Fortinet FortiGate FortiGate-300A Administration Manual

FortiGate-300A Administration Guide
Version 2.80 MR6
5 November 2004
© Copyright 2004 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-300A Administration Guide Version 2.80 MR6 5 November 2004 01-28006-0092-20041105
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Table of Contents
Introduction .......................................................................................................... 13
About FortiGate Antivirus Firewalls................................................................................... 13
Antivirus protection ....................................................................................................... 14
Web content filtering ..................................................................................................... 14
Spam filtering ................................................................................................................ 15
Firewall.......................................................................................................................... 15
VLANs and virtual domains........................................................................................... 17
Intrusion Prevention System (IPS)................................................................................ 17
VPN............................................................................................................................... 17
High availability ............................................................................................................. 18
Secure installation, configuration, and management .................................................... 19
Document conventions ..................................................................................................... 20
FortiGate documentation .................................................................................................. 22
Comments on Fortinet technical documentation........................................................... 22
Related documentation ..................................................................................................... 22
FortiManager documentation ........................................................................................ 23
FortiClient documentation ............................................................................................. 23
FortiMail documentation................................................................................................ 23
FortiLog documentation ................................................................................................ 23
Customer service and technical support........................................................................... 24
Contents
System status....................................................................................................... 25
Console access................................................................................................................. 25
Status................................................................................................................................ 26
Viewing system status .................................................................................................. 26
Changing unit information ............................................................................................. 29
Session list........................................................................................................................ 31
Changing the FortiGate firmware...................................................................................... 32
Upgrading to a new firmware version ........................................................................... 33
Reverting to a previous firmware version...................................................................... 35
Installing firmware images from a system reboot using the CLI ................................... 37
Testing a new firmware image before installing it ......................................................... 40
Installing and using a backup firmware image .............................................................. 42
System network ................................................................................................... 47
Interface............................................................................................................................ 47
Interface settings........................................................................................................... 48
Configuring interfaces ................................................................................................... 53
Zone.................................................................................................................................. 57
Zone settings ................................................................................................................ 58
Management..................................................................................................................... 59
DNS .................................................................................................................................. 60
Routing table (Transparent Mode) .................................................................................... 61
Routing table list ........................................................................................................... 61
Transparent mode route settings .................................................................................. 62
VLAN overview ................................................................................................................. 62
FortiGate units and VLANs ........................................................................................... 63
VLANs in NAT/Route mode .............................................................................................. 63
Rules for VLAN IDs....................................................................................................... 64
Rules for VLAN IP addresses ....................................................................................... 64
Adding VLAN subinterfaces .......................................................................................... 65
VLANs in Transparent mode............................................................................................. 66
Rules for VLAN IDs....................................................................................................... 68
Transparent mode virtual domains and VLANs ............................................................ 68
Transparent mode VLAN list......................................................................................... 69
Transparent mode VLAN settings................................................................................. 69
FortiGate IPv6 support...................................................................................................... 71
System DHCP ....................................................................................................... 73
Service.............................................................................................................................. 73
DHCP service settings .................................................................................................. 74
Server ............................................................................................................................... 75
DHCP server settings ................................................................................................... 76
Exclude range ................................................................................................................... 77
DHCP exclude range settings....................................................................................... 78
IP/MAC binding ................................................................................................................. 78
DHCP IP/MAC binding settings .................................................................................... 79
Dynamic IP........................................................................................................................ 79
System config ...................................................................................................... 81
System time ...................................................................................................................... 81
Options.............................................................................................................................. 82
HA..................................................................................................................................... 84
HA configuration ........................................................................................................... 85
Configuring an HA cluster ............................................................................................. 91
Managing an HA cluster................................................................................................ 95
SNMP................................................................................................................................ 98
Configuring SNMP ........................................................................................................ 98
SNMP community ......................................................................................................... 99
FortiGate MIBs............................................................................................................ 102
FortiGate traps ............................................................................................................ 102
Fortinet MIB fields ....................................................................................................... 104
Replacement messages ................................................................................................. 106
Replacement messages list ........................................................................................ 107
Changing replacement messages .............................................................................. 108
FortiManager................................................................................................................... 109
System administration ...................................................................................... 111
Administrators ................................................................................................................. 111
Administrators list........................................................................................................ 112
Administrators options ................................................................................................ 112
Access profiles................................................................................................................ 113
Access profile list ........................................................................................................ 114
Access profile options ................................................................................................. 114
System maintenance ......................................................................................... 117
Backup and restore......................................................................................................... 117
Backing up and Restoring........................................................................................... 118
Update center ................................................................................................................. 120
Updating antivirus and attack definitions .................................................................... 122
Enabling push updates ............................................................................................... 125
Support ........................................................................................................................... 127
Sending a bug report .................................................................................................. 128
Registering a FortiGate unit ........................................................................................ 129
Shutdown........................................................................................................................ 131
System virtual domain....................................................................................... 133
Virtual domain properties ................................................................................................ 134
Exclusive virtual domain properties ............................................................................ 134
Shared configuration settings ..................................................................................... 135
Administration and management ................................................................................ 136
Virtual domains ............................................................................................................... 136
Adding a virtual domain .............................................................................................. 137
Selecting a virtual domain........................................................................................... 137
Selecting a management virtual domain..................................................................... 137
Configuring virtual domains ............................................................................................ 138
Adding interfaces, VLAN subinterfaces, and zones to a virtual domain ..................... 138
Configuring routing for a virtual domain ...................................................................... 140
Configuring firewall policies for a virtual domain......................................................... 140
Configuring IPSec VPN for a virtual domain ............................................................... 142
Router ................................................................................................................. 143
Static............................................................................................................................... 143
Static route list ............................................................................................................ 145
Static route options ..................................................................................................... 146
Policy .............................................................................................................................. 147
Policy route list............................................................................................................ 147
Policy route options..................................................................................................... 148
RIP.................................................................................................................................. 148
General ....................................................................................................................... 149
Networks list................................................................................................................ 150
Networks options ........................................................................................................ 151
Interface list................................................................................................................. 151
Interface options ......................................................................................................... 152
Distribute list ............................................................................................................... 153
Distribute list options................................................................................................... 154
Offset list ..................................................................................................................... 155
Offset list options ........................................................................................................ 155
Router objects................................................................................................................. 156
Access list ................................................................................................................... 156
New access list ........................................................................................................... 156
New access list entry .................................................................................................. 157
Prefix list ..................................................................................................................... 157
New Prefix list ............................................................................................................. 158
New prefix list entry..................................................................................................... 159
Route-map list............................................................................................................. 159
New Route-map .......................................................................................................... 160
Route-map list entry.................................................................................................... 161
Key chain list............................................................................................................... 162
New key chain............................................................................................................. 162
Key chain list entry...................................................................................................... 163
Monitor............................................................................................................................ 164
Routing monitor list ..................................................................................................... 164
CLI configuration............................................................................................................. 165
get router info ospf ...................................................................................................... 165
get router info protocols .............................................................................................. 165
get router info rip......................................................................................................... 166
config router ospf ....................................................................................................... 166
config router static6..................................................................................................... 189
Firewall................................................................................................................ 191
Policy .............................................................................................................................. 192
How policy matching works......................................................................................... 192
Policy list ..................................................................................................................... 192
Policy options.............................................................................................................. 193
Advanced policy options ............................................................................................. 196
Configuring firewall policies ........................................................................................ 198
Policy CLI configuration .............................................................................................. 199
Address........................................................................................................................... 200
Address list ................................................................................................................. 201
Address options .......................................................................................................... 201
Configuring addresses ................................................................................................ 202
Address group list ....................................................................................................... 203
Address group options ................................................................................................ 203
Configuring address groups........................................................................................ 204
Service............................................................................................................................ 204
Predefined service list................................................................................................. 205
Custom service list...................................................................................................... 208
Custom service options............................................................................................... 208
Configuring custom services....................................................................................... 210
Service group list ........................................................................................................ 211
Service group options ................................................................................................. 211
Configuring service groups ......................................................................................... 212
Schedule......................................................................................................................... 212
One-time schedule list ................................................................................................ 213
One-time schedule options ......................................................................................... 213
Configuring one-time schedules ................................................................................. 214
Recurring schedule list................................................................................................ 214
Recurring schedule options ........................................................................................ 215
Configuring recurring schedules ................................................................................. 215
Virtual IP ......................................................................................................................... 216
Virtual IP list ................................................................................................................ 217
Virtual IP options......................................................................................................... 217
Configuring virtual IPs................................................................................................. 218
IP pool............................................................................................................................. 221
IP pool list ................................................................................................................... 221
IP pool options ............................................................................................................ 222
Configuring IP pools.................................................................................................... 222
IP Pools for firewall policies that use fixed ports ......................................................... 223
IP pools and dynamic NAT ......................................................................................... 223
Protection profile ............................................................................................................. 223
Protection profile list.................................................................................................... 224
Default protection profiles ........................................................................................... 224
Protection profile options ............................................................................................ 225
Configuring protection profiles .................................................................................... 229
CLI configuration......................................................................................................... 230
Users and authentication .................................................................................. 235
Setting authentication timeout......................................................................................... 236
Local ............................................................................................................................... 236
Local user list .............................................................................................................. 236
Local user options....................................................................................................... 236
RADIUS .......................................................................................................................... 237
RADIUS server list ...................................................................................................... 237
RADIUS server options............................................................................................... 238
LDAP............................................................................................................................... 238
LDAP server list .......................................................................................................... 239
LDAP server options ................................................................................................... 239
User group ...................................................................................................................... 241
User group list............................................................................................................. 241
User group options...................................................................................................... 242
CLI configuration............................................................................................................. 243
peer............................................................................................................................. 243
peergrp........................................................................................................................ 244
VPN...................................................................................................................... 247
Phase 1........................................................................................................................... 248
Phase 1 list ................................................................................................................. 248
Phase 1 basic settings ................................................................................................ 249
Phase 1 advanced options.......................................................................................... 250
Configuring XAuth....................................................................................................... 251
Phase 2........................................................................................................................... 252
Phase 2 list ................................................................................................................. 252
Phase 2 basic settings ................................................................................................ 253
Phase 2 advanced options.......................................................................................... 254
Manual key...................................................................................................................... 255
Manual key list ............................................................................................................ 256
Manual key options ..................................................................................................... 256
Concentrator ................................................................................................................... 257
Concentrator list.......................................................................................................... 257
Concentrator options................................................................................................... 258
Ping Generator................................................................................................................ 258
Ping generator options................................................................................................ 259
Monitor............................................................................................................................ 259
Dialup monitor............................................................................................................. 260
Static IP and dynamic DNS monitor............................................................................ 260
PPTP............................................................................................................................... 261
Setting up a PPTP-based VPN ................................................................................... 261
Enabling PPTP and specifying a PPTP range ............................................................ 262
Configuring a Windows 2000 client for PPTP ............................................................. 263
Configuring a Windows XP client for PPTP ................................................................ 263
PPTP passthrough...................................................................................................... 264
L2TP .............................................................................................................................. 265
Setting up an L2TP-based VPN.................................................................................... 266
Enabling L2TP and specifying an L2TP range............................................................ 266
Configuring a Windows 2000 client for L2TP.............................................................. 267
Configuring a Windows XP client for L2TP ................................................................. 268
Certificates ...................................................................................................................... 270
Viewing the certificate list............................................................................................ 271
Generating a certificate request.................................................................................. 271
Installing a signed certificate ...................................................................................... 273
Enabling VPN access for specific certificate holders ................................................. 274
CLI configuration............................................................................................................. 275
ipsec phase1............................................................................................................... 275
ipsec phase2............................................................................................................... 277
ipsec vip ...................................................................................................................... 278
Authenticating peers with preshared keys ...................................................................... 280
Gateway-to-gateway VPN............................................................................................... 280
Dialup VPN ..................................................................................................................... 281
Dynamic DNS VPN ......................................................................................................... 281
Manual key IPSec VPN................................................................................................... 282
Adding firewall policies for IPSec VPN tunnels............................................................... 282
Setting the encryption policy direction ........................................................................ 282
Setting the source address for encrypted traffic ......................................................... 282
Setting the destination address for encrypted traffic ................................................... 283
Adding an IPSec firewall encryption policy ................................................................. 283
Internet browsing through a VPN tunnel ......................................................................... 283
Configuring Internet browsing through a VPN tunnel.................................................. 284
IPSec VPN in Transparent mode.................................................................................... 285
Special rules ............................................................................................................... 285
Hub and spoke VPNs...................................................................................................... 286
Configuring the hub..................................................................................................... 286
Configuring spokes ..................................................................................................... 288
Redundant IPSec VPNs.................................................................................................. 289
Configuring redundant IPSec VPNs............................................................................ 289
Configuring IPSec virtual IP addresses .......................................................................... 290
Troubleshooting .............................................................................................................. 292
IPS ....................................................................................................................... 293
Signature......................................................................................................................... 294
Predefined................................................................................................................... 294
Custom........................................................................................................................ 298
Anomaly.......................................................................................................................... 300
Anomaly CLI configuration.......................................................................................... 303
Configuring IPS logging and alert email.......................................................................... 304
Default fail open setting .................................................................................................. 304
Antivirus ............................................................................................................. 305
File block......................................................................................................................... 306
File block list ............................................................................................................... 307
Configuring the file block list ....................................................................................... 308
Quarantine ...................................................................................................................... 308
Quarantined files list ................................................................................................... 308
Quarantined files list options....................................................................................... 309
AutoSubmit list ............................................................................................................ 310
AutoSubmit list options ............................................................................................... 310
Configuring the AutoSubmit list................................................................................... 310
Config.......................................................................................................................... 311
Config.............................................................................................................................. 312
Virus list ...................................................................................................................... 312
Config.......................................................................................................................... 312
Grayware .................................................................................................................... 313
Grayware options........................................................................................................ 313
CLI configuration............................................................................................................. 314
heuristic....................................................................................................................... 314
quarantine ................................................................................................................... 315
service http.................................................................................................................. 316
service ftp.................................................................................................................... 317
service pop3................................................................................................................ 318
service imap................................................................................................................ 319
service smtp................................................................................................................ 320
Web filter............................................................................................................. 323
Content block.................................................................................................................. 324
Web content block list ................................................................................................. 325
Web content block options.......................................................................................... 325
Configuring the web content block list ........................................................................ 326
URL block ....................................................................................................................... 326
Web URL block list...................................................................................................... 327
Web URL block options .............................................................................................. 327
Configuring the web URL block list ............................................................................. 327
Web pattern block list.................................................................................................. 328
Web pattern block options .......................................................................................... 329
Configuring web pattern block .................................................................................... 329
URL exempt.................................................................................................................... 329
URL exempt list........................................................................................................... 330
URL exempt list options .............................................................................................. 330
Configuring URL exempt............................................................................................. 330
Category block ................................................................................................................ 331
FortiGuard managed web filtering service .................................................................. 331
Category block configuration options .......................................................................... 332
Configuring web category block.................................................................................. 333
Category block reports................................................................................................ 333
Category block reports options ................................................................................... 334
Generating a category block report............................................................................. 334
Category block CLI configuration................................................................................ 334
Script filter ....................................................................................................................... 335
Web script filter options............................................................................................... 336
Spam filter .......................................................................................................... 337
IP address....................................................................................................................... 340
IP address list ............................................................................................................. 340
IP address options ...................................................................................................... 340
Configuring the IP address list .................................................................................... 340
RBL & ORDBL ................................................................................................................ 341
RBL & ORDBL list....................................................................................................... 342
RBL & ORDBL options................................................................................................ 342
Configuring the RBL & ORDBL list ............................................................................. 342
Email address ................................................................................................................. 343
Email address list........................................................................................................ 343
Email address options................................................................................................. 343
Configuring the email address list............................................................................... 343
MIME headers................................................................................................................. 344
MIME headers list ....................................................................................................... 345
MIME headers options ................................................................................................ 345
Configuring the MIME headers list.............................................................................. 345
Banned word................................................................................................................... 346
Banned word list ......................................................................................................... 346
Banned word options .................................................................................................. 347
Configuring the banned word list ................................................................................ 348
Using Perl regular expressions....................................................................................... 348
Log & Report ...................................................................................................... 351
Log config ....................................................................................................................... 352
Log Setting options ..................................................................................................... 352
Alert E-mail options..................................................................................................... 356
Log filter options.......................................................................................................... 357
Configuring log filters .................................................................................................. 360
Enabling traffic logging................................................................................................ 360
Log access...................................................................................................................... 361
Disk log file access ..................................................................................................... 361
Viewing log messages ................................................................................................ 363
Searching log messages............................................................................................. 365
CLI configuration............................................................................................................. 366
fortilog setting.............................................................................................................. 366
syslogd setting ............................................................................................................ 367
FortiGuard categories ....................................................................................... 371
FortiGate maximum values ............................................................................... 377
Glossary ............................................................................................................. 381
Index .................................................................................................................... 385
Introduction
FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
This chapter introduces you to FortiGate Antivirus Firewalls and the following topics:
About FortiGate Antivirus Firewalls
Document conventions
FortiGate documentation
Related documentation
Customer service and technical support
About FortiGate Antivirus Firewalls
The FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.
The FortiGate-300A model meets enterprise-class requirements for performance, availability, and reliability. The FortiGate-300A also supports advanced features such as 802.1Q VLAN support, virtual domains, high availability (HA), and the RIP and OSPF routing protocols. High-availability features include automatic failover with no session loss, making the FortiGate-300A the choice for mission critical applications.
Antivirus protection
FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. FortiGate antivirus protection uses pattern matching and heuristics to find viruses. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.
For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiGate unit. You can use the feature to stop files that might contain new viruses.
FortiGate antivirus protection can also identify and remove known grayware programs. Grayware programs are usually unsolicited commercial software programs that get installed on PCs, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious means.
If the FortiGate unit contains a hard disk, infected or blocked files and grayware files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time.
The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in email that has been encoded using uuencode format,
detect viruses in email that has been encoded using MIME encoding,
log all actions taken while scanning.
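The certification points above (PKZip, uuencode, MIME encoding) all come down to one requirement: the scanner must unwrap each transfer encoding and archive layer before matching signatures, because a pattern that is plainly visible in the original file is invisible in its base64, uuencoded or deflated form. The following is an added example written for this guide, not FortiGate code and not a description of the FortiGate engine; the signature bytes, the addresses and the attachment names are constructed for the example.

```python
"""Added example, not FortiGate code: a signature scanner that unwraps the
encodings named above (MIME transfer encoding, uuencode, PKZip) before
matching, and a constructed message to run it on. The signature bytes,
addresses and file names are assumptions for this example only."""
import binascii
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed test signature; a real engine carries a database of patterns.
SIGNATURES = {"test-sig": b"CONSTRUCTED-TEST-SIGNATURE-0001"}


def _uuencode(data: bytes, name: str) -> str:
    """uuencode `data` the way a mail client would (45 raw bytes per line)."""
    lines = ["begin 644 " + name]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def _uudecode(text: str) -> bytes:
    """Decode the first 'begin ... end' block found in `text`."""
    out, inside = bytearray(), False
    for line in text.splitlines():
        if line.startswith("begin "):
            inside = True
        elif line == "end":
            break
        elif inside and line:
            out += binascii.a2b_uu(line)
    return bytes(out)


def _unwrap(blob: bytes, depth: int = 0):
    """Yield `blob` and, if it is a PKZip archive, each member (bounded nesting)."""
    yield blob
    if depth < 3 and blob.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    yield from _unwrap(zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass


def scan_bytes(data: bytes):
    """Return the signature name found in `data` or any archive member, else None."""
    for blob in _unwrap(data):
        for name, sig in SIGNATURES.items():
            if sig in blob:
                return name
    return None


def scan_message(raw: str):
    """Scan every MIME part of `raw`; return [(part label, signature name)]."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        candidates = [payload]
        text = payload.decode("ascii", "replace")
        if "\nbegin " in "\n" + text:                     # uuencoded block inside a text body
            candidates.append(_uudecode(text))
        for blob in candidates:
            hit = scan_bytes(blob)
            if hit:
                hits.append((part.get_filename() or part.get_content_type(), hit))
                break
    return hits


def build_sample() -> str:
    """Constructed message: the signature inside a zipped .exe attached as
    base64, plus a uuencoded copy pasted into the text body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ" + SIGNATURES["test-sig"] + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.\n\n" + _uuencode(b"note " + SIGNATURES["test-sig"], "note.bin"))
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_string()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Searching the raw SMTP stream for the signature finds nothing, because neither copy survives its encoding; scanning after decoding the transfer encoding, the uuencode block and the zip members finds both. That is the difference between a scanner that is ICSA-certified for these formats and a plain pattern match on the wire.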
Web content filtering
FortiGate web content filtering can scan all HTTP content protocol streams for URLs, URL patterns, and web page content. If a requested URL matches an entry in the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.
FortiGate web content filtering also supports FortiGuard web category blocking. Using web category blocking you can restrict or allow access to web pages based on content ratings of web pages.
You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists. Web traffic to and from an exempt URL is also exempt from virus scanning, so an exempt entry switches off every check for that site, not only URL and content blocking; add only sites you trust.
Web content filtering also includes a script filter feature that can block insecure web content such as Java applets, cookies, and ActiveX controls.
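The decision order described above, with the exempt list checked first so that it overrides the block lists, and with the consequence that exempt traffic is not virus scanned, is modelled in the following added example. It is not FortiGate code; the host names, paths, phrases and replacement message are constructed for the example.

```python
"""Added example, not FortiGate code: the web-filter decision order
described above (URL exempt list, URL block list, URL pattern block,
content block) over constructed lists and requests. Host names, paths and
phrases are assumptions for this example only."""
import re
from urllib.parse import urlsplit

# Constructed lists. A URL block entry is "host" or "host/path": "host" blocks
# the whole site, "host/path" blocks only that part of it.
URL_BLOCK = ["bad.example.net", "example.org/downloads"]
URL_PATTERN_BLOCK = [r"\.example\.org/cgi-bin/.*\.cgi$"]   # Perl-style regexes
CONTENT_BLOCK = ["free casino", "cheap pills"]              # words or phrases
URL_EXEMPT = ["example.org/downloads/trusted"]
BLOCK_PAGE = "This page has been blocked by the administrator."   # replacement message


def _url_entry_matches(url: str, entry: str) -> bool:
    """Host part matches the host or any subdomain; path part is a prefix match."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    e_host, _, e_path = entry.lower().partition("/")
    e_path = "/" + e_path                       # "" -> "/" means the whole site
    host_ok = host == e_host or host.endswith("." + e_host)
    path_ok = e_path == "/" or path == e_path or path.startswith(e_path + "/")
    return host_ok and path_ok


def filter_request(url: str, page_body: str):
    """Return (action, reason, av_scanned) for one fetched page.

    action is "pass" or "block"; av_scanned says whether antivirus scanning
    still applies to what the client receives: False for exempt traffic
    (the exemption skips virus scanning too) and for blocked pages (nothing
    from the site is delivered)."""
    if any(_url_entry_matches(url, e) for e in URL_EXEMPT):
        return ("pass", "url-exempt", False)
    if any(_url_entry_matches(url, e) for e in URL_BLOCK):
        return ("block", "url-block", False)
    if any(re.search(p, url) for p in URL_PATTERN_BLOCK):
        return ("block", "url-pattern", False)
    lowered = page_body.lower()
    for phrase in CONTENT_BLOCK:
        if phrase in lowered:
            return ("block", "content-block:" + phrase, False)
    return ("pass", "clean", True)


def response_for(url: str, page_body: str) -> str:
    """What the client receives: the page itself, or the replacement message."""
    action, _, _ = filter_request(url, page_body)
    return page_body if action == "pass" else BLOCK_PAGE


if __name__ == "__main__":
    for u in ["http://www.example.org/index.html",
              "http://www.example.org/downloads/setup.exe",
              "http://www.example.org/downloads/trusted/patch.bin"]:
        print(u, filter_request(u, "Welcome"))
```

Note how the exempt entry `example.org/downloads/trusted` punches a hole through the broader `example.org/downloads` block entry and, at the same time, removes that path from virus scanning; the narrower the exempt entry, the smaller that hole.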
Spam filtering
FortiGate spam filtering can scan all POP3, SMTP, and IMAP email content for spam. You can configure spam filtering to filter mail according to IP address, email address, MIME headers, and content. Mail messages can be identified as spam or clear.
You can also add the names of known Real-time Blackhole List (RBL) and Open Relay Database List (ORDBL) servers. These services contain lists of known spam sources.
If an email message is found to be spam, the FortiGate unit adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag. Spam filtering can also be configured to delete SMTP email messages identified as spam.
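The checks listed above (sender IP address, sender email address, MIME header, banned words in the content) and the subject-line tag are modelled in the following added example, which is not FortiGate code. The lists, the two messages, the tag text and the RBL zone name are constructed for the example; the RBL helper only forms the DNS query name that an RBL or ORDBL client would look up and does not resolve it, so the block runs offline.

```python
"""Added example, not FortiGate code: the spam checks described above
(sender IP list, sender address list, MIME header match, banned-word
regex) applied in order to a constructed message, then subject tagging.
Lists, addresses and the tag text are assumptions for this example; the
RBL check only builds the DNS query name and does not resolve it."""
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed lists.
IP_SPAM = [ipaddress.ip_network("192.0.2.0/24")]
ADDR_SPAM = ["*@spam.example"]                       # '*' wildcard on the From: address
HEADER_SPAM = [("X-Mailer", r"^BulkBlaster\b")]      # (header name, regex on its value)
BANNED_WORDS = [r"\bfree\s+casino\b", r"v[i1]agra"]  # Perl-style regexes, case-insensitive
SPAM_TAG = "[SPAM]"

# Constructed messages.
SAMPLE_SPAM = """From: "Promo Desk" <deals@spam.example>
To: alice@corp.example
Subject: Your weekend offer
X-Mailer: BulkBlaster 2.1
Content-Type: text/plain; charset=us-ascii

Win big at our FREE casino this weekend!
"""

SAMPLE_CLEAN = """From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Lunch
Content-Type: text/plain; charset=us-ascii

Noon at the usual place?
"""


def rbl_query_name(sender_ip: str, rbl_zone: str) -> str:
    """Name an RBL/ORDBL client looks up: reversed IPv4 octets under the list's zone."""
    octets = ipaddress.IPv4Address(sender_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + rbl_zone


def _glob_to_regex(pattern: str) -> str:
    return re.escape(pattern).replace(r"\*", ".*")


def classify(raw: str, sender_ip: str):
    """Return ("spam", reason) on the first matching check, else ("clear", "")."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in IP_SPAM):
        return ("spam", "ip-address")
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if any(re.fullmatch(_glob_to_regex(p), from_addr, re.IGNORECASE) for p in ADDR_SPAM):
        return ("spam", "email-address")
    for name, pattern in HEADER_SPAM:
        if any(re.search(pattern, str(value)) for value in msg.get_all(name, [])):
            return ("spam", "mime-header:" + name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for pattern in BANNED_WORDS:
        if re.search(pattern, text, re.IGNORECASE):
            return ("spam", "banned-word:" + pattern)
    return ("clear", "")


def tag_message(raw: str, sender_ip: str) -> str:
    """Return the message with SPAM_TAG prepended to Subject: when it is spam."""
    verdict, _ = classify(raw, sender_ip)
    msg = email.message_from_string(raw, policy=policy.default)
    if verdict == "spam":
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(SPAM_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{SPAM_TAG} {subject}".strip()
    return msg.as_string()


def subject_of(raw: str) -> str:
    return str(email.message_from_string(raw, policy=policy.default).get("Subject", ""))


if __name__ == "__main__":
    print(classify(SAMPLE_SPAM, "198.51.100.7"), subject_of(tag_message(SAMPLE_SPAM, "198.51.100.7")))
    print(rbl_query_name("192.0.2.10", "bl.example"))
```

The checks are ordered from cheapest to most expensive, and the first hit decides, which is why the same message is reported as `ip-address` spam from one sender address and `email-address` spam from another. A mail client rule on the literal tag `[SPAM]` in the Subject: header is all the recipient then needs.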
Firewall
The FortiGate ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiGate policies include a range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network Address Translation (NAT) mode and Route mode policies,
include mixed NAT and Route mode policies.
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed.
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address translation.
Transparent mode
In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to provide antivirus and content filtering behind an existing firewall solution.
Transparent mode provides the same basic firewall protection as NAT mode. The FortiGate unit passes or blocks the packets it receives according to firewall policies. The FortiGate unit can be inserted in the network at any point without having to make changes to your network or its components. However, some advanced firewall features are available only in NAT/Route mode.
VLANs and virtual domains
FortiGate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiGate unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain. The FortiGate unit can also apply authentication, content filtering, and antivirus protection to VLAN-tagged network and VPN traffic.
The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In NAT/Route mode, you add VLAN subinterfaces to receive and send VLAN packets.
FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configuration for each virtual domain separately. For these configuration settings, each virtual domain is functionally similar to a single FortiGate unit. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time.
Intrusion Prevention System (IPS)
The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. Both the IPS predefined signatures and the IPS engine are upgradeable through the FortiProtect Distribution Network (FDN). You can also create custom signatures.
VPN
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
FortiGate VPN features include the following:
Industry standard and ICSA-certified IPSec VPN, including:
IPSec VPN in NAT/Route and Transparent mode,
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware-accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key based on pre-shared key tunnels,
IPSec VPN using local or CA certificates,
Manual Keys tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection,
DHCP over IPSec,
Secure Internet browsing.
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must be running the same FortiOS firmware image.
FortiGate HA supports link redundancy and device redundancy.
FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic.
Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.
Secure installation, configuration, and management
The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiGate features.
You can also create a basic configuration using the FortiGate front panel control buttons and LCD.
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface. Because plain HTTP carries the administrator login and every configuration change in clear text, use HTTPS for administration and enable administrative access only on interfaces that connect to trusted management networks.
You can use the web-based manager to configure most FortiGate settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. Telnet sends the administrator password in clear text, so prefer SSH, and enable CLI access on an interface only when that interface faces a trusted network.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.
This Administration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiGate CLI, see the FortiGate CLI Reference Guide.
FortiGate-300A Administration Guide 01-28006-0092-20041105 19
Logging and reporting
The FortiGate unit supports logging for various categories of traffic and configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic that was permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the IPS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGate units to log the most recent events and attacks detected by the IPS to the system memory.
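The following is an added example, not code from the manual or from Fortinet: it shows what a remote syslog server on the receiving end of the feed described above can do with the log categories the manual lists, turning denied-traffic, configuration-event and virus-detection records into a summary and into the kind of alerts an alert-email rule would raise. The sample log lines, their key=value field names, the timestamp layout and the deny threshold are all constructed assumptions; they approximate a key=value log feed and are not the documented FortiOS 2.80 log format (see the FortiGate Log Message Reference Guide for that).

```python
"""Added example, not from the FortiGate manual: summarise FortiGate-style
key=value log lines received on a remote syslog server into the report
categories the manual lists (denied traffic, management events, virus
detections) and produce the alerts an alert-email rule would send.

The sample lines, their field names and the timestamp layout are
constructed to approximate a key=value feed; they are not the documented
FortiOS 2.80 format."""
import re
from collections import Counter

# Constructed sample feed (syslog-style, one event per line).
SAMPLE_LOGS = """\
2004-11-05 10:15:02 type=traffic status=accept src=192.168.1.20 dst=203.0.113.5 service=http
2004-11-05 10:15:03 type=traffic status=deny src=198.51.100.7 dst=192.168.1.99 service=telnet
2004-11-05 10:15:04 type=traffic status=deny src=198.51.100.7 dst=192.168.1.99 service=ssh
2004-11-05 10:15:05 type=traffic status=deny src=198.51.100.7 dst=192.168.1.99 service=snmp
2004-11-05 10:15:06 type=event subtype=config user=admin msg="allowaccess changed on port1"
2004-11-05 10:15:07 type=virus virus="Eicar-Test-Signature" src=203.0.113.9 dst=192.168.1.20 service=smtp
2004-11-05 10:15:08 type=traffic status=deny src=192.168.1.31 dst=203.0.113.5 service=ftp
"""

TIMESTAMP_LEN = len("2004-11-05 10:15:02")   # assumed fixed-width leading timestamp
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"


def parse_line(line):
    """Split one log line into a dict; the leading timestamp is kept under 'time'."""
    fields = {"time": line[:TIMESTAMP_LEN]}
    for key, value in KV.findall(line[TIMESTAMP_LEN:]):
        fields[key] = value.strip('"')
    return fields


def summarize(log_text, deny_threshold=3):
    """Build per-category counts and a list of alert strings from a log feed.

    deny_threshold is the number of denied connections from one source address
    that raises an alert; it is a constructed policy, not a FortiGate setting.
    """
    denied_by_src = Counter()
    denied_services = Counter()
    config_changes = 0
    virus_events = []
    virus_alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        kind = ev.get("type")
        if kind == "traffic" and ev.get("status") == "deny":
            denied_by_src[ev.get("src", "?")] += 1
            denied_services[ev.get("service", "?")] += 1
        elif kind == "event" and ev.get("subtype") == "config":
            config_changes += 1
        elif kind == "virus":
            name = ev.get("virus", "?")
            virus_events.append(name)
            virus_alerts.append(
                f"virus {name} from {ev.get('src', '?')} via {ev.get('service', '?')}")

    # Sources that reached the deny threshold; sorted so output is deterministic.
    deny_alerts = [f"{src} denied {count} times (threshold {deny_threshold})"
                   for src, count in sorted(denied_by_src.items())
                   if count >= deny_threshold]

    return {
        "denied_by_src": denied_by_src,
        "denied_services": denied_services,
        "config_changes": config_changes,
        "virus_events": virus_events,
        "alerts": deny_alerts + virus_alerts,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    for alert in report["alerts"]:
        print("ALERT:", alert)
    print("denied per source:", dict(report["denied_by_src"]))
    print("configuration changes:", report["config_changes"])
```

On the constructed feed this reports one source that was denied three times, one configuration change by admin, and one virus detection; the threshold is a parameter so the same summary can be tuned to the volume of denied traffic a given firewall normally logs.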
Document conventions
This guide uses the following conventions to describe CLI command syntax.
Angle brackets < > to indicate variables. For example:
execute restore config <filename_str>
You enter:
execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns.
<xxx_integer> indicates an integer string that is a decimal (base 10) number.
<xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters A-F.
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.
<xxx_ipv6> indicates a dotted decimal IPv6 address.
<xxx_v6mask> indicates a dotted decimal IPv6 netmask.
<xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted decimal IPv6 netmask.
Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
Square brackets [ ] to indicate that a keyword or variable is optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.
A space to separate options that can be entered in any combination and must be separated by spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
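The following is an added example, not code from the manual or from Fortinet. It applies the retype-the-whole-list rule just stated to the set allowaccess command used in the syntax examples: it reads which management protocols each interface currently allows, removes the two that carry administrator credentials in the clear (http and telnet), and emits a replacement command that names every option that is to remain, since omitting one would silently remove it. The config dump it parses is constructed and only approximates a show system interface listing; the config / edit / next / end nesting is FortiOS CLI syntax, but the exact dump layout, the interface names and addresses, and the choice of which options count as insecure are assumptions.

```python
"""Added example, not from the FortiGate manual: rewrite the allowaccess
list of each interface so that plaintext management protocols are dropped,
emitting the whole replacement list as the manual's note requires.

The config dump below is constructed and only approximates the layout of a
`show system interface` listing; the config/edit/next/end structure is
FortiOS CLI syntax, but the exact dump format is an assumption."""
import re

# The allowaccess options listed in the manual's syntax example.
KNOWN_OPTIONS = {"ping", "https", "ssh", "snmp", "http", "telnet"}
# Options this hardening pass removes (our choice): both send credentials in the clear.
INSECURE_OPTIONS = {"http", "telnet"}

# Constructed sample dump (assumed format, assumed names and addresses).
SAMPLE_DUMP = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping snmp
    next
    edit "port3"
        set ip 172.16.0.1 255.255.255.0
    next
end
"""

EDIT_RE = re.compile(r'^edit "([^"]+)"$')
ALLOW_RE = re.compile(r"^set allowaccess (.+)$")


def parse_allowaccess(dump):
    """Return {interface_name: set of allowaccess options} from a config dump.

    Interfaces without a 'set allowaccess' line map to an empty set.
    Unknown options raise ValueError so a typo is not silently carried over.
    """
    access = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            access[current] = set()
            continue
        m = ALLOW_RE.match(line)
        if m and current is not None:
            options = set(m.group(1).split())
            unknown = options - KNOWN_OPTIONS
            if unknown:
                raise ValueError(f"{current}: unknown allowaccess option(s) {sorted(unknown)}")
            access[current] = options
    return access


def harden_commands(access, insecure=INSECURE_OPTIONS):
    """Build CLI lines replacing the allowaccess list on every interface that
    currently allows an insecure option. Because the list must be retyped in
    full, each command names every option that is to remain. Interfaces where
    nothing would remain are returned separately for manual review instead of
    guessing at a command for an empty list."""
    body = []
    needs_review = []
    for name in sorted(access):
        options = access[name]
        if not options & insecure:
            continue                      # nothing to remove on this interface
        keep = sorted(options - insecure)
        if not keep:
            needs_review.append(name)
            continue
        body += [f'    edit "{name}"',
                 f"        set allowaccess {' '.join(keep)}",
                 "    next"]
    commands = ["config system interface"] + body + ["end"] if body else []
    return {"commands": commands, "needs_review": needs_review}


if __name__ == "__main__":
    result = harden_commands(parse_allowaccess(SAMPLE_DUMP))
    print("\n".join(result["commands"]))
    for name in result["needs_review"]:
        print(f"review {name}: every allowed option is insecure")
```

For the constructed dump only port1 needs a change, and the generated command lists https, ping and ssh in full; port2 allows nothing insecure and is left alone, and port3 has no allowaccess line at all. Compare the generated commands against the current listing before applying them, since the full-list rule means any option missing from the command is removed.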
FortiGate documentation
Information about FortiGate products is available from the following guides:
FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
FortiGate Administration Guide: Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
FortiGate online help: Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
FortiGate CLI Reference Guide: Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
FortiGate Log Message Reference Guide: Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
FortiGate High Availability Guide: Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Related documentation
Additional information about Fortinet products is available from the following related documentation.
FortiManager documentation
FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
FortiManager System Administration Guide: Describes how to use the FortiManager System to manage FortiGate devices.
FortiManager System online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.
FortiClient documentation
FortiClient Host Security User Guide: Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
FortiClient Host Security online help: Provides information and procedures for using and configuring the FortiClient software.
FortiMail documentation
FortiMail Administration Guide: Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit; create profiles and policies; configure antispam and antivirus filters; create user accounts; and set up logging and reporting.
FortiMail online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
FortiMail Web Mail Online Help: Describes how to use the FortiMail web-based email client, including how to send and receive email; how to add, import, and export addresses; and how to configure message display preferences.
FortiLog documentation
FortiLog Administration Guide: Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
FortiLog online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet Technical Support web site at http://support.fortinet.com.
You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time.
Technical support is available through email from any of the following addresses. Choose the email address for your region:
amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information about our priority support hotline (live support), see http://support.fortinet.com.
When requesting technical support, please provide the following information:
your name
your company’s name and location
your email address
your telephone number
your support contract number (if applicable)
the product name and model number
the product serial number (if applicable)
the software or firmware version number
a detailed description of the problem
FortiGate-300A Administration Guide Version 2.80 MR6
System status
You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log.
This chapter includes:
Console access
Status
Session list
Changing the FortiGate firmware
Console access
An alternative to the web-based manager discussed in this manual is text-based Console Access, using the FortiGate command line interface (CLI). You can get console access by selecting the Console Access button in the upper right corner of the web-based manager. The management computer must have Java version 1.3 or higher installed.
For information on how to use the CLI, see the FortiGate CLI Reference Guide.
Figure 1: Console access
Connect Select Connect to connect to the CLI.
Disconnect Select Disconnect to disconnect from the CLI.
Clear screen Select Clear screen to start a new page.
Status
View the system status page for a snapshot of the current operating status of the FortiGate unit. All FortiGate administrators with read access to system configuration can view system status information.
FortiGate administrators whose access profiles contain system configuration write privileges can change or update FortiGate unit information. For information on access profiles, see “Access profiles” on page 113.
Viewing system status
Changing unit information
Viewing system status
Figure 2: System status
Automatic Refresh Interval: Select to control how often the web-based manager updates the system status display.
Go: Select to set the selected automatic refresh interval.
Refresh: Select to manually update the system status display.
System status
UP Time: The time in days, hours, and minutes since the FortiGate unit was last started.
System Time: The current time according to the FortiGate unit internal clock.
Log Disk: Displays hard disk capacity and free space if the FortiGate unit contains a hard disk, or Not Available if no hard disk is installed. The FortiGate unit uses the hard disk to store log messages and quarantine files infected with a virus or blocked by antivirus file blocking.
Notification: Contains reminders such as “Change Password” or “Product Registration”. Select the reminder to see the detailed reminder message.
Unit Information
Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see “Access profiles” on page 113.
Host Name: The host name of the current FortiGate unit.
Firmware Version: The version of the firmware installed on the current FortiGate unit.
Antivirus Definitions: The current installed version of the FortiGate Antivirus Definitions.
Attack Definitions: The current installed version of the FortiGate Attack Definitions used by the Intrusion Prevention System (IPS).
Serial Number: The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Operation Mode: The operation mode of the current FortiGate unit.
Recent Virus Detections
Time: The time at which the recent virus was detected.
Src / Dst: The source and destination addresses of the virus.
Service: The service from which the virus was delivered; HTTP, FTP, IMAP, POP3, or SMTP.
Virus Detected: The name of the virus detected.
Interface Status
All interfaces in the FortiGate unit are listed in the table.
Interface: The name of the interface.
IP / Netmask: The IP address and netmask of the interface (NAT/Route mode only).
Status: The status of the interface; either up (green up arrow) or down (red down arrow).
System Resources
CPU Usage: The current CPU status. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage: The current hard disk (local disk) status. The web-based manager displays hard disk usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Active Sessions: The number of communications sessions being processed by the FortiGate unit.
Network Utilization: The total network bandwidth being used through all FortiGate interfaces and the percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
History: Select History to view a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours.
Figure 3: Sample system resources history
History
The history page displays 6 graphs representing the following system resources and protection:
CPU Usage History: CPU usage for the previous minute.
Memory Usage History: Memory usage for the previous minute.
Session History: Session history for the previous minute.
Network Utilization History: Network utilization for the previous minute.
Virus History: The virus detection history over the last 20 hours.
Intrusion History: The intrusion detection history over the last 20 hours.
Recent Intrusion Detections
Time: The time at which the recent intrusion was detected.
Src / Dst: The source and destination addresses of the attack.
Service: The service from which the attack was delivered; HTTP, FTP, IMAP, POP3, or SMTP.
Attack Name: The name of the attack.
Changing unit information
Administrators with system configuration write access can use the unit information area of the System Status page:
To change FortiGate host name
To update the firmware version
To update the antivirus definitions manually
To update the attack definitions manually
To change to Transparent mode
To change to NAT/Route mode
To change FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “SNMP” on page 98.
The default host name is FortiGate-300A.
Note: If the FortiGate unit is part of an HA cluster, you should set a unique name to distinguish the unit from others in the cluster.
1 Go to System > Status > Status.
2 In the Host Name field of the Unit Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt, and is added to the SNMP System Name.
To update the firmware version
For information on updating the firmware, see “Changing the FortiGate firmware” on page 32.
To update the antivirus definitions manually
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see “Update center” on page 120.
1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Antivirus Definitions field of the Unit Information section, select Update.
4 In the Update File field, type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information has updated.
To update the attack definitions manually
Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see “Update center” on page 120.
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Attack Definitions field of the Unit Information section, select Update.
The Intrusion Detection System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the Attack Definitions Version information has updated.
To change to Transparent mode
After you change the FortiGate unit from NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except for HA settings (see “HA” on page 84).
To change to Transparent mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select Transparent.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to port1. The default Transparent mode management IP address is 10.10.10.1.