114

01-28006-0100-20041105

Fortinet Inc.

System administration

Access profiles

Go to System > Admin > Access Profile to add access profiles for FortiGate administrators. Each administrator account belongs to an access profile. You can create access profiles that deny access to, or allow read only, write only, or both read and write access to, FortiGate features.

Access profile list

Figure 42: Access profile list

Access profile options

Figure 43: Access profile option

Create New

Add a new access profile.

Profile Name

The name of the access profile.

Delete and Edit icons

You cannot delete the prof_admin access profile.

Profile Name

Enter the name of the access profile.

Access Control

Access Control lists the items that can be controlled by the access profile.

Allow Read All

Select Allow Read All to give an administrator read privilege on all the items under Access Control.

Allow Write All

Select Allow Write All to give an administrator write privilege on all the items under Access Control.

System Configuration

Allow or deny access to the system status, interface, virtual domain, HA, routing, option, SNMP, time, and replacement message features.

Log & Report

Allow or deny access to the log setting, log access, and alert email features.

Security Policy

Allow or deny access to the firewall, VPN, IPS, and antivirus features.

Auth Users

Allow or deny access to the authorized users feature.
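The options above describe a small authorization model: every administrator belongs to exactly one access profile, a profile grants read, write, both or neither on each Access Control item, Allow Read All and Allow Write All grant that privilege on every item, and prof_admin cannot be deleted. The following Python model is an added example, not Fortinet code or FortiOS behaviour; the class and function names (AccessProfile, ProfileStore, is_allowed, write_everywhere, build_demo_store) and the sample profiles and administrator logins are invented for the illustration, and the refusal to delete a profile that is still assigned to an administrator is an assumption the guide does not state. It also includes a least-privilege audit that lists every profile with write access to all items, which is the kind of check a reviewer runs over the access profile list.

```python
"""
Model of the FortiGate access-profile rules in the table above.
Added example, not Fortinet code; names are invented for this illustration.
"""
from dataclasses import dataclass, field

# Access Control items listed on the page
ITEMS = ("System Configuration", "Log & Report", "Security Policy", "Auth Users")
ACTIONS = ("read", "write")


@dataclass
class AccessProfile:
    name: str
    allow_read_all: bool = False    # "Allow Read All" check box
    allow_write_all: bool = False   # "Allow Write All" check box
    # per-item grants: item name -> set of actions, e.g. {"read"}
    grants: dict = field(default_factory=dict)

    def permits(self, item: str, action: str) -> bool:
        """True if this profile allows `action` on `item`; unknown names are rejected."""
        if item not in ITEMS:
            raise ValueError(f"unknown Access Control item: {item!r}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        if action == "read" and self.allow_read_all:
            return True
        if action == "write" and self.allow_write_all:
            return True
        return action in self.grants.get(item, set())


class ProfileStore:
    """Holds the access profiles and the administrator -> profile assignment."""
    PROTECTED = "prof_admin"  # the guide states this profile cannot be deleted

    def __init__(self) -> None:
        self.profiles: dict = {}
        self.admins: dict = {}  # administrator login -> profile name
        # prof_admin modelled with full read and write access (constructed default)
        self.profiles[self.PROTECTED] = AccessProfile(
            self.PROTECTED, allow_read_all=True, allow_write_all=True)

    def create(self, profile: AccessProfile) -> None:
        if profile.name in self.profiles:
            raise ValueError(f"profile {profile.name!r} already exists")
        self.profiles[profile.name] = profile

    def assign(self, admin: str, profile_name: str) -> None:
        if profile_name not in self.profiles:
            raise KeyError(profile_name)
        self.admins[admin] = profile_name

    def delete(self, profile_name: str) -> None:
        if profile_name == self.PROTECTED:
            raise PermissionError("the prof_admin access profile cannot be deleted")
        # Assumption (not stated in the guide): refuse to delete a profile that an
        # administrator account still belongs to, so no account is left without one.
        in_use = [a for a, p in self.admins.items() if p == profile_name]
        if in_use:
            raise ValueError(f"profile {profile_name!r} still assigned to {in_use}")
        del self.profiles[profile_name]

    def is_allowed(self, admin: str, item: str, action: str) -> bool:
        """Authorization check; unknown administrators get nothing (deny by default)."""
        profile_name = self.admins.get(admin)
        if profile_name is None:
            return False
        return self.profiles[profile_name].permits(item, action)

    def write_everywhere(self) -> list:
        """Least-privilege audit: names of profiles that can write every item."""
        return sorted(
            name for name, p in self.profiles.items()
            if all(p.permits(item, "write") for item in ITEMS))


def build_demo_store() -> ProfileStore:
    """Constructed sample: a read-only log reviewer and a firewall operator."""
    store = ProfileStore()
    store.create(AccessProfile("log_reader", grants={"Log & Report": {"read"}}))
    store.create(AccessProfile("fw_operator", allow_read_all=True,
                               grants={"Security Policy": {"read", "write"}}))
    store.assign("auditor", "log_reader")
    store.assign("ops1", "fw_operator")
    store.assign("admin", "prof_admin")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for login in ("auditor", "ops1", "admin"):
        print(login, {i: s.is_allowed(login, i, "write") for i in ITEMS})
    print("profiles with write on every item:", s.write_everywhere())
```

Running the block prints, per sample administrator, which items they may write, and then the audit result; in the constructed sample only prof_admin has write on every item, so the log reviewer and the firewall operator stay within the scope their profile names suggest.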

Summary of Contents for FortiGate FortiGate-500A

Page 1: ...FortiGate 500A Administration Guide Esc Enter A CONSOLE 5 6 USB LAN 1 2 3 4 L1 L2 L3 L4 10 100 10 100 1000 FortiGate 500A Administration Guide Version 2 80 MR6 5 November 2004 01 28006 0100 20041105...

Page 2: ...tion Guide Version 2 80 MR6 5 November 2004 01 28006 0100 20041105 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Complia...

Page 3: ...tation 22 FortiManager documentation 22 FortiClient documentation 22 FortiMail documentation 22 FortiLog documentation 23 Customer service and technical support 23 System status 25 Console access 25 S...

Page 4: ...arent mode VLAN list 69 Transparent mode VLAN settings 69 FortiGate IPv6 support 71 System DHCP 73 Service 73 DHCP service settings 74 Server 75 DHCP server settings 76 Exclude range 77 DHCP exclude r...

Page 5: ...it 129 Shutdown 132 System virtual domain 135 Virtual domain properties 136 Exclusive virtual domain properties 136 Shared configuration settings 137 Administration and management 138 Virtual domains...

Page 6: ...w Prefix list 160 New prefix list entry 161 Route map list 162 New Route map 162 Route map list entry 163 Key chain list 164 New key chain 164 Key chain list entry 165 Monitor 166 Routing monitor list...

Page 7: ...dule options 215 Configuring one time schedules 215 Recurring schedule list 216 Recurring schedule options 217 Configuring recurring schedules 217 Virtual IP 218 Virtual IP list 219 Virtual IP options...

Page 8: ...s 252 Configuring XAuth 253 Phase 2 254 Phase 2 list 254 Phase 2 basic settings 255 Phase 2 advanced options 256 Manual key 257 Manual key list 258 Manual key options 258 Concentrator 259 Concentrator...

Page 9: ...S VPN 283 Manual key IPSec VPN 284 Adding firewall policies for IPSec VPN tunnels 284 Setting the encryption policy direction 284 Setting the source address for encrypted traffic 284 Setting the desti...

Page 10: ...options 315 CLI configuration 316 heuristic 316 quarantine 318 service http 319 service ftp 320 service pop3 321 service imap 322 service smtp 323 Web filter 325 Content block 327 Web content block l...

Page 11: ...IP address options 342 Configuring the IP address list 343 RBL ORDBL 343 RBL ORDBL list 344 RBL ORDBL options 344 Configuring the RBL ORDBL list 344 Email address 345 Email address list 345 Email addr...

Page 12: ...net Inc Log access 364 Disk log file access 364 Viewing log messages 365 Searching log messages 368 CLI configuration 369 fortilog setting 369 syslogd setting 370 FortiGuard categories 373 FortiGate m...

Page 13: ...service and technical support About FortiGate Antivirus Firewalls The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include...

Page 14: ...unit You can use the feature to stop files that might contain new viruses FortiGate antivirus protection can also identify and remove known grayware programs Grayware programs are usually unsolicited...

Page 15: ...b content such as Java applets cookies and ActiveX Spam filtering FortiGate spam filtering can scan all POP3 SMTP and IMAP email content for spam You can configure spam filtering to filter mail accord...

Page 16: ...ch of its interfaces is associated with a different IP subnet and that it appears to other devices as a router This is how a firewall is normally deployed In NAT Route mode you can create NAT mode pol...

Page 17: ...routing and VPN configuration for each virtual domain separately For these configuration settings each virtual domain is functionally similar to a single FortiGate unit This separation simplifies con...

Page 18: ...e running the same FortiOS firmware image FortiGate HA supports link redundancy and device redundancy FortiGate units can be configured to operate in active passive A P or active active A A HA mode Ac...

Page 19: ...ding the Internet The CLI supports the same configuration and monitoring functionality as the web based manager In addition you can use the CLI for advanced configuration options that are not availabl...

Page 20: ...IPv4 netmask xxx_ipv6 indicates a dotted decimal IPv6 address xxx_v6mask indicates a dotted decimal IPv6 netmask xxx_ipv6mask indicates a dotted decimal IPv6 address followed by a dotted decimal IPv6...

Page 21: ...asic information about how to configure a FortiGate unit including how to define FortiGate protection profiles and firewall policies how to apply intrusion prevention antivirus protection web content...

Page 22: ...VPN connection from your computer to remote networks scan your computer for viruses and restrict access to your computer and applications by setting up firewall policies FortiClient Host Security onli...

Page 23: ...Fortinet products and service contracts from http support fortinet com and change your registration information at any time Technical support is available through email from any of the following addr...

Page 24: ...24 01 28006 0100 20041105 Fortinet Inc Customer service and technical support Introduction...

Page 25: ...ion log This chapter includes Console access Status Session list Changing the FortiGate firmware Console access An alternative to the web based manager discussed in this manual is text based Console A...

Page 26: ...update FortiGate unit information For information on access profiles see Access profiles on page 114 Viewing system status Changing unit information Viewing system status Figure 2 System status Conne...

Page 27: ...as Change Password or Product Registration Select the reminder to see the detailed reminder message Host Name The host name of the current FortiGate unit Firmware Version The version of the firmware i...

Page 28: ...nly CPU usage for management processes for example for HTTPS connections to the web based manager is excluded Active Sessions The number of communications sessions being processed by the FortiGate uni...

Page 29: ...section select Change 3 In the New Name field type a new host name 4 Select OK The new host name is displayed in the Host Name field and in the CLI prompt and is added to the SNMP System Name To upda...

Page 30: ...filename for the attack definitions update file or select Browse and locate the attack definitions update file 5 Select OK to copy the attack definitions update file to the FortiGate unit The FortiGat...

Page 31: ...ist displays information about the communications sessions currently being processed by the FortiGate unit You can use the session list to view current sessions Figure 4 Sample session list Note If th...

Page 32: ...Gate admin user can change the FortiGate firmware After you download a FortiGate firmware image from Fortinet you can use the procedures listed in Table 1 to install the firmware image on your FortiGa...

Page 33: ...ersion To use this procedure you must connect to the CLI using the FortiGate console port and a null modem cable This procedure reverts the FortiGate unit to its factory default configuration Testing...

Page 34: ...server is 192 168 1 168 execute ping 192 168 1 168 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit execute restore image name_str tftp_ipv4 Where na...

Page 35: ...iguration Back up the IPS custom signatures Back up web content and email filtering lists For information see Backing up and Restoring on page 118 If you are reverting to a previous FortiOS version fo...

Page 36: ...up the IPS custom signatures using the command execute backup ipsuserdefsig Back up web content and email filtering lists For information see Backing up and Restoring on page 118 If you are reverting...

Page 37: ...yed Get image from tftp server OK Check image OK This operation will downgrade the current firmware version Do you want to continue y n 7 Type y The FortiGate unit reverts to the old firmware version...

Page 38: ...nstall firmware from a system reboot 1 Connect to the CLI using the null modem cable and FortiGate console port 2 Make sure that the TFTP server is running 3 Copy the new firmware image file to the ro...

Page 39: ...boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F B Q or H 8 Type G to get the new firmware ima...

Page 40: ...tion see Backup and restore on page 117 To restore IPS custom signatures see Backing up and restoring custom signature files on page 301 To restore web content filtering lists see Backup and restore o...

Page 41: ...ing command to restart the FortiGate unit execute reboot 6 As the FortiGate unit reboots press any key to interrupt the system startup As the FortiGate units starts a series of system startup messages...

Page 42: ...g appear FortiGate unit running v2 x BIOS Do You Want To Save The Image Y n Type N FortiGate unit running v3 x BIOS Save as Default firmware Run image without saving D R or Save as Default firmware Ba...

Page 43: ...192 168 1 168 execute ping 192 168 1 168 5 Enter the following command to restart the FortiGate unit execute reboot As the FortiGate unit starts a series of system startup messages are displayed When...

Page 44: ...e that you previously installed When you switch the FortiGate unit to the backup firmware image the FortiGate unit operates using the configuration that was saved with that firmware image If you insta...

Page 45: ...re image is restored To switch back to the default firmware image 1 Connect to the CLI using the null modem cable and FortiGate console port 2 Enter the following command to restart the FortiGate unit...

Page 46: ...46 01 28006 0100 20041105 Fortinet Inc Changing the FortiGate firmware System status...

Page 47: ...to the FortiGate network configuration Interface Zone Management DNS Routing table Transparent Mode VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiGate IPv6 support Interface In...

Page 48: ...If you have added VLAN subinterfaces they also appear in the name list below the physical interface that they have been added to See VLAN overview on page 62 IP The current IP address of the interfac...

Page 49: ...add a secondary IP address To add a ping server to an interface To control administrative access to an interface To change the MTU size of the packets leaving an interface To configure traffic loggin...

Page 50: ...to send the DHCP request Note Where you can enter both an IP address and a netmask in the same field you can use the short form of the netmask For example 192 168 1 100 255 255 255 0 can also be enter...

Page 51: ...e this IP address can be the same as the IP address of another interface or can be any IP address Initial Disc Timeout Initial discovery timeout The time to wait before retrying to start a PPPoE disco...

Page 52: ...tions Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server Disable this option if you are configuring the interface offline Status Displ...

Page 53: ...Config to configure logging locations and types For information about logging see Log Report on page 353 Configuring interfaces Use the following procedures to configure FortiGate interfaces and VLAN...

Page 54: ...for the interface and then add the interface to the zone 1 Go to System Network Zone 2 Choose the zone to add the interface or VLAN subinterface to and select Edit 3 Select the names of the interfaces...

Page 55: ...tiGate unit attempts to contact the DHCP server from the interface to set the IP address netmask and optionally the default gateway IP address and DNS server IP addresses 7 Select Status to refresh th...

Page 56: ...terface edit intf_str config secondaryip edit 0 set ip second_ip netmask_ip Optionally you can also configure management access and add a ping server to the secondary IP address set allowaccess ping h...

Page 57: ...ge 60 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Select the Administrative Access methods for the interface 4 Select OK to save the changes To change the MTU size of the...

Page 58: ...l domain to which you want to add the zone 2 Go to System Network Zone 3 Select Create New 4 In the New Zone dialog box type a name for the zone Create New Select Create New to create a zone Name The...

Page 59: ...ual domain go to System Virtual Domain Current Virtual Domain and select the virtual domain in which to edit the zone 2 Go to System Network Zone 3 Select Edit to modify a zone 4 Select or deselect Bl...

Page 60: ...inistrative access to this interface using only HTTPS or SSH Do not change the system idle timeout from the default value of 5 minutes see To set the system idle timeout on page 83 Figure 10 Managemen...

Page 61: ...e In Transparent mode you can configure routing to add static routes from the FortiGate unit to local routers Routing table list Figure 12 Routing table Primary DNS Server Enter the primary DNS server...

Page 62: ...ame VLAN A VLAN segregates devices logically instead of physically Each VLAN is treated as a broadcast domain Devices in VLAN 1 can connect with other devices in VLAN 1 but cannot connect with devices...

Page 63: ...r layer 3 switch Using VLANs a single FortiGate unit can provide security services and control connections between multiple security domains Traffic from each security domain is given a different VLAN...

Page 64: ...hysical interface cannot have the same VLAN ID However you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces There is no internal connection or link betwee...

Page 65: ...D that matches the VLAN ID of the packets to be received by this VLAN subinterface 6 Select the virtual domain to which to add this VLAN subinterface See System virtual domain on page 135 for informat...

Page 66: ...FortiGate Internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface If these VLAN subinterfaces have the same...

Page 67: ...and configured with three VLAN subinterfaces In this configuration the FortiGate unit could be added to this network to provide virus scanning web content filtering and other services to each VLAN VL...

Page 68: ...aces Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains By default the FortiGate configuration includes one virtual domain named root and yo...

Page 69: ...face Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual domain Name The name of the interface or VLAN subinterface Access The administrative access configurati...

Page 70: ...using a Dynamic DNS service DDNS If the FortiGate unit uses a dynamic IP address you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whe...

Page 71: ...atic routing periodic router advertisements and tunneling of IPv6 addressed traffic over an IPv4 addressed network All of these features must be configured through the Command Line Interface CLI See t...

Page 72: ...72 01 28006 0100 20041105 Fortinet Inc FortiGate IPv6 support System network...

Page 73: ...MAC binding Dynamic IP Service Go to System DHCP Service to configure the DHCP service provided by each FortiGate interface You can configure each interface to be a DHCP relay or a DHCP server or you...

Page 74: ...Select Edit for the interface that you want to be a DHCP relay agent 3 Select DHCP Relay Agent 4 Set type to Regular 5 Enter the DHCP Server IP address 6 Select OK Interface The name of the interface...

Page 75: ...e To configure a DHCP server for an interface on page 76 Server You can configure one or more DHCP servers for any FortiGate interface As a DHCP server the interface dynamically assigns IP addresses t...

Page 76: ...r the range of IP addresses that this DHCP server assigns to DHCP clients Network Mask Enter the netmask that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for an unlimited lease...

Page 77: ...f the connected subnets sends a DHCP request it is relayed to the FortiGate interface by the router using DHCP relay The FortiGate unit selects the DHCP server configuration with an IP range that matc...

Page 78: ...the device When you add the MAC address and an IP address to the IP MAC binding list the DHCP server always assigns this IP address to the MAC address IP MAC binding pairs apply to all FortiGate DHCP...

Page 79: ...resses and the expiry time and date for these addresses To view the dynamic IP list 1 Go to System DHCP Dynamic IP 2 Select the interface for which you want to view the list Name Enter a name for the...

Page 80: ...80 01 28006 0100 20041105 Fortinet Inc Dynamic IP System DHCP...

Page 81: ...set the FortiGate system time For effective scheduling and logging the FortiGate system time must be accurate You can either manually set the FortiGate system time or you can configure the FortiGate...

Page 82: ...ions Timeout settings including the idle timeout and authentication timeout The language displayed by the web based manager Dead gateway detection interval and failover detection Automatically adjust...

Page 83: ...connection can be idle before the user must authenticate again The maximum authtimeout is 480 minutes 8 hours The default Auth Timeout is 15 minutes For more information see Setting authentication ti...

Page 84: ...times that the connection test fails before the FortiGate unit assumes that the gateway is no longer functioning 4 Select Apply HA Fortinet achieves high availability HA using redundant hardware and t...

Page 85: ...f the FortiGate units in the cluster Using the CLI you can configure the FortiGate unit to load balance all network traffic among the FortiGate units in the cluster See the FortiGate CLI Reference Gui...

Page 86: ...Mode if you want to stop a cluster unit from operating in HA mode High Availability Select High Availability to operate the FortiGate unit in HA mode After selecting High Availability complete the re...

Page 87: ...rimary cluster unit The unit priority range is 0 to 255 The default unit priority is 128 You can use the unit priority to control the order in which cluster units become the primary cluster unit when...

Page 88: ...by selecting override master With this configuration the same cluster unit always becomes the primary cluster unit If override master is enabled and the primary cluster unit fails another cluster uni...

Page 89: ...ster interfaces are connected to load balancing switches Hub Load balancing if the cluster interfaces are connected to a hub Traffic is distributed to cluster units based on the Source IP and Destinat...

Page 90: ...er assigns virtual IP addresses to the heartbeat device interfaces The primary cluster unit heartbeat device interface is assigned the IP address 10 0 0 1 and the subordinate unit is assigned the IP a...

Page 91: ...s in the cluster becomes the new primary unit to provide better service to the high priority network If a low priority interface fails on one cluster unit and a high priority interface fails on anothe...

Page 92: ...iates 13 If you are configuring a NAT Route mode cluster power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster Once all of the units are configured con...

Page 93: ...called the cluster heartbeat Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through th...

Page 94: ...peration with the same HA configuration as the other units in the cluster 2 If the cluster is running in Transparent mode change the operating mode of the new FortiGate unit to Transparent mode 3 Conn...

Page 95: ...t subordinate unit priority 1 weight 3 The next three connections are processed by the second subordinate unit priority 2 weight 3 The subordinate units process more connections than the primary unit...

Page 96: ...dividual cluster units To monitor cluster units for failover To manage individual cluster units To view the status of each cluster member 1 Connect to the cluster and log into the web based manager 2...

Page 97: ...ars on the Cluster Members list The host name and serial number of the primary cluster unit changes The new primary unit logs the following messages to the event log HA slave became master Detected HA...

Page 98: ...cluster unit is numbered starting at 1 The information displayed for each cluster unit includes the unit serial number and the host name of the unit 3 Complete the command with the number of the subo...

Page 99: ...e unit The system location description can be up to 35 characters long Contact Enter the contact information for the person responsible for this FortiGate unit The contact information can be up to 35...

Page 100: ...communities Each community can have a different configuration for SNMP queries and traps Each community can be configured to monitor the FortiGate unit for a different set of events You can also add...

Page 101: ...Apply 5 Add one or more SNMP communities IP Address The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiGate unit You can also set the IP address to...

Page 102: ...nto your SNMP manager you do not have to compile them again Table 6 FortiGate MIBs MIB file name or RFC Description fortinet 2 80 mib The Fortinet MIB is a proprietary MIB that includes detailed Forti...

Page 103: ...anges The trap message includes the name of the interface and the serial number of the FortiGate unit HA state HA state changes The trap message includes the previous state the new state and a flag in...

Page 104: ...antivirus traps Trap message Description Virus detected AvVirus The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message Table 12 FortiGa...

Page 105: ...age The current CPU usage as a percent memUsage The current memory utilization in MB sesCount The current IP session count Table 15 HA MIB fields MIB field Description groupId HA group ID priority The...

Page 106: ...ssword LDAP or RADIUS state Whether the local user is enabled or disable Table 18 Virtual domains MIB field Description index The index number virtual domain added to the FortiGate unit name The name...

Page 107: ...sages list Figure 36 Replacement messages list To change a replacement message 1 Go to System Config Replacement Messages 2 Select the category of replacement message to edit by clicking on the blue t...

Page 108: ...contained a virus or was blocked by antivirus file blocking QUARFILENAME can be used in virus and file block messages Quarantining is only available on FortiGate units with a local disk URL The URL o...

Page 109: ...hich the file was removed EMAIL_TO The email address of the intended receiver of the message from which the file was removed NIDSEVENT The IPS attack message NIDSEVENT is added to alert email intrusio...

Page 110: ...110 01 28006 0100 20041105 Fortinet Inc FortiManager System config...

Page 111: ...elongs to an access profile You can create access profiles that deny access to or allow read only write only or both read and write access to the following FortiGate features This chapter describes Ad...

Page 112: ...The admin administrator account cannot be deleted Administrator Enter the login name for the administrator account Password Type a password for the administrator account For improved security the pas...

Page 113: ...d confirm the new password 4 Select OK Using trusted hosts Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access In a...

Page 114: ...lete the prof_admin access profile Profile Name Enter the name of the access profile Access Control Access Control lists the items that can be controlled by the access profile Allow Read All Select Al...

Page 115: ...elect the edit icon to edit an existing access profile 3 Enter a name for the access profile 4 Select or clear the Access Control check boxes as required 5 Select OK Admin Users Allow or deny access t...

Page 116: ...116 01 28006 0100 20041105 Fortinet Inc Access profiles System administration...

Page 117: ...spam filtering files to the management computer You can also restore system configuration VPN certificate web and spam filtering files from previously downloaded backup files Figure 44 Backup and res...

Page 118: ...system to its original configuration including resetting interface addresses This procedure does not change the firmware version or the antivirus or attack definitions Debug Log Download debug log Web...

Page 119: ...or select Browse and locate the file 4 Select OK If you restore the system configuration the FortiGate unit restarts loading the new system settings You should then reconnect to the web based manager...

Page 120: ...t 9443 To receive push updates the FDN must be able to route packets to the FortiGate unit using UDP port 9443 For information about configuring push updates see To enable push updates on page 125 The...

Page 121: ...e FortiGate unit to send push updates Push updates may not be available if you have not registered the FortiGate unit see To register a FortiGate unit on page 131 if there is a NAT device installed be...

Page 122: ...was successful and new updates were installed Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions Allow Push Update Select this check box to a...

Page 123: ...whether the update was successful or not To enable scheduled updates 1 Go to System Maintenance Update center 2 Select the Scheduled Update check box 3 Select one of the following to check for and do...

Page 124: ...m autoupdate tunneling set address proxy address_ip set port proxy port set username username_str set password password_str set status enable end For example if the IP address of the proxy server is 6...

Page 125: ...only method for obtaining updates The FortiGate unit might not receive the push notification Also when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN...

Page 126: ...e FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiGate NA...

Page 127: ...network 1 Go to System Maintenance Update center 2 Select the Allow Push Update check box 3 Select the Use override push check box 4 Set IP to the external IP address added to the virtual IP 5 Set Po...

Page 128: ...Report Bug form to send bug information to Fortinet support Figure 47 Bug report Report Bug Select Report Bug to submit problems with the FortiGate unit to Fortinet Support FDS Registration Select FD...

Page 129: ...n Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased You can register multiple FortiGate units in a single...

Page 130: ...ons for any reason Owners of a new FortiGate unit are entitled to 90 days of technical support services To continue receiving support services after the 90 day expiry date you must purchase a FortiCar...

Page 131: ...tiCare Support Contracts for the FortiGate units that you want to register 1 Go to System Maintenance Support 2 Select FDS Registration 3 Enter your contact information on the product registration for...

Page 132: ...iGate unit after shutdown only by turning the power off and then on 1 Go to System Maintenance Shutdown 2 Select Shutdown 3 Select Apply The FortiGate unit shuts down and all traffic flow stops To res...

Page 133: ...01 28006 0100 20041105 133 3 Select Apply The FortiGate unit restarts with the configuration that it had when it was first powered on 4 Reconnect to the web based manager and review the system configu...

Page 134: ...134 01 28006 0100 20041105 Fortinet Inc Shutdown System maintenance...

Page 135: ...nections between VLAN subinterfaces or zones in the virtual domain Packets never cross the virtual domain border The remainder of FortiGate functionality is shared between virtual domains This means t...

Page 136: ...s Physical interfaces see To add physical interfaces to a virtual domain on page 140 VLAN subinterfaces see To add VLAN subinterfaces to a virtual domain on page 141 Zones see To add zones to a virtua...

Page 137: ...irus Definitions and engine Attack Definitions and engine Serial Number Operation Mode Network configuration DNS settings DHCP configuration DHCP settings are applied per interface no matter which vir...

Page 138: ...l domain if you want these systems to communicate with network resources that can connect to a different virtual domain Virtual domains Go to System Virtual domain Virtual domains to view and add virt...

Page 139: ...n Name The virtual domain must not have the same name as a VLAN or zone 4 Select OK Selecting a virtual domain The following procedure applies to NAT Route and Transparent mode To select a virtual dom...

Page 140: ...omains Adding interfaces VLAN subinterfaces and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtua...

Page 141: ...interface from one virtual domain to another You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it Delete the firewall policies or remove the VLAN sub...

Page 142: ...tual domain To configure the routing table for a virtual domain in Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the ta...

Page 143: ...ble 3 Choose the virtual domain for which to configure firewall addresses 4 Select OK 5 Go to Firewall Address 6 Add new firewall addresses address ranges and address groups to the current virtual dom...

Page 144: ...rtual domain The following procedure applies to NAT Route and Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3...

Page 145: ...ed You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network Ro...

Page 146: ...8.10.1 Device: Name of the interface connected to network 192.168.10.0/24 (e.g., external). Distance: 10. The Gateway setting specifies the IP address of the next-hop router interface to the FortiGate externa...

Page 147: ...tination IP/mask: 192.168.30.0/24; Gateway: 192.168.10.2; Device: dmz; Distance: 10. To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default...

Page 148: ...ence number for this route IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the first next hop router to which this route directs traffic Device T...

Page 149: ...list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic If no policy route matches the packet t...

Page 150: ...IP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authentication and sub...

Page 151: ...servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a ro...

Page 152: ...sed for the redistributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in that...

Page 153: ...n 2 authentication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by an in...

Page 154: ...the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regular to pr...

Page 155: ...list If you do not specify an interface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute list...

Page 156: ...ibute list Direction The direction for the filter Filter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribute list is...

Page 157: ...irtual domain go to System Virtual Domain Virtual Domains and select the virtual domain Create New Add a new offset list Direction The direction for the offset list Access list The access list to use...

Page 158: ...x exactly or to match the prefix and any more specific prefix The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for...

Page 159: ...d Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK Prefix list A prefix list is an enhanced versi...

Page 160: ...ure such as RIP or OSPF Figure 69 Prefix list New Prefix list Figure 70 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a...

Page 161: ...t Less or equal to and enter a number from 0 to 32 to match prefix lengths that are less than or equal to this number 8 Select OK list Entry The prefix list name and the number of this entry Action Se...

Page 162: ...he default action is deny If no match statements are defined in a rule the default action is to match everything If multiple match statements are defined in a rule all the match statements must match...

Page 163: ...to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the se...

Page 164: ...tes from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifet...

Page 165: ...e required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key password...

Page 166: ...e routing table Routing monitor list Figure 78 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to display...

Page 167: ...t router info ospf database get router info ospf interface get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure...

Page 168: ...A router connected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state ad...

Page 169: ...efore entering the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models...

Page 170: ...supports RFC 1583 When RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disable All...

Page 171: ...ust be a backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state...

Page 172: ...n for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 184 none All models default cost co...

Page 173: ...SA You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set t...

Page 174: ...x list on page 159 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete...

Page 175: ...le shows how to display the configuration for area 15.1.1.1: config router ospf, config area, edit 15.1.1.1, show, end. config range: Access the config range subcommand using the config area command. Use the...

Page 176: ...how to display the configuration for area 15.1.1.1. Note: Only the prefix keyword is required; all other keywords are optional. range command keywords and variables: Keywords and variables, Description, Defa...

Page 177: ...link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up between two area border routers ABR...

Page 178: ...authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be set...

Page 179: ...ig router ospf command retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round...

Page 180: ...distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Example T...

Page 181: ...or distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually c...

Page 182: ...ther keywords are optional neighbor command keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range for...

Page 183: ..._integer end config network edit id_integer get end config network edit id_integer show end Example Use the following command to enable OSPF for the interfaces attached to networks specified by the IP...

Page 184: ...nterface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edit interface name_str unset keyword end config ospf interface delete inte...

Page 185: ...outer is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All routers on the network must use the same authentication type none Al...

Page 186: ...without unsetting all of the keys The key ID and key must be the same on all neighboring routers The valid range for id_integer is 1 to 255 key_str is an alphanumeric string of up to 16 characters No...

Page 187: ...riority router ID is used Point to point networks do not elect a DR or BDR therefore this setting has no effect on a point to point network The valid range for priority_integer is 0 to 255 1 All model...

Page 188: ...on key a2b3c4d5e end end This example shows how to display the settings for the OSPF interface configuration named test config router ospf config ospf interface edit test get end This example shows ho...

Page 189: ...uter ospf config summary address Access the config summary address subcommand using the config router ospf command redistribute command keywords and variables Keywords and variables Description Defaul...

Page 190: ...get router ospf; show router ospf. Example: This example shows how to summarize routes using the prefix 10.0.0.0 255.0.0.0: config router ospf, config summary address, edit 5, set prefix 10.0.0.0 255.0.0.0...

Page 191: ...ute that best matches the destination address of the packet If a match is not found the FortiGate unit routes the packet using the default route Command syntax pattern config router static6 edit seque...

Page 192: ...60 set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF end. This example shows how to display the list of IPv6 static route numbers: get router static6. This example shows how to display the settings for IPv6 s...

Page 193: ...t Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynami...

Page 194: ...all policies How policy matching works When the FortiGate unit receives a connection attempt at an interface it selects a policy list to search through for a policy that matches the connection attempt...

Page 195: ...licy should be active See Schedule on page 214 Service The service to which the policy applies See Service on page 206 Action The response to make when the policy matches a connection attempt Enable E...

Page 196: ...Before you can add this address to a policy you must add it to the destination interface VLAN subinterface or zone For information about adding an address see Addresses on page x For NAT Route mode po...

Page 197: ...f you select NAT you can also select Dynamic IP Pool and Fixed Port NAT is not available in Transparent mode Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address random...

Page 198: ...ups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet...

Page 199: ...ble routers sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiGate DiffServ feature to change the DSCP Different...

Page 200: ...policy 7 Arrange policies in the policy list so that they have the results that you expect For information about arranging policies in a policy list see How policy matching works on page 194 To delet...

Page 201: ...2 Clear the Enable check box beside the policy you want to disable To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy comman...

Page 202: ...Configuring address groups firewall policy command keywords and variables Keywords and variables Description Default Availability natip address_ipv4mask Configure natip for a firewall policy with act...

Page 203: ...bnet (IP address 192.168.20.0 and netmask 255.255.255.0), a single IP address (for example, IP address 192.168.20.1 and netmask 255.255.255.255), or all possible IP addresses (represented by IP address 0.0.0.0 a...

Page 204: ...ss 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identify the address 4 Enter the IP address and netmask or the IP address range 5 Select OK To edit an address Edit an address to chan...

Page 205: ...Figure 87 Address group options Address group has the following options Note If an address group is included in a policy it cannot be deleted unless it is first removed from the policy Create New Sel...

Page 206: ...all Address Group 2 Select the Delete icon beside the address group you want to delete 3 Select OK To edit an address group 1 Go to Firewall Address Group 2 Select the Edit icon beside the address gro...

Page 207: ...llows an arbitrary network protocol to be transmitted over any other arbitrary network protocol by encapsulating the packets of the protocol within GRE packets 47 AH Authentication Header AH provides...

Page 208: ...tocol used for retrieving email messages tcp 143 Internet Locator Service Internet Locator Service includes LDAP User Locator Service and LDAP over TLS SSL tcp 389 IRC Internet Relay Chat allows peopl...

Page 209: ...P Routing Information Protocol is a common distance vector routing protocol udp 520 SIP MSNmessenger Session Initiation Protocol is used by Microsoft Messenger to initiate an interactive possibly mult...

Page 210: ...WAIS Wide Area Information Server is an Internet search protocol tcp 210 WINFRAME For WinFrame communications between computers running Windows NT tcp 1494 X WINDOWS For remote communications between...

Page 211: ...and high port numbers If the service uses one port number enter this number in both the low and high fields Destination Port Specify the Destination Port number range for the service by entering the...

Page 212: ...service 6 Select OK You can now add this custom service to a policy To add a custom IP service 1 Go to Firewall Service Custom 2 Select Create New 3 Enter a name for the new custom IP service 4 Selec...

Page 213: ...as the following icons and features Service group options Service group options are configurable when creating or editing a service group Figure 94 Service group options Service group has the followin...

Page 214: ...ewall Service Group 2 Select the Edit icon beside the service group you want to modify 3 Make any required changes 4 Select OK Schedule Use schedules to control when policies are active or inactive Yo...

Page 215: ...ime schedule list has the following icons and features One time schedule options Figure 96 One time schedule options One time schedule has the following options Configuring one time schedules To add a...

Page 216: ...of the day or on specified days of the week For example you might want to prevent game play during working hours by creating a recurring schedule Figure 97 Sample recurring schedule list The recurrin...

Page 217: ...hedules use a 24 hour clock 6 Select OK To delete a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Delete icon beside the recurring schedule you want to delete 3 Select OK To edit...

Page 218: ...P You can create three types of virtual IPs This section describes Virtual IP list Virtual IP options Configuring virtual IPs Note To change the one time schedule name you must delete the schedule and...

Page 219: ...ic NAT or port forwarding Figure 100 Virtual IP options static NAT Figure 101 Virtual IP options port forwarding Create New Select Create New to add a virtual IP Name The name of the virtual IP IP The...

Page 220: ...ted in step 4 However the external IP address must be routed to the selected interface The virtual IP address and the external IP address can be on different subnets 7 Enter the Map to IP address to w...

Page 221: ...Service Port number for which you want to configure port forwarding The external service port number must match the destination port of the packets to be forwarded For example if the virtual IP provi...

Page 222: ...The external service port number must match the destination port of the packets to be forwarded For example if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server the e...

Page 223: ...t1 you can select Dynamic IP pool for policies with the port1 interface as the destination For example you can add IP pools to port2 port1 and port3 port1 policies You can add multiple IP pools to any...

Page 224: ...of the range must be lower than the end of the range The start and end of the range must be on the same subnet as the IP address of the interface to which you are adding the IP pool 5 Select OK To de...

Page 225: ...is operating in NAT Route mode all connections from your network to the Internet appear to come from this IP address If you want connections to originate from all your Internet IP addresses you can a...

Page 226: ...MAP POP3 and SMTP traffic You may not wish to use the strict protection profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum screening S...

Page 227: ...See Configuring web category filtering options on page 229 Spam Filtering See Configuring spam filtering options on page 230 IPS See Configuring IPS options on page 231 Content Archive See Configuring...

Page 228: ...eate and enable a signature to append to outgoing email SMTP only Web Content Block Enable or disable web page blocking for HTTP traffic based on the banned words and patterns in the content block lis...

Page 229: ...HTTP only Block any web pages that have not been rated by the web filtering service Provide details for blocked HTTP 4xx and 5xx errors HTTP only Display a replacement message for 4xx and 5xx HTTP er...

Page 230: ...or disable checking incoming email addresses against the configured spam filter email address list. Return e-mail DNS check: Enable or disable checking that the domain specified in the reply-to or from...

Page 231: ...les 1 Go to Firewall Protection Profile 2 Select Create New 3 Enter a name for the profile 4 Configure the protection profile options 5 Select OK Note Some popular email clients cannot filter messages...

Page 232: ...etwork protection for files downloaded from the web by internal network users select an internal to external policy list 3 Select Create New to add a policy or select Edit for the policy you want to m...

Page 233: ...profiles to apply different protection settings for traffic controlled by firewall policies Command syntax pattern config firewall profile edit profilename_str set keyword variable end config firewall...

Page 234: ...downloading files from an FTP server the FortiGate unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download If a virus is detected the FortiGate unit stops...

Page 235: ...ce enables the FortiGate unit to simultaneously scan an email and send it to the SMTP server If the FortiGate unit detects a virus it terminates the server connection and returns an error message to t...

Page 236: ...mand get firewall profile This example shows how to display the settings for the spammail profile get firewall profile spammail This example shows how to display the configuration for the firewall pro...

Page 237: ...fy the user s credentials locally or using an external LDAP or RADIUS server Authentication expires if the user leaves the connection idle for longer than the authentication timeout period You need to...

Page 238: ...minutes Local Go to User Local to add local user names and configure authentication Local user list Figure 112 Local user list Local user options Figure 113 Local user options Create New Add a new loc...

Page 239: ...authentication The default port for RADIUS traffic is 1812 If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port For more information see the config system gl...

Page 240: ...e domain name or IP address of the RADIUS server 5 Enter the RADIUS server secret 6 Select OK To delete a RADIUS server You cannot delete a RADIUS server that has been added to a user group 1 Go to Us...

Page 241: ...validating user names and passwords FortiGate LDAP supports all LDAP servers compliant with LDAP v3 FortiGate LDAP support does not extend to proprietary functionality such as notification of password...

Page 242: ...LDAP server Server Name IP Enter the domain name or IP address of the LDAP server Server Port Enter the port used to communicate with the LDAP server By default LDAP uses port 389 Common Name Identif...

Page 243: ...Auth The FortiGate PPTP configuration Only users in the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RAD...

Page 244: ...an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a user R...

Page 245: ...tern config user peer edit name_str set keyword variable config user peer edit name_str unset keyword config user peer delete name_str get user peer name_str show user peer name_str Example This examp...

Page 246: ...str set keyword variable config user peergrp edit name_str unset keyword config user peergrp delete name_str get user peergrp name_str show user peergrp name_str Example This example shows how to add...

Page 247: ...his example shows how to display the settings for the peergrp EU_branches get user peergrp EU_branches This example shows how to display the configuration for all the peers groups show user peergrp Th...

Page 249: ...col L2TP This chapter contains information about the following VPN topics Phase 1 Phase 2 Manual key Concentrator Ping Generator Monitor PPTP L2TP Certificates CLI configuration Authenticating peers w...

Page 250: ...re Phase 1 list Figure 120 IPSec VPN Phase 1 list Create New Select Create New to add a Phase 1 configuration also called a remote gateway Gateway Name The names of the Phase 1 configurations remote g...

Page 251: ...n fields may become available or be removed IP Address If you select Static IP Address for Remote Gateway enter the IP address of the gateway or client Dynamic DNS If you select Dynamic DNS for Remote...

Page 252: ...icate name of the remote client or peer for the remote client or peer to start a VPN session with the FortiGate unit Select Accept any peer ID to accept the local ID or peer ID of any remote client or...

Page 253: ...thentication enter the distinguished name DN of the local certificate XAuth You can configure the FortiGate unit as an Extended Authentication XAuth client or an XAuth server For more information see...

Page 254: ...AP between the XAuth client and the FortiGate unit and CHAP between the FortiGate unit and the authentication server Use CHAP whenever possible Use PAP if the authentication server does not support CH...

Page 255: ...identification process For information about how to create a Phase 1 Dialup User configuration see Dialup VPN on page 283 If the tunnel is to connect a static remote gateway select the name of an exi...

Page 256: ...ypted session NULL Do not use a message digest MD5 Message Digest 5 the hash algorithm developed by RSA Data Security SHA1 Secure Hash Algorithm 1 which produces a 160 bit message digest To specify on...

Page 257: ...nnection open even if no data is being transferred DHCP IPSec If the tunnel will service remote dialup clients that broadcast a DHCP request when connecting to the tunnel select DHCP IPSec The FortiGa...

Page 258: ...name for the VPN tunnel Local SPI The local Security Parameter Index SPI identifies the local manual key VPN peer Enter a hexadecimal number digits can be 0 to 9 a to f in the range bb8 to FFFFFFF Thi...

Page 259: ...nto two segments of 16 characters For AES192 enter a 48 character 24 byte hexadecimal number 0 9 A F Separate the number into three segments of 16 characters For AES256 enter a 64 character 32 byte he...

Page 260: ...through two tunnels simultaneously The ping interval is fixed at 40 seconds The source and destination IP addresses refer to the source and destination addresses of IP packets that are to be transport...

Page 261: ...tunnel connections including addressing proxy IDs and status information To monitor a VPN tunnel 1 Go to VPN IPSEC Monitor You can establish or take down a VPN tunnel manually through the Monitor tab...

Page 262: ...ther tunnel can be initiated Flush dialup tunnels icon Stop all dialup tunnels and stop the traffic passing through all dialup tunnels Dialup users may have to re connect to establish new VPN sessions...

Page 263: ...a user name for each PPTP client You can add users to the FortiGate user database to authentication servers RADIUS or LDAP or to both See Users and authentication on page 237 2 Enable PPTP and specify...

Page 264: ...service to HTTP See To add a firewall policy on page 200 6 Configure the Windows clients See Configuring a Windows 2000 client for PPTP Configuring a Windows XP client for PPTP Enabling PPTP and spec...

Page 265: ...rocedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect 4 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name...

Page 266: ...he same as your VPN user name and password PPTP passthrough The FortiGate unit supports PPTP passthrough by configuring a port forwarding virtual IP to use port 1723 Normally PPTP passthrough requires...

Page 267: ...internal 4 For Address name Set Source to All Set Destination to PPTP_pass 5 Set Schedule as required 6 Set Service to ANY 7 Set action to ACCEPT 8 Select NAT 9 Select OK L2TP You can set up VPN conne...

Page 268: ...L2TP range See To add an address on page 204 4 Add a destination address The destination address is the address to which the L2TP clients can connect For example if the destination address is on the...

Page 269: ...the address of the FortiGate unit to connect to and select Next 5 Set Connection Availability to Only for myself and select Next 6 Select Finish 7 In the Connect window select Properties 8 Select the...

Page 270: ...CA authentication Instead it checks for a local or active directory IPSec policy To connect to the L2TP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your L2T...

Page 271: ...ected File and Printer Sharing for Microsoft Networks Client for Microsoft Networks To disable IPSec 1 Select the Networking tab 2 Select Internet Protocol TCP IP properties 3 Double click the Advance...

Page 272: ...a public key and some identifying information that has been digitally signed by a trusted third party known as a certificate authority CA Because CAs can be trusted the certificates issued by a CA ar...

Page 273: ...X 509 standard To generate a certificate request 1 Go to VPN Certificates Local Certificates 2 Select Generate 3 Enter a Certificate Name Typically this is the name of the FortiGate unit being certifi...

Page 274: ...upport all three key sizes 7 Select OK The request is generated and displayed in the Local Certificates list with a status of Pending 8 Select the Download button to download the request to a PC on th...

Page 275: ...Certificates Certificate Name Type a certificate name Subject Information Enter an ID type and the related information for the FortiGate unit being certified You can use one of the following three ID...

Page 276: ...r is configured to authenticate using digital certificates it sends the Distinguished Name DN on its certificate to the remote peer This DN can be used to deny VPN access For example a FortiGate unit...

Page 277: ...and before it can be selected here For more information see the config user chapter of the CLI Reference Guide 3 If you want to define the DN of the FortiGate unit select Advanced and from the Local I...

Page 278: ...is period of time expires whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link The dpd idleworry range is 1 to 300 To control...

Page 279: ...ple_GW set Type dynamic set proposal des md5 set authmethod psk set psksecret Qf2p3O93jIj2bz7E set mode aggressive set dpd enable set dpd idlecleanup 1000 set dpd idleworry 150 set dpd retrycount 5 se...

Page 280: ...ffic to the intended destinations automatically Each IPSec VIP entry is identified by an integer An entry identifies the name of the FortiGate interface to the destination network and the IP address o...

Page 281: ...1 set out interface external next edit 2 set ip 192.168.12.2 set out interface external end. This example shows how to display the settings for the vpn ipsec vip command: get vpn ipsec vip. This example...

Page 282: ...is often referred to as adding a tunnel See Phase 2 on page 254 4 Add the firewall configuration required for the VPN See Adding firewall policies for IPSec VPN tunnels on page 284 Gateway to gateway...

Page 283: ...Dynamic DNS VPN allows remote users or gateways with dynamic IP addresses to use VPN to connect to a private network In this case the gateway or client at the remote end of the VPN tunnel has a dynam...

Page 284: ...bout firewall policies You can also use firewall policies for IPSec VPN to apply protection profiles to VPN traffic to log IPSec VPN traffic and to apply advanced features to IPSec VPN traffic such as...

Page 285: ...licy direction See Setting the encryption policy direction on page 284 3 Add the source and destination addresses See To add an address on page 204 4 Set Action to ENCRYPT 5 From the VPN tunnel list s...

Page 286: ...n set Internet browsing to the virtual source interface Then create Internet access policies for VPN users For example if the virtual source interface is VLAN_21 and port 3 is connected to the Interne...

Page 287: ...iguration to define the parameters used to authenticate the remote VPN peer 2 Set other phase 1 options as required See Phase 1 on page 250 3 Add the phase 2 configuration to define the parameters use...

Page 288: ...s the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 204 3 Add the concentrator configuration This step groups the tunnels tog...

Page 289: ...le VPN concentrator configuration To add a VPN concentrator configuration 1 Go to VPN IPSEC Concentrator 2 Select New to add a VPN concentrator 3 Enter the name of the new concentrator in the Concentr...

Page 290: ...the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 204 4 Add a separate outbound encrypt policy for each remote VPN spoke Thes...

Page 291: ...een two VPN peers one peer can have multiple Internet connections while the other has only one Internet connection In the case of an asymmetrical configuration the level of redundancy varies from one...

Page 292: ...three VPN connections If the Internet connections are in the same zone add one VPN tunnel and add the remote gateways to it You can add up to three remote gateways If the Internet connections are in s...

Page 293: ...the two sites have been coordinated to protect against ambiguous routing no two IP addresses are the same Setting up a configuration like this involves performing the following tasks at FortiGate_1 a...

Page 294: ...remote peer software configuration Check the FortiGate firewall configuration Configuration Error Correction Wrong remote network information Check the IP addresses of the remote gateway and network W...

Page 295: ...rofile select edit or Create New and select IPS See Protection profile options on page 227 Protection profile configuration For information about adding protection profiles to firewall policies see To...

Page 296: ...tion to an extensive list of predefined attack signatures you can also create your own custom attack signatures for the FortiGate unit See Adding custom signatures on page 301 Predefined Predefined si...

Page 297: ...rs Action can be Pass Drop Reset Reset Client Reset Server Drop Session Clear Session or Pass Session See Table 24 Revision The revision number for individual signatures To show the signature group me...

Page 298: ...Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connection is f...

Page 299: ...f a signature 1 Go to IPS Signature Predefined 2 Select the blue triangle next to a signature group name to display the members of that group 3 Select the Reset icon for the signature you want to rest...

Page 300: ...out If a session is idle for longer than this number of seconds the session will not be maintained by tcp_reassembler min_ttl A packet with a higher ttl number in its IP header than the number specifi...

Page 301: ...custom signatures from the custom signature group Reset to recommended settings Reset all the custom signatures to the recommended settings Name The custom signature names Revision The revision numbe...

Page 302: ...essions targeting a single destination in one second is over a threshold the destination is experiencing flooding Scan If the number of sessions from a single source in one second is over a threshold...

Page 303: ...nt Reset Server Drop Session Clear Session or Pass Session Modify The Edit and Reset icons If you have changed the settings for an anomaly you can use the Reset icon to change the settings back to the...

Page 304: ...is fully established it acts as Clear Session Reset Client The FortiGate unit drops the packet that triggered the anomaly sends a reset to the client and removes the session from the FortiGate session...

Page 305: ...edit name_str unset keyword end config limit delete name_str Example Use the following command to configure the limit for the tcp_src_session anomaly config ips anomaly tcp_src_session config limit ed...
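The flood and scan anomalies above (a destination or source whose new-session count in one second exceeds the configured limit) and the Reset-action fallback described on the preceding pages, as an added example that is not code from the guide or from Fortinet. The thresholds, the session records and the use of the anomaly names as dictionary keys are assumptions chosen for illustration:

```python
"""Per-second flood and scan anomaly detection over constructed session
records, with the reset-action fallback the IPS anomaly pages describe.
Added example, not Fortinet code: thresholds, sample records and the
anomaly names used as dictionary keys are assumptions for illustration."""
from collections import Counter, defaultdict

# Illustrative thresholds (assumed, not the unit's defaults): a count
# strictly over the threshold within one second triggers the anomaly.
THRESHOLDS = {
    "tcp_dst_session": 5,  # flood: new sessions to one destination per second
    "tcp_src_session": 5,  # scan: new sessions from one source per second
}

# Constructed sample: (timestamp in seconds, source IP, destination IP).
# Second 100: six sources hit one destination (flood).
# Second 101: one source opens sessions to seven destinations (scan).
# Second 102: an ordinary background session.
SESSIONS = (
    [(100, f"10.0.0.{i}", "192.0.2.10") for i in range(1, 7)]
    + [(101, "10.0.0.99", f"198.51.100.{i}") for i in range(1, 8)]
    + [(102, "10.0.0.7", "192.0.2.20")]
)


def detect_anomalies(sessions, thresholds=THRESHOLDS):
    """Return (anomaly, key, second, count) tuples in time order for every
    one-second bucket in which a destination or a source exceeds its limit."""
    dst_per_sec = defaultdict(Counter)
    src_per_sec = defaultdict(Counter)
    for ts, src, dst in sessions:
        sec = int(ts)
        dst_per_sec[sec][dst] += 1
        src_per_sec[sec][src] += 1
    findings = []
    for sec in sorted(set(dst_per_sec) | set(src_per_sec)):
        for dst, n in dst_per_sec[sec].items():
            if n > thresholds["tcp_dst_session"]:
                findings.append(("tcp_dst_session", dst, sec, n))
        for src, n in src_per_sec[sec].items():
            if n > thresholds["tcp_src_session"]:
                findings.append(("tcp_src_session", src, sec, n))
    return findings


RESET_ACTIONS = {"reset", "reset_client", "reset_server"}


def effective_action(configured, proto, established=True):
    """Reset actions are meaningful only on TCP: on non-TCP traffic, or when
    the TCP handshake has not completed, the unit behaves as Clear Session."""
    if configured in RESET_ACTIONS and (proto != "tcp" or not established):
        return "clear_session"
    return configured


if __name__ == "__main__":
    for finding in detect_anomalies(SESSIONS):
        print(finding)
    print(effective_action("reset_client", "udp"))
```

The detector buckets by whole second because that is the window the guide uses; a production version would also need the per-signature action and the session-table removal the action descriptions call for, which this example only models through effective_action.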

Page 306: ...g signatures for attacks that your system is not vulnerable to for example web attacks when you are not running a web server For more information on FortiGate logging and alert email see Log Report on...

Page 307: ...otocol HTTP FTP IMAP POP3 SMTP View a read only list of current viruses File Block Antivirus File Block Enable or disable file blocking for each protocol Configure file patterns to block enable or dis...

Page 308: ...rtiProtect Center at http://www.fortinet.com/FortiProtectCenter. To set up automatic and push updates, see Update center on page 120. This chapter describes File block, Quarantine, Config, CLI configuration, F...

Page 309: ...information files pif Figure 151 Default file block list File block list has the following icons and features Create New Select Create New to add a new file pattern to the file block list Apply Select...

Page 310: ...ed files list Quarantined files list options AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantined files list The quarantined files list displays information about...

Page 311: ...oversize exe Date The date and time that the file was quarantined in the format dd mm yyyy hh mm This value indicates the time that the first file was quarantined if the duplicate count increases Serv...

Page 312: ...ions AutoSubmit list has the following icons and features Configuring the AutoSubmit list To add a file pattern to the AutoSubmit list 1 Go to Anti Virus Quarantine AutoSubmit 2 Select Create New Figu...

Page 313: ...he time limit in hours for which to keep files in quarantine The age limit is used to formulate the value in the TTL column of the quarantined files list When the limit is reached the TTL column displ...

Page 314: ...he FortiGate unit to receive automatic updates daily or whenever required To manually upload a virus list update see Changing unit information on page 29 To find out how to use the Fortinet Update Cen...

Page 315: ...lt all new categories are disabled Grayware is enabled in a protection profile when Virus Scan is enabled Grayware options Grayware categories are populated with known executable files Each time the F...

Page 316: ...or bookmarks start pages and menu options Plugin Select enable to block browser plugins Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the b...

Page 317: ...settings for the antivirus heuristic command get antivirus heuristic This example shows how to display the configuration for the antivirus heuristic command show antivirus heuristic Table 26 antiviru...

Page 318: ...ted in this Guide See the FortiGate CLI Reference Guide for a complete list of commands and keywords antivirus quarantine command keywords and variables Keywords and variables Description Default Avai...

Page 319: ...port 80 Use the unset command to remove all ports from the list config antivirus service http set port 70 set port 90 set port 443 end This example shows how to display the antivirus HTTP traffic sett...

Page 320: ...canning does not erase the default port 21 Use the unset command to remove all ports from the list config antivirus service ftp set port 22 set port 23 end This example shows how to display the antivi...

Page 321: ...lt port 110 Use the unset command to remove all ports from the list config antivirus service pop3 set port 992 set port 993 end This example shows how to display the antivirus POP3 traffic settings ge...

Page 322: ...the unset command to remove all ports from the list config antivirus service imap set port 10585 set port 10686 set port 10787 end This example shows how to display the antivirus IMAP traffic settings...

Page 323: ...ot erase the default port 25 Use the unset command to remove all ports from the list config antivirus service smtp set port 465 end This example shows how to display the antivirus SMTP traffic setting...


Page 325: ...anned words and patterns in the content block list for HTTP traffic Add words and patterns to block web pages containing those words or patterns Web URL Block Web Filter URL Block Enable or disable we...

Page 326: ...k URL block URL exempt category block FortiGuard and script filter This chapter describes Content block URL block URL exempt Category block Script filter Protection Profile web category filtering Web...

Page 327: ...ing icons and features. Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression modifier /i. For example, bad lang...

Page 328: ...t the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You can also add pat...

Page 329: ...must be separated by hard returns to upload correctly Figure 161 Sample Web URL block list Web URL block options Web URL block has the following icons and features Configuring the web URL block list...

Page 330: ...all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on. 5...

Page 331: ...3 Select Create New Figure 164 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exempt lis...

Page 332: ...L to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 166 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable 5 Select OK Note Enable Web...

Page 333: ...added to or updated as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with a message indicati...

Page 334: ...If you have ordered FortiGuard through Fortinet technical support or are using the free 30 day trial you only need to enable the service to start configuring and using FortiGuard Figure 167 Category b...

Page 335: ...229 and FortiGuard categories on page 373 Once you select Apply the FortiGuard license type and expiration date appears on the configuration screen Web Filter Category Block Category block reports Yo...

Page 336: ...Guide for descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate the repor...

Page 337: ...t end This example shows how to display the catblock settings get webfilter catblock This example shows how to display the configuration for the catblock settings show webfilter catblock If the show c...

Page 338: ...gure the following options for script filtering Note Blocking any of these items may prevent some web pages from functioning and displaying correctly Note Enable Web filtering Web Script Filter in you...

Page 339: ...Enable or disable checking incoming IP addresses against the configured spam filter IP address list SMTP only Add to and edit IP addresses to the list You can configure the action to take as spam clea...

Page 340: ...ers against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam...

Page 341: ...es the IP address list from email captured by spam probes located around the world Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the an...

Page 342: ...the FortiGate unit to filter email from specific IP addresses You can mark each IP address as clear spam or reject You can filter single IP addresses or a range of addresses at the network level by c...

Page 343: ...reported spam source addresses and ORDBLs keep track of unsecured third party SMTP servers known as open relays which some spammers use to send unsolicited bulk email There are also several free and...

Page 344: ...lter RBL ORDBL 2 Select Create New Figure 173 Adding an RBL or ORDBL server 3 Enter the domain name of the RBL or ORDBL server you want to add 4 Select the action to take on email matched by the serve...

Page 345: ...ess list. The FortiGate unit can filter email from specific senders or all email from a domain such as sample.net. You can mark each email address as clear or spam. Figure 174: Sample email address list. E...

Page 346: ...les of MIME headers include X mailer outgluck X Distribution bulk Content_Type text html Content_Type image jpg The first part of the MIME header is called the header key or just header The second par...

Page 347: ...headers Note MIME header entries are case sensitive Create New Select Create New to add a MIME header to the MIME headers list Total The number of items in the list The Page up Page down and Remove a...

Page 348: ...on page 350 This section describes Banned word list Banned word options Configuring the banned word list Banned word list You can add one or more banned words to sort email containing those words in...

Page 349: ...wildcard or regular expression See Using Perl regular expressions on page 350 Language The character set to which the banned word belongs Simplified Chinese Traditional Chinese French Japanese Korean...

Page 350: ...any single character. It is similar to the ? character in a wildcard match pattern. As a result, fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom, and so on...

Page 351: ...end of the string a b either of a and b abc abc the string abc at the beginning or at the end of the string ab 2 4 c an a followed by two three or four b s followed by a c ab 2 c an a followed by at l...

Page 352: ...d perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the regular expression parser to ignore white space that is neither backslashed nor within a character c...
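The URL block suffix matching on page 330, the URL exempt list, and the Perl regular expression behaviour described on pages 327 and 350 to 352 (patterns are case sensitive unless the i modifier is used; an unescaped dot matches any character, so fortinet.com also matches fortinetacom), as one added example that is not code from the guide or from Fortinet. The precedence used here (exempt list checked first, then the URL block list, then the pattern block list) and the sample URLs are assumptions for illustration:

```python
"""URL block, URL exempt and pattern block matching as the Web Filter
chapter describes them. Added example, not Fortinet code. The evaluation
order (exempt, then URL block, then pattern block) and the sample URLs
are assumptions for illustration."""
import re
from urllib.parse import urlsplit


def host_matches_entry(host, entry):
    """An entry such as badsite.com matches badsite.com itself and every host
    that ends with .badsite.com (www.badsite.com, mail.badsite.com,
    www.finance.badsite.com), but not notbadsite.com: the comparison is made
    on a label boundary, not as a raw string suffix."""
    host = host.lower().rstrip(".")
    entry = entry.lower().lstrip("*.").rstrip(".")
    return host == entry or host.endswith("." + entry)


def compile_perl_pattern(pattern):
    """Accept either a bare regex or a Perl-style /regex/modifiers literal.
    Patterns stay case sensitive unless the i modifier is given, as the guide
    notes; x maps to verbose mode. Other modifiers are ignored here."""
    flags = 0
    end = pattern.rfind("/")
    if pattern.startswith("/") and end > 0:
        body, mods = pattern[1:end], pattern[end + 1:]
        if "i" in mods:
            flags |= re.IGNORECASE
        if "x" in mods:
            flags |= re.VERBOSE
        pattern = body
    return re.compile(pattern, flags)


def classify_url(url, block_list, pattern_list, exempt_list=()):
    """Return "exempt", "blocked:url", "blocked:pattern" or "allowed".
    Exempt entries win over block entries (assumed precedence); the pattern
    list is applied to the whole URL string."""
    host = urlsplit(url).hostname or ""
    if any(host_matches_entry(host, e) for e in exempt_list):
        return "exempt"
    if any(host_matches_entry(host, e) for e in block_list):
        return "blocked:url"
    for pat in pattern_list:
        if compile_perl_pattern(pat).search(url):
            return "blocked:pattern"
    return "allowed"


if __name__ == "__main__":
    # The unescaped dot is the pitfall page 350 warns about.
    print(compile_perl_pattern("fortinet.com").search("fortinetacom") is not None)   # True
    print(compile_perl_pattern(r"fortinet\.com").search("fortinetacom") is not None)  # False
    print(classify_url("http://mail.badsite.com/inbox", ["badsite.com"], []))
    print(classify_url("http://support.badsite.com/kb", ["badsite.com"], [],
                       ["support.badsite.com"]))
```

When writing pattern block entries, escape literal dots (fortinet\.com) and add /i only where case folding is wanted; otherwise the pattern silently over-matches or under-matches, which is hard to spot in a long list.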

Page 353: ...level and log format Log filters define the types of log messages saved to each location You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur I...

Page 354: ...52 device_id=APS3012803033139 log_id=0101023002 type=event subtype=ipsec pri=notice loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz action=negotiate init=lo...

Page 355: ...ll the FortiGate unit begins to overwrite the oldest messages All log entries are deleted when the FortiGate unit restarts Syslog A remote computer running a syslog server WebTrends A remote computer...

Page 356: ...e is started Roll log policy The policy to follow for saving the current log and starting a new active log Overwritten deletes the oldest log entry when the disk is full Block traffic stops all networ...

Page 357: ...he logging severity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 36 Logging severity levels on page 356 Facility Facility...

Page 358: ...email Test Select Test to send a test alert email to the configured recipients Level The FortiGate unit sends alert email for all messages at and above the logging severity level you select Emergency...
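The key=value log format shown on page 354 and the severity rule on pages 357 and 358 (each log location and the alert email receive messages at the selected level and every more severe level, so selecting Error yields Error, Critical, Alert and Emergency), as an added example that is not code from the guide or from Fortinet. The first sample line reuses the field set of the guide's IPSec message; the remaining lines, their log_id values and their contents are constructed for illustration, and the level names follow Table 36:

```python
"""Parse FortiGate key=value log messages and apply the severity filter the
Log & Report chapter describes. Added example, not Fortinet code. The first
sample line reuses the guide's IPSec field set; the other lines and all
log_id values except 0101023002 are constructed for illustration."""
import re

# Table 36 order: a lower number is more severe. "notice" is the value the
# unit writes in pri= for the Notification level (see the guide's sample).
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "notice": 5,
    "information": 6, "info": 6,
}

# Constructed sample messages (ids other than 0101023002 are made up).
LOG_LINES = [
    'date=2004-11-05 time=10:12:52 device_id=APS3012803033139 log_id=0101023002 '
    'type=event subtype=ipsec pri=notice loc_ip=172.16.81.2 loc_port=500 '
    'rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz action=negotiate',
    'date=2004-11-05 time=10:13:01 device_id=APS3012803033139 log_id=0100000001 '
    'type=event subtype=admin pri=warning user=admin ui=GUI(10.0.0.5) '
    'action=login status=failed msg="Administrator admin login failed from GUI(10.0.0.5)"',
    'date=2004-11-05 time=10:13:07 device_id=APS3012803033139 log_id=0400000001 '
    'type=ips subtype=signature pri=critical src=198.51.100.7 dst=172.16.81.2 '
    'action=reset msg="constructed signature match"',
    'date=2004-11-05 time=10:13:09 device_id=APS3012803033139 log_id=0000000001 '
    'type=traffic subtype=allowed pri=information src=10.0.0.5 dst=192.0.2.10 '
    'service=80/tcp status=accept',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return the message as a dict; quoted values lose their quotes."""
    rec = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def parse_logs(lines):
    return [parse_log_line(line) for line in lines if line.strip()]


def severity_rank(name):
    return SEVERITY[name.lower()]


def filter_at_or_above(records, selected_level):
    """Keep records at the selected level and every more severe level, which
    is how the unit decides what reaches a log location or the alert email.
    A record without pri= is treated as Information (assumption)."""
    limit = severity_rank(selected_level)
    return [r for r in records
            if severity_rank(r.get("pri", "information")) <= limit]


if __name__ == "__main__":
    records = parse_logs(LOG_LINES)
    for r in filter_at_or_above(records, "error"):
        print(r["log_id"], r["pri"], r["type"])
```

The same filter applies per location, so a syslog server set to Warning and an alert email set to Error receive different subsets of the same stream; checking the intended subset against a handful of representative lines, as here, catches an off-by-one in the chosen level before it hides an incident.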

Page 359: ...rt email 7 Select Apply Log filter options For each logging location you enable you can create a customized log filter based on the log types described in the following sections Information The interv...

Page 360: ...n or packet log You can apply the following filters Event log The Event Log records management and activity events such as when a configuration has changed or a routing gateway has been added You can...

Page 361: ...HA activity event The FortiGate unit logs all high availability events such as link member and state information Firewall authentication event The FortiGate unit logs all firewall related events such...

Page 362: ...raffic log 1 Go to System Network Interface 2 Select the Edit icon for an interface 3 Select Log 4 Select OK 5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make s...

Page 363: ...traffic logging for a firewall policy All connections accepted by the firewall policy are recorded in the traffic log 1 Go to Firewall Policy 2 Select the Edit icon for a policy 3 Select Log Traffic...

Page 364: ...disk Figure 184 Sample list of logs stored on the FortiGate disk The following table describes the column headings and the icons you can use to view and manage the log files when accessing logs saved...

Page 365: ...iew and search log messages on the FortiGate disk 1 Go to Log Report Log Access 2 Select the log type you wish to access 3 Select Disk from the Type list 4 Select the View icon for the disk file you w...

Page 366: ...ayed 4 Select the View icon for the log file you want to open The log messages are displayed You can change the displayed columns or see the raw log messages go to the previous or next log page or sea...

Page 367: ...and select the right arrow button 3 To remove fields select them in the Show these fields list and select the left arrow button 4 To change the position of a column select the field in the Show these...

Page 368: ...n advanced search 1 Display the log messages you want to search For more information see Viewing log messages on page 365 2 Select Advanced Search The Log Search window is displayed Figure 187 Search...

Page 369: ...ables Description Default Availability encrypt enable disable Enter enable to enable encrypted communication with the FortiLog unit disable All models localid str_id Enter the local ID for an IPSec VP...

Page 370: ...he settings are at default syslogd setting Use this command to configure log settings for logging to a remote syslog server You can configure the FortiGate unit to send logs to a remote computer runni...

Page 371: ...he IP address of the syslog server that stores the logs No default All models status disable enable Enter enable to enable logging to a remote syslog server disable All models Table 37 Facility types...

Page 372: ...to user: config log syslogd setting set status enable set server 220.210.200.190 set port 601 set facility user end. This example shows how to display the log setting for logging to a remote syslog ser...

Page 373: ...sites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional...

Page 374: ...y with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites t...

Page 375: ...scussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites...

Page 376: ...nformation about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide inform...

Page 377: ...ns devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as...

Page 378: ...ated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services O...

Page 379: ...32 32 32 32 32 32 system interface ip6 prefix list 32 32 32 32 32 32 32 32 32 32 32 32 32 system ipv6_tunnel 4 4 4 4 4 4 4 4 4 4 4 4 4 system accprofile 8 8 8 16 16 16 16 16 64 64 64 64 64 system adm...

Page 380: ...500 500 500 500 500 500 firewall service group member 300 300 300 300 300 300 300 300 300 300 300 300 300 firewall schedule onetime 256 500 256 256 256 256 256 256 256 256 256 256 256 firewall schedu...

Page 381: ...stem memory and performance considerations ips anomaly limit 100 100 100 100 100 100 100 100 100 100 100 100 100 ips custom 32 32 32 32 32 32 32 32 32 32 32 32 32 log trafficfilter rule 50 50 50 50 50...

Page 382: ...100 100 100 100 router ospf network 100 100 100 100 100 100 100 100 100 100 100 100 100 router ospf neighbor 10 10 10 10 10 10 10 10 10 10 10 10 10 router ospf passive interface 100 100 100 100 100 10...

Page 383: ...ages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet usi...

Page 384: ...o the specified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Poi...

Page 385: ...networks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TC...


Page 387: ...bandwidth guaranteed 199 200 maximum 199 200 banned word spam 348 bindtoif 280 browsing the Internet through a VPN tunnel 257 285 C CA certificates 275 Certificate Name 252 275 CLI 19 upgrading the fi...

Page 388: ...262 Dynamic DNS VPN 283 dynamic IP pool IP pool 203 238 239 241 243 dynamic port forwarding 218 222 E Email address 345 Enable perfect forward secrecy PFS 256 Enable replay detection 256 Encryption 25...

Page 389: ...nitor active sessions 97 CPU usage 97 intrusion detected 97 memory usage 97 monitor 97 network utilization 97 total bytes 97 total packets 97 up time 97 virus detected 97 heartbeat failover 85 heartbe...

Page 390: ...onitor 97 metric 189 metric type 189 MIB FortiGate 102 MIME headers 346 Mode 250 251 mode HA 87 Transparent 16 monitor HA monitor 97 IPSec VPN 261 monitor priorities HA 91 mtu 186 MTU size 53 definiti...

Page 391: ...ver 124 push updates 124 push update configuring 125 external IP address changes 125 management IP address changes 126 through a NAT device 126 through a proxy server 124 Q Quarantine 310 Quarantine l...

Page 392: ...interval 82 synchronize with NTP server 82 Syslog logging settings 357 system configuration 81 system date and time setting 81 system options changing 82 T tag 189 190 TCP custom service 210 211 tech...

Page 393: ...ng introduction 15 Web filter 325 373 content block 327 Web pattern block 330 Web script filter options 338 Web URL block list 329 web based manager introduction 19 language 83 84 timeout 83 WebTrends...

