Fortinet FORTIWIFI-60 Users Manual

FortiWiFi 60
Installation and
Configuration Guide
[Cover illustration: FortiWiFi-60 front panel showing the INTERNAL 1-4, DMZ, WAN1 and WAN2 ports and the PWR, WLAN and LINK/100 indicators]
Version 2.50
3 March 2004
© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-60 Installation and Configuration Guide
Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
This device complies with part 15 of the FCC rules. Operation is subject to the following two conditions:
(1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
NOTE: The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment. Such modifications could void the user’s authority to operate the equipment.
please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Table of Contents
Introduction.......................................................................................................... 13
Antivirus protection ........................................................................................................... 14
Web content filtering ....................................................................................................... 14
Email filtering .................................................................................................................. 15
Firewall.............................................................................................................................. 15
NAT/Route mode.......................................................................................................... 16
Transparent mode......................................................................................................... 16
Network intrusion detection............................................................................................... 16
VPN................................................................................................................................... 16
Secure installation, configuration, and management ...................................................... 17
Web-based manager .................................................................................................... 17
Command line interface................................................................................................ 18
Logging and reporting................................................................................................... 19
Document conventions ..................................................................................................... 19
Fortinet documentation..................................................................................................... 20
Comments on Fortinet technical documentation........................................................... 20
Customer service and technical support........................................................................... 21
Contents
Getting started ..................................................................................................... 23
Warnings........................................................................................................................... 23
Package contents ............................................................................................................. 24
Mounting........................................................................................................................... 24
Powering on...................................................................................................................... 25
Connecting to the web-based manager............................................................................ 26
Connecting to the command line interface (CLI)............................................................... 27
Factory default FortiWiFi configuration settings................................................................ 28
Factory default DHCP configuration ............................................................................. 28
Factory default NAT/Route mode network configuration .............................................. 29
Factory default Transparent mode network configuration............................................. 30
Factory default firewall configuration ............................................................................ 31
Factory default content profiles..................................................................................... 33
Planning the FortiWiFi configuration................................................................................. 35
NAT/Route mode.......................................................................................................... 35
Transparent mode......................................................................................................... 36
Configuration options.................................................................................................... 37
FortiGate model maximum values matrix ......................................................................... 39
Next steps ........................................................................................................................ 40
NAT/Route mode installation.............................................................................. 41
Installing the FortiWiFi unit using the default configuration............................................... 41
Changing the default configuration ............................................................................... 42
FortiWiFi-60 Installation and Configuration Guide 3
Contents
Preparing to configure NAT/Route mode.......................................................................... 42
Advanced NAT/Route mode settings............................................................................ 43
DMZ interface ............................................................................................................... 44
Wireless settings .......................................................................................................... 44
Using the setup wizard ..................................................................................................... 44
Starting the setup wizard .............................................................................................. 44
Reconnecting to the web-based manager ..................................................................... 44
Using the command line interface..................................................................................... 45
Configuring the FortiWiFi unit to operate in NAT/Route mode...................................... 45
Connecting the FortiWiFi unit to your networks ................................................................ 47
Configuring your networks................................................................................................ 48
Completing the configuration............................................................................................ 49
Configuring the DMZ interface...................................................................................... 49
Configuring the WLAN interface ................................................................................... 49
Configuring the WAN2 interface ................................................................................... 49
Setting the date and time.............................................................................................. 50
Changing antivirus protection ....................................................................................... 50
Registering your FortiWiFi unit...................................................................................... 50
Configuring virus and attack definition updates ............................................................ 50
Configuration example: Multiple connections to the Internet ............................................ 51
Configuring Ping servers............................................................................................... 52
Destination based routing examples............................................................................. 53
Policy routing examples................................................................................................ 56
Firewall policy example................................................................................................. 57
Transparent mode installation............................................................................ 59
Preparing to configure Transparent mode........................................................................ 59
Wireless settings .......................................................................................................... 59
Using the setup wizard ..................................................................................................... 60
Changing to Transparent mode .................................................................................... 60
Starting the setup wizard .............................................................................................. 60
Reconnecting to the web-based manager ..................................................................... 60
Using the command line interface..................................................................................... 61
Changing to Transparent mode .................................................................................... 61
Configuring the Transparent mode management IP address....................................... 61
Configure the Transparent mode default gateway........................................................ 61
Configuring wireless settings ........................................................................................ 62
Connecting the FortiWiFi unit to your networks ................................................................ 62
Wireless configuration ...................................................................................................... 63
Completing the configuration............................................................................................ 63
Setting the date and time.............................................................................................. 64
Enabling antivirus protection......................................................................................... 64
Registering your FortiWiFi ............................................................................................ 64
Configuring virus and attack definition updates ............................................................ 64
4 Fortinet Inc.
Transparent mode configuration examples....................................................................... 65
Default routes and static routes .................................................................................... 65
Example default route to an external network............................................................... 66
Example static route to an external destination ............................................................ 67
Example static route to an internal destination ............................................................. 70
System status....................................................................................................... 73
Changing the FortiWiFi host name ................................................................................... 74
Changing the FortiWiFi firmware ...................................................................................... 74
Upgrading to a new firmware version ........................................................................... 74
Reverting to a previous firmware version...................................................................... 76
Installing firmware images from a system reboot using the CLI ................................... 79
Testing a new firmware image before installing it......................................................... 81
Manual virus definition updates ........................................................................................ 82
Manual attack definition updates ...................................................................................... 83
Displaying the FortiWiFi serial number............................................................................. 84
Displaying the FortiWiFi up time....................................................................................... 84
Backing up system settings .............................................................................................. 84
Restoring system settings................................................................................................. 84
Restoring system settings to factory defaults ................................................................... 85
Changing to Transparent mode........................................................................................ 85
Changing to NAT/Route mode.......................................................................................... 86
Restarting the FortiWiFi unit ............................................................................................. 86
Shutting down the FortiWiFi unit....................................................................................... 86
System status ................................................................................................................... 87
Viewing CPU and memory status ................................................................................. 87
Viewing sessions and network status ........................................................................... 88
Viewing virus and intrusions status............................................................................... 89
Session list ....................................................................................................................... 90
Virus and attack definitions updates and registration..................................... 93
Updating antivirus and attack definitions .......................................................................... 93
Connecting to the FortiResponse Distribution Network ................................................ 94
Manually initiating antivirus and attack definitions updates .......................................... 95
Configuring update logging........................................................................................... 96
Scheduling updates .......................................................................................................... 96
Enabling scheduled updates......................................................................................... 96
Adding an override server............................................................................................. 97
Enabling scheduled updates through a proxy server.................................................... 98
Enabling push updates ..................................................................................................... 98
Enabling push updates ................................................................................................. 99
Push updates when FortiWiFi IP addresses change .................................................... 99
Enabling push updates through a NAT device............................................................ 100
Registering FortiGate and FortiWiFi units....................................................................... 104
FortiCare Service Contracts........................................................................................ 104
Registering the FortiWiFi unit...................................................................................... 105
Updating registration information.................................................................................... 107
Recovering a lost Fortinet support password.............................................................. 107
Viewing the list of registered FortiGate and FortiWiFi units........................................ 107
Registering a new FortiWiFi unit................................................................................. 108
Adding or changing a FortiCare Support Contract number......................................... 108
Changing your Fortinet support password.................................................................. 109
Changing your contact information or security question............................................. 109
Downloading virus and attack definitions updates...................................................... 110
Registering a FortiWiFi unit after an RMA ...................................................................... 110
Network configuration....................................................................................... 113
Configuring interfaces..................................................................................................... 113
Viewing the interface list ............................................................................................. 114
Changing the administrative status of an interface..................................................... 114
Configuring an interface with a manual IP address .................................................... 114
Configuring an interface for DHCP ............................................................................. 115
Configuring an interface for PPPoE............................................................................ 116
Adding a secondary IP address to an interface .......................................................... 116
Adding a ping server to an interface ............................................................................ 117
Controlling administrative access to an interface........................................................ 117
Changing the MTU size to improve network performance.......................................... 118
Configuring traffic logging for connections to an interface.......................................... 118
Configuring the management interface in Transparent mode..................................... 119
Wireless configuration ................................................................................................. 120
Adding DNS server IP addresses ..................................................................................... 122
Configuring routing.......................................................................................................... 122
Adding a default route ................................................................................................. 122
Adding destination-based routes to the routing table.................................................. 123
Adding routes in Transparent mode............................................................................ 124
Configuring the routing table....................................................................................... 124
Policy routing .............................................................................................................. 125
Configuring DHCP services............................................................................................ 126
Configuring a DHCP relay agent................................................................................. 126
Configuring a DHCP server ........................................................................................ 127
Configuring the modem interface.................................................................................... 129
Connecting a modem to the FortiWiFi unit.................................................................. 130
Configuring modem settings ....................................................................................... 130
Connecting to a dialup account................................................................................... 131
Disconnecting the modem .......................................................................................... 131
Viewing modem status................................................................................................ 131
Backup mode configuration .......................................................................................... 132
Standalone mode configuration.................................................................................. 132
Adding firewall policies for modem connections ......................................................... 133
RIP configuration............................................................................................... 135
RIP settings..................................................................................................................... 135
Configuring RIP for FortiWiFi interfaces ......................................................................... 137
Adding RIP filters ............................................................................................................ 139
Adding a RIP filter list ................................................................................................. 139
Assigning a RIP filter list to the neighbors filter........................................................... 140
Assigning a RIP filter list to the incoming filter............................................................ 140
Assigning a RIP filter list to the outgoing filter............................................................. 141
System configuration ........................................................................................ 143
Setting system date and time.......................................................................................... 143
Changing system options................................................................................................ 144
Adding and editing administrator accounts..................................................................... 145
Adding new administrator accounts ............................................................................. 146
Editing administrator accounts.................................................................................... 146
Configuring SNMP.......................................................................................................... 147
Configuring the FortiWiFi unit for SNMP monitoring................................................... 148
Configuring FortiWiFi SNMP support.......................................................................... 148
FortiWiFi MIBs ............................................................................................................ 150
FortiWiFi traps............................................................................................................. 151
Fortinet MIB fields....................................................................................................... 152
Replacement messages ................................................................................................. 155
Customizing replacement messages.......................................................................... 155
Customizing alert emails............................................................................................. 156
Firewall configuration........................................................................................ 159
Default firewall configuration........................................................................................... 160
Interfaces.................................................................................................................... 161
Addresses................................................................................................................... 161
Services...................................................................................................................... 161
Schedules................................................................................................................... 162
Content profiles .......................................................................................................... 162
Adding firewall policies.................................................................................................... 162
Firewall policy options................................................................................................. 163
Configuring policy lists.................................................................................................... 167
Policy matching in detail ............................................................................................. 167
Changing the order of policies in a policy list.............................................................. 168
Enabling and disabling policies................................................................................... 168
Addresses....................................................................................................................... 169
Adding addresses ......................................................................................................... 169
Editing addresses ....................................................................................................... 170
Deleting addresses ..................................................................................................... 170
Organizing addresses into address groups ................................................................ 171
Services.......................................................................................................................... 172
Predefined services ...................................................................................................... 172
Adding custom TCP and UDP services ......................................................................... 174
Adding custom ICMP services ....................................................................................... 175
Adding custom IP services ............................................................................................ 175
Grouping services....................................................................................................... 176
Schedules....................................................................................................................... 177
Creating one-time schedules ...................................................................................... 177
Creating recurring schedules...................................................................................... 178
Adding schedules to policies....................................................................................... 179
Virtual IPs........................................................................................................................ 180
Adding static NAT virtual IPs ...................................................................................... 180
Adding port forwarding virtual IPs............................................................................... 182
Adding policies with virtual IPs.................................................................................... 184
IP pools ........................................................................................................................... 184
Adding an IP pool........................................................................................................ 185
IP Pools for firewall policies that use fixed ports......................................................... 185
IP pools and dynamic NAT ......................................................................................... 185
IP/MAC binding............................................................................................................... 186
Configuring IP/MAC binding for packets going through the firewall............................ 186
Configuring IP/MAC binding for packets going to the firewall..................................... 187
Adding IP/MAC addresses.......................................................................................... 188
Viewing the dynamic IP/MAC list ................................................................................ 188
Enabling IP/MAC binding............................................................................................ 188
Content profiles ............................................................................................................... 189
Default content profiles ............................................................................................... 190
Adding content profiles ............................................................................................... 190
Adding content profiles to policies .............................................................................. 192
Users and authentication.................................................................................. 193
Setting authentication timeout ......................................................................................... 194
Adding user names and configuring authentication........................................................ 194
Adding user names and configuring authentication.................................................... 194
Deleting user names from the internal database ........................................................ 195
Configuring RADIUS support.......................................................................................... 196
Adding RADIUS servers ............................................................................................. 196
Deleting RADIUS servers ........................................................................................... 196
Configuring LDAP support.............................................................................................. 197
Adding LDAP servers.................................................................................................. 197
Deleting LDAP servers................................................................................................ 198
Configuring user groups.................................................................................................. 199
Adding user groups..................................................................................................... 199
Deleting user groups................................................................................................... 200
IPSec VPN........................................................................................................... 201
Key management............................................................................................................ 202
Manual Keys............................................................................................................... 202
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 202
Manual key IPSec VPNs................................................................................................. 203
General configuration steps for a manual key VPN.................................................... 203
Adding a manual key VPN tunnel..................... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 203
AutoIKE IPSec VPNs...................................................................................................... 205
General configuration steps for an AutoIKE VPN ....................................................... 205
Adding a phase 1 configuration for an AutoIKE VPN.................. ... ... .... ... ... ... .... ... ... ... 205
Adding a phase 2 configuration for an AutoIKE VPN.................. ... ... .... ... ... ... .... ... ... ... 210
Managing digital certificates............................................................................................ 212
Obtaining a signed local certificate ............................................................................. 212
Obtaining CA certificates ............................................................................................ 214
Configuring encrypt policies............................................................................................ 215
Adding a source address..................... ... .... ... ... ... .... ... ............................................. ... 216
Adding a destination address............ ... ............................................. .... ... ... ... .... ......... 216
Adding an encrypt policy............................. ... ... ... .... ... ... ... .......................................... 217
IPSec VPN concentrators............................................................................................... 218
VPN concentrator (hub) general configuration steps.................................................. 219
Adding a VPN concentrator ........................................ ... ... .......................................... 220
VPN spoke general configuration steps...................................................................... 221
Monitoring and Troubleshooting VPNs........................................ ... ... ... .... ... ... ... .... ... ... ... 223
Viewing VPN tunnel status.......................................................................................... 223
Viewing dialup VPN connection status ....................................................................... 223
Testing a VPN............................................................................................................. 224
Contents
PPTP and L2TP VPN.......................................................................................... 225
Configuring PPTP........................................................................................................... 225
Configuring the FortiWiFi unit as a PPTP gateway..................................................... 225
Configuring a Windows 98 client for PPTP................................................................. 228
Configuring a Windows 2000 client for PPTP............................................................. 229
Configuring a Windows XP client for PPTP ................................................................ 229
FortiWiFi-60 Installation and Configuration Guide 9
Contents
Configuring L2TP............................................................................................................ 231
Configuring the FortiWiFi unit as an L2TP gateway.................................................... 231
Configuring a Windows 2000 client for L2TP.............................................................. 233
Configuring a Windows XP client for L2TP................................................................. 235
Network Intrusion Detection System (NIDS) ................................................... 237
Detecting attacks .. ... ... ............................................. .... ... ... ... .... ...................................... 237
Selecting the interfaces to monitor.............................................................................. 238
Disabling monitoring interfaces................................................................................... 238
Configuring checksum verification .............................................................................. 238
Viewing the signature list ............................................................................................ 239
Viewing attack descriptions......................................................................................... 239
Disabling NIDS attack signatures ............................................................................... 240
Adding user-defined signatures .................................................................................. 240
Preventing attacks .......................................................................................................... 242
Enabling NIDS attack prevention................................................................................ 242
Enabling NIDS attack prevention signatures .............................................................. 242
Setting signature threshold values................................. ... .... ... ... ... ... .... ... ... ... .... ... ... ... 242
Logging attacks............................................................................................................... 244
Logging attack messages to the attack log................................................................. 244
Reducing the number of NIDS attack log and email messages.................................. 244
Antivirus protection........................................................................................... 247
General configuration steps............... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 247
Antivirus scanning........................................................................................................... 248
File blocking................ ... .... ... ... ... .... ... ... ... ... .... ... ............................................. ... .... ... ... ... 249
Blocking files in firewall traffic ..................................................................................... 249
Adding file patterns to block........................................................................................ 249
Blocking oversized files and emails................................................................................ 250
Configuring limits for oversized files and email........................................................... 250
Exempting fragmented email from blocking.................................................................... 250
Viewing the virus list ....................................................................................................... 251
Web filtering....................................................................................................... 253
General configuration steps............... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 253
Content blocking................................ ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .......................... 254
Adding words and phrases to the Banned Word list................................................... 254
Clearing the Banned Word list .................................................................................... 255
Backing up the Banned Word list................................................................................ 255
Restoring the Banned Word list .................................................................................. 256
URL blocking................................................................................................................... 257
Configuring FortiWiFi Web URL blocking ................................................................... 257
Configuring FortiWiFi Web pattern blocking ............................................................... 259
10 Fortinet Inc.
Configuring Cerberian URL filtering................................................................................ 260
Installing a Cerberian license key ............................................................................... 260
Adding a Cerberian user... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 260
Configuring Cerberian web filter ................................................................................. 261
Enabling Cerberian URL filtering ................................................................................ 262
Script filtering.................................................................................................................. 262
Enabling script filtering................................................................................................ 262
Selecting script filter options ............. ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 262
Exempt URL list.............................................................................................................. 263
Adding URLs to the URL Exempt list.......................................................................... 263
Downloading the URL Exempt List ............................................................................. 264
Uploading a URL Exempt List..................................................................................... 264
Email filter........................................................................................................... 267
General configuration steps............... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 267
Email banned word list....... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... 268
Adding words and phrases to the email banned word list........................................... 268
Downloading the email banned word list .................................................................... 269
Uploading the email banned word list......................................................................... 269
Email block list................................... ... ... ... .... ... ... ... .... ... ... ... .......................................... 270
Adding address patterns to the email block list........................................................... 270
Downloading the email block list................................................................................. 270
Uploading an email block list ...................................................................................... 271
Email exempt list... ... ... ... .... ... ... ... .............................................. ... ... ... ... .... ...................... 271
Adding address patterns to the email exempt list.......................... ... .... ... ... ... .... ... ... ... 272
Adding a subject tag ...... .... ... ... ... .... ... ............................................. ................................ 272
Contents
Logging and reporting....................................................................................... 273
Recording logs................................................................................................................ 273
Recording logs on a remote computer........................................................................ 274
Recording logs on a NetIQ WebTrends server........................................................... 274
Recording logs in system memory.............................................................................. 275
Log message levels.................................................................................................... 275
Filtering log messages.................................................................................................... 276
Configuring traffic logging............................................................................................... 277
Enabling traffic logging................................................................................................ 278
Configuring traffic filter settings................................................................................... 278
Adding traffic filter entries ........................................................................................... 279
Viewing logs saved to memory....................................................................................... 280
Viewing logs................................................................................................................ 280
Searching logs............................................................................................................ 280
FortiWiFi-60 Installation and Configuration Guide 11
Contents
Configuring alert email.................................................................................................... 281
Adding alert email addresses...................................................................................... 281
Testing alert email....................................................................................................... 282
Enabling alert email .................................................................................................... 282
Glossary ............................................................................................................. 283
Index ....................................................................................................................287
12 Fortinet Inc.
FortiWiFi-60 Installation and Configuration Guide Version 2.50
Introduction
FortiGate and FortiWiFi Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate and FortiWiFi Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate and FortiWiFi Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
The FortiWiFi-60 Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiWiFi-60 Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiWiFi series complements existing solutions, such as host­based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.
The FortiWiFi-60 model is ideally suited for small businesses, remote offices, retail stores, and broadband telecommuter sites. The FortiWiFi-60 Antivirus Firewall features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch. Networked devices connect directly to the FortiWiFi-60 unit.
The FortiWiFi-60 provides a secure wireless LAN solution that combines mobility and flexibility with the enterprise-class FortiWiFi Antivirus Firewall features. The FortiWiFi is a Wi-Fi certified wireless LAN transceiver that uses two mini-PCI radios that are IEEE 802.11b- and IEEE 802.11g-compliant and that can be upgraded to future radio technologies.
The FortiWiFi serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. FortiWiFi-60 security features include WEP, VPN over the wireless network, and firewall policies that can include user authentication to control access. WEP is a weak cipher with well-known key-recovery attacks, so treat it as a minimal barrier only: use IPSec VPN over the wireless segment and authenticated firewall policies to control what wireless clients can reach.
[Front panel: PWR and WLAN LEDs; INTERNAL ports 1 to 4, DMZ, WAN1 and WAN2, each with LINK and 100 LEDs]
Antivirus protection
FortiWiFi ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiWiFi unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.
For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiWiFi unit. You can use the feature to stop files that might contain new viruses.
If the FortiWiFi unit contains a hard disk, infected or blocked files can be quarantined. The FortiWiFi administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiWiFi unit to automatically delete quarantined files after a specified time.
The FortiWiFi unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate and FortiWiFi Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in email that has been encoded using uuencode format,
detect viruses in email that has been encoded using MIME encoding,
log all actions taken while scanning.
Web content filtering
Web content filtering can scan all HTTP content protocol streams for URLs or web page content. If a URL matches an entry on the URL block list, or a web page contains a word or phrase that is on the content block list, the FortiWiFi unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiWiFi web-based manager.
You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can block unsecure web content such as Java applets, cookies, and ActiveX.
You can also use Cerberian URL filtering to block unwanted URLs.
Email filtering
Email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If the sender address matches a pattern on the email block list, or an email contains a word or phrase on the banned word list, the FortiWiFi unit adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.
You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentionally tagging email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
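As an added illustration of the decision logic described in the web content filtering and email filtering sections above (example code, not Fortinet's implementation), the following Python script applies the same precedence rules: an exempt list entry overrides both the block list and the banned word list; a URL block list entry can cover a whole site or only a path within it; and an email that matches a sender pattern or a banned word is tagged in its subject line rather than blocked. All list entries, URLs and messages are constructed for the example, and the matching rules (case-insensitive substring for banned words, shell-style wildcards for sender patterns, host plus path prefix for URLs) are assumptions chosen to make the guide's description concrete.

```python
"""Web and email filtering decisions with exempt-list override.

Added example, not FortiWiFi code.  List entries, URLs and messages are
constructed for the illustration; matching rules are an assumed reading of
the guide's description (case-insensitive substring for banned words,
shell-style wildcards for sender patterns, host plus path prefix for URLs).
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed web filtering lists (hypothetical entries).
URL_BLOCK_LIST = ["games.example.com", "www.example.org/jobs/"]
URL_EXEMPT_LIST = ["www.example.org/jobs/internal/"]
WEB_BANNED_WORDS = ["casino", "free money"]

# Constructed email filtering lists (hypothetical entries).
EMAIL_BLOCK_LIST = ["*@spam.example", "newsletter@*"]
EMAIL_EXEMPT_LIST = ["alerts@spam.example"]
EMAIL_BANNED_WORDS = ["free money", "act now"]
SUBJECT_TAG = "[SPAM]"


def _host_path(url):
    """Return (hostname, path) for a URL or a bare 'host/path' list entry."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def url_matches(url, entry):
    """An entry matches when the host is identical and the entry's path,
    if it has one, is a prefix of the URL path.  'site.example' covers a
    whole site; 'site.example/jobs/' covers only that part of it."""
    host, path = _host_path(url)
    entry_host, entry_path = _host_path(entry)
    return host == entry_host and (entry_path == "/" or path.startswith(entry_path))


def banned_words_in(text, words):
    """Return the banned words found in text (case-insensitive substring)."""
    lowered = text.lower()
    return [w for w in words if w.lower() in lowered]


def filter_web(url, page_text):
    """Decide whether to deliver a web page: returns ('allow'|'block', reason)."""
    if any(url_matches(url, e) for e in URL_EXEMPT_LIST):
        return "allow", "exempt list overrides URL and content blocking"
    if any(url_matches(url, e) for e in URL_BLOCK_LIST):
        return "block", "URL block list"
    hits = banned_words_in(page_text, WEB_BANNED_WORDS)
    if hits:
        return "block", "banned word: " + hits[0]
    return "allow", ""


def filter_email(sender, subject, body):
    """Return the subject line, prefixed with SUBJECT_TAG when the message
    comes from a blocked sender pattern or contains a banned word.  The
    exempt list wins over both, so legitimate senders are never tagged."""
    sender = sender.lower()
    if any(fnmatch.fnmatchcase(sender, p.lower()) for p in EMAIL_EXEMPT_LIST):
        return subject
    if any(fnmatch.fnmatchcase(sender, p.lower()) for p in EMAIL_BLOCK_LIST):
        return f"{SUBJECT_TAG} {subject}"
    if banned_words_in(subject + "\n" + body, EMAIL_BANNED_WORDS):
        return f"{SUBJECT_TAG} {subject}"
    return subject


if __name__ == "__main__":
    print(filter_web("http://www.example.org/jobs/list", "Open positions"))
    print(filter_web("http://www.example.org/jobs/internal/x", "free money"))
    print(filter_email("bob@spam.example", "Hello", "hi"))
    print(filter_email("alerts@spam.example", "Disk full", "act now"))
```

The order of the checks is the whole point: the exempt list is consulted first so that it really does override both other lists, as the guide says, and a page or message is never evaluated against banned words once its URL or sender has already decided the outcome.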
Firewall
The FortiWiFi ICSA-certified firewall protects your computer networks from Internet threats. ICSA Labs has certified FortiWiFi firewalls against version 4.0 of its firewall certification criteria, providing assurance that FortiWiFi firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.
After basic installation of the FortiWiFi unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiWiFi policies include a range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network Address Translation (NAT) mode and Route mode policies,
include mixed NAT and Route mode policies.
The FortiWiFi firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address translation.
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets that the FortiWiFi unit receives are forwarded or blocked according to firewall policies. The FortiWiFi unit can be inserted in the network at any point without having to make changes to your network or its components. However, VPN and some advanced firewall features are available only in NAT/Route mode.
Network intrusion detection
The FortiWiFi Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a variety of suspicious network activity. NIDS uses attack signatures to identify more than 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packet­based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log, and can be configured to send alert emails.
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually or you can configure the FortiWiFi unit to automatically check for and download attack definition updates.
VPN
Using FortiWiFi virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
VPN features include the following:
Industry standard and ICSA-certified IPSec VPN, including:
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key based on pre-shared key tunnels,
IPSec VPN using local or CA certificates,
Manual Keys tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection.
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiWiFi unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.
Secure installation, configuration, and management
The first time you power on the FortiWiFi unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiWiFi IP addresses for your network, and the FortiWiFi unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiWiFi features.
You can also create a basic configuration using the FortiWiFi command line interface (CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiWiFi unit. The web-based manager supports multiple languages. You can configure the FortiWiFi unit for HTTP and HTTPS administration from any FortiWiFi interface. Because HTTP sends administrator credentials and configuration in the clear, prefer HTTPS, and enable administrative access only on interfaces that face trusted networks.
You can use the web-based manager to configure most FortiWiFi settings. You can also use the web-based manager to monitor the status of the FortiWiFi unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.
Figure 1: The FortiWiFi web-based manager and setup wizard
Command line interface
You can access the FortiWiFi command line interface (CLI) by connecting a management computer serial port to the FortiWiFi RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiWiFi unit, including the Internet. Telnet carries the administrator password in cleartext, so use SSH for network access to the CLI and do not enable Telnet or SSH administration on Internet-facing interfaces unless you need it.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.
This Installation and Configuration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiWiFi CLI, see the FortiGate CLI Reference Guide.
Logging and reporting
The FortiWiFi unit supports logging for various categories of traffic and configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic that was permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the NIDS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiWiFi units to log the most recent events and attacks detected by the NIDS to the system memory.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
Angle brackets < > indicate variable keywords. For example:
execute restore config <filename_str>
You enter execute restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword, <xxx_integer> indicates an integer variable keyword, and <xxx_ip> indicates an IP address variable keyword.
A vertical bar and curly brackets { | } separate alternative, mutually exclusive required keywords. For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent
Square brackets [ ] indicate that a keyword is optional. For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
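As an added example (not part of the guide and not Fortinet code), the following Python script turns the syntax conventions above into a checker: it translates a template such as set system opmode {nat | transparent} into an anchored regular expression and reports whether a typed command is an instance of it. The <xxx_str>, <xxx_integer> and <xxx_ip> variable types are recognised by their suffix; the template set example <n_integer> <addr_ip> used in the self-check is hypothetical and only exercises those types.

```python
"""Validate CLI commands against the syntax templates used in this guide.

Added example, not Fortinet code.  It implements the notation described in
"Document conventions": literal keywords, <xxx_type> variable keywords,
{a | b} required alternatives and [x] optional keywords.
"""
import re

# Regex fragment for each variable keyword suffix the guide defines.
# Unknown suffixes fall back to "any non-blank token" (an assumption).
_VAR_PATTERNS = {
    "str": r"\S+",
    "integer": r"-?\d+",
    "ip": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# Tokens: the structural characters { } [ ] |, a <variable>, or a keyword.
_TOKEN_RE = re.compile(r"\{|\}|\[|\]|\||<[^>]+>|[^\s{}\[\]|<>]+")


def template_to_regex(template):
    """Translate a syntax template into an anchored regular expression.

    Literal keywords must appear verbatim, <xxx_type> accepts one token of
    that type, {a | b} accepts exactly one alternative and [x] accepts x
    or nothing.  Elements are separated by one or more spaces.
    """
    tokens = _TOKEN_RE.findall(template)
    pos = 0

    def sequence(stop):
        # Parse elements until a token in `stop` and return the joined regex.
        nonlocal pos
        out = ""
        while pos < len(tokens) and tokens[pos] not in stop:
            rx, optional = element()
            if optional:
                # Assumption: an optional element never starts a command,
                # so its separating whitespace lives inside the group.
                out += r"(?:\s+" + rx + ")?"
            else:
                out += (r"\s+" if out else "") + rx
        return out

    def element():
        # Parse one element; return (regex, is_optional).
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            alts = [sequence({"|", "}"})]
            while pos < len(tokens) and tokens[pos] == "|":
                pos += 1
                alts.append(sequence({"|", "}"}))
            pos += 1  # consume '}'
            return "(?:" + "|".join(alts) + ")", False
        if tok == "[":
            inner = sequence({"]"})
            pos += 1  # consume ']'
            return inner, True
        if tok.startswith("<"):
            suffix = tok[1:-1].rsplit("_", 1)[-1]
            return _VAR_PATTERNS.get(suffix, r"\S+"), False
        return re.escape(tok), False

    return sequence(set())


def matches(template, command):
    """True if `command` is an instance of the syntax `template`."""
    return re.fullmatch(template_to_regex(template), command.strip()) is not None


if __name__ == "__main__":
    for tmpl, cmd in [
        ("execute restore config <filename_str>", "execute restore config myfile.bak"),
        ("set system opmode {nat | transparent}", "set system opmode bridge"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding dhcpipmac"),
        ("set example <n_integer> <addr_ip>", "set example 42 192.168.1.99"),  # hypothetical template
    ]:
        print(f"{cmd!r:55} -> {'ok' if matches(tmpl, cmd) else 'rejected'}")
```

A checker like this is useful when scripting configuration pushes to many units: commands can be validated against the documented syntax before they are sent over the console or SSH session, rather than discovering a typo from the unit's error output.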
Fortinet documentation
Information about FortiGate and FortiWiFi products is available from the following User Manual volumes:
Volume 1: FortiWiFi-60 Installation and Configuration Guide
Describes installation and basic configuration for the FortiWiFi unit. Also describes how to use FortiWiFi firewall policies to control traffic flow through the FortiWiFi unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP, and email content passing through the FortiWiFi unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre­shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiWiFi online help also contains procedures for using the FortiWiFi web-based manager to configure and manage the FortiWiFi unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiWiFi Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com: for customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com: for customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com: for customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com. When requesting technical support, please provide the following information:
Your name
Company name
Location
Email address
Telephone number
FortiWiFi unit serial number
FortiWiFi model
FortiWiFi FortiOS firmware version
Detailed description of the problem
Getting started
This chapter describes unpacking, setting up, and powering on a FortiWiFi Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:
If you are going to operate the FortiWiFi unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.
If you are going to operate the FortiWiFi unit in Transparent mode, go to “Transparent mode installation” on page 59.
This chapter describes:
Warnings
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiWiFi configuration settings
Planning the FortiWiFi configuration
FortiGate model maximum values matrix
Next steps
Warnings
Caution: To comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons.
Caution: Do not operate a wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.
Package contents
The FortiWiFi-60 package contains the following items:
FortiWiFi-60 Antivirus Firewall
one orange crossover ethernet cable
one gray regular ethernet cable
one null modem cable
FortiWiFi-60 Quick Start Guide
CD containing the FortiGate and FortiWiFi user documentation
one power cable and AC adapter
Figure 2: FortiWiFi-60 package contents
(Front view: Power LED and WLAN LED; Internal interface switch connectors 1, 2, 3, 4; DMZ interface; WAN1 and WAN2 interfaces, each with LINK and 100 LEDs. Back view: DC+12V power connection, Console RS-232 serial connection, USB. Also shown: orange crossover and grey straight-through ethernet cables, null-modem (RS-232) cable, power cable and power supply, documentation CD, and Quick Start Guide.)
Mounting
The FortiWiFi-60 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Dimensions
8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight
1.5 lb. (0.68 kg)
Power requirements
DC input voltage: 12 V
DC input current: 3 A
Environmental specifications
Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing
Wireless connectivity
Antenna type: Dual external fixed antenna
Antenna range: 802.11b/g, 2.4 GHz
Antenna gain: 5 dBi
Basic WiFi installation guidelines
Because the FortiWiFi-60 is a radio device, it is susceptible to common causes of interference that can reduce throughput and range. Follow these basic guidelines to ensure the best possible performance:
Install the access point in an area where large steel structures such as shelving units, bookcases, and filing cabinets do not block the radio signals to and from the access point.
Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference.
Powering on
To power on the FortiWiFi-60 unit
1 Connect the AC adapter to the power connection at the back of the FortiWiFi-60 unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
The FortiWiFi-60 unit starts. The Power and WAN LEDs light.
Table 1: FortiWiFi-60 LED indicators
LED                              State           Description
Power                            Green           The FortiWiFi unit is powered on.
                                 Off             The FortiWiFi unit is powered off.
WAN                              Green           Traffic on WAN link.
Link (Internal DMZ WAN1 WAN2)    Green           The correct cable is in use and the connected equipment has power.
                                 Flashing Green  Network activity at this interface.
                                 Off             No link established.
100 (Internal DMZ WAN1 WAN2)     Green           The interface is connected at 100 Mbps.
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.
To connect to the web-based manager, you need:
a computer with an ethernet connection,
Internet Explorer version 4.0 or higher,
an ethernet cable.
a crossover cable or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
To connect to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiWiFi DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2 Using the ethernet cable, connect the internal interface of the FortiWiFi unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://). The FortiWiFi login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information in this window to register your FortiWiFi unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiWiFi virus and attack definitions.
Figure 3: FortiWiFi login
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiWiFi unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.
To connect to the FortiWiFi CLI, you need:
a computer with an available communications port,
the null modem cable included in your FortiWiFi package,
terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI
1 Connect the null modem cable to the communications port of your computer and to the FortiWiFi Console port.
2 Make sure that the FortiWiFi unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
6 Press Enter to connect to the FortiWiFi CLI.
The following prompt is displayed:
FortiWiFi-60 login:
7 Type admin and press Enter twice.
The following prompt is displayed:
Type ? for a list of commands.
For information about how to use the CLI, see the FortiGate CLI Reference Guide.
Factory default FortiWiFi configuration settings
The FortiWiFi unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiWiFi web-based manager to configure the FortiWiFi unit onto the network. To configure the FortiWiFi unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required.
If you plan to operate the FortiWiFi unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiWiFi unit onto the network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiWiFi unit.
The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiWiFi unit.
The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.
Factory default DHCP configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Factory default DHCP configuration
When the FortiWiFi unit is first powered on, the WAN1 interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiWiFi unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiWiFi unit DHCP server. For more information about the FortiWiFi DHCP server, see “Configuring DHCP services” on page 126.
Table 2: FortiWiFi Internal interface DHCP Server default configuration
Enable DHCP: Yes
Starting IP: 192.168.1.101
Ending IP: 192.168.1.200
Netmask: 255.255.255.0
Lease Duration: 7 days
Default Route: 192.168.1.99
DNS IP: 192.168.1.99
WINS IP: 192.168.1.99
Table 3: FortiWiFi WLAN interface DHCP Server default configuration
Enable DHCP: Yes
Starting IP: 192.168.2.101
Ending IP: 192.168.2.200
Netmask: 255.255.255.0
Lease Duration: 7 days
Default Route: 192.168.2.99
DNS IP: 192.168.2.99
WINS IP: 192.168.2.99
Factory default NAT/Route mode network configuration
When the FortiWiFi unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 4. This configuration allows you to connect to the FortiWiFi unit web-based manager and establish the configuration required to connect the FortiWiFi unit to the network. In Table 4 HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.
Table 4: Factory default NAT/Route mode network configuration
Administrator account: User name: admin; Password: (none)
Internal interface: IP: 192.168.1.99; Netmask: 255.255.255.0; Management Access: HTTPS, Ping
WAN1 interface: Addressing Mode: DHCP; Management Access: Ping
WAN2 interface: IP: 192.168.101.99; Netmask: 255.255.255.0; Management Access: Ping
DMZ interface: IP: 10.10.10.1; Netmask: 255.255.255.0; Management Access: HTTPS, Ping
WLAN interface: IP: 192.168.100.99; Netmask: 255.255.255.0; Management Access: (none); Geography: World; Channel: 5; Security: none; Key: none; SSID: Fortinet
Factory default Transparent mode network configuration
If you switch the FortiWiFi unit to Transparent mode, it has the default network configuration listed in Table 5.
Table 5: Factory default Transparent mode network configuration
Administrator account: User name: admin; Password: (none)
Management IP: IP: 10.10.10.1; Netmask: 255.255.255.0
DNS: Primary DNS Server: 207.194.200.1; Secondary DNS Server: 207.194.200.129
Management access: Internal: HTTPS, Ping; WAN1: Ping; WAN2: Ping; DMZ: HTTPS, Ping
Wireless: Geography: World; Channel: 5; Security: None; Key: None; SSID: fortinet
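The factory defaults in Tables 2 to 5 are the state a unit is in before it is configured onto the network, and several of them (no administrator password, an open WLAN with the vendor name as SSID, ping answered on the WAN interfaces) are exactly what the "Planning the FortiWiFi configuration" steps are meant to change. The following Python script is an added example, not Fortinet code and not a FortiWiFi configuration format: it transcribes the default values from the tables into plain dictionaries (the dictionary layout, the finding codes, and the `untrusted` flags on the WAN interfaces are assumptions made for this example) and audits them for settings that should not survive into production. It also cross-checks each DHCP server's default route against the address of the interface it serves, which surfaces that the WLAN DHCP default route in Table 3 (192.168.2.99) is not on the WLAN interface subnet given in Table 4 (192.168.100.0/24).

```python
import copy
import ipaddress

# Factory defaults transcribed from Tables 2 to 5 (NAT/Route mode).
# The dictionary structure is an assumption for this example only.
FACTORY_DEFAULTS = {
    "admin": {"user": "admin", "password": ""},            # Table 4: Password (none)
    "interfaces": {
        "internal": {"ip": "192.168.1.99/24", "mgmt": {"HTTPS", "Ping"}, "untrusted": False},
        "wan1": {"ip": None, "mgmt": {"Ping"}, "untrusted": True},   # addressing mode DHCP
        "wan2": {"ip": "192.168.101.99/24", "mgmt": {"Ping"}, "untrusted": True},
        "dmz": {"ip": "10.10.10.1/24", "mgmt": {"HTTPS", "Ping"}, "untrusted": False},
        "wlan": {"ip": "192.168.100.99/24", "mgmt": set(), "untrusted": False},
    },
    "wlan": {"ssid": "Fortinet", "security": "none", "key": None, "channel": 5},
    "dhcp": {  # Tables 2 and 3
        "internal": {"start": "192.168.1.101", "end": "192.168.1.200",
                     "netmask": "255.255.255.0", "gateway": "192.168.1.99", "lease_days": 7},
        "wlan": {"start": "192.168.2.101", "end": "192.168.2.200",
                 "netmask": "255.255.255.0", "gateway": "192.168.2.99", "lease_days": 7},
    },
}


def _dhcp_checks(name, dhcp, iface):
    """Sanity checks on one DHCP server definition and the interface it serves."""
    findings = []
    # ipaddress accepts "address/netmask" notation; strict=False keeps host bits.
    net = ipaddress.ip_network(f"{dhcp['gateway']}/{dhcp['netmask']}", strict=False)
    start = ipaddress.ip_address(dhcp["start"])
    end = ipaddress.ip_address(dhcp["end"])
    gw = ipaddress.ip_address(dhcp["gateway"])
    if start > end:
        findings.append(f"DHCP-{name}-RANGE: start {start} is after end {end}")
    if start not in net or end not in net:
        findings.append(f"DHCP-{name}-SUBNET: pool {start}-{end} is not inside {net}")
    if start <= gw <= end:
        findings.append(f"DHCP-{name}-GWINPOOL: default route {gw} lies inside the lease pool")
    if iface.get("ip"):
        iface_net = ipaddress.ip_interface(iface["ip"]).network
        if gw not in iface_net:
            findings.append(f"DHCP-{name}-GWMISMATCH: default route {gw} "
                            f"is not on interface subnet {iface_net}")
    return findings


def audit(config):
    """Return a list of 'CODE: description' strings for settings to change
    before the unit is put on the network. Codes are this example's own."""
    findings = []
    if not config["admin"]["password"]:
        findings.append("ADMIN-NOPASS: administrator account has no password")
    w = config["wlan"]
    if w["security"].lower() == "none" or not w["key"]:
        findings.append(f"WLAN-OPEN: SSID {w['ssid']!r} has no wireless security configured")
    if w["ssid"].lower() == "fortinet":
        findings.append("WLAN-DEFAULT-SSID: SSID is the vendor default and identifies the device")
    for name, iface in config["interfaces"].items():
        if iface["untrusted"] and "HTTPS" in iface["mgmt"]:
            findings.append(f"MGMT-{name}-HTTPS: web-based manager reachable from an untrusted interface")
        if iface["untrusted"] and "Ping" in iface["mgmt"]:
            findings.append(f"MGMT-{name}-PING: interface answers ping from the untrusted side")
    for name, dhcp in config["dhcp"].items():
        findings.extend(_dhcp_checks(name, dhcp, config["interfaces"][name]))
    return findings


def harden(config, admin_password, wlan_security, wlan_key, ssid):
    """Return a copy with the administrator password and wireless settings replaced.
    The values passed in are placeholders chosen by the caller, not recommendations
    of specific key types; see the guide's wireless configuration chapter for what
    the unit supports."""
    hardened = copy.deepcopy(config)
    hardened["admin"]["password"] = admin_password
    hardened["wlan"].update({"security": wlan_security, "key": wlan_key, "ssid": ssid})
    return hardened


if __name__ == "__main__":
    for line in audit(FACTORY_DEFAULTS):
        print(line)
```

Run against the transcribed defaults the audit reports six items: the empty administrator password, the open WLAN, the default SSID, ping answered on WAN1 and WAN2, and the WLAN DHCP default-route mismatch. Applying `harden()` with values of your own clears the first three; the ping and DHCP items are interface settings that the later configuration chapters cover.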