Fortinet FortiGate 50R, Installation And Configuration Manual

Page 1: ...FortiGate 50R Installation and Configuration Guide INTERNAL EXTERNAL POWER STATUS FortiGate User Manual Volume 1 Version 2 50 MR2 18 August 2003 ...

Page 2: ...ut prior written permission of Fortinet Inc FortiGate 50R Installation and Configuration Guide Version 2 50 MR2 18 August 2003 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS For technical support please visit http www fortinet com Send information about errors or omissions in this ...

Page 3: ...ode network configuration 23 Factory default Transparent mode network configuration 24 Factory default firewall configuration 24 Factory default content profiles 25 Planning your FortiGate configuration 28 NAT Route mode 28 Transparent mode 28 Configuration options 29 FortiGate model maximum values matrix 30 Next steps 31 NAT Route mode installation 33 Installing the FortiGate unit using the defau...

Page 4: ...ing your FortiGate 45 Configuring virus and attack definition updates 45 Transparent mode configuration examples 46 Default routes and static routes 46 Example default route to an external network 47 Example static route to an external destination 48 Example static route to an internal destination 51 System status 53 Changing the FortiGate host name 54 Changing the FortiGate firmware 54 Upgrade to...

Page 5: ...tinet support password 84 Viewing the list of registered FortiGate units 84 Registering a new FortiGate unit 85 Adding or changing a FortiCare Support Contract number 85 Changing your Fortinet support password 86 Changing your contact information or security question 86 Downloading virus and attack definitions updates 86 Registering a FortiGate unit after an RMA 87 Network configuration 89 Configu...

Page 6: ...s 105 Configuring SNMP 106 Configuring the FortiGate unit for SNMP monitoring 106 Configuring FortiGate SNMP support 106 FortiGate MIBs 107 FortiGate traps 108 Customizing replacement messages 108 Customizing replacement messages 109 Customizing alert emails 110 Firewall configuration 113 Default firewall configuration 114 Addresses 114 Services 115 Schedules 115 Content profiles 115 Adding firewa...

Page 7: ...ckets going through the firewall 137 Configuring IP MAC binding for packets going to the firewall 138 Adding IP MAC addresses 138 Viewing the dynamic IP MAC list 139 Enabling IP MAC binding 139 Content profiles 140 Default content profiles 141 Adding a content profile 141 Adding a content profile to a policy 142 Users and authentication 145 Setting authentication timeout 146 Adding user names and ...

Page 8: ...ess 169 Adding a destination address 169 Adding an encrypt policy 169 IPSec VPN concentrators 171 VPN concentrator hub general configuration steps 171 Adding a VPN concentrator 173 VPN spoke general configuration steps 174 Redundant IPSec VPNs 175 Configuring redundant IPSec VPN 175 Monitoring and Troubleshooting VPNs 177 Viewing VPN tunnel status 177 Viewing dialup VPN connection status 177 Testi...

Page 9: ...ttack log 200 Reducing the number of NIDS attack log and email messages 201 Antivirus protection 203 General configuration steps 203 Antivirus scanning 204 File blocking 205 Blocking files in firewall traffic 205 Adding file patterns to block 205 Blocking oversized files and emails 206 Configuring limits for oversized files and email 206 Exempting fragmented email from blocking 206 Viewing the vir...

Page 10: ...0 Adding a subject tag 220 Logging and reporting 221 Recording logs 221 Recording logs on a remote computer 221 Recording logs on a NetIQ WebTrends server 222 Filtering log messages 222 Configuring traffic logging 224 Enabling traffic logging 224 Configuring traffic filter settings 225 Adding traffic filter entries 225 Configuring alert email 226 Adding alert email addresses 226 Testing alert emai...

Page 11: ... can operate in NAT Route mode or Transparent mode NAT Route mode In NAT Route mode the FortiGate 50 is installed as a privacy barrier between the internal network and the Internet The firewall provides network address translation NAT to protect the internal private network You can control whether firewall policies run in NAT mode or route mode NAT mode policies route allowed connections between f...

Page 12: ...etwork System configuration describes system administration tasks available from the System Config web based manager pages This chapter describes setting system time adding and changed administrative users configuring SNMP and editing replacement message Firewall configuration describes how to configure firewall policies to control traffic through the FortiGate unit and apply content protection pr...

Page 13: ...ates an ASCII string variable keyword xxx_integer indicates an integer variable keyword xxx_ip indicates an IP address variable keyword vertical bar and curly brackets to separate alternative mutually exclusive required keywords For example set system opmode nat transparent You can enter set system opmode nat or set system opmode transparent square brackets to indicate that a keyword is optional F...

Page 14: ...guration information for FortiGate PPTP and L2TP VPN and VPN configuration examples Volume 3 FortiGate Content Protection Guide Describes how to configure antivirus protection web content filtering and email filtering to protect content as it passes through the FortiGate unit Volume 4 FortiGate NIDS Guide Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from n...

Page 15: ...rt is available from the following addresses For information on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your name Company name Location Email address Telephone number FortiGate unit serial number FortiGate model FortiGate FortiOS firmware version Detailed description of the problem amer_support fortinet com...

Page 16: ...16 Fortinet Inc Customer service and technical support Introduction ...

Page 17: ...the following If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 33 If you are going to operate the FortiGate unit in Transparent mode go to Transparent mode installation on page 41 This chapter describes Package contents Mounting Powering on Connecting to the web based manager Connecting to the command line interface CLI Factory default Fort...

Page 18: ...earance on each side to allow for adequate air flow and cooling Dimensions 8 63 x 6 13 x 1 38 in 21 9 x 15 6 x 3 5 cm Weight 1 5 lb 0 68 kg Power requirements DC input voltage 5 V DC input current 3 A Front AC Adapter INTERNAL EXTERNAL POWER STATUS Power LED External Interface Internal Interface Status LED Back External Console DC 5V 3A Internal RS 232 Serial Connection External Interface Internal...

Page 19: ...he FortiGate 50 unit is starting up and remains lit when the system is up and running Table 1 FortiGate 50 LED indicators LED State Description Power Green The FortiGate unit is powered on Off The FortiGate unit is powered off Status Flashing Green The FortiGate unit is starting up Green The FortiGate unit is running normally Off The FortiGate unit is powered off Internal External Front Green The ...

Page 20: ...the management computer to obtain an IP address automatically using DHCP The FortiGate DHCP server assigns the management computer an IP address in the range 192 168 1 1 to 192 168 1 254 2 Using the crossover cable or the ethernet hub and cables connect the Internal interface of the FortiGate unit to the computer ethernet connection 3 Start Internet Explorer and browse to the address https 192 168...

Page 21: ... null modem cable included in your FortiGate package terminal emulation software such as HyperTerminal for Windows To connect to the CLI 1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port 2 Make sure that the FortiGate unit is powered on 3 Start HyperTerminal enter a name for the connection and select OK 4 Configure HyperTerminal to connect...

Page 22: ...nd then configure the FortiGate unit onto your network in Transparent mode Once the network configuration is complete you can perform additional configuration tasks such as setting system time configuring virus and attack definition updates and registering the FortiGate unit The factory default firewall configuration includes a single network address translation NAT policy that allows users on you...

Page 23: ...configuration When the FortiGate unit is first powered on it is running in NAT Route mode and has the basic network configuration listed in Table 3 This configuration allows you to connect to the FortiGate unit web based manager and establish the configuration required to connect the FortiGate unit to your network In Table 3 HTTPS management access means you can connect to the web based manager us...

Page 24: ...epresents all of the IP addresses on the external network Mask 0 0 0 0 Recurring Schedule Always The schedule is valid at all times This means that the firewall policy is valid at all times Firewall Policy Int Ext Firewall policy for connections from the internal network to the external network Source Internal_All The policy source address Internal_All means that the policy accepts connections fro...

Page 25: ...es can be added to NAT Route mode and Transparent mode policies Traffic Shaping Traffic shaping is not selected The policy does not apply traffic shaping to the traffic controlled by the policy You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy Authentication Authentication is not selected Users do not have to authenticate ...

Page 26: ...ofile to apply antivirus scanning to HTTP FTP IMAP POP3 and SMTP content traffic Table 6 Strict content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Web URL Block Web Content Block Web Script Filter Web Exempt List Email Block List Email Exempt List Email Content Block Oversized File Email Block block block block block block Pass Fragmented Emails Table 7 Scan content profile ...

Page 27: ...rewall policies for connections between highly trusted or highly secure networks where content does not need to be protected Table 8 Web content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Web URL Block Web Content Block Web Script Filter Web Exempt List Email Block List Email Exempt List Email Content Block Oversized File Email Block pass pass pass pass pass Pass Fragmented ...

Page 28: ...on address and service In NAT mode the FortiGate performs network address translation before the packet is sent to the destination network In route mode no translation takes place By default the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network No other traffic is possible until you have configured more se...

Page 29: ...IP addresses for the computers on your internal network You can also configure the FortiGate to allow Internet access to your internal Web FTP or email servers If you are configuring the FortiGate unit to operate in Transparent mode you can switch to Transparent mode from the web based manager and then use the Setup Wizard to add the administration password the management IP address and gateway an...

Page 30: ...0 500 500 IP MAC binding 50 100 1000 1000 2000 2000 2000 5000 5000 5000 5000 Route 500 500 500 500 500 500 500 500 500 500 500 Policy route gateway 500 500 500 500 500 500 500 500 500 500 500 Admin user 500 500 500 500 500 500 500 500 500 500 500 IPsec Phase 1 20 50 80 200 1500 1500 3000 5000 5000 5000 5000 VPN concentrator 500 500 500 500 500 500 500 500 500 500 500 VLAN subinterface N A N A N A ...

Page 31: ... FortiGate unit is operating you can proceed to configure it to connect to networks If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 33 If you are going to operate the FortiGate unit in Transparent mode go to Transparent mode installation on page 41 ...

Page 32: ...32 Fortinet Inc Next steps Getting started ...

Page 33: ...uration If the factory default settings in Table 11 are compatible with your requirements all you need to do is configure your internal network and then connect the FortiGate unit Table 11 FortiGate unit factory default configuration Operating Mode NAT Route mode Firewall Policy One NAT mode policy that allows users on the internal network to access any Internet service No other traffic is allowed...

Page 34: ...rmation in the rest of this chapter to change the default configuration as required Preparing to configure NAT Route mode Use Table 12 to gather the information that you need to customize NAT Route mode settings Table 12 NAT Route mode settings Administrator password Internal interface IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ External interface IP _____ _____ _____ _____ Netmask ...

Page 35: ...tup wizard to change the IP address of the internal interface you must reconnect to the web based manager using a new IP address Browse to https followed by the new IP address of the internal interface Otherwise you can reconnect to the web based manager by browsing to https 192 168 1 99 You have now completed the initial configuration of your FortiGate unit and you can proceed to Connecting the F...

Page 36: ...k of the external interface to the external IP address and netmask that you recorded in Table 12 on page 34 To set the manual IP address and netmask enter set system interface external static ip IP address netmask Example set system interface external mode static ip 204 23 1 5 255 255 255 0 To set the external interface to use DHCP enter set system interface external mode dhcp connection enable To...

Page 37: ... you can connect the FortiGate unit between your internal network and the Internet There are two 10 100 BaseTX connectors on the FortiGate 50 Internal for connecting to your internal network External for connecting to the Internet To connect the FortiGate 50 unit 1 Connect the Internal interface to the hub or switch connected to your internal network 2 Connect the External interface to the Interne...

Page 38: ...tting the date and time For effective scheduling and logging the FortiGate system date and time should be accurate You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol NTP server To set the FortiGate system date and time see Setting system date and time on page 101 Changing ...

Page 39: ...Registering FortiGate units on page 81 Configuring virus and attack definition updates You can go to System Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available If it finds new versions the FortiGate unit automatically downloads and installs the updated definitions The FortiGate unit uses HTTPS on port 88...

Page 40: ...40 Fortinet Inc Completing the configuration NAT Route mode installation ...

Page 41: ...works Completing the configuration Transparent mode configuration examples Preparing to configure Transparent mode Use Table 14 to gather the information that you need to customize Transparent mode settings Table 14 Transparent mode settings Administrator Password Management IP IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ Default Gateway _____ _____ _____ _____ The management IP addr...

Page 42: ... Select Easy Setup Wizard the middle button in upper right corner of the web based manager 2 Use the information that you gathered in Table 14 on page 41 to fill in the wizard fields Select the Next button to step through the wizard pages 3 Confirm your configuration settings and then select Finish and Close Reconnecting to the web based manager If you changed the IP address of the management inte...

Page 43: ...Configuring the Transparent mode management IP address 1 Log into the CLI if you are not already logged in 2 Set the management IP address and netmask to the IP address and netmask that you recorded in Table 14 on page 41 Enter set system management ip IP address netmask Example set system management ip 10 10 10 2 255 255 255 0 3 Confirm that the address is correct Enter get system management The ...

Page 44: ... 2 Connect the External interface to the Internet Connect to the public switch or router provided by your Internet Service Provider Figure 6 FortiGate 50 network connections In Transparent mode the FortiGate unit does not change the layer 3 topology This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge Typically the FortiGate unit would be...

Page 45: ...nges Registering your FortiGate After purchasing and installing a new FortiGate unit you can register the unit by going to System Update Support or using a web browser to connect to http support fortinet com and selecting Product Registration Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased Registration...

Page 46: ...to enter one or more static routes in addition to the default route This section describes Default routes and static routes Example default route to an external network Example static route to an external destination Example static route to an internal destination Default routes and static routes To create a route to a destination you need to define an IP prefix which consists of an IP network add...

Page 47: ...ach these destinations the FortiGate unit must connect to the upstream router leading to the external network To facilitate this connection you must enter a single default route that points to the upstream router as the next hop default gateway Figure 7 Default route to an external network General configuration steps 1 Set the FortiGate unit to operate in Transparent mode 2 Configure the Managemen...

Page 48: ... Transparent Mode set system opmode transparent 2 Add the Management IP address and Netmask set system management ip 192 168 1 1 255 255 255 0 3 Add the default route to the external network set system route number 1 gw1 192 168 1 2 Example static route to an external destination Figure 8 shows a FortiGate unit that requires routes to the FDN located on the external network The Fortigate unit does...

Page 49: ...General configuration steps 1 Set the FortiGate unit to operate in Transparent mode 2 Configure the Management IP address and Netmask of the FortiGate unit 3 Configure the static route to the FortiResponse server 4 Configure the default route to the external network Note This is an example configuration only To configure a static route you require a destination IP address ...

Page 50: ...add the static route to the FortiResponse server Destination IP 24 102 233 5 Mask 255 255 255 0 Gateway 192 168 1 2 Select OK Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1 2 Select OK CLI configuration steps To configure the Fortinet basic settings and a static route using the CLI 1 Set the system to operate in Transparent Mode se...

Page 51: ...next hop default gateway To reach the management computer you need to enter a single static route that leads directly to it This route will point to the internal router as the next hop No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit Figure 9 Static route to an internal destination General configuration steps 1 Set the unit to operate in Tr...

Page 52: ...ew to add the static route to the management computer Destination IP 172 16 1 11 Mask 255 255 255 0 Gateway 192 168 1 3 Select OK Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1 2 Select OK CLI configuration steps To configure the FortiGate basic settings a static route and a default route using the CLI 1 Set the system to operate i...

Page 53: ... definition updates Manual attack definition updates Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT Route mode Restarting the FortiGate unit Shutting down the FortiGate unit If you log into the web based manager with any other administrator account you can go to System Status to view the system setting...

Page 54: ...ore recent build of the same firmware version Revert to a previous firmware version Use the web based manager or CLI procedure to revert to a previous firmware version This procedure reverts your FortiGate unit to its factory default configuration Install a firmware image from a system reboot using the CLI Use this procedure to install a new firmware version or revert to a previous firmware versio...

Page 55: ...u must have a TFTP server that you can connect to from the FortiGate unit 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log into the CLI as the admin administrative user 4 Make sure the FortiGate unit can connect to the TFTP server You can use the following command to ping the computer running the TFTP server For example i...

Page 56: ...been updated enter the following command to display the antivirus engine virus and attack definitions version contract expiry and last update attempt information get system objver Revert to a previous firmware version Use the following procedures to revert your FortiGate unit to a previous firmware version Reverting to a previous firmware version using the web based manager The following procedure...

Page 57: ...web content lists email filtering lists and changes to replacement messages Before running this procedure you can Backup the FortiGate unit configuration using the command execute backup config Backup the NIDS user defined signatures using the command execute backup nidsuserdefsig Backup web content and email filtering lists see the FortiGate Content Protection Guide If you are reverting to a prev...

Page 58: ...build045 FORTINET out 192 168 1 168 The FortiGate unit uploads the firmware image file Once the file has been uploaded a message similar to the following is displayed Get image from tftp server OK This operation will downgarde the current firmware version Do you want to continue y n 6 Type Y 7 The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and r...

Page 59: ...us configuration from the backup configuration file To install firmware from a system reboot 1 Connect to the CLI using the null modem cable and FortiGate console port 2 Make sure that the TFTP server is running 3 Copy the new firmware image file to the root directory of your TFTP server 4 Make sure that the internal interface is connected to the same network as the TFTP server 5 To confirm that t...

Page 60: ...rmware image from TFTP server F Format boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F B Q or H 8 Type G to get the new firmware image from the TFTP server 9 Type the address of the TFTP server and press Enter The following message appears Enter Local Address 192 168 1 188 10 Type the address...

Page 61: ... To restore web content and email filtering lists see the FortiGate Content Protection Guide If you are reverting to a previous firmware version for example reverting from FortiOS v2 50 to FortiOS v2 36 you may not be able to restore your previous configuration from the backup up configuration file 12 Update the virus and attack definitions to the most recent version see Manually updating antiviru...

Page 62: ...ars FortiGate unit running v2 x BIOS Press Any Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to enter configuration menu 7 Immediately press any key to interrupt the system startup I If you successfully interrupt the startup process one of the following messages appears FortiGate unit running v2 x BIOS Enter TFTP Server Address 192 168 1 168 Go to step 9 FortiGate unit ...

Page 63: ...finitions You can use the following procedure to update the antivirus definitions manually 1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web based manager 2 Start the web based manager and go to System Status 3 To the right of the Antivirus Definitions Version select Definitions Update 4 Enter the path and filename ...

Page 64: ...te 6 Go to System Status to confirm that the Attack Definitions Version information has been updated Displaying the FortiGate serial number 1 Go to System Status The serial number is displayed in the System Status page of the web based manager The serial number is specific to the FortiGate unit and does not change with firmware upgrades Displaying the FortiGate up time 1 Go to System Status The Fo...

Page 65: ...sion or the antivirus or attack definitions 1 Go to System Status 2 Select Restore Factory Defaults 3 Select OK to confirm The FortiGate unit restarts with the configuration that it had when it was first powered on 4 Reconnect to the web based manager and review the system configuration to confirm that it has been reset to the default settings To restore your system settings see Restoring system s...

Page 66: ...o to System Status 2 Select Change to NAT Mode 3 Select NAT Route in the operation mode list 4 Select OK The FortiGate unit changes operation mode 5 To reconnect to the web based manager you must connect to the interface configured by default for management access By default in NAT Route mode you can connect to the internal interface The default Transparent mode management IP address is 192 168 1 ...

Page 67: ...anually Viewing CPU and memory status Viewing sessions and network status Viewing virus and intrusions status Viewing CPU and memory status Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity The web based manager displays CPU and memory usage for core processes only CPU and memory use for management processes for example for HTTPS connections to the...

Page 68: ...mparing CPU and memory usage with session and network status you can see how much demand network traffic is placing on system resources Sessions displays the total number of sessions being processed by the FortiGate unit on all interfaces Sessions also displays the sessions as a percentage of the maximum number of sessions that the FortiGate unit is designed to support Network utilization displays...

Page 69: ...k when the NIDS detects a network based attack 1 Go to System Status Monitor 2 Select Virus Intrusions Virus and intrusions status is displayed The display includes bar graphs of the number viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours Figure 3 Sessions and network status monitor 3 Set the automatic refresh in...

Page 70: ...e top 16 2 To page through the list of sessions select Page Up or Page Down 3 Select Refresh to update the session list 4 If you have logged in as an administrative user with read and write privileges or as the admin user you can select Clear to stop any active session Each line of the session list displays the following information Figure 4 Example session list Protocol The service protocol of th...

Page 71: ...ster the FortiGate unit on the Fortinet Support web page This chapter describes Updating antivirus and attack definitions Registering FortiGate units Updating registration information Registering a FortiGate unit after an RMA Updating antivirus and attack definitions You can configure the FortiGate unit to connect to the FortiResponse Distribution Network FDN to automatically receive the latest an...

Page 72: ...ate external interface using UDP port 9443 To configure push updates see Configuring push updates on page 75 The FDN is a world wide network of FortiResponse Distribution Servers FDSs When your FortiGate unit connects to the FDN it actually connects to the nearest FDS To do this all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone c...

Page 73: ... unit and your network so that the FortiGate unit can connect to the Internet and to the FDN For example you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet You may also have to connect to an override FortiResponse server to receive updates See Configuring update logging on page 74 Push...

Page 74: ...nd attack definitions Update log messages are recorded on the FortiGate Event log 1 Go to Log Report Log Setting 2 Select Config Policy for the type of logs that the FortiGate unit is configured to record See Recording logs on page 221 3 Select Update to record log messages when the FortiGate unit updates antivirus and attack definitions 4 Select the following update log options 5 Select OK Failed...

Page 75: ...cedure the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server 1 Go to System Update 2 Select Update Now to update the antivirus and attack definitions If the connection to the FDN or override server is successful the web based manager displays a message similar to the following Your update request has been sent Your database will be updated in a few minutes Pl...

Page 76: ...es Enabling push updates is not recommended as the only method for obtaining updates The push notification may not be received by the FortiGate unit Also when the FortiGate unit receives a push notification it will only make one attempt to connect to the FDN and download updates Push updates and external dynamic IP addresses If the external interface of the FortiGate unit is configured with a dyna...

Page 77: ... port forwarding virtual IP This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network This IP address can either be the external IP address of the FortiGate unit if it is operating in NAT Route mode or the Management IP address of the FortiGate unit if it is operating in Transparent mo...

Page 78: ...he internal network To configure the FortiGate NAT device 1 Go to Firewall Virtual IP 2 Select New 3 Add a name for the virtual IP 4 Select the External interface that the FDN connects to For the example topology select the external interface 5 Select Port Forwarding 6 Enter the External IP address that the FDN connects to For the example topology enter 64 230 123 149 7 Enter the External Service ...

Page 79: ...ternal to internal firewall policy 2 Configure the policy with the following settings 3 Select OK Configure the FortiGate unit with an override push IP and port To configure the FortiGate unit on the internal network 1 Go to System Update 2 Select Allow Push Update 3 Select Use override push 4 Set IP to the External IP Address added to the virtual IP For the example topology enter 64 230 123 149 S...

Page 80: ...ser name and password required for the proxy server to the autoupdate configuration The full syntax for enabling updates through a proxy server is set system autouopdate tunneling enable address proxy address_ip port proxy port username username_str password password_str For example if the IP address of the proxy server is 64 23 6 89 and its port is 8080 enter the following command set system auto...

Page 81: ...dditional FortiGate units Add or change FortiCare Support Contract numbers for each FortiGate unit View and change registration information Download virus and attack definitions updates Download firmware upgrades Modify registration information after an RMA Soon you will also be able to Access Fortinet user documentation Access the Fortinet knowledge base All registration information is stored in ...

Page 82: ...ormation including First and last name Company name Email address Your Fortinet support login user name and password will be sent to this email address Address Contact phone number A security question and an answer to the security question This information is used for password recovery The security question should be a simple question that only you know the answer to The answer should not be easy ...

Page 83: ...unit product information 7 Select Finish If you have not entered a FortiCare Support Contract number SCN you can return to the previous page to enter the number If you do not have a FortiCare Support Contract you can select Continue to complete the registration If you have entered a support contract number a real time validation is performed to verify that the SCN information matches the FortiGate...

Page 84: ... security question and answer contact Fortinet tech support 1 Go to System Update Support 2 Select Support Login 3 Enter your Fortinet support user name 4 Select Forgot your password 5 Enter your email address and select Submit The security question that you entered when you registered is displayed 6 Enter the answer to your security question and select Get Password If you entered the correct answ...

Page 85: ...the Serial Number of the FortiGate unit 7 If you have purchased a FortiCare Support Contract for this FortiGate unit enter the support contract number 8 Select Finish The list of FortiGate products that you have registered is displayed The list now includes the new FortiGate unit Adding or changing a FortiCare Support Contract number 1 Go to System Update Support and select Support Login 2 Enter y...

Page 86: ...n or security question 1 Go to System Update Support and select Support Login 2 Enter your Fortinet support user name and password 3 Select Login 4 Select My Profile 5 Select Edit Profile 6 Make the required changes to your contact information 7 Make the required changes to your security question and answer 8 Select Update Profile Your changes are saved to the Fortinet technical support database I...

Page 87: ...it is still protected by hardware coverage you can return the FortiGate unit that is not functioning to your reseller or distributor The RMA is recorded and you will receive a replacement unit Fortinet adds the RMA information to the Fortinet support database When you receive the replacement unit you can use the following procedure to update your product registration information 1 Go to System Upd...

Page 88: ...88 Fortinet Inc Registering a FortiGate unit after an RMA Virus and attack definitions updates and registration ...

Page 89: ...owing procedures to configure interfaces Viewing the interface list Bringing up an interface Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface Configuring traffic logging for connections to an interface Configuring the external interface with a static IP address Configuring the ex...

Page 90: ... the interface that you want to bring up Changing an interface static IP address Use the following procedure to change the static IP address of any FortiGate interface You can also use this procedure to add an IP address to an interface 1 Go to System Network Interface 2 Select Modify for the interface to change 3 Change the IP address and Netmask as required The IP address of the interface must b...

Page 91: ...he interface for which to configure management access 3 Select the management Access methods for the interface Configuring management access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet Allowing management access from the Internet could compromise the security of your FortiGate unit You should avoid allowing managem...

Page 92: ...e with a static IP address 1 Go to System Network Interface 2 For the external interface select Modify 3 Set Addressing mode to Manual 4 Change the IP address and Netmask as required 5 Select OK to save your changes Configuring the external interface for DHCP Use the following procedure to configure the external interface to use DHCP This configuration is required if your ISP uses DHCP to assign t...

Page 93: ...gateway IP address When the FortiGate unit gets this information from the PPPoE server the new addresses and netmask are displayed in the external IP address and netmask fields If the PPPoE connection with your ISP is dropped the FortiGate unit automatically attempts to re establish the connection 6 Select Connect to PPPoE server to automatically connect to the PPPoE server If you do not select Co...

Page 94: ... each interface By default in Transparent mode you manage the FortiGate unit by connecting to the internal or dmz interface However you can configure the management interface so that you can manage the FortiGate unit by connecting to any interface 5 Select Apply to save your changes Note If you connect to your ISP using DHCP to obtain an IP address for the external interface you cannot set the MTU...

Page 95: ...anges Configuring routing This section describes how to configure FortiGate routing You can configure routing to add static routes from the FortiGate unit to local routers Using policy routing you can increase the flexibility of FortiGate routing to support more advanced routing functions You can also use routing to create a multiple Internet connection configuration that supports redundancy and l...

Page 96: ...n add one or two gateways to a route If you add one gateway the FortiGate unit routes the traffic to that gateway You can add a second gateway to route traffic to the second gateway if the first gateway fails To support routing failover the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway See Adding a ping server to an interf...

Page 97: ...selects the interface according to rules If the Gateway 2 IP address is on the same subnet as a FortiGate interface the system sends the traffic to that interface If the Gateway 2 IP address is not on the same subnet as a FortiGate interface the system routes the traffic to the external interface using the default route You can use Device 2 to send packets to an interface that is on a different su...

Page 98: ...ystem Network Routing Table 2 Choose a route to move and select Move to to change its order in the routing table 3 Type a number in the Move to field to specify where in the routing table to move the route and select OK 4 Select Delete to remove a route from the routing table Figure 3 Routing table Policy routing Policy routing extends the functions of destination routing Using policy routing you ...

Page 99: ...nternal network If the FortiGate unit is operating in NAT Route mode you can configure it to be the DHCP server for your internal network 1 Go to System Network DHCP 2 Select Enable DHCP 3 Configure DHCP server settings 4 Select Apply 5 Configure the IP network settings of the computers on your network to obtain an IP address automatically using DHCP Starting IP Ending IP Enter Starting IP and End...

Page 100: ...ponding MAC addresses and the expiry time and date for these addresses The FortiGate unit adds these addresses to the dynamic IP MAC list and if IP MAC binding is enabled the addresses in the dynamic IP MAC list are added to the list of trusted IP MAC address pairs For more information about IP MAC binding see IP MAC binding on page 137 To view the dynamic IP list 1 Go to System Network DHCP 2 Sel...

Page 101: ...e information on NTP and to find the IP address of an NTP server that you can use see http www ntp org To set the date and time 1 Go to System Config Time 2 Select Refresh to display the current FortiGate system date and time 3 Select your Time Zone from the list 4 Select Automatically adjust clock for daylight saving changes if you want the FortiGate system clock to be adjusted automatically when...

Page 102: ... web based manager options On the System Config Options page you can Set the system idle timeout Set the authentication timeout Select the language for the web base manager Modify the dead gateway detection settings To set the system idle timeout 1 For Idle Timeout type a number in minutes 2 Select Apply Idle Timeout controls the amount of inactive time that the web based manager waits before requ...

Page 103: ... Chinese Japanese Korean or Traditional Chinese To modify the Dead Gateway Detection settings Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration To add a ping server to an interface see Adding a ping server to an interface on page 91 1 For Detection Interval type a number in seconds to specify how often the F...

Page 104: ...ion from which the administrator can log into the web based manager If you want the administrator to be able to access the FortiGate unit from any address set the trusted host to 0 0 0 0 and the netmask to 0 0 0 0 To limit the administrator to only be able to access the FortiGate unit from a specific network set the trusted host to the address of the network and set the netmask to the netmask for ...

Page 105: ...an 6 characters long the system displays a warning message but still accepts the password 5 Select OK 6 To edit the settings of an administrator account select Edit 7 Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web based manager If you want the administrator to be able to access the FortiGate unit from any address set the tru...

Page 106: ...ically set to the FortiGate host name To change the System Name see Changing the FortiGate host name on page 54 System Location Describe the physical location of the FortiGate unit The system location description can be up to 31 characters long and can contain spaces numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ The characters are not allowed Contact Informat...

Page 107: ... community string functions like a password that is sent with SNMP traps The default trap community string is public Change the trap community string to the one accepted by your trap receivers The trap community string can be up to 31 characters long and can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Spaces and the characters are not allowed Trap R...

Page 108: ...B that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGate configuration settings RFC1213 mib The RFC 1213 MIB is the standard MIB II MIB that describes network management protocols for TCP IP networks Table 1 FortiGate MIBs MIB file name Description Table 2 FortiGate traps Trap message Description The interface_name Interface IP ...

Page 109: ... and add and edit the replacement message sections as required 1 Go to System Config Replacement Messages 2 For the replacement message you want to customize select Modify 3 In the Message setup dialog box edit the content of the message Table 3 lists the replacement message sections that can be added to replacement messages and describes the tags that can appear in each section In addition to the...

Page 110: ...Section End BLOCKED Quarantine Used when quarantine is enabled permitted for all scan services and block services for email only Section Start QUARANTINE Allowed Tag QUARFILE NAME The name of the file that was quarantined Section End QUARANTINE Table 3 Replacement message sections Table 4 Alert email message sections NIDS event Used for NIDS event alert email messages Section Start NIDS_EVENT Allo...

Page 111: ... IP address of the email server that sent the email containing the blocked file For HTTP this is the IP address of web page that sent the blocked file DEST_IP The IP address of the computer that would have received the blocked file For email this is the IP address of the user s computer that attempted to download the message from which the file ware removed EMAIL_FROM The email address of the send...

Page 112: ...112 Fortinet Inc Customizing replacement messages System configuration ...

Page 113: ...rewall can process connections differently depending on the time of day or the day of the week month or year Each policy can be individually configured to route connections or to apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic NAT when the firewall translates source addresses You can use policies to configure port...

Page 114: ...se interfaces To add policies between interfaces the interfaces must include addresses By default the FortiGate unit is configured with two firewall addresses Internal_All added to the internal interface this address matches all addresses on the internal network External_All added to the external interface this address matches all addresses on the external network The firewall uses these addresses...

Page 115: ...tering and email filtering to web file transfer and email services The FortiGate unit includes the following default content profiles Strict to apply maximum content protection to HTTP FTP IMAP POP3 and SMTP content traffic Scan to apply antivirus scanning to HTTP FTP IMAP POP3 and SMTP content traffic Web to apply antivirus scanning and Web content blocking to HTTP content traffic Unfiltered to a...

Page 116: ... or address group that matches the source address of the packet Before you can add this address to a policy you must add it to the source interface To add an address see Addresses on page 122 Destination Select an address or address group that matches the destination address of the packet Before you can add this address to a policy you must add it to the destination interface To add an address see...

Page 117: ... you can also configure NAT and Authentication for the policy DENY Deny the connection The only other policy option that you can configure is log traffic to log the connections denied by this policy ENCRYPT Make this policy an IPSec VPN policy If you select ENCRYPT you can select an AutoIKE key or Manual Key VPN tunnel for the policy and configure other IPSec settings You cannot add authentication...

Page 118: ...or FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password Allow inbound Select Allow inbound so that users behind the remote VPN gateway can connect to the source address Allow outbound Select Allow outbound so that users can connect to the destination address behind the remot...

Page 119: ...d make sure that users can use DNS through the firewall without authentication If DNS is not available users cannot connect to a web FTP or Telnet server using a domain name Anti Virus Web filter Enable antivirus protection and web filter content filtering for traffic controlled by this policy You can select Anti Virus Web filter if Service is set to ANY HTTP SMTP POP3 IMAP or FTP or to a service ...

Page 120: ...bling policies Policy matching in detail When the FortiGate unit receives a connection attempt at an interface it must select a policy list to search through for a policy that matches the connection attempt The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt The FortiGate unit then starts at the top of the selected policy list and sear...

Page 121: ...icy list to move the policy and select OK Enabling and disabling policies You can enable and disable policies in the policy list to control whether the policy is active or not The FortiGate unit matches enabled policies but does not match disabled policies Disabling a policy Disable a policy to temporarily prevent the firewall from selecting the policy Disabling a policy does not stop active commu...

Page 122: ...55 255 255 All possible IP addresses represented by IP Address 0 0 0 0 and Netmask 0 0 0 0 This section describes Adding addresses Editing addresses Deleting addresses Organizing addresses into address groups Adding addresses 1 Go to Firewall Address 2 Select the interface to which to add the address 3 Select New to add a new address 4 Enter an Address Name to identify the address The name can con...

Page 123: ...ess and netmask You cannot edit the address name To change the address name you must delete the address entry and then add the address again with a new name 1 Go to Firewall Address 2 Select the interface list containing the address that you want to edit 3 Choose an address to edit and select Edit Address 4 Make the required changes and select OK to save your changes Deleting addresses Deleting an...

Page 124: ...ress groups cannot have the same names as individual addresses If an address group is included in a policy it cannot be deleted unless it is first removed from the policy 1 Go to Firewall Address Group 2 Select the interface to which to add the address group 3 Enter a Group Name to identify the address group The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special c...

Page 125: ...ncapsulating the packets of the protocol within GRE packets 47 AH Authentication Header AH provides source host authentication and data integrity but not secrecy This protocol is used for authentication by IPSec remote gateways set to aggressive mode 51 ESP Encapsulating Security Payload This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data AutoIKE key VPN tun...

Page 126: ...formation directories tcp 389 NetMeeting NetMeeting allows users to teleconference using the Internet as the transmission medium tcp 1720 NFS Network File System allows network users to access shared files stored on computers of different types tcp 111 2049 NNTP Network News Transport Protocol is a protocol used to post distribute and retrieve USENET messages tcp 119 NTP Network time protocol for ...

Page 127: ...25 SNMP Simple Network Management Protocol is a set of protocols for managing complex networks tcp 161 162 udp 161 162 SSH SSH service for secure connections to computers for remote management tcp 22 udp 22 SYSLOG Syslog service for remote logging udp 514 TALK A protocol supporting conversations between two or more users udp 517 518 TCP All TCP ports tcp 0 65535 TELNET Telnet service for connectin...

Page 128: ...services in the group A service group can contain predefined services and custom services in any combination You cannot add service groups to another service group 1 Go to Firewall Service Group 2 Select New 3 Enter a Group Name to identify the group This name appears in the service list when you add a policy and cannot be the same as a predefined service name The name can contain numbers 0 9 uppe...

Page 129: ...ou can create a one time schedule that activates or deactivates a policy for a specified period of time For example your firewall might be configured with the default policy that allows access to all services on the Internet at all times You can add a one time schedule to block access to the Internet during a holiday period 1 Go to Firewall Schedule One time 2 Select New 3 Enter a Name for the sch...

Page 130: ...nique to create recurring schedules that run from one day to the next You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time 1 Go to Firewall Schedule Recurring 2 Select New to create a new schedule 3 Enter a Name for the schedule The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ O...

Page 131: ...tween an address on the source network and the real address on the destination network This mapping is called a virtual IP For example if the computer hosting your web server is located on your internal network it could have a private IP address such as 192 168 1 34 To get packets from the Internet to the web server you must have an external address for the web server on the Internet You must then...

Page 132: ...Make sure Type is set to Static NAT 6 In the External IP Address field enter the external IP address to be mapped to an address on the destination network For example if the virtual IP provides access from the Internet to a web server on a destination network the external IP address must be a static IP address obtained from your ISP for your web server This address must be a unique address that is...

Page 133: ...et for this external interface using PPPoE or DHCP For example if the virtual IP provides access from the Internet to a server on your internal network the External IP Address must be a static IP address obtained from your ISP for this server This address must be a unique address that is not used by another host However this address must be routed to the External Interface selected in step 4 7 Ent...

Page 134: ... interface must match the interface connected to the network with the Map to IP address 3 Use the following information to configure the policy Source Select the source address from which users can access the server Destination Select the virtual IP Schedule Select a schedule as required Service Select the service that matches the Map to Service that you selected for the port forwarding virtual IP...

Page 135: ...ther addresses on the same network as the interface for which you are adding the IP pool You can add multiple IP pools to any interface but only the first IP pool is used by the Firewall This section describes Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT Adding an IP pool To add an IP pool 1 Go to Firewall IP Pool 2 Select the interface to which to...

Page 136: ...firewall can support is limited by the number of IP addresses in the IP pool IP pools and dynamic NAT You can use IP pools for dynamic NAT For example your organization may have purchased a range of Internet addresses but you may have only one Internet connection the external interface of your FortiGate unit You can assign one of your organization s Internet IP addresses to the external interface ...

Page 137: ...describes Configuring IP MAC binding for packets going through the firewall Configuring IP MAC binding for packets going to the firewall Adding IP MAC addresses Viewing the dynamic IP MAC list Enabling IP MAC binding Configuring IP MAC binding for packets going through the firewall Use the following procedure to use IP MAC binding to filter packets that would normally be allowed through the firewa...

Page 138: ...or is connecting to the FortiGate unit for management 1 Go to Firewall IP MAC Binding Setting 2 Select Enable IP MAC binding going to the firewall 3 Go to Firewall IP MAC Binding Static IP MAC 4 Select New to add IP MAC binding pairs to the IP MAC binding list All packets that would normally connect to the firewall are first compared with the entries in the IP MAC binding table For example if the ...

Page 139: ...lowed 5 Select Enable to enable IP MAC binding for the IP MAC pair 6 Select OK to save the IP MAC binding pair Viewing the dynamic IP MAC list 1 Go to Firewall IP MAC Binding Dynamic IP MAC Enabling IP MAC binding 1 Go to Firewall IP MAC Binding Setting 2 Select Enable IP MAC binding going through the firewall to turn on IP MAC binding for packets that could be matched by policies 3 Select Enable ...

Page 140: ...ail for POP3 SMTP and IMAP policies Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies This allows you to customize different types and different levels of protection for different firewall policies For example while traffic between internal and external addresses might need strict protection traffic between trusted ...

Page 141: ...ot want to apply any content protection to content traffic You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected Anti Virus Scan Scan web FTP and email traffic for viruses and worms See Antivirus scanning on page 204 File Block Delete files with blocked file patterns even if they do not con...

Page 142: ... policies to which to add a content profile For example to enable network protection for files downloaded by internal network users from the web select an internal to external policy list Email Content Block Add a subject tag to email that contains unwanted words or phrases See Email banned word list on page 218 Oversized File Email Block Block or pass files and email that exceed thresholds config...

Page 143: ...on Guide 143 3 Select New to add a new policy or choose a policy and select Edit 4 Select Anti Virus Web filter 5 Select a content profile 6 Configure the remaining policy settings if required 7 Select OK 8 Repeat this procedure for any policies for which to enable network protection ...

Page 144: ...144 Fortinet Inc Content profiles Firewall configuration ...

Page 145: ...T IPSec dialup user phase 1 configurations XAuth functionality for Phase 1 IPSec VPN configurations PPTP L2TP When a user enters a user name and password the FortiGate unit searches the internal user database for a matching user name If Disable is selected for that user name the user cannot authenticate and the connection is dropped If Password is selected for that user and the password matches th...

Page 146: ...e 3 Enter the user name The user name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Select one of the following authentication configurations Disable Prevent this user from authenticating Password Enter the password that this user must use to authenticate The password should be at least six cha...

Page 147: ...to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration 6 Select OK Figure 17 Adding a user name Deleting user names from the internal database You cannot delete user names that have been added to user groups Remove user names from user groups before deleting them 1 Go to User Local 2 Select Delete User for the user name to delete 3 Select OK Note Deleting the user na...

Page 148: ...o to User RADIUS 2 Select New to add a new RADIUS server 3 Enter the name of the RADIUS server You can enter any name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Enter the domain name or IP address of the RADIUS server 5 Enter the RADIUS server secret 6 Select OK Figure 18 Example RA...

Page 149: ...ation of password expiration that is available from some LDAP servers FortiGate LDAP support does not supply information to the user about why authentication failed LDAP user authentication is supported for PPTP L2TP IPSec VPN and firewall authentication With PPTP L2TP and IPSec VPN PAP packet authentication protocol is supported and CHAP Challenge Handshake Authentication Protocol is not This sec...

Page 150: ...ollowing base distinguished name ou marketing dc fortinet dc com where ou is organization unit and dc is domain component You can also specify multiple instances of the same field in the distinguished name for example to specify multiple organization units ou accounts ou marketing dc fortinet dc com 8 Select OK Figure 19 Example LDAP configuration Deleting LDAP servers You cannot delete LDAP serve...

Page 151: ...the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the order in which they are added affects the order in which the FortiGate unit checks for authentication If user names are first then the FortiGate unit checks for a match with these local users If a match ...

Page 152: ...select the right arrow to add the RADIUS server to the Members list 6 To add an LDAP server to the user group select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a user RADIUS server or LDAP server from the Members list and select the left arrow to remov...

Page 153: ...ublic network Instead of being sent in its original format the data frames are encapsulated within an additional header and then routed between tunnel endpoints Upon arrival at the destination endpoint the data is decapsulated and forwarded to its destination within the private network Encryption transforms data stream from clear text something that a human or a program can interpret to cipher tex...

Page 154: ...er The peers do not actually send the key to each other Instead as part of the security negotiation process they use it in combination with a Diffie Hellman group to create a session key The session key is used for encryption and authentication purposes and is automatically regenerated during the communication session by IKE Pre shared keys are similar to the manual keys in that they require the n...

Page 155: ...ps for a manual key VPN Adding a manual key VPN tunnel General configuration steps for a manual key VPN A manual key VPN configuration consists of a manual key VPN tunnel the source and destination addresses for both ends of the tunnel and an encrypt policy to control access to the VPN tunnel To create a manual key VPN configuration 1 Add a manual key VPN tunnel See Adding a manual key VPN tunnel ...

Page 156: ... Key Each two character combination entered in hexadecimal format represents one byte Use the same authentication key at both ends of the tunnel 11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration See Adding a VPN concentrator on page 173 Select OK to save the manual key VPN tunnel DES Enter a 16 character 8 byte hexadecimal number 0 9 A F 3DES Enter a 4...

Page 157: ... the tunnel See Configuring encrypt policies on page 168 Adding a phase 1 configuration for an AutoIKE VPN When you add a phase 1 configuration you define the terms by which the FortiGate unit and a remote VPN peer gateway or client authenticate themselves to each other prior to the establishment of an IPSec VPN tunnel The phase 1 configuration is related to the phase 2 configuration In phase 1 th...

Page 158: ...Hellman groups to propose for phase 1 As a general rule the VPN peers should use the same DH Group settings 8 Enter the Keylife The keylife is the amount of time in seconds before the phase 1 encryption key expires When the key expires a new key is generated without interrupting service P1 proposal keylife can be from 120 to 172 800 seconds 9 For Authentication Method select Preshared Key or RSA S...

Page 159: ...cific VPN peer or a group of VPN peers with a shared user name ID and password pre shared key Also add the peer ID Also add the peer ID Accept peer ID in dialup group Select to authenticate each remote VPN peer with a unique user name ID and password pre shared key Also select a dialup group user group Configure the user group prior to configuring this peer option XAuth Enable as a Client Name Ent...

Page 160: ...le DPD between the local and remote peers Short Idle Set the time in seconds that a link must remain unused before the local VPN peer considers it to be idle After this period of time expires whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link To control the length of time that the FortiGate unit takes to detect a dead peer...

Page 161: ... between the local VPN peer the FortiGate unit and the remote VPN peer the VPN gateway or client To add a phase 2 configuration 1 Go to VPN IPSEC Phase 2 2 Select New to add a new phase 2 configuration 3 Enter a Tunnel Name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed Note Adding a Phas...

Page 162: ...ylife expires 8 Select the DH Group s The VPN peers must use the same DH Group settings 9 Enter the Keylife The keylife causes the phase 2 key to expire after a specified amount of time after a specified number of kbytes of data have been processed by the VPN tunnel or both If you select both the key does not expire until both the time has passed and the number of kbytes have been processed When t...

Page 163: ...uter to the certificate authority and from the certificate authority to your local computer Obtaining a signed local certificate Obtaining a CA certificate Obtaining a signed local certificate The signed local certificate provides the FortiGate unit with a means to authenticate itself to other devices Note Digital certificates are not required for configuring FortiGate VPNs Digital certificates ar...

Page 164: ...certified Domain Name For Domain name enter the fully qualified domain name of the FortiGate unit being certified Do not include the protocol specification http or any port number or path names E Mail For E mail enter the email address of the owner of the FortiGate unit being certified Typically e mail addresses are entered only for clients not gateways Organization Unit Enter a name that identifi...

Page 165: ...o VPN Local Certificates 2 Select Download to download the local certificate to the management computer 3 Select Save 4 Name the file and save it in a directory on the management computer Requesting the signed local certificate With this procedure you copy and paste the certificate request from the management computer to the CA web server To request the signed local certificate 1 On the management...

Page 166: ... you connect to the CA web server and download the signed local certificate to the management computer Do this after receiving notification from the CA that it has signed the certificate request To retrieve the signed local certificate 1 Connect the CA web server 2 Follow the CA web server instructions to download the signed local certificate The File Download dialog will display 3 Select Save 4 S...

Page 167: ...remote VPN peer The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit Retrieving a CA certificate Connect to the CA web server and download the CA certificate to the management computer To retrieve the CA certificate 1 Connect the CA web server 2 Follow the CA web server instructions to download the CA certificate The F...

Page 168: ...u can configure the encrypt policy for services such as DNS FTP and POP3 and to allow connections according to a predefined schedule by the time of the day or the day of the week month or year You can also configure the encrypt policy for Inbound NAT to translate the source of incoming packets Outbound NAT to translate the source address of outgoing packets Traffic shaping to control the bandwidth...

Page 169: ...en FortiGate models 3 Select New to add an address 4 Enter the Address Name IP Address and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer 5 Select OK to save the source address Adding an encrypt policy 1 Go to Firewall Policy 2 Select the policy list to which you want to add the policy usually Int Ext 3 Select New to add a new policy 4 Set...

Page 170: ...ocal hosts to see the IP addresses of remote hosts hosts located on the network behind the remote VPN gateway Outbound NAT The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network Typically this is an external interface of the FortiGate unit Outbound NAT makes it impossible for remote hosts to see...

Page 171: ...N peer is a FortiGate unit functioning as the hub or concentrator it requires a VPN configuration connecting it to each spoke AutoIKE phase 1 and 2 settings or manual key settings plus encrypt policies It also requires a concentrator configuration that groups the hub and spoke tunnels together The concentrator configuration defines the FortiGate unit as the hub in a hub and spoke network If the VP...

Page 172: ...r a client on the Internet or a network located behind a gateway See Adding a source address on page 169 3 Add the concentrator configuration This step groups the tunnels together on the FortiGate unit The tunnels link the hub to the spokes The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration See Adding a VPN concentrator on page 173 4 Add an encrypt p...

Page 173: ...o add a VPN concentrator 3 Enter the name of the new concentrator in the Concentrator Name field 4 To add tunnels to the VPN concentrator select a VPN tunnel from the Available Tunnels list and select the right arrow 5 To remove tunnels from the VPN concentrator select the tunnel in the Members list and select the left arrow 6 Select OK to add the VPN concentrator Figure 26 Adding a VPN concentrat...

Page 174: ... addresses for each remote VPN spoke The destination address is the address of the spoke either a client on the Internet or a network located behind a gateway See Adding a destination address on page 169 4 Add a separate outbound encrypt policy for each remote VPN spoke These policies control the encrypted connections initiated by the local VPN spoke The encrypt policy must include the appropriate...

Page 175: ...ers one can have multiple Internet connections while the other has only one Internet connection Of course with an asymmetrical configuration the level redundancy will vary from one end of the VPN to the other Configuring redundant IPSec VPN Prior to configuring the VPN make sure that both FortiGate units have multiple connections to the Internet For each unit first add multiple two or more externa...

Page 176: ...Make sure that the remote VPN peer Remote Gateway has a static IP address See Adding a phase 1 configuration for an AutoIKE VPN on page 157 2 Add the phase 2 parameters VPN tunnel for up to three VPN connections If the Internet connections are in the same zone add one VPN tunnel and add the remote gateways to it You can add up to three remote gateways If the Internet connections are in separate zo...

Page 177: ...as the tunnel time out To view VPN tunnel status 1 Go to VPN IPSEC AutoIKE Key The Status column displays the status of each tunnel If Status is Up the tunnel is active If Status is Down the tunnel is not active The Timeout column displays the time before the next key exchange The time is calculated by subtracting the time elapsed since the last key exchange from the keylife Figure 27 AutoIKE key ...

Page 178: ...cal peer Figure 28 Dialup Monitor Testing a VPN To confirm that a VPN between two networks has been configured correctly use the ping command from one internal network to connect to a computer on the other internal network The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiGate unit To confirm that a VPN between a network and one or...

Page 179: ... configuration changes to the client computer and the FortiGate unit This chapter provides an overview of how to configure FortiGate PPTP and L2TP VPN For a complete description of FortiGate PPTP and L2TP see the FortiGate VPN Guide This chapter describes Configuring PPTP Configuring L2TP Configuring PPTP As its name suggests PPTP involves the Point to Point protocol PPTP packages data within PPP ...

Page 180: ...o to User Local 2 Add and configure PPTP users See Adding user names and configuring authentication on page 146 3 Go to User User Group 4 Add and configure PPTP user groups See Configuring user groups on page 151 Enabling PPTP and specifying an address range 1 Go to VPN PPTP PPTP Range 2 Select Enable PPTP 3 Enter the Starting IP and the Ending IP for the PPTP address range 4 Select the User Group...

Page 181: ...n address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which PPTP clients connect 3 Enter a Group Name to identify the address group The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 To add addresses to the address group select an address from the Avai...

Page 182: ...e 4 Set Destination to the address to which PPTP users can connect 5 Set Service to match the traffic type inside the PPTP VPN tunnel For example if PPTP users can access a web server select HTTP 6 Set Action to ACCEPT 7 Select NAT if address translation is required You can also configure traffic shaping logging and antivirus and web filter settings for PPTP policies 8 Select OK to save the firewa...

Page 183: ...e PPTP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect Configuring a Windows 2000 client for PPTP Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN Configuring a PPTP dialup connection 1 Go to Start Settings Network and Dial up C...

Page 184: ...ur workplace and select Next 4 Select Virtual Private Network Connection and select Next 5 Name the connection and select Next 6 If the Public Network dialog box appears choose the appropriate initial connection and select Next 7 In the VPN Server Selection dialog enter the IP address or host name of the FortiGate unit to connect to and select Next 8 Select Finish Configuring the VPN connection 1 ...

Page 185: ...revious procedure 3 Enter your PPTP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring L2TP Some implementations of L2TP support elements of IPSec These elements must be disabled when L2TP is used with...

Page 186: ...o to User Local 2 Add and configure L2TP users See Adding user names and configuring authentication on page 146 3 Go to User User Group 4 Add and configure L2TP user groups See Configuring user groups on page 151 Enabling L2TP and specifying an address range 1 Go to VPN L2TP L2TP Range 2 Select Enable L2TP 3 Enter the Starting IP and the Ending IP for the L2TP address range 4 Select the User Group...

Page 187: ...o an address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which L2TP clients connect 3 Enter a Group Name to identify the address group The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 To add addresses to the address group select an address from the A...

Page 188: ...ewall policy Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel 1 Go to Firewall Policy 2 Select New to add a new policy 3 Set Source to the group that matches the L2TP address range 4 Set Destination to the address to which L2TP users can connect 5 Set Service to match the traffic type inside the L2T...

Page 189: ...yption is selected 10 Select the Networking tab 11 Set VPN server type to Layer 2 Tunneling Protocol L2TP 12 Save your changes and continue with the following procedure Disabling IPSec 1 Select the Networking tab 2 Select Internet Protocol TCP IP properties 3 Double click the Advanced tab 4 Go to the Options tab and select IP security properties 5 Make sure that Do not use IPSEC is selected 6 Sele...

Page 190: ...he User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP client for L2TP Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN Configuring an L2TP VPN dialup connection 1 Go to Start Settings 2 Sele...

Page 191: ...KEY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters 8 Add the following registry value to this key Value Name ProhibitIpSec Data Type REG_DWORD Value 1 9 Save your changes and restart the computer for the changes to take effect You must add the ProhibitIpSec registry value to each Windows XP based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter fo...

Page 192: ...PN connection that you configured in the previous procedure 3 Enter your L2TP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password ...

Page 193: ...acks Logging attacks Detecting attacks The NIDS Detection module detects a wide variety of suspicious network traffic and network based attacks Use the following procedures to configure the general NIDS settings and the NIDS Detection module Signature List For the general NIDS settings you need to select which interfaces will be monitored for network based attacks You also need to decide whether t...

Page 194: ...ake sure that they have not been changed in transit The NIDS can run checksum verification on IP TCP UDP and ICMP traffic For maximum detection you can turn on checksum verification for all types of traffic However if the FortiGate unit does not need to run checksum verification you can turn it off for some or all types of traffic to improve system performance For example you might not need to run...

Page 195: ...gnature list 1 Go to NIDS Detection Signature List 2 Select View Details to display the members of a signature group Select a signature and copy its attack ID 3 Open a web browser and enter this URL http www fortinet com ids ID attack ID Remember to include the attack ID For example to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow bin sh attack ID 101646338 use the followin...

Page 196: ...ocate specific attack signatures by ID number and name 3 Uncheck the Enable check box 4 Select OK 5 Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable Select Check All to enable all NIDS attack signature groups in the signature list Select Uncheck All to disable all NIDS attack signature groups in the signature list Adding user defined signatures You can create a use...

Page 197: ...the text file as well as a name for the text file Preventing attacks NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP ICMP UDP and IP attacks You can enable the NIDS attack prevention to prevent a set of default attacks with default threshold values You can also enable and set the threshold values for individual attack signatures Enabling NIDS att...

Page 198: ...S attack prevention signature list 4 Select Uncheck All to disable all signatures in the NIDS attack prevention signature list 5 Select Reset to Default Values to enable only the default NIDS attack prevention signatures and return to the default threshold values Figure 36 Example NIDS attack prevention signature list entries Setting signature threshold values You can change the default threshold ...

Page 199: ...alue units Default threshold value Minimum threshold value Maximum threshold value synflood Maximum number of SYN segments received per second 200 30 3000 portscan Maximum number of SYN segments received per second 128 10 256 srcsession Total number of TCP sessions initiated from the same source 2048 128 10240 ftpovfl Maximum buffer size for an FTP command bytes 256 128 1024 smtpovfl Maximum buffe...

Page 200: ... attack log Use the following procedure to log attack messages to the attack log 1 Go to Log Report Log Setting 2 Select Config Policy for the log locations you have set 3 Select Attack Log 4 Select Attack Detection and Attack Prevention 5 Select OK Value Description Minimum value Maximum value Default value Threshold Number of SYN requests sent to a destination host or server per second If the SY...

Page 201: ...ge is compared with the previous messages If the new message is not a duplicate the FortiGate unit sends it immediately and puts a copy in the queue If the new message is a duplicate the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue The FortiGate unit holds duplicate alert email messages for 60 seconds If a duplicate message has been in t...

Page 202: ...202 Fortinet Inc Logging attacks Network Intrusion Detection System NIDS ...

Page 203: ...nti Virus Web filter option in firewall policies that allow web HTTP FTP and email IMAP POP3 and SMTP connections through the FortiGate unit Select a content profile that provides the antivirus protection options that you want to apply to a policy See Adding a content profile to a policy on page 142 3 Configure antivirus protection settings to control how the FortiGate unit applies antivirus prote...

Page 204: ...ng and Microsoft Office files containing macros are scanned for macro viruses FortiGate virus scanning does not scan the following file types cdimage floppy image ace bzip2 Tar Gzip Bzip2 If a file is found to contain a virus it is removed from the content stream and replaced with a replacement message To scan FortiGate firewall traffic for viruses 1 Select antivirus scanning in a content profile ...

Page 205: ...r tgz and zip dynamic link libraries dll HTML application hta Microsoft Office files doc ppt xl Microsoft Works files wps Visual Basic files vb screen saver files scr Blocking files in firewall traffic Use content profiles to apply file blocking to HTTP FTP POP3 IMAP and SMTP traffic controlled by firewall policies 1 Select file blocking in a content profile See Adding a content profile on page 14...

Page 206: ...ssage that is forwarded to the receiver It is recommend that you disable the fragmenting of email messages in the client email software To exempt fragmented emails from automatic antivirus blocking you can enable Pass Fragmented Email for the email content protocols IMAP POP3 and SMTP Configure the FortiGate unit to pass fragmented emails by doing the following 1 Enable Pass Fragmented Emails for ...

Page 207: ... configuration steps Content blocking URL blocking Using the Cerberian web filter Script filtering Exempt URL list General configuration steps Configuring web filtering involves the following general steps 1 Select web filtering options in a new or existing content profile See Adding a content profile on page 141 2 Select the Anti Virus Web filter option in firewall policies that allow HTTP connec...

Page 208: ... set that you choose 4 Type a banned word or phrase If you type a single word for example banned the FortiGate unit blocks all web pages that contain that word If you type a phrase for example banned phrase the FortiGate unit blocks web pages that contain both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for example banned phrase I...

Page 209: ...web filter You can configure the FortiGate unit to block all pages on a website by adding the top level URL or IP address You can also block individual pages on a website by including the full path and filename of the web page to block This section describes Adding URLs or URL patterns to the block list Clearing the URL block list Downloading the URL block list Uploading a URL block list Adding UR...

Page 210: ... You can enter multiple URLs and patterns and then select Check All to enable all items in the URL block list Each page of the URL block list displays 100 URLs 6 Use Page Up and Page Down to navigate through the URL block list Figure 39 Example URL block list Clearing the URL block list 1 Go to Web Filter URL Block 2 Select Clear URL Block List to remove all URLs and patterns from the URL block li...

Page 211: ...lists available at http www squidguard org blacklist as a starting point for creating your own URL block list Three times per week the squidGuard robot searches the web for new URLs to add to the blacklists You can upload the squidGuard blacklists to the FortiGate unit as a text file with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a ...

Page 212: ... key on the FortiGate unit Before you can use the Cerberian web filter you must install a license key The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit 1 Go to Web Filter URL Block 2 Select Cerberian URL Filtering 3 Enter the license number 4 Select Apply Adding a Cerberian user to the FortiGate unit The Cerberian web policies can ...

Page 213: ...ers who are not assigned alias names on the FortiGate unit All the users who are not assigned to any other user groups The Cerberian web filter groups the web pages into 53 categories The default policy blocks the URLs of 12 categories You can modify the default policy and apply it to any user groups To configure the Cerberian web filtering 1 Add the user name which is the alias you added on the F...

Page 214: ...d ActiveX scripts from the HTML web pages Enabling the script filter Selecting script filter options Enabling the script filter 1 Go to Firewall Content Profile 2 Select the content profile for which you want to enable script filtering 3 Select Script Filter 4 Select OK Selecting script filter options 1 Go to Web Filter Script Filter 2 Select the script filter options that you want to enable You c...

Page 215: ...l exempts access to the main page of this example website You can also add IP addresses for example 122 63 44 67 index html exempts access to the main web page at this address Do not include http in the URL to exempt Exempting a top level URL such as www goodsite com exempts all requested subpages for example www goodsite com badpage from all content and URL filtering rules 4 Select Enable to exem...

Page 216: ...216 Fortinet Inc Exempt URL list Web filtering ...

Page 217: ...iguration steps Configuring email filtering involves the following general steps 1 Select email filter options in a new or existing content profile See Adding a content profile on page 141 2 Select the Anti Virus Web filter option in firewall policies that allow IMAP and POP3 connections through the FortiGate unit Select a content profile that provides the email filtering options that you want to ...

Page 218: ...a phrase for example banned phrase the FortiGate unit tags email that contains both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for example banned phrase If you type a phrase in quotes for example banned word the FortiGate unit tags all email in which the words are found together as a phrase Content filtering is not case sensitive...

Page 219: ...subdomain name For example mail abccompany com To tag email from an entire organization category type the top level domain name For example type com to tag email sent from all organizations that use com as the top level domain The pattern can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters hyphen _ underscore and Spaces and other special characters are not al...

Page 220: ...d other special characters are not allowed 4 Select Enable to exempt the address pattern 5 Select OK to add the address pattern to the email exempt list You can enter multiple patterns and then select Check All to activate all patterns in the email exempt list You can also enable any pattern in the email exempt list by checking the box in the Enable column Adding a subject tag When the FortiGate u...

Page 221: ... or more of a computer running a syslog server a computer running a WebTrends firewall reporting server the console For information about filtering the log types and activities that the FortiGate unit records see Filtering log messages on page 222 For information about traffic logs see Configuring traffic logging on page 224 This section describes Recording logs on a remote computer Recording logs...

Page 222: ...etIQ Security Reporting Center 2 0 and Firewall Suite 4 1 See the Security Reporting Center and Firewall Suite documentation for more information To record logs on a NetIQ WebTrends server 1 Go to Log Report Log Setting 2 Select Log in WebTrends Enhanced Log Format 3 Type the IP address of the NetIQ WebTrends firewall reporting server 4 Select the severity level for which you want to record log me...

Page 223: ...log Management events include changes to the system configuration as well as administrator and user logins and logouts Activity events include system activities such as VPN tunnel establishment and HA failover events Virus Log Record virus intrusion events such as when the FortiGate unit detects a virus blocks a file type or blocks an oversized file or email Web Filtering Log Record activity event...

Page 224: ... traffic logging Configuring traffic filter settings Adding traffic filter entries Enabling traffic logging You can enable logging on any interface and firewall policy Enabling traffic logging for an interface If you enable traffic logging for an interface all connections to and through the interface and recorded in the traffic log 1 Go to System Network Interface 2 Select Edit in the Modify colum...

Page 225: ...tting Traffic Filter 2 Select New 3 Configure the traffic filter for the type of traffic that you want to record on the traffic log Resolve IP Select Resolve IP if you want traffic log messages to list the IP address and the domain name stored on the DNS server If the primary and secondary DNS server addresses provided to you by your ISP have not already been added go to System Network DNS and add...

Page 226: ...alert email Enabling alert email Adding alert email addresses Because the FortiGate unit uses the SMTP server name to connect to the mail server it must be able to look up this name on your DNS server Therefore before configuring alert email ensure that you have configured at least one DNS server To add a DNS server 1 Go to System Network DNS 2 If they have not already been added add the primary a...

Page 227: ...n configure the FortiGate unit to send alert email in response to virus incidents intrusion attempts and critical firewall or VPN events or violations If you have configured logging to a local disk you can enable sending an alert email when the hard disk is almost full Use the following procedure to enable alert email 1 Go to Log Report Alert Mail Categories 2 Select Enable alert email for virus i...

Page 228: ...228 Fortinet Inc Configuring alert email Logging and reporting ...

Page 229: ...messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet using a Web browser Internal interface The FortiGate interface that is connected to an internal private network Internet A collection of networks connected together that span the entire globe using t...

Page 230: ...ified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point Protocol A TCP IP protocol that provides host to network and router to router connections PPTP Point to Point Tunneling Protocol A Windows based technology for creating VPNs PPTP is supported by Win...

Page 231: ...tworks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP runs on top of IP networks Unlike TCP UDP provides very few error recovery services offering instead a direct way to send and receive datagrams over an IP network It is used primarily for broadcasting ...

Page 232: ...232 Fortinet Inc Glossary ...

Page 233: ...low outbound encrypt policy 118 allow traffic IP MAC binding 138 Anti Virus Web filter policy 119 antivirus definition updates manual 63 antivirus definitions updating 71 antivirus updates 73 configuring 74 through a proxy server 80 attack definition updates downloading 86 87 manual 64 attack definitions updating 71 75 attack detection checksum verification 194 disabling the NIDS 194 enabling and ...

Page 234: ...iles default 141 cookies blocking 214 critical firewall events alert email 227 critical VPN events alert email 227 custom service 127 customer service 15 D date and time setting example 102 109 date setting 101 default gateway configuring Transparent mode 43 default route 23 99 deny firewall policy 117 policy 117 destination policy option 116 117 destination route adding 96 adding a default route ...

Page 235: ...all policy accept 117 Comments 120 deny 117 guaranteed bandwidth 118 Log Traffic 120 maximum bandwidth 118 firewall setup wizard 35 42 starting 35 42 firmware changing 54 installing 59 re installing current version 59 reverting to an older version 59 upgrading 54 upgrading to a new version 55 upgrading using the CLI 55 57 upgrading using the web base manager 55 56 first trap receiver IP address SN...

Page 236: ...b based manager 103 LDAP example configuration 150 LDAP server adding server address 149 deleting 150 lease duration DHCP 23 99 log setting filtering log entries 74 222 traffic filter 225 Log Traffic firewall policy 120 policy 120 logging 221 attack log 223 configuring traffic settings 224 225 email filter log 223 enabling alert email 227 event log 223 filtering log messages 222 log to remote host...

Page 237: ... 117 Anti Virus Web filter 119 arranging in policy list 120 Comments 120 deny 117 disabling 121 enabling 121 enabling authentication 151 fixed port 117 guaranteed bandwidth 118 Log Traffic 120 matching 120 maximum bandwidth 118 policy list configuring 120 policy routing 98 POP3 126 230 port address translation 133 port forwarding 133 adding virtual IP 133 virtual IP 131 port number traffic filter ...

Page 238: ...p 91 routing 230 adding static routes 96 configuring 95 configuring routing table 98 policy 98 routing table 230 adding default route 96 adding routes 96 adding routes Transparent mode 97 configuring 98 S scanning antivirus 204 schedule 129 applying to policy 131 automatic antivirus and attack definition updates 73 creating one time 129 creating recurring 130 one time 129 policy option 117 recurri...

Page 239: ...me zone 101 timeout firewall authentication 103 idle 102 IPSec VPN 177 178 web based manager 102 to IP system status 70 to port system status 70 traffic configuring global settings 224 225 filtering 224 logging 224 traffic filter adding entries 225 display 225 log setting 225 packet 225 port number 225 resolve IP 225 service name 225 session 225 type 225 traffic log 223 Traffic Priority 118 Traffi...

Page 240: ...iew 203 VPN configuring L2TP gateway 186 configuring PPTP gateway 180 186 L2TP configuration 186 PPTP configuration 180 Tunnel 118 viewing dialup connection status 177 VPN events enabling alert email 227 VPN tunnel viewing status 177 W web filtering ActiveX 214 cookies 214 Java applets 214 overview 207 217 web filtering log 223 web page content blocking 208 218 web based manager changing options 1...