinterfaces are added to and associated with virtual domains. By default the
FortiGate configuration includes one virtual domain, named root, and you can add as
many VLAN subinterfaces as you require to this virtual domain.
You can add more virtual domains if you want to separate groups of VLAN
subinterfaces into virtual domains. For information on adding and configuring virtual
domains, see “System virtual domain” on page 139
74 01-28006-0010-20041105 Fortinet Inc.
Page 75
System network VLANs in Transparent mode
Transparent mode VLAN list
In Transparent mode, go to System > Network > Interface to add VLAN
subinterfaces.
Figure 18: Sample Transparent mode VLAN list
Create New Select Create New to add a VLAN subinterface to a FortiGate interface.
Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual
Name The name of the interface or VLAN subinterface.
Access The administrative access configuration for the interface. See “To control
Status The administrative status for the interface.
domain.
administrative access to an interface” on page 62 for information about
administrative access options.
If the administrative status is a green arrow, the interface is up and can accept
network traffic. If the administrative status is a red arrow, the interface is
administratively down and cannot accept traffic. To change the administrative
status, see “To bring down an interface that is administratively up” on page 60
and “To start up an interface that is administratively down” on page 60.
Delete icon. Select to delete a VLAN subinterface.
View/Edit icon. Select to view or edit an interface or VLAN subinterface.
Transparent mode VLAN settings
VLAN settings displays the current configuration of a selected FortiGate interface or
VLAN subinterface. Use VLAN settings to configure a new VLAN subinterface or to
change the configuration of a FortiGate interface or VLAN subinterface.
Figure 19: VLAN settings
See “Interface settings” on page 54 for descriptions of all VLAN settings.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 75
Page 76
VLANs in Transparent mode System network
To add a VLAN subinterface in Transparent mode
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and
4096. You add VLAN subinterfaces to the physical interface that receives VLAN-
tagged packets.
Note: A VLAN must not have the same name as a virtual domain or zone.
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN
subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface.
See “System virtual domain” on page 139 for information about virtual domains.
7 Enable or disable using a Dynamic DNS service (DDNS). If the FortiGate unit uses a
dynamic IP address, you can arrange with a DDNS service provider to use a domain
name to provide redirection of traffic to your network whenever the IP address
changes.
8 Configure the administrative access, MTU, and log settings as you would for any
FortiGate interface.
See “Interface settings” on page 54 for more descriptions of these settings.
9 Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected.
10 Select Bring up to start the VLAN subinterface.
To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for
connections between VLAN subinterfaces or from a VLAN subinterface to a physical
interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
See “Address” on page 206.
3 Go to Firewall > Policy.
4 Add firewall policies as required.
76 01-28006-0010-20041105 Fortinet Inc.
Page 77
System network FortiGate IPv6 support
FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit.
The interface functions as two interfaces, one for IPv4-addressed packets and
another for IPv6-addressed packets.
FortiGate units support static routing, periodic router advertisements, and tunneling of
IPv6-addressed traffic over an IPv4-addressed network. All of these features must be
configured through the Command Line Interface (CLI). See the FortiGate CLI
Reference Guide for information on the following commands:
Table 2: IPv6 CLI commands
Feature CLI Command
Interface configuration, including periodic
router advertisements
Static routing config router static6
IPv6 tunneling config system ipv6_tunnel
config system interface
See the keywords beginning with “ip6”.
config ip6-prefix-list
FortiGate-3000 Administration Guide 01-28006-0010-20041105 77
Page 78
FortiGate IPv6 support System network
78 01-28006-0010-20041105 Fortinet Inc.
Page 79
FortiGate-3000 Administration Guide Version 2.80 MR6
System DHCP
You can configure DHCP server or DHCP relay agent functionality on any FortiGate
interface or VLAN subinterface.
A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An
interface cannot provide both functions at the same time.
Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit
must be in NAT/Route mode and the interface must have a static IP address.
This section describes:
• Service
• Server
• Exclude range
• IP/MAC binding
• Dynamic IP
Service
Go to System > DHCP > Service to configure the DHCP service provided by each
FortiGate interface. You can configure each interface to be a DHCP relay or a DHCP
server or you can turn off DHCP services.
Figure 20: DHCP service list
FortiGate-3000 Administration Guide 01-28006-0010-20041105 79
Page 80
Service System DHCP
Interface List of FortiGate interfaces.
Service The DHCP service provided by the interface (none, DHCP Relay, or DHCP
Server).
Edit/View icon. Select to view or modify the DHCP service configuration for
an interface.
DHCP service settings
Go to System > DHCP > Service and select an edit or view icon to view to modify the
DHCP service configuration for an interface.
Figure 21: View or edit DHCP service settings for an interface
Interface The name of the interface.
None No DHCP services provided by the interface.
DHCP Relay Agent Select to configure the interface to be a DHCP relay agent.
Type Select the type of DHCP relay agent.
Regular Configure the interface to be a DHCP relay agent for computers on the
IPSEC Configure the interface to be a DHCP relay agent only for remote VPN
DHCP Server IP If you select DHCP Relay Agent, enter the IP address of the DHCP server
DHCP Server Select DHCP Server if you want the FortiGate unit to be the DHCP server.
network connected to this interface. See “To configure an interface as a
regular DHCP relay agent” on page 80.
clients with an IPSec VPN connection to this interface that uses DHCP
over IPSec.
used by the computers on the network connected to the interface.
See “To configure an interface to be a DHCP server” on page 81.
To configure an interface as a regular DHCP relay agent
In a DHCP relay configuration, the FortiGate interface configured for DHCP relay
forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP
server. The FortiGate unit also returns responses from the DHCP server to the DHCP
clients. The DHCP server must have a route to the FortiGate unit that is configured as
the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive
at the FortiGate performing DHCP relay.
1 Go to System > DHCP > Service.
2 Select Edit for the interface that you want to be a DHCP relay agent.
3 Select DHCP Relay Agent.
80 01-28006-0010-20041105 Fortinet Inc.
Page 81
System DHCP Server
4 Set type to Regular.
5 Enter the DHCP Server IP address.
6 Select OK.
To configure an interface to be a DHCP server
You can configure a DHCP server for any FortiGate interface. As a DHCP server, the
interface dynamically assigns IP addresses to hosts on the network connected to the
interface. You can also configure a DHCP server for more than one FortiGate
interface.
1 Go to System > DHCP > Service.
2 Select Edit beside the interface to which you want to add a DHCP server.
3 Select DHCP Server.
4 Select OK.
5 Add a DHCP server configuration for this interface.
See “To configure a DHCP server for an interface” on page 82.
Server
You can configure one or more DHCP servers for any FortiGate interface. As a DHCP
server, the interface dynamically assigns IP addresses to hosts on a network
connected to the interface.
You can add more than one DHCP server to a single interface to be able to provide
DHCP services to multiple networks. For more information, see “To configure multiple
DHCP servers for an interface” on page 83.
Figure 22: DHCP Server list
Create New Add a new DHCP server.
Name Name of the DHCP server.
Interface The interface for which the DHCP server is configured.
Default Gateway The DHCP server configuration default gateway
Delete Delete a DHCP server configuration.
Edit/View icon View or modify a DHCP server configuration.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 81
Page 82
Server System DHCP
DHCP server settings
Figure 23: Server options
Name Enter a name for the DHCP server configuration.
Interface Select the interface for which to configure the DHCP server.
Domain Enter the domain that the DHCP server assigns to DHCP clients.
Default Gateway Enter the IP address of the default gateway that the DHCP server
IP Range Enter the starting IP and ending IP for the range of IP addresses that this
Network Mask Enter the netmask that the DHCP server assigns to DHCP clients.
Lease Time Select Unlimited for an unlimited lease time or enter the interval in days,
DNS Server Enter the IP addresses of up to 3 DNS servers that the DHCP server
WINS Server Add the IP addresses of one or two WINS servers that the DHCP server
Option Up to three custom DHCP options that can be sent by the DHCP server.
assigns to DHCP clients.
DHCP server assigns to DHCP clients.
hours, and minutes after which a DHCP client must ask the DHCP server
for new settings. The lease time can range from 5 minutes to 100 days.
assigns to DHCP clients.
assigns to DHCP clients.
Code is the DHCP option code in the range 1 to 255. Option is an even
number of hexadecimal characters and is not required for some option
codes. For detailed information about DHCP options, see RFC 2132,
DHCP Options and BOOTP Vendor Extensions.
To configure a DHCP server for an interface
After configuring an interface to be a DHCP server (using the procedure “To configure
an interface to be a DHCP server” on page 81), you must configure a DHCP server for
the interface.
1 Go to System > DHCP > Server.
2 Select Create New.
82 01-28006-0010-20041105 Fortinet Inc.
Page 83
System DHCP Exclude range
3 Add a name for the DHCP server.
4 Select the interface
5 Configure the DHCP server.
The IP range must match the subnet address of the network from which the DHCP
request was received. Usually this would be the subnet connected to the interface for
which you are added the DHCP server.
6 Select OK to save the DHCP server configuration.
To configure multiple DHCP servers for an interface
If an interface is connected to a network that includes routers connected to different
subnets, you can:
1 Configure computers on the subnets to get their IP configuration using DHCP.
The IP range of each DHCP server must match the subnet addresses.
2 Configure the routers for DHCP relay.
3 Add multiple DHCP servers to the interface, one for each subnet.
When a computer on one of the connected subnets sends a DHCP request it is
relayed to the FortiGate interface by the router, using DHCP relay. The FortiGate unit
selects the DHCP server configuration with an IP range that matches the subnet
address from which the DHCP request was received and uses this DHCP server to
assign an IP configuration to the computer that made the DHCP request. The DHCP
configuration packets are sent back to the router and the router relays them to the
DHCP client.
Exclude range
Add up to 16 exclude ranges of IP addresses that FortiGate DHCP servers cannot
assign to DHCP clients. Exclude ranges apply to all FortiGate DHCP servers.
Figure 24: Exclude range list
Create New Select Create New to add an exclude range.
# The ID number of each exclude range. ID numbers are assigned
sequentially by the web-based manager. When you add or edit exclude
ranges from the CLI you must specify the ID number.
Starting IP The starting IP of the exclude range.
Ending IP The ending IP of the exclude range.
Delete Delete an exclude range.
Edit/View icon View or modify an exclude range.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 83
Page 84
IP/MAC binding System DHCP
DHCP exclude range settings
The range cannot exceed 65536 IP addresses.
Figure 25: Exclude range settings
Starting IP Enter the starting IP of an exclude range.
Ending IP Enter the ending IP of an exclude range.
To add an exclusion range
1 Go to System > DHCP > Exclude Range.
2 Select Create New.
3 Add the starting IP and ending IP.
4 Select OK to save the exclusion range.
IP/MAC binding
If you have added DHCP servers, you can use DHCP IP/MAC binding to reserve an
IP address for a particular device on the network according to the MAC address of the
device. When you add the MAC address and an IP address to the IP/MAC binding list,
the DHCP server always assigns this IP address to the MAC address. IP/MAC binding
pairs apply to all FortiGate DHCP servers.
Figure 26: IP/MAC binding list
Create New Select Create New to add a DHCP IP/MAC binding pair.
Name The name for the IP and MAC address pair.
IP Address The IP address for the IP and MAC address pair. The IP address must be
within the configured IP range.
MAC Address The MAC address of the device.
Delete icon. Delete an IP/MAC binding pair.
Edit/View icon. View or modify an IP/MAC binding pair.
84 01-28006-0010-20041105 Fortinet Inc.
Page 85
System DHCP Dynamic IP
DHCP IP/MAC binding settings
Figure 27: IP/MAC binding options
Name Enter a name for the IP/MAC address pair.
IP Address Enter the IP address for the IP and MAC address pair. The IP address must
MAC Address Enter the MAC address of the device.
To add a DHCP IP/MAC binding pair
1 Go to System > DHCP > IP/MAC Binding.
2 Select Create New.
3 Add a name for the IP/MAC pair.
4 Add the IP address and MAC address.
5 Select OK to save the IP/MAC pair.
be within the configured IP range.
Dynamic IP
You can view the list of IP addresses that the DHCP server has assigned, their
corresponding MAC addresses, and the expiry time and date for these addresses.
Interface Select to display its dynamic IP list.
IP The IP addresses that the DHCP server has assigned.
MAC The corresponding MAC addresses for the dynamic IP addresses.
Expire The expiry time and date for the dynamic IP addresses and their corresponding
MAC addresses.
To view the dynamic IP list
1 Go to System > DHCP > Dynamic IP.
2 Select the interface for which you want to view the list.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 85
Page 86
Dynamic IP System DHCP
86 01-28006-0010-20041105 Fortinet Inc.
Page 87
FortiGate-3000 Administration Guide Version 2.80 MR6
System config
Use the System Config page to make any of the following changes to the FortiGate
system configuration:
• System time
• Options
• HA
• SNMP
• Replacement messages
• FortiManager
System time
Go to System > Config > Time to set the FortiGate system time.
For effective scheduling and logging, the FortiGate system time must be accurate.
You can either manually set the FortiGate system time or you can configure the
FortiGate unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
Figure 28: System time
System Time The current FortiGate system date and time.
Refresh Select Refresh to update the display of the current FortiGate system date
Time Zone Select the current FortiGate system time zone.
and time.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 87
Page 88
Options System config
Automatically
adjust clock for
daylight saving
changes
Set Time Select Set Time to set the FortiGate system date and time to the correct
Synchronize with
NTP Server
Server Enter the IP address or domain name of the NTP server that the
Syn Interval Specify how often the FortiGate unit should synchronize its time with the
Select the Automatically adjust clock for daylight saving changes check
box if you want the FortiGate system clock to be adjusted automatically
when your time zone changes to daylight saving time and back to
standard time.
date and time.
Select Synchronize with NTP Server to configure the FortiGate unit to
use NTP to automatically set the system date and time. For more
information about NTP and to find the IP address of an NTP server that
you can use, see http://www.ntp.org.
FortiGate unit can use to set its time and date.
NTP server. A typical Syn Interval would be 1440 minutes for the
FortiGate unit to synchronize its time once a day.
To manually set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Refresh to display the current FortiGate system date and time.
3 Select your Time Zone from the list.
4 Optionally, select Automatically adjust clock for daylight saving changes check box.
5 Select Set Time and set the FortiGate system date and time.
6 Set the hour, minute, second, month, day, and year as required.
7 Select Apply.
Options
To use NTP to set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to
automatically set the system time and date.
3 Enter the IP address or domain name of the NTP server that the FortiGate unit can
use to set its time and date.
4 Specify how often the FortiGate unit should synchronize its time with the NTP server.
5 Select Apply.
Go to System > Config > Options to set the following options:
• Timeout settings including the idle timeout and authentication timeout
• The language displayed by the web-based manager
• Front control buttons and LCD PIN protection
• Dead gateway detection interval and failover detection
88 01-28006-0010-20041105 Fortinet Inc.
Page 89
System config Options
Figure 29: System config options
Idle Timeout Set the idle time out to control the amount of inactive time before the
Auth Timeout Set the firewall user authentication timeout to control how long an
Language Select a language for the web-based manager to use. Choose from
LCD Panel Select the PIN Protection check box and type a 6-digit PIN.
Detection Interval Set the dead gateway detection failover interval. Enter a number in
Fail-over Detection Set the ping server dead gateway detection failover number. Enter the
administrator must log in again. The maximum admintimeout is 480
minutes (8 hours). To improve security keep the idle timeout at the default
value of 5 minutes.
authenticated connection can be idle before the user must authenticate
again. The maximum authtimeout is 480 minutes (8 hours). The
default Auth Timeout is 15 minutes.
For more information, see “Setting authentication timeout” on page 242.
English, Simplified Chinese, Japanese, Korean, or French.
Administrators must enter the PIN to use the control buttons and LCD.
See “To set PIN protection for the LCD panel” on page 90.
seconds to specify how often the FortiGate unit pings the target.
number of times that ping fails before the FortiGate unit assumes that the
gateway is no longer functioning.
To set the system idle timeout
1 Go to System > Config > Options.
2 For Idle Timeout, type a number in minutes.
3 Select Apply.
To set the Auth timeout
1 Go to System > Config > Options.
2 For Auth Timeout, type a number in minutes.
3 Select Apply.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 89
Page 90
HA System config
To select a language for the web-based manager
1 Go to System > Config > Options.
2 From the Languages list, select a language for the web-based manager to use.
3 Select Apply.
Note: You should select the language that the management computer operating system uses.
To set PIN protection for the LCD panel
1 Go to System > Config > Options.
2 In the LCD Panel section, select the PIN Protection check box.
3 Type a 6-digit PIN.
4 Select Apply.
To modify the dead gateway detection settings
Modify dead gateway detection to control how the FortiGate unit confirms connectivity
with a ping server added to an interface configuration. For information about adding a
ping server to an interface, see “To add a ping server to an interface” on page 62.
HA
1 Go to System > Config > Options.
2 For Detection Interval, type a number in seconds to specify how often the FortiGate
unit tests the connection to the ping target.
3 For Fail-over Detection, type a number of times that the connection test fails before
the FortiGate unit assumes that the gateway is no longer functioning.
4 Select Apply.
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same
overall security policy and shares the same configuration settings. You can add up to
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the
same model and must be running the same FortiOS firmware image.
The FortiGate units in the cluster use cluster ethernet interfaces to communicate
cluster session information, synchronize the cluster configuration, synchronize the
cluster routing table, and report individual cluster member status. The units in the
cluster are constantly communicating HA status information to make sure that the
cluster is operating properly. This communication is called the HA heartbeat.
FortiGate HA supports link failover, device failover, and HA heartbeat failover.
90 01-28006-0010-20041105 Fortinet Inc.
Page 91
System config HA
Link failover If one of the links to a FortiGate unit in an HA cluster fails, all functions, all
Device failover If one of the FortiGate units in an HA cluster fails, all functions, all established
HA heartbeat
failover
a.HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
established firewall connections, and all IPSec VPN sessionsa are maintained
by the other FortiGate units in the HA cluster. For information about link
failover, see “Monitor priorities” on page 96.
firewall connections, and all IPSec VPN sessions are maintained by the other
FortiGate units in the HA cluster.
You can configure multiple interfaces to be HA heartbeat devices. If an
interface functioning as an HA heartbeat device fails, the HA heartbeat is
transferred to another interface also configured as an HA heartbeat device.
FortiGate units can be configured to operate in active-passive (A-P) or active-active
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route
or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a
primary FortiGate unit that processes traffic, and one or more subordinate FortiGate
units. The subordinate FortiGate units are connected to the network and to the
primary FortiGate unit but do not process traffic.
Active-active (A-A) HA load balances network traffic all the FortiGate units in the
cluster. An active-active HA cluster consists of a primary FortiGate unit that processes
traffic and one or more subordinate units that also process traffic. The primary
FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the
FortiGate units in the HA cluster.
By default the FortiGate unit load balances virus scanning among all of the FortiGate
units in the cluster. Using the CLI, you can configure the FortiGate unit to load balance
all network traffic among the FortiGate units in the cluster. See the FortiGate CLI
Reference Guide for more information.
• HA configuration
• Configuring an HA cluster
• Managing an HA cluster
For more information about FortiGate HA and the FGCP, see the FortiGate High
Availability Guide.
HA configuration
Go to System > Config > HA and use the options described below to configure HA.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 91
Page 92
HA System config
Figure 30: HA configuration
Standalone Mode
Standalone mode is the default operation mode. If Standalone mode is selected the
FortiGate unit is not operating in HA mode.
Select Standalone Mode if you want to stop a cluster unit from operating in HA mode.
High Availability
Select High Availability to operate the FortiGate unit in HA mode. After selecting High
Availability, complete the remainder of the HA configuration.
Cluster Members
When the cluster is operating, you can select Cluster Members to view the status of all
FortiGate units in the cluster. Status information includes the cluster ID, status, up
time, weight, and monitor information. For more information, see “To view the status of
each cluster member” on page 101.
Mode
All members of the HA cluster must be set to the same HA mode.
Active-Active Load balancing and failover HA. Each cluster unit actively processes
Active-Passive Failover HA. The primary FortiGate unit in the cluster processes all
connections and monitors the status of the other FortiGate units in the cluster.
The primary FortiGate unit in the cluster controls load balancing among all of
the cluster units.
connections. All other FortiGate units in the cluster passively monitor the
cluster status and remain synchronized with the primary FortiGate unit.
92 01-28006-0010-20041105 Fortinet Inc.
Page 93
System config HA
Group ID
The group ID range is from 0 to 63. All members of the HA cluster must have the
same group ID.
When the FortiGate units in the cluster are switched to HA mode, all of the interfaces
of all of the units in the cluster acquire the same virtual MAC address. This virtual
MAC address is set according to the group ID. Table 3 lists the virtual MAC address
set for each group ID.
Table 3: HA group ID and MAC address
Group ID MAC Address
0 00-09-0f-06-ff-00
1 00-09-0f-06-ff-01
2 00-09-0f-06-ff-02
3 00-09-0f-06-ff-03
… ...
63 00-09-0f-06-ff-3f
If you have more than one HA cluster on the same network, each cluster should have
a different group ID. If two clusters on the same network have the same group ID, the
duplicate MAC addresses cause addressing conflicts on the network.
Unit Priority
Optionally set the unit priority of the cluster unit. Each cluster unit can have a different
unit priority (the unit priority is not synchronized among cluster members). During HA
negotiation, the unit with the highest unit priority becomes the primary cluster unit. The
unit priority range is 0 to 255. The default unit priority is 128.
You can use the unit priority to control the order in which cluster units become the
primary cluster unit when a cluster unit fails. For example, if you have three
FortiGate-3600s in a cluster you can set the unit priorities as shown in Table 4.
Cluster unit A will always be the primary cluster unit because it has the highest priority.
If cluster unit A fails, cluster unit B becomes the primary cluster unit because cluster
unit B has a higher unit priority than cluster unit C.
Table 4: Example unit priorities for a cluster of three cluster units
Cluster unit Unit priority
A200
B100
C50
The unit priority is not synchronized to all cluster units. Each cluster unit can have a
different unit priority.
In a functioning cluster, if you change the unit priority of the current primary cluster unit
to a lower priority, when the cluster renegotiates a different cluster unit becomes the
primary cluster unit.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 93
Page 94
HA System config
Override Master
Configure a cluster unit to always override the current primary cluster unit and become
the primary cluster unit. Enable override master for the cluster unit that you have given
the highest unit priority. Enabling Override Master means that this cluster unit always
becomes the primary cluster unit.
In a typical FortiGate cluster configuration, the primary unit is selected automatically.
In some situations, you might want to control which unit becomes the primary unit. You
can configure a FortiGate unit as the permanent primary unit by setting a high unit
priority and by selecting override master. With this configuration, the same cluster unit
always becomes the primary cluster unit.
If override master is enabled and the primary cluster unit fails another cluster unit
becomes the primary unit. When the cluster unit with override master enabled rejoins
the cluster it overrides the current primary unit and becomes the new primary unit.
When this override occurs, all communication sessions through the cluster are lost
and must be re-established.
Override master is not synchronized to all cluster units.
In a functioning cluster, if you select override master for a cluster unit the cluster
negotiates and may select a new primary cluster unit.
Password
Enter a password for the HA cluster. The password must be the same for all FortiGate
units in the HA cluster. The maximum password length is 15 characters.
If you have more than one FortiGate HA cluster on the same network, each cluster
should have a different password.
Schedule
If you are configuring an active-active cluster, select a load balancing schedule.
None No load balancing. Select None when the cluster interfaces are connected
Hub Load balancing if the cluster interfaces are connected to a hub. Traffic is
LeastConnection
Round-Robin Round robin load balancing. If the cluster units are connected using
Weighted
Round-Robin
Random Random load balancing. If the cluster units are connected using switches,
to load balancing switches.
distributed to cluster units based on the Source IP and Destination IP of the
packet.
Least connection load balancing. If the cluster units are connected using
switches, select Least Connection to distribute network traffic to the cluster
unit currently processing the fewest connections.
switches, select Round-Robin to distribute network traffic to the next
available cluster unit.
Weighted round robin load balancing. Similar to round robin, but weighted
values are assigned to each of the units in a cluster based on their capacity
and on how many connections they are currently processing. For example,
the primary unit should have a lower weighted value because it handles
scheduling and forwards traffic. Weighted round robin distributes traffic more
evenly because units that are not processing traffic will be more likely to
receive new connections than units that are very busy.
select Random to randomly distribute traffic to cluster units.
94 01-28006-0010-20041105 Fortinet Inc.
Page 95
System config HA
IP Load balancing according to IP address. If the cluster units are connected
IP Port Load balancing according to IP address and port. If the cluster units are
using switches, select IP to distribute traffic to units in a cluster based on the
Source IP and Destination IP of the packet.
connected using switches, select IP Port to distribute traffic to units in a
cluster based on the source IP, source port, destination IP, and destination
port of the packet.
Priorities of Heartbeat Device
Enable or disable HA heartbeat communication and set the heartbeat priority for each
interface in the cluster.
By default HA heartbeat communication is set for two interfaces. You can disable HA
heartbeat communication for either of these interfaces or enable HA heartbeat for
other interfaces. In most cases you can maintain the default heartbeat device
configuration as long as you can connect the heartbeat device interfaces together.
To enable HA heartbeat communication for an interface, enter a priority for the
interface. To disable HA heartbeat communication for an interface, delete the priority
for the interface.
The HA heartbeat priority range is 0 to 512. The interface with the highest priority
handles all HA heartbeat traffic. If this interface fails or becomes disconnected, the
interface with the next highest priority handles all HA heartbeat traffic.
The cluster units use the ethernet interfaces configured with HA heartbeat priorities for
HA heartbeat communication. The HA heartbeat communicates cluster session
information, synchronizes the cluster configuration, synchronizes the cluster routing
table, and reports individual cluster member status. The HA heartbeat constantly
communicates HA status information to make sure that the cluster is operating
properly.
You can enable heartbeat communications for physical interfaces, but not for VLAN
subinterfaces.
Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails,
the HA heartbeat can be diverted to another interface.
HA heartbeat traffic can use a considerable amount of network bandwidth. If possible,
enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on
interfaces connected to less busy networks.
Table 5: Default heartbeat device configuration
FortiGate model Default heartbeat device Default priority
FortiGate-3000 Port 3 50
Port 4/HA 100
Change the heartbeat device priorities as required to control the interface that is used
for heartbeat traffic and the interface to which heartbeat traffic reverts if the interface
with the highest heartbeat priority fails or is disconnected.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 95
Page 96
HA System config
Setting the heartbeat priority for more interfaces increases the reliability of the cluster.
To optimize bandwidth use, you can route most heartbeat traffic to interfaces that
handle less network traffic. You can also create a failover path by setting heartbeat
priorities so that you can control the order in which interfaces are used for heartbeat
traffic.
The heartbeat priority must be set for at least one cluster interface. If heartbeat
communication is interrupted the cluster stops processing traffic.
Heartbeat device IP addresses
You do not need to assign IP addresses to the heartbeat device interfaces for them to
be able to process heartbeat packets. In HA mode the cluster assigns virtual IP
addresses to the heartbeat device interfaces. The primary cluster unit heartbeat
device interface is assigned the IP address 10.0.0.1 and the subordinate unit is
assigned the IP address 10.0.0.2. A third cluster unit would be assigned the IP
address 10.0.0.3 and so on.
For best results, isolate each heartbeat device on its own network. Heartbeat packets
contain sensitive information about the cluster configuration. Also, heartbeat packets
may use a considerable amount of network bandwidth and it is preferable to isolate
this traffic from your user networks. The extra bandwidth used by heartbeat packets
could also reduce the capacity of the interface to process network traffic.
For most FortiGate models if you do not change the heartbeat device configuration,
you would isolate the HA interfaces of all of the cluster units by connecting them all to
the same switch. If the cluster consists of two FortiGate units you can connect the
heartbeat device interfaces directly using a crossover cable.
HA heartbeat and data traffic are supported on the same FortiGate interface. In
NAT/Route mode, if you decide to use the heartbeat device interfaces for processing
network traffic or for a management connection, you can assign the interface any IP
address. This IP address does not affect the heartbeat traffic. In Transparent mode,
you can connect the interface to your network.
Monitor priorities
Enable or disable monitoring a FortiGate interface to verify that the interface is
functioning properly and connected to its network. If a monitored interface fails or is
disconnected from its network the interface leaves the cluster. The cluster reroutes
the traffic being processed by that interface to the same interface of another cluster
unit in the cluster that still has a connection to the network. This other cluster unit
becomes the new primary cluster unit.
If you can re-establish traffic flow through the interface (for example, if you re-connect
a disconnected network cable) the interface rejoins the cluster. If Override Master is
enabled for this FortiGate unit (see “Override Master” on page 94), this FortiGate unit
becomes the primary unit in the cluster again.
Note: Only monitor interfaces that are connected to networks.
96 01-28006-0010-20041105 Fortinet Inc.
Page 97
System config HA
Note: You can monitor physical interfaces, but not VLAN subinterfaces.
Increase the priority of interfaces connected to higher priority networks or networks
with more traffic. The monitor priority range is 0 to 512.
If a high priority interface on the primary cluster unit fails, one of the other units in the
cluster becomes the new primary unit to provide better service to the high priority
network.
If a low priority interface fails on one cluster unit and a high priority interface fails on
another cluster unit, a unit in the cluster with a working connection to the high priority
interface would, if it becomes necessary to negotiate a new primary unit, be selected
instead of a unit with a working connection to the low priority interface.
• Configuring an HA cluster
• Managing an HA cluster
Configuring an HA cluster
Use the following procedures to create an HA cluster consisting of two or more
FortiGate units. These procedures describe how to configure each of the FortiGate
units for HA operation and then how to connect the FortiGate units to form a cluster.
Once the cluster is connected you can configure it in the same way as you would
configure a standalone FortiGate unit.
• To configure a FortiGate unit for HA operation
• To connect a FortiGate HA cluster
• To add a new unit to a functioning cluster
• To configure weighted-round-robin weights
To configure a FortiGate unit for HA operation
Each FortiGate unit in the cluster must have the same HA configuration. Use the
following procedure to configure each FortiGate unit for HA operation.
Note: The following procedure does not include steps for configuring interface heartbeat
devices and interface monitoring. Both of these HA settings should be configured after the
cluster is up and running.
1 Power on the FortiGate unit to be configured.
2 Connect to the web-based manager.
3 Give the FortiGate unit a unique host name.
See “To change FortiGate host name” on page 35. Use host names to identify
individual cluster units.
4 Go to System > Config > HA.
5 Select HA.
6 Select the HA mode.
7 Select a Group ID for the cluster.
The Group ID must be the same for all FortiGate units in the HA cluster.
FortiGate-3000 Administration Guide 01-28006-0010-20041105 97
Page 98
HA System config
8 Optionally change the Unit Priority.
See “Unit Priority” on page 93.
9 If required, select Override master.
See “Override Master” on page 94.
10 Enter and confirm a password for the HA cluster.
11 If you are configuring Active-Active HA, select a schedule.
See “Schedule” on page 94.
12 Select Apply.
The FortiGate unit negotiates to establish an HA cluster. When you select apply you
may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates.
13 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and
then repeat this procedure for all the FortiGate units in the cluster. Once all of the units
are configured, continue with “To connect a FortiGate HA cluster” on page 98.
14 If you are configuring a Transparent mode cluster, reconnect to the web-based
manager.
You may have to wait a few minutes before you can reconnect.
15 Go to System > Status.
16 Select Change to Transparent Mode and select OK to switch the FortiGate unit to
Transparent mode.
17 Power off the FortiGate unit.
18 Repeat this procedure for all of the FortiGate units in the cluster then continue with
“To connect a FortiGate HA cluster” on page 98.
To connect a FortiGate HA cluster
Use the following procedure to connect a cluster operating in NAT/Route mode or
Transparent mode. Connect the FortiGate units in the cluster to each other and to
your network. You must connect all matching interfaces in the cluster to the same hub
or switch. Then you must connect these interfaces to their networks using the same
hub or switch.
Fortinet recommends using switches for all cluster connections for the best
performance.
The FortiGate units in the cluster use cluster ethernet interfaces to communicate
cluster session information, synchronize the cluster configuration, and report
individual cluster member status. The units in the cluster are constantly
communicating HA status information to make sure that the cluster is operating
properly. This cluster communication is also called the cluster heartbeat.
98 01-28006-0010-20041105 Fortinet Inc.
Page 99
System config HA
Inserting an HA cluster into your network temporarily interrupts communications on
the network because new physical connections are being made to route traffic through
the cluster. Also, starting the cluster interrupts network traffic until the individual
FortiGate units in the cluster are functioning and the cluster completes negotiation.
Cluster negotiation normally takes just a few seconds. During system startup and
negotiation all network traffic is dropped.
1 Connect the cluster units.
• Connect the internal interfaces of each FortiGate unit to a switch or hub connected
to your internal network.
• Connect the external interfaces of each FortiGate unit to a switch or hub connected
to your external network.
• Optionally connect ports 1, 2, and 3 of each FortiGate unit to switches or hubs
connected to other networks.
• Connect the 4/HA interfaces of the FortiGate units to another switch or hub.
Figure 31: HA network configuration
Internal
Esc Enter
123 4/HA INTERNAL EXTERNAL
Hub or
POWER
Hi-Temp
12
4/HA
HA
External
3
INT
EXT
Switch
Hub or
Switch
HA
POWER
12
Esc Enter
123 4/HA INTERNAL EXTERNAL
Internal
Hi-Temp
3
INT
4/HA
EXT
External
Internet
2 Power on all the FortiGate units in the cluster.
As the units start, they negotiate to choose the primary cluster unit and the
subordinate units. This negotiation occurs with no user intervention and normally just
takes a few seconds.
You can now configure the cluster as if it is a single FortiGate unit.
Router
FortiGate-3000 Administration Guide 01-28006-0010-20041105 99
Page 100
HA System config
To add a new unit to a functioning cluster
1 Configure the new FortiGate unit for HA operation with the same HA configuration as
the other units in the cluster.
2 If the cluster is running in Transparent mode, change the operating mode of the new
FortiGate unit to Transparent mode.
3 Connect the new FortiGate unit to the cluster.
4 Power on the new FortiGate unit.
When the unit starts it negotiates to join the cluster. After it joins the cluster, the cluster
synchronizes the new unit configuration with the configuration of the primary unit.
To configure weighted-round-robin weights
By default, in active-active HA mode the weighted round-robin schedule assigns the
same weight to each FortiGate unit in the cluster. If you configure a cluster to use the
weighted round-robin schedule, from the CLI you can use config system ha
weight to configure a weight value for each cluster unit. The weight value sets the
maximum number of connections that are sent to a cluster unit before a connection
can be sent to the next cluster unit. You can set weight values to control the number of
connections processed by each cluster unit. For example, you might want to reduce
the number of connections processed by the primary cluster unit by increasing the
weight assigned to the subordinate cluster units.
Weight values are entered as two values; the priority order of the unit in the cluster (in
the range 0 to 31) followed by its weight (also in the range 0 to 31). For example, if
you have a cluster of three FortiGate units, you can enter the following command to
configure the weight values for each unit:
config system ha
set ha weight 0 1 1 3 2 3
end
This command has the following results:
• The first connection is processed by the primary unit (priority 0, weight 1)
• The next three connections are processed by the first subordinate unit (priority 1,
weight 3)
• The next three connections are processed by the second subordinate unit (priority
2, weight 3)
The subordinate units process more connections than the primary unit, and both
subordinate units, on average, process the same number of connections.
Managing an HA cluster
The configurations of all of the FortiGate units in the cluster are synchronized so that
the FortiGate units can function as a cluster. Because of this synchronization, you
manage the HA cluster instead of managing the individual FortiGate units in the
cluster. You manage the cluster by connecting to the web-based manager using any
cluster interface configured for HTTPS administrative access. You can also manage
the cluster by connecting to the CLI using any cluster interface configured for SSH
administrative access.
100 01-28006-0010-20041105 Fortinet Inc.
Loading...