Fortinet FortiGate FortiGate-50R, FortiGate 50R Installation And Configuration Manual

FortiGate-50R Installation and Configuration Guide
FortiGate User Manual Volume 1
Version 2.50 MR2
© Copyright 2003 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-50R Installation and Configuration Guide Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15 CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Table of Contents
Introduction .......................................................................................................... 11
NAT/Route mode and Transparent mode......................................................................... 11
NAT/Route mode .......................................................................................................... 11
Transparent mode......................................................................................................... 11
About this document ......................................................................................................... 12
Document conventions ..................................................................................................... 13
Fortinet documentation ..................................................................................................... 14
Comments on Fortinet technical documentation........................................................... 14
Customer service and technical support........................................................................... 15
Getting started ..................................................................................................... 17
Package contents ............................................................................................................. 18
Mounting ........................................................................................................................... 18
Powering on...................................................................................................................... 19
Connecting to the web-based manager............................................................................ 20
Connecting to the command line interface (CLI)............................................................... 21
Factory default FortiGate configuration settings ............................................................... 22
Factory Default DHCP configuration............................................................................. 23
Factory default NAT/Route mode network configuration .............................................. 23
Factory default Transparent mode network configuration............................................. 24
Factory default firewall configuration ............................................................................ 24
Factory default content profiles..................................................................................... 25
Planning your FortiGate configuration .............................................................................. 28
NAT/Route mode .......................................................................................................... 28
Transparent mode......................................................................................................... 28
Configuration options .................................................................................................... 29
FortiGate model maximum values matrix ......................................................................... 30
Next steps......................................................................................................................... 31
Contents
NAT/Route mode installation.............................................................................. 33
Installing the FortiGate unit using the default configuration .............................................. 33
Changing the default configuration ............................................................................... 34
Preparing to configure NAT/Route mode.......................................................................... 34
Advanced NAT/Route mode settings............................................................................ 35
Using the setup wizard...................................................................................................... 35
Starting the setup wizard .............................................................................................. 35
Reconnecting to the web-based manager .................................................................... 35
Using the command line interface..................................................................................... 36
Configuring the FortiGate unit to operate in NAT/Route mode ..................................... 36
Connecting the FortiGate unit to your networks................................................................ 37
Configuring your networks ................................................................................................ 38
FortiGate-50R Installation and Configuration Guide 3
Completing the configuration ............................................................................................ 38
Setting the date and time .............................................................................................. 38
Changing antivirus protection ....................................................................................... 38
Registering your FortiGate............................................................................................ 38
Configuring virus and attack definition updates ............................................................ 39
Transparent mode installation............................................................................ 41
Preparing to configure Transparent mode ........................................................................ 41
Using the setup wizard...................................................................................................... 42
Changing to Transparent mode .................................................................................... 42
Starting the setup wizard .............................................................................................. 42
Reconnecting to the web-based manager .................................................................... 42
Using the command line interface..................................................................................... 42
Changing to Transparent mode .................................................................................... 43
Configuring the Transparent mode management IP address ....................................... 43
Configure the Transparent mode default gateway........................................................ 43
Connecting the FortiGate unit to your networks................................................................ 44
Completing the configuration ............................................................................................ 45
Setting the date and time .............................................................................................. 45
Enabling antivirus protection......................................................................................... 45
Registering your FortiGate............................................................................................ 45
Configuring virus and attack definition updates ............................................................ 45
Transparent mode configuration examples....................................................................... 46
Default routes and static routes .................................................................................... 46
Example default route to an external network............................................................... 47
Example static route to an external destination ............................................................ 48
Example static route to an internal destination ............................................................. 51
System status....................................................................................................... 53
Changing the FortiGate host name................................................................................... 54
Changing the FortiGate firmware...................................................................................... 54
Upgrade to a new firmware version .............................................................................. 55
Revert to a previous firmware version .......................................................................... 56
Install a firmware image from a system reboot using the CLI ....................................... 59
Test a new firmware image before installing it .............................................................. 61
Manual virus definition updates ........................................................................................ 63
Manual attack definition updates ...................................................................................... 64
Displaying the FortiGate serial number............................................................................. 64
Displaying the FortiGate up time....................................................................................... 64
Backing up system settings .............................................................................................. 64
Restoring system settings................................................................................................. 65
Restoring system settings to factory defaults ................................................................... 65
Changing to Transparent mode ........................................................................................ 65
Changing to NAT/Route mode.......................................................................................... 66
Restarting the FortiGate unit............................................................................................. 66
4 Fortinet Inc.
Shutting down the FortiGate unit ...................................................................................... 66
System status ................................................................................................................... 67
Viewing CPU and memory status ................................................................................. 67
Viewing sessions and network status ........................................................................... 68
Viewing virus and intrusions status............................................................................... 69
Session list........................................................................................................................ 70
Virus and attack definitions updates and registration ..................................... 71
Updating antivirus and attack definitions .......................................................................... 71
Connecting to the FortiResponse Distribution Network ................................................ 72
Configuring scheduled updates .................................................................................... 73
Configuring update logging ........................................................................................... 74
Adding an override server............................................................................................. 75
Manually updating antivirus and attack definitions........................................................ 75
Configuring push updates ............................................................................................. 75
Push updates through a NAT device ............................................................................ 76
Scheduled updates through a proxy server .................................................................. 80
Registering FortiGate units ............................................................................................... 81
FortiCare Service Contracts.......................................................................................... 81
Registering the FortiGate unit ....................................................................................... 82
Updating registration information ...................................................................................... 84
Recovering a lost Fortinet support password................................................................ 84
Viewing the list of registered FortiGate units ................................................................ 84
Registering a new FortiGate unit .................................................................................. 85
Adding or changing a FortiCare Support Contract number........................................... 85
Changing your Fortinet support password .................................................................... 86
Changing your contact information or security question ............................................... 86
Downloading virus and attack definitions updates ........................................................ 86
Registering a FortiGate unit after an RMA........................................................................ 87
Network configuration......................................................................................... 89
Configuring interfaces ....................................................................................................... 89
Viewing the interface list ............................................................................................... 90
Bringing up an interface ................................................................................................ 90
Changing an interface static IP address ....................................................................... 90
Adding a secondary IP address to an interface ............................................................ 90
Adding a ping server to an interface ............................................................................. 91
Controlling management access to an interface ........................................................... 91
Configuring traffic logging for connections to an interface ............................................ 92
Configuring the external interface with a static IP address ........................................... 92
Configuring the external interface for DHCP................................................................. 92
Configuring the external interface for PPPoE ............................................................... 93
Changing the external interface MTU size to improve network performance ............... 93
Configuring the management interface (Transparent mode) ........................................ 94
Adding DNS server IP addresses ..................................................................................... 95
Configuring routing............................................................................................................ 95
Adding a default route................................................................................................... 96
Adding destination-based routes to the routing table.................................................... 96
Adding routes in Transparent mode.............................................................................. 97
Configuring the routing table......................................................................................... 98
Policy routing ................................................................................................................ 98
Providing DHCP services to your internal network ........................................................... 99
System configuration ........................................................................................ 101
Setting system date and time.......................................................................................... 101
Changing web-based manager options .......................................................................... 102
Adding and editing administrator accounts..................................................................... 104
Adding new administrator accounts ............................................................................ 104
Editing administrator accounts.................................................................................... 105
Configuring SNMP .......................................................................................................... 106
Configuring the FortiGate unit for SNMP monitoring .................................................. 106
Configuring FortiGate SNMP support ......................................................................... 106
FortiGate MIBs............................................................................................................ 107
FortiGate traps ............................................................................................................ 108
Customizing replacement messages.............................................................................. 108
Customizing replacement messages .......................................................................... 109
Customizing alert emails............................................................................................. 110
Firewall configuration........................................................................................ 113
Default firewall configuration........................................................................................... 114
Addresses ................................................................................................................... 114
Services ...................................................................................................................... 115
Schedules ................................................................................................................... 115
Content profiles........................................................................................................... 115
Adding firewall policies.................................................................................................... 115
Firewall policy options................................................................................................. 116
Configuring policy lists .................................................................................................... 120
Policy matching in detail ............................................................................................. 120
Changing the order of policies in a policy list.............................................................. 121
Enabling and disabling policies................................................................................... 121
Addresses ....................................................................................................................... 122
Adding addresses ....................................................................................................... 122
Editing addresses ....................................................................................................... 123
Deleting addresses ..................................................................................................... 123
Organizing addresses into address groups ................................................................ 124
Services .......................................................................................................................... 125
Predefined services .................................................................................................... 125
Providing access to custom services .......................................................................... 127
Grouping services ....................................................................................................... 128
Schedules ....................................................................................................................... 129
Creating one-time schedules ...................................................................................... 129
Creating recurring schedules ...................................................................................... 130
Adding a schedule to a policy ..................................................................................... 131
Virtual IPs........................................................................................................................ 131
Adding static NAT virtual IPs ...................................................................................... 132
Adding port forwarding virtual IPs ............................................................................... 133
Adding policies with virtual IPs.................................................................................... 134
IP pools........................................................................................................................... 135
Adding an IP pool........................................................................................................ 135
IP Pools for firewall policies that use fixed ports ......................................................... 136
IP pools and dynamic NAT ......................................................................................... 136
IP/MAC binding ............................................................................................................... 137
Configuring IP/MAC binding for packets going through the firewall ............................ 137
Configuring IP/MAC binding for packets going to the firewall ..................................... 138
Adding IP/MAC addresses.......................................................................................... 138
Viewing the dynamic IP/MAC list ................................................................................ 139
Enabling IP/MAC binding ............................................................................................ 139
Content profiles............................................................................................................... 140
Default content profiles ............................................................................................... 141
Adding a content profile .............................................................................................. 141
Adding a content profile to a policy ............................................................................. 142
Users and authentication .................................................................................. 145
Setting authentication timeout......................................................................................... 146
Adding user names and configuring authentication ........................................................ 146
Adding user names and configuring authentication .................................................... 146
Deleting user names from the internal database ........................................................ 147
Configuring RADIUS support .......................................................................................... 148
Adding RADIUS servers ............................................................................................. 148
Deleting RADIUS servers ........................................................................................... 148
Configuring LDAP support .............................................................................................. 149
Adding LDAP servers.................................................................................................. 149
Deleting LDAP servers................................................................................................ 150
Configuring user groups.................................................................................................. 151
Adding user groups..................................................................................................... 151
Deleting user groups................................................................................................... 152
IPSec VPN........................................................................................................... 153
Key management............................................................................................................ 154
Manual Keys ............................................................................................................... 154
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 154
Manual key IPSec VPNs................................................................................................. 155
General configuration steps for a manual key VPN .................................................... 155
Adding a manual key VPN tunnel ............................................................................... 155
AutoIKE IPSec VPNs ...................................................................................................... 157
General configuration steps for an AutoIKE VPN ....................................................... 157
Adding a phase 1 configuration for an AutoIKE VPN.................................................. 157
Adding a phase 2 configuration for an AutoIKE VPN.................................................. 161
Managing digital certificates............................................................................................ 163
Obtaining a signed local certificate ............................................................................. 163
Obtaining a CA certificate ........................................................................................... 167
Configuring encrypt policies............................................................................................ 168
Adding a source address ............................................................................................ 169
Adding a destination address...................................................................................... 169
Adding an encrypt policy............................................................................................. 169
IPSec VPN concentrators ............................................................................................... 171
VPN concentrator (hub) general configuration steps .................................................. 171
Adding a VPN concentrator ........................................................................................ 173
VPN spoke general configuration steps...................................................................... 174
Redundant IPSec VPNs.................................................................................................. 175
Configuring redundant IPSec VPN ............................................................................. 175
Monitoring and Troubleshooting VPNs ........................................................................... 177
Viewing VPN tunnel status.......................................................................................... 177
Viewing dialup VPN connection status ....................................................................... 177
Testing a VPN............................................................................................................. 178
PPTP and L2TP VPN .......................................................................................... 179
Configuring PPTP ........................................................................................................... 179
Configuring the FortiGate unit as a PPTP gateway .................................................... 180
Configuring a Windows 98 client for PPTP ................................................................. 182
Configuring a Windows 2000 client for PPTP ............................................................. 183
Configuring a Windows XP client for PPTP ................................................................ 184
Configuring L2TP............................................................................................................ 185
Configuring the FortiGate unit as a L2TP gateway ..................................................... 186
Configuring a Windows 2000 client for L2TP.............................................................. 189
Configuring a Windows XP client for L2TP ................................................................. 190
Network Intrusion Detection System (NIDS) ................................................... 193
Detecting attacks ............................................................................................................ 193
Selecting the interfaces to monitor.............................................................................. 194
Disabling the NIDS...................................................................................................... 194
Configuring checksum verification .............................................................................. 194
Viewing the signature list ............................................................................................ 195
Viewing attack descriptions......................................................................................... 195
Enabling and disabling NIDS attack signatures .......................................................... 196
Adding user-defined signatures .................................................................................. 196
Preventing attacks .......................................................................................................... 197
Enabling NIDS attack prevention ................................................................................ 197
Enabling NIDS attack prevention signatures .............................................................. 198
Setting signature threshold values.............................................................................. 198
Configuring synflood signature values ........................................................................ 200
Logging attacks............................................................................................................... 200
Logging attack messages to the attack log................................................................. 200
Reducing the number of NIDS attack log and email messages.................................. 201
Antivirus protection........................................................................................... 203
General configuration steps............................................................................................ 203
Antivirus scanning........................................................................................................... 204
File blocking.................................................................................................................... 205
Blocking files in firewall traffic ..................................................................................... 205
Adding file patterns to block........................................................................................ 205
Blocking oversized files and emails ................................................................................ 206
Configuring limits for oversized files and email........................................................... 206
Exempting fragmented email from blocking.................................................................... 206
Viewing the virus list ....................................................................................................... 206
Web filtering ....................................................................................................... 207
General configuration steps............................................................................................ 207
Content blocking ............................................................................................................. 208
Adding words and phrases to the banned word list .................................................... 208
URL blocking................................................................................................................... 209
Using the FortiGate web filter ..................................................................................... 209
Using the Cerberian web filter..................................................................................... 212
Script filtering .................................................................................................................. 214
Enabling the script filter............................................................................................... 214
Selecting script filter options ....................................................................................... 214
Exempt URL list .............................................................................................................. 215
Adding URLs to the exempt URL list .......................................................................... 215
Email filter........................................................................................................... 217
General configuration steps............................................................................................ 217
Email banned word list.................................................................................................... 218
Adding words and phrases to the banned word list .................................................... 218
Email block list ................................................................................................................ 219
Adding address patterns to the email block list........................................................... 219
Email exempt list............................................................................................................. 219
Adding address patterns to the email exempt list ....................................................... 220
Adding a subject tag ....................................................................................................... 220
Logging and reporting....................................................................................... 221
Recording logs................................................................................................................ 221
Recording logs on a remote computer ........................................................................ 221
Recording logs on a NetIQ WebTrends server ........................................................... 222
Filtering log messages .................................................................................................... 222
Configuring traffic logging ............................................................................................... 224
Enabling traffic logging................................................................................................ 224
Configuring traffic filter settings................................................................................... 225
Adding traffic filter entries ........................................................................................... 225
Configuring alert email .................................................................................................... 226
Adding alert email addresses...................................................................................... 226
Testing alert email....................................................................................................... 227
Enabling alert email .................................................................................................... 227
Glossary ............................................................................................................. 229
Index .................................................................................................................... 233
Introduction
The FortiGate-50 Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications.
The FortiGate-50R is limited to a maximum of 10 users.
Your FortiGate-50 is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection, web content filtering, email filtering, and network intrusion detection (NIDS).
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
NAT/Route mode and Transparent mode
The FortiGate can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, the FortiGate-50 is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation (NAT) to protect the internal private network. You can control whether firewall policies run in NAT mode or route mode. NAT mode policies route allowed connections between firewall interfaces, performing network address translation to hide addresses on the protected internal networks. Route mode policies route allowed connections between firewall interfaces without performing network address translation.
Transparent mode
Transparent mode provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the FortiGate unit must be in the same subnet, and the FortiGate unit can be inserted into your network at any point without the need to make any changes to your network.
About this document
This installation and configuration guide describes how to install and configure the FortiGate-50. This document contains the following information:
• Getting started describes unpacking, mounting, and powering on the FortiGate.
• NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
• Transparent mode installation describes how to install the FortiGate if you are planning on running it in Transparent mode.
• System status describes how to view the current status of your FortiGate unit and related status procedures, including installing updated FortiGate firmware, backing up and restoring system settings, and switching between Transparent and NAT/Route mode.
• Virus and attack definitions updates and registration describes configuring automatic virus and attack definition updates. This chapter also contains procedures for connecting to the FortiGate tech support web site and for registering your FortiGate unit.
• Network configuration describes configuring interfaces, configuring routing, and configuring the FortiGate as a DHCP server for your internal network.
• System configuration describes system administration tasks available from the System > Config web-based manager pages. This chapter describes setting system time, adding and changing administrative users, configuring SNMP, and editing replacement messages.
• Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection profiles to content traffic.
• Users and authentication describes how to add user names to the FortiGate user database and how to configure the FortiGate to connect to a RADIUS server to authenticate users.
• IPSec VPN describes how to configure FortiGate IPSec VPN.
• PPTP and L2TP VPN describes how to configure PPTP and L2TP VPNs between the FortiGate and a Windows client.
• Network Intrusion Detection System (NIDS) describes how to configure the FortiGate NIDS to detect and prevent network attacks.
• Antivirus protection describes how to use the FortiGate to protect your network from viruses and worms.
• Web filtering describes how to configure web content filtering to prevent unwanted Web content from passing through the FortiGate.
• Email filter describes how to configure email filtering to filter unwanted email content.
• Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate.
• The Glossary defines many of the terms used in this document.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords. For example:
  execute restore config <filename_str>
  You enter restore config myfile.bak
  <xxx_str> indicates an ASCII string variable keyword. <xxx_integer> indicates an integer variable keyword. <xxx_ip> indicates an IP address variable keyword.
• vertical bar and curly brackets { | } to separate alternative, mutually exclusive required keywords. For example:
  set system opmode {nat | transparent}
  You can enter set system opmode nat or set system opmode transparent
• square brackets [ ] to indicate that a keyword is optional. For example:
  get firewall ipmacbinding [dhcpipmac]
  You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
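The syntax conventions above, as an added example that is not part of this guide and not Fortinet code: a small Python matcher that decides whether a typed command is a valid instance of a template written in this notation. The three templates from the guide are used as-is; the `<host_ip>` template in the `examples()` function is a constructed one, added only to exercise the `<xxx_ip>` convention.

```python
import re

# Token classes from the CLI syntax conventions in this guide:
#   <name_str>      any ASCII string variable keyword
#   <name_integer>  an integer variable keyword
#   <name_ip>       an IP address variable keyword (dotted-quad IPv4 here)
#   {a | b}         exactly one of the listed keywords is required
#   [keyword]       the keyword may be omitted
# Added illustration of the conventions; not a Fortinet tool.

IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)


def _tokenize(template):
    """Split a syntax template into literal words and convention tokens."""
    return re.findall(r"<[^>]+>|\{[^}]+\}|\[[^\]]+\]|\S+", template)


def _matches_token(token, word):
    """Check one template token against one typed word."""
    if token.startswith("<"):
        # <xxx_str>, <xxx_integer>, <xxx_ip>: the suffix names the type
        kind = token[1:-1].rsplit("_", 1)[-1]
        if kind == "integer":
            return word.isdigit()
        if kind == "ip":
            return IPV4.match(word) is not None
        return word.isascii()          # _str: any ASCII string
    if token.startswith("{"):
        choices = [c.strip() for c in token[1:-1].split("|")]
        return word in choices         # exactly one required alternative
    return token == word               # literal keyword


def command_matches(template, command):
    """Return True if `command` is a valid instance of `template`."""
    words = command.split()
    i = 0
    for tok in _tokenize(template):
        if tok.startswith("["):
            # Optional keyword: consume it only if the next word is exactly it.
            if i < len(words) and words[i] == tok[1:-1]:
                i += 1
            continue
        if i >= len(words) or not _matches_token(tok, words[i]):
            return False
        i += 1
    return i == len(words)             # no trailing words allowed


def examples():
    """Constructed checks against the guide's templates; returns {command: ok}."""
    cases = [
        ("execute restore config <filename_str>", "execute restore config myfile.bak"),
        ("set system opmode {nat | transparent}", "set system opmode nat"),
        ("set system opmode {nat | transparent}", "set system opmode transparent"),
        ("set system opmode {nat | transparent}", "set system opmode bridge"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding dhcpipmac"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding other"),
        ("ping <host_ip>", "ping 192.168.1.99"),   # constructed template
        ("ping <host_ip>", "ping 999.1.1.1"),
    ]
    return {cmd: command_matches(tpl, cmd) for tpl, cmd in cases}


if __name__ == "__main__":
    for cmd, ok in examples().items():
        print(f"{'valid  ' if ok else 'invalid'}  {cmd}")
```

The matcher is strict on purpose: an unknown alternative inside `{ }`, a trailing word, or a malformed address is rejected rather than silently accepted, which mirrors how the FortiGate CLI itself will not run a command that does not fit its syntax.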
Fortinet documentation
Information about FortiGate products is available from the following FortiGate User Manual volumes:
Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com   For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com   For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com     For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 33.
• If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page 41.
This chapter describes:
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiGate configuration settings
Planning your FortiGate configuration
FortiGate model maximum values matrix
Next steps
Package contents
The FortiGate-50 package contains the following items:
the FortiGate-50 Antivirus Firewall
one orange cross-over ethernet cable
one gray regular ethernet cable
one null-modem cable
FortiGate-50 QuickStart Guide
A CD containing the FortiGate user documentation
one AC adapter
Figure 1: FortiGate-50 package contents (front and back views of the FortiGate-50, showing the Internal and External interfaces, the Power and Status LEDs, the RS-232 Console serial connection and the DC +5V 3A power connection; also the orange crossover and grey straight-through ethernet cables, the RS-232 null-modem cable, the AC adapter, the QuickStart Guide, and the documentation CD)
Mounting
The FortiGate-50 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Dimensions
8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight
1.5 lb. (0.68 kg)
Power requirements
DC input voltage: 5 V
DC input current: 3 A
Environmental specifications
Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing
Powering on
To power on the FortiGate-50 unit:
1 Connect the AC adapter to the power connection at the back of the FortiGate-50 unit.
2 Connect the AC adapter to a power outlet.
The FortiGate-50 unit starts up. The Power and Status LEDs light up. The Status LED flashes while the FortiGate-50 unit is starting up and remains lit when the system is up and running.
Table 1: FortiGate-50 LED indicators
LED                          State           Description
Power                        Green           The FortiGate unit is powered on.
                             Off             The FortiGate unit is powered off.
Status                       Flashing        The FortiGate unit is starting up.
                             Green           The FortiGate unit is running normally.
                             Off             The FortiGate unit is powered off.
Internal, External (Front)   Green           The correct cable is in use, and the connected equipment has power.
                             Flashing Green  Network activity at this interface.
                             Off             No link established.
Internal, External (Back)    Green           The correct cable is in use, and the connected equipment has power.
                             Flashing Amber  Network activity at this interface.
                             Off             No link established.
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service.
To connect to the web-based manager, you need:
a computer with an ethernet connection,
Internet Explorer version 4.0 or higher,
a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
Connecting to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiGate DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2 Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the FortiGate unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99.
The FortiGate login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 2: FortiGate login
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service.
To connect to the FortiGate CLI, you need:
a computer with an available communications port,
the null modem cable included in your FortiGate package,
terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI:
1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
2 Make sure that the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second   9600
Data bits         8
Parity            None
Stop bits         1
Flow control      None
6 Press Enter to connect to the FortiGate CLI.
The following prompt appears:
FortiGate-50 login:
7 Type admin and press Enter twice.
The following prompt appears:
Type ? for a list of commands.
For information on how to use the CLI, see the FortiGate CLI Reference Guide.
Factory default FortiGate configuration settings
The FortiGate unit is shipped with a factory default configuration. This default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto your network. To configure the FortiGate unit onto your network, you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing if required.
If you are planning on operating the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to quickly apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic controlled by firewall policies.
Factory Default DHCP configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Factory Default DHCP configuration
When the FortiGate unit is first powered on, the external interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiGate unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiGate unit DHCP server. For more information about the FortiGate DHCP server, see “Providing DHCP services to your internal network” on page 99.
Table 2: FortiGate DHCP Server default configuration
Enable DHCP       selected
Starting IP       192.168.1.1
Ending IP         192.168.1.254
Netmask           255.255.255.0
Lease Duration    604800 seconds
Default Route     192.168.1.99
Exclusion Range   192.168.1.99 - 192.168.1.99
Factory default NAT/Route mode network configuration
When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network. In Table 3, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 3: Factory default NAT/Route mode network configuration
Administrator account   User name: admin
                        Password: (none)
Internal interface      IP: 192.168.1.99
                        Netmask: 255.255.255.0
                        Management Access: HTTPS, Ping
External interface      Addressing Mode: DHCP
                        Management Access: Ping
Factory default Transparent mode network configuration
If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 4.
Table 4: Factory default Transparent mode network configuration
Administrator account   User name: admin
                        Password: (none)
Management IP           IP: 10.10.10.1
                        Netmask: 255.255.255.0
DNS                     Primary DNS Server: 207.194.200.1
                        Secondary DNS Server: 207.194.200.129
Management access       Internal: HTTPS, Ping
                        External: Ping
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Table 5: Factory default firewall configuration
Internal Address      Internal_All    IP: 0.0.0.0, Mask: 0.0.0.0. Represents all of the IP addresses on the internal network.
External Address      External_All    IP: 0.0.0.0, Mask: 0.0.0.0. Represents all of the IP addresses on the external network.
Recurring Schedule    Always          The schedule is valid at all times. This means that the firewall policy is valid at all times.
Firewall Policy       Int->Ext        Firewall policy for connections from the internal network to the external network.
  Source              Internal_All    The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
  Destination         External_All    The policy destination address. External_All means that the policy accepts connections with a destination address to any IP address on the external network.
  Schedule            Always          The policy schedule. Always means that the policy is valid at any time.
  Service             ANY             The policy service. ANY means that this policy processes connections for all services.
  Action              ACCEPT          The policy action. ACCEPT means that the policy allows connections.
  NAT                 selected        NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
  Traffic Shaping     not selected    Traffic shaping is not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
  Authentication      not selected    Authentication is not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
  Antivirus & Web Filter  selected    Antivirus & Web Filter is selected.
  Content Profile     Scan            The scan content profile is selected. The policy scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See “Scan content profile” on page 26 for more information about the scan content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy.
  Log Traffic         not selected    Log Traffic is not selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
Factory default content profiles
You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for:
• Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
• Web content filtering for HTTP network traffic
• Email filtering for IMAP and POP3 network traffic
• Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
• Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles you can build up protection configurations that can be easily applied to different types of firewall policies. This allows you to customize different types and different levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Table 6: Strict content profile (✓ = selected, - = not selected)
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      ✓      ✓      ✓      ✓
File Block                  ✓      ✓      ✓      ✓      ✓
Web URL Block               ✓      -      -      -      -
Web Content Block           ✓      -      -      -      -
Web Script Filter           ✓      -      -      -      -
Web Exempt List             ✓      -      -      -      -
Email Block List            -      -      ✓      ✓      -
Email Exempt List           -      -      ✓      ✓      -
Email Content Block         -      -      ✓      ✓      -
Oversized File/Email Block  block  block  block  block  block
Pass Fragmented Emails      -      -      -      -      -
Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Table 7: Scan content profile (✓ = selected, - = not selected)
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      ✓      ✓      ✓      ✓
File Block                  -      -      -      -      -
Web URL Block               -      -      -      -      -
Web Content Block           -      -      -      -      -
Web Script Filter           -      -      -      -      -
Web Exempt List             -      -      -      -      -
Email Block List            -      -      -      -      -
Email Exempt List           -      -      -      -      -
Email Content Block         -      -      -      -      -
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails      -      -      -      -      -
Web content profile
Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 8: Web content profile (✓ = selected, - = not selected)
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              ✓      -      -      -      -
File Block                  -      -      -      -      -
Web URL Block               ✓      -      -      -      -
Web Content Block           ✓      -      -      -      -
Web Script Filter           -      -      -      -      -
Web Exempt List             -      -      -      -      -
Email Block List            -      -      -      -      -
Email Exempt List           -      -      -      -      -
Email Content Block         -      -      -      -      -
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails      -      -      -      -      -
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 9: Unfiltered content profile (✓ = selected, - = not selected)
Options                     HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan              -      -      -      -      -
File Block                  -      -      -      -      -
Web URL Block               -      -      -      -      -
Web Content Block           -      -      -      -      -
Web Script Filter           -      -      -      -      -
Web Exempt List             ✓      -      -      -      -
Email Block List            -      -      -      -      -
Email Exempt List           -      -      ✓      ✓      -
Email Content Block         -      -      -      -      -
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails      -      -      ✓      ✓      ✓
Planning your FortiGate configuration
Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces.
Your configuration plan is dependent upon the operating mode that you select. The FortiGate unit can be configured in either of two modes: NAT/Route mode (the default) or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
External is the interface to the external network (usually the Internet).
Internal is the interface to the internal network.
You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode. Security policies control the flow of traffic based on each packet’s source address, destination address and service. In NAT mode, the FortiGate performs network address translation before the packet is sent to the destination network. In route mode, no translation takes place.
By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured more security policies.
You would typically use NAT/Route mode when the FortiGate unit is used as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
Figure 3: Example NAT/Route mode network configuration
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of the FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewalling as well as antivirus and content scanning, but not VPN.
Figure 4: Example Transparent mode network configuration
Configuration options
Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit.
You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Setup Wizard
If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the Setup Wizard prompts you to add the administration password and the internal interface address. The Setup Wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the external interface. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.
If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the Setup Wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and the Internal interface address. You can also use the CLI to configure the external interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network.
If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.
FortiGate model maximum values matrix
Table 10: FortiGate maximum values matrix
                                                        FortiGate model
                             50       60      100      200      300      400      500     1000     2000     3000     3600
Policy                      200      500     1000     2000     5000     5000    20000    50000    50000    50000    50000
Address                     500      500      500      500     3000     3000     6000    10000    10000    10000    10000
Address group               500      500      500      500      500      500      500      500      500      500      500
Service                     500      500      500      500      500      500      500      500      500      500      500
Service group               500      500      500      500      500      500      500      500      500      500      500
Recurring schedule          256      256      256      256      256      256      256      256      256      256      256
Onetime schedule            256      256      256      256      256      256      256      256      256      256      256
User                         20      500     1000     1000     1000     1000     1000     1000     1000     1000     1000
User group                  100      100      100      100      100      100      100      100      100      100      100
Group members               300      300      300      300      300      300      300      300      300      300      300
Virtual IPs                 500      500      500      500      500      500      500      500      500      500      500
IP/MAC binding               50      100     1000     1000     2000     2000     2000     5000     5000     5000     5000
Route                       500      500      500      500      500      500      500      500      500      500      500
Policy route gateway        500      500      500      500      500      500      500      500      500      500      500
Admin user                  500      500      500      500      500      500      500      500      500      500      500
IPsec Phase 1                20       50       80      200     1500     1500     3000     5000     5000     5000     5000
VPN concentrator            500      500      500      500      500      500      500      500      500      500      500
VLAN subinterface           N/A      N/A      N/A      N/A      N/A    1024*    1024*    2048*    2048*    8192*    8192*
Zone                        N/A      N/A      N/A      N/A      N/A      100      100      200      200      300      500
IP pool                      50       50       50       50       50       50       50       50       50       50       50
RADIUS server                 6        6        6        6        6        6        6        6        6        6        6
File pattern                 56       56       56       56       56       56       56       56       56       56       56
PPTP user                   500      500      500      500      500      500      500      500      500      500      500
L2TP user                   500      500      500      500      500      500      500      500      500      500      500
URL block              no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Content block          no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Exempt URL             no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
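The following Python script is an added illustration, not code from this guide or from Fortinet. It turns the planning rules stated above (NAT/Route mode puts the internal and external interfaces on different subnets; Transparent mode puts every interface on one subnet and needs a management IP address on that subnet) and the FortiGate-50 column of Table 10 into a pre-deployment check for a planned configuration. The interface addresses and object counts are constructed sample values, and it assumes the FortiGate-50R shares the FortiGate-50 limits; edit the dictionary if your unit's column differs.

```python
"""Planning checks for a FortiGate-50R deployment (added illustration, not Fortinet code).

Rules encoded:
  - NAT/Route mode: the internal and external interfaces sit on different subnets.
  - Transparent mode: all interfaces share one subnet, and a management IP on that
    subnet is required for administration and definition updates.
  - Planned object counts must stay within the model's column of Table 10.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the FortiGate-50 column of Table 10 applies to the 50R.
FORTIGATE_50_LIMITS: Dict[str, int] = {
    "policy": 200,
    "address": 500,
    "user": 20,
    "user_group": 100,
    "ip_mac_binding": 50,
    "ipsec_phase1": 20,
    "ip_pool": 50,
    "radius_server": 6,
    "file_pattern": 56,
}


@dataclass
class PlannedConfig:
    mode: str                                   # "nat_route" or "transparent"
    interfaces: Dict[str, str]                  # name -> address/prefix, or attached subnet
    management_ip: Optional[str] = None         # Transparent mode only
    counts: Dict[str, int] = field(default_factory=dict)  # planned object counts


def check_mode_addressing(cfg: PlannedConfig) -> List[str]:
    """Return the addressing rules that the planned configuration violates."""
    problems: List[str] = []
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in cfg.interfaces.items()}
    names = list(nets)
    if cfg.mode == "nat_route":
        # Router-like operation: every interface on its own subnet.
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if nets[a].overlaps(nets[b]):
                    problems.append(f"NAT/Route: {a} and {b} overlap on {nets[a]}")
    elif cfg.mode == "transparent":
        # Bridge-like operation: one subnet for all interfaces plus a management IP.
        distinct = set(nets.values())
        if len(distinct) > 1:
            problems.append("Transparent: interfaces span several subnets: "
                            + ", ".join(sorted(str(n) for n in distinct)))
        if cfg.management_ip is None:
            problems.append("Transparent: a management IP address is required")
        elif len(distinct) == 1:
            subnet = next(iter(distinct))
            if ipaddress.ip_address(cfg.management_ip) not in subnet:
                problems.append(f"Transparent: management IP {cfg.management_ip} "
                                f"is outside {subnet}")
    else:
        problems.append(f"unknown operating mode {cfg.mode!r}")
    return problems


def check_limits(cfg: PlannedConfig,
                 limits: Dict[str, int] = FORTIGATE_50_LIMITS) -> List[str]:
    """Return every planned object count that exceeds the model maximum."""
    problems: List[str] = []
    for obj, planned in cfg.counts.items():
        cap = limits.get(obj)
        if cap is None:
            problems.append(f"{obj}: no maximum recorded for this model")
        elif planned > cap:
            problems.append(f"{obj}: planned {planned} exceeds model maximum {cap}")
    return problems


def plan_problems(cfg: PlannedConfig) -> List[str]:
    return check_mode_addressing(cfg) + check_limits(cfg)


# Constructed sample plans; addresses and counts are illustrative only.
NAT_OK = PlannedConfig("nat_route",
                       {"internal": "192.168.1.99/24", "external": "203.0.113.2/24"},
                       counts={"policy": 12, "user": 5})
NAT_BAD = PlannedConfig("nat_route",
                        {"internal": "192.168.1.99/24", "external": "192.168.1.200/24"},
                        counts={"user": 25})
TRANSPARENT_OK = PlannedConfig("transparent",
                               {"internal": "10.0.0.0/24", "external": "10.0.0.0/24"},
                               management_ip="10.0.0.2")
TRANSPARENT_BAD = PlannedConfig("transparent",
                                {"internal": "10.0.0.0/24", "external": "10.0.1.0/24"})

if __name__ == "__main__":
    for label, cfg in [("NAT_OK", NAT_OK), ("NAT_BAD", NAT_BAD),
                       ("TRANSPARENT_OK", TRANSPARENT_OK), ("TRANSPARENT_BAD", TRANSPARENT_BAD)]:
        print(label, plan_problems(cfg) or ["ok"])
```

Run it as-is to see the four sample plans evaluated; to check your own plan, build a PlannedConfig with the addresses you intend to assign and the number of policies, users and VPN tunnels you expect, and act on any line it returns before you start the Setup Wizard or the CLI.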