Fortinet FORTIWIFI-60 Users Manual

Page 1
FortiWiFi 60
Installation and
Configuration Guide
[Front panel illustration: INTERNAL 4/3/2/1, DMZ, WAN1 and WAN2 ports; PWR, WLAN and LINK/100 indicators]
Version 2.50
3 March 2004
© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-60 Installation and Configuration Guide
Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
This device complies with part 15 of the FCC rules. Operation is subject to the following two conditions:
(1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
NOTE: The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment. Such modifications could void the user’s authority to operate the equipment.
please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Table of Contents
Introduction.......................................................................................................... 13
Antivirus protection ........................................................................................................... 14
Web content filtering ................................................................................................... 14
Email filtering ............................................................................................................... 15
Firewall.............................................................................................................................. 15
NAT/Route mode.......................................................................................................... 16
Transparent mode......................................................................................................... 16
Network intrusion detection............................................................................................... 16
VPN................................................................................................................................... 16
Secure installation, configuration, and management ....................................................... 17
Web-based manager .................................................................................................... 17
Command line interface................................................................................................ 18
Logging and reporting................................................................................................... 19
Document conventions ..................................................................................................... 19
Fortinet documentation..................................................................................................... 20
Comments on Fortinet technical documentation........................................................... 20
Customer service and technical support........................................................................... 21
Contents
Getting started ..................................................................................................... 23
Warnings........................................................................................................................... 23
Package contents ............................................................................................................. 24
Mounting........................................................................................................................... 24
Powering on...................................................................................................................... 25
Connecting to the web-based manager............................................................................ 26
Connecting to the command line interface (CLI)............................................................... 27
Factory default FortiWiFi configuration settings................................................................ 28
Factory default DHCP configuration ............................................................................. 28
Factory default NAT/Route mode network configuration .............................................. 29
Factory default Transparent mode network configuration............................................. 30
Factory default firewall configuration ............................................................................ 31
Factory default content profiles..................................................................................... 33
Planning the FortiWiFi configuration................................................................................. 35
NAT/Route mode.......................................................................................................... 35
Transparent mode......................................................................................................... 36
Configuration options.................................................................................................... 37
FortiGate model maximum values matrix ......................................................................... 39
Next steps ........................................................................................................................ 40
NAT/Route mode installation.............................................................................. 41
Installing the FortiWiFi unit using the default configuration............................................... 41
Changing the default configuration ............................................................................... 42
FortiWiFi-60 Installation and Configuration Guide 3
Preparing to configure NAT/Route mode.......................................................................... 42
Advanced NAT/Route mode settings............................................................................ 43
DMZ interface ............................................................................................................... 44
Wireless settings .......................................................................................................... 44
Using the setup wizard ..................................................................................................... 44
Starting the setup wizard .............................................................................................. 44
Reconnecting to the web-based manager ................................................................... 44
Using the command line interface..................................................................................... 45
Configuring the FortiWiFi unit to operate in NAT/Route mode...................................... 45
Connecting the FortiWiFi unit to your networks ................................................................ 47
Configuring your networks................................................................................................ 48
Completing the configuration............................................................................................ 49
Configuring the DMZ interface...................................................................................... 49
Configuring the WLAN interface ................................................................................... 49
Configuring the WAN2 interface ................................................................................... 49
Setting the date and time.............................................................................................. 50
Changing antivirus protection ....................................................................................... 50
Registering your FortiWiFi unit...................................................................................... 50
Configuring virus and attack definition updates ............................................................ 50
Configuration example: Multiple connections to the Internet ............................................ 51
Configuring Ping servers............................................................................................... 52
Destination based routing examples............................................................................. 53
Policy routing examples................................................................................................ 56
Firewall policy example................................................................................................. 57
Transparent mode installation............................................................................ 59
Preparing to configure Transparent mode........................................................................ 59
Wireless settings .......................................................................................................... 59
Using the setup wizard ..................................................................................................... 60
Changing to Transparent mode .................................................................................... 60
Starting the setup wizard .............................................................................................. 60
Reconnecting to the web-based manager ................................................................... 60
Using the command line interface..................................................................................... 61
Changing to Transparent mode .................................................................................... 61
Configuring the Transparent mode management IP address....................................... 61
Configure the Transparent mode default gateway........................................................ 61
Configuring wireless settings ........................................................................................ 62
Connecting the FortiWiFi unit to your networks ................................................................ 62
Wireless configuration ..................................................................................................... 63
Completing the configuration............................................................................................ 63
Setting the date and time.............................................................................................. 64
Enabling antivirus protection......................................................................................... 64
Registering your FortiWiFi ............................................................................................ 64
Configuring virus and attack definition updates ............................................................ 64
Transparent mode configuration examples....................................................................... 65
Default routes and static routes .................................................................................... 65
Example default route to an external network............................................................... 66
Example static route to an external destination ............................................................ 67
Example static route to an internal destination ............................................................. 70
System status....................................................................................................... 73
Changing the FortiWiFi host name ................................................................................... 74
Changing the FortiWiFi firmware ...................................................................................... 74
Upgrading to a new firmware version ........................................................................... 74
Reverting to a previous firmware version...................................................................... 76
Installing firmware images from a system reboot using the CLI ................................... 79
Testing a new firmware image before installing it......................................................... 81
Manual virus definition updates ........................................................................................ 82
Manual attack definition updates ...................................................................................... 83
Displaying the FortiWiFi serial number............................................................................. 84
Displaying the FortiWiFi up time....................................................................................... 84
Backing up system settings .............................................................................................. 84
Restoring system settings................................................................................................. 84
Restoring system settings to factory defaults ................................................................... 85
Changing to Transparent mode........................................................................................ 85
Changing to NAT/Route mode.......................................................................................... 86
Restarting the FortiWiFi unit ............................................................................................. 86
Shutting down the FortiWiFi unit....................................................................................... 86
System status ................................................................................................................... 87
Viewing CPU and memory status ................................................................................. 87
Viewing sessions and network status ........................................................................... 88
Viewing virus and intrusions status............................................................................... 89
Session list ....................................................................................................................... 90
Virus and attack definitions updates and registration..................................... 93
Updating antivirus and attack definitions .......................................................................... 93
Connecting to the FortiResponse Distribution Network ................................................ 94
Manually initiating antivirus and attack definitions updates .......................................... 95
Configuring update logging........................................................................................... 96
Scheduling updates .......................................................................................................... 96
Enabling scheduled updates......................................................................................... 96
Adding an override server............................................................................................. 97
Enabling scheduled updates through a proxy server.................................................... 98
Enabling push updates ..................................................................................................... 98
Enabling push updates ................................................................................................. 99
Push updates when FortiWiFi IP addresses change .................................................... 99
Enabling push updates through a NAT device............................................................ 100
Registering FortiGate and FortiWiFi units....................................................................... 104
FortiCare Service Contracts........................................................................................ 104
Registering the FortiWiFi unit...................................................................................... 105
Updating registration information.................................................................................... 107
Recovering a lost Fortinet support password.............................................................. 107
Viewing the list of registered FortiGate and FortiWiFi units........................................ 107
Registering a new FortiWiFi unit................................................................................. 108
Adding or changing a FortiCare Support Contract number......................................... 108
Changing your Fortinet support password.................................................................. 109
Changing your contact information or security question............................................. 109
Downloading virus and attack definitions updates...................................................... 110
Registering a FortiWiFi unit after an RMA ...................................................................... 110
Network configuration....................................................................................... 113
Configuring interfaces..................................................................................................... 113
Viewing the interface list ............................................................................................. 114
Changing the administrative status of an interface..................................................... 114
Configuring an interface with a manual IP address .................................................... 114
Configuring an interface for DHCP ............................................................................. 115
Configuring an interface for PPPoE............................................................................ 116
Adding a secondary IP address to an interface .......................................................... 116
Adding a ping server to an interface ............................................................................ 117
Controlling administrative access to an interface........................................................ 117
Changing the MTU size to improve network performance.......................................... 118
Configuring traffic logging for connections to an interface.......................................... 118
Configuring the management interface in Transparent mode..................................... 119
Wireless configuration ................................................................................................. 120
Adding DNS server IP addresses ................................................................................... 122
Configuring routing.......................................................................................................... 122
Adding a default route ................................................................................................. 122
Adding destination-based routes to the routing table.................................................. 123
Adding routes in Transparent mode............................................................................ 124
Configuring the routing table....................................................................................... 124
Policy routing .............................................................................................................. 125
Configuring DHCP services............................................................................................ 126
Configuring a DHCP relay agent................................................................................. 126
Configuring a DHCP server ........................................................................................ 127
Configuring the modem interface.................................................................................... 129
Connecting a modem to the FortiWiFi unit.................................................................. 130
Configuring modem settings ....................................................................................... 130
Connecting to a dialup account................................................................................... 131
Disconnecting the modem .......................................................................................... 131
Viewing modem status................................................................................................ 131
Backup mode configuration ......................................................................................... 132
Standalone mode configuration.................................................................................. 132
Adding firewall policies for modem connections ......................................................... 133
RIP configuration............................................................................................... 135
RIP settings..................................................................................................................... 135
Configuring RIP for FortiWiFi interfaces ......................................................................... 137
Adding RIP filters ............................................................................................................ 139
Adding a RIP filter list ................................................................................................. 139
Assigning a RIP filter list to the neighbors filter........................................................... 140
Assigning a RIP filter list to the incoming filter............................................................ 140
Assigning a RIP filter list to the outgoing filter............................................................. 141
System configuration ........................................................................................ 143
Setting system date and time.......................................................................................... 143
Changing system options................................................................................................ 144
Adding and editing administrator accounts..................................................................... 145
Adding new administrator accounts ............................................................................ 146
Editing administrator accounts.................................................................................... 146
Configuring SNMP.......................................................................................................... 147
Configuring the FortiWiFi unit for SNMP monitoring................................................... 148
Configuring FortiWiFi SNMP support.......................................................................... 148
FortiWiFi MIBs ............................................................................................................ 150
FortiWiFi traps............................................................................................................. 151
Fortinet MIB fields....................................................................................................... 152
Replacement messages ................................................................................................. 155
Customizing replacement messages.......................................................................... 155
Customizing alert emails............................................................................................. 156
Firewall configuration........................................................................................ 159
Default firewall configuration........................................................................................... 160
Interfaces.................................................................................................................... 161
Addresses................................................................................................................... 161
Services...................................................................................................................... 161
Schedules................................................................................................................... 162
Content profiles ........................................................................................................... 162
Adding firewall policies.................................................................................................... 162
Firewall policy options................................................................................................. 163
Configuring policy lists.................................................................................................... 167
Policy matching in detail ............................................................................................. 167
Changing the order of policies in a policy list.............................................................. 168
Enabling and disabling policies................................................................................... 168
Addresses....................................................................................................................... 169
Adding addresses ........................................................................................................ 169
Editing addresses ....................................................................................................... 170
Deleting addresses ..................................................................................................... 170
Organizing addresses into address groups ................................................................ 171
Services.......................................................................................................................... 172
Predefined services ..................................................................................................... 172
Adding custom TCP and UDP services ....................................................................... 174
Adding custom ICMP services ..................................................................................... 175
Adding custom IP services .......................................................................................... 175
Grouping services....................................................................................................... 176
Schedules....................................................................................................................... 177
Creating one-time schedules ...................................................................................... 177
Creating recurring schedules...................................................................................... 178
Adding schedules to policies....................................................................................... 179
Virtual IPs........................................................................................................................ 180
Adding static NAT virtual IPs ...................................................................................... 180
Adding port forwarding virtual IPs............................................................................... 182
Adding policies with virtual IPs.................................................................................... 184
IP pools ........................................................................................................................... 184
Adding an IP pool........................................................................................................ 185
IP Pools for firewall policies that use fixed ports......................................................... 185
IP pools and dynamic NAT ......................................................................................... 185
IP/MAC binding............................................................................................................... 186
Configuring IP/MAC binding for packets going through the firewall............................ 186
Configuring IP/MAC binding for packets going to the firewall..................................... 187
Adding IP/MAC addresses.......................................................................................... 188
Viewing the dynamic IP/MAC list ................................................................................ 188
Enabling IP/MAC binding............................................................................................ 188
Content profiles ............................................................................................................... 189
Default content profiles ............................................................................................... 190
Adding content profiles ............................................................................................... 190
Adding content profiles to policies .............................................................................. 192
Users and authentication.................................................................................. 193
Setting authentication timeout ......................................................................................... 194
Adding user names and configuring authentication........................................................ 194
Adding user names and configuring authentication.................................................... 194
Deleting user names from the internal database ........................................................ 195
Configuring RADIUS support.......................................................................................... 196
Adding RADIUS servers ............................................................................................. 196
Deleting RADIUS servers ........................................................................................... 196
Configuring LDAP support.............................................................................................. 197
Adding LDAP servers.................................................................................................. 197
Deleting LDAP servers................................................................................................ 198
Configuring user groups.................................................................................................. 199
Adding user groups..................................................................................................... 199
Deleting user groups................................................................................................... 200
IPSec VPN........................................................................................................... 201
Key management............................................................................................................ 202
Manual Keys............................................................................................................... 202
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 202
Manual key IPSec VPNs................................................................................................. 203
General configuration steps for a manual key VPN.................................................... 203
Adding a manual key VPN tunnel ....................................................................... 203
AutoIKE IPSec VPNs...................................................................................................... 205
General configuration steps for an AutoIKE VPN ....................................................... 205
Adding a phase 1 configuration for an AutoIKE VPN .......................................... 205
Adding a phase 2 configuration for an AutoIKE VPN .......................................... 210
Managing digital certificates............................................................................................ 212
Obtaining a signed local certificate ............................................................................. 212
Obtaining CA certificates ............................................................................................ 214
Configuring encrypt policies............................................................................................ 215
Adding a source address ..................................................................................... 216
Adding a destination address .............................................................................. 216
Adding an encrypt policy ..................................................................................... 217
IPSec VPN concentrators............................................................................................... 218
VPN concentrator (hub) general configuration steps.................................................. 219
Adding a VPN concentrator ................................................................................. 220
VPN spoke general configuration steps...................................................................... 221
Monitoring and Troubleshooting VPNs .................................................................... 223
Viewing VPN tunnel status.......................................................................................... 223
Viewing dialup VPN connection status ....................................................................... 223
Testing a VPN............................................................................................................. 224
PPTP and L2TP VPN.......................................................................................... 225
Configuring PPTP........................................................................................................... 225
Configuring the FortiWiFi unit as a PPTP gateway..................................................... 225
Configuring a Windows 98 client for PPTP................................................................. 228
Configuring a Windows 2000 client for PPTP............................................................. 229
Configuring a Windows XP client for PPTP ................................................................ 229
Configuring L2TP............................................................................................................ 231
Configuring the FortiWiFi unit as an L2TP gateway.................................................... 231
Configuring a Windows 2000 client for L2TP.............................................................. 233
Configuring a Windows XP client for L2TP................................................................. 235
Network Intrusion Detection System (NIDS) ................................................... 237
Detecting attacks .................................................................................................... 237
Selecting the interfaces to monitor.............................................................................. 238
Disabling monitoring interfaces................................................................................... 238
Configuring checksum verification .............................................................................. 238
Viewing the signature list ............................................................................................ 239
Viewing attack descriptions......................................................................................... 239
Disabling NIDS attack signatures ............................................................................... 240
Adding user-defined signatures .................................................................................. 240
Preventing attacks .......................................................................................................... 242
Enabling NIDS attack prevention................................................................................ 242
Enabling NIDS attack prevention signatures .............................................................. 242
Setting signature threshold values ...................................................................... 242
Logging attacks............................................................................................................... 244
Logging attack messages to the attack log................................................................. 244
Reducing the number of NIDS attack log and email messages.................................. 244
Antivirus protection........................................................................................... 247
General configuration steps ................................................................................... 247
Antivirus scanning ................................................................................................... 248
File blocking ............................................................................................................ 249
Blocking files in firewall traffic ..................................................................................... 249
Adding file patterns to block........................................................................................ 249
Blocking oversized files and emails................................................................................ 250
Configuring limits for oversized files and email........................................................... 250
Exempting fragmented email from blocking.................................................................... 250
Viewing the virus list ....................................................................................................... 251
Web filtering....................................................................................................... 253
General configuration steps ................................................................................... 253
Content blocking ..................................................................................................... 254
Adding words and phrases to the Banned Word list................................................... 254
Clearing the Banned Word list .................................................................................... 255
Backing up the Banned Word list................................................................................ 255
Restoring the Banned Word list .................................................................................. 256
URL blocking................................................................................................................... 257
Configuring FortiWiFi Web URL blocking ................................................................... 257
Configuring FortiWiFi Web pattern blocking ............................................................... 259
Configuring Cerberian URL filtering................................................................................ 260
Installing a Cerberian license key ............................................................................... 260
Adding a Cerberian user ...................................................................................... 260
Configuring Cerberian web filter ................................................................................. 261
Enabling Cerberian URL filtering ................................................................................ 262
Script filtering.................................................................................................................. 262
Enabling script filtering................................................................................................ 262
Selecting script filter options .............................................................................. 262
Exempt URL list.............................................................................................................. 263
Adding URLs to the URL Exempt list.......................................................................... 263
Downloading the URL Exempt List ............................................................................. 264
Uploading a URL Exempt List..................................................................................... 264
Email filter........................................................................................................... 267
General configuration steps ................................................................................... 267
Email banned word list ........................................................................................... 268
Adding words and phrases to the email banned word list........................................... 268
Downloading the email banned word list .................................................................... 269
Uploading the email banned word list......................................................................... 269
Email block list ....................................................................................................... 270
Adding address patterns to the email block list........................................................... 270
Downloading the email block list................................................................................. 270
Uploading an email block list ...................................................................................... 271
Email exempt list .................................................................................................... 271
Adding address patterns to the email exempt list ............................................... 272
Adding a subject tag ............................................................................................ 272
Logging and reporting....................................................................................... 273
Recording logs................................................................................................................ 273
Recording logs on a remote computer........................................................................ 274
Recording logs on a NetIQ WebTrends server........................................................... 274
Recording logs in system memory.............................................................................. 275
Log message levels.................................................................................................... 275
Filtering log messages.................................................................................................... 276
Configuring traffic logging............................................................................................... 277
Enabling traffic logging................................................................................................ 278
Configuring traffic filter settings................................................................................... 278
Adding traffic filter entries ........................................................................................... 279
Viewing logs saved to memory....................................................................................... 280
Viewing logs................................................................................................................ 280
Searching logs............................................................................................................ 280
Configuring alert email.................................................................................................... 281
Adding alert email addresses...................................................................................... 281
Testing alert email....................................................................................................... 282
Enabling alert email .................................................................................................... 282
Glossary ............................................................................................................. 283
Index ........................................................................................................................ 287
FortiWiFi-60 Installation and Configuration Guide Version 2.50
Introduction
FortiGate and FortiWiFi Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate and FortiWiFi Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate and FortiWiFi Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.
The FortiWiFi-60 Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiWiFi-60 Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiWiFi series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.
The FortiWiFi-60 model is ideally suited for small businesses, remote offices, retail stores, and broadband telecommuter sites. The FortiWiFi-60 Antivirus Firewall features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch. Networked devices connect directly to the FortiWiFi-60 unit.
The FortiWiFi-60 provides a secure wireless LAN solution that combines mobility and flexibility with the enterprise-class FortiWiFi Antivirus Firewall features. The FortiWiFi is a Wi-Fi certified wireless LAN transceiver that uses two mini-PCI radios that are IEEE 802.11b and IEEE 802.11g-compliant and that can be upgraded to future radio technologies.
The FortiWiFi serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. FortiWiFi-60 security features include WEP, VPN over the wireless network, and firewall policies that can include user authentication to control access.
[Figure: FortiWiFi-60 front panel, showing the PWR and WLAN indicators, the INTERNAL ports 1 to 4, the DMZ port, and the WAN1 and WAN2 ports with their LINK and 100 indicators]
Antivirus protection
FortiWiFi ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiWiFi unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.
For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiWiFi unit. You can use the feature to stop files that might contain new viruses.
If the FortiWiFi unit contains a hard disk, infected or blocked files can be quarantined. The FortiWiFi administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiWiFi unit to automatically delete quarantined files after a specified time.
The FortiWiFi unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.
ICSA Labs has certified that FortiGate and FortiWiFi Antivirus Firewalls:
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
detect viruses in compressed files using the PKZip format,
detect viruses in email that has been encoded using uuencode format,
detect viruses in email that has been encoded using MIME encoding,
log all actions taken while scanning.
Web content filtering
Web content filtering can scan all HTTP content protocol streams for URLs or web page content. If a URL matches an entry on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiWiFi unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiWiFi web-based manager.
You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists.
Web content filtering also includes a script filter feature that can block insecure web content such as Java applets, cookies, and ActiveX.
You can also use Cerberian URL blocking to block unwanted URLs.
Email filtering
Email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If a sender address matches a pattern on the email block list, or an email contains a word or phrase in the banned word list, the FortiWiFi unit adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.
You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentionally tagging email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned words lists.
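The decision order described above for web content filtering and email filtering, as an added example that is not Fortinet's code: the exempt list overrides the block lists, a URL block entry covers either a whole site or only part of it, and a banned word match blocks a page or tags an email. The matching rules (host plus path-prefix URL matching, glob-style sender patterns, case-insensitive banned words) and every sample list, URL and message are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


def _split_url(url: str):
    """Return (host, path) in lower case; a bare host gets the path '/'."""
    url = url.lower()
    if "://" in url:
        url = url.split("://", 1)[1]
    host, _, path = url.partition("/")
    return host, "/" + path


def _url_in_list(url: str, entries) -> bool:
    """Assumed matching rule: 'site' covers the whole site, 'site/part' only that part."""
    host, path = _split_url(url)
    for entry in entries:
        ehost, epath = _split_url(entry)
        if host != ehost:
            continue
        if epath == "/":
            return True                                   # whole site
        if path == epath or path.startswith(epath.rstrip("/") + "/"):
            return True                                   # only this part of the site
    return False


def _contains_banned(text: str, words) -> bool:
    low = text.lower()
    return any(w.lower() in low for w in words)


@dataclass
class WebFilter:
    url_block: list
    content_block: list
    url_exempt: list

    def decide(self, url: str, page_text: str = "") -> str:
        if _url_in_list(url, self.url_exempt):
            return "allow"                                # exempt list overrides both block lists
        if _url_in_list(url, self.url_block):
            return "block:url"
        if _contains_banned(page_text, self.content_block):
            return "block:content"
        return "allow"


@dataclass
class EmailFilter:
    block_patterns: list
    banned_words: list
    exempt_patterns: list
    tag: str = "[Spam]"

    def _sender_in(self, sender: str, patterns) -> bool:
        return any(fnmatch(sender.lower(), p.lower()) for p in patterns)

    def subject_for(self, sender: str, subject: str, body: str) -> str:
        """Return the subject line as the recipient would see it."""
        if self._sender_in(sender, self.exempt_patterns):
            return subject                                # exempt list overrides block lists
        if self._sender_in(sender, self.block_patterns) or _contains_banned(
            subject + "\n" + body, self.banned_words
        ):
            return f"{self.tag} {subject}"                # tag, do not drop, the message
        return subject


# Constructed sample lists and traffic (not from the manual).
WEB = WebFilter(
    url_block=["blocked-site.example", "news.example/games"],
    content_block=["free casino"],
    url_exempt=["news.example/games/educational"],
)
MAIL = EmailFilter(
    block_patterns=["*@bulkmail.example"],
    banned_words=["act now"],
    exempt_patterns=["alerts@bulkmail.example"],
)


def demo() -> dict:
    """Run the constructed samples through both filters."""
    return {
        "whole_site": WEB.decide("http://blocked-site.example/anything.html"),
        "part_of_site": WEB.decide("http://news.example/games/poker.html"),
        "rest_of_site": WEB.decide("http://news.example/weather.html", "sunny"),
        "exempt_wins": WEB.decide("http://news.example/games/educational/1.html", "free casino"),
        "content": WEB.decide("http://other.example/", "Win big at our FREE CASINO"),
        "blocked_sender": MAIL.subject_for("promo@bulkmail.example", "Hello", "hi"),
        "exempt_sender": MAIL.subject_for("alerts@bulkmail.example", "Act now: outage", "..."),
        "banned_word": MAIL.subject_for("friend@home.example", "Deal", "Act NOW please"),
        "clean": MAIL.subject_for("friend@home.example", "Lunch", "noon?"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```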
Firewall
The FortiWiFi ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiWiFi firewalls version 4.0 firewall certification, providing assurance that FortiWiFi firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.
After basic installation of the FortiWiFi unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
FortiWiFi policies include a range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network Address Translation (NAT) mode and Route mode policies,
include mixed NAT and Route mode policies.
The FortiWiFi firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address translation.
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets that the FortiWiFi unit receives are forwarded or blocked according to firewall policies. The FortiWiFi unit can be inserted in the network at any point without having to make changes to your network or its components. However, VPN and some advanced firewall features are available only in NAT/Route mode.
Network intrusion detection
The FortiWiFi Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a variety of suspicious network activity. NIDS uses attack signatures to identify more than 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write user-defined detection attack signatures.
NIDS prevention detects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log, and can be configured to send alert emails.
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually or you can configure the FortiWiFi unit to automatically check for and download attack definition updates.
VPN
Using FortiWiFi virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
VPN features include the following:
Industry standard and ICSA-certified IPSec VPN, including:
IPSec, ESP security in tunnel mode,
DES, 3DES (triple-DES), and AES hardware accelerated encryption,
HMAC MD5 and HMAC SHA1 authentication and data integrity,
AutoIKE key based on pre-shared key tunnels,
IPSec VPN using local or CA certificates,
Manual Keys tunnels,
Diffie-Hellman groups 1, 2, and 5,
Aggressive and Main Mode,
Replay Detection,
Perfect Forward Secrecy,
XAuth authentication,
Dead peer detection.
PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiWiFi unit.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.
Secure installation, configuration, and management
The first time you power on the FortiWiFi unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiWiFi IP addresses for your network, and the FortiWiFi unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiWiFi features.
You can also create a basic configuration using the FortiWiFi command line interface (CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiWiFi unit. The web-based manager supports multiple languages. You can configure the FortiWiFi unit for HTTP and HTTPS administration from any FortiWiFi interface.
You can use the web-based manager to configure most FortiWiFi settings. You can also use the web-based manager to monitor the status of the FortiWiFi unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.
Figure 1: The FortiWiFi web-based manager and setup wizard
Command line interface
You can access the FortiWiFi command line interface (CLI) by connecting a management computer serial port to the FortiWiFi RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiWiFi unit, including the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.
This Installation and Configuration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiWiFi CLI, see the FortiGate CLI Reference Guide.
Logging and reporting
The FortiWiFi unit supports logging for various categories of traffic and configuration changes. You can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic that was permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the NIDS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiWiFi units to log the most recent events and attacks detected by the NIDS to the system memory.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
angle brackets < > to indicate variable keywords
For example:
execute restore config <filename_str>
You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable keyword.
<xxx_integer> indicates an integer variable keyword.
<xxx_ip> indicates an IP address variable keyword.
vertical bar and curly brackets { | } to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent
square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
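A small checker for the syntax notation just described, added here as an example and not part of the guide or of FortiOS: it compiles a syntax line (literal keywords, <name_str> / <name_integer> / <name_ip> variables, {a | b} required choices, [keyword] optional keywords) and tests whether a typed command satisfies it. The three syntax lines from the guide are used as-is; the pattern starting with `demo` is a constructed one used only to exercise the integer and IP variable kinds.

```python
import ipaddress
import re

# One regex alternative per notation element: {choice}, [optional], <variable>, literal.
_ELEMENT = re.compile(r"\{[^}]*\}|\[[^\]]*\]|<[^>]+>|\S+")


def compile_syntax(pattern: str) -> list:
    """Turn a syntax line from the guide into a list of (kind, ...) elements."""
    elems = []
    for tok in _ELEMENT.findall(pattern):
        if tok.startswith("{"):                      # {nat | transparent}
            elems.append(("choice", [c.strip() for c in tok[1:-1].split("|")]))
        elif tok.startswith("["):                    # [dhcpipmac]
            elems.append(("optional", tok[1:-1].strip()))
        elif tok.startswith("<"):                    # <filename_str>: suffix gives the kind
            name = tok[1:-1]
            elems.append(("var", name, name.rsplit("_", 1)[-1]))
        else:                                        # literal keyword
            elems.append(("literal", tok))
    return elems


def _value_ok(kind: str, word: str) -> bool:
    """Check a typed word against the variable kind suffix (_str, _integer, _ip)."""
    if kind == "str":
        return len(word) > 0 and word.isascii()
    if kind == "integer":
        return re.fullmatch(r"-?\d+", word) is not None
    if kind == "ip":
        try:
            ipaddress.IPv4Address(word)
            return True
        except ValueError:
            return False
    raise ValueError(f"unknown variable kind: {kind}")


def match_command(pattern: str, command: str):
    """Return the bound variables and choices if command satisfies pattern, else None."""
    words = command.split()
    bound = {}
    i = 0
    for elem in compile_syntax(pattern):
        kind = elem[0]
        if kind == "literal":
            if i >= len(words) or words[i] != elem[1]:
                return None
            i += 1
        elif kind == "choice":                       # exactly one option is required
            if i >= len(words) or words[i] not in elem[1]:
                return None
            bound["|".join(elem[1])] = words[i]
            i += 1
        elif kind == "optional":                     # keyword may be absent
            present = i < len(words) and words[i] == elem[1]
            bound[elem[1]] = present
            if present:
                i += 1
        else:                                        # var: validate by kind and bind
            if i >= len(words) or not _value_ok(elem[2], words[i]):
                return None
            bound[elem[1]] = words[i]
            i += 1
    return bound if i == len(words) else None        # reject trailing words


if __name__ == "__main__":
    print(match_command("set system opmode {nat | transparent}", "set system opmode nat"))
    print(match_command("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding"))
    print(match_command("execute restore config <filename_str>", "execute restore config myfile.bak"))
    # constructed pattern, not a real FortiOS command
    print(match_command("demo <count_integer> <host_ip>", "demo 3 192.168.1.99"))
```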
Fortinet documentation
Information about FortiGate and FortiWiFi products is available from the following User Manual volumes:
Volume 1: FortiWiFi-60 Installation and Configuration Guide
Describes installation and basic configuration for the FortiWiFi unit. Also describes how to use FortiWiFi firewall policies to control traffic flow through the FortiWiFi unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP, and email content passing through the FortiWiFi unit.
Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.
Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiWiFi online help also contains procedures for using the FortiWiFi web-based manager to configure and manage the FortiWiFi unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.
You can also register FortiWiFi Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.
Fortinet email support is available from the following addresses:
amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.
For information on Fortinet telephone support, see http://support.fortinet.com. When requesting technical support, please provide the following information:
Your name
Company name
Location
Email address
Telephone number
FortiWiFi unit serial number
FortiWiFi model
FortiWiFi FortiOS firmware version
Detailed description of the problem
Getting started
This chapter describes unpacking, setting up, and powering on a FortiWiFi Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:
If you are going to operate the FortiWiFi unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.
If you are going to operate the FortiWiFi unit in Transparent mode, go to “Transparent mode installation” on page 59.
This chapter describes:
Warnings
Package contents
Mounting
Powering on
Connecting to the web-based manager
Connecting to the command line interface (CLI)
Factory default FortiWiFi configuration settings
Planning the FortiWiFi configuration
FortiGate model maximum values matrix
Next steps
Warnings
Caution: To comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at least 7.9 inches (20 cm) from the body of all persons.
Caution: Do not operate a wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.
Package contents
The FortiWiFi-60 package contains the following items:
FortiWiFi-60 Antivirus Firewall
one orange crossover ethernet cable
one gray regular ethernet cable
one null modem cable
FortiWiFi-60 Quick Start Guide
CD containing the FortiGate and FortiWiFi user documentation
one power cable and AC adapter
Figure 2: FortiWiFi-60 package contents. The figure shows the front panel (PWR and WLAN LEDs; Internal interface switch ports 1 to 4; DMZ, WAN1 and WAN2 interfaces, each with LINK and 100 LEDs), the back panel (DC +12V power connection, RS-232 Console port, USB ports), the orange crossover and grey straight-through ethernet cables, the RS-232 null-modem cable, the power cable and power supply, the documentation CD, and the Quick Start Guide.
Mounting
The FortiWiFi-60 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Dimensions
8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight
1.5 lb. (0.68 kg)
Power requirements
DC input voltage: 12 V
DC input current: 3 A
Environmental specifications
Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing
Wireless Connectivity
Antenna type: Dual external fixed antenna
Radio: 802.11b/g, 2.4 GHz
Antenna gain: 5 dBi
Basic WiFi installation guidelines
Because the FortiWiFi-60 is a radio device, it is susceptible to common causes of interference that can reduce throughput and range. Follow these basic guidelines to ensure the best possible performance:
Install the access point in an area where large steel structures such as shelving units, bookcases, and filing cabinets do not block the radio signals to and from the access point.
Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference.
Powering on
To power on the FortiWiFi-60 unit
1 Connect the AC adapter to the power connection at the back of the FortiWiFi-60 unit.
2 Connect the AC adapter to the power cable.
3 Connect the power cable to a power outlet.
The FortiWiFi-60 unit starts. The Power and WLAN LEDs light.
Table 1: FortiWiFi-60 LED indicators
LED                               State           Description
Power                             Green           The FortiWiFi unit is powered on.
                                  Off             The FortiWiFi unit is powered off.
WLAN                              Green           Traffic on the wireless (WLAN) link.
Link (Internal, DMZ, WAN1, WAN2)  Green           The correct cable is in use and the connected equipment has power.
                                  Flashing Green  Network activity at this interface.
                                  Off             No link established.
100 (Internal, DMZ, WAN1, WAN2)   Green           The interface is connected at 100 Mbps.
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.
To connect to the web-based manager, you need:
a computer with an ethernet connection,
Internet Explorer version 4.0 or higher,
an ethernet cable, or a crossover cable, or an ethernet hub and two ethernet cables.
Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.
To connect to the web-based manager
1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiWiFi DHCP server assigns the management computer an address on the 192.168.1.0 subnet from the internal interface DHCP scope (see Table 2).
2 Using the ethernet cable, connect the internal interface of the FortiWiFi unit to the computer ethernet connection.
3 Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://). The FortiWiFi login is displayed.
4 Type admin in the Name field and select Login.
The Register Now window is displayed. Use the information in this window to register your FortiWiFi unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiWiFi virus and attack definitions.
Figure 3: FortiWiFi login
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiWiFi unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.
To connect to the FortiWiFi CLI, you need:
a computer with an available communications port,
the null modem cable included in your FortiWiFi package,
terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.
To connect to the CLI
1 Connect the null modem cable to the communications port of your computer and to the FortiWiFi Console port.
2 Make sure that the FortiWiFi unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5 Select the following port settings and select OK.
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
6 Press Enter to connect to the FortiWiFi CLI.
The following prompt is displayed:
FortiWiFi-60 login:
7 Type admin and press Enter, then press Enter again at the password prompt (the factory default admin account has no password).
The following prompt is displayed:
Type ? for a list of commands.
For information about how to use the CLI, see the FortiGate CLI Reference Guide.
Factory default FortiWiFi configuration settings
The FortiWiFi unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiWiFi web-based manager to configure the FortiWiFi unit onto the network. To configure the FortiWiFi unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required. Because the admin account ships with no password (Table 4) and HTTPS management access is enabled on the internal and DMZ interfaces, set the administrator password before connecting those interfaces to any network you do not fully control.
If you plan to operate the FortiWiFi unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiWiFi unit onto the network in Transparent mode.
Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiWiFi unit.
The factory default firewall configuration includes four network address translation (NAT) policies (Table 6) that allow users on the internal network and on the wireless network to connect to the external network through the WAN1 and WAN2 interfaces. No default policy allows connections from the external network, or from the wireless network, to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiWiFi unit.
The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.
Factory default DHCP configuration
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default content profiles
Factory default DHCP configuration
When the FortiWiFi unit is first powered on, the WAN1 interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiWiFi unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiWiFi unit DHCP server. For more information about the FortiWiFi DHCP server, see “Configuring DHCP services” on page 126.
Table 2: FortiWiFi Internal interface DHCP Server default configuration
Enable DHCP:     selected
Starting IP:     192.168.1.101
Ending IP:       192.168.1.200
Netmask:         255.255.255.0
Lease Duration:  7 days
Default Route:   192.168.1.99
DNS IP:          192.168.1.99
WINS IP:         192.168.1.99
Table 3: FortiWiFi WLAN interface DHCP Server default configuration
Enable DHCP:     selected
Starting IP:     192.168.2.101
Ending IP:       192.168.2.200
Netmask:         255.255.255.0
Lease Duration:  7 days
Default Route:   192.168.2.99
DNS IP:          192.168.2.99
WINS IP:         192.168.2.99
Factory default NAT/Route mode network configuration
When the FortiWiFi unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 4. This configuration allows you to connect to the FortiWiFi unit web-based manager and establish the configuration required to connect the FortiWiFi unit to the network. In Table 4 HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests. Note that the WLAN interface ships with Security set to none: any wireless client can associate with the SSID fortinet without a key, obtain an address from the WLAN DHCP server (Table 3), and reach the Internet through the default WLAN->WAN1 and WLAN->WAN2 firewall policies (Table 6). Configure wireless security before deploying the unit.
Table 4: Factory default NAT/Route mode network configuration
Administrator account  User name: admin
                       Password: (none)
Internal interface     IP: 192.168.1.99
                       Netmask: 255.255.255.0
                       Management Access: HTTPS, Ping
WAN1 interface         Addressing Mode: DHCP
                       Management Access: Ping
WAN2 interface         IP: 192.168.101.99
                       Netmask: 255.255.255.0
                       Management Access: Ping
DMZ interface          IP: 10.10.10.1
                       Netmask: 255.255.255.0
                       Management Access: HTTPS, Ping
WLAN interface         IP: 192.168.2.99
                       Netmask: 255.255.255.0
                       Management Access: (none)
                       Geography: World
                       Channel: 5
                       Security: none
                       Key: none
                       SSID: fortinet
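The defaults in Tables 2, 3 and 4 only work together if every DHCP scope sits inside its interface subnet, excludes the interface address, and points clients at the interface as their gateway, and if none of the factory subnets collides with whatever the ISP hands WAN1. The following Python is an added example, not code from the Fortinet guide: it encodes the factory values as data and checks those properties with the standard library. The WLAN interface address 192.168.2.99 is taken from the WLAN DHCP default route in Table 3; the function names, the check list and the constructed upstream network are this example's own.

```python
"""Added example (not from the Fortinet guide): sanity-check the factory
default IP plan from Tables 2, 3 and 4 with the Python standard library.

Interface addresses and DHCP scopes are the guide's defaults; the WLAN
interface address 192.168.2.99 is taken from the WLAN DHCP default route in
Table 3 (the interface must sit on the subnet it hands out). The function
names and the checks themselves are this example's own.
"""
from ipaddress import IPv4Address, IPv4Network, ip_interface

# Factory default interface addressing (Table 4, NAT/Route mode).
INTERFACES = {
    "internal": ip_interface("192.168.1.99/24"),
    "wan2": ip_interface("192.168.101.99/24"),
    "dmz": ip_interface("10.10.10.1/24"),
    "wlan": ip_interface("192.168.2.99/24"),
}

# Factory default DHCP scopes (Tables 2 and 3): interface -> (first, last, gateway).
DHCP_SCOPES = {
    "internal": (IPv4Address("192.168.1.101"), IPv4Address("192.168.1.200"),
                 IPv4Address("192.168.1.99")),
    "wlan": (IPv4Address("192.168.2.101"), IPv4Address("192.168.2.200"),
             IPv4Address("192.168.2.99")),
}


def check_scope(ifname):
    """Return a list of problems with the DHCP scope served on ifname.

    A scope is sane when it lies inside the interface subnet, does not
    contain the interface address itself, and points clients at the
    interface address as their default route.
    """
    iface = INTERFACES[ifname]
    first, last, gateway = DHCP_SCOPES[ifname]
    problems = []
    if first > last:
        problems.append("scope start is after scope end")
    if first not in iface.network or last not in iface.network:
        problems.append("scope is not inside %s" % iface.network)
    if first <= iface.ip <= last:
        problems.append("scope contains the interface address %s" % iface.ip)
    if gateway != iface.ip:
        problems.append("gateway %s is not the interface address" % gateway)
    return problems


def management_host_ok(host, ifname="internal"):
    """True when a statically addressed management PC (the guide uses
    192.168.1.2) can reach the web-based manager on ifname without
    colliding with the interface address or with DHCP leases."""
    host = IPv4Address(host)
    iface = INTERFACES[ifname]
    first, last, _ = DHCP_SCOPES[ifname]
    return (host in iface.network and host != iface.ip
            and not first <= host <= last)


def overlapping_with_upstream(upstream_cidr):
    """Names of default interfaces whose subnet overlaps the network that
    an ISP or upstream router hands to WAN1. Such an overlap breaks
    routing and the default NAT policies, so check it before plugging in."""
    upstream = IPv4Network(upstream_cidr, strict=False)
    return sorted(n for n, i in INTERFACES.items() if i.network.overlaps(upstream))


if __name__ == "__main__":
    for name in DHCP_SCOPES:
        print(name, check_scope(name) or "scope ok")
    print("192.168.1.2 usable for management:", management_host_ok("192.168.1.2"))
    print("192.168.1.150 usable for management:", management_host_ok("192.168.1.150"))
    # Constructed case: an upstream home router that itself uses 192.168.1.0/24.
    print("overlap with upstream 192.168.1.0/24:", overlapping_with_upstream("192.168.1.0/24"))
```

Run it before changing any address: a static management address inside the 192.168.1.101 to 192.168.1.200 pool is rejected because a DHCP client could be leased the same address, and an upstream 192.168.1.0/24 network reports an overlap with the internal interface, which is the usual reason the default WAN1 DHCP configuration fails behind a home router.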
Factory default Transparent mode network configuration
If you switch the FortiWiFi unit to Transparent mode, it has the default network configuration listed in Table 5.
Table 5: Factory default Transparent mode network configuration
Administrator account  User name: admin
                       Password: (none)
Management IP          IP: 10.10.10.1
                       Netmask: 255.255.255.0
DNS                    Primary DNS Server: 207.194.200.1
                       Secondary DNS Server: 207.194.200.129
Management access      Internal: HTTPS, Ping
                       WAN1: Ping
                       WAN2: Ping
                       DMZ: HTTPS, Ping
Wireless               Geography: World
                       Channel: 5
                       Security: None
                       Key: None
                       SSID: fortinet
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Table 6: Factory default firewall configuration

Firewall addresses
Internal_All   IP: 0.0.0.0  Mask: 0.0.0.0   Represents all of the IP addresses on the internal network.
WAN1_All       IP: 0.0.0.0  Mask: 0.0.0.0   Represents all of the IP addresses on the network connected to the WAN1 interface.
WAN2_All       IP: 0.0.0.0  Mask: 0.0.0.0   Represents all of the IP addresses on the network connected to the WAN2 interface.
WLAN_All       IP: 0.0.0.0  Mask: 0.0.0.0   Represents all of the IP addresses on the network connected to the WLAN interface.
DMZ_All        IP: 0.0.0.0  Mask: 0.0.0.0   Represents all of the IP addresses on the network connected to the DMZ interface.

Recurring schedule
Always         The schedule is valid at all times. This means that the firewall policy is valid at all times.

Firewall policies
Internal->WAN1   Firewall policy for connections from the internal network to the WAN1 network.
  Source: Internal_All     The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
  Destination: WAN1_All    The policy destination address. WAN1_All means that the policy accepts connections with a destination address to any IP address on the external (WAN1) network.
Internal->WAN2   Firewall policy for connections from the internal network to the WAN2 network.
  Source: Internal_All     The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
  Destination: WAN2_All    The policy destination address. WAN2_All means that the policy accepts connections with a destination address to any IP address on the external (WAN2) network.
WLAN->WAN1       Firewall policy for connections from the WLAN network to the WAN1 network.
  Source: WLAN_All         The policy source address. WLAN_All means that the policy accepts connections from any WLAN IP address.
  Destination: WAN1_All    The policy destination address. WAN1_All means that the policy accepts connections from the wireless network with a destination address to any IP address on the external (WAN1) network.
WLAN->WAN2       Firewall policy for connections from the WLAN network to the WAN2 network.
  Source: WLAN_All         The policy source address. WLAN_All means that the policy accepts connections from any WLAN IP address.
  Destination: WAN2_All    The policy destination address. WAN2_All means that the policy accepts connections from the wireless network with a destination address to any IP address on the external (WAN2) network.

General firewall policy options (the same for all four default policies)
Schedule: Always                  The policy schedule. Always means that the policy is valid at any time.
Service: ANY                      The policy service. ANY means that this policy processes connections for all services.
Action: ACCEPT                    The policy action. ACCEPT means that the policy allows connections.
NAT: selected                     NAT is selected for the NAT/Route mode default policies so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
Traffic Shaping: not selected     The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
Authentication: not selected      Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
Antivirus & Web Filter: selected  Antivirus & Web Filter is selected.
Content Profile: Scan             The scan content profile is selected. The policy scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See “Scan content profile” on page 34 for more information about the scan content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy.
Log Traffic: not selected         This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiWiFi logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
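Table 6 lists four accept policies and nothing else, so every other interface pair falls through to the implicit deny. The following Python is an added example, not code from the Fortinet guide: it models the table as data and looks flows up against it so you can see which of your own traffic the unit will pass out of the box. The interface, address and policy names follow Table 6; the first-match lookup, the helper names and the constructed sample flows are this example's own, and the page does not spell out the exact evaluation order inside FortiOS.

```python
"""Added example (not from the Fortinet guide): a model of the factory
default firewall configuration in Table 6, used to see which flows the
four shipped policies accept and which fall through to the implicit deny.

Interface names, address names, and policy fields follow Table 6. The
first-match lookup and its implicit-deny result are this example's own
reading of the table; the exact evaluation order inside FortiOS is not
specified on the page.
"""
from collections import namedtuple

Policy = namedtuple("Policy", "src_if dst_if src_addr dst_addr service action nat profile")

# Named addresses: 0.0.0.0/0.0.0.0 means "every address on that interface".
ADDRESSES = {
    "Internal_All": ("0.0.0.0", "0.0.0.0"),
    "WAN1_All": ("0.0.0.0", "0.0.0.0"),
    "WAN2_All": ("0.0.0.0", "0.0.0.0"),
    "WLAN_All": ("0.0.0.0", "0.0.0.0"),
    "DMZ_All": ("0.0.0.0", "0.0.0.0"),
}

# The four factory policies: schedule Always, service ANY, action ACCEPT,
# NAT on, Antivirus & Web Filter on with the Scan content profile.
DEFAULT_POLICIES = [
    Policy("internal", "wan1", "Internal_All", "WAN1_All", "ANY", "ACCEPT", True, "scan"),
    Policy("internal", "wan2", "Internal_All", "WAN2_All", "ANY", "ACCEPT", True, "scan"),
    Policy("wlan", "wan1", "WLAN_All", "WAN1_All", "ANY", "ACCEPT", True, "scan"),
    Policy("wlan", "wan2", "WLAN_All", "WAN2_All", "ANY", "ACCEPT", True, "scan"),
]


def _ip_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def address_matches(name, ip):
    """True when ip falls inside the named firewall address (ip/mask form)."""
    net, mask = (_ip_to_int(x) for x in ADDRESSES[name])
    return (_ip_to_int(ip) & mask) == (net & mask)


def lookup(src_if, dst_if, src_ip, dst_ip, service, policies=DEFAULT_POLICIES):
    """Return the first policy that matches the flow, or None when no policy
    matches. None is the implicit deny: the flow is dropped."""
    for p in policies:
        if (p.src_if, p.dst_if) != (src_if, dst_if):
            continue
        if p.service not in ("ANY", service):
            continue
        if address_matches(p.src_addr, src_ip) and address_matches(p.dst_addr, dst_ip):
            return p
    return None


def is_accepted(src_if, dst_if, src_ip, dst_ip, service, policies=DEFAULT_POLICIES):
    p = lookup(src_if, dst_if, src_ip, dst_ip, service, policies)
    return p is not None and p.action == "ACCEPT"


if __name__ == "__main__":
    # Constructed flows; 203.0.113.10 stands in for an Internet host.
    flows = [
        ("internal", "wan1", "192.168.1.3", "203.0.113.10", "HTTP"),
        ("wlan", "wan1", "192.168.2.150", "203.0.113.10", "HTTP"),
        ("wan1", "internal", "203.0.113.10", "192.168.1.3", "HTTP"),  # inbound
        ("wlan", "internal", "192.168.2.150", "192.168.1.3", "SMB"),  # wireless to wired
        ("internal", "dmz", "192.168.1.3", "10.10.10.5", "HTTP"),
    ]
    for f in flows:
        verdict = "ACCEPT" if is_accepted(*f) else "implicit deny"
        print("%s -> %s %s: %s" % (f[0], f[1], f[4], verdict))
```

The output makes the two points a practitioner cares about: wireless clients on the open default SSID can reach the Internet but cannot reach the wired internal network, and nothing from WAN1 or the DMZ is admitted until you add policies. Adding a policy to the list (for instance WLAN->Internal with a specific service) and re-running the flows shows exactly what that policy opens.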
Factory default content profiles
You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for:
Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
Web content filtering for HTTP network traffic
Email filtering for IMAP and POP3 network traffic
Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies.
For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You do not need to use the strict content profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum content screening protection.
Table 7: Strict content profile
Option                  HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan          yes    yes    yes    yes    yes
File Block              yes    yes    yes    yes    yes
Web URL Block           yes    n/a    n/a    n/a    n/a
Web Content Block       yes    n/a    n/a    n/a    n/a
Web Script Filter       yes    n/a    n/a    n/a    n/a
Web Exempt List         yes    n/a    n/a    n/a    n/a
Email Block List        n/a    n/a    yes    yes    n/a
Email Exempt List       n/a    n/a    yes    yes    n/a
Email Content Block     n/a    n/a    yes    yes    n/a
Oversized File/Email    block  block  block  block  block
Pass Fragmented Emails  n/a    n/a    no     no     no
Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Table 8: Scan content profile
Option                  HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan          yes    yes    yes    yes    yes
File Block              no     no     no     no     no
Web URL Block           no     n/a    n/a    n/a    n/a
Web Content Block       no     n/a    n/a    n/a    n/a
Web Script Filter       no     n/a    n/a    n/a    n/a
Web Exempt List         no     n/a    n/a    n/a    n/a
Email Block List        n/a    n/a    no     no     n/a
Email Exempt List       n/a    n/a    no     no     n/a
Email Content Block     n/a    n/a    no     no     n/a
Oversized File/Email    pass   pass   pass   pass   pass
Pass Fragmented Emails  n/a    n/a    no     no     no
Web content profile
Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 9: Web content profile
Option                  HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan          yes    no     no     no     no
File Block              no     no     no     no     no
Web URL Block           yes    n/a    n/a    n/a    n/a
Web Content Block       yes    n/a    n/a    n/a    n/a
Web Script Filter       no     n/a    n/a    n/a    n/a
Web Exempt List         no     n/a    n/a    n/a    n/a
Email Block List        n/a    n/a    no     no     n/a
Email Exempt List       n/a    n/a    no     no     n/a
Email Content Block     n/a    n/a    no     no     n/a
Oversized File/Email    pass   pass   pass   pass   pass
Pass Fragmented Emails  n/a    n/a    no     no     no
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 10: Unfiltered content profile
Option                  HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan          no     no     no     no     no
File Block              no     no     no     no     no
Web URL Block           no     n/a    n/a    n/a    n/a
Web Content Block       no     n/a    n/a    n/a    n/a
Web Script Filter       no     n/a    n/a    n/a    n/a
Web Exempt List         yes    n/a    n/a    n/a    n/a
Email Block List        n/a    n/a    no     no     n/a
Email Exempt List       n/a    n/a    yes    yes    n/a
Email Content Block     n/a    n/a    no     no     n/a
Oversized File/Email    pass   pass   pass   pass   pass
Pass Fragmented Emails  n/a    n/a    yes    yes    yes
Planning the FortiWiFi configuration
Before you configure the FortiWiFi unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces.
Your configuration plan depends on the operating mode that you select. The FortiWiFi unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
WAN1 is the default interface to the external network (usually the Internet).
WAN2 is the redundant interface to the external network.
Internal is the interface to the internal network.
DMZ is the interface to the DMZ network.
WLAN is the interface to the wireless LAN network.
You must configure routing to support the redundant WAN1 and WAN2 internet connections. Routing can be used to automatically redirect connections from an interface if its connection to the external network fails.
You can add security policies to control whether communications through the FortiWiFi unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiWiFi unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation.
By default, the FortiWiFi unit has NAT mode security policies that allow users on the internal network and on the wireless network to connect to the external network, with content scanned by the scan content profile. No other traffic is possible until you have configured further security policies.
You typically use NAT/Route mode when the FortiWiFi unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
In addition, you can use NAT/Route mode when the FortiWiFi-60 is operating as a gateway for your wireless network. In this configuration you would create NAT mode policies to control traffic flowing between the wireless network and the Internet as well as between the wireless network and other networks (such as the internal or DMZ networks).
If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.
Figure 4: Example NAT/Route mode network configuration. The figure shows a FortiWiFi-60 unit in NAT/Route mode with WAN1 (204.23.1.5) connected to the Internet, the Internal interface (192.168.1.99) serving an internal network host at 192.168.1.3, and the WLAN interface (192.168.40.1) serving a wireless client at 192.168.40.4. NAT mode policies control traffic between the internal and external networks, between the WLAN and external networks, and between the WLAN and internal networks.
Transparent mode
In Transparent mode, the FortiWiFi unit is invisible to the network. Similar to a network bridge, all FortiWiFi interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You typically use the FortiWiFi unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiWiFi unit performs firewall functions as well as antivirus and content scanning but not VPN.
Figure 5: Example Transparent mode network configuration. The figure shows a FortiWiFi-60 unit in Transparent mode with management IP 10.10.10.1, WAN1 connected to a gateway to the public network (firewall or router, 10.10.10.2 on the inside and 204.23.1.5 on the Internet side), an internal network host at 10.10.10.3, and a wireless client at 10.10.10.5 on the same subnet. Transparent mode policies control traffic between the internal and external networks and between the WLAN and internal networks.
You can connect up to four network segments to the FortiWiFi unit to control traffic between these network segments.
WAN1 can connect to the external firewall or router.
Internal can connect to the internal network.
DMZ and WAN2 can connect to other network segments.
WLAN connects to the wireless network.
In Transparent mode the wireless network is on the same subnet as the private network. Using Transparent mode firewall policies you can control the flow of traffic from the wireless network segment to other network segments.
Configuration options
Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiWiFi unit.
You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiWiFi unit.
Setup wizard
If you are configuring the FortiWiFi unit to operate in NAT/Route mode (the default), the setup wizard prompts you to add the administration password and the internal interface address. The setup wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the WAN1 interface. Using the wizard, you can also add DNS server IP addresses and a default route for the WAN1 interface.
In NAT/Route mode you can also change the configuration of the FortiWiFi DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiWiFi to allow Internet access to your internal Web, FTP, or email servers.
Using the web-based manager you can also add a DHCP server configuration to the WLAN interface to supply IP addresses to the computers on your wireless network. You can also add firewall policies to allow Internet access from the wireless network.
If you are configuring the FortiWiFi unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.
CLI
If you are configuring the FortiWiFi unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. You can also use the CLI to configure the WAN1 interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the WAN1 interface.
In NAT/Route mode you can also change the configuration of the FortiWiFi DHCP server to supply IP addresses for the computers on your internal network.
Using the CLI you can also add a DHCP server configuration to the WLAN interface to supply IP addresses to the computers on your wireless network. You can also add firewall policies to allow Internet access from the wireless network.
If you are configuring the FortiWiFi unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.
FortiGate model maximum values matrix
Table 11: FortiGate maximum values matrix
FortiGate model                      50     60**   100    200    300    400    500    800    1000   3000   3600   4000
Routes                               500    500    500    500    500    500    500    500    500    500    500    500
Policy routing gateways              500    500    500    500    500    500    500    500    500    500    500    500
Administrative users                 500    500    500    500    500    500    500    500    500    500    500    500
VLAN subinterfaces                   N/A    N/A    N/A    4096*  4096*  4096*  4096*  4096*  4096*  4096*  4096*  4096*
Zones                                N/A    N/A    N/A    100    100    100    100    100    200    300    500    500
Virtual domains                      N/A    N/A    N/A    16     32     64     64     64     128    512    512    512
DHCP address scopes                  32     32     32     32     32     32     32     32     32     32     32     32
DHCP reserved IP/MAC pairs           10     20     30     30     50     50     100    100    200    200    200    200
Firewall policies                    200    500    1000   2000   5000   5000   20000  20000  50000  50000  50000  50000
Firewall addresses                   500    500    500    500    3000   3000   6000   6000   10000  10000  10000  10000
Firewall address groups              500    500    500    500    500    500    500    500    500    500    500    500
Firewall custom services             500    500    500    500    500    500    500    500    500    500    500    500
Firewall service groups              500    500    500    500    500    500    500    500    500    500    500    500
Firewall recurring schedules         256    256    256    256    256    256    256    256    256    256    256    256
Firewall onetime schedules           256    256    256    256    256    256    256    256    256    256    256    256
Firewall virtual IPs                 500    500    500    500    500    500    500    500    500    500    500    500
Firewall IP pools                    50     50     50     50     50     50     50     50     50     50     50     50
IP/MAC binding table entries         500    500    500    500    500    500    500    500    500    500    500    500
Firewall content profiles            32     32     32     32     32     32     32     32     32     32     32     32
User names                           20     500    1000   1000   1000   1000   1000   1000   1000   1000   1000   1000
Radius servers                       6      6      6      6      6      6      6      6      6      6      6      6
LDAP servers                         6      6      6      6      6      6      6      6      6      6      6      6
User groups                          100    100    100    100    100    100    100    100    100    100    100    100
Total number of user group members   300    300    300    300    300    300    300    300    300    300    300    300
* Includes the number of physical interfaces. ** FortiGate-60 and FortiWiFi-60.
Table 11: FortiGate maximum values matrix (continued)
FortiGate model                      50     60**   100    200    300    400    500    800    1000   3000   3600   4000
IPSec remote gateways (Phase 1)      20     50     80     200    1500   1500   3000   3000   5000   5000   5000   5000
IPSec VPN tunnels (Phase 2)          20     50     80     200    1500   1500   3000   3000   5000   5000   5000   5000
IPSec VPN concentrators              500    500    500    500    500    500    500    500    500    500    500    500
PPTP users                           500    500    500    500    500    500    500    500    500    500    500    500
L2TP users                           500    500    500    500    500    500    500    500    500    500    500    500
NIDS user-defined signatures         100    100    100    100    100    100    100    100    100    100    100    100
Antivirus file block patterns        56     56     56     56     56     56     56     56     56     56     56     56
Web filter and email filter lists    Limit varies depending on available system memory. Fortinet recommends limiting the total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering.
Log setting traffic filter entries   50     50     50     50     50     50     50     50     50     50     50     50
** FortiGate-60 and FortiWiFi-60.
Next steps
Now that your FortiWiFi unit is operating, you can proceed to configure it to connect to networks:
If you are going to operate the FortiWiFi unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.
If you are going to operate the FortiWiFi unit in Transparent mode, go to “Transparent mode installation” on page 59.
NAT/Route mode installation
This chapter describes how to install the FortiWiFi unit in NAT/Route mode. To install the FortiWiFi unit in Transparent mode, see “Transparent mode installation” on page 59.
This chapter describes:
Installing the FortiWiFi unit using the default configuration
Preparing to configure NAT/Route mode
Using the setup wizard
Using the command line interface
Connecting the FortiWiFi unit to your networks
Configuring your networks
Completing the configuration
Configuration example: Multiple connections to the Internet
Installing the FortiWiFi unit using the default configuration
Depending on your requirements, you may be able to deploy the FortiWiFi unit without changing its factory default configuration. If the factory default settings in Table 12 are compatible with your requirements, all you need to do is configure your internal network and then connect the FortiWiFi unit.
Table 12: FortiWiFi unit factory default configuration
Firewall Policies: Four NAT policies allow users on the internal network and on the wireless network to access any Internet service through the WAN1 and WAN2 interfaces. No other traffic is allowed. All web, ftp, and email traffic is scanned for viruses.
WAN1 and WAN2 interfaces: Using DHCP, WAN1 and WAN2 get their IP addresses from your ISP. The FortiWiFi-60 unit also gets DNS server IPs from these interfaces.
DHCP Server on internal and wireless networks:
Internal Starting IP: 192.168.1.10, Ending IP: 192.168.1.200, Default route: 192.168.1.99, DNS server: 192.168.1.99
WLAN Starting IP: 192.168.2.10, Ending IP: 192.168.2.200, Default route: 192.168.2.99, DNS server: 192.168.2.99
WLAN: IP: 192.168.2.99, Channel: 5, SSID: fortinet
To use the factory default configuration, follow these steps to install the FortiWiFi unit:
1 Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for assistance.
2 Turn on DHCP for the computers on your wireless network as well. If required, configure wireless settings to use channel 5 and SSID fortinet.
3 Complete the procedure in the section “Connecting the FortiWiFi unit to your networks” on page 47.
Changing the default configuration
You can use the procedures in this chapter to change the default configuration. For example, if your ISP assigns IP addresses using PPPoE instead of DHCP, you only need to change the configuration of the WAN1 interface. Use the information in the rest of this chapter to change the default configuration as required.
This chapter also describes how to change your wireless networking channel and SSID, and how to improve the security of your wireless network by enabling WEP and entering a WEP key.
Preparing to configure NAT/Route mode
Use Table 13 to gather the information that you need to customize NAT/Route mode settings.
Table 13: NAT/Route mode settings
Administrator password:
Internal interface: IP: _____._____._____._____ Netmask: _____._____._____._____
WAN1 interface: IP: _____._____._____._____ Netmask: _____._____._____._____ Default Gateway: _____._____._____._____ Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____
WAN2 interface: IP: _____._____._____._____ Netmask: _____._____._____._____
Internal servers: Web Server: _____._____._____._____ SMTP Server: _____._____._____._____ POP3 Server: _____._____._____._____ IMAP Server: _____._____._____._____ FTP Server: _____._____._____._____
If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.
Advanced NAT/Route mode settings
Use Table 14 to gather the information that you need to customize advanced FortiWiFi NAT/Route mode settings.
Table 14: Advanced FortiWiFi NAT/Route mode settings
WAN1 interface:
DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
PPPoE: If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password. User name: Password:
WAN2 interface:
DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
PPPoE: If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password. User name: Password:
DHCP server: The FortiWiFi unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
Starting IP: _____._____._____._____ Ending IP: _____._____._____._____ Netmask: _____._____._____._____ Default Route: _____._____._____._____ DNS IP: _____._____._____._____
DMZ interface
Use Table 15 to record the IP address and netmask of the FortiWiFi DMZ interface if you are configuring it during installation.
Table 15: DMZ interface (Optional)
DMZ IP: _____._____._____._____ Netmask: _____._____._____._____
Wireless settings
Use Table 16 to record the IP address and netmask of the FortiWiFi-60 WLAN interface if you are configuring it during installation. If you are configuring wireless networking you should also configure the wireless Service Set ID (SSID) and channel. See “Wireless configuration” on page 120 for more information.
Table 16: Wireless settings (Optional)
WLAN IP: _____._____._____._____ Netmask: _____._____._____._____
Geography: World / Americas / EMEA / Japan / Israel
Channel:
Security: None / WEP
Key:
SSID:
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiWiFi unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 26.
Starting the setup wizard
1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 13 on page 42 to fill in the wizard fields. Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.
Note: If you use the setup wizard to configure internal server settings, the FortiWiFi unit adds port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network the FortiWiFi unit adds a WAN1->Internal policy. For each server located on your DMZ network, the FortiWiFi unit adds a WAN1->DMZ policy.
Reconnecting to the web-based manager
If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using a new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your FortiWiFi unit, and you can proceed to “Connecting the FortiWiFi unit to your networks” on page 47.
Using the command line interface
As an alternative to using the setup wizard, you can configure the FortiWiFi unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 27.
Configuring the FortiWiFi unit to operate in NAT/Route mode
Use the information that you gathered in Table 13 on page 42 to complete the following procedures.
Configuring NAT/Route mode IP addresses
1 Log into the CLI if you are not already logged in.
2 Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 13 on page 42. Enter:
set system interface internal mode static ip <IP address> <netmask>
Example
set system interface internal mode static ip 192.168.1.1 255.255.255.0
3 Set the IP address and netmask of the WAN1 interface to the IP address and netmask that you recorded in Table 13 on page 42. To set the manual IP address and netmask, enter:
set system interface wan1 mode static ip <IP address> <netmask>
Example
set system interface wan1 mode static ip 204.23.1.5 255.255.255.0
To set the WAN1 interface to use DHCP, enter:
set system interface wan1 mode dhcp connection enable
To set the WAN1 interface to use PPPoE, enter:
set system interface wan1 mode pppoe username <user name> password <password> connection enable
Example
set system interface wan1 mode pppoe username user@domain.com password mypass connection enable
4 Optionally set the IP address and netmask of the WAN2 interface to the IP address and netmask that you recorded in Table 13 on page 42. To set the manual IP address and netmask, enter:
set system interface wan2 mode static ip <IP address> <netmask>
Example
set system interface wan2 mode static ip 34.3.21.35 255.255.255.0
To set the WAN2 interface to use DHCP, enter:
set system interface wan2 mode dhcp connection enable
To set the WAN2 interface to use PPPoE, enter:
set system interface wan2 mode pppoe username <user name> password <password> connection enable
Example
set system interface wan2 mode pppoe username user@domain.com password mypass connection enable
5 Optionally set the IP address and netmask of the DMZ interface to the DMZ IP address and netmask that you recorded in Table 15 on page 44. Enter:
set system interface dmz mode static ip <IP address> <netmask>
Example
set system interface dmz mode static ip 10.10.10.2 255.255.255.0
6 Optionally set the IP address and netmask of the WLAN interface to the WLAN IP address and netmask that you recorded in Table 16 on page 44. Enter:
set system interface wlan mode static ip <IP address> <netmask>
Example
set system interface wlan mode static ip 192.168.40.1 255.255.255.0
7 Optionally set the wireless configuration using the information that you recorded in Table 16 on page 44. Enter:
set system interface wlan wireless geography {World | Americas | EMEA | Israel | Japan} channel <channel_number> ssid <ssid_name> security WEP key <WEP_key>
Example
set system interface wlan wireless geography Americas channel 10 ssid My_SSID security WEP key My_Wep_Key
8 Confirm that the addresses are correct. Enter:
get system interface
The CLI lists the IP address, netmask and other settings for each of the FortiWiFi interfaces.
9 Set the primary DNS server IP address. Enter:
set system dns primary <IP address>
Example
set system dns primary 293.44.75.21
10 Optionally, set the secondary DNS server IP address. Enter:
set system dns secondary <IP address>
Example
set system dns secondary 293.44.75.22
11 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). Enter:
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2
Connecting the FortiWiFi unit to your networks
When you have completed the initial configuration, you can connect the FortiWiFi unit between your internal network and the Internet.
There are seven 10/100 BaseTX connectors on the back of the FortiWiFi-60 unit:
Four Internal ports for connecting to your internal network,
One WAN1 port for connecting to your public switch or router and the Internet,
One WAN2 port for connecting to a second public switch or router and the Internet for a redundant Internet connection,
One DMZ port for connecting to a DMZ network.
Note: You can also connect the WAN1 and WAN2 interfaces to different Internet connections to provide a redundant connection to the Internet.
To connect the FortiWiFi unit:
1 Connect the Internal interface connectors to PCs and other network devices in your internal network. The Internal interface functions as a switch, allowing up to four devices to be connected to the internal network and the internal interface.
2 Connect the WAN1 interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the WAN2 interface to the Internet.
Connect to the public switch or router, usually provided by a different Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN2 interface to the internal or LAN connection of your DSL or cable modem.
4 Optionally, connect the DMZ interface to your DMZ network.
You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.
Figure 6: FortiWiFi-60 NAT/Route mode connections (figure: the FortiWiFi-60 unit connected to the Internal Network, the Wireless Network, and a DMZ Network containing a Web Server and a Mail Server)
Configuring your networks
If you are operating the FortiWiFi unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiWiFi interface to which they are connected. For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiWiFi internal interface. For the wireless network, change the default gateway address of all computers on the wireless network to the IP address of the WLAN interface. For your DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the FortiWiFi DMZ interface. For the external network, route all packets to the FortiWiFi WAN1 or WAN2 interface.
If you are using the FortiWiFi unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Make sure that the connected FortiWiFi unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.
(Figure 6 continued: the Internal and DMZ interfaces face the local networks; WAN1 and WAN2 connect to the Internet through a T1 and through broadband (cable or DSL).)
Completing the configuration
Use the information in this section to complete the initial configuration of the FortiWiFi unit.
Configuring the DMZ interface
If you are planning to configure a DMZ network, you might want to change the IP address of the DMZ interface. Use the following procedure to configure the DMZ interface using the web-based manager.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the dmz interface, select Modify.
4 Change the IP address and Netmask as required.
5 Select Apply.
Configuring the WLAN interface
If you are planning to configure a wireless network, you might want to change the IP address of the WLAN interface and configure your wireless settings. Use the information in “Wireless configuration” on page 120 to complete the FortiWiFi-60 wireless configuration.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the wlan interface, select Modify.
4 Change the IP address and Netmask as required.
5 Set Geography to your location and select a channel.
6 Set Security to WEP (recommended) and enter a WEP key.
7 Change the SSID if required.
8 Select OK.
Configuring the WAN2 interface
If you are planning to configure a second internet connection using the WAN2 interface, you might want to change the IP address of the WAN2 interface. Use the following procedure to configure the WAN2 interface using the web-based manager.
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the wan2 interface, select Modify.
4 Change the IP address and Netmask as required.
5 Select Apply.
Setting the date and time
For effective scheduling and logging, the FortiWiFi system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiWiFi unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiWiFi system date and time, see “Setting system date and time” on page 143.
Changing antivirus protection
By default, the FortiWiFi unit scans all web and email content for viruses. To change the antivirus configuration:
1 Go to Firewall > Policy > Internal->WAN1.
2 Select Edit to edit this policy.
3 For Anti-Virus & Web Filter you can select a different Content Profile.
See “Factory default content profiles” on page 33 for descriptions of the default content profiles.
4 Select OK to save your changes.
You can also add your own content profiles. See “Adding content profiles” on page 190.
Registering your FortiWiFi unit
After purchasing and installing a new FortiWiFi unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiWiFi units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiWiFi units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate and FortiWiFi units” on page 104.
Configuring virus and attack definition updates
You can go to System > Update to configure the FortiWiFi unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiWiFi unit automatically downloads and installs the updated definitions.
The FortiWiFi unit uses HTTPS on port 8890 to check for updates. The FortiWiFi WAN1 interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack definitions” on page 93.
Configuration example: Multiple connections to the Internet
This section describes some basic routing and firewall policy configuration examples for a FortiWiFi unit with multiple connections to the Internet (see Figure 7). In this topology, the organization operating the FortiWiFi unit uses two Internet service providers to connect to the Internet. The FortiWiFi unit is connected to the Internet using the WAN1 and WAN2 interfaces. The WAN1 interface connects to gateway 1, operated by ISP1, and the WAN2 interface connects to gateway 2, operated by ISP2.
By adding ping servers to interfaces, and by configuring routing, you can control how traffic uses each Internet connection. With this routing configuration in place you can proceed to create firewall policies to support multiple internet connections.
This section provides some examples of routing and firewall configurations to configure the FortiWiFi unit for multiple internet connections. To use the information in this section you should be familiar with FortiWiFi routing (see “Configuring routing” on page 122) and FortiWiFi firewall configuration (see “Firewall configuration” on page 159).
The examples below show how to configure destination-based routing and policy routing to control different traffic patterns.
Configuring Ping servers
Destination based routing examples
Policy routing examples
Firewall policy example
Figure 7: Example multiple Internet connection configuration (figure: Internal Network 192.168.1.0 on the Internal interface 192.168.1.99; WAN1 interface 1.1.1.2 to Gateway #1 1.1.1.1 on External Network #1 100.100.100.0)
Configuring Ping servers
Use the following procedure to make Gateway 1 the ping server for the WAN1 interface and Gateway 2 the ping server for the WAN2 interface.
1 Go to System > Network > Interface.
2 For the WAN1 interface, select Modify.
Ping Server: 1.1.1.1
Select Enable Ping Server
Select OK
3 For the WAN2 interface, select Modify.
Ping Server: 2.2.2.1
Select Enable Ping Server
Select OK
(Figure 7 continued: Gateway #1 is operated by ISP1; WAN2 interface 2.2.2.2 to Gateway #2 2.2.2.1 on External Network #2 200.200.200.0, operated by ISP2; both external networks connect to the Internet.)
Using the CLI
1 Add a ping server to the WAN1 interface.
set system interface wan1 config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to the WAN2 interface.
set system interface wan2 config detectserver 2.2.2.1 gwdetect enable
Destination based routing examples
This section describes the following destination-based routing examples:
Primary and backup links to the Internet
Load sharing
Load sharing and primary and secondary connections
Primary and backup links to the Internet
Use the following procedure to add a default destination-based route that directs all outgoing traffic to Gateway 1. If Gateway 1 fails, all connections are re-directed to Gateway 2. Gateway 1 is the primary link to the Internet and Gateway 2 is the backup link.
1 Go to System > Network > Routing Table.
2 Select New.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: wan1
Device #2: wan2
Select OK.
Using the CLI
1 Add the route to the routing table.
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
Table 17: Route for primary and backup links
Destination IP Mask Gateway #1 Device #1 Gateway #2 Device #2
0.0.0.0 0.0.0.0 1.1.1.1 wan1 2.2.2.1 wan2
Load sharing
You can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.
Table 18: Load sharing routes
Destination IP Mask Gateway #1 Device #1 Gateway #2 Device #2
100.100.100.0 255.255.255.0 1.1.1.1 wan1 2.2.2.1 wan2
200.200.200.0 255.255.255.0 2.2.2.1 wan2 1.1.1.1 wan1
The first route directs all traffic destined for the 100.100.100.0 network to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is re-directed to gateway 2 with the IP address 2.2.2.1.
Load sharing and primary and secondary connections
You can combine these routes into a more complete multiple internet connection configuration. In the topology shown in Figure 7 on page 52, users on the Internal network would connect to the Internet to access web pages and other Internet resources. However, they may also connect to services, such as email, provided by their ISPs. You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet, while at the same time routing traffic to each ISP network as required.
The routing described below allows a user on the internal network to connect to the Internet through gateway 1 and ISP1. At the same time, this user can also connect through the WAN2 interface to gateway 2 to access a mail server maintained by ISP2.
Adding the routes using the web-based manager
1 Go to System > Network > Routing Table.
2 Select New to add the default route for primary and backup links to the Internet.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: wan1
Device #2: wan2
Select OK.
3 Select New to add a route for connections to the network of ISP1.
Destination IP: 100.100.100.0
Mask: 255.255.255.0
Gateway #1: 1.1.1.1
Gateway #2: 2.2.2.1
Device #1: wan1
Device #2: wan2
4 Select New to add a route for connections to the network of ISP2.
Destination IP: 200.200.200.0
Mask: 255.255.255.0
Gateway #1: 2.2.2.1
Gateway #2: 1.1.1.1
Device #1: wan2
Device #2: wan1
Select OK.
5 Change the order of the routes in the routing table to move the default route below the other two routes.
For the default route select Move to.
Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3.
Select OK.
Adding the routes using the CLI
1 Add the route for connections to the network of ISP1.
set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
2 Add the route for connections to the network of ISP2.
set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 wan2 gw2 1.1.1.1 dev2 wan1
3 Add the default route for primary and backup links to the Internet.
set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
The routing table should have routes arranged as shown in Table 19.
Table 19: Example combined routing table
Destination IP Mask Gateway #1 Device #1 Gateway #2 Device #2
100.100.100.0 255.255.255.0 1.1.1.1 wan1 2.2.2.1 wan2
200.200.200.0 255.255.255.0 2.2.2.1 wan2 1.1.1.1 wan1
0.0.0.0 0.0.0.0 1.1.1.1 wan1 2.2.2.1 wan2
Policy routing examples
Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to increase the control provided by destination-based routing.
For example, if you have used destination-based routing to configure routing for dual internet connections, you can use policy routing to apply more control to which traffic is sent to which destination route. This section describes the following policy routing examples, based on a topology similar to that shown in Figure 7 on page 52. Differences are noted in each example.
The policy routes described in these examples only work if you have already defined destination routes similar to those described in the previous section.
Routing traffic from internal subnets to different external networks
Routing a service to an external network
For more information about policy routing, see “Policy routing” on page 125.
Routing traffic from internal subnets to different external networks
If the FortiWiFi unit provides internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and
192.168.20.0 you can enter the following policy routes:
1 Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 external network:
set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.1
2 Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 external network:
set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1
Routing a service to an external network
You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.
1 Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP address 1.1.1.1.
set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1
2 Enter the following command to route all other traffic to the next hop gateway with IP address 2.2.2.1.
set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1
Firewall policy example
Firewall policies control how traffic flows through the FortiWiFi unit. Once routing for multiple internet connections has been configured you must create firewall policies to control which traffic is allowed through the FortiWiFi unit and the interfaces through which this traffic can connect.
For traffic originating on the Internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which internet connection is actually used.
Adding a redundant default policy
Figure 7 on page 52 shows a FortiWiFi unit connected to the Internet using its WAN1 and WAN2 interfaces. The default policy allows all traffic from the internal network to connect to the Internet through the WAN1 interface. If you add a similar policy to the internal to WAN2 policy list, this policy will allow all traffic from the internal network to connect to the Internet through the WAN2 interface. With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see “Default firewall configuration” on page 160.
To add a redundant default policy
1 Go to Firewall > Policy > Int->WAN2.
2 Select New.
3 Configure the policy to match the default policy.
Source: Internal_All
Destination: WAN2_All
Schedule: Always
Service: ANY
Action: Accept
NAT: Select NAT.
4 Select OK to save your changes.
Adding more firewall policies
In most cases your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex. To configure the FortiWiFi unit to use multiple Internet connections you must add duplicate policies for connections between the internal network and both interfaces connected to the Internet. As well, as you add redundant policies, you must arrange them in both policy lists in the same order.
Restricting access to a single Internet connection
In some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 7 on page 52 the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1. To do this, you add a single Internal->WAN1 firewall policy for SMTP connections. Because redundant policies have not been added, SMTP traffic from the internal network is always connected to ISP1. If the connection to ISP1 fails, the SMTP connection is not available.
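As an added illustration of the routing and firewall behaviour this configuration example relies on (a constructed Python model, not Fortinet code), the following applies policy routes first, then destination routes in table order with failover to Gateway #2 when the ping server reports Gateway #1 down, and finally the Internal->WAN policy list of the interface that was chosen. It uses the gateways, ISP networks and Table 19 routes of Figure 7; the 50.50.50.50 Internet destination and the HTTP/SMTP policy lists are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Route:
    """A destination route as entered in System > Network > Routing Table."""
    dst: IPv4Network
    gw1: IPv4Address
    dev1: str
    gw2: Optional[IPv4Address] = None   # backup gateway (Gateway #2)
    dev2: Optional[str] = None          # backup interface (Device #2)


@dataclass
class PolicyRoute:
    """A 'set system route policy' entry; protocol/ports of None match any."""
    src: IPv4Network
    dst: IPv4Network
    gw: IPv4Address
    protocol: Optional[int] = None             # IP protocol number, 6 = TCP
    ports: Optional[tuple[int, int]] = None    # destination port range


@dataclass
class Policy:
    """A policy in the Internal->WANx firewall list; 'ANY' matches all services."""
    dst_iface: str
    service: str


@dataclass
class FortiWiFi:
    gw_iface: dict[IPv4Address, str]   # which WAN interface reaches each gateway
    gw_up: dict[IPv4Address, bool]     # ping server (gateway detection) results
    policy_routes: list[PolicyRoute] = field(default_factory=list)
    routes: list[Route] = field(default_factory=list)   # routing table, in order
    policies: list[Policy] = field(default_factory=list)

    def select_gateway(self, src, dst, protocol=None, port=None):
        """Return (gateway, interface) for a packet, or None if it is unroutable."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        # Policy routes are checked first and take precedence over destination routes.
        for pr in self.policy_routes:
            if src not in pr.src or dst not in pr.dst:
                continue
            if pr.protocol is not None and pr.protocol != protocol:
                continue
            if pr.ports is not None and (port is None or not pr.ports[0] <= port <= pr.ports[1]):
                continue
            return pr.gw, self.gw_iface[pr.gw]
        # Destination routes: the first matching entry in table order wins, which is
        # why the chapter moves the default route below the two ISP network routes.
        for r in self.routes:
            if dst not in r.dst:
                continue
            if self.gw_up.get(r.gw1, True):    # no ping server: gateway assumed up
                return r.gw1, r.dev1
            if r.gw2 is not None and self.gw_up.get(r.gw2, True):
                return r.gw2, r.dev2           # Gateway #1 is down: use the backup
            return None
        return None

    def forward(self, src, dst, service, protocol=None, port=None):
        """Route the packet, then require a matching policy in the Internal->WAN
        list of the chosen interface (this is why redundant policies are needed)."""
        hop = self.select_gateway(src, dst, protocol, port)
        if hop is None:
            return "drop: no usable route"
        gw, iface = hop
        for p in self.policies:
            if p.dst_iface == iface and p.service in ("ANY", service):
                return f"accept via {iface} gw {gw}"
        return f"drop: no Internal->{iface.upper()} policy for {service}"


def shadowed_routes(routes):
    """Routes that can never match because an earlier entry already covers their
    destination (for example a 0.0.0.0/0 default route placed at the top)."""
    return [r for i, r in enumerate(routes)
            if any(r.dst.subnet_of(earlier.dst) for earlier in routes[:i])]


GW1, GW2 = IPv4Address("1.1.1.1"), IPv4Address("2.2.2.1")   # Figure 7 gateways


def figure7_unit(gw1_up=True, gw2_up=True, policies=None, policy_routes=()):
    """The unit of Figure 7 with the Table 19 routing table; by default it carries
    the default policy and its redundant Internal->WAN2 copy."""
    unit = FortiWiFi(gw_iface={GW1: "wan1", GW2: "wan2"},
                     gw_up={GW1: gw1_up, GW2: gw2_up},
                     policy_routes=list(policy_routes))
    unit.routes = [
        Route(IPv4Network("100.100.100.0/24"), GW1, "wan1", GW2, "wan2"),  # ISP1 net
        Route(IPv4Network("200.200.200.0/24"), GW2, "wan2", GW1, "wan1"),  # ISP2 net
        Route(IPv4Network("0.0.0.0/0"), GW1, "wan1", GW2, "wan2"),         # default
    ]
    unit.policies = policies if policies is not None else [
        Policy("wan1", "ANY"), Policy("wan2", "ANY")]
    return unit
```

Calling `figure7_unit(gw1_up=False).forward("192.168.1.10", "50.50.50.50", "HTTP")` shows the failover to wan2 succeeding only because the redundant Internal->WAN2 policy exists; pass `policies=[Policy("wan1", "ANY")]` and the same packet is dropped.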
Transparent mode installation
This chapter describes how to install your FortiWiFi unit in Transparent mode. If you want to install the FortiWiFi unit in NAT/Route mode, see “NAT/Route mode installation” on page 41.
This chapter describes:
Preparing to configure Transparent mode
Using the setup wizard
Using the command line interface
Connecting the FortiWiFi unit to your networks
Completing the configuration
Transparent mode configuration examples
Preparing to configure Transparent mode
Use Table 20 to gather the information that you need to customize Transparent mode settings.
Table 20: Transparent mode settings
Administrator Password: __________
Management IP
IP: _____._____._____._____
Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiWiFi unit. Add a default gateway if the FortiWiFi unit must connect to a router to reach the management computer.
DNS Settings
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
Wireless settings
If you are configuring wireless networking, use Table 21 to record the wireless Service Set ID (SSID) and channel. See “Wireless configuration” on page 120 for more information.
Table 21: Wireless settings (Optional)
Geography: World / Americas / EMEA / Japan / Israel
Channel: __________
Security: None / WEP
Key: __________
SSID: __________
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiWiFi unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 26.
Changing to Transparent mode
The first time that you connect to the FortiWiFi unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK.
The FortiWiFi unit changes to Transparent mode.
To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiWiFi Transparent mode management IP address is 10.10.10.1.
Starting the setup wizard
1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 20 on page 59 to fill in the wizard fields. Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.
Reconnecting to the web-based manager
If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
Using the command line interface
As an alternative to the setup wizard, you can configure the FortiWiFi unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 27. Use the information that you gathered in Table 20 on page 59 to complete the following procedures.
Changing to Transparent mode
1 Log into the CLI if you are not already logged in.
2 Switch to Transparent mode. Enter:
set system opmode transparent
After a few seconds, the login prompt appears.
3 Type admin and press Enter.
The following prompt appears:
Type ? for a list of commands.
4 Confirm that the FortiWiFi unit has switched to Transparent mode. Enter:
get system status
The CLI displays the status of the FortiWiFi unit. The last line shows the current operation mode:
Operation mode: Transparent
Configuring the Transparent mode management IP address
1 Log into the CLI if you are not already logged in.
2 Set the management IP address and netmask to the IP address and netmask that you recorded in Table 20 on page 59. Enter:
set system management ip <IP address> <netmask>
Example
set system management ip 10.10.10.2 255.255.255.0
3 Confirm that the address is correct. Enter:
get system management
The CLI lists the management IP address and netmask.
Configuring the Transparent mode default gateway
1 Log into the CLI if you are not already logged in.
2 Set the default route to the default gateway that you recorded in Table 20 on page 59. Enter:
set system route number <number> gateway <IP address>
Example
set system route number 1 gw1 204.23.1.2
You have now completed the initial configuration of the FortiWiFi unit.
Configuring wireless settings
1 Log into the CLI if you are not already logged in.
2 Set the wireless configuration using the SSID and channel that you recorded in Table 21 on page 60. Enter:
set system interface wlan wireless geography {World | Americas | EMEA | Israel | Japan} channel <channel_number> ssid <ssid_name> security WEP key <WEP_key>
Example
set system interface wlan wireless geography Americas channel 10 ssid My_SSID security WEP key My_Wep_Key
Connecting the FortiWiFi unit to your networks
When you have completed the initial configuration, you can connect the FortiWiFi unit between your internal network and the Internet using the Internal and WAN1 interfaces. You can also connect networks to the DMZ interface and the WAN2 interface.
There are seven 10/100Base-TX connectors on the FortiWiFi-60:
Four Internal ports for connecting to your internal network,
WAN1 for connecting to the Internet,
DMZ and WAN2, which can be connected to other networks.
To connect the FortiWiFi unit running in Transparent mode:
1 Connect the Internal interface connectors to PCs and other network devices in your internal network.
The Internal interface functions as a switch, allowing up to four devices to be connected to the internal network and the internal interface.
2 Connect the WAN1 interface to the Internet.
Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the WAN2 and DMZ interfaces to other networks.
Figure 8: FortiWiFi-60 Transparent mode connections (diagram: the Internal interface connects to the internal network hub or switch; WAN1 connects to the public switch or router and the Internet; DMZ connects to another network's hub or switch; the WLAN serves the wireless network)
In Transparent mode, the FortiWiFi unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiWiFi unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution.
A FortiWiFi unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic.
Wireless configuration
Use the information in “Wireless configuration” on page 120 to complete the FortiWiFi-60 wireless configuration.
Completing the configuration
Use the information in this section to complete the initial configuration of the FortiWiFi unit.
Setting the date and time
For effective scheduling and logging, the FortiWiFi system date and time should be accurate. You can either manually set the date and time or you can configure the FortiWiFi unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the FortiWiFi system date and time, see “Setting system date and time” on page 143.
Enabling antivirus protection
To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1 Go to Firewall > Policy > Internal->WAN1.
2 Select Edit to edit this policy.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save your changes.
Registering your FortiWiFi
After purchasing and installing a new FortiWiFi unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiWiFi units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiWiFi units in a single session without re-entering your contact information.
For more information about registration, see “Registering FortiGate and FortiWiFi units” on page 104.
Configuring virus and attack definition updates
You can configure the FortiWiFi unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiWiFi unit automatically downloads and installs the updated definitions.
The FortiWiFi unit uses HTTPS on port 8890 to check for updates. The FortiWiFi WAN1 interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
To configure automatic virus and attack updates, see “Updating antivirus and attack definitions” on page 93.
Transparent mode configuration examples
A FortiWiFi unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiWiFi unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and definitions updates. Also, the unit must have sufficient route information to reach:
the management computer,
the FortiResponse Distribution Network (FDN),
a DNS server.
A route is required whenever the FortiWiFi unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
This section describes:
Default routes and static routes
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination
Default routes and static routes
To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router (otherwise known as the default gateway). A static route matches a more specific prefix and forwards traffic to the next hop router.
Default route example:
IP Prefix: 0.0.0.0 (IP address), 0.0.0.0 (Netmask)
Next Hop: 192.168.1.2
Static route example:
IP Prefix: 172.100.100.0 (IP address), 255.255.255.0 (Netmask)
Next Hop: 192.168.1.2
Note: When adding routes to the FortiWiFi unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.
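The note above matters because the unit walks the route list in order and the default route's 0.0.0.0/0 prefix contains every destination, so a default route listed first silently captures traffic meant for a static route. The following added example (not code from the guide or from Fortinet) models that list-order lookup in Python: it reports the next hop for a destination, treats anything inside the management subnet as directly reachable, which is why the guide needs no route for a DNS server on the same layer 3 subnet, and checks that the default route is last. The prefixes and gateways are the values used in this section's route examples (192.168.1.1/255.255.255.0 management address, gateways 192.168.1.2 and 192.168.1.3, destinations 24.102.233.5 and 172.16.1.11); the DNS server address 192.168.1.53 is constructed for the example.

```python
"""Route-order check for a FortiWiFi unit in Transparent mode.

Added example, not part of the FortiWiFi guide. The route list is matched in
list order, as the guide's note describes: the first entry whose prefix
contains the destination wins. The values below are the guide's own route
examples; the DNS address is constructed.
"""
import ipaddress


def make_route(prefix: str, netmask: str, gateway: str):
    """Build a (network, gateway) pair from the dotted forms the guide uses."""
    network = ipaddress.ip_network(f"{prefix}/{netmask}", strict=False)
    return (network, ipaddress.ip_address(gateway))


def next_hop(management_ip: str, netmask: str, routes: list, destination: str):
    """Return "on-link" for a destination on the management subnet, otherwise the
    gateway of the first route in list order that contains it, or None."""
    dst = ipaddress.ip_address(destination)
    local = ipaddress.ip_network(f"{management_ip}/{netmask}", strict=False)
    if dst in local:
        return "on-link"
    for network, gateway in routes:
        if dst in network:
            return str(gateway)
    return None


def default_route_is_last(routes: list) -> bool:
    """True when no 0.0.0.0/0 entry precedes a more specific route."""
    seen_default = False
    for network, _ in routes:
        if network.prefixlen == 0:
            seen_default = True
        elif seen_default:
            return False
    return True


def reachability(management_ip: str, netmask: str, routes: list, targets: dict) -> dict:
    """Map each named destination to its next hop so missing routes stand out."""
    return {name: next_hop(management_ip, netmask, routes, addr)
            for name, addr in targets.items()}


# Route list from the guide's "static route to an internal destination" example,
# entered in the order the guide recommends (default route last).
ROUTES_CORRECT = [
    make_route("172.16.1.11", "255.255.255.0", "192.168.1.3"),
    make_route("0.0.0.0", "0.0.0.0", "192.168.1.2"),
]

# Same routes with the default route entered first: the static route is never
# consulted because 0.0.0.0/0 already matches every destination.
ROUTES_DEFAULT_FIRST = list(reversed(ROUTES_CORRECT))

# Destinations the guide says the unit must be able to reach. The FDN and
# management computer addresses are the guide's; the DNS address is constructed.
REQUIRED = {
    "management computer": "172.16.1.11",
    "FDN": "24.102.233.5",
    "DNS server": "192.168.1.53",
}

if __name__ == "__main__":
    for label, routes in (("correct order", ROUTES_CORRECT),
                          ("default route first", ROUTES_DEFAULT_FIRST)):
        print(label, "default last:", default_route_is_last(routes))
        for name, hop in reachability("192.168.1.1", "255.255.255.0", routes, REQUIRED).items():
            print(f"  {name:20s} -> {hop}")
```

With the routes in the recommended order the management computer resolves to 192.168.1.3, the FDN to 192.168.1.2 and the DNS server to on-link; with the default route first, management traffic is sent to 192.168.1.2 instead, which is the misconfiguration the note warns about.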
Example default route to an external network
Figure 9 shows a FortiWiFi unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiWiFi unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
Figure 9: Default route to an external network (diagram: FortiWiFi-60 with management IP 192.168.1.1 on the internal network; the upstream router at gateway IP 192.168.1.2 leads to the Internet, where the DNS server, the FortiResponse Distribution Network (FDN) and the management computer are located)
General configuration steps
1 Set the FortiWiFi unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiWiFi unit.
3 Configure the default route to the external network.
Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK. The FortiWiFi unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the default route to the external network: Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
• Select OK.
CLI configuration steps
To configure the FortiWiFi basic settings and a default route using the CLI:
1 Change the system to operate in Transparent mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the default route to the external network.
set system route number 1 gw1 192.168.1.2
Example static route to an external destination
Figure 10 shows a FortiWiFi unit that requires routes to the FDN located on the external network. The FortiWiFi unit does not require routes to the DNS servers or management computer because they are located on the internal network.
To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network. If the static route becomes unavailable (perhaps because the IP address of the FortiResponse server changes) the FortiWiFi unit will still be able to receive antivirus and NIDS updates from the FDN using the default route.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 10: Static route to an external destination (diagram: FortiWiFi-60 with management IP 192.168.1.1; the DNS server and management computer are on the internal network; the upstream router at gateway IP 192.168.1.2 leads to the Internet and the FortiResponse Distribution Network (FDN) at 24.102.233.5)
General configuration steps
1 Set the FortiWiFi unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiWiFi unit.
3 Configure the static route to the FortiResponse server.
4 Configure the default route to the external network.
Web-based manager example configuration steps
To configure the basic FortiWiFi settings and a static route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK. The FortiWiFi unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the static route to the FortiResponse server: Destination IP: 24.102.233.5 Mask: 255.255.255.0 Gateway: 192.168.1.2
• Select OK.
• Select New to add the default route to the external network: Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
• Select OK.
CLI configuration steps
To configure the FortiWiFi basic settings and a static route using the CLI:
1 Set the system to operate in Transparent mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the primary FortiResponse server.
set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 192.168.1.2
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2
Example static route to an internal destination
Figure 11 shows a FortiWiFi unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. (No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiWiFi unit.)
Figure 11: Static route to an internal destination (diagram: FortiWiFi-60 with management IP 192.168.1.1 and the DNS server on internal network A; the upstream router at gateway IP 192.168.1.2 leads to the Internet and the FortiResponse Distribution Network (FDN); the internal router at gateway IP 192.168.1.3 leads to internal network B and the management computer at 172.16.1.11)
General configuration steps
1 Set the unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiWiFi unit.
3 Configure the static route to the management computer on the internal network.
4 Configure the default route to the external network.
Web-based manager example configuration steps
To configure the FortiWiFi basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK. The FortiWiFi unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the static route to the management computer: Destination IP: 172.16.1.11 Mask: 255.255.255.0 Gateway: 192.168.1.3
• Select OK.
• Select New to add the default route to the external network: Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.168.1.2
• Select OK.
CLI configuration steps
To configure the FortiWiFi basic settings, a static route, and a default route using the CLI:
1 Set the system to operate in Transparent mode.
set system opmode transparent
2 Add the Management IP address and Netmask.
set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the management computer.
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
4 Add the default route to the external network.
set system route number 2 gw1 192.168.1.2
System status
You can connect to the web-based manager and view the current system status of the FortiWiFi unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiWiFi unit serial number.
If you log into the web-based manager using the admin administrator account, you can make any of the following changes to the FortiWiFi system settings:
Changing the FortiWiFi host name
Changing the FortiWiFi firmware
Manual virus definition updates
Manual attack definition updates
Backing up system settings
Restoring system settings
Restoring system settings to factory defaults
Changing to Transparent mode
Changing to NAT/Route mode
Restarting the FortiWiFi unit
Shutting down the FortiWiFi unit
If you log into the web-based manager with another administrator account, you can view the system settings including:
Displaying the FortiWiFi serial number
Displaying the FortiWiFi up time
All administrative users can also go to the Monitor page and view FortiWiFi system status. System status displays FortiWiFi system health monitoring information, including CPU and memory status, session and network status. See “System status”.
All administrative users can also go to the Session page and view the active communication sessions to and through the FortiWiFi unit. See “Session list”.
Changing the FortiWiFi host name
The FortiWiFi host name appears on the Status page and in the FortiWiFi CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 147.
The default host name is FortiWiFi-60.
To change the FortiWiFi host name
1 Go to System > Status.
2 Select Edit Host Name.
3 Type a new host name.
4 Select OK.
The new host name is displayed on the Status page, and in the CLI prompt, and is added to the SNMP System Name.
Changing the FortiWiFi firmware
After you download a FortiWiFi firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiWiFi unit.
Table 1: Firmware upgrade procedures
Procedure: Upgrading to a new firmware version
Description: Commonly-used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Procedure: Reverting to a previous firmware version
Description: Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiWiFi unit to its factory default configuration.
Procedure: Installing firmware images from a system reboot using the CLI
Description: Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiWiFi console port and a null-modem cable. This procedure reverts the FortiWiFi unit to its factory default configuration.
Procedure: Testing a new firmware image before installing it
Description: Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiWiFi console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.
Upgrading to a new firmware version
Use the following procedures to upgrade the FortiWiFi unit to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 95 to make sure that antivirus and attack definitions are up to date.
To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiWiFi unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiWiFi login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “Manually initiating antivirus and attack definitions updates” on page 95.
Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that the FortiWiFi unit can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 95 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To upgrade the firmware using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI as the admin administrative user.
4 Make sure the FortiWiFi unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiWiFi unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiWiFi unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
6 Reconnect to the CLI.
7 To confirm that the new firmware image is successfully installed, enter:
get system status
8 Use the procedure “Manually initiating antivirus and attack definitions updates” on page 95 to update antivirus and attack definitions, or from the CLI, enter:
execute updatecenter updatenow
9 To confirm that the antivirus and attack definitions are successfully updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:
get system objver
Reverting to a previous firmware version
Use the following procedures to revert your FortiWiFi unit to a previous firmware version.
Reverting to a previous firmware version using the web-based manager
The following procedures revert the FortiWiFi unit to its factory default configuration and delete NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
Back up the FortiWiFi unit configuration. For information, see “Backing up system settings” on page 84.
Back up the NIDS user-defined signatures. For information, see the FortiGate NIDS Guide.
Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 95 to make sure that antivirus and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the FortiWiFi web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade.
5 Type the path and filename of the previous firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiWiFi unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiWiFi login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration.
For information about restoring your configuration, see “Restoring system settings” on page 84.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “Manually initiating antivirus and attack definitions updates” on page 95.
Reverting to a previous firmware version using the CLI
This procedure reverts your FortiWiFi unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
Back up the FortiWiFi unit configuration using the command execute backup config.
Back up the NIDS user-defined signatures using the command execute backup nidsuserdefsig.
Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 95 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To use the following procedure you must have a TFTP server that the FortiWiFi unit can connect to.
To revert to a previous firmware version using the CLI
1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFTP server. 3 Log into the FortiWiFi CLI as the admin administrative user. 4 Make sure the FortiWiFi unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiWiFi unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiWiFi unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK. This operation will downgrade the current firmware version! Do you want to continue? (y/n)
6 Type Y.
7 The FortiWiFi unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 Restore your previous configuration. Use the following command:
execute restore config
11 Update antivirus and attack definitions. For information, see “Manually initiating antivirus and attack definitions updates” on page 95, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
get system objver
Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiWiFi unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.
To perform this procedure you:
access the CLI by connecting to the FortiWiFi console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiWiFi internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure you can:
Back up the FortiWiFi unit configuration. For information, see “Backing up system settings” on page 84.
Back up the NIDS user defined signatures. For information, see the FortiGate NIDS Guide.
Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “Manually initiating antivirus and attack definitions updates” on page 95 to make sure that antivirus and attack definitions are up to date.
To install firmware from a system reboot
1 Connect to the CLI using the null-modem cable and FortiWiFi console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server.
5 To confirm that the FortiWiFi unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiWiFi unit:
execute reboot
As the FortiWiFi unit starts, a series of system startup messages is displayed. When the following message appears:
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiWiFi unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiWiFi unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiWiFi unit and messages similar to the following are displayed:
Save as Default firmware/Run image without saving:[D/R]
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12 Type D.
The FortiWiFi unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring the previous configuration
Change the internal interface addresses if required. You can do this from the CLI using the command:
set system interface
After changing the interface addresses, you can access the FortiWiFi unit from the web-based manager and restore the configuration.
To restore the FortiWiFi unit configuration, see “Restoring system settings” on page 84.
To restore NIDS user defined signatures, see “Adding user-defined signatures” on page 240.
To restore web content filtering lists, see “Restoring the Banned Word list” on page 256 and “Uploading a URL block list” on page 258.
To restore email filtering lists, see “Uploading the email banned word list” on page 269 and “Uploading an email block list” on page 271.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Update the virus and attack definitions to the most recent version. See “Manually initiating antivirus and attack definitions updates” on page 95.
Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiWiFi unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiWiFi unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrading to a new firmware version” on page 74.
To run this procedure you:
access the CLI by connecting to the FortiWiFi console port using a null-modem cable,
install a TFTP server that you can connect to from the FortiWiFi internal interface. The TFTP server should be on the same subnet as the internal interface.
To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiWiFi console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
4 Enter the following command to restart the FortiWiFi unit:
execute reboot
5 As the FortiWiFi unit reboots, press any key to interrupt the system startup.
As the FortiWiFi unit starts, a series of system startup messages is displayed. When the following message appears:
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiWiFi unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the address of the internal interface of the FortiWiFi unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiWiFi unit and messages similar to the following appear.
Save as Default firmware/Run image without saving:[D/R]
11 Type R.
The FortiWiFi image is installed to system memory and the FortiWiFi unit starts running the new firmware image but with its current configuration.
12 You can log into the CLI or the web-based manager using any administrative account.
13 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.
Manual virus definition updates
The Status page of the FortiWiFi web-based manager displays the current installed versions of the FortiWiFi antivirus definitions.
Note: For information about configuring the FortiWiFi unit for automatic antivirus definitions updates, see “Virus and attack definitions updates and registration” on page 93. You can also manually start an antivirus definitions update by going to System > Update and selecting Update Now.
To update the antivirus definitions manually
1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the Antivirus Definitions Version section, select Definitions Update.
4 Type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiWiFi unit.
The FortiWiFi unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information has updated.
Manual attack definition updates
The Status page of the FortiWiFi web-based manager displays the current installed versions of the FortiWiFi Attack Definitions used by the Network Intrusion Detection System (NIDS).
Note: For information about configuring the FortiWiFi unit for automatic attack definitions updates, see “Virus and attack definitions updates and registration” on page 93. You can also manually start an attack definitions update by going to System > Update and selecting Update Now.
To update the attack definitions manually
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the Attack Definitions Version section, select Definitions Update.
4 Type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiWiFi unit.
The FortiWiFi unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Attack Definitions Version information has updated.
Displaying the FortiWiFi serial number
1 Go to System > Status.
The serial number is displayed on the System Status page of the web-based manager. The serial number is specific to the FortiWiFi unit and does not change with firmware upgrades.
Displaying the FortiWiFi up time
1 Go to System > Status.
The FortiWiFi up time displays the time in days, hours, and minutes since the FortiWiFi unit was last started.
Backing up system settings
You can back up system settings by downloading them to a text file on the management computer.
To back up system settings
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file.
The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.
Restoring system settings
You can restore system settings by uploading a previously downloaded system settings text file.
To restore system settings
1 Go to System > Status.
2 Select System Settings Restore.
3 Enter the path and filename of the system settings file, or select Browse and locate the file.
4 Select OK to restore the system settings file to the FortiWiFi unit.
The FortiWiFi unit restarts, loading the new system settings.
5 Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.
Restoring system settings to factory defaults
Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.
Caution: This procedure deletes all changes that you have made to the FortiWiFi configuration and reverts the system to its original configuration, including resetting interface addresses.
To restore system settings to factory defaults
1 Go to System > Status.
2 Select Restore Factory Defaults.
3 Select OK to confirm.
The FortiWiFi unit restarts with the configuration that it had when it was first powered on.
4 Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
For information about restoring system settings, see “Restoring system settings” on page 84.
Changing to Transparent mode
Use the following procedure to change the FortiWiFi unit from NAT/Route mode to Transparent mode. After you change the FortiWiFi unit to Transparent mode, most of the configuration resets to Transparent mode factory defaults.
The following items are not set to Transparent mode factory defaults:
The admin administrator account password (see “Adding and editing administrator accounts” on page 145)
Custom replacement messages (see “Replacement messages” on page 155)
To change to Transparent mode
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the operation mode list.
4 Select OK.
The FortiWiFi unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 10.10.10.1.
Changing to NAT/Route mode
Use the following procedure to change the FortiWiFi unit from Transparent mode to NAT/Route mode. After you change the FortiWiFi unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults.
The following items are not set to NAT/Route mode factory defaults:
The admin administrator account password (see “Adding and editing administrator accounts” on page 145)
Custom replacement messages (see “Replacement messages” on page 155)
To change to NAT/Route mode
1 Go to System > Status.
2 Select Change to NAT Mode.
3 Select NAT/Route in the operation mode list.
4 Select OK.
The FortiWiFi unit changes operation mode.
5 To reconnect to the web-based manager you must connect to the interface configured by default for management access.
By default in NAT/Route mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 192.168.1.99.
Restarting the FortiWiFi unit
1 Go to System > Status.
2 Select Restart.
The FortiWiFi unit restarts.
Shutting down the FortiWiFi unit
You can restart the FortiWiFi unit after shutdown only by turning the power off and then on.
1 Go to System > Status.
2 Select Shutdown.
The FortiWiFi unit shuts down and all traffic flow stops.
System status
You can use the system status monitor to display FortiWiFi system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
You can also view current virus and intrusion status. The web-based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours.
In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds. You can also refresh the display manually.
Viewing CPU and memory status
Viewing sessions and network status
Viewing virus and intrusions status
Viewing CPU and memory status
Current CPU and memory status indicates how close the FortiWiFi unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
If CPU and memory use is low, the FortiWiFi unit is able to process much more network traffic than is currently running. If CPU and memory use is high, the FortiWiFi unit is performing near its full capacity. Putting additional demands on the system might cause traffic processing delays.
CPU and memory intensive processes, such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets, increase CPU and memory usage.
To view CPU and memory status
1 Go to System > Status > Monitor.
CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the previous minute.
2 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
More frequent updates use system resources and increase network traffic. However, this occurs only when you are viewing the display using the web-based manager.
3 Select Refresh to manually update the information displayed.
Figure 1: CPU and memory status monitor
Viewing sessions and network status
Use the session and network status display to track how many network sessions the FortiWiFi unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is putting on system resources.
The Sessions section displays the total number of sessions being processed by the FortiWiFi unit on all interfaces. It also displays the sessions as a percentage of the maximum number of sessions that the FortiWiFi unit is designed to support.
The Network utilization section displays the total network bandwidth being used through all FortiWiFi interfaces. It also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiWiFi unit.
To view sessions and network status
1 Go to System > Status > Monitor.
2 Select Sessions & Network.
Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute. The line graph scales are shown in the upper left corner of the graph.
3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
4 Select Refresh to manually update the information displayed.
Figure 2: Sessions and network status monitor
Viewing virus and intrusions status
Use the virus and intrusions status display to track when viruses are found by the FortiWiFi antivirus system and to track when the NIDS detects a network-based attack.
To view virus and intrusions status
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours.
3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
4 Select Refresh to manually update the information displayed.
Figure 3: Sessions and network status monitor
Session list
The session list displays information about the communications sessions currently being processed by the FortiWiFi unit. You can use the session list to view current sessions. FortiWiFi administrators with read and write permission and the FortiWiFi admin user can also stop active communication sessions.
To view the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiWiFi unit session table and lists the top 16.
2 To navigate the list of sessions, select Page Up or Page Down.
3 Select Refresh to update the session list.
4 If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session.
Each line of the session list displays the following information.
Protocol    The service protocol of the connection, for example, udp, tcp, or icmp.
From IP     The source IP address of the connection.
From Port   The source port of the connection.
To IP       The destination IP address of the connection.
To Port     The destination port of the connection.
Expire      The time, in seconds, before the connection expires.
Clear       Stop an active communication session.
Figure 4: Example session list
Virus and attack definitions updates and registration
You can configure the FortiWiFi unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus engine. You have the following update options:
Request updates from the FDN,
Schedule updates to automatically request the latest versions hourly, daily, or weekly,
Set Push updates so that the FDN contacts your FortiWiFi unit when a new update is available.
To receive scheduled updates and push updates, you must register the FortiWiFi unit on the Fortinet support web page.
This chapter describes:
Updating antivirus and attack definitions
Scheduling updates
Enabling push updates
Registering FortiGate and FortiWiFi units
Updating registration information
Registering a FortiWiFi unit after an RMA
Updating antivirus and attack definitions
You can configure the FortiWiFi unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiWiFi unit supports the following antivirus and attack definition update features:
User-initiated updates from the FDN,
Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN,
Push updates from the FDN,
Update status including version numbers, expiry dates, and update dates and times,
Push updates through a NAT device.
The Update page on the web-based manager displays the following antivirus and attack definition update information.
Version               Current antivirus engine, virus definition, and attack definition version numbers.
Expiry date           Expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Last update attempt   Date and time on which the FortiWiFi unit last attempted to download antivirus engine, virus definition, and attack definition updates.
Last update status    Success or failure of the last update attempt. No updates means the last update attempt was successful but no new updates were available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiWiFi unit was not able to connect to the FDN and other error conditions.
This section describes:
Connecting to the FortiResponse Distribution Network
Manually initiating antivirus and attack definitions updates
Configuring update logging
Connecting to the FortiResponse Distribution Network
Before the FortiWiFi unit can receive antivirus and attack updates, it must be able to connect to the FortiResponse Distribution Network (FDN). The FortiWiFi unit uses HTTPS on port 8890 to connect to the FDN. The FortiWiFi WAN1 interface must have a path to the Internet using port 8890. For information about configuring scheduled updates, see “Scheduling updates” on page 96.
You can also configure the FortiWiFi unit to allow push updates. Push updates are provided to the FortiWiFi unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must have a path to the FortiWiFi WAN1 interface using UDP port 9443. For information about configuring push updates, see “Enabling push updates” on page 98.
The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs). When the FortiWiFi unit connects to the FDN it connects to the nearest FDS. To do this, all FortiWiFi units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiWiFi unit. To make sure the FortiWiFi unit receives updates from the nearest FDS, check that you have selected the correct time zone for your area.
To make sure the FortiWiFi unit can connect to the FDN
1 Go to System > Config > Time and make sure the time zone is set to the time zone for the region in which your FortiWiFi unit is located.
2 Go to System > Update.
3 Select Refresh.
The FortiWiFi unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Table 1: Connections to the FDN
Connections                          Status          Comments
FortiResponse Distribution Network   Available       The FortiWiFi unit can connect to the FDN. You can configure the FortiWiFi unit for scheduled updates. See “Scheduling updates” on page 96.
                                     Not available   The FortiWiFi unit cannot connect to the FDN. You must configure your FortiWiFi unit and your network so that the FortiWiFi unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiWiFi routing table or configure your network to allow the FortiWiFi unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiResponse server to receive updates. See “Adding an override server” on page 97.
Push Update                          Available       The FDN can connect to the FortiWiFi unit to send push updates. You can configure the FortiWiFi unit to receive push updates. See “Enabling push updates” on page 98.
                                     Not available   The FDN cannot connect to the FortiWiFi unit to send push updates. Push updates may not be available if you have not registered the FortiWiFi unit (see “Registering the FortiWiFi unit” on page 105), if there is a NAT device installed between the FortiWiFi unit and the FDN (see “Enabling push updates through a NAT device” on page 100), or if your FortiWiFi unit connects to the Internet using a proxy server (see “Enabling scheduled updates through a proxy server” on page 98).
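As an added example (not from the guide), the following Python script audits a constructed upstream firewall policy for the two flows the connection section and Table 1 describe: HTTPS on TCP port 8890 outbound from the WAN1 interface, and push updates on UDP port 9443 inbound to WAN1. The rule format, the WAN1 address and the FDS address are assumptions; the actual FDS addresses are the ones programmed into the unit.

```python
"""Audit an upstream firewall policy for the flows the FDN needs.
Flows (from the guide): WAN1 -> FDS on TCP 8890 (scheduled updates)
and FDS -> WAN1 on UDP 9443 (push updates). Everything else here,
including the rule format and the addresses, is a constructed example."""
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    proto: str            # "tcp" or "udp"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    dport: Optional[int]  # destination port; None means any port


def first_match(rules, proto, src, dst, dport):
    """First-match evaluation; None means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.proto != proto:
            continue
        if s not in ipaddress.ip_network(rule.src):
            continue
        if d not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule
    return None


def fdn_flows(wan1_ip, fds_ip):
    """The two flows the guide requires, as (proto, src, dst, dport)."""
    return {
        "scheduled_updates": ("tcp", wan1_ip, fds_ip, 8890),
        "push_updates": ("udp", fds_ip, wan1_ip, 9443),
    }


def audit_fdn_policy(rules, wan1_ip, fds_ip):
    """Return {flow: verdict}. A flow is 'blocked' when no allow rule
    matches, 'allowed' when a tightly scoped rule matches, and
    'allowed by over-broad rule' when the matching allow rule is not
    pinned to the port or to the WAN1 address (the FDS side may be
    any address, because the unit picks the nearest FDS itself)."""
    verdicts = {}
    for name, (proto, src, dst, dport) in fdn_flows(wan1_ip, fds_ip).items():
        rule = first_match(rules, proto, src, dst, dport)
        if rule is None or rule.action != "allow":
            verdicts[name] = "blocked"
            continue
        wan1_side = rule.src if src == wan1_ip else rule.dst
        broad = (rule.dport is None
                 or ipaddress.ip_network(wan1_side).prefixlen == 0)
        verdicts[name] = "allowed by over-broad rule" if broad else "allowed"
    return verdicts


# Constructed addresses from the documentation ranges; FDS is a placeholder.
WAN1 = "203.0.113.10"
FDS = "198.51.100.20"

# Policy A: egress for updates is pinned to WAN1, but no push-update ingress.
POLICY_A = [
    Rule("allow", "tcp", "203.0.113.10/32", "0.0.0.0/0", 8890),
]
# Policy B: adds the UDP 9443 ingress, but the egress rule allows any port.
POLICY_B = [
    Rule("allow", "tcp", "203.0.113.10/32", "0.0.0.0/0", None),
    Rule("allow", "udp", "0.0.0.0/0", "203.0.113.10/32", 9443),
]

if __name__ == "__main__":
    for label, policy in (("A", POLICY_A), ("B", POLICY_B)):
        print(label, audit_fdn_policy(policy, WAN1, FDS))
```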
Manually initiating antivirus and attack definitions updates
You can use the following procedure to update the antivirus and attack definitions at any time. The FortiWiFi unit must be able to connect to the FDN or to an override FortiResponse server.
To update antivirus and attack definitions
1 Go to System > Update.
2 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine, or attack definitions. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.
Configuring update logging
Use the following procedure to configure FortiWiFi logging to record log messages when the FortiWiFi unit updates antivirus and attack definitions. The update log messages are recorded on the FortiWiFi Event log.
To configure update logging
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the type of logs that the FortiWiFi unit is configured to record.
For information about recording logs, see “Recording logs” on page 273.
3 Select Update to record log messages when the FortiWiFi unit updates antivirus and attack definitions.
4 Select any of the following update log options.
Failed Update       Records a log message whenever an update attempt fails.
Successful Update   Records a log message whenever an update attempt is successful.
FDN error           Records a log message whenever the FortiWiFi unit cannot connect to the FDN or whenever it receives an error message from the FDN.
5 Select OK.
Scheduling updates
The FortiWiFi unit can check for and download updated definitions hourly, daily, or weekly, according to a schedule that you specify.
This section describes:
Enabling scheduled updates
Adding an override server
Enabling scheduled updates through a proxy server
Enabling scheduled updates
To enable scheduled updates
1 Go to System > Update.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates.
Hourly   Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily    Once a day. You can specify the time of day to check for updates.
Weekly   Once a week. You can specify the day of the week and the time of day to check for updates.
4 Select Apply.
The FortiWiFi unit starts the next scheduled update according to the new update schedule.
Whenever the FortiWiFi unit runs a scheduled update, the event is recorded in the FortiWiFi event log.
Figure 1: Configuring automatic antivirus and attack definitions updates
Adding an override server
If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
To add an override server
1 Go to System > Update.
2 Select the Use override server address check box.
3 Type the IP address of a FortiResponse server.
4 Select Apply.
The FortiWiFi unit tests the connection to the override server. If the FortiResponse Distribution Network setting changes to available, the FortiWiFi unit has successfully connected to the override server.
If the FortiResponse Distribution Network setting stays set to not available, the FortiWiFi unit cannot connect to the override server. Check the FortiWiFi configuration and network configuration for settings that would prevent the FortiWiFi unit from connecting to the override FortiResponse server.
Enabling scheduled updates through a proxy server
If your FortiWiFi unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiWiFi unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server. If the proxy server requires authentication, you can also add the user name and password required for the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:
set system autoupdate tunneling enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]
For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:
set system autoupdate tunneling enable address 64.23.6.89 port 8080
For more information about the set system autoupdate command, see Volume 6, FortiGate CLI Reference Guide.
The FortiWiFi unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiWiFi unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiWiFi unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow the CONNECT to connect to any port; they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. Because FortiWiFi autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port.
There are no special tunneling requirements if you have configured an override server address to connect to the FDN.
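The following is an added example, not Fortinet code and not part of this guide, that walks through the CONNECT exchange described above so you can see what a restrictive or authenticating proxy returns to the unit. The FDN host name is a placeholder, the proxy is simulated in-process so the exchange runs offline, and the use of Basic proxy authentication is an assumption (the guide does not state which scheme the unit uses). Only the port number, 8890, and the use of CONNECT come from the guide.

```python
import base64

# Assumptions for this example (not taken from the guide): the FDN host name is a
# placeholder and the proxy is simulated in-process so that the exchange runs offline.
FDN_HOST = "fdn.example.net"
FDN_PORT = 8890  # the guide states that autoupdates use HTTPS on port 8890


def build_connect_request(host, port, username=None, password=None):
    """Build the CONNECT request the unit sends to the proxy (RFC 2616 CONNECT method).

    With credentials, a Proxy-Authorization header using Basic auth is added; the
    guide does not say which scheme the unit uses, so Basic is an assumption here.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status_line(response):
    """Return (status_code, reason_phrase) from the proxy's response."""
    status_line = response.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


class SimulatedProxy:
    """In-process stand-in for a corporate proxy (constructed for this example).

    Models the two behaviours the guide warns about: a proxy that only allows
    CONNECT to well-known ports, and a proxy that requires authentication.
    """

    def __init__(self, allowed_ports=(443,), credentials=None):
        self.allowed_ports = set(allowed_ports)
        self.credentials = credentials  # (username, password) or None

    def handle(self, request):
        head = request.split("\r\n\r\n", 1)[0]
        request_line, *header_lines = head.split("\r\n")
        method, target, _version = request_line.split(" ", 2)
        if method != "CONNECT":
            return "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        # Authentication is checked before the port restriction, as a real proxy would.
        if self.credentials is not None:
            user, pwd = self.credentials
            expected = "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()
            if headers.get("proxy-authorization") != expected:
                return ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                        'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
        _host, _, port = target.rpartition(":")
        if int(port) not in self.allowed_ports:
            return "HTTP/1.1 403 Forbidden\r\n\r\n"
        return "HTTP/1.1 200 Connection established\r\n\r\n"


def tunnel_to_fdn(proxy, username=None, password=None, host=FDN_HOST, port=FDN_PORT):
    """Attempt the CONNECT exchange and return (succeeded, diagnosis)."""
    response = proxy.handle(build_connect_request(host, port, username, password))
    code, reason = parse_status_line(response)
    if code == 200:
        return True, "tunnel established; TLS to the FDN can now run inside it"
    if code == 407:
        return False, "proxy requires authentication: add username/password to the autoupdate tunneling settings"
    if code == 403:
        return False, f"proxy refuses CONNECT to port {port}: allow this port on the proxy or use an override server"
    return False, f"unexpected proxy response {code} {reason}"


if __name__ == "__main__":
    # A proxy that only permits CONNECT to 443 blocks the update port.
    restrictive = SimulatedProxy(allowed_ports=(443,))
    print(tunnel_to_fdn(restrictive))
    # A proxy that allows 8890 but requires credentials.
    opened = SimulatedProxy(allowed_ports=(443, FDN_PORT), credentials=("fwupdate", "s3cret"))
    print(tunnel_to_fdn(opened))
    print(tunnel_to_fdn(opened, "fwupdate", "s3cret"))
```

When the unit's updates fail behind a proxy, the proxy's access log is the first place to look: a 403 on the CONNECT to port 8890 means the port restriction described above, and a 407 means the tunneling user name and password are missing or wrong.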
Enabling push updates
The FDN can push updates to FortiWiFi units to provide the fastest possible response to critical situations. You must register the FortiWiFi unit before it can receive push updates. See “Registering the FortiWiFi unit” on page 105.
When you configure a FortiWiFi unit to allow push updates, the FortiWiFi unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiWiFi units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiWiFi unit requests an update from the FDN.
Note: Push updates are not supported if the FortiWiFi unit must use a proxy server to connect to the FDN. For more information, see “Enabling scheduled updates through a proxy server” on page 98.
When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiWiFi unit receives new updates sooner through push updates than if the FortiWiFi unit receives only scheduled updates. However, scheduled updates make sure that the FortiWiFi unit receives the latest updates.
Enabling push updates is not recommended as the only method for obtaining updates. The FortiWiFi unit might not receive the push notification. Also, when the FortiWiFi unit receives a push notification it makes only one attempt to connect to the FDN and download updates.
This section describes:
Enabling push updates
Push updates when FortiWiFi IP addresses change
Enabling push updates through a NAT device
Enabling push updates
To enable push updates
1 Go to System > Update. 2 Select Allow Push Update. 3 Select Apply.
Push updates when FortiWiFi IP addresses change
The SETUP message that the FortiWiFi unit sends when you enable push updates includes the IP address of the FortiWiFi interface that the FDN connects to. If your FortiWiFi unit is running in NAT/Route mode, the SETUP message includes the FortiWiFi WAN1 IP address. If your FortiWiFi unit is running in Transparent mode, the SETUP message includes the FortiWiFi management IP address. The FDN must be able to connect to this IP address for your FortiWiFi unit to be able to receive push update messages. If your FortiWiFi unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 100.
Whenever the WAN1 IP address of the FortiWiFi unit changes, the FortiWiFi unit sends a new SETUP message to notify the FDN of the address change. As long as the FortiWiFi unit sends this SETUP message and the FDN receives it, the FDN can maintain the most up-to-date WAN1 IP address for the FortiWiFi unit.
The FortiWiFi unit sends the SETUP message if you change the WAN1 IP address manually or if you have set the WAN1 interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.
If you have redundant connections to the Internet, the FortiWiFi unit also sends the SETUP message when one Internet connection goes down and the FortiWiFi unit fails over to the other Internet connection.
In Transparent mode if you change the management IP address, the FortiWiFi unit also sends the SETUP message to notify the FDN of the address change.
Enabling push updates through a NAT device
If the FDN can connect to the FortiWiFi unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiWiFi unit using either port 9443 or an override push port that you specify.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Example: push updates through a NAT device
This example describes how to configure a FortiWiFi NAT device to forward push updates to a FortiWiFi unit installed on its internal network. For the FortiWiFi unit on the internal network to receive push updates, the FortiWiFi NAT device must be configured with a port forwarding virtual IP. This virtual IP maps the IP address of the external interface of the FortiWiFi NAT device and a custom port to the IP address of the FortiWiFi unit on the internal network. This IP address can either be the external IP address of the FortiWiFi unit if it is operating in NAT/Route mode, or the Management IP address of the FortiWiFi unit if it is operating in Transparent mode.
Note: This example describes the configuration for a FortiWiFi NAT device. However, you can use any NAT device with a static external IP address that can be configured for port forwarding.
General procedure
Use the following steps to configure the FortiWiFi NAT device and the FortiWiFi unit on the internal network so that the FortiWiFi unit on the internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiWiFi NAT device.
2 Add a firewall policy to the FortiWiFi NAT device that includes the port forwarding virtual IP.
3 Configure the FortiWiFi unit on the internal network with an override push IP and port.
Note: Before completing the following procedure, you should register the internal network FortiWiFi unit so that it can receive push updates.