
24

01-28008-0111-20050128

Fortinet Inc.

Planning the FortiGate configuration

Getting started

NAT/Route mode

In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all its 
interfaces are on different subnets. The following interfaces are available in 
NAT/Route mode: 

• Internal is the interface to the internal network.
• WAN1 is the default interface to the external network (usually the Internet).
• WAN2 is the redundant interface to the external network.
• DMZ is the interface to the DMZ network.
• Modem is the interface for connecting an external modem to the FortiGate-60. See “Configuring the modem interface” on page 57.
• Modem is the interface to the FortiGate-60M internal modem. See “Configuring modem settings” on page 59.

You must configure routing to support the redundant WAN1 and WAN2 Internet 
connections. Routing can be used to automatically redirect connections from an 
interface if its connection to the external network fails.

You can add firewall policies to control whether communications through the FortiGate 
unit operate in NAT or Route mode. Firewall policies control the flow of traffic based 
on the source address, destination address, and service of each packet. In NAT 
mode, the FortiGate unit performs network address translation before it sends the 
packet to the destination network. In Route mode, there is no address translation.

You typically use NAT/Route mode when the FortiGate unit is operating as a gateway 
between private and public networks. In this configuration, you would create NAT 
mode firewall policies to control traffic flowing between the internal, private network 
and the external, public network (usually the Internet). 

If you have multiple internal networks, such as a DMZ network in addition to the 
internal, private network, you could create route mode firewall policies for traffic 
flowing between them.

Figure 6: Example NAT/Route mode network configuration

[Figure: a FortiGate-60M unit in NAT/Route mode. The Internal interface (192.168.1.99) connects to the internal network (192.168.1.3); the DMZ interface (10.10.10.1) connects to the DMZ network (10.10.10.2); the WAN1 interface (204.23.1.5) connects to the Internet. Route mode policies control traffic between the internal networks; NAT mode policies control traffic between the internal and external networks.]
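As an added example that is not part of the guide, the Figure 6 topology expressed in FortiOS CLI: the interface addresses from the figure, NAT mode policies for traffic leaving through WAN1 and WAN2, a route mode (no translation) policy between Internal and DMZ, and two default routes whose distances make WAN2 the backup path. The WAN2 address, both next-hop gateway addresses and the FortiOS 2.80-era keyword set are assumptions to check against the CLI Reference for your firmware; the # lines are annotations for the reader.

```fortios
# Added example (not from the Fortinet guide). Values marked ASSUMED
# do not appear in Figure 6.

# 1. Interface addresses. Internal, DMZ and WAN1 are taken from Figure 6.
config system interface
    edit internal
        set mode static
        set ip 192.168.1.99 255.255.255.0
    next
    edit dmz
        set mode static
        set ip 10.10.10.1 255.255.255.0
    next
    edit wan1
        set mode static
        set ip 204.23.1.5 255.255.255.0
    next
    edit wan2
        set mode static
        # ASSUMED second ISP address (RFC 5737 documentation range)
        set ip 198.51.100.5 255.255.255.0
    next
end

# 2. Default routes. Both match 0.0.0.0/0; the lower distance (WAN1) is
#    used while that link is up and the WAN2 route is the backup. For the
#    switch-over to happen the failed link must be detected: configure a
#    Ping Server on WAN1 (System > Network > Interface) so dead gateway
#    detection withdraws the WAN1 route when its next hop stops answering.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        # ASSUMED WAN1 next-hop router
        set gateway 204.23.1.2
        set device wan1
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        # ASSUMED WAN2 next-hop router
        set gateway 198.51.100.1
        set device wan2
        set distance 20
    next
end

# 3. Firewall policies. A policy is matched on the egress interface, so the
#    internal network needs a NAT policy for WAN2 as well as WAN1; otherwise
#    traffic rerouted onto WAN2 after a failover matches no policy and is
#    dropped. Add equivalent dmz -> wan1 / wan2 policies for the DMZ hosts.
config firewall policy
    # NAT mode: source addresses are rewritten to the WAN interface address.
    edit 1
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
    edit 2
        set srcintf internal
        set dstintf wan2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
    # Route mode: no "set nat enable", so packets between the two private
    # networks keep their original source address.
    edit 3
        set srcintf internal
        set dstintf dmz
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end
```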
