System Admin: Administrators

FortiGate-1000A/FA2 Administration Guide, 01-28011-0254-20051115, page 125

This chapter describes:

Administrators

Access profiles

Administrators

Use the admin account or an account with system configuration read and write 
privileges to add new administrator accounts and control their permission levels.

Administrators list

Figure 46: Administrators list

Administrators options

Figure 47: Administrator account configuration

Create New: Add an administrator account.

Name: The login name for an administrator account.

Trusted hosts: The trusted host IP address and netmask from which the administrator can log in.

Permission: The permission profile for the administrator.

Edit or View icon: Select to edit or view the administrator account.

Delete icon: Select to delete the administrator account. You cannot delete the default admin administrator account.

Change Password icon: Select to change the password for the administrator account.
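The account options above expressed as a FortiOS CLI configuration, added here as an illustration and not taken from this guide (which documents only the web-based manager); the `config system admin` keywords (`trusthost1`, `accprofile`, `password`) and the account and profile names are assumptions.

```fortios
# Added example (not from the guide). Two administrator accounts: the trusted-host
# entries limit the addresses each account can log in from, and the access profile
# sets the account's permission level.
config system admin
    # Helpdesk account: read-only profile, may only log in from the NOC subnet
    edit "helpdesk"
        set accprofile "readonly_profile"       # assumed profile name
        set trusthost1 10.10.20.0 255.255.255.0
        set password "<set-a-strong-password>"  # placeholder
    next
    # Network administrator: full-access profile, restricted to two management hosts
    edit "netadmin"
        set accprofile "prof_admin"             # assumed profile name
        set trusthost1 10.10.20.15 255.255.255.255
        set trusthost2 10.10.20.16 255.255.255.255
        set password "<set-a-strong-password>"  # placeholder
    next
end
```

A trusted host of 0.0.0.0 with netmask 0.0.0.0 matches every source address, so each account should be restricted to the management subnet or hosts it actually needs.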

Summary of Contents for FortiGate 1000A

Page 1: ...FortiGate 1000A FortiGate 1000AFA2 Administration Guide USB A2 A1 CONSOLE FortiGate 1000A FA2 Administration Guide Version 2 80 MR11 15 November 2005 01 28011 0254 20051115 ...

Page 2: ...tration Guide Version 2 80 MR11 15 November 2005 01 28011 0254 20051115 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS For technical support please visit ht...

Page 3: ...national and US Domestic distributions 20 US Domestic distribution changes 20 Document conventions 22 Fortinet documentation 23 Fortinet Knowledge Center 24 Comments on Fortinet technical documentation 24 Customer service and technical support 24 Web based manager 25 Button bar features 26 Contact Customer Support 26 Online Help 27 Easy Setup Wizard 27 Console Access 28 Logout 28 Web based manager...

Page 4: ...uting table Transparent Mode 70 Routing table list 70 Transparent mode route settings 70 VLAN overview 71 FortiGate units and VLANs 72 VLANs in NAT Route mode 72 Rules for VLAN IDs 72 Rules for VLAN IP addresses 72 Adding VLAN subinterfaces 73 VLANs in Transparent mode 74 Rules for VLAN IDs 76 Transparent mode virtual domains and VLANs 76 Transparent mode VLAN list 77 Transparent mode VLAN setting...

Page 5: ...FortiManager 120 System Admin 123 Administrators 125 Administrators list 125 Administrators options 125 Access profiles 127 Access profile list 127 Access profile options 128 System Maintenance 129 Backup and restore 129 Backing up and Restoring 130 Update center 132 Updating antivirus and attack definitions 134 Enabling push updates 137 Support 140 Sending a bug report 140 Registering a FortiGate...

Page 6: ... Router 155 Static 155 Static route list 157 Static route options 158 Policy 159 Policy route list 159 Policy route options 160 RIP 160 General 161 Networks list 162 Networks options 163 Interface list 163 Interface options 164 Distribute list 165 Distribute list options 166 Offset list 167 Offset list options 167 Router objects 168 Access list 168 New access list 169 New access list entry 169 Pre...

Page 7: ...s list 214 Address options 214 Configuring addresses 215 Address group list 216 Address group options 216 Configuring address groups 217 Service 218 Predefined service list 218 Custom service list 221 Custom service options 222 Configuring custom services 223 Service group list 224 Service group options 225 Configuring service groups 225 Schedule 226 One time schedule list 226 One time schedule op...

Page 8: ...I configuration 245 User 249 Setting authentication timeout 250 Local 250 Local user list 250 Local user options 250 RADIUS 251 RADIUS server list 251 RADIUS server options 252 LDAP 252 LDAP server list 253 LDAP server options 253 User group 255 User group list 255 User group options 256 CLI configuration 257 peer 257 peergrp 258 VPN 261 Phase 1 262 Phase 1 list 262 Phase 1 basic settings 263 Phas...

Page 9: ... 282 VPN configuration procedures 283 IPSec configuration procedures 283 PPTP configuration procedures 285 L2TP configuration procedures 285 CLI configuration 286 ipsec phase1 286 ipsec phase2 288 ipsec vip 289 IPS 293 Signature 294 Predefined signatures 295 Predefined signature list 295 Configuring predefined signatures 296 Configuring parameters for dissector signatures 298 Custom signatures 298...

Page 10: ... 318 config antivirus heuristic 319 config antivirus quarantine 320 config antivirus service http 320 config antivirus service ftp 322 config antivirus service pop3 324 config antivirus service imap 325 config antivirus service smtp 327 Web filter 329 Content block 331 Web content block list 331 Web content block options 331 Configuring the web content block list 332 URL block 332 Web URL block li...

Page 11: ... Service Spam filtering 346 FortiGuard Antispam Service options 347 Configuring the FortiGuard Antispam Service 348 FortiGuard Antispam Service CLI configuration 349 IP address 350 IP address list 350 IP address options 350 Configuring the IP address list 350 DNSBL ORDBL 351 DNSBL ORDBL list 352 DNSBL ORDBL options 352 Configuring the DNSBL ORDBL list 352 Email address 353 Email address list 353 E...

Page 12: ...366 Log filter options 367 Configuring log filters 370 Enabling traffic logging 370 High Availability cluster logging 371 Log access 371 Disk log file access 371 Viewing log messages 373 Searching log messages 375 CLI configuration 376 fortilog setting 376 syslogd setting 377 FortiGuard categories 381 Glossary 387 Index 393 ...

Page 13: ...et documentation Customer service and technical support About FortiGate Antivirus Firewalls The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include application level services such as virus protection and content filtering network level services such as firewall intrusion detection VPN and traffic shaping The FortiGate A...

Page 14: ...rvices that ensure protection against the latest viruses worms trojans and other threats around the clock Antivirus protection FortiGate ICSA certified antivirus protection scans web HTTP file transfer FTP and email SMTP POP3 and IMAP content as it passes through the FortiGate unit FortiGate antivirus protection uses pattern matching and heuristics to find viruses If a virus is found antivirus pro...

Page 15: ...age The blocked web page is replaced with a message that you can edit using the FortiGate web based manager FortiGate web content filtering also supports FortiGuard web category blocking Using web category blocking you can restrict or allow access to web pages based on content ratings of web pages You can configure URL blocking to block all or some of the pages on a web site Using this feature you...

Page 16: ...ll incoming and outgoing network traffic control encrypted VPN traffic apply antivirus protection and web content filtering block or allow access for all policy options control when individual policies are in effect accept or deny traffic to and from individual addresses control standard and user defined network services individually or in groups require users to authenticate before gaining access...

Page 17: ...us protection to VLAN tagged network and VPN traffic The FortiGate unit supports VLANs in NAT Route and Transparent mode In NAT Route mode you enter VLAN subinterfaces to receive and send VLAN packets FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit Using virtual domains one FortiGate unit can provide exclusive firewall and routing services to mul...

Page 18: ...can connect to an IPSec VPN tunnel VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network High availability Fortinet achieves high availability HA using redundant hardware and the FortiGate Clustering Protocol FGCP Each FortiGate unit in...

Page 19: ...igure and manage the FortiGate unit The web based manager supports multiple languages You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface You can use the web based manager to configure most FortiGate settings You can also use the web based manager to monitor the status of the FortiGate unit Configuration changes made using the web based manager are e...

Page 20: ...IPS to the system memory About the FortiOS International and US Domestic distributions Fortinet produces two distributions of FortiOS v3 0 an International distribution and a US Domestic distribution The International distribution is available to users outside of the United States and the US Domestic distribution is available to all users including users in the United States The main difference be...

Page 21: ... to a system generated file name The system generated file name consists of the name of the of the sender email address and the name of the receiver email address separated with an underscore The system generated file name does not include a file name extension For example if the file test doc was quarantined in an email being sent from user address com to info fortinet com the file name of the qu...

Page 22: ...x_ipv6 indicates a dotted decimal IPv6 address xxx_v6mask indicates a dotted decimal IPv6 netmask xxx_ipv6mask indicates a dotted decimal IPv6 address followed by a dotted decimal IPv6 netmask Vertical bar and curly brackets to separate alternative mutually exclusive required keywords For example set opmode nat transparent You can enter set opmode nat or set opmode transparent Square brackets to i...

Page 23: ...Gate Administration Guide Provides basic information about how to configure a FortiGate unit including how to define FortiGate protection profiles and firewall policies how to apply intrusion prevention antivirus protection web content filtering and spam filtering and how to configure a VPN FortiGate online help Provides a context sensitive and searchable version of the Administration Guide in HTM...

Page 24: ...alled certificates and private keys FortiGate VLANs and VDOMs User Guide Describes how to configure VLANs and VDOMS in both NAT Route and Transparent mode Includes detailed examples Fortinet Knowledge Center Additional Fortinet technical documentation is available from the Fortinet Knowledge Center The knowledge center contains troubleshooting and how to articles FAQs technical notes and more Visi...

Page 25: ...any FortiGate interface Figure 1 Web based manager screen You can use the web based manager to configure most FortiGate settings You can also use the web based manager to monitor the status of the FortiGate unit Configuration changes made using the web based manager are effective immediately without resetting the firewall or interrupting service Once you are satisfied with a configuration you can ...

Page 26: ...pport The Contact Customer Support button opens the Fortinet support web page in a new browser window From this page you can Register your FortiGate unit Product Registration Fortinet will email you your username and password to log in to the customer support center Log in to the Customer Support Center Visit the FortiProtect Center Download virus and attack definition updates Find out about train...

Page 27: ...ew other parts of the help system as you like The help system includes a navigation pane with table of contents index and a text search function Easy Setup Wizard The FortiGate setup wizard provides an easy way to configure basic initial settings for the FortiGate unit The wizard walks through the configuration of a new administrator password FortiGate interfaces DHCP server settings internal serv...

Page 28: ... computer must have Java version 1 3 or higher installed For information on how to use the CLI see the FortiGate CLI Reference Guide Figure 4 Console access Logout The Logout button immediately logs you out of the web based manager Log out before you close the browser window If you simply close the browser or leave the web based manager you remain logged in until the idle timeout default 5 minutes...

Page 29: ...the tab like this 1 Go to System Network Interface Figure 5 Parts of the web based manager Web based manager menu The menu provides access to configuration options for all major features of the FortiGate unit Tabs Menu Page Button bar Status bar System Configure system facilities such as network interfaces virtual domains DHCP services time and set system options Router Configure the router Firewa...

Page 30: ...based manager has icons in addition to buttons to enable you to interact with the system There are tooltips to assist you in understanding the function of the icon Pause the mouse pointer over the icon to view the tooltip The following table describes the icons that you will see in the web based manager IPS Configure the intrusion prevention system Antivirus Configure antivirus protection Web Filt...

Page 31: ... one virtual domain For information about virtual domains see System Virtual Domain on page 145 Download or Backup Download a log file or back up a configuration file Edit Edit a configuration This icon appears in lists where you have write permission on the page Go Do a search Insert Policy before Create a new policy to precede the current one Move to Move item in list Next page View next page of...

Page 32: ...he same order as the web based manager menu There is a chapter for each item in the System menu followed by a chapter for each of the remaining top level menu items System Status System Network System DHCP System Config System Admin System Maintenance System Virtual Domain Router Firewall User VPN IPS Antivirus Web filter Spam filter Log Report FortiGuard categories ...

Page 33: ...the system dashboard for a snap shot of the current operating status of the FortiGate unit All FortiGate administrators with read access to system configuration can view system status information On HA clusters the Status page shows the status of the primary unit To view status information for all members of the cluster go to System Config HA and select Cluster Members For more information see HA ...

Page 34: ...t of them The following types of messages can appear in the Alert Message Console Automatic Refresh Interval Select to control how often the web based manager updates the system status display Go Select to set the selected automatic refresh interval Refresh Select to manually update the system status display System restart The system restarted The restart could be due to operator action or power o...

Page 35: ...memory for the duration of time shown Depending on model and configuration content can be blocked or pass unscanned under these conditions UP Time The time in days hours and minutes since the FortiGate unit was last started System Time The current time according to the FortiGate unit internal clock Log Disk Displays hard disk capacity and free space if the FortiGate unit contains a hard disk or No...

Page 36: ...nstalled version of the FortiGuard AV Definitions FortiGuard Intrusion Definitions The current installed version of the FortiGuard Intrusion Definitions used by the Intrusion Prevention System IPS Serial Number The serial number of the current FortiGate unit The serial number is specific to the FortiGate unit and does not change with firmware upgrades Operation Mode The operation mode of the curre...

Page 37: ... for HTTPS connections to the web based manager is excluded Hard Disk Usage The current hard disk local disk status if the unit has a hard disk The web based manager displays hard disk usage for core processes only Hard disk usage for management processes for example for HTTPS connections to the web based manager is excluded Active Sessions The number of communications sessions being processed by ...

Page 38: ... In the Host Name field of the Unit Information section select Change 3 In the New Name field type a new host name 4 Select OK The new host name is displayed in the Host Name field and in the CLI prompt and is added to the SNMP System Name To update the firmware version For information on updating the firmware see Changing the FortiGate firmware on page 41 Network Utilization History Network utili...

Page 39: ...tatus 3 In the Attack Definitions field of the Unit Information section select Update The Intrusion Detection System Definitions Update dialog box appears 4 In the Update File field type the path and filename for the attack definitions update file or select Browse and locate the attack definitions update file 5 Select OK to copy the attack definitions update file to the FortiGate unit The FortiGat...

Page 40: ...e 4 Select OK The FortiGate unit changes operation mode 5 To reconnect to the web based manager you must connect to the interface configured by default for management access By default in NAT Route mode you can connect to port1 The default port1 IP address is 192 168 1 99 Session list The session list displays information about the communications sessions currently being processed by the FortiGate...

Page 41: ...IP Set destination IP address for list filtering To Port Set destination port for list filtering Apply Filter Select to filter session list Virtual Domain Select a virtual domain to list the sessions being processed by that virtual domain Select All to view sessions being processed by all virtual domains Total Sessions Total number of sessions currently being conducted through the FortiGate unit R...

Page 42: ...use this procedure you must connect to the CLI using the FortiGate console port and a null modem cable This procedure reverts the FortiGate unit to its factory default configuration Testing a new firmware image before installing it Use this procedure to test a new firmware image before installing it To use this procedure you must connect to the CLI using the FortiGate console port and a null modem...

Page 43: ...ss of the TFTP server is 192 168 1 168 execute ping 192 168 1 168 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit execute restore image name_str tftp_ipv4 Where name_str is the name of the firmware image file and tftp_ip is the IP address of the TFTP server For example if the firmware image file name is FGT_300 v280 build183 FORTINET out and the ...

Page 44: ...vert the FortiGate unit to its factory default configuration and deletes IPS custom signatures web content lists email filtering lists and changes to replacement messages Before beginning this procedure you can Back up the FortiGate unit configuration Back up the IPS custom signatures Back up web content and email filtering lists For information see Backing up and Restoring on page 130 If you are ...

Page 45: ...re on page 129 10 Update antivirus and attack definitions For information about antivirus and attack definitions see To update antivirus and attack definitions on page 135 Reverting to a previous firmware version using the CLI This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures web content lists email filtering lists and changes to repla...

Page 46: ...image FGT_300 v280 build158 FORTINET out 192 168 1 168 The FortiGate unit responds with the message This operation will replace the current firmware version Do you want to continue y n 6 Type y The FortiGate unit uploads the firmware image file After the file uploads a message similar to the following is displayed Get image from tftp server OK Check image OK This operation will downgrade the curre...

Page 47: ...Restoring on page 130 Back up the IPS custom signatures For information see Backing up and restoring custom signature files on page 300 Back up web content and email filtering lists For information see Web filter on page 329 and Spam filter on page 343 If you are reverting to a previous FortiOS version for example reverting from FortiOS v2 80 to FortiOS v2 50 you might not be able to restore your ...

Page 48: ...ad Boot Image FortiGate unit running v3 x BIOS Press any key to display configuration menu Immediately press any key to interrupt the system startup If you successfully interrupt the startup process one of the following messages appears FortiGate unit running v2 x BIOS Enter TFTP Server Address 192 168 1 168 Go to step 9 FortiGate unit running v3 x BIOS G Get firmware image from TFTP server F Form...

Page 49: ...image and restarts The installation might take a few minutes to complete Restoring the previous configuration Change the internal interface address if required You can do this from the CLI using the command config system interface edit internal set ip address_ipv4mask set allowaccess ping https ssh telnet http end After changing the interface address you can access the FortiGate unit from the web ...

Page 50: ... port3 To test a new firmware image 1 Connect to the CLI using a null modem cable and FortiGate console port 2 Make sure the TFTP server is running 3 Copy the new firmware image file to the root directory of the TFTP server 4 Make sure that port1 is connected to the same network as the TFTP server You can use the following command to ping the computer running the TFTP server For example if the TFT...

Page 51: ...to the FTP server The IP address must be on the same network as the TFTP server but make sure you do not use the IP address of another device on this network The following message appears Enter File Name image out 11 Enter the firmware image file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear FortiGate unit ru...

Page 52: ...P server is running 3 Copy the new firmware image file to the root directory of your TFTP server 4 To confirm that the FortiGate unit can connect to the TFTP server use the following command to ping the computer running the TFTP server For example if the IP address of the TFTP server is 192 168 1 168 execute ping 192 168 1 168 5 Enter the following command to restart the FortiGate unit execute reb...

Page 53: ...starts When the FortiGate unit restarts it is running the previously installed firmware version Switching to the backup firmware image Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed When you switch the FortiGate unit to the backup firmware image the FortiGate unit operates using the configuration that was saved with that firm...

Page 54: ...e null modem cable and FortiGate console port 2 Enter the following command to restart the FortiGate unit execute reboot As the FortiGate units starts a series of system startup messages are displayed When the following message appears Press any key to enter configuration menu 3 Immediately press any key to interrupt the system startup If you successfully interrupt the startup process the followin...

Page 55: ...zones to the FortiGate network configuration Interface Zone Management DNS Routing table Transparent Mode VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiGate IPv6 support Interface In NAT Route mode go to System Network Interface to configure FortiGate interfaces and to add and configure VLAN subinterfaces For information about VLANs in NAT Route mode see VLANs in NAT Route m...

Page 56: ...indicate that the interface can be connected to any network for example port1 port2 and portx If you have added VLAN subinterfaces they also appear in the name list below the physical interface that they have been added to See VLAN overview on page 71 IP The current IP address of the interface Netmask The netmask of the interface Access The administrative access configuration for the interface See...

Page 57: ...for dynamic DNS services To add a secondary IP address To add a ping server to an interface To control administrative access to an interface To change the MTU size of the packets leaving an interface To configure traffic logging for connections to an interface Name The name of the Interface Interface Select the name of the physical interface to add the VLAN subinterface to All VLAN subinterfaces m...

Page 58: ...ortiGate unit to send the DHCP request Note Where you can enter both an IP address and a netmask in the same field you can use the short form of the netmask For example 192 168 1 100 255 255 255 0 can also be entered as 192 168 1 100 24 Distance Enter the administrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the r...

Page 59: ...of them Otherwise this IP address can be the same as the IP address of another interface or can be any IP address Initial Disc Timeout Initial discovery timeout The time to wait before retrying to start a PPPoE discovery Set Initial Disc to 0 to disable Initial PADT timeout Initial PPPoE Active Discovery Terminate PADT timeout in seconds Use this timeout to shut down the PPPoE session if it is idl...

Page 60: ...administrators can connect You can select the following administrative access options Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server Disable this option if you are configuring the interface offline Status Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information Select Stat...

Page 61: ...de the MTU size can be from 576 to 1492 bytes Log Select Log to record logs for any traffic to or from the interface To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower Go to Log Report Log Config to configure logging locations and types For information about logging see Log Report on page 361 HTTP To allow HTTP connect...

Page 62: ...aces Bringing down a physical interface also brings down the VLAN subinterfaces associated with it 1 Go to System Network Interface The interface list is displayed 2 Select Bring Down for the interface that you want to stop To start up an interface that is administratively down You can start up physical interfaces and VLAN subinterfaces Starting a physical interface does not start the VLAN subinte...

Page 63: ...tic IP address of any FortiGate interface 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Set Addressing Mode to Manual 4 Change the IP address and Netmask as required 5 Select OK to save your changes If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit you must reconnect to the web based manager using the new interface IP...

Page 64: ...er IP address from the PPPoE server 9 Select the Connect to Server check box if you want the FortiGate unit to connect to the PPPoE server 10 Select Apply The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address netmask and optionally default gateway IP address and DNS server IP addresses 11 Select Status to refresh the addressing mode status message 12 Sele...

Page 65: ...cess to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet However allowing remote administration from the Internet could compromise the security of your F...

Page 66: ...ctions to and from this zone rather than to and from each interface and VLAN subinterface You can add zones rename and edit zones and delete zones from the zone list When you add a zone you select the names of the interfaces and VLAN subinterfaces to add to the zone Zones are added to virtual domains If you have added multiple virtual domains to your FortiGate configuration make sure you are confi...

Page 67: ... delete zones that have the Delete icon beside them in the zone list 1 If you have added a virtual domain go to System Virtual Domain Current Virtual Domain and select the virtual domain from which to delete the zone 2 Go to System Network Zone 3 Select Delete to remove a zone from the list 4 Select OK to delete the zone To edit a zone 1 If you have added a virtual domain go to System Virtual Doma...

Page 68: ...rom any location on the Internet However allowing remote administration from the Internet could compromise the security of the FortiGate unit You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration To improve the security of a FortiGate unit that allows remote administration from the Internet Use secure administrativ...

Page 69: ...t IP DNS Several FortiGate functions including Alert E mail and URL blocking use DNS You can add the IP addresses of the DNS servers to which your FortiGate unit can connect DNS server IP addresses are usually supplied by your ISP Figure 18 DNS To add DNS server IP addresses 1 Go to System Network DNS 2 Change the primary and secondary DNS server IP addresses as required 3 Select Apply to save the...

Page 70: ...ute number IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the next hop router to which this route directs traffic Distance The the relative preferability of this route 1 is most preferred Delete icon Select to remove a route View edit icon Select to view or edit a route Move To icon Select to change the order of a route in the list Destinatio...

Page 71: ...LAN segregates devices logically instead of physically Each VLAN is treated as a broadcast domain Devices in VLAN 1 can connect with other devices in VLAN 1 but cannot connect with devices in other VLANs The communication among devices on a VLAN is independent of the physical network A VLAN segregates devices by adding 802 1Q VLAN tags to all of the packets sent and received by the devices in the ...

Page 72: ...ng VLAN trunks between an IEEE 802 1Q compliant switch or router and the FortiGate unit Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch and the external interface connects to an upstream Internet router untagged The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface In this configuration yo...

Page 73: ...LAN ID can be any number between 1 and 4096 Each VLAN subinterface must also be configured with its own IP address and netmask You add VLAN subinterfaces to the physical interface that receives VLAN tagged packets To add a VLAN subinterface in NAT Route mode 1 Go to System Network Interface 2 Select Create New to add a VLAN subinterface 3 Enter a Name to identify the VLAN subinterface 4 Select the...

Page 74: ...LAN packets See Address on page 213 3 Go to Firewall Policy 4 Add firewall policies as required VLANs in Transparent mode In Transparent mode the FortiGate unit can apply firewall policies and services such as authentication protection profiles and other firewall features to traffic on an IEEE 802 1 VLAN trunk You can insert the FortiGate unit operating in Transparent mode into the trunk without m...

Page 75: ...nation interface to the packet based on its destination MAC address The firewall policies for this source and destination VLAN subinterface pair are applied to the packet If the packet is accepted by the firewall the FortiGate unit forwards the packet to the destination VLAN subinterface The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk F...

Page 76: ...faces Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains By default the FortiGate configuration includes one virtual domain named root and you can add as many VLAN subinterfaces as you require to this virtual domain You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains For information o...

Page 77: ...terface. Virtual Domain: Select a virtual domain to display the VLAN interfaces added to this virtual domain. Name: The name of the interface or VLAN subinterface. Access: The administrative access configuration for the interface. See To control administrative access to an interface on page 65 for information about administrative access options. Status: The administrative status for the interface. If the ad...

Page 78: ...le using a Dynamic DNS service (DDNS). If the FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes. 8. Configure the administrative access and log settings as you would for any FortiGate interface. See Interface settings on page 56 for more descriptions of these setting...

Page 79: ...static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference Guide for information on the following commands. Table 2: IPv6 CLI commands. Feature / CLI Command: Interface configuration, including periodic router advertisements: config syst...


Page 81: ...ange, IP/MAC binding, Dynamic IP. Service: Go to System > DHCP > Service to configure the DHCP service provided by each FortiGate interface. You can configure each interface to be a DHCP relay or a DHCP server, or you can turn off DHCP services. Figure 27: DHCP service list. Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface...

Page 82: ...2. Select Edit for the interface that you want to be a DHCP relay agent. 3. Select DHCP Relay Agent. 4. Set Type to Regular. 5. Enter the DHCP Server IP address. 6. Select OK. Interface: The name of the interface. None: No DHCP services provided by the interface. DHCP Relay Agent: Select to configure the interface to be a DHCP relay agent. Type: Select the type of DHCP relay agent. Regular: Configure the interface t...

Page 83: ...See To configure a DHCP server for an interface on page 85. Server: You can configure one or more DHCP servers for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface. You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks. For more information see To conf...

Page 84: ...r assigns to DHCP clients. Lease Time: Select Unlimited for an unlimited lease time, or enter the interval in days, hours and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days. DNS Server: Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients. WINS Server: Add the IP addresses of one or two W...

Page 85: ...figuration using DHCP. The IP range of each DHCP server must match the subnet addresses. 2. Configure the routers for DHCP relay. 3. Add multiple DHCP servers to the interface, one for each subnet. When a computer on one of the connected subnets sends a DHCP request, it is relayed to the FortiGate interface by the router using DHCP relay. The FortiGate unit selects the DHCP server configuration with an IP...

Page 86: ...ss and an IP address to the IP/MAC binding list, the DHCP server always assigns this IP address to the MAC address. IP/MAC binding pairs apply to all FortiGate DHCP servers. Figure 33: IP/MAC binding list. Starting IP: The starting IP of the exclude range. Ending IP: The ending IP of the exclude range. Delete: Delete an exclude range. Edit/View icon: View or modify an exclude range. Starting IP: Enter the start...

Page 87: ...e addresses. To view the dynamic IP list: 1. Go to System > DHCP > Dynamic IP. 2. Select the interface for which you want to view the list. Delete icon: Delete an IP/MAC binding pair. Edit/View icon: View or modify an IP/MAC binding pair. Name: Enter a name for the IP/MAC address pair. IP Address: Enter the IP address for the IP and MAC address pair. The IP address must be within the configured IP range. MAC Address...


Page 89: ...Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate. You can either manually set the FortiGate system time, or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. Figure 35: System time. System Time: The current FortiGate system date and time. Refresh...

Page 90: ...including the idle timeout and authentication timeout; the language displayed by the web-based manager; front control buttons and LCD PIN protection; dead gateway detection interval and failover detection. Automatically adjust clock for daylight saving changes: Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automaticall...

Page 91: ...ated connection can be idle before the user must authenticate again. The maximum authtimeout is 480 minutes (8 hours). The default Auth Timeout is 15 minutes. For more information see Setting authentication timeout on page 250. Language: Select a language for the web-based manager to use. Choose from English, Simplified Chinese, Japanese, Korean or French. LCD Panel: Select the PIN Protection check box and typ...

Page 92: ...stem > Config > Options. 2. For Detection Interval, type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target. 3. For Fail-over Detection, type the number of times that the connection test fails before the FortiGate unit assumes that the gateway is no longer functioning. 4. Select Apply. HA: Go to System > Config > HA to configure the FortiGate unit for High Availability...

Page 93: ...s high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must be running the same FortiOS firmware image. The FortiGate units i...

Page 94: ...FortiGate HA active-active cluster load balances virus scanning sessions among all cluster units. All other traffic is processed by the primary unit. Using the CLI, you can configure the cluster to load balance TCP traffic and virus scanning traffic among all cluster units. See To configure load balancing TCP and virus scanning traffic on page 104. When a cluster is operating in active-active mode in...

Page 95: ...and L2TP pass through. However, during an HA failover event any active PPTP and L2TP sessions are lost and must be restarted after the failover. HA configuration: Go to System > Config > HA and use the options described below to configure HA: Standalone Mode, High Availability, Cluster Members, Mode, Group ID, Unit Priority, Override Master, Password, Schedule, Priorities of Heartbeat Device, Heartbeat device IP add...

Page 96: ...is from 0 to 63. All cluster units must have the same group ID. When the FortiGate units are switched to HA mode, all of the interfaces of all of the cluster units acquire the same virtual MAC address. This virtual MAC address is set according to the group ID. Table 3 lists the virtual MAC address set for each group ID. If you have more than one HA cluster on the same network, each cluster should have a...

Page 97: ...unit. Enable override master for the cluster unit that you have given the highest unit priority. Enabling override master means that this cluster unit always becomes the primary unit. In a typical FortiGate cluster configuration the primary unit is selected automatically. In some situations you might want to control which unit becomes the primary unit. You can configure a FortiGate unit as the permane...

Page 98: ...tination IP of each packet processed by the cluster. Least Connection: Least connection load balancing. If the cluster units are connected using switches, select Least Connection to distribute network traffic to the cluster unit currently processing the fewest connections. Round Robin: Round robin load balancing. If the cluster units are connected using switches, select Round Robin to distribute network t...

Page 99: ...le amount of network bandwidth. If possible, enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on interfaces connected to less busy networks. Change the heartbeat device priorities as required to control the interface that is used for heartbeat traffic and the interface to which heartbeat traffic reverts if the interface with the highest heartbeat priority fails or is di...

Page 100: ...FortiGate interface to verify that the interface is functioning properly and connected to its network. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster. The cluster reroutes the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new pr...

Page 101: ...e FortiGate unit a unique host name. See To change FortiGate host name on page 38. Use host names to identify individual cluster units. 4. Go to System > Config > HA. 5. Select HA. 6. Select the HA mode. 7. Select a Group ID for the cluster. The Group ID must be the same for all FortiGate units in the HA cluster. 8. Optionally change the Unit Priority. See Unit Priority on page 97. 9. If required, select Override mast...

Page 102: ...interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual...

Page 103: ...in the cluster. 2. If the cluster is running in Transparent mode, change the operating mode of the new cluster unit to Transparent mode. 3. Connect the new cluster unit to the cluster. 4. Power on the new cluster unit. When the unit starts, it negotiates to join the cluster. After it joins the cluster, the cluster synchronizes the new unit configuration with the configuration of the primary unit. To configure...

Page 104: ...his command has the following results: The first connection is processed by the primary unit (priority 0, weight 1). The next three connections are processed by the first subordinate unit (priority 1, weight 3). The next three connections are processed by the second subordinate unit (priority 2, weight 3). The subordinate units process more connections than the primary unit, and both subordinate units on averag...

Page 105: ...ue host name to help to identify cluster members. Individual cluster units are also identified by their serial number. You can identify the role of a cluster unit from the front panel LCD. On the primary unit the LCD displays primary. On the subordinate units the LCD displays slave priority_id. The priority_id is the priority that the subordinate unit has in the cluster. If there are three units in the...

Page 106: ...ds since the cluster unit was last started. Monitor: Displays system status information for each cluster unit. CPU Usage: The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. Memory Usage: The current memory status of each cluster unit. The web...

Page 107: ...replaced with a new primary unit. The cluster contains fewer FortiGate units. The failed primary unit no longer appears on the Cluster Members list. The host name and serial number of the primary cluster unit changes. The new primary unit logs the following messages to the event log: HA slave became master; Detected HA member dead. If a subordinate unit fails, the cluster continues to function normally. Fa...

Page 108: ...ecute ha manage command to log into the CLI of any of the other subordinate units in the cluster. SNMP: You can configure the FortiGate SNMP agent to report system information and send traps (alarms or event messages) to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. The FortiGate SNMP imple...

Page 109: ...scription can be up to 35 characters long. Location: Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long. Contact: Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters long. Apply: Save changes made to the description, location and contact information. Create New: Sel...

Page 110: ...his SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP mana...

Page 111: ...ct Apply. To enable SNMP and configure basic SNMP settings: 1. Go to System > Config > SNMP v1/v2c. 2. Select the Enable check box to enable the FortiGate SNMP Agent. 3. Configure the following SNMP settings: Description, Location and Contact. 4. Select Apply. 5. Add one or more SNMP communities. To add an SNMP community: 1. Go to System > Config > SNMP v1/v2c. 2. Select Create New. 3. Enter a Community Name to identify the...

Page 112: ...e fortinet.trap.2.80.mib onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number. Table 7: FortiGate MIBs. MIB file name or RFC / Description: fortinet.2.80.mib: The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information. Add this MIB to your SNMP manager to monitor all FortiGate configuration settings. For more infor...

Page 113: ...interface and the serial number of the FortiGate unit. This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE. Table 10: FortiGate VPN traps. Trap message / Description: VPN tunnel is up (fnTrapVpnTunUp): An IPSec VPN tunnel started. VPN tunnel down (fnTrapVpnTunDown): An IPSec VPN tunnel shuts down. Table 11: FortiGate IPS traps. Tra...

Page 114: ...hite/black list is full. Table 14: FortiGate logging traps. Trap message / Description: Flag event count (fnTrapFlgEventCount): FortiLog events number exceeds limit. Log full (fnTrapLogFull): On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log-to-memory usage exceeds 90%. Table 15: FortiGate HA traps. Trap message / Description: HA state (fnTrapHaStateChan...

Page 115: ...riority of the individual FortiGate unit in a cluster. fnHaOverride: The master override setting (enable or disable) for an individual FortiGate unit in a cluster. fnHaAutoSync: Auto config synchronization flag. fnHaSchedule: Load balancing schedule for A-A mode. fnHaStatsTable: Statistics for the individual FortiGate unit in the HA cluster. fnHaStatsIndex: The index number of the unit in the cluster. fnHaStat...

Page 116: ...Index: Local user account index number. fnUserName: The user name of the local user account. fnUserAuth: The authentication type for the local user: local, a password stored on the FortiGate unit; radius single, a password stored on a RADIUS server; radius multiple, any user who can authenticate on the RADIUS server can log on; ldap, a password stored on an LDAP server. fnUserState: Whether the local user is ena...

Page 117: ...otocol (TCP, UDP, ICMP, etc.) of the session. fnIpSessFromAddr: The source IP address of the active IP session. fnIpSessFromPort: The source port of the active IP session. fnIpSessToPort: The destination IP address of the active IP session. fnIpSessToAddr: The destination port of the active IP session. fnIpSessExpiry: The expiry time, or time to live in seconds, for the session. Table 24: Dialup VPNs. MIB field / Descri...

Page 118: ...ssage that you want to change, select Edit. 4. Edit the content of the message. Name: The type of replacement message. You can change messages added to email, web pages in HTTP traffic, messages that are displayed to FTP users, alert mail messages, messages added to SMTP email, and messages added to web pages blocked by web filter category blocking. Description: Description of the replacement message type. The...

Page 119: ...be a file that contained a virus or was blocked by antivirus file blocking. QUARFILENAME can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk. URL: The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. URL can also be used in HTTP virus and file block messages to be the URL of the web page from w...

Page 120: ...e blank. The FILE variable is still available. If you add FILE to the mail virus message (splice mode) replacement message, FILE will always add "no filename" to replacement messages generated for viruses found in SMTP email. For other email protocols, FILE adds the name of the infected file to the replacement message. FortiManager: Configure the FortiGate unit for IPSec communication between the FortiGate u...

Page 121: ...Figure 45: FortiManager configuration. Enable FortiManager: Enable secure IPSec VPN communication between the FortiGate unit and a FortiManager Server. FortiManager ID: Enter the serial number of the FortiManager server. FortiManager IP: Enter the IP address of the FortiManager Server. ...


Page 123: ...s that each access control category controls. Read access enables the administrator to view the web-based manager page. The administrator needs write access to change the settings on the page. The access profile has a similar effect on administrator access to CLI commands. The following table shows which commands are available in each access control category with read and write permission. If the get c...

Page 124: ...og & Report: Read: get alertemail, get log, execute enter. Write: config alertemail, config log, execute enter. Security Policy: Read: get antivirus, get firewall, get ips, get spamfilter, get vpn, get webfilter, execute enter, execute vpn. Write: config antivirus, config firewall, config ips, config spamfilter, config vpn, config webfilter, execute enter, execute vpn. Auth Users: Read: get user, execute enter. Write: config user, exec enter. Admin Users: Read: get system...

Page 125: ...st. Administrators options. Figure 47: Administrator account configuration. Create New: Add an administrator account. Name: The login name for an administrator account. Trusted hosts: The trusted host IP address and netmask from which the administrator can log in. Permission: The permission profile for the administrator. Edit or View icon: Select to edit or view the administrator account. Delete icon: Select to...

Page 126: ...rity of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255. Administrator: Enter the login name for the administrator account. Password: Type...

Page 127: ...You can create access profiles that deny access, or allow read-only or both read and write access, to FortiGate features. When an administrator has only read access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons, and lists display only the View icon instead of icons for Edit, Delete...

Page 128: ...ssage features. To allow an administrator to modify these features, enable both Read and Write. Log & Report: Select Read to allow an administrator to view log setting, log access and alert email features. To allow an administrator to modify these features, enable both Read and Write. Security Policy: Select Read to allow an administrator to view the firewall, VPN, IPS and antivirus features. To allow an admini...

Page 129: ...web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files. Figure 51: Backup and restore list. Category: The list of files that can be backed up and restored. Latest Backup: The date and time of the last backup. The Restore, Upload Backup and Reset to factory default icons. All Confi...

Page 130: ...system to its original configuration, including resetting interface addresses. This procedure does not change the firmware version or the antivirus or attack definitions. Debug Log: Download debug log. Web Filtering: Web Content Block: Restore or back up the Web Content Block list. Web URL Block List: Restore or back up the Web URL Block list. Web URL Exempt List: Restore or back up the Web URL Exempt list. S...

Page 131: ...ile, or select Browse and locate the file. 4. Select OK. If you restore the system configuration, the FortiGate unit restarts, loading the new system settings. You should then reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect. 5. Select Return. This step does not apply if you restore the system configuration. To back up VPN certifi...

Page 132: ...t 9443. To receive push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For information about configuring push updates, see To enable push updates on page 137. The FDN is a world-wide network of FortiProtect Distribution Servers (FDSs). When the FortiGate unit connects to the FDN, it connects to the nearest FDS. To do this, all FortiGate units are programmed with a l...

Page 133: ...t registered the FortiGate unit (see To register a FortiGate unit on page 142), if there is a NAT device installed between the FortiGate unit and the FDN (see Enabling push updates through a NAT device on page 138), or if your FortiGate unit connects to the Internet using a proxy server (see To enable scheduled updates through a proxy server on page 136). Refresh: When you select Refresh, the FortiGate unit...

Page 134: ...new updates were installed. Other messages can indicate that the FortiGate was not able to connect to the FDN, and other error conditions. Allow Push Update: Select this check box to allow automatic updates of the FortiGate unit. Use override push IP: Select this check box and enter the override IP address and port number. Override push IP addresses and ports are used when there is a NAT device between t...

Page 135: ...ng to check for and download updates. 4. Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log. To add an override server: If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiProtect server, y...

Page 136: ...proxy server is: config system autoupdate tunneling / set address <proxy_address_ip> / set port <proxy_port> / set username <username_str> / set password <password_str> / set status enable / end. For example, if the IP address of the proxy server is 67.35.50.34, its port is 8080, the user name is proxy_user and the password is proxy_pwd, enter the following command: config system autoupdate tunneling / set address 67.35.50.3...

Page 137: ...test updates. Enabling push updates is not recommended as the only method for obtaining updates. The FortiGate unit might not receive the push notification. Also, when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates. To enable push updates: 1. Go to System > Maintenance > Update center. 2. Select Allow Push Update. 3. Select Apply. Push updates...

Page 138: ...rding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using either port 9443 or an override push port that you specify. General procedure: Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates. 1. Add a port forward...

Page 139: ...following settings. 3. Select OK. To configure the FortiGate unit on the internal network: 1. Go to System > Maintenance > Update center. 2. Select the Allow Push Update check box. 3. Select the Use override push check box. 4. Set IP to the external IP address added to the virtual IP. 5. Set Port to the external service port added to the virtual IP. 6. Select Apply. The FortiGate unit sends the override push IP addre...

Page 140: ...Figure 54: Bug report. To report a bug: 1. Go to System > Maintenance > Support. 2. Select Report Bug. 3. Fill out the Report Bug form. 4. Select Submit. Report Bug to Fortinet: Select Report Bug to submit problems with the FortiGate unit to Fortinet Support. FDS Registration: Select FDS Registration to register the FortiGate unit with Fortinet. Bug Description: Enter a description of the problem you have encountere...

Page 141: ...ation information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason. Owners of a new FortiGate unit are entitled to 90 days of technical support services. To continue rec...

Page 142: ...ort Contracts for the FortiGate units that you want to register. 1. Go to System > Maintenance > Support. 2. Select FDS Registration. 3. Enter your contact information on the product registration form. 4. Provide a security question and an answer to the security question. 5. Select the model number of the Product Model to register. 6. Enter the Serial Number of the FortiGate unit. 7. If you have purchased a FortiCa...

Page 143: ...estart the FortiGate unit after shutdown only by turning the power off and then on. 1. Go to System > Maintenance > Shutdown. 2. Select Shutdown. 3. Select Apply. The FortiGate unit shuts down and all traffic flow stops. To reset the FortiGate unit to factory defaults: Use the following procedure to reset system settings to the values set at the factory. This procedure does not change the firmware version or th...

Page 144: ...tem > Maintenance. 3. Select Apply. The FortiGate unit restarts with the configuration that it had when it was first powered on. 4. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. ...

Page 145: ...for connections between VLAN subinterfaces or zones in the virtual domain. Packets never cross the virtual domain border. The remainder of FortiGate functionality is shared between virtual domains. This means that there is one IPS configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on, shared by all virtual domains. As well, virtual domains...

Page 146: ...gs. Physical interfaces (see To add physical interfaces to a virtual domain on page 150). VLAN subinterfaces (see To add VLAN subinterfaces to a virtual domain on page 151). Zones (see To add zones to a virtual domain on page 151). Management IP, Transparent mode (see To select a management virtual domain and add a management IP on page 150). Routing configuration: Router configuration in NAT/Route mode (see To c...

Page 147: ...ntivirus: Definitions and engine. Attack: Definitions and engine. Serial Number. Operation Mode. Network configuration: DNS settings. DHCP configuration (DHCP settings are applied per interface, no matter which virtual domain the interface has been added to). System > Config: Time, Options, HA, SNMP v1/v2c, Replacement messages, FortiManager configuration. System > Admin: Administrators, Access profiles. System > Maintenance...

Page 148: ...al domain if you want these systems to communicate with network resources that can connect to a different virtual domain. Virtual domains: Go to System > Virtual domain > Virtual domains to view and add virtual domains. Figure 56: Virtual domain list. Create New: Add a new virtual domain. Current: The name of the current virtual domain. Select Change to choose a different domain. The default virtual domain is r...

Page 149: ...omain Name. The virtual domain must not have the same name as a VLAN or zone. 4. Select OK. Selecting a virtual domain: The following procedure applies to NAT/Route and Transparent mode. To select a virtual domain to configure: 1. Go to System > Virtual domain > Virtual domains. 2. Select Change following the current virtual domain name above the table. 3. Choose the virtual domain to configure. 4. Select OK. The fo...

Page 150: ...domains: Adding interfaces, VLAN subinterfaces and zones to a virtual domain; Configuring routing for a virtual domain; Configuring firewall policies for a virtual domain; Configuring IPSec VPN for a virtual domain. Adding interfaces, VLAN subinterfaces and zones to a virtual domain. To add physical interfaces to a virtual domain: A virtual domain must contain at least two interfaces. These can be physical...

Page 151: ...subinterface from one virtual domain to another. You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it. Delete the firewall policies or remove the VLAN subinterface from the firewall policies first. If the VLAN subinterface has been added to a zone, it is removed from the zone when you move it to a different virtual domain. 1. Go to System > Network > Interf...

Page 152: ...rtual domain. To configure the routing table for a virtual domain in Transparent mode: 1. Go to System > Virtual domain > Virtual domains. 2. Select Change following the current virtual domain name above the table. 3. Choose the virtual domain for which to configure routing. 4. Select OK. 5. Go to System > Network > Routing Table. 6. Configure the routing table for the current virtual domain as required. See Routing ta...

Page 153: ...table. 3. Choose the virtual domain for which to configure firewall addresses. 4. Select OK. 5. Go to Firewall > Address. 6. Add new firewall addresses, address ranges and address groups to the current virtual domain. See Address on page 213. To add IP pools to a virtual domain: The following procedure applies to NAT/Route mode. 1. Go to System > Virtual domain > Virtual domains. 2. Select Change following the current...

Page 154: ...irtual domain. The following procedure applies to NAT/Route and Transparent mode. 1. Go to System > Virtual domain > Virtual domains. 2. Select Change following the current virtual domain name above the table. 3. Choose the virtual domain for which to configure VPN. 4. Select OK. 5. Go to VPN. 6. Configure IPSec VPN, PPTP, L2TP and certificates as required. See VPN on page 261. ...

Page 155: ...be routed. You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network. Routes having lower administrative distances are preferable and are selected first when two or more routes to the same destination network are available. The FortiGate unit routes packets using a...

Page 156: ...68.10.1. Device: Name of the interface connected to network 192.168.10.0/24 (e.g. external). Distance: 10. The Gateway setting specifies the IP address of the next-hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases there may be routers behind the FortiGate unit. If the destination IP address of a packet...

Page 157: ... Destination IP mask 192 168 30 0 24 Gateway 192 168 10 2 Device dmz Distance 10 To route packets from Network_2 to Network_1 Router_2 must be configured to use the FortiGate dmz interface as its default gateway On the FortiGate unit you would create a new static route with these settings Destination IP mask 192 168 20 0 24 Gateway 192 168 10 1 Device internal Distance 10 Static route list Figure ...

Page 158: ...he netmask for this route Gateway The IP address of the first next hop router to which this route directs traffic Device The name of the FortiGate interface through which to route traffic Distance The administrative distance for the route Delete Edit and Move to icons Delete edit or move a static route in the list Destination IP Mask Enter the destination IP address and netmask for this route The ...

Page 159: ...ate unit starts at the top of the policy routing list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic If no policy route matches the packet the FortiGate unit routes the packet using the regular routing table Policy route list Figure 62 Policy routes Create New Add a new policy route The sequ...

Page 160: ...RIP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authentication and subnet masks Protocol Match packets that have this protocol number Incoming Interface Match packets that are received on this interface Source Address Mask Match packets that have this source IP address...

Page 161: ...ess servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a route expires before RIP deletes the route If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable Ti...

Page 162: ...tributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in that network will not be advertised in RIP updates Figure 65 RIP Networks list Route map Enter the name of the route map to use for the redistributed connected routes For information on how to configure route maps see Rou...

Page 163: ...ication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by an interface Set authentication to None if Send Version or Receive Version are set to 1 or 1 2 Figure 67 RIP interface list Create New Add a new RIP interface Interface The FortiGate interface name Send Version The R...

Page 164: ... the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regular to prevent RIP from sending updates for a route back out the interface from which it received that route Select Poisoned reverse to send updates with routes learned on an interface back out the same inter...

Page 165: ...fix list If you do not specify an interface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute list to use before you configure the distribute list For more information on configuring access lists and prefix lists see Access list on page 168 and Prefix list on page 170 Figure 69 RIP Distribute li...

Page 166: ...ction The direction for the filter Filter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribute list is used for all interfaces Enable The status of this distribute list Delete and Edit icons Delete or edit a RIP distribute list Direction Set the direction for the filter Select In to filter incoming packets Select Out...

Page 167: ...virtual domain Create New Add a new offset list Direction The direction for the offset list Access list The access list to use for this offset list Offset The offset number to add to the metric for this offset list Interface The interface to match for this offset list Enable The status of this offset list Delete and Edit icons Delete or edit a RIP offset list Direction Select In to apply the offse...

Page 168: ... action to take for this prefix permit or deny and whether to match the prefix exactly or to match the prefix and any more specific prefix The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for the prefix it takes the action specified for that prefix If no match is found the default action is deny For an access list...

Page 169: ...try to edit that entry 3 Select Permit or Deny for the Action to take for the prefix in this access list entry 4 Select either Match any or Match a network address 5 If you selected Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK list Entry The access list name and the number of this entry Actio...

Page 170: ...x If no match is found the default action is deny For a prefix list to take effect it must be called by another FortiGate routing feature such as RIP or OSPF Figure 76 Prefix list New Prefix list Figure 77 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a name for the prefix list 4 Select OK Create New Add a new prefix ...

Page 171: ...r 8 Select OK Route map list Route maps are a specialized form of filter Route maps are similar to access lists but have enhanced matching criteria and in addition to permit or deny actions can be configured to make changes as defined by set statements list Entry The prefix list name and the number of this entry Action Set the action to take for this prefix to Permit or Deny Prefix Select Match an...

Page 172: ...tatements are defined in a rule all the match statements must match before the set statements can be used For a route map to take effect it must be called by another FortiGate routing feature such as RIP Figure 79 Route map list New Route map Figure 80 Route map name configuration To add a route map name 1 Go to Router Router Objects Route map 2 Select Create New 3 Enter a name for the route map 4...

Page 173: ...eny to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the selected access list or prefix list Next hop Match a route that has a next hop router address included in the selected access list or prefix list Metric Match a route with the specified metric The me...

Page 174: ... from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times See System time on page 89 for information on setting the FortiGate system date and time Figure 82 Key cha...

Page 175: ...ime select the required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key password can be up to 35 characters long Accept Lifetime Set the time period during which the key can be received Send Lifetime Set the time period during which the key can be sent Start For both...

Page 176: ...te routing table Routing monitor list Figure 85 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to display routes of all types For example select Connected to display all the directly connected routes or select RIP to display all the routes learned from RIP Type Filter the display to show routes of the s...

Page 177: ...ospf interface get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure Type Network and Gateway filters individually or in any combination router info ospf command keywords and variables Keywords Description Availability border routers Show OSPF routing table entries that have an Area Border Router ABR or Autonomo...

Page 178: ...ea A router connected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state advertisements LSAs More information on OSPF can be found in RFC 2328 Command syntax pattern config router ospf set keyword variable end config router ospf unset keyword end get router ospf show route...

Page 179: ...abase before entering the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models database overflow time to recover seconds_integer Enter the time in seconds after which the FortiGate unit will attempt to leave the overflow state If seconds_integer is set to 0 the FortiGate ...

Page 180: ...nly supports RFC 1583 When RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disable All models router id address_ipv4 Set the router ID The router ID is a unique number in IP address dotted decimal format that is used to identify an OSPF router to other OSPF routers The router ID shou...

Page 181: ...e must be a backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state databases for their own areas config area command syntax pattern config area edit id_ipv4 set keyword variable end config area edit id_ipv4 unset keyword variable end config area delete id_ipv4 end...

Page 182: ...on for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 194 none All models default cost cost_integer Enter the metric to use for the summary default route in a stub area or not so stubby area NSSA A lower default cost indicates a more preferred route The valid range for cost_integer is 1 ...

Page 183: ... NSSA You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA You can set the translator role to never to ensure this FortiGate unit ne...

Page 184: ...refix list on page 170 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete id_integer end config filter list edit id_integer get end config filter list edit id_integer show end Note Both keywords are required filter list command keywords and variables Keywords and variab...

Page 185: ...ample shows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config range Access the config range subcommand using the config area command Use the area range command to summarize routes at an area boundary If the network numbers in an area are contiguous the ABR advertises a summary route that includes all the networks within the area that ar...

Page 186: ...to display the configuration for area 15 1 1 1 Note Only the prefix keyword is required All other keywords are optional range command keywords and variables Keywords and variables Description Default Availability advertise disable enable Enable or disable advertising the specified range enable All models prefix address_ipv4mask Specify the range of addresses to summarize 0 0 0 0 0 0 0 0 All models...

Page 187: ...ual link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up between two area border routers ABRs config virtual link command syntax pattern config virtual link edit name_str set keyword variable end config virtual link edit name_str unset keyword end config virtual link delete name_str end ...

Page 188: ...y password_str Enter the password to use for text authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be set to text dead interval seconds_integer The time in seconds to wait for a hello packet before declaring a router down The value of the dead interval sho...

Page 189: ... 0 0 0 0 All models retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round trip delay for a packet The valid range for seconds_integer is 1 to 65535 5 All models transmit delay seconds_integer The estimated time in seconds required to send a link state update packet on this vi...

Page 190: ...ge 168 config distribute list command syntax pattern config distribute list edit id_integer set keyword variable end config distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Note Both keywords are required distribute list command keywords and variables Keyword...

Page 191: ...onfig distribute list edit 2 get end This example shows how to display the configuration for distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually configure an OSPF neighbor on nonbroadcast networks OSPF packets are unicast to the specified neighbor address ...

Page 192: ... keywords are optional neighbor command keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range for cost_integer is 1 to 65535 10 All models ip address_ipv4 Enter the IP address of the neighbor 0 0 0 0 All models poll interval seconds_integer Enter the time in seconds between hello packets sent to the ...

Page 193: ... interfaces config network command syntax pattern config network edit id_integer set keyword variable end config network edit id_integer unset keyword end config network delete id_integer end config network edit id_integer get end config network edit id_integer show end network command keywords and variables Keywords and variables Description Default Availability area id_ipv4 The ID number of the ...

Page 194: ...how to display the configuration for network 2 config router ospf config network edit 2 show end config ospf interface Access the config ospf interface subcommand using the config router ospf command Use this command to change interface related OSPF settings config ospf interface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edi...

Page 195: ... as plain text If you select md5 the authentication key is used to generate an MD5 hash Both text mode and MD5 mode only guarantee the authenticity of the update packet not the confidentiality of the routing information in the packet In text mode the key is sent in clear text over the network Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured ...

Page 196: ...of the interface to associate with this OSPF configuration null All models ip address_ipv4 Enter the IP address of the interface named by the interface keyword It is possible to apply different OSPF configurations for different IP addresses defined on the same interface The IP address 0 0 0 0 is not allowed 0 0 0 0 All models md5 key id_integer key_str Enter the key ID and password to use for MD5 ...

Page 197: ...ecify the non broadcast keyword you must also configure neighbors using config neighbor on page 191 broadcast All models priority priority_integer Set the router priority for this interface Router priority is used during the election of a designated router DR and backup designated router BDR An interface with router priority set to 0 cannot be elected DR or BDR The interface with the highest rout...

Page 198: ...edit test get end This example shows how to display the configuration for the OSPF interface configuration named test config router ospf config ospf interface edit test show end status disable enable Enable or disable OSPF on this interface enable All models transmit delay seconds_integer The estimated time in seconds required to send a link state update packet on this interface OSPF increments th...

Page 199: ...config redistribute rip set metric 3 set routemap rtmp2 set status enable end end This example shows how to display the OSPF settings get router ospf redistribute command keywords and variables Keywords and variables Description Default Availability metric metric_integer Enter the metric to be used for the redistributed routes The metric_integer range is from 1 to 16777214 10 All models metric typ...

Page 200: ... config summary address edit id_integer set keyword variable end config summary address edit id_integer unset keyword end config summary address delete id_integer end get router ospf show router ospf Example This example shows how to summarize routes using the prefix 10 0 0 0 255 0 0 0 Note Only the prefix keyword is required All other keywords are optional summary address command keywords and var...

Page 201: ...d netmasks and adding gateways for these destination addresses The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route The FortiGate unit assigns routes using a best match algorithm To select a route for a packet the FortiGate unit searches through the routing table for a route that best matches the destination address of the packet If a ...

Page 202: ...tic route configuration show router static6 This example shows how to display the configuration for IPv6 static route 2 show router static6 2 static6 command keywords and variables Keywords and variables Description Default Availability device interface name_str The name of the FortiGate interface through which to route traffic null All models NAT Route mode only dst destination address_ipv6mask T...

Page 203: ...N packet Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic NAT when the firewall translates source addresses You can use policies to configure port address translation PAT through the FortiGate You can add protection profiles to firewall policies to ...

Page 204: ...works When the FortiGate unit receives a connection attempt at an interface it selects a policy list to search through for a policy that matches the connection attempt The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy...

Page 205: ... 213 Schedule The schedule that controls when the policy should be active See Schedule on page 226 Service The service to which the policy applies See Service on page 218 Action The response to make when the policy matches a connection attempt Enable Enable or disable the policy Enabling the policy makes it available for the firewall to match it to incoming connections source destination n Policy ...

Page 206: ...s on the destination network is hidden from the source network using NAT the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address See Virtual IP on page 230 Source Select the name of the source interface or zone for the policy The source interface or zone receives the packets to be matched by the policy Destination Select the name of ...

Page 207: ...ENCRYPT Select encrypt to make this policy an IPSec VPN policy An IPSec VPN policy causes the FortiGate unit to accept IPSec packets When encrypt is selected the VPN Tunnel Options appear You can also configure protection profiles log traffic traffic shaping and differentiated services You can also add a comment to the policy You cannot configure NAT or add authentication to an encrypt policy For ...

Page 208: ...ation about logging see Log Report on page 361 Advanced Select advanced to show advanced policy options Advanced policy options When configuring a firewall policy select Advanced to configure advanced firewall policies Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP Pool An IP Pool can be a single IP address or an IP address range A...

Page 209: ...groups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet or FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password If you want user...

Page 210: ...ry hop Routers that can understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiGate Differentiated Services feature to change the DSCP Differentiated Services Code Point value for all packets accepted by a policy The network uses these DSCP values to classify mark shape and police ...

Page 211: ...ination addresses 5 Configure the policy For information about configuring the policy see Policy options on page 205 6 Select OK to add the policy 7 Arrange policies in the policy list so that they have the results that you expect For information about arranging policies in a policy list see How policy matching works on page 204 To delete a policy 1 Go to Firewall Policy 2 Select the Delete icon b...

Page 212: ...he Enable check box beside the policy you want to disable To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy command is used in encrypted VPN policies A natip address cannot be added using the web based manager You can configure complete firewall policies from the CLI See the FortiGate CLI Reference Guide for descript...

Page 213: ...ility http_retry_count retry_integer Define the number of times to retry establishing an HTTP connection when the connection fails 0 All models natip address_ipv4mask Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled Specify the IP address and subnet mask to translate the source address of outgoing packets Set natip for peer to peer VPNs to control outb...

Page 214: ...s and features Address options Add an address representing an IP address and subnet mask or an IP address range Figure 92 Address options Address has the following options Create New Select Create New to add a firewall address Name The name of the firewall address Address The IP address and mask or IP address range of the firewall The Delete and Edit View icons Address Name Enter a name to identif...

Page 215: ... should be 255 0 0 0 The netmask for a class B subnet should be 255 255 0 0 The netmask for a class C subnet should be 255 255 255 0 The netmask for all addresses should be 0 0 0 0 An IP Range address represents A range of IP addresses in a subnet for example 192 168 20 1 to 192 168 20 10 Configuring addresses To add an address 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identif...

Page 216: ...ake it easier to configure policies For example if you add three addresses and then configure them in an address group you can configure a single policy using all three addresses Figure 93 Sample address group list The address group list has the following icons and features Address group options Address group options are configurable when creating or editing an address group Note If an address gro...

Page 217: ...quired to add more addresses to the group 6 Select OK To delete an address group If an address group is included in a policy it cannot be deleted unless it is first removed from the policy 1 Go to Firewall Address Group 2 Select the Delete icon beside the address group you want to delete Group Name Enter a name to identify the address group Addresses address groups and virtual IPs must all have un...

Page 218: ...pted or denied by the firewall You can add any of the predefined services to a policy You can also create custom services and add services to service groups This section describes Predefined service list Custom service list Custom service options Configuring custom services Service group list Service group options Configuring service groups Predefined service list Figure 95 Predefined service list...

Page 219: ...service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE 50 AOL AOL instant messenger protocol tcp 5190 5194 BGP Border Gateway Protocol routing protocol BGP is an interior exterior routing protocol tcp 179 DHCP Dynamic Host Configuration Protocol DHCP allocates network addresses and delivers conf...

Page 220: ...T messages tcp 119 NTP Network time protocol for synchronizing a computer s time with a time server tcp 123 OSPF Open Shortest Path First OSPF routing protocol OSPF is a common link state routing protocol 89 PC Anywhere PC Anywhere is a remote control and file transfer protocol udp 5632 ICMP_ANY Internet Control Message Protocol is a message control and error reporting protocol between a host and ...

Page 221: ...works tcp 161 162 udp 161 162 SSH Secure Shell is a service for secure connections to computers for remote management tcp 22 udp 22 SYSLOG Syslog service for remote logging udp 514 TALK A protocol supporting conversations between two or more users udp 517 518 TCP All TCP ports tcp 0 65535 TELNET Telnet service for connecting to a remote computer to run commands tcp 23 TFTP Trivial File Transfer Pr...

Page 222: ...name of the custom service Detail The protocol and port numbers for each custom service The Delete and Edit View icons Name The name of the TCP or UDP custom service Protocol Type Select the protocol type of the service you are adding TCP or UDP TCP and UDP options are the same Source Port Specify the Source Port number range for the service by entering the low and high port numbers If the service...

Page 223: ...Source and Destination Port number ranges for the service by entering the low and high port numbers If the service uses one port number enter this number in both the low and high fields 6 Select OK You can now add this custom service to a policy Name The name of the ICMP custom service Protocol Type Select the protocol type of the service you are adding ICMP Type Enter the ICMP type number for the...

Page 224: ...K You can now add this custom service to a policy To delete a custom service 1 Go to Firewall Service Custom 2 Select the Delete icon beside the service you want to delete 3 Select OK To edit a custom service 1 Go to Firewall Service Custom 2 Select the Edit icon beside the service you want to edit 3 Modify the custom service as required 4 Select OK Service group list To make it easier to add poli...

Page 225: ...l Service Group 2 Select Create New 3 Enter a group name to identify the service group 4 Select a service from the Available Services list and select the right arrow to move the service into the group Create New Select Create New to add a service group Group Name The name to identify the service group Members The services added to the service group The Delete and Edit View icons Group Name Enter a...

Page 226: ...fective once for the period of time specified in the schedule Recurring schedules repeat weekly You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week This section describes One time schedule list One time schedule options Configuring one time schedules Recurring schedule list Recurring schedule options Configuring ...

Page 227: ...e start date and time for the schedule Set start and stop time to 00 for the schedule to be active for the entire day One time schedules use a 24 hour clock 5 Set the Stop date and time for the schedule 6 Select OK To delete a one time schedule 1 Go to Firewall Schedule One time Create New Select Create New to add a one time schedule Name The name of the one time schedule Start The start date and ...

Page 228: ... list The recurring schedule list has the following icons and features Note To change the one time schedule name you must delete the schedule and add it with a new name Note If you create a recurring schedule with a stop time that occurs before the start time the schedule starts at the start time and finishes at the stop time on the next day You can use this technique to create recurring schedules...

Page 229: ... use a 24 hour clock 6 Select OK To delete a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Delete icon beside the recurring schedule you want to delete 3 Select OK To edit a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Edit icon beside the recurring schedule you want to modify 3 Modify the schedule as required Name Enter the name to identify the recurri...

Page 230: ...tination to the virtual IP You can create three types of virtual IPs This section describes Virtual IP list Virtual IP options Configuring virtual IPs Virtual IP list Figure 106 Sample virtual IP list Static NAT Used to translate an address on a source network to a hidden address on a destination network Static NAT translates the source address of return packets to the address on the source networ...

Page 231: ...n address on the destination network Service Port The external port number of the service from the IP Map to IP The real IP address on the destination network Map to Port The port number added to packets when they are forwarded not required The Delete and Edit View icons Name Enter the name to identify the virtual IP Addresses address groups and virtual IPs must all have unique names to avoid conf...

Page 232: ...obtained from your ISP for your web server This address must be a unique address that is not used by another host and cannot be the same as the IP address of the external interface selected in step 4 However the external IP address must be routed to the selected interface The virtual IP address and the external IP address can be on different subnets 7 Enter the Map to IP address to which to map th...

Page 233: ...vice Port number for which you want to configure port forwarding The external service port number must match the destination port of the packets to be forwarded For example if the virtual IP provides access from the Internet to a web server the external service port number is 80 the HTTP port 8 Enter the Map to IP address to which to map the external IP address For example the IP address of a web ...

Page 234: ... from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port). 8. Enter the Map to IP address to which to map the external IP address, for example, the IP address of a PPTP server on an internal network. 9. Enter the Map to Port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service ...

Page 235: ...ols to any interface and select the IP pool to use when configuring a firewall policy. You can enter an IP address range using the following formats: x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120; x.x.x.[x-x], for example 192.168.110.[100-120]. This section describes: IP pool list; IP pool options; Configuring IP pools; IP Pools for firewall policies that use fixed ports; IP pools and dynamic NAT ...

Page 236: ...t of the range must be lower than the end of the range. The start and end of the range must be on the same subnet as the IP address of the interface to which you are adding the IP pool. 5. Select OK. To delete an IP pool: 1. Go to Firewall > IP Pool. 2. Select the Delete icon beside the IP pool you want to delete. 3. Select OK. To edit an IP pool: 1. Go to Firewall > IP Pool. 2. For the IP pool that you want to edit ...

Page 237: ... all connections from your network to the Internet appear to come from this IP address. If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address f...

Page 238: ...ion to HTTP, FTP, IMAP, POP3, and SMTP traffic. You may not wish to use the strict protection profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum screening. Scan: To apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic. Quarantine is also selected for all content services. On FortiGate models with a hard disk, if antivirus scanning find...

Page 239: ...tering. See Configuring web category filtering options on page 241. Spam Filtering: See Configuring spam filtering options on page 242. IPS: See Configuring IPS options on page 243. Content Archive: See Configuring content archive options on page 243. Virus Scan: Enable or disable virus scanning for viruses and worms for each protocol (HTTP, FTP, IMAP, POP3, SMTP). Grayware (if enabled in Antivirus > Config > Grayware...

Page 240: ...n the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold. Add signature to outgoing emails: Create and enable a signature to append to outgoing email (SMTP only). Web Content Block: Enable or disable web pag...

Page 241: ...ge for 4xx and 5xx HTTP errors. If the error is allowed through, then malicious or objectionable sites could use these common error pages to circumvent web category blocking. Rate images by URL (blocked images will be replaced with blanks; HTTP only): Enable using FortiGuard to rate images based on the image URL. Images that should be blocked are replaced with a blank image on the original web page. FortiGu...

Page 242: ...m is listed. Typically, spam messages contain URL links to advertisements (also called spamvertizing). If a URL match is found, FortiGuard terminates the session. If FortiGuard does not find a match, the mail server sends the email to the recipient. See FortiGuard Antispam Service on page 346 for more information about this service. IP address BWL check (black/white list check): Enable or disable checking inco...

Page 243: ...diately drops the connection. Without splice or scanning enabled, you can choose to tag or discard SMTP spam. You can tag email by adding a custom word or phrase to the subject or by inserting a MIME header and value into the email header. You can choose to log any spam action in the event log. In the US Domestic distribution, spam filter email tagging is not supported. Because SMTP virus scanning operates i...

Page 244: ...ou want to modify. 3. Modify the profile as required. 4. Select OK. Display content meta-information on the system dashboard: Enable to have meta-information for each type of traffic display in the Content Summary section of the FortiGate status page. There you can view statistics for HTTP traffic, FTP traffic, and Email traffic (IMAP, POP3, and SMTP combined). Archive content meta-information: Enable or disable...

Page 245: ... profile from the list. 6. Configure the remaining policy settings if required. 7. Select OK. 8. Repeat this procedure for any policies for which you want to enable network protection. Profile CLI configuration: Use this command to add, edit, or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies. Command syntax pattern: config ...

Page 246: ...de reduces timeouts when uploading and downloading large files. When streaming mode is disabled for ftp, the FortiGate unit buffers the file for scanning before uploading it to the FTP server. If the file is clean, the FortiGate unit allows the upload or download to continue. Enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an option...

Page 247: ...vailable in the US Domestic distribution because streaming mode (also called splice) is always enabled for SMTP. Enter splice to enable the FortiGate unit to simultaneously scan an email and send it to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender listing the virus name and infected file name. With streaming enab...

Page 249: ...he user's credentials locally or using an external LDAP or RADIUS server. Authentication expires if the user leaves the connection idle for longer than the authentication timeout period. You need to determine the number and membership of your user groups appropriate to your authentication needs. To set up user groups: 1. If external authentication is needed, configure RADIUS or LDAP servers. See RADIUS o...

Page 250: ...ocal. Go to User > Local to add local user names and configure authentication. Local user list. Figure 119: Local user list. Local user options. Figure 120: Local user options. Create New: Add a new local username. User Name: The local user name. Type: The authentication type to use for this user. The Delete and Edit icons. User Name: Enter the user name. Disable: Select Disable to prevent this user from authenticati...

Page 251: ...tication. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, you can use the CLI to change the default RADIUS port. For more information, see the config system global command entry in the FortiGate CLI Reference Guide. RADIUS server list. Figure 121: RADIUS server list. LDAP: Select LDAP to require the user to authenticate to an LDAP server. Select the name of the LDAP ser...

Page 252: ...ou want to delete. 3. Select OK. LDAP: If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user...

Page 253: ...d a new LDAP server. Name: The name that identifies the LDAP server on the FortiGate unit. Server Name/IP: The domain name or IP address of the LDAP server. Port: The port used to communicate with the LDAP server. Common Name Identifier: The common name identifier for the LDAP server (20 characters maximum). The common name identifier for most LDAP servers is cn. However, some servers use other common name ide...

Page 254: ... beside the LDAP server name that you want to delete. 3. Select OK. Common Name Identifier: Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers, such as uid. Distinguished Name: Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the serv...

Page 255: ...he FortiGate PPTP configuration. Only users in the selected user group can use PPTP. The FortiGate L2TP configuration. Only users in the selected user group can use L2TP. When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiGate unit checks for authentication. If user names are first, then the FortiGate unit chec...

Page 256: ... RADIUS server to the Members list. 6. To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list. 7. To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP ...

Page 257: ... FortiGate CLI Reference Guide. peer: Use this command to add or edit the peer certificate information. Command syntax pattern: config user peer; edit <name_str>; set <keyword> <variable>. config user peer; edit <name_str>; unset <keyword>. config user peer; delete <name_str>. get user peer <name_str>. show user peer <name_str>. Example: This example shows how to add the branch_office peer. radius command keywords and variables ...

Page 258: ...h_office. peergrp: Use this command to add or edit a peer group. Command syntax pattern: config user peergrp; edit <name_str>; set <keyword> <variable>. config user peergrp; edit <name_str>; unset <keyword>. config user peergrp; delete <name_str>. get user peergrp <name_str>. show user peergrp <name_str>. Example: This example shows how to add peers to the peergrp EU_branches. radius command keywords and variables. Keywords and v...

Page 259: ...is example shows how to display the list of configured peer groups: get user peergrp. This example shows how to display the settings for the peergrp EU_branches: get user peergrp EU_branches. This example shows how to display the configuration for all the peer groups: show user peergrp. This example shows how to display the configuration for the peergrp EU_branches: show user peergrp EU_branches ...

Page 261: ... following protocols to authenticate and encrypt traffic: Internet Protocol Security (IPSec); Point-to-Point Tunneling Protocol (PPTP); Layer Two Tunneling Protocol (L2TP). This chapter contains information about the following VPN topics: Phase 1; Phase 2; Manual key; Concentrator; Ping Generator; Monitor; PPTP; L2TP; Certificates; VPN configuration procedures; CLI configuration ...

Page 262: ...onal advanced phase 1 settings can be selected to ensure the smooth operation of phase 1 negotiations. To configure phase 1 settings: 1. Go to VPN > IPSEC > Phase 1. 2. Follow the general guidelines in these sections: Phase 1 list on page 262; Phase 1 basic settings on page 263; Phase 1 advanced settings on page 265. For information about how to choose the correct phase 1 settings for your particular situation...

Page 263: ...ill be connecting to the FortiGate unit, select Dialup User. If a remote peer that has a domain name and subscribes to a dynamic DNS service will be connecting to the FortiGate unit, select Dynamic DNS. IP Address: If you set Remote Gateway to Static IP Address, type the IP address of the remote peer. Dynamic DNS: If you set Remote Gateway to Dynamic DNS, type the domain name of the remote peer. Mode: Select...

Page 264: ...the name of the group from the list. You must create the user group before it can be selected here. See User on page 249. For more information about using peer IDs to authenticate dialup users, see the Enabling VPN peer identification section of the FortiGate VPN Guide. To authenticate one or more remote peers or dialup clients based on a particular or shared security certificate, select Accept this pee...

Page 265: ... following symmetric-key algorithms: DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key. 3DES: Triple DES, in which plain text is encrypted three times by three keys. AES128: A 128-bit block algorithm that uses a 128-bit key. AES192: A 128-bit block algorithm that uses a 192-bit key. AES256: A 128-bit block algorithm that uses a 256-bit key. You can select either of the following...

Page 266: ...s for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes. If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive. XAuth: This option is provided to support the authentication o...

Page 267: ...encryption and/or authentication key, you must configure the FortiGate unit to use manual keys instead. For more information, see Manual key on page 270. Create New: Select Create New to create a new phase 2 tunnel configuration. Tunnel Name: The names of existing tunnel configurations. Remote Gateway: The names of the phase 1 configurations that are associated with the tunnel configurations. Lifetime (sec/k...

Page 268: ...nfiguration to assign to this tunnel. See Phase 1 on page 262. The phase 1 configuration describes how remote peers or clients will be authenticated on this tunnel and how the connection to the remote peer or client will be secured. Concentrator: If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configur...

Page 269: ... the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination. Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. Enable perfect forward secrecy (PFS) ...

Page 270: ...applies to communication in one direction only, you must specify two SPIs per configuration (a local SPI and a remote SPI) to cover bidirectional communications between two VPN peers. To specify manual keys for creating a tunnel: 1. Go to VPN > IPSEC > Manual Key and select Create New. Internet browsing: Select the FortiGate interface to the local private network if the FortiGate unit has to support an Intern...

Page 271: ...c on the local FortiGate unit. The valid range is from 0xbb8 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer. Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0xbb8 to 0xffffffff. This value must match the Local SPI value in...

Page 272: ...48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters. AES256: type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters. Authentication Algorithm: Select one of the following message digests: MD5: Message Digest 5 algorithm, which produces a 128-bit message digest. SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest. Auth...

Page 273: ...o define a concentrator: 1. Go to VPN > IPSEC > Concentrator. 2. Follow the guidelines in these sections: Concentrator list on page 273; Concentrator options on page 273. Concentrator list. Figure 135: IPSec VPN concentrator list. Concentrator options. Figure 136: Creating a concentrator for a hub-and-spoke configuration. Create New: Select Create New to define a new concentrator for an IPSec hub-and-spoke configur...

Page 274: ...PSEC > Ping Generator. 2. Select Enable. 3. In the Source IP 1 field, type the private IP address or subnet address from which traffic may originate locally, for example 192.168.20.12 or 192.168.20.0, respectively. 4. In the Destination IP 1 field, enter the IP address of a remote computer. For a peer-to-peer configuration, the destination address is the private IP address of a server or host behind the remote ...

Page 275: ...ialup client such as FortiClient is still connected, FortiClient will continue to show the tunnel connected and idle. The dialup client must disconnect before another tunnel can be initiated. Dialup monitor: The list of dialup tunnels provides information about the status of tunnels that have been established for dialup clients. The list displays the IP addresses of dialup clients and the names of all ...

Page 276: ...om the keylife. Proxy ID Source: The IP address of the host, server, or private network behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses. Proxy ID Destination: The meaning of the value in the Proxy ID Destination column changes depending on the configuration of the network at the far end. When a For...

Page 277: ...on procedures on page 285. To enable PPTP and specify the PPTP address range: 1. Go to VPN > PPTP > PPTP Range. 2. Enable PPTP and specify the address range. Name: The name of the tunnel. Remote gateway: The IP address and UDP port of the remote gateway. For dynamic DNS tunnels, the IP address is updated dynamically. Timeout: The time before the next key exchange. The time is calculated by subtracting the time elap...

Page 278: ... how to perform the related tasks, see L2TP configuration procedures on page 285. To enable L2TP and specify the L2TP address range: 1. Go to VPN > L2TP > L2TP Range. 2. Enable L2TP and specify the address range. L2TP range: The L2TP address range specifies the range of addresses reserved for remote clients. When a remote client connects to the FortiGate unit, the client is assigned an IP address from this rang...

Page 279: ...ons: Local certificate list on page 279; Certificate request on page 280; Importing signed certificates on page 281. To import and view CA certificates: 1. Go to VPN > Certificates > CA Certificates. 2. For more information, see CA certificate list on page 282 and Importing CA certificates on page 282. For detailed information and step-by-step procedures related to obtaining and installing digital certificates ...

Page 280: ...e request. See Certificate request on page 280. Import: Select to import a signed local certificate. See Importing signed certificates on page 281. Name: The names of existing local certificates and pending certificate requests. Subject: The Distinguished Names (DNs) of local signed certificates. Status: The status of the local certificate. PENDING designates a certificate request that should be downloaded and...

Page 281: ...ng certified. For Domain name, enter the fully qualified domain name of the FortiGate unit being certified. Do not include the protocol specification (http://) or any port number or path names. For E-mail, enter the email address of the owner of the FortiGate unit being certified. Typically, email addresses are entered only for clients, not gateways. Organization Unit: Name of your department. Organization: Legal ...

Page 282: ... list. Importing CA certificates: After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit. To import a CA root certificate: 1. Go to VPN > Certificates > CA Certificates. 2. Select Import. Import: Select to import a CA root certificate. See Importing CA certificates on page 282. Name: The names of existing CA root certificates. The FortiGate u...

Page 283: ...e presented here. For details, see the FortiGate VPN Guide. IPSec configuration procedures: The following configuration procedures are common to all IPSec VPNs: 1. Define the phase 1 parameters that the FortiGate unit needs to authenticate remote peers and establish a secure connection. See Phase 1 on page 262. 2. Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a r...

Page 284: ...92.168.10.[80-100]. 4. Select OK. To define an IP destination address: 1. Go to Firewall > Address and select Create New. 2. In the Address Name field, type a name that represents the remote network, server(s), or host(s) to which IP packets may be delivered. 3. In the IP Range/Subnet field, type the corresponding IP address and subnet mask, for example 192.168.20.0/24 for a subnet or 192.168.20.2/32 for a server or ...

Page 285: ...ate unit to an external PPTP server instead, you must: 1. Create a PPTP user group containing one user for each PPTP client. See User on page 249. 2. Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned to PPTP clients when they connect. See PPTP range on page 278. 3. Configure PPTP pass-through on the FortiGate unit. 4. Configure the PPTP clients. To perform Steps 3 and 4...

Page 286: ...nager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference Guide. ipsec phase1; ipsec phase2; ipsec vip. ipsec phase1: In the web-based manager, the Dead Peer Detection option can be enabled when you define advanced Phase 1 options. The config vpn ipsec phase1 CLI command supports additional options for specifying a long and short idle time, a retry count, and a...

Page 287: ...to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer, it will also send a DPD probe to determine the status of the link. The dpd-idleworry range is 1 to 300. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, use the dpd-retrycount and dpd-retryinterval keywords. 10. All models. dpd must be set to enable d...

Page 288: ...1000; Short idle: 150; Retry count: 5; Retry interval: 30. config vpn ipsec phase1; edit Simple_GW; set type dynamic; set proposal des-md5; set authmethod psk; set psksecret Qf2p3O93jIj2bz7E; set mode aggressive; set dpd enable; set dpd-idlecleanup 1000; set dpd-idleworry 150; set dpd-retrycount 5; set dpd-retryinterval 30; end. ipsec phase2: Use the config vpn ipsec phase2 CLI command to add or edit an IPSec VPN phas...

Page 289: ...k and the IP address of a destination host on the destination network. Specify an IP address for every host that needs to be accessed on the other side of the tunnel; you can define a maximum of 32 IPSec VIP addresses on the same interface. For more information, see Configuring IPSec virtual IP addresses on page 290. Command syntax pattern: config vpn ipsec vip; edit <vip_integer>; set <keyword> <variable>; end ...

Page 290: ...guration of all existing VIP entries: show vpn ipsec vip. Configuring IPSec virtual IP addresses: Use the FortiGate unit's IPSec VIP feature to enable hosts on physically different networks to communicate with each other as if they were connected to the same private network. This feature can be configured manually through CLI commands. When the destination IP address in a local ARP request matches an e...

Page 291: ...oordinated to protect against ambiguous routing (no two IP addresses are the same). Setting up a configuration like this involves performing the following tasks at FortiGate_1 and FortiGate_2. To enable IPSec VPN communication between two network hosts that coordinate the same private address space on physically separate networks, perform the following tasks at the local and remote FortiGate units: 1. On...

Page 292: ...gure the remote FortiGate unit, add VIP entries to define which IP addresses can be accessed at the local end of the VPN tunnel (see ipsec vip on page 289). For example, to enable access to Host_1 on the Finance network from Host_2 on the HR network, enter the following CLI commands on FortiGate_2: config vpn ipsec vip; edit 1; set ip 192.168.12.1; set out-interface external; end ...

Page 293: ...otection profile options on page 239. Protection profile configuration: For information about adding protection profiles to firewall policies, see To add a protection profile to a policy on page 245. Configuring IPS logging and alert email: Whenever the IPS detects or prevents an attack, it generates an attack message. You can configure the FortiGate unit to add the message to the attack log and to send ...

Page 294: ... can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file. You can also configure the FortiGate unit to allow push updates of updated attack definition files as soon as they are available from the FortiProtect Distribution Network. For details, see Update ...

Page 295: ...res in the group. For each signature, you can configure the action the FortiGate IPS takes when it detects an attack. The FortiGate IPS can pass, drop, reset, or clear packets or sessions. You can also enable or disable logging of the attack. Predefined signature list: You can enable or disable groups of predefined signatures and configure the settings for individual predefined signatures from the predefin...

Page 296: ...fully established, it acts as Clear Session. Reset Client: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the client and drops the session from the session table. This is used for TCP connections only. If set for non-TCP connection-based attacks, the action will behave as Clear Session. If the Reset Client action is trigge...

Page 297: ...gnature you want to configure. Figure 151: Configuring predefined IPS signatures. 4. Select the Enable box to enable the signature, or clear the Enable box to disable the signature. 5. Select the Logging box to enable logging for this signature, or clear the Logging box to disable logging for this signature. 6. Select the Action for the FortiGate unit to take when traffic matches this signature. See Table 32...

Page 298: ... session will not be maintained by tcp_reassembler. min_ttl: A packet with a higher TTL number in its IP header than the number specified here is not processed by tcp_reassembler. port_list: A comma-separated list of ports. The dissector can decode these TCP ports. bad_flag_list: A comma-separated list of bad TCP flags. reassembly_direction: Valid settings are from server, from client, or both. codepoint: A n...

Page 299: ...gnature box to enable the custom signature group, or clear the Enable custom signature box to disable the custom signature group. Create New: Select Create New to create a new custom signature. Clear all custom signatures: Remove all the custom signatures from the custom signature group. Reset to recommended settings: Reset all the custom signatures to the recommended settings. Name: The custom signature n...

Page 300: ...ng up and restoring the custom signature list, see Backing up and Restoring on page 130. Anomaly: The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols. Caution: Restoring the custom signature list overwrites the existing file. Flooding: If t...

Page 301: ... network. For more information on minimum, maximum, and recommended thresholds for the anomalies with configurable thresholds, see the FortiGate IPS Anomaly Thresholds and Dissector Values Technical Bulletin. Note: It is important to know the normal and expected traffic on your network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting t...

Page 302: ...l session is not touched. Fortinet recommends using an action other than Drop for TCP connection-based attacks. Reset: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to both the client and the server and drops the firewall session from the firewall session table. This is used for TCP connections only. If set for non-TCP con...

Page 303: ...le. This is used for TCP connections only. If set for non-TCP connection-based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established, it acts as Clear Session. Drop Session: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. For the remainder of this packet's firewall session, all ...

Page 304: ...ll will continue to operate while the problem is resolved. Command syntax pattern: config sys global; set ips_open {enable | disable}; end. Enable ips_open to cause the IPS to fail open, and disable ips_open to cause the IPS to fail closed. system global ip_signature: Save system resources by restricting IPS processing to only those services allowed by firewall policies. Command syntax pattern: config sys globa...

Page 305: ...re specific to more general. For example, if you define thresholds for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24-bit netmask will be matched first. Command syntax pattern: config limit; edit <name_str>; set <keyword> <variable>; end. config limit; edit <name_str>; unset <keyword>; end. Keywords and variables; Description; Default. ip_signature {enable | disable}: Enter one of the following: disable: only TCP, UD...

Page 306: ...tcp_src_session: config limit; edit subnet1; set ipaddress 1.1.1.0 255.255.255.0; set threshold 300; end; end. limit command keywords and variables. Keywords and variables; Description; Default; Availability. ipaddress <address_ipv4mask>: The IP address and netmask of the source or destination network. No default. All models. threshold <threshold_integer>: Set the threshold that triggers this anomaly. No default. All mo...

Page 307: ...each protocol (HTTP, FTP, IMAP, POP3, SMTP). View a read-only list of current viruses. File Block (Antivirus > File Block): Enable or disable file blocking for each protocol. Configure file patterns to block; enable or disable blocking for each protocol. Quarantine (Antivirus > Quarantine): Enable or disable quarantining for each protocol. Quarantine is only available on units with a local disk. View and sort the list o...

Page 308: ...FortiProtect Center at http://www.fortinet.com/FortiProtectCenter. To set up automatic and push updates, see Update center on page 132. This chapter describes: File block; Quarantine; Config; CLI configuration. File block: Configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks. You can block files by name, by extension, or by any other pattern, giving yo...

Page 309: ...files (.vb), screen saver files (.scr), program information files (.pif), control panel files (.cpl). Figure 159: Default file block list. The file block list has the following icons and features: Create New: Select Create New to add a new file pattern to the file block list. Apply: Select Apply to apply any changes to the file block configuration. Pattern: The current list of blocked file patterns. You can create a pattern b...

Page 310: ...toSubmit list; AutoSubmit list options; Configuring the AutoSubmit list; Config. Quarantined files list: The quarantined files list displays information about each file that is quarantined because of virus infection or file blocking. You can sort the files by any one of file name, date, service, status, duplicate count (DC), or time to live (TTL). You can also filter the list to view only quarantined files with a...

Page 311: ...antined file is changed to a system-generated file name. The system-generated file name consists of the name of the sender email address and the name of the receiver email address, separated with an underscore. The system-generated file name does not include a file name extension. For example, if the file test.doc was quarantined in an email being sent from user@address.com to info@fortinet.com ...

Page 312: ...es. Configuring the AutoSubmit list: To add a file pattern to the AutoSubmit list: 1. Go to Anti-Virus > Quarantine > AutoSubmit. 2. Select Create New. Figure 162: Adding a file pattern. 3. Enter the file pattern or file name you want to automatically upload to Fortinet for analysis. The Download icon: Download the corresponding file in its original format. The Submit icon: Upload a suspicious file to Fortinet for ...

Page 313: ...o quarantine suspicious files identified by heuristics Quarantine Blocked Files Select the protocols from which to quarantine blocked files identified by antivirus file blocking The Quarantine Blocked Files option is not available for HTTP or FTP because a file name is blocked before downloading and cannot be quarantined Age limit The time limit in hours for which to keep files in quarantine The a...

Page 314: ...te center on page 132 Figure 164 Virus list partial Config Oversize threshold configuration refers to the size limits you can apply to scan files and email in memory The maximum file size allowed in memory is usually 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a memory oversize threshold range of 1 to 25 MB The range for each FortiGate unit is displayed ...

Page 315: ...e programs in each category you enable The category list and contents are added or updated whenever your FortiGate unit receives a virus update package New categories may be added at any time and will be loaded with the virus updates By default all new categories are disabled Grayware is enabled in a protection profile when Virus Scan is enabled Grayware options Grayware categories are populated w...

Page 316: ... other files often illegally Spy Select enable to block spyware programs Spyware like adware is often included with freeware Spyware is a tracking and analysis program that can report your activities such as web browsing habits to the advertiser s web site where it may be recorded and analyzed Keylog Select enable to block keylogger programs Keylogger programs can record every keystroke made on a ...

Page 317: ...lobal unset keyword end get system global show system global Misc Select enable to block any programs included in the miscellaneous grayware category BHO Select enable to block browser helper objects BHOs are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4 x and higher Not all BHOs are malicious but the potential exis...

Page 318: ...on Fortinet Knowledge Center article Command syntax pattern config system global set keyword variable end config system global unset keyword end get system global show system global Keywords and variables Description Default Availability av_failopen off one shot pass Set the action to take if there is an overload of the antivirus system Enter pass to bypass the antivirus system when memory is low ...

Page 319: ...figured in the CLI heuristic is enabled in a protection profile when Virus Scan is enabled Use the heuristic command to change the heuristic scanning mode Command syntax pattern config antivirus heuristic set keyword variable end config antivirus heuristic unset keyword end get antivirus heuristic show antivirus heuristic Example This example shows how to disable heuristic scanning config antiviru...

Page 320: ... the FortiGate unit handles antivirus scanning of large files in HTTP traffic and what ports the FortiGate unit scans for HTTP Command syntax pattern config antivirus service http set keyword variable end Note This command has more keywords than are listed in this Guide See the FortiGate CLI Reference Guide for a complete list of commands and keywords antivirus quarantine command keywords and vari...

Page 321: ...ximum file size in megabytes that can be buffered to memory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the oversize threshold refers to the final size of the email after encoding by the email client including attachments Email clients may use a...

Page 322: ...set port 80 set port 443 end This example shows how to display the antivirus HTTP traffic settings get antivirus service http This example shows how to display the configuration for antivirus HTTP traffic show antivirus service http config antivirus service ftp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in FTP traffic and how the FortiGate unit h...

Page 323: ...e allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Oversized files can be passed or blocked in a firewall protection profile Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types ...

Page 324: ...e unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment The most common encoding base64 translates 3 bytes o...

Page 325: ...uncompsizelimit 60 set port 110 set port 111 set port 992 end This example shows how to display the antivirus POP3 traffic settings get antivirus service pop3 This example shows how to display the configuration for antivirus POP3 traffic show antivirus service pop3 config antivirus service imap Use this command to configure how the FortiGate unit handles antivirus scanning of large files in IMAP t...

Page 326: ...mory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types transl...

Page 327: ...um file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than t...

Page 328: ...ffered to memory for scanning at 1 GB 1000 MB and how to enable antivirus scanning on ports 25 and 465 for SMTP traffic config antivirus service smtp set memfilesizelimit 100 set uncompsizelimit 1000 set port 25 set port 465 end This example shows how to display the antivirus SMTP traffic settings get antivirus service smtp This example shows how to display the configuration for antivirus SMTP tra...

Page 329: ...r URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Add URLs and URL patterns to block web pages from specific sources Web Exempt List Web Filter URL Exempt Enable or disable web page filtering for HTTP traffic based on the URL exempt list Exempt URLs are not scanned for viruses Add URLs to exempt them from web and virus filtering Web Script Filter Web Fil...

Page 330: ...g in the order the filters appear in the web based manager menu content block URL block URL exempt category block FortiGuard Web Filtering and script filter This chapter describes Content block URL block URL exempt Category block Script filter Allow web pages that return a rating error from FortiGuard Web Filtering Category Action FortiGuard Web Filtering service provides many categories by which ...

Page 331: ...following icons and features Note Perl regular expression patterns are case sensitive for Web Filter content block To make a word or phrase case insensitive use the regular expression i For example bad language i blocks all instances of bad language regardless of case Wildcard patterns are not case sensitive Note Enable Web filtering Web Content Block in your firewall Protection Profile to activat...

Page 332: ...et the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You can also add patterns using text and regular expressions or wildcard characters to block URLs The FortiGate unit blocks web pages matching any specified URLs or patterns and displays a replacement message instead Ba...

Page 333: ...s in a text file and upload them to the FortiGate unit by selecting the Upload URL block list icon URLs in a text file must be separated by hard returns to upload correctly Figure 169 Sample Web URL block list Web URL block options Web URL block has the following icons and features Note URL blocking does not block access to other services that users can access with a web browser For example URL bl...

Page 334: ...ist For example adding badsite com blocks access to www badsite com mail badsite com www finance badsite com and so on 5 Select Enable 6 Select OK Web pattern block list In addition to blocking specific or partial URLs you can block all URLs that match patterns you create using text and regular expressions or wildcard characters For example badsite matches badsite com badsite org badsite net and s...

Page 335: ...ock 3 Select Create New Figure 172 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exempt list options Configuring URL exempt Create New Select Create New to add a new pattern to the web pattern block list Pattern The current list of blocked patterns Select the check box to enable all the ...

Page 336: ...RL to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 174 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable 5 Select OK Note Enable Web filtering Web Exempt List in your firewall Protection Profile to activate the URL exempt settings Create New Select Create New to add a URL to the URL exempt list total The number of URLs in the URL ...

Page 337: ...ted as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy FortiGuard Web Filtering ratings are performed by a combination of proprietary methods including text analysis exploitation of the Web structu...

Page 338: ... Category block configuration options If you have ordered FortiGuard Web Filtering through Fortinet technical support or are using the free 30 day trial you only need to enable the service to start configuring and using FortiGuard Web Filtering Figure 175 Category block configuration You can configure the following options to enable and help maintain FortiGuard Web Filtering Enable Service FortiGu...

Page 339: ...e 241 and FortiGuard categories on page 381 Once you select Apply the FortiGuard Web Filtering license type and expiration date appears on the configuration screen Web Filter Category Block Category block reports You can generate a text and pie chart format report on web filtering for any profile The FortiGate unit maintains statistics for allowed blocked and monitored web pages for each category ...

Page 340: ...LI Reference Guide for descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate the report Choose from hour day or all historical statistics Report Range Select the time range 24 hour clock or day range from six days ago to today for which you want the report For example if yo...

Page 341: ...s get webfilter catblock This example shows how to display the configuration for the catblock settings show webfilter catblock If the show command returns you to the prompt the settings are at default Script filter You can configure the FortiGate unit to filter certain web scripts You can filter Java applets cookies and ActiveX controls from web pages Figure 177 Script filtering options catblock c...

Page 342: ...ome web pages from functioning and displaying correctly Note Enable Web filtering Web Script Filter in your firewall Protection Profile to activate the script filter settings Javascript Select Javascript to block all Javascript based pages or applications Cookies Select Cookies to block web sites from placing cookies on individual computers ActiveX Select ActiveX to block all ActiveX applications ...

Page 343: ...own DNSBL server that provides spam IP address and URL blacklists Fortinet keeps the FortiGuard Antispam Service IP and URLs up to date as new spam source are found Enable FortiGuard Antispam Service check the status of the FortiGuard Antispam Service server view the license type and expiry date and configure the cache IP address BWL check Spam Filter IP Address Black white list check Enable or di...

Page 344: ...ders against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam or clear for each MIME header Banned word check Spam Filter Banned Word Enable or disable checking source email against the configured spam filter banned word list Add to and edit banned words to th...

Page 345: ...eck HELO DNS lookup 3 E mail address BWL check 4 MIME headers check 5 IP address BWL check for IPs extracted from Received headers 6 Return e mail DNS check FortiGuard Anti Spam check for IPs extracted from Received headers and URLs in email content 7 Banned word check For POP3 and IMAP 1 E mail address BWL check 2 MIME headers check IP BWL check 3 Return e mail DNS check FortiGuard AntiSpam check...

Page 346: ...he IP address list and URL list from email captured by spam probes located around the world Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address and URL address lists FortiGuard Antispam Service combines IP address checks and URL checks with other spam filter techniques in a two pass process On the first pass if IP a...

Page 347: ...equired using the CLI See FortiGuard Antispam Service CLI configuration on page 349 FortiGuard Antispam Service licensing Every FortiGate unit comes with a free 30 day FortiGuard Antispam Service trial license FortiGuard Antispam Service license management is done by Fortinet servers so there is no need to enter a license number The FortiGate unit automatically contacts a FortiGuard Antispam Servi...

Page 348: ...xpiration date appears on the configuration screen Spam Filter FortiGuard Antispam Service Enable Service Select to enable the FortiGuard Antispam Service Status Select Check Status to test the connection to the FortiGuard Antispam Service server Status should change from a flashing red yellow indicator to a solid green indicator when the server is contacted successfully License Type The FortiGuar...

Page 349: ...d show spamfilter fortishield Example This example shows how to change the FortiGuard Antispam Service Service Point name config spamfilter fortishield set hostname shield example net end This example shows how to display the FortiGuard Antispam Service settings get spamfilter fortishield This example shows how to display the configuration for the FortiGuard Antispam Service settings show spamfilt...

Page 350: ... addresses You can mark each IP address as clear spam or reject You can filter single IP addresses or a range of addresses at the network level by configuring an address and mask Figure 179 Sample IP address list IP address options IP address list has the following icons and features Configuring the IP address list To add an IP address to the IP address list 1 Go to Spam Filter IP Address Create N...

Page 351: ...wn as open relays which some spammers use to send unsolicited bulk email There are also several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs Check with the service you are using to confirm the correct domain name for connecting to the server The FortiGate unit communicates with DNSBL servers using UDP through port 53 The FortiGate un...

Page 352: ...an DNSBL or ORDBL server 3 Enter the domain name of the DNSBL or ORDBL server you want to add 4 Select the action to take on email matched by the server 5 Select Enable 6 Select OK Create New Select Create New to add a server to the DNSBL ORDBL list Total The number of items in the list The Page up Page down and Remove all entries icons DNSBL Server The current list of servers Select the check box...

Page 353: ...l from a domain such as sample net You can mark each email address as clear or spam Figure 183 Sample email address list Email address options Email address list has the following icons and features Configuring the email address list To add an email address or domain to the list 1 Go to Spam Filter E mail Address 2 Select Create New Create New Select Create New to add an email address to the email...

Page 354: ...Content_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers will often insert comments into header values or leave them blank These malformed headers can fool some spam and virus filters You can use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in...

Page 355: ...t 1 Go to Spam Filter MIME headers Create New Select Create New to add a MIME header to the MIME headers list Total The number of items in the list The Page up Page down and Remove all entries icons Header The list of MIME headers keys Value The list of MIME header values for each key Pattern Type The pattern type used in the MIME header list entry Choose from wildcard or regular expression See Us...

Page 356: ...s on page 358 This section describes Banned word list Banned word options Configuring the banned word list Banned word list You can add one or more banned words to sort email containing those words in the email subject body or both Words can be marked as spam or clear Banned words can be one word or a phrase up to 127 characters long If you enter a single word the FortiGate unit blocks all email t...

Page 357: ... which the banned word belongs Simplified Chinese Traditional Chinese French Japanese Korean Thai or Western Where The location which the FortiGate unit searches for the banned word subject body or all Action The selected action to take on email with banned words The Delete and Edit View icons Pattern Enter the word or phrase you want to include in the banned word list Pattern Type Select the patt...

Page 358: ...regular expressions Regular expression vs wildcard match pattern In Perl regular expressions character refers to any single character It is similar to the character in wildcard match pattern As a result fortinet com not only matches fortinet com but also matches fortinetacom fortinetbcom fortinetccom and so on To match a special character such as and use the escape character For example To match fo...

Page 359: ...the end of the string a b either of a and b abc abc the string abc at the beginning or at the end of the string ab 2 4 c an a followed by two three or four b s followed by a c ab 2 c an a followed by at least two b s followed by a c ab c an a followed by any number zero or more of b s followed by a c ab c an a followed by one or more b s followed by a c ab c an a followed by an optional b followed...

Page 360: ...abcd perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the regular expression parser to ignore white space that is neither backslashed nor within a character class You can use this to break up your regular expression into slightly more readable parts x used to add regexps within other text If the first character in a pattern is forward slash the is treat...

Page 361: ...erity level and log format Log filters define the types of log messages saved to each location You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur It is not necessary for an event to be logged to trigger an alert email The FortiGate unit will collect and send log messages in alert emails according to the level and time intervals you configu...

Page 362: ...of the following locations From admin example com Sent Tuesday April 27 2004 5 30 PM To example test com Subject Message meets Alert condition Message meets Alert condition 2004 04 27 13 28 52 device_id APS3012803033139 log_id 0101023002 type event subtype ipsec pri notice loc_ip 172 16 81 2 loc_port 500 rem_ip 172 16 81 1 rem_port 500 out_if dmz vpn_tunnel ToDmz action negotiate init local mode s...

Page 363: ...tiGate unit has one Memory The FortiGate system memory The FortiGate system memory has a limited capacity and only displays the most recent log entries Traffic and content logs cannot be stored in the memory buffer When the memory is full the FortiGate unit begins to overwrite the oldest messages All log entries are deleted when the FortiGate unit restarts Syslog A remote computer running a syslog...

Page 364: ...g should be saved and a new active log started each minute hour or day as selected in the Unit drop down list Unit The unit of time that corresponds to the specified Roll Log Frequency minute hour or day Roll log day The day of the week when the FortiGate unit saves the log file and starts a new log file The FortiGate unit uses the time of date configured in the Roll log time setting Roll log poli...

Page 365: ...rity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 38 Logging severity levels on page 364 Name IP The domain name or IP address of the syslog server that stores the logs Port The port number for communication with the syslog server Level The FortiGate unit logs all messages at and above the logging severity level you sele...

Page 366: ...ble Select the Authentication Enable check box to enable SMTP authentication SMTP Server The name address of the SMTP server for email SMTP User The SMTP user name Password The SMTP password Email To Enter one to three email recipients for alert email Test Select Test to send a test alert email to the configured recipients Level The FortiGate unit sends alert email for all messages at and above th...

Page 367: ...te a customized log filter based on the log types described in the following sections Warning The interval to wait before sending an alert e mail for warning level log messages Notification The interval to wait before sending an alert e mail for notification level log messages Information The interval to wait before sending an alert e mail for information level log messages Apply Select Apply to a...

Page 368: ...on or packet log You can apply the following filters Event log The Event Log records management and activity events such as when a configuration has changed or a routing gateway has been added You can apply the following filters Policy allowed traffic The FortiGate unit logs all traffic that is allowed according to the firewall policy settings Policy violation traffic The FortiGate unit logs all t...

Page 369: ...tes HA activity event The FortiGate unit logs all high availability events such as link member and state information Firewall authentication event The FortiGate unit logs all firewall related events such as user authentication Pattern update event The FortiGate unit logs all pattern update events such as antivirus and IPS pattern updates and update failures Virus infected The FortiGate unit logs a...

Page 370: ...traffic log 1 Go to System Network Interface 2 Select the Edit icon for an interface 3 Select Log 4 Select OK 5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make sure you enable traffic logs for a logging location and set the logging severity level to Notification or lower Attack Signature The FortiGate unit logs all detected and prevented attacks based on the...

Page 371: ... an IPSec VPN tunnel between a FortiLog unit and an HA cluster connection is actually between the FortiLog unit and the HA cluster primary unit For more information see the High Availability Guide available at http docs forticare com fgt html Log access Log Access provides access to log messages saved to the FortiGate disk or to the memory buffer You can delete view search and navigate logs On its...

Page 372: ... Download icon for the file you wish to download 5 Select Download file in normal or CSV format 6 Select Open to view the log file or Save to save the log file to your computer To view and search log messages on the FortiGate disk 1 Go to Log Report Log Access 2 Select the log type you wish to access 3 Select Disk from the Type list Type Select the log location for which you want to view logs disk...

Page 373: ...s are displayed You can change the displayed columns or see the raw log messages go to the previous or next log page or search the log by selecting the corresponding icon Type Select the log location for which you want to view logs disk or memory Go to previous page icon View to the previous page in the log file Go to next page icon View to the next page in the log file View per page Select the nu...

Page 374: ...s selected Figure 195 Column settings for viewing log messages The Detailed Information column provides the entire raw log entry and is not needed unless the log contains information not available in any of the other more specific columns Available fields The fields that you can add to the log message display Right arrow button Select to move selected fields from Available fields list to Show thes...

Page 375: ...rch log messages a simple keyword search or an advanced search that enables you to use multiple keywords and specify a time range To perform a simple keyword search 1 Display the log messages you want to search For more information see Viewing log messages on page 373 2 In the Search field type a keyword and select Go The log message list shows only the logs containing the keyword To perform an ad...

Page 376: ...ord variable config log fortilog setting unset keyword get log fortilog setting show log fortilog setting any of the following The message must contain at least one of the keywords none of the following The message must contain none of the keywords Note The command keywords for fortilog setting that are not represented in the web based manager are localid and psksecret log fortilog setting command...

Page 377: ...ortiGate unit to send logs to a remote computer running a syslog server Command syntax pattern config log syslogd setting set keyword variable psksecret str_psk Enter the pre shared key for the IPSec VPN tunnel to a FortiLog unit You can create an IPSec VPN tunnel if one or more FortiGate units are sending log messages to a FortiLog unit across the Internet Using an IPSec VPN tunnel means that all...

Page 378: ...rt audit auth authpriv clock cron daemon ftp kernel local0 local1 local2 local3 local4 local5 local6 local7 lpr mail news ntp syslog user uucp Enter the facility type Also known as message category facility indicates from which part of the system a log message originated Facility can also be used to route messages to different files Facility types are described in Table 39 local7 All models port p...

Page 379: ...display the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Table 39 Facility types Facility type Description alert audit auth security authorization messages authpriv security authorization messages private clock clock daemon cron cron daemon performing scheduled commands daemon system daemons r...

Page 381: ...se and sites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional Religions or other unconventional cultic or folkloric beliefs and practices Sites that promote or offer methods means of instruction or other resources to affect or influence real events throug...

Page 382: ...ty with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites that provide information about promote or support the sale of alcoholic beverages or tobacco products or associated paraphernalia 11 Gambling Sites that provide information about or promote gambling o...

Page 383: ... discussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites advertisements or email 23 Web based Email Sites that host Web based email Potentially Bandwidth Consuming 24 File Sharing and Storage Peer to Peer File Sharing Sites that provide client software t...

Page 384: ...information about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide information or advice on personal health or medical services procedures or devices but not drugs Includes self help groups 34 Job Search Sites that offer information about or support the seeking of employm...

Page 385: ...ions devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as their primary activity Social and Affiliation Organizations Sites sponsored by or that support or offer information about organizations devoted chiefly to socializing or common interests other than...

Page 386: ...lated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services Others 54 Dynamic Content Dynamic Content URLs that are generated dynamically by a Web server 55 Miscellaneous Content Delivery Networks Commercial hosts that deliver content to subscribing Web sites ...

Page 387: ...ed firewall connections and all IPSec VPN sessions are maintained by the other FortiGate units in the HA cluster DHCP Dynamic Host Configuration Protocol An Internet protocol that assigns IP addresses to network clients usually when the client connects to the Internet Diffie Hellman An algorithm for establishing a shared secret key over an insecure medium See Diffie Hellman group Diffie Hellman gr...

Page 388: ...g properly heartbeat device An ethernet network interface in a cluster that is used by the FGCP for heartbeat communications among cluster units heartbeat failover If an interface functioning as a heartbeat device fails the heartbeat is transferred to another interface also configured as an HA heartbeat device high availability The ability that a cluster has to maintain a connection when there is ...

Page 389: ...d point an IP address or port number of a connection MAC address Media Access Control address A layer 2 hardware address that uniquely identifies a network node main mode A way to hide the identities of VPN peers from passive eavesdroppers during IPSec phase 1 negotiations See also aggressive mode MB Megabyte A unit of storage 1 048 576 bytes MIB Management Information Base A database of objects t...

Page 390: ... cluster The FortiGate firmware uses the term master to refer to the primary cluster unit protocol A standard format for transmitting data The protocol determines the type of error checking to be used the data compression method if any how the sending device indicates that it has finished sending a message and how the receiving device indicates that it has received a message RADIUS Remote Authenti...

Page 391: ...ack of cluster connections keep their configurations and routing tables synchronized with the primary unit and process network traffic assigned to them by the primary unit In an active passive cluster subordinate units do not process network traffic However active passive subordinate units track cluster connections and keep their configurations and routing tables synchronized with the primary unit...

Page 393: ...ddress firewall 213 firewall address group 216 firewall address options 214 list 214 See also firewall address 213 address group 216 adding 217 create new 216 deleting 217 editing 218 list 216 options 216 address name firewall address 214 firewall policy 206 administrator account netmask 126 trusted host 126 advanced firewall policy 208 advertise 186 200 adware grayware category 316 age limit quar...

Page 394: ...135 through a proxy server 136 ANY service 219 AOL service 219 append to protection profile 243 append with protection profile 243 archive content meta information protection profile 244 area 193 attack updates scheduling 135 through a proxy server 136 authentication 182 188 195 enabling 255 firewall policy 209 timeout 91 Authentication Algorithm 271 Authentication Algorithm Manual Key 272 Authent...

Page 395: ...rus 314 config distance 181 config distribute list 190 config interface 194 config limit 305 config neighbor 191 config network 193 config offset list 200 config redistribute 199 configuration backup 130 FortiGuard 338 reset to factory default 143 restore 130 configure antivirus heuristic antivirus 319 configuring manual key IPSec VPN 270 connecting a FortiGate HA cluster 102 conserve mode antivir...

Page 396: ...n 184 disable firewall policy 212 Disk logging settings 364 disk space quarantine 313 display content meta information on the system dashboard protection profile 243 dissector signature IPS 298 distance 180 distribution unit information 36 DNS service 219 DNSBL adding a server to the DNSBL and ORDBL list 352 Spam filter 351 DNSBL list Spam filter 352 DNSBL options Spam filter 352 DNSBL server Spam...

Page 397: ...P 231 external IP address virtual IP 231 external service port virtual IP 232 F facility 378 fail open 304 failopen antivirus 317 failover HA 93 monitoring cluster units 107 FDN FortiProtect Distribution Network 132 FDS FortiProtect Distribution Server 132 FGCP HA 93 file block adding a filename or pattern to the list 310 antivirus 308 default list of patterns 309 pattern 309 protection profile 23...

Page 398: ...he policy list 212 comments 211 configuring 211 create new 205 deleting 211 deny action 207 dest 205 destination address name 206 destination interface zone 206 differentiated services 210 DiffServ 210 disabling 212 dynamic IP pool NAT option 208 editing 211 enable 205 enabling 212 encrypt action 207 fixed port NAT option 208 guaranteed bandwidth 210 211 ID 205 inbound NAT 207 insert policy before...

Page 399: ...ol 237 fixed port NAT option firewall policy 208 flooding anomaly type 300 FortiGate Clustering Protocol HA 93 FortiGate documentation 23 commenting on 24 FortiGuard 337 cache 338 categories 337 381 changing the host name 340 CLI configuration 340 configuration 338 configuration options 338 configuring 339 enable service 338 generating a report 340 licensing 338 ratings 337 report allowed 340 repo...

Page 400: ...figure load balancing 104 configure weighted round robin weights 103 configuring and HA cluster 101 connect a FortiGate HA cluster 102 default heartbeat device configuration 99 device failover 93 DHCP 94 failover 93 FGCP 93 group ID 96 HA monitor 105 heartbeat device IP addresses 99 heartbeat failover 93 hub schedule 98 introduction 18 IP schedule 98 IP Port schedule 98 L2TP 94 least connection 98...

Page 401: ...0 http 246 HTTPS 19 25 service 219 hub HA schedule 98 I ICMP 220 ICMP custom service 223 adding 224 code 223 protocol type 223 type 223 ICMP_ANY service 220 ID firewall policy 205 idle timeout web based manager 91 IKE service 220 IMAP memfilesizelimit 326 service 220 uncompsizelimit 326 inbound NAT firewall policy 207 INFO_ADDRESS service 220 INFO_REQUEST service 220 insert policy before firewall ...

Page 402: ...d information 294 IPS anomaly protection profile 243 IPS options protection profile 243 IPS See also intrusion prevention system 293 IPS signature protection profile 243 ipsec vip 289 IPSec VPN authentication for user group 255 Internet browsing 270 monitor 275 ping generator 274 remote gateway 255 ips open system global 304 ips size system global 305 IPv6 79 IRC service 220 J Javascript 342 joke ...

Page 403: ...55 header 355 pattern type 355 Spam filter 354 value 355 MIME headers check protection profile 242 MIME headers list Spam filter 355 MIME headers options Spam filter 355 misc grayware category 317 Mode 262 mode HA 94 96 Transparent 17 Mode Phase 1 263 monitor HA 105 HA cluster members 106 IPSec VPN 275 monitor priorities HA 100 move to firewall policy 205 mtu 196 MTU size 61 mtu ignore 197 N name ...

Page 404: ... 314 oversized file email protection profile 240 P P1 Proposal Phase 1 265 P2 Proposal Phase 2 269 P2P grayware category 316 pass predefined signature action 296 302 pass fragmented emails protection profile 240 pass sessiondrop predefined signature action 296 303 passive interface 180 password HA 97 pattern 335 added to the web pattern block list 335 adding to the file block list 310 default list...

Page 405: ...208 reverse reply DSCP value 211 schedule 205 207 service 205 207 source 205 source address name 206 source interface zone 206 traffic priority 210 traffic shaping 210 VPN tunnel 207 policy routing 159 poll interval 192 pool IP pool 234 POP3 memfilesizelimit 324 service 220 uncompsizelimit 324 port 321 323 324 326 327 378 port forward dynamic 230 port forwarding virtual IP 230 port forwarding virt...

Page 406: ... profile 238 URL FortiShield check 242 virus scan 239 web default protection profile 238 web category options 241 web content block 240 web exempt list 240 web filtering options 240 web resume download block 240 web script filter 240 web URL block 240 protection profile configuration web filter 330 protocol 190 service 219 system status 41 virtual IP 232 protocol number 223 protocol type 222 223 p...

Page 407: ...block 340 reporting 20 reset predefined signature action 296 302 reset client predefined signature action 296 302 reset server predefined signature action 296 303 restarting 132 restore custom IPS signature 300 restore configuration 130 retransmit interval 189 197 return email DNS check protection profile 242 reverse reply DSCP value firewall policy 211 reverting firmware to an older version 47 RF...

Page 408: ...IMESTAMP 220 UDP 221 user defined TCP 222 UUCP 221 VDOLIVE 221 WAIS 221 WINFRAME 221 X WINDOWS 221 service ftp 322 service group 224 adding 225 create new 225 deleting 226 editing 226 list 224 options 225 service imap 325 service point FortiGuard 337 service points FortiShield 347 service pop3 324 service port virtual IP 231 service smtp 327 Service Policy 284 set time 90 shortcut 183 signature ad...

Page 409: ...75 src2 275 SSH service 221 SSL service definition 219 standalone mode HA 96 start one time schedule 227 recurring schedule 229 start IP IP pool 235 static IP monitor 275 277 static NAT virtual IP 230 adding 232 Status 267 status 177 198 199 275 377 378 FortiShield 348 HA cluster members 106 interface 56 77 quarantine files list 311 status description quarantine files list 311 stop one time schedu...

Page 410: ...list 311 Tunnel Name 267 268 type 183 223 virtual IP 231 U UDP 222 service 221 UDP custom service 222 adding 223 destination port 222 protocol type 222 source port 222 uncompsizelimit 321 323 324 326 327 Unfiltered default protection profile 238 unit information distribution 36 unit priority HA 97 up time HA cluster members 106 update push 137 updates virus list 308 upgrade firmware 42 upgrading f...

Page 411: ...ofile 238 web category block changing the host name 340 CLI configuration 340 configuration options 338 configuring 339 generating a report 340 report allowed 340 report blocked 340 report category 340 report options 340 report profiles 340 report range 340 report type 340 reports 339 web category options protection profile 241 web content block banned word 331 332 language 331 332 pattern type 33...

Page 412: ...ing the web URL block list 334 list 333 options 333 protection profile 240 web URL block list web filter 333 web based manager introduction 19 language 91 92 timeout 91 WebTrends logging settings 365 weighted round robin HA schedule 98 weighted round robin configuring weights 103 where Spam filter banned word 357 WINFRAME service 221 X XAuth 266 X WINDOWS service 221 ...
