
86 

The FortiGate Cookbook 5.0.

Adding multicast security policies

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from the LAN to WLAN1 (from the AppleTV to the iOS devices). Set Incoming Interface to LAN, Source Address to the Internal network, Outgoing Interface to the SSID, and Destination Address to Bonjour.

The Bonjour address allows the devices to find each other when they connect through the FortiGate unit.

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from WLAN1 to the LAN (from the iOS devices to the AppleTV). Set Incoming Interface to the SSID, Source Address to the SSID IP, Outgoing Interface to LAN, and Destination Address to Bonjour.
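The same pair of policies expressed in the FortiOS CLI, added here as an example that is not part of the original recipe. The interface names lan and wifi and the firewall address objects Internal_network and SSID_IP are assumed placeholders for the objects chosen in the GUI steps; the lines starting with # are annotations.

```text
# Added example (not from the Cookbook): CLI equivalent of the two GUI steps.
# Assumed object names: interfaces "lan" and "wifi", firewall addresses
# "Internal_network" and "SSID_IP" (create these first). "Bonjour" is the
# predefined multicast address object for 224.0.0.251 (mDNS).
config firewall multicast-policy
    edit 1
        # AppleTV on the LAN -> iOS devices on the SSID
        set srcintf "lan"
        set dstintf "wifi"
        set srcaddr "Internal_network"
        set dstaddr "Bonjour"
        set action accept
    next
    edit 2
        # iOS devices on the SSID -> AppleTV on the LAN
        set srcintf "wifi"
        set dstintf "lan"
        set srcaddr "SSID_IP"
        set dstaddr "Bonjour"
        set action accept
    next
end
```

Review the result with show firewall multicast-policy; both directions are needed because the discovery traffic originates on either side of the FortiGate unit.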

Summary of Contents for FortiGate 1U

Page 1: ...FortiOS 5 0 4 1U Models ...

Page 2: ...nd other conditions may affect performance results Nothing herein represents any binding commitment by Fortinet and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinet s FOFSBM PVOTFM XJUI B QVSDIBTFS UIBU FYQSFTTMZ XBSSBOUT UIBU UIF JEFOUJmFE QSPEVDU XJMM perform according to the performance metrics herein...

Page 3: ......

Page 4: ...2 ...

Page 5: ...3 QUICKSTART GUIDE FortiGate 1U QuickStart Guide ...

Page 6: ...1SPUFDUJPO DPOUSF EF OPVWFMMFT NFOBDFT B SFJTUSB JPOF UJ QFSNFUUF EJ VTVGSVJSF EJ t 4VQQPSUP 5FDOJDP t VPWF GVO JPOBMJUB t 1SPUFF JPOF EBMMF VMUJNF NJOBDDDF FCF SFHJTUSBS FM QSPEVDUP QBSB SFDJCJS t QPZP UÏDOJDP t VFWBT GVODJPOBMJEBEFT EFM QSPEVDUP t 1SPUFDDJØO DPOUSB BUBRVFT Register for Support IUUQT GPSUJ OFU TVQQPSU 5PMM GSFF 1IPOF BY NBJM SFHJTUFS GPSUJOFU DPN Information 登録のお願い 本日 フォーティネッ ト製品...

Page 7: ...VHG 0DQDJHU POOFDU UIF UIFSOFU DBCMF UP UIF 5 QPSU BOE ZPVS DPNQVUFS 7JTJU JO B XFC CSPXTFS G UIJT EPFT OPU TIPX UIF MPHJO QBHF DIBOHF UIF 1 BEESFTT PG ZPV DPNQVUFS UP BOE USZ BHBJO PHJO VTJOH VTFSOBNF iBENJOw BOE OP QBTTXPSE MJDL i8J BSEw JO UIF UPQ SJHIU DPSOFS BOE GPMMPX JOTUSVDUJPOT 3FHJTUFS ZPVS EFWJDF GSPN UIF EBTICPBSE QBHF Web Browser with Ethernet cable KWWSV 5 1PSU ...

Page 8: ...JODMVEFE PS EPXOMPBE GSPN IUUQ GPSUJ OFU GFYQ B 64 5 1PSU RUWL SORUHU 6HWXS L DUG PSUJ YQMPSFS QSPWJEFT EJSFDU DPOmHVSBUJPO BDDFTT UP ZPVS PSUJ BUF XJUIPVU NPEJmDBUJPO PG UIF OFUXPSL TFUUJOHT 0UIFS GFBUVSFT BOE UPPMT JODMVEF BVUPNBUJD mSNXBSF EPXOMPBE FBTZ SFHJTUSBUJPO BOE BDDFTT UP BEEJUJPOBM EFWJDF SFTPVSDFT PMMPX QSPNQUT PS DMJDL i3FHJTUFSw UP SFHJTUFS ZPVS EFWJDF XJUI PSUJ BSF MJDL i4FUVQ 8J B...

Page 9: ...POUSPM POF 1SFTT OUFS PO ZPVS LFZCPBSE UP DPOOFDU UP UIF PHJO VTJOH VTFSOBNF iBENJOw BOE OP QBTTXPSE PV DBO OPX QSPDFFE XJUI DPOmHVSJOH ZPVS PSUJ BUF VOJU MJTU PG DPNNBOET DBO CF GPVOE BU IUUQ GPSUJ OFU DMJ POTPMF 1PSU _ FU TUBSUFE CZ UZQJOH i w GPS B MJTU PG BWBJMBCMF DPNNBOET FHJO UZQJOH B DPNNBOE BOE UZQF i w GPS B MJTU PG BWBJMBCMF XBZT UP DPNQMFUF PS FYBNQMF iDPOmH w XJMM TIPX UIF MPXFTU MFWF...

Page 10: ... YQMPSFS J04 QQ UP ZPVS EFWJDF GSPN IUUQ GPSUJ OFU GFYQ JPT 6TF ZPVS QQMF 64 DBCMF UP DPOOFDU UP UIF 64 QPSU BVODI UIF PSUJ YQMPSFS QQ BOE TFMFDU UIF EFWJDF NPEFM PHJO VTJOH VTFSOBNF iBENJOw BOE OP QBTTXPSE POmHVSF ZPVS EFWJDF 5IJT WFSTJPO EPFT OPU IBWF B XJ BSE IUUQ GPSUJ OFU GFYQ JPT ...

Page 11: ...JOUP UIF SBDL 1PTJUJPO UIF PSUJ BUF VOJU JO UIF SBDL OTVSF UIFSF JT FOPVHI SPPN BSPVOE UIF VOJU UP BMMPX GPS TVGmDJFOU BJS nPX JOF VQ UIF SBDL NPVOU CSBDLFU IPMFT UP UIF IPMFT PO UIF SBDL BOE FOTVSF UIBU UIF PSUJ BUF VOJU JT MFWFM JOHFS UJHIUFO GPVS SBDL NPVOU TDSFXT UP BUUBDI UIF VOJU UP UIF SBDL BVUJPO MFDUSPTUBUJD EJTDIBSHF 4 DBO EBNBHF ZPVS PSUJOFU FRVJQNFOU 7R LQVWDOO WKH XQLW RQ D ÁDW VXUIDF...

Page 12: ...E FBDI UJNF UIBU ZPV BSF JOTFSUJOH B USBOTDFJWFS SFP Transceivers 5SBOTNJU 0QUJDBM PSF YUSBDUJPO FWFS 3FDFJWF 0QUJDBM PSF 4 1 BHF 4PDLFUT 4PDLFU BUDI PUF OTUBMMJOH BOE SFNPWJOH 4 1 USBOTDFJWFST DBO TIPSUFO UIFJS VTFGVM MJGF 7R LQVWDOO WKH 6 3 WUDQVFHLYHUV OTVSF UIBU ZPV BSF QSPQFSMZ HSPVOEFE 3FNPWF UIF caps GSPN UIF 4 1 DBHF TPDLFUT PO UIF GSPOU QBOFM PG UIF VOJU 1PTJUJPO UIF 4 1 USBOTDFJWFS JO GS...

Page 13: ...TJNJMBS UPPM UP PQFO UIF MFWFS 1SFTT UIF USBOTDFJWFS mSNMZ JOUP UIF DBHF TPDLFU XJUI ZPVS UIVNC 7FSJGZ UIBU UIF USBOTDFJWFS JT MBUDIFE DPSSFDUMZ CZ HSBTQJOH UIF TJEFT PG UIF USBOTDFJWFS BOE USZJOH UP QVMM JU PVU XJUIPVU MPXFSJOH UIF FYUSBDUJPO MFWFS G UIF USBOTDFJWFS DBOOPU CF SFNPWFE JU JT JOTUBMMFE BOE MBUDIFE DPSSFDUMZ G UIF USBOTDFJWFS DBO CF SFNPWFE SFJOTFSU JU BOE QSFTT IBSEFS XJUI ZPVS UIVN...

Page 14: ......

Page 15: ...The FortiGate Cookbook Recipes for Success with your FortiGate THE FORTIGATE COOKBOOK ...

Page 16: ......

Page 17: ...ting up FortiGuard services 24 Extra help FortiGuard 26 Logging network traffic to gather information 27 Extra help Logging 31 Using FortiCloud to record log messages 32 Using SNMP to monitor the FortiGate unit 36 Setting up an explicit proxy for users on a private network 42 Adding packet capture to help troubleshooting 46 Protecting a web server on the DMZ network 49 Using port pairing to simpli...

Page 18: ...ting a web server from external attacks 109 Blocking outgoing traffic containing sensitive data 113 Blocking large files from entering the network 118 Blocking access to specific websites 121 Extra help Web filtering 124 Blocking HTTPS traffic with web filtering 125 Using web filter overrides to control website access 130 Wireless Networking 139 Setting up a temporary guest WiFi user 140 Setting u...

Page 19: ...SSL inspection 173 Extra help Certificates 177 SSL and IPsec VPN 179 Using IPsec VPN to provide communication between offices 180 Providing remote users with access using SSL VPN 188 Providing secure remote access to a network for an iOS device 196 Using redundant OSPF routing over IPsec VPN 203 THE FORTIGATE COOKBOOK ...

Page 20: ......

Page 21: ...ed into the following chapters Installing Setup This chapter explains the configuration of common network functions and the different network roles a FortiGate unit can have Security Policies Firewall Objects This chapter describes security policies and firewall objects which determine whether to allow or block traffic Security Features This chapter describes the core security features that you ca...

Page 22: ...t out of the FortiGate Cookbook start with the screenshots and then read the text for more details Model and firmware GUI menus options and interface names may vary depending on the FortiGate model you are using and the firmware build For example the menu Router Static Static Routes is not available on some models Also on different models the Ethernet interface that would normally connect to the I...

Page 23: ...of a GUI field or feature When required italic text indicates information that you must enter Selecting OK Apply Always select OK or Apply when you complete a GUI step Because this must be done frequently it is an assumed step and is not included in most recipes THE FORTIGATE COOKBOOK ...

Page 24: ......

Page 25: ... t Setting up an explicit proxy for users on a private network t Adding packet capture to help troubleshooting t Protecting a web server on the DMZ network t Using port pairing to simplify transparent mode t Using two ISPs for redundant Internet connections t Adding a backup FortiGate unit to improve reliability Installing Setup The FortiGate unit provides protection for a variety of different net...

Page 26: ... using NAT Route mode In this example you will learn how to connect and configure a new FortiGate unit to securely connect a private network to the Internet Typically a FortiGate unit is installed as a gateway or router between a private network and the Internet where the FortiGate operates in NAT Route mode in order to hide the addresses of the private network from prying eyes while still allowin...

Page 27: ...ate unit s interfaces From a PC on the Internal network connect to the FortiGate web based manager using either FortiExplorer or an Internet browser You can configure the PC to get its IP address using DHCP and then browse to https 192 168 1 99 You could also give the PC a static IP address on the 192 168 1 0 255 255 255 0 subnet Login using admin and no password Go to System Network Interface and...

Page 28: ...oute provided by your ISP or to the next hop router depending on your network requirements A default route always has a Destination IP Mask of 0 0 0 0 0 0 0 0 Normally you would have only one default route If the static route list already contains a default route you can edit it or delete it and add a new one The FortiGate unit s DNS Settings are set to Use FortiGuard Services by default which is ...

Page 29: ...nfiguration If you have one of these models this step has already been done for you and as soon as your FortiGate unit is connected and the computers on your internal network are configured they should be able to access the Internet Results On the PC that you used to connect to the FortiGate internal interface open a web browser and browse to any Internet website You should also be able to connect...

Page 30: ...he FortiGate unit Use a web browser to connect to the web based manager from the FortiGate internal interface by browsing to its IP address From the PC try to ping the internal interface IP address for example ping 192 168 1 99 If you cannot connect to the internal interface verify the IP configuration of the PC Go to the next step when you can connect to the internal interface 5 Check the FortiGa...

Page 31: ...and verify that the default route is correct Go to Router Monitor Router Monitor and verify that the default route appears in the list as a static route Along with the default route you should see at least two connected routes one for each connected FortiGate interface On some FortiGate models routing options are configured by going to System Network Routing or through the CLI 10 Disable web filte...

Page 32: ...t gateway IP address from a PC on the internal network 13 Consider changing the MAC address of your external interface Some ISPs do not want the MAC address of the device connecting to their network cable to change If you have added a FortiGate unit to your network you may have to change the MAC address of the external interface typically WAN1 by using the following CLI command FRQ J V VWHP LQWHUI...

Page 33: ... unit without changing the network configuration This section describes how to connect and configure a new FortiGate unit to protect a private network without changing the network configuration This is known as Transparent mode and it allows you to add network security without replacing the router The FortiGate unit blocks access from the Internet to the private network but allows users on the pri...

Page 34: ...d beside Operation Mode select Change Set the Operation Mode to Transparent Set the Management IP Netmask and Default Gateway to connect the FortiGate unit the internal network You can now access the web based manager by browsing to the Management IP in the example you would browse to https 10 31 101 40 The FortiGate unit s DNS Settings are set to Use FortiGuard Services by default which is suffic...

Page 35: ...ecurity Profiles enable Antivirus and enable Application Control Press OK to save the security policy Power off the FortiGate unit Connecting the network Connect the FortiGate unit between the internal network and the router Connect the wan1 interface to the router internal interface and connect the internal network to the FortiGate internal interface port Power on the FortiGate unit FortiGate Int...

Page 36: ...ate unit operating in Transparent mode is installed between a DHCP server and PCs that get their address by DHCP you must add a security policy to allow the DHCP server s response to get back through the FortiGate unit from the DHCP server to the DHCP client The internal to wan1 policy allows the DHCP request to get from the client to the server but the response from the server is a new session no...

Page 37: ...dget which indicates the connection status of FortiGate network interfaces System Dashboard Status 4 Verify that you can connect to the management IP address of the FortiGate unit from the Internal network From the internal network attempt to ping the management IP address If you cannot connect to the internal interface verify the IP configuration of the PC and make sure the cables are connected a...

Page 38: ...ttempting to connect to This could happen because the configuration of the default web filter profile is blocking access to the site It is also possible that FortiGuard Web Filtering has produced a rating error for the website causing the web filter profile to block access A rating error could occur for a number of reasons including not being able to access FortiGuard To fix this problem go to Sec...

Page 39: ...ere to forward a packet If a the MAC address of a specific device is getting added to the bridge table then packets to that MAC address will be blocked This may appear as traffic going to a MAC address but no reply traffic coming back In this situation check the bridge table to ensure the correct MAC addresses have been added to the bridge table Use the following CLI command to check the bridge ta...

Page 40: ...he FortiGate unit to factory defaults and try again If all else fails use the CLI command H HFXWH IDFWRU UHVHW When prompted type to confirm the reset Resetting the FortiGate unit to factory defaults will put the unit back into NAT Route mode ...

Page 41: ...vide the recommended upgrade path for the firmware release as well as additional information not available in other documentation Only perform a firmware update during a maintenance window Verifying and updating the FortiGate unit s firmware This example verifies the current version of FortiOS firmware and if necessary updates it to the latest version Check firmware version No action required Curr...

Page 42: ...o http support fortinet com and log in using your Fortinet account user name and password Your FortiGate unit must be registered before you can access firmware images from the Support site Go to Download Firmware Images FortiGate Locate and download the firmware for your FortiGate unit Download and read the Release Notes for this firmware version Always review the Release Notes before installing a...

Page 43: ...m Information Firmware Version select Update Find the firmware image file that you downloaded and select OK to upload and install the firmware build on the FortiGate unit Results The FortiGate unit uploads the firmware image file updates to the new firmware version restarts and displays the FortiGate login This process takes a few minutes From the FortiGate web based manager go to System Dashboard...

Page 44: ...uard services and registered your FortiGate unit the FortiGate should automatically connect to a FortiGuard Distribution Network FDN and display license information about your FortiGuard services In this example you will verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget ...

Page 45: ...nnections are successful A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network or that the FortiGate unit is not registered A red X indicates that the FortiGate unit was able to connect but that a subscription has expired or has not been activated You can also view the FortiGuard connection status by going to System Config FortiGuard THE FORTIGATE COOKBOOK ...

Page 46: ...u cannot unblock the port change it by going to System Config FortiGuard and selecting the service s where communication errors are occurring Under Port Selection select Use Alternate Port Communication errors remain FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031 and destination ports of 53 or 8888 The FDN reply packets would then ha...

Page 47: ...n session yes yes Security events only yes no 1 Recording log messages and enabling event logging 2 Enabling logging in the security policies 3 Results Logging network traffic to gather information This example demonstrates how to enable logging to capture the details of the network traffic processed by your FortiGate unit THE FORTIGATE COOKBOOK ...

Page 48: ... if you have one or to FortiCloud if you have a subscription Each of these options allow you to record and view log messages and to create reports based on them In most cases it is recommended to Send Logs to FortiCloud as shown in the example For more information on FortiCloud see Using FortiCloud to record log messages on page 32 Next enable Event Logging You can choose to Enable All types of lo...

Page 49: ...ecurity Events Log all Sessions can be useful for more detailed traffic analysis but also has a greater effect on system performance and requires more storage Results View traffic logs by going to Log Report Traffic Log Forward Traffic The logs display a variety of information about your traffic including date time source device and destination To change the information shown right click on any co...

Page 50: ...cific session Different types of event logs can be found at Log Report Event Log The example shows the System log that records system events such as administrative logins and configuration changes As with the Forward Traffic log select an entry for further information ...

Page 51: ...ce has been selected in the Log Settings under GUI Preferences The FortiGate unit s performance level has decreased since enabling disk logging If enabling disk logging has impacted overall performance change the log settings to either send logs to a FortiAnalyzer unit a FortiManager unit or to FortiCloud Log All Sessions is enabled on all security policies and cannot be changed This can occur if ...

Page 52: ...st register your FortiGate unit before you can activate FortiCloud Using FortiCloud to record log messages This example describes setting up FortiGate logging to FortiCloud an online log retention service provided by Fortinet It also describes how to use FortiCloud to view and access FortiGate traffic logs FortiGate Internal Network FortiCloud ...

Page 53: ...s 33 Activating FortiCloud Go to System Dashboard Status In the FortiCloud section of the License Information widget select the green Activate button Fill in the required information to create a new FortiCloud account THE FORTIGATE COOKBOOK ...

Page 54: ... from FortiCloud to easily view your logs Enabling logging in the security policies Go to Policy Policy Policy Edit the security policies that control the traffic you wish to log Under Logging Options select either Log Security Events or Log all Sessions depending on your needs In most cases Log Security Events will provide sufficient information in the traffic logs Log all Sessions can be useful ...

Page 55: ...and reports You can access your FortiCloud account at any time by going to www forticloud com Daily Summary reports can also be found through the FortiGate unit by going to Log Report Report FortiCloud You can also configure your FortiCloud account to have these reports emailed to you Logs viewed through the GUI will also now read Log location FortiCloud in the upper right corner THE FORTIGATE COO...

Page 56: ...rtiGate unit The Simple Network Management Protocol SNMP enables you to monitor hardware on your network You configure the hardware such as the FortiGate SNMP agent to report system information and send traps alarms or event messages to SNMP managers In this example you configure the FortiGate SNMP agent and an example SNMP manager so that the SNMP manager can get status information from the Forti...

Page 57: ...Using SNMP to monitor the FortiGate unit 37 Configuring the FortiGate SNMP agent Go to System Config SNMP Configure the SNMP agent THE FORTIGATE COOKBOOK ...

Page 58: ...IP address Netmask to 0 0 0 0 0 0 0 0 and the Interface to ANY so that any SNMP manager on any network connected to the FortiGate unit can use this SNMP community and receive traps from the FortiGate unit Enable the SNMP Events traps that you need In most cases leave them all enabled Enabling SNMP on a FortiGate interface Go to System Network Interfaces Enable SNMP administrative access on the int...

Page 59: ...nd the FortiGate MIB The Fortinet MIB contains traps fields and information that is common to all Fortinet products The FortiGate MIB contains traps fields and information that is specific to FortiGate units Configure the SNMP manager at 192 168 1 114 to receive traps from the FortiGate unit Install the FortiGate and Fortinet MIBs Results This example uses the SolarWinds SNMP trap viewer In the So...

Page 60: ...40 The FortiGate Cookbook 5 0 Choose Select Device enter the IP address of the FortiGate unit and choose the appropriate community string credentials Open the SNMP Trap Receiver and select Launch ...

Page 61: ... perform an action to trigger a trap for example change the IP address of the DMZ interface Verify that the SNMP manager receives the trap On the FortiGate unit view log messages showing the trap was sent by going to Log Report Event Log System THE FORTIGATE COOKBOOK ...

Page 62: ...nal interface 2 Configuring the explicit web proxy for HTTP HTTPS traffic 3 Adding a security policy for proxy traffic 4 Results Setting up an explicit proxy for users on a private network In this example an explicit web proxy is set to accommodate faster web browsing This allows internal users to connect using port 8080 rather than port 80 ...

Page 63: ...Enabling explicit web proxy on the internal interface Go to System Network Interfaces Edit an internal port port 4 in the example Enable both DHCP Server and Explicit Web Proxy Go to System Config Features Ensure that WAN Opt Cache is enabled THE FORTIGATE COOKBOOK ...

Page 64: ...te Cookbook 5 0 Configuring the explicit web proxy for HTTP HTTPS traffic Go to System Network Explicit Proxy and enable the HTTP HTTPS explicit web proxy Ensure that the Default Firewall Policy Action is set to Deny ...

Page 65: ...y Results Configure web browsers on the private network to connect using a proxy server The IP address of the HTTP proxy server is 10 10 1 99 the IP address of the FortiGate internal interface and the port is 8080 the default explicit web proxy port Web browsers configured to use the proxy server are able to connect to the Internet Go to Policy Policy Policy to see the ID of the policy allowing we...

Page 66: ... to help troubleshooting Packet capture is a means of logging traffic and its details to troubleshoot any issues you might encounter with traffic flow or connectivity This example shows the basics of setting up packet capture on the FortiGate unit and analyzing the results FortiGate Internal Network Internet Packet Capture Duplicate Packet Original Packet ...

Page 67: ...200 t Host s can be a single IP or multiple IPs separated by comma IP range or subnet t Port s can be single or multiple separated by comma or range t Protocol can be single or multiple separated by comma or range Use 6 for TCP 17 for UDP and 1 for ICMP Starting the packet capture Select Start to begin the packet capture Using an internal computer or a device set to IP address 192 168 1 200 surf t...

Page 68: ...download the saved pcap file You can also stop the capturing at any time before reaching the maximum number of packets Results Open the pcap file with a pcap file viewer such as tcpdump or Wireshark Adjust the settings in the filter depending on the kind of traffic you wish to capture Go to Log Report Event Log System to verify that the packet capture file downloaded successfully ...

Page 69: ...b server is connected to a DMZ network An internal to DMZ security policy allows internal users to access the web server using an internal IP address 10 10 10 22 A WAN to DMZ security policy hides the internal address allowing external users to access the web server using a public IP address 172 20 120 22 Internet WAN 1 172 20 120 22 FortiGate DMZ DMZ Network Web Server 10 10 10 22 LAN Internal Ne...

Page 70: ...ly grants access if it has been explicitly allowed Using the DMZ interface is recommended but not required Adding virtual IPs Go to Firewall Objects Virtual IPs Virtual IPs Create two virtual IPs one for HTTP access and one for HTTPS access Each virtual IP will have the same address mapping from the public facing interface to the DMZ interface The difference is the port for each traffic type port ...

Page 71: ... HTTP and HTTPS traffic from the Internet to the DMZ interface and the web server Create a second security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and the web server Adding this policy allows traffic to pass directly from the internal interface to the DMZ interface THE FORTIGATE COOKBOOK ...

Page 72: ...10 10 22 and https 10 10 10 22 Go to Policy Monitor Policy Monitor Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server This verifies that the policies are configured correctly Go to Log Report Traffic Log Forward Traffic The traffic log shows sessions from the internal network and from the Internet accessing the web serv...

Page 73: ...ng a static route 2 Creating an internal and wan1 port pair 3 Creating firewall addresses 4 Creating security policies 5 Results Using port pairing to simplify transparent mode When you create a port pair all traffic accepted by one of the paired ports can only exit out the other port Restricting traffic in this way simplifies your FortiGate configuration because security policies between these in...

Page 74: ... Change Set Operation mode to Transparent Log into the FortiGate unit using the management IP in the example 192 168 1 100 Go to System Network Routing Table and set a static route Creating an internal and wan1 port pair Go to System Network Interfaces Create an internal wan1 pair so that all traffic accepted by the internal interface can only exit out of the wan1 interface ...

Page 75: ...ddresses Create an address for the web server using the web server s Subnet IP Create a second address with an IP range for internal users Creating security policies Go to Policy Policy Policy Create a security policy that allows internal users to access the web server using HTTP and HTTPS THE FORTIGATE COOKBOOK ...

Page 76: ...web server to the internal users network and to the Internet using any service Results Connect to the web server from the internal network and surf the Internet from the server itself Go to Log Report Traffic Log Forward Traffic to verify that there is traffic from the internal to wan1 interface ...

Page 77: ...Using port pairing to simplify transparent mode 57 Select an entry for details Go to Policy Monitor Policy Monitor to view the active sessions THE FORTIGATE COOKBOOK ...

Page 78: ...lover detection and spillover load balancing 4 Results Using two ISPs for redundant Internet connections This example describes how to improve the reliability of a network connection using two ISPs The example includes the configuration of equal cost multi path load balancing which efficiently distributes sessions to both Internet connections without overloading either connection ...

Page 79: ...ing connections to the two ISPs Go to System Network Interfaces and configure the wan1 and wan2 connections Make sure that both use DHCP as the Addressing mode and have Retrieve default gateway from server and Override internal DNS enabled THE FORTIGATE COOKBOOK ...

Page 80: ...icy for the primary interface connecting to the ISPs and the internal network Create a security policy for each interface connecting to the ISPs and the internal network Configuring failover detection and spillover load balancing Go to Router Static Settings Create two new Dead Gateway Detection entries ...

Page 81: ...llover Threshold value is calculated in kbps kilobits per second However the bandwidth on interfaces is calculated in kBps kilo Bytes per second For wan1 interface Spillover Threshold 100 kbps 100000 bps Assume that 1000 bps is equal to 1024 bps Thus 100000 bps 102400 bps 102400 8 Bps 12800 Bps Results Go to Log Report Traffic Log Forward Traffic to see network traffic from different source IP add...

Page 82: ...62 The FortiGate Cookbook 5 0 Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically goes through the wan2 port unit until wan1 is available again ...

Page 83: ... Adding a backup FortiGate unit to a currently installed FortiGate unit provides redundancy if the primary FortiGate unit fails This system design is known as High Availability HA and is intended to improve network reliability Switch Switch WAN 1 WAN 1 FortiGate Primary FortiGate Backup Internal Network Internal Internal Dual HA Links Internet WAN 1 FortiGate Primary Internal Network Internal Inte...

Page 84: ... the backup FortiGate unit as shown in the diagram Go to System Dashboard Status Change the host name of the primary FortiGate unit Go to System Config HA Configure the HA settings for the primary FortiGate unit Go to System Dashboard Status Change the host name of the backup FortiGate unit ...

Page 85: ...Configure the HA settings for the backup FortiGate unit Ensure that the Group Name and Password are the same as on the primary FortiGate unit Go to System Config HA to view the cluster information Select View HA Statistics for more information on the cluster THE FORTIGATE COOKBOOK ...

Page 86: ...lity Unplug the Ethernet cable from the WAN1 interface of the primary FortiGate unit Traffic will divert to the backup FortiGate unit Use the ping command to view the results Shut down the primary FortiGate unit and you will see that traffic fails over to the backup FortiGate unit Use the ping command to view the results ...

Page 87: ...ortiGate unit will upgrade automatically Go to System Dashboard Status and view the System Information widget Select Upgrade beside the Firmware Version listing The firmware will load on the primary FortiGate unit and then on the backup unit Go to Log Report Event Log System Go to System Dashboard Status View the System Information widget again Both FortiGate units should have the new firmware ins...

Page 88: ......

Page 89: ...Gate unit which traffic should be allowed and which should be blocked No traffic can pass through a FortiGate unit unless specifically allowed to by a security policy With a security policy you can control the addresses and services used by the traffic and apply various features such as security profiles authentication and VPNs Firewall objects are those elements within the security policy that fu...

Page 90: ...le 4 Results Ordering security policies to allow different access levels This example illustrates how to order multiple security policies in the policy table in order for the appropriate policy to be applied to different network traffic In the example three policies will be used one that allows a specific PC access to all services one that allows only Internet access to other network devices and t...

Page 91: ...e columns right click on the menu bar and select only the columns you wish to see Edit the first policy which allows outgoing traffic Set Service to HTTP HTTPS and DNS This policy now only allows Internet access Creating the policy for the PC Go to System Network Interfaces Edit the LAN interface Under DHCP Server expand the Advanced options Create a new MAC Address Access Control List Set MAC to ...

Page 92: ...nly to the specified IP Go to Policy Policy Policy Create a new policy Set Incoming Interface to LAN Source Address to the PC address and Outgoing Interface to WAN1 Ordering the policy table Use the PC to browse to any Internet site then go to Policy Policy Policy The policy with Seq 1 is the Internet access only policy while 2 is the policy for the PC The Sessions column shows that all sessions a...

Page 93: ...om the LAN interface. If the traffic comes from a different source, the FortiGate will attempt to apply the Internet-access-only policy. If that policy does not match either, the traffic is blocked by the implicit default deny policy. When ordering multiple security policies, the most specific policies (in this case the policy for the PC) must go to the top of the list to ensure that the FortiGate unit checks them first: policies are matched top-down and the first match wins, so a broader policy placed above a specific one shadows it and the specific one is never reached...
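The ordering rule described above, expressed as the equivalent FortiOS 5.0 CLI configuration. This is an added example, not code from the cookbook; the interface names lan and wan1, the PC host address 192.168.1.50, the object name PC_address and the policy IDs are assumptions. The broad Internet-only policy is created first and therefore lands above the PC policy, which reproduces the cookbook's problem; the move command is what fixes the order.

```fortios
# Added example, not from the cookbook. Interface names, the PC address,
# object names and policy IDs are assumptions.
config firewall address
    edit "PC_address"
        set subnet 192.168.1.50 255.255.255.255
        set associated-interface "lan"
    next
end

config firewall policy
    # Broad policy: every internal host, web and DNS only.
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
    # Specific policy: the single PC gets all services.
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "PC_address"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Policies are evaluated top-down and the first match wins. Policy 2
    # was created after policy 1, so it sits below it: the PC's traffic
    # would match srcaddr "all" in policy 1 and never reach policy 2.
    # Put the specific policy above the broad one.
    move 2 before 1
end
```

Check the result with show firewall policy (the order in the output is the evaluation order) or with the Seq column in the GUI; any LAN traffic that matches neither policy falls through to the implicit deny at the bottom of the table.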

Page 94: ...y policy 4. Results. Controlling when BYOD users can access the Internet. This example uses a FortiOS device definition and security policy scheduling to limit Internet use by Bring Your Own Device (BYOD) users during company time. (The FortiGate Cookbook 5.0.4, page 74.) In this example a FortiWiFi unit is used. A similar method can be used to control BYOD access using a FortiAP and a FortiGate ...

Page 95: ...ppear on the definitions list. Devices not yet added may also appear in the list; double-click the entry and enter an Alias to add it. Adding schedules for the use of a BYOD: go to Firewall Objects > Schedule > Schedules. Create a new recurring schedule to suit your needs. The example schedule, when included in a security policy, allows users to access the Internet with their personal wireless devices over ...

Page 96: ...new authentication rule that includes the wireless devices and the new schedule. Results: go to Log & Report > Traffic Log > Forward Traffic. When a mobile user connects during the lunch break, they can surf the Internet, as shown in the logs. When the end of the schedule is reached, further surfing is not possible. This does not appear in the logs, because only allowed traffic is logged; to record the denied attempts as well, enable logging of violation traffic on the implicit deny policy. Evidence that the schedule a...

Page 97: ...irtual IPs to configure port forwarding on a FortiGate unit, which redirects traffic arriving on an external address and port to a port on an internal host. In this example incoming connections from the Internet are allowed access to a server on the internal network by opening TCP ports in the range 7882 to 7999 and UDP ports 2119 and 2995. Open TCP ports 7882-7999 and UDP ports 2119 and 2995 for traffic from the Internet to the server. (Diagram: Internet, Forti...

Page 98: ... virtual IPs. Go to Firewall Objects > Virtual IPs > Virtual IPs. Enable Port Forwarding and add a virtual IP using the TCP protocol with the range 7882-7999. Create a second virtual IP for UDP port 2119 and a third virtual IP for UDP port 2995 ...

Page 99: ...bjects > Virtual IPs > VIP Groups. Create a VIP group that includes all three virtual IPs. Creating a security policy: go to Policy > Policy > Policy. Create a security policy allowing inbound connections to the server from the Internet. Set the Destination Address to the new VIP group. Restrict Service to the forwarded ports rather than ALL, so the policy grants nothing beyond what the VIPs map. THE FORTIGATE COOKBOOK ...

Page 100: ...Results: go to Policy > Monitor > Policy Monitor to see the active sessions. Select the blue bar for more information on a session. Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity ...

Page 101: ...Select an entry for more information about the session ...

Page 102: ...dresses for the wireless network. 3. Adding service objects for multicasting. 4. Adding multicast security policies. 5. Adding inter-subnet security policies. 6. Results. Using AirPlay with iOS, Apple TV, FortiAP and a FortiGate unit. This example sets up AirPlay services for use with an iOS device, using Bonjour and multicast security policies ...

Page 103: ...nterfaces. Edit the internal interface to be used for the FortiAP and set Addressing Mode to Dedicate to FortiAP. Connect the FortiAP unit to the FortiGate unit. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP. Once authorized, it will appear in the authorized list ...

Page 104: ...Go to WiFi Controller > WiFi Network > SSID. Create a WiFi SSID for the wireless users' network and enable DHCP Server. Adding addresses for the wireless network: go to Firewall Objects > Address > Addresses. Create an address for SSID 1 ...

Page 105: ...Create a second address for the internal network containing the OS X computers. Adding two service objects for AirPlay: go to Firewall Objects > Service > Services. Add a service object for each device connection ...

Page 106: ...the Internal network, Outgoing Interface to the SSID and Destination Address to Bonjour. The Bonjour multicast address (mDNS, 224.0.0.251) allows the devices to discover each other when they connect through the FortiGate unit. Go to Policy > Policy > Multicast Policy. Create a policy to allow multicast traffic from WLAN1 and the LAN for iOS devices to Apple TV. Set Incoming Interface to the SSID, Source Address to the SSID IP, Outgoing Interf...

Page 107: ...Address to the Internal network and Outgoing Interface to the SSID. Create a policy allowing traffic from the iOS device to the Apple TV. Set Incoming Interface to the SSID, Source Address to the SSID IP and Outgoing Interface to the LAN. Results: use AirPlay from the iPad to stream video to the Apple TV. Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between WLAN1 and L...

Page 108: ...Select an entry for more information. Go to Log & Report > Traffic Log > Forward Traffic and filter on policy IDs 6 and 7, which allow the AirPlay traffic ...

Page 109: ...Select an entry for more information. Apple TV can also be connected to the Internet wirelessly. AirPlay will function from any iOS device connected to the same SSID as the Apple TV. No security policy is required on the FortiGate unit in that case, because the traffic does not cross between interfaces ...

Page 110: ... the wireless networks and printer. 3. Adding service objects for printing. 4. Adding multicast security policies. 5. Adding inter-subnet security policies. 6. Results. Using AirPrint with iOS and OS X and a FortiGate unit. This example sets up AirPrint services for use with an iOS device and OS X computers, using Bonjour and multicast security policies ...

Page 111: ...o System > Network > Interfaces. Set an internal interface as dedicated to the FortiAP unit. Connect the FortiAP unit to the FortiGate unit. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP. Once authorized, it will appear in the authorized list ...

Page 112: ...Go to WiFi Controller > WiFi Network > SSID. Create a WiFi SSID for the wireless users' network and enable DHCP Server ...

Page 113: ...Create an SSID for the AirPrint printer's network and enable DHCP Server. Adding addresses for the wireless networks and printer: go to Firewall Objects > Address > Addresses. Create addresses for SSID1, SSID2 and the AirPrint printer ...

Page 114: ...e internal network containing the OS X computers. Adding service objects for printing: go to Firewall Objects > Service > Services. Create a new service for Internet Printing Protocol (IPP, TCP port 631) for iOS devices. Create a new service for PDL Data Stream (raw printing, TCP port 9100) for OS X computers ...

Page 115: ...ion Address to Bonjour. For the second policy, set Incoming Interface to WLAN2, Source Address to the SSID2 IP, Outgoing Interface to WLAN1 and Destination Address to Bonjour. The Bonjour address allows the devices to discover each other when they connect through the FortiGate unit. Create two policies to allow multicast traffic between the LAN and WLAN2 for OS X computers. For the first policy, set Incoming Int...

Page 116: ...olicy. Create a policy allowing printing from wireless devices. Set Incoming Interface to WLAN1, Source Address to the SSID1 IP, Outgoing Interface to WLAN2, Destination Address to the AirPrint printer and Service to IPP. Create a policy allowing printing from an OS X computer to the AirPrint printer. Set Incoming Interface to LAN, Source Address to the Internal network, Outgoing Interface to WLAN2, Destination Addre...
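The AirPrint setup from pages 113 to 116 as FortiOS 5.0 CLI: Bonjour multicast policies in both directions between each pair of segments, then unicast policies that allow only the printing service to the printer. This is an added example, not the cookbook's configuration, and the same pattern (discovery via multicast policy, session via a narrow unicast policy) is what the AirPlay example on pages 102 to 109 uses. The interface names lan, wlan1 and wlan2, the subnets, the printer address 10.10.90.10, the object names and the policy IDs are assumptions; the port numbers are the standard ones (IPP on TCP 631, PDL Data Stream on TCP 9100), and Bonjour is a multicast address object present by default in FortiOS.

```fortios
# Added example, not from the cookbook. Interface names, subnets, the
# printer address, object names and policy IDs are assumptions.
config system settings
    set multicast-forward enable
end

config firewall address
    edit "internal_net"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "ssid1_net"
        set subnet 10.10.80.0 255.255.255.0
        set associated-interface "wlan1"
    next
    edit "ssid2_net"
        set subnet 10.10.90.0 255.255.255.0
        set associated-interface "wlan2"
    next
    edit "airprint_printer"
        set subnet 10.10.90.10 255.255.255.255
    next
end

# mDNS (224.0.0.251) has to cross between segments in both directions so
# that clients and printer can find each other. Multicast policies only
# pass the discovery traffic; they grant no unicast access.
config firewall multicast-policy
    edit 1
        set srcintf "wlan1"
        set dstintf "wlan2"
        set srcaddr "ssid1_net"
        set dstaddr "Bonjour"
        set action accept
    next
    edit 2
        set srcintf "wlan2"
        set dstintf "wlan1"
        set srcaddr "ssid2_net"
        set dstaddr "Bonjour"
        set action accept
    next
    edit 3
        set srcintf "lan"
        set dstintf "wlan2"
        set srcaddr "internal_net"
        set dstaddr "Bonjour"
        set action accept
    next
    edit 4
        set srcintf "wlan2"
        set dstintf "lan"
        set srcaddr "ssid2_net"
        set dstaddr "Bonjour"
        set action accept
    next
end

config firewall service custom
    edit "IPP_631"
        set tcp-portrange 631
    next
    edit "PDL_9100"
        set tcp-portrange 9100
    next
end

# Unicast policies: only the printer, only the printing service. Nothing
# else on the printer SSID becomes reachable from the clients.
config firewall policy
    edit 20
        set srcintf "wlan1"
        set dstintf "wlan2"
        set srcaddr "ssid1_net"
        set dstaddr "airprint_printer"
        set action accept
        set schedule "always"
        set service "IPP_631"
        set logtraffic all
    next
    edit 21
        set srcintf "lan"
        set dstintf "wlan2"
        set srcaddr "internal_net"
        set dstaddr "airprint_printer"
        set action accept
        set schedule "always"
        set service "PDL_9100"
        set logtraffic all
    next
end
```

There is deliberately no policy from wlan2 (the printer) back to the client segments: the print sessions are initiated by the clients, and the implicit deny keeps the printer from opening connections into the LAN.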

Page 117: ...nt from an iOS device. Go to Log & Report > Traffic Log > Multicast Traffic to see the Bonjour discovery traffic passing through the FortiGate unit. Select an entry to see more information. Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service ...

Page 118: ... Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit. Select an entry to see more information. Go to Log & Report > Traffic Log > Forward Traffic and filter on destination interface WLAN2. Select an entry to see more information ...

Page 119: ...trol website access. Security Features. Security features, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering and data leak prevention (DLP), apply core security functions to the traffic accepted by your FortiGate unit. Each security feature has a default profile. You can also create custom profiles to meet the needs of your network. These profiles are then appli...

Page 120: ... to the traffic. Monitoring your network using client reputation. Client reputation allows you to monitor traffic as it flows through your FortiGate unit to identify users who may be engaging in risky or dangerous behavior. A variety of areas can be monitored, depending on what concerns you have about activity on your network. In this example, particular attention will be given to any traffic ...

Page 121: ... Client Reputation > Threat Level Definition. Enable Client Reputation Tracking. Assign a Risk Level Value to each category based on your traffic concerns and needs. In the example, the value for P2P Applications has been raised to Critical; all other categories have been left at their default level. Enabling client reputation also enables the Log Allowed Traffic setting for all security policies, which increases log volume on the unit. For mor...

Page 122: ...eaches are imminent. Select a blue bar to view more information about a particular user's activity, including the application being used and the client reputation score. If you wish to continue to monitor user behavior and are either using FortiCloud for logging or have an SMTP email server, daily or weekly client reputation reports can be sent to you. Client Reputation only monitors risky activity; it ...

Page 123: ... 3. Reviewing the application control monitor. 4. Creating an application sensor to block applications. 5. Adding the blocking sensor to a security policy. 6. Results. Controlling network access using application control. This example uses application control to monitor traffic and determine which applications are contributing to high bandwidth usage or distracting employees. After this is determined, a diffe...

Page 124: ...con in the upper right corner of the window to create a new sensor list for monitoring application traffic. Select Create New to add a new application filter. Leave all Filter Options selected. Ensure that you set the Action to Monitor: at this stage you are observing the traffic to locate any problems that may be occurring, not blocking applications ...

Page 125: ...Adding the monitoring sensor to a security policy: go to Policy > Policy > Policy. Edit the security policy that allows internal users to access the Internet. Under Security Profiles, enable Application Control and set it to use the new sensor ...

Page 126: ...ils on the usage statistics. In the example you can see an occurrence of an HTTP segmented download, which typically occurs during peer-to-peer (P2P) downloads. To prevent this in the future, P2P applications must be blocked. Creating an application sensor to block applications: go to Security Profiles > Application Control > Application Sensors and create a new sensor list for blocking applicati...

Page 127: ...as blocking P2P, other categories of applications known to distract employees can be selected. Ensure that you set the Action to Block. Adding the blocking sensor to a security policy: go to Policy > Policy > Policy. Edit the firewall policy allowing internal users to access the Internet. Under Security Profiles, enable Application Control and set it to use the new sensor ...

Page 128: ... Log > Forward Traffic. You can see the sensor is working and blocking the traffic from the selected application types, including the P2P application Skype. Select an entry to view more information, including the application name and the device the traffic originated from ...

Page 129: ...4. Results. Protecting a web server from external attacks. This example uses the FortiOS intrusion protection system (IPS) to protect a web server by configuring an IPS sensor against common attacks and adding it to the policy that allows external traffic to reach the server. A denial of service (DoS) policy is also added to further protect the server against that specific type of at...

Page 130: ...r to protect against common attacks: go to Security Profiles > Intrusion Protection > IPS Sensors. Select the plus icon in the upper right corner of the window to create a new sensor. Create a new IPS filter. Set the Target to server and set the Action to Block All ...

Page 131: ...allowing traffic to the web server from the Internet. Enable IPS and set it to use the new sensor. Adding a DoS security policy: go to Policy > Policy > DoS Policy. Create a new policy. The Incoming Interface is your Internet-facing interface. In the Anomalies list, enable Status and Logging and set the Action to Block for all types. Leave the thresholds at their defaults unless you have measured normal traffic rates: a threshold set below the server's legitimate peak will block real clients ...

Page 132: ...the correct server IP. Perform a TCP SYN flood against the web server IP address, from a test host you control. The DoS policy blocks the SYN sessions once the tcp_syn_flood anomaly threshold is reached, in this case 20. Go to Log & Report > Security Log > Intrusion Protection to view the results of the DoS policy. Select an entry to view more information, including the severity of the attack and the attack name ...

Page 133: ...sensor to a security policy. 4. Results. Blocking outgoing traffic containing sensitive data. Data leak prevention (DLP) analyzes outgoing traffic and blocks sensitive information from leaving the network. In this example DLP will be used to block files using the file's name and type. (Diagram: Internet, Data Leak, Internal Network, FortiGate) ...

Page 134: ...ct Create New to make a File Filter Table. Create a new filter in the table. Set the Filter Type to File Name Pattern and enter the pattern you wish to match; if needed, you can use a wildcard character in the pattern. Create a second filter, this time setting the Filter Type to File Type, and select a File Type from the list. The File Type filter identifies the type from the file's content rather than its name, so it still matches a file that has been renamed to evade the name pattern ...

Page 135: ...on Sensors. Select the plus icon in the upper right corner of the window to create a new sensor. Select Create New to make a new filter. Set the type to Files. Enable File Type included in and set it to your file filter. Under Examine the following Services, select the services you wish to monitor with DLP. Set the Action to Block ...

Page 136: ...icy > Policy. Edit the security policy that controls the traffic you wish to block. Enable DLP Sensor and set it to use the new sensor. Results: attempt to upload a file that matches the file filter criteria using FTP. The file should be blocked and a message from the server should appear ...

Page 137: ...ut the blocked traffic, go to Log & Report > Traffic Log > Forward Traffic. The selected log message shows the name of the file that was blocked (File_pattern_text.exe), the type of file filter that blocked it (file type) and a variety of other information which may be useful ...

Page 138: ...Blocking large files from entering the network. Some files are too large to be scanned by a FortiGate unit's antivirus, which can put your network at risk because an oversized file is passed through unscanned by default. This example configures data leak prevention (DLP) to block files larger than 10 MB (10,000 kB) from entering the network. (Diagram: Internet, Large file containing a virus, Internal Network, FortiGate) ...

Page 139: ...Leak Prevention > Sensors. Select the plus icon in the upper right corner of the window to create a new sensor. Select Create New to make a new filter and set the filter type to Files. Enable File Size and set the size to 10,000 kB. Select all of the services you wish to examine and set the Action to Block ...

Page 140: ...block. Under Security Features, enable DLP Sensor and set it to use the new sensor. Results: attempt to download a file larger than 10 MB. The download will fail and a replacement message from the FortiGate unit will appear. The DLP sensor does not apply to sessions that were already established when the policy was changed, so if the file is not blocked immediately, wait for those sessions to expire (the cookbook suggests 24 hours) and try again, or clear them from the CLI with diagnose sys session clear, which drops every active session on the unit ...
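Both DLP examples (blocking outbound files by name pattern or detected type, pages 133 to 137, and blocking inbound files over 10 MB, pages 138 to 140) as FortiOS 5.0 CLI. This is an added example, not the cookbook's configuration; the file pattern table ID 10, the sensor name, the .exe pattern and the policy ID 1 are assumptions. Both filters are placed in one sensor on the outbound policy, because downloads over HTTP are the reply half of an outbound session and are examined by the same sensor.

```fortios
# Added example, not from the cookbook. Table ID, sensor and filter names,
# the pattern and the policy ID are assumptions.
config dlp filepattern
    edit 10
        set name "blocked_files"
        config entries
            # Name pattern with a wildcard: anything ending in .exe.
            edit "*.exe"
                set filter-type pattern
            next
            # File type is detected from the content, so a renamed
            # executable still matches this entry.
            edit "exe"
                set filter-type type
                set file-type exe
            next
        end
    next
end

config dlp sensor
    edit "dlp_files"
        config filter
            # Outbound: block matching files on upload and mail.
            edit 1
                set name "executables leaving"
                set type file
                set proto smtp http-post ftp
                set filter-by file-type
                set file-type 10
                set action block
            next
            # Inbound: block anything over 10 MB (file-size is in kB)
            # on download and mail retrieval.
            edit 2
                set name "files over 10 MB"
                set type file
                set proto http-get ftp pop3 imap
                set filter-by file-size
                set file-size 10000
                set action block
            next
        end
    next
end

# Apply the sensor on the outbound Internet policy (assumed ID 1).
config firewall policy
    edit 1
        set utm-status enable
        set dlp-sensor "dlp_files"
        set profile-protocol-options "default"
    next
end
```

After applying, clear existing sessions (diagnose sys session clear) before testing, otherwise a download started earlier keeps flowing under the old policy state.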

Page 141: ...e. 2. Adding the web filter profile to a security policy. 3. Results. Blocking access to specific websites. This example sets up the FortiGate unit to block users from viewing a specific website using web filtering. (Diagram: Website, Internal Network, Block, FortiGate) ...

Page 142: ...t the URL to *.fortinet.com, using * as a wildcard character in order to block all subdomains of the site. Set the Type to Wildcard and the Action to Block. Adding the web filter profile to a security policy: go to Policy > Policy > Policy. Edit the policy controlling the traffic you wish to block from the website. Under Security Profiles, enable Web Filter and set it to use the new profile ...

Page 143: ...et.com and docs.fortinet.com. In both cases the FortiGate unit displays a message stating that the website is blocked. This example only blocks HTTP web traffic; the URL filter cannot see the requested URL inside an HTTPS connection without SSL inspection. In order to block HTTPS traffic as well, see Blocking HTTPS traffic with web filtering on page 125 ...
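The URL filter from pages 141 to 143 as FortiOS 5.0 CLI. This is an added example, not the cookbook's configuration; the URL filter table ID 5, the profile name and the policy ID 1 are assumptions. The wildcard entry is exactly the one the cookbook describes.

```fortios
# Added example, not from the cookbook. Table ID, profile name and
# policy ID are assumptions.
config webfilter urlfilter
    edit 5
        set name "blocked_sites"
        config entries
            # Wildcard: matches every subdomain of fortinet.com.
            edit 1
                set url "*.fortinet.com"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

# Web filter profile that uses the URL filter table.
config webfilter profile
    edit "block_fortinet"
        config web
            set urlfilter-table 5
        end
    next
end

# Apply it on the outbound policy (assumed ID 1).
config firewall policy
    edit 1
        set utm-status enable
        set webfilter-profile "block_fortinet"
        set profile-protocol-options "default"
    next
end
```

As configured, only HTTP requests are matched; an https:// request to the same host passes until an SSL inspection profile is also attached to the policy, as on pages 145 to 149.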

Page 144: ...cles. If web filtering is enabled in a policy, go to System > Config > FortiGuard and click the blue arrow beside Web Filtering. Under Port Selection, select Use Alternate Port (8888). Select Apply to save the changes. Check whether the license is shown as active; if it is still inactive or expired, switch back to the default port and check again. Websites blocked using the FortiGuard Categories are not consistentl...

Page 145: ...e profiles to a security policy. 5. Results. This example requires an active license for FortiGuard Web Filtering Services. Blocking HTTPS traffic with web filtering. Some websites, such as YouTube, are accessible using HTTPS. This example shows how to use web filtering together with SSL inspection to block HTTPS access. (Diagram: Website, Internal Network, Block HTTPS Traffic, FortiGate) ...

Page 146: ...ortiGuard Services are enabled: go to System > Dashboard > Status. In the License Information widget, verify that you have an active subscription to FortiGuard Web Filtering. If you have a subscription, the service will have a green checkmark beside it ...

Page 147: ...rofile. Enable FortiGuard Categories and expand the category Bandwidth Consuming. Right-click on Streaming Media and Download (the category to which YouTube belongs) and select Block. Creating an SSL inspection profile: go to Policy > Policy > SSL Inspection. Select the plus icon in the upper right corner to create a new profile. Enable inspection of the HTTPS protocol. Inspecting HTTPS means the FortiGate re-signs server certificates with its own CA, so browsers on the internal network must trust that CA certificate or every inspected site will show a certificate warning ...

Page 148: ...Adding the profiles to a security policy: go to Policy > Policy > Policy. Edit the security policy controlling the traffic you wish to block. Under Security Profiles, enable Web Filter and SSL Inspection and set both to use the new profiles ...

Page 149: ...Results: browse to https://www.youtube.com. A replacement message appears indicating that the website was blocked. Blocked traffic can be monitored by going to Security Profiles > Monitor > Web Monitor ...

Page 150: ...cy. 4. Results. This example requires an active license for FortiGuard Web Filtering Services. Using web filter overrides to control website access. This example shows two methods of using web filter overrides to control access to specific websites: one for the entire network and one for specific users. Method 2: 1. Creating a user group and two users. 2. Creating a web filter profile. 3. Adding the web filter...

Page 151: ...g Overrides. Create a new override and enter the URL fortinet.com. Select Lookup Rating to see its current FortiGuard rating. Set Category to Custom Categories (local categories) and create a new Sub-Category for blocked sites. The sub-category is added to the list of FortiGuard Categories under Local Categories ...

Page 152: ...b Filter > Profiles. Create a new profile and enable FortiGuard Categories. Right-click on Local Categories and select Block. Adding the web filter profile to a security policy: go to Policy > Policy > Policy. Edit the policy that allows outbound traffic. Under Security Profiles, enable Web Filter and set it to use the new profile ...

Page 153: ...b Filtering will appear. Rating overrides can also be used to allow access to specific sites within a FortiGuard category, such as General Interest - Personal, while still blocking the rest of the sites in that category. Method 2. Creating a user group and two users: go to User & Device > User > User Groups. Select Create New and create the group override_group ...

Page 154: ...Go to User & Device > User > User Definition. Using the User Creation Wizard, create two users; in the example, ckent and bwayne. Assign ckent to override_group but not bwayne ...

Page 155: ...oup(s) to override_group. Set Assign to Profile to default to use it as the alternate web filter profile for override_group users. Because the default web filter profile does not block Local Categories, using it will allow ckent to access fortinet.com for the duration of the override period; by default, Duration is set to 15 minutes. Adding the web filter profile to a security policy: go to Policy > Policy > Policy ...

Page 156: ...verride_profile. Results: in a web browser, go to www.fortinet.com. After the user authentication screen, the website is blocked and a replacement message from FortiGuard Web Filtering appears. Select Override; you are prompted to authenticate to view the page. User bwayne is not able to override the web filter and receives an error message ...

Page 157: ...ckent is able to override the filter and can access the site for 15 minutes. You can monitor web filter overrides by going to Log & Report > Traffic Log > Forward Traffic. Select an entry for more information about a session, including the user and hostname ...


Page 159: ...S WiFi networking provides a wide range of capabilities for integrating wireless networks into your organization's network architecture. Each WiFi network, or SSID, is represented by a virtual network interface to which you can apply firewall policies, security profiles and other features in the same way you would for physical wired networks. This chapter contains the following examples ...

Page 160: ... Creating a security policy to allow guest users Internet access. 5. Creating a guest user management account. 6. Results. Setting up a temporary guest WiFi user. In this example a temporary user account will be created and given to a guest, allowing the guest wireless access to the Internet. (Diagram: Guest WiFi User, FortiAP, Internet, Internal Network, FortiGate) ...

Page 161: ...erface to be Dedicated to FortiAP. Connect the FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAPs and right-click on the FortiAP unit. Select Authorize. Using the DMZ interface keeps the guest network separate from the internal one: no traffic crosses from it unless a security policy explicitly allows it, so guest access can be carefully controlled ...

Page 162: ...ng a captive portal: go to WiFi Controller > WiFi Network > SSID. Create a new SSID. Set Traffic Mode to Tunnel to Wireless Controller and enable DHCP Server, taking note of the IP range assigned. Under WiFi Settings, set Security Mode to Captive Portal and User Groups to the new guest user group. A captive portal intercepts connections to the wireless network and displays a login screen on the guest user...

Page 163: ... WiFi users. Use the DHCP IP range for Subnet / IP Range and set the Interface to the wireless interface. Go to Policy > Policy > Policy. Create a security policy allowing guest users wireless access to the Internet. Set Incoming Interface to the wireless interface, Outgoing Interface to your Internet-facing interface and Source Address to the guest WiFi users address. Do not create a policy from the guest SSID to the internal interfaces; without one, the implicit deny keeps guests off the corporate network ...

Page 164: ...used only to create guest accounts. Access to this account can be given to a receptionist to simplify the process of making new accounts. Go to System > Admin > Administrators. Create a new account. Set the Type to Regular and set a Password. Enable Restrict to Provision Guest Accounts and set Guest Groups to the WiFi guest user group; this restriction is what prevents the receptionist's account from changing any other part of the FortiGate configuration ...

Page 165: ...ct Create New. Use a guest's email address to create a new user ID. The FortiGate unit generates a user account and password. This account is only valid for four hours, the default time limit for the guest user group. The guest can now log in using the FortiGate captive portal. Once authenticated, the guest is able to connect wirelessly to the Internet ...

Page 166: ...To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor. Go to Policy > Monitor > Policy Monitor and verify the active sessions. Select one of the bars to view more information about a session ...

Page 167: ...uring the internal wired network to use DHCP. 2. Creating the internal wireless network. 3. Results. Setting up a network using a FortiGate unit and a FortiAP unit. This example sets up a wired network and a wireless network that are in the same subnet. This allows wireless and wired users to share network resources ...

Page 168: ...ired network to use DHCP. Edit the internal interface. Set Addressing mode to Manual and enable DHCP server. Take note of the IP range. Go to Firewall Objects > Address > Addresses. Set Type to IP Range and set Subnet / IP Range to the IP range from the DHCP server ...

Page 169: ...ired network to access the Internet. Creating the internal wireless network: connect the FortiAP to the internal interface. Go to WiFi Controller > Managed Access Points > Managed FortiAPs and right-click on the FortiAP unit. Select Authorize. It may take a few minutes for the FortiAP unit to appear on the Managed FortiAPs list ...

Page 170: ...h FortiAP's Interface. Bridge mode is more efficient than Tunnel mode, because only control traffic (including authentication) goes through the CAPWAP tunnel to the FortiGate, while client data is bridged locally at the FortiAP. Bridge mode is also required to have the wired and wireless networks on the same subnet. The trade-off is that in bridge mode traffic between wireless clients and wired hosts on that subnet does not pass through the FortiGate, so no security policy or security profile is applied to it. Go to WiFi Controller > WiFi Network > Custom AP Profiles. Select Create New. Set SSID for both Radio 1 and Radio 2 to the new SSID ...

Page 171: ... the new profile. Results: users connected to the new SSID will be able to access the Internet. The wireless devices will be in the same subnet as the internal wired network. Go to WiFi Controller > Monitor > Client Monitor to see WiFi users and their IP addresses. Go to Log & Report > Traffic Log > Forward Traffic to verify that the same policy controls both wired and wireless traffic ...

Page 172: ...ct to the FortiGate unit. 5. Connecting to the FortiGate unit remotely. 6. Results. Providing remote users access to the corporate network and Internet. In this example a user in a remote location, such as a hotel or their home, will use a FortiAP unit to connect securely to the corporate network and browse the Internet from behind the corporate firewall. (Diagram: Internet, Internal Network, Remote User, FortiAP, Forti...

Page 173: ... a different port, but for ease of use an internal port is preferred. Configure the port by going to System > Network > Interfaces. Set the Addressing mode to Dedicate to FortiAP. Go to WiFi Controller > Managed Access Points > Managed FortiAP. The FortiAP unit should be listed, with an orange question mark icon under State. Right-click on the icon and select Authorize. Now that the FortiAP unit i...

Page 174: ...ake note of the IP range. Configure the WiFi Settings with a unique SSID name and a strong Pre-shared Key; this key is all that protects the remote SSID, since the FortiAP will be used on untrusted networks. Go to Firewall Objects > Address > Addresses. Create addresses for both the remote users and the corporate network. For the remote users, set Type to IP Range; the range should be within the range used by the DHCP server. Set Interface to the new SSID ...

Page 175: ...e the corporate network's IP address. Set Interface to an internal interface. Creating security policies: go to Policy > Policy > Policy. Create a policy that allows remote wireless users to access the Internet. Set the Incoming Interface to the SSID and the Outgoing Interface to your Internet-facing interface ...

Page 176: ...rface to the SSID, but now the Outgoing Interface is an internal interface. Configuring the FortiAP unit to connect to the corporate FortiGate unit: go to WiFi Controller > Managed Access Points > Managed FortiAPs and note the IP Address assigned to your FortiAP. Enter the address into your browser's address bar to access the FortiAP web manager ...

Page 177: ...terface when it tries to connect. The remote user may now take this device to the desired remote location to connect securely to the corporate FortiGate unit. Connecting to the corporate FortiGate remotely: at the remote location, connect the FortiAP to the Internet using an Ethernet cable. Next, connect the FortiAP to power. Once connected, the FortiAP requests an IP address and locates the FortiGate wir...

Page 178: ...lient Monitor to see remote wireless users connected to the FortiAP unit. Go to Log & Report > Traffic Log > Forward Traffic to see remote wireless users appear in the logs. Select an entry to view more information about remote traffic to the corporate network and to the Internet ...

Page 179: ...tes. Authentication. Authentication, the act of confirming the identity of a person or device, is a key part of network security. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security polic...

Page 180: ... 5. Adding a firewall address for the internal network. 6. Adding a security policy that includes an authentication rule. 7. Results. Providing Single Sign-On for a Windows AD network with a FortiGate. This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a FortiGate unit into the Windows AD domain. (Diagram: Internet, Windows AD, Internal Network, FortiGate, FSSO Agent, FSSO Collector Agent) ...

Page 181: ...Installing the FSSO Collector Agent: run the setup for the Fortinet SSO Collector Agent. After logging in, configure the agent settings. Add the Collector Agent address information ...

Page 182: ...Select the domains to monitor and any users whose activity you do not wish to monitor (service accounts that log on to many hosts, for example). Set the working mode and complete the installation ...

Page 183: ...ill also enter this password when configuring FSSO on the FortiGate unit. Configuring the FortiGate unit to connect to the FSSO agent: on the FortiGate unit, go to User & Device > Authentication > Single Sign-On. Enter the Collector Agent's address and the password that was set in the previous step. Adding an FSSO user group: on the FortiGate unit, go to User & Device > User > User Groups ...

Page 184: ...irewall address for the internal network: go to Firewall Objects > Address > Addresses. Adding a security policy that includes an authentication rule: go to Policy > Policy > Policy. Add an accept user-identity security policy and add the new FSSO group ...

Page 185: ...Results: go to Log & Report > Traffic Log > Forward Traffic. As users log into the Windows AD domain, the FortiGate receives their logon events from the Collector Agent and matches traffic from their IP addresses to the FSSO group. Select an entry for more information ...

Page 186: ...anced mode for a Windows AD network. Using Fortinet Single Sign-On, the FortiGate unit automatically authenticates any user that successfully logs into Windows. The Domain Controller agent Advanced mode has the advantage of supporting nested or inherited user groups. If Standard mode is used, the FortiGate unit can authenticate only users who are direct members of a group. (Diagram: Internet, Windows AD, Internal...

Page 187: ...tiGate unit. Configuring the FSSO agent. Go to User & Device > Authentication > Single Sign-On to enter the information the FortiGate unit needs to access the DC agent. After you select Apply & Refresh, the Windows AD groups are listed. This confirms that the FortiGate unit can communicate with the DC agent. On a Windows AD network with a large number of groups, the FortiGate unit's performance might be affected...

Page 188: ...include in the FortiGate FSSO user group. Creating an identity-based security policy. Create an identity-based security policy that uses the FSSO user group that you created. Results. The Windows AD user, having authenticated at logon, does not have to authenticate again to connect to the Internet ...

Page 189: ... policy to allow the FSSO user group access. 6. Results. Providing Single Sign-On for Windows AD with LDAP. A logged-on Windows user can be automatically authenticated on a FortiGate unit through Fortinet Single Sign-On. Some Windows AD systems use an external LDAP server; FSSO can also accommodate this configuration. (Diagram labels: Port 1, Internet, Internal Network, WAN 1, FortiGate, Windows AD Domain Controller, 192.168.1...

Page 190: ...on needed to connect the FortiGate unit to the external LDAP server. Configuring the DC agent as an FSSO agent. Go to User & Device > Authentication > Single Sign-On to enter the information the FortiGate unit needs to access the DC agent. Select the LDAP Server. In Users/Groups, use the Edit Users/Groups tab to select user groups from the LDAP tree ...

Page 191: ... Enter the FortiGate unit serial number and specify which user groups the DC agent should monitor for the FortiGate unit. Select Add again. To avoid adversely affecting the FortiGate unit's performance, configure the filter to send information only for the groups you intend to authenticate. Creating an FSSO user group and adding AD user groups. Go to User & Device > User > User Groups. Create a Fortinet Singl...

Page 192: ...y policy to allow the FSSO user group access. Create identity-based security policies that use the FSSO user group that you created. Results. The Windows AD user, having authenticated at logon, does not have to authenticate again to connect to the Internet ...

Page 193: ...the web browser. Preventing security certificate warnings when using SSL inspection. This example illustrates how to prevent your users from getting a security certificate error, which happens because an SSL session is established with the SSL proxy, not the destination website. Instead of having users select Continue when they receive an error (a bad habit to encourage), you will provide them with the Fo...

Page 194: ...tificate file available to your users. Importing the CA certificate into the web browser. For Internet Explorer: Go to Tools > Internet Options. On the Content tab, select Certificates and find the Trusted Root Certification Authorities. Import the certificate using the Import Wizard. Make sure that the certificate is imported into Trusted Root Certification Authorities. You will see a warning because the F...

Page 195: ...ings when using SSL inspection 175. For Firefox: Depending on platform, go to Tools > Options or Edit > Preferences and find the Advanced Encryption settings. View Certificates, specifically the Authorities certificate list ...

Page 196: ...you bypass the error message by selecting Continue to this website, the browser may still show an error in the toolbar. After you install the FortiGate SSL CA certificate, there will be no certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection ...

Page 197: ...ill in the required fields. The certificate must then be either self-signed or signed by a third party. Finally, import the new certificate. Certificate warnings appear when users attempt to authenticate: Go to User & Device > Authentication > Settings and set Certificate to use the correct certificate. The wrong certificate appears when using an SSL VPN: Go to VPN > SSL > Config and set Server Certificate to use t...

Page 199: ...gured with FortiGate unit SSL VPN and IPsec VPN. SSL VPN configuration requires an SSL VPN web portal for users to log into, a user authentication configuration for SSL VPN users, and the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. IPsec supports a similar client/server architecture as SSL VPN. However, to support a client/server architecture, IP...

Page 200: ...Q security policy and static route. 4. Configure the Branch IPsec VPN Phase 1 and Phase 2 settings. 5. Add Branch firewall addresses for the local and remote LAN. 6. Create a Branch IPsec security policy and static route. 7. Results. Using IPsec VPN to provide communication between offices. This example provides secure, transparent communication between two FortiGates located at different offices using route...

Page 201: ...es 181. Configuring the HQ's IPsec VPN. On the HQ FortiGate, go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1. Set IP Address to the IP of the Branch FortiGate, Local Interface to the Internet-facing interface, and enter a Pre-shared Key ...

Page 202: ...nced options. Specify Source address as the HQ subnet and Destination address as the Branch subnet. Adding firewall addresses for the local and remote LAN on HQ. Go to Firewall Objects > Address > Addresses. Create a local address. Set Type to Subnet, Subnet/IP Range to the HQ subnet, and Interface to an internal port ...

Page 203: ...licy > Policy. Create a policy for outbound traffic. Set Incoming Interface to an internal port, Source Address to the local address, Outgoing Interface to the VPN Phase 1, and Destination Address to the remote LAN address. Create a second policy for inbound traffic. Set Incoming Interface to the VPN Phase 1, Source Address to the local address, Outgoing Interface to an internal port, and Destination Address ...

Page 204: ...menu is not visible, go to System > Config > Features to ensure that Advanced Routing is turned on. Configuring the Branch's IPsec VPN. On the Branch FortiGate, go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1. Set IP Address to the IP of the HQ FortiGate, Local Interface to the Internet-facing interface, and enter the same Pre-shared Key used previously ...

Page 205: ...anced options. Specify Source address as the Branch subnet and Destination address as the HQ subnet. Adding firewall addresses for the local and remote LAN on HQ. Go to Firewall Objects > Address > Addresses. Create a local address. Set Type to Subnet, Subnet/IP Range to the Branch subnet, and Interface to an internal port ...

Page 206: ...olicy. Create a policy for outbound traffic. Set Incoming Interface to an internal port, Source Address to the local address, Outgoing Interface to the VPN Phase 1, and Destination Address to the remote LAN address. Create a second policy for inbound traffic. Set Incoming Interface to the VPN Phase 1, Source Address to the local address, Outgoing Interface to an internal port, and Destination Address to the...

Page 207: ...tatus of the VPN tunnel. It should be up. A user on either of the office networks should be able to connect to any address on the other office network transparently. From the HQ FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic to verify that both inbound and outbound traffic is occurring. To verify traffic on the Branch FortiGate unit as well, go to Log & Report > Traffic Log > Forward Traffic ...

Page 208: ...for access to the Internet and internal network. 5. Setting the FortiGate unit to verify users have current antivirus software. 6. Results. Providing remote users with access using SSL VPN. This example provides remote users with access to the corporate network using SSL VPN and connection to the Internet through the corporate FortiGate unit. During the connecting phase, the FortiGate unit will also verif...

Page 209: ...ode and/or web mode. In this scenario we are using both modes. Enable Split Tunneling is not enabled, so that all Internet traffic will go through the FortiGate unit and be subject to the corporate security profiles. Select Create New in the Include Bookmarks area to add a bookmark for a remote desktop link connection. Bookmarks are used as links to internal network resources ...

Page 210: ...0. Creating a user and a user group. Go to User & Device > User > User Definition. Add a remote user with the User Creation Wizard (in the example, twhite). Go to User & Device > User > User Groups. Add the user to a user group for SSL VPN connections ...

Page 211: ...internal network. Go to Policy > Policy > Policy. Add a security policy allowing access to the internal network. Set Type to VPN and Subtype to SSL-VPN. If your FortiGate unit does not have the Policy-based IPsec feature turned on, you will only have to set Policy Type to VPN. Set Incoming Interface to your Internet-facing interface, Local Interface to an internal port, and Local Protected Subnet to the addre...

Page 212: ...nterface is your Internet-facing interface. Setting the FortiGate unit to verify users have current antivirus software. Go to System > Status (Dashboard). In the CLI Console widget, enter the commands on the right to enable the host check for compliant antivirus software on the remote user's computer. Results. Log into the portal using the credentials you created in step two ...

Page 213: ... the host check. After the check is complete, the portal appears. Select the bookmark Remote Desktop link to begin an RDP session. Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode ...

Page 214: ...ew the details for the SSL entry. In the Tunnel Mode widget, select Connect to enable the tunnel. Select the bookmark Remote Desktop link to begin an RDP session. Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Tunnel description indicates that the user is using tunnel mode ...

Page 215: ...o to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry. Go to Log & Report > Traffic Log > Forward Traffic. Internet access occurs simultaneously through the FortiGate unit. Select an entry to view more information ...

Page 216: ...s to the internal network and the Internet. 5. Configuring VPN on the iOS device. 6. Results. Providing secure remote access to a network for an iOS device. This recipe uses the VPN Wizard to provide a group of remote iOS users with secure, encrypted access to the corporate network. The example enables group members to access the internal network and forces them through the FortiGate unit when accessing t...

Page 217: ...User Definition. Create a new user. Go to User & Device > User > User Groups. Create a user group for iOS users and add the user you created. Adding addresses for the local LAN and remote users. Go to Firewall Objects > Address > Addresses. Add the address for the local network, including the subnet and local interface ...

Page 218: ...E. Select Create VPN Wizard. Name the VPN connection and select Dial Up - iPhone/iPad Native IPsec Client. Click Next. Enter your pre-shared key and select the iOS user group, then click Next. Note that the pre-shared key is a credential for the VPN and should differ from the user's password. Select your Internet-facing interface for the Local Outgoing Interface and enter the IP range from the address rang...

Page 219: ...rk and the Internet. Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the internal network. Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit. Ensure that Enable NAT is checked ...

Page 220: ... the VPN address, user account and password in their relevant fields. Enter the pre-shared key in the Secret field. Results. On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and view the status of the tunnel. Users on the internal network will be accessible using the iOS device. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic ...

Page 221: ...evice 201. Select an entry to view more information. Remote iOS users can also access the Internet securely via the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Select an entry to view more information ...

Page 222: ...he tunnel on the iOS device. On the iPad, go to Settings > General > VPN and view the Status of the connection. Using a ping tool, send a ping packet directly to an IP address on the LAN behind the FortiGate unit to verify the connection through the VPN tunnel ...

Page 223: ...ddresses on FortiGate 1. 4. Configuring security policies on FortiGate 1. 5. Creating redundant IPsec tunnels for FortiGate 2. 6. Configuring IP addresses and OSPF on FortiGate 2. 7. Configuring firewall addresses on FortiGate 2. 8. Configuring security policies on FortiGate 2. 9. Results. Using redundant OSPF routing over IPsec VPN. This example sets up redundant secure communication between two remote network...

Page 224: ...rtiGate 1. Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the primary tunnel. Set IP Address to FortiGate 2's wan1 IP, Local Interface to wan1 (the primary Internet-facing interface), and enter a Pre-shared Key. Select Create Phase 2. Set it to use the new Phase 1 ...

Page 225: ...reate Phase 1 and create the secondary tunnel. Set IP Address to use FortiGate 2's wan2 IP, Local Interface to wan2 (the secondary Internet-facing interface), and enter the Pre-shared Key. Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 2. Set it to use the new Phase 1 ...

Page 226: ...unnel interface and create IP addresses. Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface and create IP addresses. Go to Router > Dynamic > OSPF. Enter the Router ID for FortiGate 1. Select Create New in the Area section. Add the backbone area of 0.0.0.0. Select Create New in the Networks section. Create the networks and select Area 0.0.0.0 for each one ...

Page 227: ...on. Create primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface. Configuring firewall addresses on FortiGate 1. Go to Firewall Objects > Address > Addresses. Edit the subnets behind FortiGate 1 and FortiGate 2 ...

Page 228: ...ry interfaces of FortiGate 2. Configuring security policies on FortiGate 1. Go to Policy > Policy > Policy. Create the four security policies required for both FortiGate 1's primary and secondary interfaces to connect to FortiGate 2's primary and secondary interfaces ...

Page 229: ...Using redundant OSPF routing over IPsec VPN 209 ...

Page 230: ...rtiGate 2. Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the primary tunnel. Set IP Address to FortiGate 1's wan1 IP, Local Interface to wan1 (the primary Internet-facing interface), and enter a Pre-shared Key. Select Create Phase 2. Set it to use the new Phase 1 ...

Page 231: ...t Create Phase 1 and create the secondary tunnel. Set IP Address to use FortiGate 2's IP, Local Interface to wan2 (the secondary Internet-facing interface), and enter the Pre-shared Key. Select Create Phase 2. Set it to use the new Phase 1 ...

Page 232: ...unnel interface and create IP addresses. Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface and create IP addresses. Go to Router > Dynamic > OSPF. Enter the Router ID for FortiGate 2. Select Create New in the Area section. Add the backbone area of 0.0.0.0. Select Create New in the Networks section. Create the networks and select Area 0.0.0.0 for each one ...

Page 233: ...on. Create primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface. Configuring firewall addresses on FortiGate 2. Go to Firewall Objects > Address > Addresses. Edit the subnets behind FortiGate 1 and FortiGate 2 ...

Page 234: ...ry interfaces of FortiGate 1. Configuring security policies on FortiGate 2. Go to Policy > Policy > Policy. Create the four security policies required for both FortiGate 2's primary and secondary interfaces to connect to FortiGate 1's primary and secondary interfaces ...

Page 235: ...Using redundant OSPF routing over IPsec VPN 215 ...

Page 236: ...ute. Verify that traffic flows via the primary tunnel. From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP address 10.21.1.100 behind FortiGate 2, and vice versa. From PC1 you should see that the traffic goes through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2. From PC2 you should see the traffic goes through 10.1.1.1, which is the primary tunnel ...

Page 237: ...ry OSPF route with cost 100 appears on both FortiGate units. Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route. Verify that traffic flows via the secondary tunnel. From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa. From PC1 you should see that the traffic goes through...

Page 239: ...About Fortinet. High Performance Network Security. Q3 2013 ...

Page 240: ...ts issued, 106 patents pending. Corporate Overview. Forward-Looking Market Leadership. Fortinet pioneered an innovative, high-performance network security solution that addresses the fundamental problems of an increasingly bandwidth-intensive network environment and a more sophisticated IT threat landscape. We are a global leading provider of network security appliances and the leader in Unified Threat ...

Page 241: ...exceed market demands as information security threats escalate. IDC, Worldwide Network Security 2013-2017 Forecast and 2012 Vendor Shares, June 2013. ATP is Fortinet estimate. (Figure titles: Threat Landscape Evolution; Network Security Market Evolution) ...

Page 242: ...siliency Score of 95/100, the highest published score on record. Get the full report at http://www.worldsfastestfirewall.com. Designation based on independent third-party field testing by BreakingPoint on Fortinet's FortiGate 5140B with FortiGate 5104C blades. Worldwide Security Appliance Market Share, Q1 2013. 1 IDC Worldwide Security Appliances Tracker, June 2013; market share based on factory revenue. Rank, Com...

Page 243: ...ndors are costly to deploy, complex to manage, and degrade network performance and reliability. The Fortinet UTM Model: Fortinet's fully integrated security technologies offer increased protection, improved performance, reduced costs and greater reliability. (Figure: Consolidated Solution Model) ...

Page 244: ...ccelerated performance, and global threat research and support are the three defining advantages that set Fortinet apart. Fortinet's market-leading technologies enable you to improve your security posture while reducing your costs and simplifying your security infrastructure ...

Page 245: ...rotection from the latest threats. FortiCare Worldwide 24x7 Support. Our FortiCare customer support organization provides global technical support for all Fortinet products, with support staff in the Americas, Europe, the Mid-East and Asia. We offer multiple options for FortiCare contracts so you can obtain the right level of support for your organization's needs. FortiCare: 1-866-648-4638. FortiOS 5: The M...

Page 246: ...dens.” Fortinet's high-performance network security solutions support all of the classic UTM features, including Firewall, VPN, IPS and Secure Web Gateway capabilities (Anti-Malware, URL and Application Control), plus a number of new extended features including integrated switching, wireless controller and advanced threat protection. Fortinet's leadership is further enabled by innovative and aggressive eng...

Page 247: ...rtiGate 3240C, Stonesoft 1302, SonicWALL SuperMassive, Palo Alto PA-5020, HP TippingPoint 6100, CheckPoint 12600; Q1, Q2, Q3, Q4 (chart labels). Fortinet recognized for delivering outstanding enterprise management, security effectiveness and TCO. Fortinet's FortiGate family of consolidated network security appliances delivered proven enterprise-class performance and protection in three NSS Labs independent tests for Next Gene...

Page 248: ...ed Spam. High Performance Network Security Platforms. The Fortinet FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a comprehensive, high-performance array of security and networking functions, including: Firewall, VPN and Traffic Shaping; Application Control; Intrusion Prevention System (IPS); Antimalware; Web Content Filtering; Virtual Appl...

Page 249: ... of a separate wireless network. Single pane of glass management. Integrated wireless controller. Eliminate multiple security system blind spots. Deploy a secure wireless network in minutes. A single device can broadcast up to seven SSIDs, or Virtual Access Points (VAPs), enabling multi-tenant environments. IEEE 802.11n provides concurrent security and WiFi client access on both the 2.4GHz and 5GHz spectrums ...

Page 250: ...FortiGate family of physical and virtual appliances offers a wide range of deployment options to meet your unique network requirements. Fortinet solutions enable your IT team to manage, control and protect your network simply and powerfully ...

Page 251: ... connections. FortiSwitch: Gigabit switching that delivers up to 960 Gbps switch throughput. FortiBridge: Preserves availability of network resources in the event of a power failure or a device malfunction. FortiDDoS: Provides up to 3 Gbps full-duplex protection. FortiWeb: Application firewall that inspects up to 70,000 HTTP transactions/second. FortiClient: Extends Fortinet's security expertise to endpoint...

Page 252: ...401 St Clements House, 27-28 Clements Lane, London EC4N 8UZ, United Kingdom. Sales: +44 (0) 2032079029. Fax: +44 (0) 2032079129. UNITED ARAB EMIRATES: Ground Floor, Suite 19, Dubai Internet City, Building 16, Dubai 73030, United Arab Emirates. Sales: +971 4 433 0504. Fax: +971 4 426 4698. TURKEY: Saray Mah. Doktor Adnan Büyükdeniz Cad. No 4, Akkom Ofis Park 2 Blok Kat 10, Ümraniye, Istanbul 34768. Office: +90 216 250 3259/60. APAC AP...

Page 253: ...PRODUCT GUIDE ...

Page 254: ... An ideal solution for those who seek a fast and easy setup using the innovative FortiExplorer from your PC or smartphone. Variants support flexible deployment options. “Since deploying the FortiWiFi appliances, we have enabled our employees to work more efficiently and have also given customers the benefit of working on their laptops in a secure and wireless environment.” Ashland. Small Footprint. Silen...

Page 255: ...res. Works with FortiCloud, which lets you monitor threat and network status wherever you are via the web, without adding another device to your network. “With the FortiGate solutions we can now protect our valuable customer information by blocking network attacks such as worms and spyware. The FortiGate appliances are very convenient and easy to use, and with the FortiGuard service we have real-time secu...

Page 256: ...k and out by tightly integrating with the FortiClient endpoint solution. Unified Access Control with integrated wireless and switch controllers. “Managing multiple restaurant locations nationwide, it was very important for us to select a network security solution that was cost-effective, easy to use. The FortiGate product line is allowing us to offer enterprise-level network security to our restaurants.” Parad...

Page 257: ...ernal threats and internal abuses with advanced application control, web filtering and more. Equipped with next-generation multi-pass AV filters that protect against today's APTs and botnets. “Fortinet provides us with a secure environment in a simplified management scheme and very low maintenance. The performance of Fortinet's firewall is second to none.” Amadeus Hospitality. Space-saving 1RU size. Active bypas...

Page 258: ...ure superior service availability. High-speed interfaces suitable for server farms. “The biggest advantage of Fortinet is that the company manages to combine so many functions in one appliance and still keeps prices reasonable. We are also impressed by the help we received from Fortinet's local team in the planning and deployment stage, which made sure the solutions were easy for administrators to insta...

Page 259: ...tionwide data centers, we've been able to easily add new customers without having to bring on additional network resources. Fortinet's virtual domain functionality allows for us to easily scale and meet the rapidly growing needs of our business, all while saving costs and improving customer satisfaction.” SoftLayer Technologies. 2 or 3RU models. 10G interfaces. Dual power supplies. Up to 500 virtual systems. F...

Page 260: ...l Appliance provides critical security controls within your virtual infrastructure. Supports popular VM platforms. Up to 500 virtual systems. FortiAP Series: Integrates with FortiGate, which serves as a business-grade wireless controller with proven security components. Build a robust enterprise wireless network without additional licenses; just add access points. Secured Wireless Outposts: Thin access points t...

Page 261: ... applications on your terminal. Tight integration with FortiGate to install, manage and enforce endpoint compliance. FortiGate provisions Endpoint profiles, which reuse FortiGate settings. Clients get consistent policies both on and off the LAN. Bodyguards: Comprehensive host security applications that extend FortiGate's endpoint control. Free download. OS X ...

Page 262: ...e Devoted Oracles: Solution for logging, analyzing and reporting from multiple Fortinet devices. FortiAnalyzer 4000B. FortiManager Series: Provides easy centralized configuration, policy-based provisioning, update management. Easily manage complex mesh and star VPN environments while leveraging FortiManager as configuration distribution point. Equipped with detailed revision tracking and thorough auditing capa...

Page 263: ...e-time password. Tightly integrated with the in-built Token server on FortiGate. Accessories: One Time Password tokens for two-factor authentication. FortiSwitch Series: Most efficient Layer 2 access solutions. PoE models provide easy connectivity for IP phones, access points and more. Achieves higher productivity with faster transfer times over high-speed interfaces. Smart Edges: Purpose-built Layer 2 access switch...

Page 264: ...ecorder: Premise Surveillance. FortiWeb: Web Application Firewall. FortiDDoS: Application DDoS Mitigator. FortiAuthenticator: Access Management. FortiBalancer: Application Delivery. FortiCache: Content Caching. FortiDNS: Secured DNS Server. FortiVoice: VoIP/IP Telephony. Also available as Virtual Appliance. Application Security. Network Services ...

Page 266: ...wisted Pair (UTP). Wherever possible, it is preferable to use shielded twisted pair Ethernet cables (also called STP or Shielded Twisted Pair in English) rather than unshielded twisted pair (also called UTP or Unshielded Twisted Pair in English). Do not connect or disconnect cables during lightning activity, to avoid damage to your Fortinet product or personal injury. Ne pas branc...

Page 267: ... Hazardous moving parts. Keep away from moving fan blades. WARNING (French notice): Dangerous moving parts. Keep away from moving fan blades. Regulatory Notices. Federal Communication Commission (US): This device complies with Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including...

Page 268: ...uct(s) as provided for in this Agreement. Notwithstanding anything to the contrary, distributors, resellers and other Fortinet partners (a) are not agents of Fortinet and (b) are not authorized to bind Fortinet in any way. 6. Limited Warranty. Fortinet provides this limited warranty for its product only to the single end-user person or entity that originally purchased the Product from Fortinet or its authorized res...

Page 269: ...sion 2 of June 1991 (“GPL”) or GNU Lesser General Public License Version 2.1 of February 1999 (“LGPL”) or other open source software licenses which, among other rights, permit the user to use, copy, modify and redistribute modules or portions thereof, and may also require attribution disclosures and access to the source code (“Open Source Software”). The GPL requires that for any Open Source Software covered under the GPL which is distri...

Page 270: ...lus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a t...

Page 271: ...er restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this Lic...

Page 272: ...te a FortiGate unit into your network and apply features such as security profiles, wireless networking and VPN. Using the FortiGate Cookbook, you can go from idea to execution in simple steps, configuring a secure network for better productivity with reduced risk. Written for FortiOS 5.0.4 ...
