© Copyright 2004 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced, 
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or 
otherwise, for any purpose, without prior written permission of Fortinet Inc. 

FortiGate-100 Installation Guide

 

Version 2.80 MR4
30 August 2004
01-28004-0019-20040830

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Summary of Contents for FortiGate 100

Page 1: ...FortiGate 100 Installation Guide INTERNAL EXTERNAL DMZ POWER STATUS Version 2 80 MR4 30 August 2004 01 28004 0019 20040830 ...

Page 2: ...prior written permission of Fortinet Inc FortiGate 100 Installation Guide Version 2 80 MR4 30 August 2004 01 28004 0019 20040830 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS For technical support please visit http www fortinet com Send information about errors or omissions in thi...

Page 3: ...e network configuration 16 Factory default Transparent mode network configuration 17 Factory default firewall configuration 17 Factory default protection profiles 18 Planning the FortiGate configuration 19 NAT Route mode 20 NAT Route mode with multiple external network connections 20 Transparent mode 21 Configuration options 22 Next steps 23 NAT Route mode installation 25 Preparing to configure th...

Page 4: ...web based manager 41 Connecting the FortiGate unit to your network 42 Next steps 43 High availability installation 45 Priorities of heartbeat device and monitor priorities 45 Configuring FortiGate units for HA operation 45 High availability configuration settings 45 Configuring FortiGate units for HA using the web based manager 47 Configuring FortiGate units for HA using the CLI 48 Connecting the ...

Page 5: ...itecture analyzes content and behavior in real time enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks The FortiGate 100 model is an easy to deploy and easy to administer solution that delivers exceptional value and performance for small office home office and branch office applications The FortiGate installation wizard guid...

Page 6: ... configuration you can download and save it The saved configuration can be restored at any time Figure 1 FortiGate web based manager and setup wizard Command line interface You can access the FortiGate command line interface CLI by connecting a management computer serial port to the FortiGate RS 232 serial console connector You can also use Telnet or a secure SSH connection to connect to the CLI f...

Page 7: ...se 10 number xxx_octet indicates a hexadecimal string that uses the digits 0 9 and letters A F xxx_ipv4 indicates a dotted decimal IPv4 address xxx_v4mask indicates a dotted decimal IPv4 netmask xxx_ipv4mask indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask xxx_ipv6 indicates a dotted decimal IPv6 address xxx_v6mask indicates a dotted decimal IPv6 netmask xxx_ipv6ma...

Page 8: ...n required to install a FortiGate model Includes hardware reference default configuration installation procedures connection procedures and basic configuration procedures FortiGate Administration Guide Each Administration Guide describes how to configure a FortiGate model Configuration information includes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit an...

Page 9: ...or using the FortiGate web based manager to configure and manage the FortiGate unit For a complete list of FortiGate documentation visit Fortinet Technical Support at http support fortinet com Comments on Fortinet technical documentation You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc fortinet com ...

Page 10: ... available from the following addresses For information on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your name Company name Location Email address Telephone number FortiGate unit serial number FortiGate model FortiGate FortiOS firmware version Detailed description of the problem amer_support fortinet com For ...

Page 11: ...bes unpacking setting up and powering on a FortiGate Antivirus Firewall unit This section includes Package contents Mounting Turning the FortiGate unit power on and off Connecting to the web based manager Connecting to the command line interface CLI Factory default FortiGate configuration settings Planning the FortiGate configuration Next steps ...

Page 12: ...t the unit has at least 1 5 in 3 75 cm of clearance on each side to allow for adequate air flow and cooling Dimensions 10 25 x 6 13 x 1 75 in 26 x 15 6 x 4 5 cm Weight 1 75 lb 0 8 kg Power requirements DC input voltage 12 V DC input current 5 A Back Front Power LED Internal External DMZ Interfaces Status LED INTERNAL EXTERNAL DMZ POWER STATUS DMZ External Console DC 12V 5A Internal RS 232 Serial C...

Page 13: ...shut down the FortiGate operating system properly before turning off the power switch 1 From the web based manager go to System Maintenance ShutDown select Shut Down and select Apply or from the CLI enter execute shutdown 2 Disconnect the power supply Table 1 FortiGate 100 LED indicators LED State Description Power Green The FortiGate unit is powered on Off The FortiGate unit is powered off Status...

Page 14: ...th a netmask of 255 255 255 0 2 Using the crossover cable or the ethernet hub and cables connect the internal interface of the FortiGate unit to the computer ethernet connection 3 Start Internet Explorer and browse to the address https 192 168 1 99 remember to include the s in https The FortiGate login is displayed Figure 3 FortiGate login 4 Type admin in the Name field and select Login Connecting...

Page 15: ...me for the connection and select OK 4 Configure HyperTerminal to connect directly to the communications port on your computer and select OK 5 Select the following port settings and select OK 6 Press Enter to connect to the FortiGate CLI The following prompt is displayed FortiGate 100 login 7 Type admin and press Enter twice The following prompt is displayed Welcome Type to list available commands ...

Page 16: ...tops users on the external network from connecting to the internal network You can add more firewall policies to provide more control of the network traffic passing through the FortiGate unit The factory default protection profiles can be used to apply different levels of antivirus protection web content filtering spam filtering and IPS to the network traffic that is controlled by firewall policie...

Page 17: ...tion settings are included in the default firewall configuration to make it easier to add firewall policies External interface IP 192 168 100 99 Netmask 255 255 255 0 Administrative Access Ping DMZ interface IP 10 10 10 1 Netmask 255 255 255 0 Administrative Access HTTPS Ping Network Settings Default Gateway for default route 192 168 100 1 Interface connected to external network for default route ...

Page 18: ...This allows you to customize types and levels of protection for different firewall policies For example while traffic between internal and external addresses might need strict protection traffic between trusted internal addresses might need moderate protection You can configure firewall policies for different traffic services to use the same or different protection profiles Protection profiles can...

Page 19: ...n be configured in one of two modes NAT Route mode the default or Transparent mode Strict To apply maximum protection to HTTP FTP IMAP POP3 and SMTP traffic You may not use the strict protection profile under normal circumstances but it is available if you have problems with viruses and require maximum screening Scan To apply antivirus scanning and file quarantining to HTTP FTP IMAP POP3 and SMTP ...

Page 20: ...private network and the external public network usually the Internet If you have multiple internal networks such as a DMZ network in addition to the internal private network you could create route mode firewall policies for traffic flowing between them Figure 5 Example NAT Route mode network configuration NAT Route mode with multiple external network connections In NAT Route mode you can configure...

Page 21: ...nd attack definition updates You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router The FortiGate unit performs firewall functions IPSec VPN virus scanning IPS web content filtering and Spam filtering Figure 7 Example Transparent mode network configuration You can connect up to three network segments to the FortiGate unit to con...

Page 22: ...figuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network If you are configuring the FortiGate unit to operate in Transparent mode you can use the CLI to switch to Transparent mode Then you can add the administration password the management IP address and gateway and the DNS server addresses Setup wizard If you are configuring the FortiGate unit to o...

Page 23: ...nfigure it to connect to networks If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 25 If you are going to operate the FortiGate unit in Transparent mode go to Transparent mode installation on page 37 If you are going to operate two or more FortiGate units in HA mode go to High availability installation on page 45 ...

Page 25: ...and line interface Using the setup wizard Connecting the FortiGate unit to the network s Configuring the networks Next steps Preparing to configure the FortiGate unit in NAT Route mode Use Table 5 to gather the information that you need to customize NAT Route mode settings You can configure the FortiGate unit in several ways the web based manager GUI is a complete interface for configuring most se...

Page 26: ... initial configuration of the FortiGate unit You can also continue to use the web based manager for all FortiGate unit settings For information about connecting to the web based manager see Connecting to the web based manager on page 14 Table 5 NAT Route mode settings Administrator Password Internal IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ External IP _____ _____ _____ _____ Netm...

Page 27: ...enter the IP address and netmask for the interface For DHCP addressing select DHCP and any required settings For PPPoE addressing select PPPoE and enter the username and password and any other required settings For information about how to configure these and other interface settings see the FortiGate online help or the FortiGate Administration Guide 5 Select OK 6 Repeat this procedure for each in...

Page 28: ... 0 0 0 0 select the Delete icon to delete this route 3 Select Create New 4 Set Destination IP to 0 0 0 0 5 Set Mask to 0 0 0 0 6 Set Gateway to the default gateway IP address 7 Set Device to the interface connected to the external network 8 Select OK Using the command line interface You can also configure the FortiGate unit using the command line interface CLI For information about connecting to t...

Page 29: ...20 99 255 255 255 0 end 3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 5 on page 26 config system external edit external set mode static set ip address_ip netmask end Example config system external edit external set mode static set ip 204 23 1 5 255 255 255 0 end To set the external interface to use DHCP enter config sys...

Page 30: ... To add a default route Add a default route to configure where the FortiGate unit sends traffic that should be sent to an external network usually the Internet Adding the default route also defines which interface is connected to an external network The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE Set the default route to the De...

Page 31: ...antivirus protection to high medium or none Table 7 lists the additional settings that you can configure with the setup wizard See Table 5 on page 26 and Table 6 on page 26 for other settings Table 7 Setup wizard settings Password Prepare an administrator password Internal Interface Use the information you gathered in Table 5 on page 26 External Interface Use the information you gathered in Table ...

Page 32: ...cting the FortiGate unit to the network s When you have completed the initial configuration you can connect the FortiGate unit between your internal network and the Internet There are three 10 100Base TX connectors on the FortiGate 100 Internal for connecting to your internal network External for connecting to the Internet DMZ for connecting to a DMZ network Antivirus High Create a protection prof...

Page 33: ...the internal or LAN connection of your DSL or cable modem 3 Optionally connect the DMZ interface to your DMZ network You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network Figure 9 FortiGate 100 NAT Route mode connections Note You can also connect both the external and DMZ interfaces to different Interne...

Page 34: ... internal network You should be able to connect to any Internet address Next steps You can use the following information to configure FortiGate system time to register the FortiGate unit and to configure antivirus and attack definition updates Refer to the FortiGate Administration Guide for complete information on configuring monitoring and maintaining the FortiGate unit To set the date and time F...

Page 35: ...To configure virus attack and spam definition updates You can configure the FortiGate unit to automatically receive new versions of the virus attack and spam definitions on a schedule through the web based manager You can also receive updates whenever a threat occurs by using Push Updates 1 Go to System Maintenance Update Center 2 Select Refresh to test the FortiGate unit connectivity with the For...

Page 37: ...rent mode see Planning the FortiGate configuration on page 19 This chapter describes Preparing to configure Transparent mode Using the web based manager Using the command line interface Using the setup wizard Connecting the FortiGate unit to your network Next steps Preparing to configure Transparent mode Use Table 8 to gather the information that you need to customize Transparent mode settings You...

Page 38: ... to the internal or DMZ interface and browse to https followed by the Transparent mode management IP address The default FortiGate Transparent mode management IP address is 10 10 10 1 To change the Management IP 1 Go to System Network Management 2 Enter the management IP address and netmask that you recorded in Table 8 on page 38 3 Select access methods and logging for any interfaces as required 4...

Page 39: ...terface through a router make sure that you have added a default gateway for that router to the management IP default gateway field Using the command line interface As an alternative to the web based manager or setup wizard you can begin the initial configuration of the FortiGate unit using the command line interface CLI To connect to the CLI see Connecting to the command line interface CLI on pag...

Page 40: ...onfirm that the address is correct Enter get system manageip The CLI lists the management IP address and netmask To configure DNS server settings 1 Set the primary and secondary DNS server IP addresses Enter config system dns set primary address_ip set secondary address_ip end Example config system dns set primary 293 44 75 21 set secondary 293 44 75 22 end To configure the default gateway 1 Make ...

Page 41: ... management computer to 10 10 10 2 Connect to the internal or DMZ interface and browse to https followed by the Transparent mode management IP address The default FortiGate Transparent mode management IP address is 10 10 10 1 To start the setup wizard 1 Select Easy Setup Wizard the middle button in the upper right corner of the web based manager 2 Use the information that you gathered in Table 8 o...

Page 42: ...ng to an external firewall or router DMZ for connecting to another network segment To connect the FortiGate unit running in Transparent mode 1 Connect the Internal interface to the hub or switch connected to your internal network 2 Connect the External interface to network segment connected to the external firewall or router Connect to the public switch or router provided by your Internet Service ...

Page 43: ...y adjust clock for daylight saving changes check box 5 Select Set Time and set the FortiGate system date and time 6 Set the hour minute second month day and year as required 7 Select Apply To use NTP to set the FortiGate date and time 1 Go to System Config Time 2 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date 3 Enter the ...

Page 44: ...em Maintenance Update Center 2 Select Refresh to test the FortiGate unit connectivity with the FortiProtect Distribution Network FDN To be able to connect to the FDN the FortiGate unit default route must point to a network such as the Internet to which a connection to the FDN can be established If FortiProtect Distribution Network changes to Available then the FortiGate unit can connect to the FDN...

Page 45: ...e steps for changing the priorities of heartbeat devices or for configuring monitor priorities settings Both of these HA settings should be configured after the cluster is up and running Configuring FortiGate units for HA operation A FortiGate HA cluster consists of two or more FortiGate units with the same HA configuration This section describes how to configure each of the FortiGate units to be ...

Page 46: ...n the cluster get the same virtual MAC address This virtual MAC address is set according to the group ID Group ID MAC Address 0 00 09 0f 06 ff 00 1 00 09 0f 06 ff 01 2 00 09 0f 06 ff 02 3 00 09 0f 06 ff 03 63 00 09 0f 06 ff 3f If you have more than one HA cluster on the same network each cluster should have a different group ID If two clusters on the same network have same group ID the duplicate M...

Page 47: ... using switches select Least connection to distribute traffic to the cluster unit with the fewest concurrent connections Round Robin Round robin load balancing If the FortiGate units are connected using switches select round robin to distribute traffic to the next available cluster unit Weighted Round Robin Weighted round robin load balancing Similar to round robin but weighted values are assigned...

Page 48: ... Once all of the units are configured continue with Connecting the cluster to your networks on page 49 11 If you are configuring a Transparent mode cluster reconnect to the web based manager You may have to wait a few minutes before you can reconnect 12 Go to System Status 13 Select Change to Transparent Mode and select OK to switch the FortiGate unit to Transparent mode 14 Allow the FortiGate uni...

Page 49: ... all the FortiGate units in the cluster Once all of the units are configured continue with Connecting the cluster to your networks on page 49 3 If you are configuring a Transparent mode cluster switch the FortiGate unit to Transparent mode config system global set opmode transparent end 4 Allow the FortiGate unit to restart in Transparent mode and then power off the FortiGate unit 5 Repeat this pr...

Page 50: ...p and negotiation all network traffic is dropped To connect the cluster 1 Connect the cluster units Connect the internal interfaces of each FortiGate unit to a switch or hub connected to your internal network Connect the external interfaces of each FortiGate unit to a switch or hub connected to your external network Connect the DMZ interfaces of the FortiGate units to another switch or hub Figure ...

Page 51: ...ll of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster Because of this synchronization you configure and manage the HA cluster instead of managing the individual FortiGate units in the cluster You can configure and manage the cluster by connecting to the cluster web based manager using any cluster interface configured for HTTPS administrativ...

Page 53: ...r service 10 H HA configuring FortiGate units for HA operation 45 connecting an HA cluster 49 51 High availability 45 HTTPS 6 I internal network configuring 34 IP addresses configuring from the CLI 39 M management IP address transparent mode 40 N NAT Route mode configuration from the CLI 28 NTP 34 43 NTP server 34 43 P power requirements 12 powering on 13 S set time 34 43 setup wizard 26 31 38 41 ...
