Fortinet FortiGate FortiGate-60M, Administration Manual

Page 1: ...dministration Guide INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN1 WAN2 PWR STATUS FortiGate 60M Administration Guide Version 2 80 MR7 17 December 2004 01 28007 0144 20041217 ...

Page 2: ...tion Guide Version 2 80 MR7 17 December 2004 01 28007 0144 20041217 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS For technical support please visit http w...

Page 3: ...hnical documentation 22 Related documentation 23 FortiManager documentation 23 FortiClient documentation 23 FortiMail documentation 23 FortiLog documentation 24 Customer service and technical support 24 System status 25 Console access 25 Status 26 Viewing system status 26 Changing unit information 29 Session list 32 Changing the FortiGate firmware 33 Upgrading to a new firmware version 33 Revertin...

Page 4: ...ANs in NAT Route mode 66 Rules for VLAN IDs 66 Rules for VLAN IP addresses 66 Adding VLAN subinterfaces 67 VLANs in Transparent mode 68 Rules for VLAN IDs 70 Transparent mode virtual domains and VLANs 70 Transparent mode VLAN list 71 Transparent mode VLAN settings 71 FortiGate IPv6 support 73 System DHCP 75 Service 75 DHCP service settings 76 Server 77 DHCP server settings 78 Exclude range 79 DHCP...

Page 5: ...toring 118 Update center 120 Updating antivirus and attack definitions 122 Enabling push updates 125 Support 127 Sending a bug report 128 Registering a FortiGate unit 129 Shutdown 131 System virtual domain 133 Virtual domain properties 134 Exclusive virtual domain properties 134 Shared configuration settings 135 Administration and management 136 Virtual domains 136 Adding a virtual domain 137 Sele...

Page 6: ...st options 154 Offset list 155 Offset list options 155 Router objects 156 Access list 156 New access list 156 New access list entry 157 Prefix list 157 New Prefix list 158 New prefix list entry 159 Route map list 159 New Route map 160 Route map list entry 161 Key chain list 162 New key chain 162 Key chain list entry 163 Monitor 164 Routing monitor list 164 CLI configuration 165 get router info osp...

Page 7: ...d service list 205 Custom service list 208 Custom service options 209 Configuring custom services 210 Service group list 211 Service group options 211 Configuring service groups 212 Schedule 213 One time schedule list 213 One time schedule options 214 Configuring one time schedules 214 Recurring schedule list 215 Recurring schedule options 215 Configuring recurring schedules 216 Virtual IP 216 Vir...

Page 8: ...37 RADIUS server list 237 RADIUS server options 238 LDAP 238 LDAP server list 239 LDAP server options 239 User group 241 User group list 241 User group options 242 CLI configuration 243 peer 243 peergrp 244 VPN 247 Phase 1 248 Phase 1 list 248 Phase 1 basic settings 249 Phase 1 advanced settings 251 Phase 2 252 Phase 2 list 253 Phase 2 basic settings 253 Phase 2 advanced options 254 Manual key 255...

Page 9: ...nfiguration procedures 268 PPTP configuration procedures 270 L2TP configuration procedures 270 CLI configuration 271 ipsec phase1 271 ipsec phase2 273 ipsec vip 274 IPS 279 Signature 280 Predefined 280 Custom 284 Anomaly 286 Anomaly CLI configuration 289 Configuring IPS logging and alert email 290 Default fail open setting 290 Antivirus 291 File block 292 File block list 293 Configuring the file b...

Page 10: ...ns 313 Configuring the web content block list 314 URL block 314 Web URL block list 315 Web URL block options 315 Configuring the web URL block list 316 Web pattern block list 316 Web pattern block options 317 Configuring web pattern block 317 URL exempt 317 URL exempt list 318 URL exempt list options 318 Configuring URL exempt 318 Category block 319 FortiGuard managed web filtering service 319 Cat...

Page 11: ...ons 332 Configuring the email address list 333 MIME headers 333 MIME headers list 334 MIME headers options 334 Configuring the MIME headers list 335 Banned word 335 Banned word list 336 Banned word options 336 Configuring the banned word list 337 Using Perl regular expressions 337 Log Report 341 Log config 342 Log Setting options 342 Alert E mail options 346 Log filter options 347 Configuring log ...

Page 12: ...Contents 12 01 28007 0144 20041217 Fortinet Inc Index 369 ...

Page 13: ...service and technical support About FortiGate Antivirus Firewalls The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include application level services such as virus protection and content filtering network level services such as firewall intrusion detection VPN and traffic shaping The FortiGate Antivirus Firewall uses For...

Page 14: ...the user s consent or knowledge Grayware programs are generally considered an annoyance but these programs can cause system performance problems or be used for malicious means If the FortiGate unit contains a hard disk infected or blocked files and grayware files can be quarantined The FortiGate administrator can download quarantined files so that they can be virus scanned cleaned and forwarded to...

Page 15: ... IP address email address mime headers and content Mail messages can be identified as spam or clear You can also add the names of known Real time Blackhole List RBL and Open Relay Database List ORDBL servers These services contain lists of known spam sources If an email message is found to be spam the FortiGate adds an email tag to the subject line of the email The recipient can use the mail clien...

Page 16: ...ach of its interfaces is associated with a different IP subnet and that it appears to other devices as a router This is how a firewall is normally deployed In NAT Route mode you can create NAT mode policies and Route mode policies NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network Route mode policies accept or deny c...

Page 17: ...ve firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network You can develop and manage interfaces VLAN subinterfaces zones firewall policies routing and VPN configuration for each virtual domain separately For these configuration settings each virtual domain is functionally similar to a single FortiGate unit This separat...

Page 18: ...can connect to an IPSec VPN tunnel VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network High availability Fortinet achieves high availability HA using redundant hardware and the FortiGate Clustering Protocol FGCP Each FortiGate unit in...

Page 19: ...d manage the FortiGate unit The web based manager supports multiple languages You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface You can use the web based manager to configure most FortiGate settings You can also use the web based manager to monitor the status of the FortiGate unit Configuration changes made using the web based manager are effective...

Page 20: ...ls can also save logs to an optional internal hard drive If a hard drive is not installed you can configure most FortiGate units to log the most recent events and attacks detected by the IPS to the system memory Document conventions This guide uses the following conventions to describe CLI command syntax Angle brackets to indicate variables For example execute restore config filename_str You enter...

Page 21: ...you can enter show system interface To show the settings for the internal interface you can enter show system interface internal A space to separate options that can be entered in any combination and must be separated by spaces For example set allowaccess ping https ssh snmp http telnet You can enter any of the following set allowaccess ping set allowaccess ping https ssh set allowaccess https pin...

Page 22: ...he web based manager as you work FortiGate CLI Reference Guide Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands FortiGate Log Message Reference Guide Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units FortiGate High Availability Guide Contains in depth information about...

Page 23: ...to set up a VPN connection from your computer to remote networks scan your computer for viruses and restrict access to your computer and applications by setting up firewall policies FortiClient Host Security online help Provides information and procedures for using and configuring the FortiClient software FortiMail documentation FortiMail Administration Guide Describes how to install configure and...

Page 24: ...roducts and service contracts from http support fortinet com and change your registration information at any time Technical support is available through email from any of the following addresses Choose the email address for your region For information about our priority support hotline live support see http support fortinet com When requesting technical support please provide the following informa...

Page 25: ...ion log This chapter includes Console access Status Session list Changing the FortiGate firmware Console access An alternative to the web based manager discussed in this manual is text based Console Access using the FortiGate command line interface CLI You can get console access by selecting Console Access button in the upper right corner of the web based manager The management computer must have ...

Page 26: ...mation for all members of the cluster go to System Config HA and select Cluster Members For more information see HA configuration on page 87 FortiGate administrators whose access profiles contain system configuration write privileges can change or update FortiGate unit information For information on access profiles see Access profiles on page 113 Viewing system status Changing unit information Vie...

Page 27: ...isk Displays hard disk capacity and free space if the FortiGate unit contains a hard disk or Not Available if no hard disk is installed The FortiGate unit uses the hard disk to store log messages and quarantine files infected with a virus or blocked by antivirus file blocking Notification Contains reminders such as Change Password or Product Registration Select the reminder to see the detailed rem...

Page 28: ...tatus The web based manager displays CPU usage for core processes only CPU usage for management processes for example for HTTPS connections to the web based manager is excluded Memory Usage The current memory status The web based manager displays memory usage for core processes only Memory usage for management processes for example for HTTPS connections to the web based manager is excluded Hard Di...

Page 29: ...pdate the attack definitions manually To change to Transparent mode To change to NAT Route mode CPU Usage History CPU usage for the previous minute Memory Usage History Memory usage for the previous minute Session History Session history for the previous minute Network Utilization History Network utilization for the previous minute Virus History The virus detection history over the last 20 hours I...

Page 30: ... Status Status 3 In the Antivirus Definitions field of the Unit Information section select Update 4 In the Update File field type the path and filename for the antivirus definitions update file or select Browse and locate the antivirus definitions update file 5 Select OK to copy the antivirus definitions update file to the FortiGate unit The FortiGate unit updates the antivirus definitions This ta...

Page 31: ... The FortiGate unit changes operation mode 5 To reconnect to the web based manager connect to the interface configured for Transparent mode management access and browse to https followed by the Transparent mode management IP address By default in Transparent mode you can connect to the internal interface The default Transparent mode management IP address is 10 10 10 1 To change to NAT Route mode A...

Page 32: ...ering From Port Set source port for list filtering To IP Set destination IP address for list filtering To Port Set destination port for list filtering Apply Filter Select to filter session list Virtual Domain Select a virtual domain to list the sessions being processed by that virtual domain Select All to view sessions being processed by all virtual domains Total Number of Sessions Total number of...

Page 33: ...a previous firmware version This procedure reverts the FortiGate unit to its factory default configuration Installing firmware images from a system reboot using the CLI Use this procedure to install a new firmware version or revert to a previous firmware version To use this procedure you must connect to the CLI using the FortiGate console port and a null modem cable This procedure reverts the Fort...

Page 34: ...rver that the FortiGate unit can connect to 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log into the CLI 4 Make sure the FortiGate unit can connect to the TFTP server You can use the following command to ping the computer running the TFTP server For example if the IP address of the TFTP server is 192 168 1 168 execute pi...

Page 35: ... update antivirus and attack definitions or from the CLI enter execute update_now Reverting to a previous firmware version Use the following procedures to revert your FortiGate unit to a previous firmware version Reverting to a previous firmware version using the web based manager The following procedures revert the FortiGate unit to its factory default configuration and deletes IPS custom signatu...

Page 36: ... 10 Update antivirus and attack definitions For information about antivirus and attack definitions see To update antivirus and attack definitions on page 123 Reverting to a previous firmware version using the CLI This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures web content lists email filtering lists and changes to replacement message...

Page 37: ...te restore image FGT_300 v280 build158 FORTINET out 192 168 1 168 The FortiGate unit responds with the message This operation will replace the current firmware version Do you want to continue y n 6 Type y The FortiGate unit uploads the firmware image file After the file uploads a message similar to the following is displayed Get image from tftp server OK Check image OK This operation will downgrad...

Page 38: ... up and Restoring on page 118 Back up the IPS custom signatures For information see Backing up and restoring custom signature files on page 285 Back up web content and email filtering lists For information see Web filter on page 311 and Spam filter on page 325 If you are reverting to a previous FortiOS version for example reverting from FortiOS v2 80 to FortiOS v2 50 you might not be able to resto...

Page 39: ...s Any Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to display configuration menu Immediately press any key to interrupt the system startup If you successfully interrupt the startup process one of the following messages appears FortiGate unit running v2 x BIOS Enter TFTP Server Address 192 168 1 168 Go to step 9 FortiGate unit running v3 x BIOS G Get firmware image from...

Page 40: ...arts The installation might take a few minutes to complete Restoring the previous configuration Change the internal interface address if required You can do this from the CLI using the command config system interface edit internal set ip address_ipv4mask set allowaccess ping https ssh telnet http end After changing the interface address you can access the FortiGate unit from the web based manager ...

Page 41: ...bnet as the internal interface To test a new firmware image 1 Connect to the CLI using a null modem cable and FortiGate console port 2 Make sure the TFTP server is running 3 Copy the new firmware image file to the root directory of the TFTP server 4 Make sure that the internal interface is connected to the same network as the TFTP server You can use the following command to ping the computer runni...

Page 42: ...ver The IP address must be on the same network as the TFTP server but make sure you do not use the IP address of another device on this network The following message appears Enter File Name image out 11 Enter the firmware image file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear FortiGate unit running v2 x BIO...

Page 43: ...System status Changing the FortiGate firmware FortiGate 60M Administration Guide 01 28007 0144 20041217 43 ...

Page 44: ...44 01 28007 0144 20041217 Fortinet Inc Changing the FortiGate firmware System status ...

Page 45: ... network configuration Interface Zone Management DNS Routing table Transparent Mode Configuring the modem interface VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiGate IPv6 support Interface In NAT Route mode go to System Network Interface to configure FortiGate interfaces and to add and configure VLAN subinterfaces For information about VLANs in NAT Route mode see VLANs in N...

Page 46: ...0 The modem interface is available if a modem is connected to the USB port see Configuring the modem interface on page 61 If you have added VLAN subinterfaces they also appear in the name list below the physical interface that they have been added to See VLAN overview on page 65 IP The current IP address of the interface Netmask The netmask of the interface Access The administrative access configu...

Page 47: ... dynamic DNS services To add a secondary IP address To add a ping server to an interface To control administrative access to an interface To change the MTU size of the packets leaving an interface To configure traffic logging for connections to an interface Name The name of the Interface Interface Select the name of the physical interface to add the VLAN subinterface to All VLAN subinterfaces must...

Page 48: ...u can enter both an IP address and a netmask in the same field you can use the short form of the netmask For example 192 168 1 100 255 255 255 0 can also be entered as 192 168 1 100 24 Distance Enter the administrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the relative priority of a route when there are multiple ...

Page 49: ...them Otherwise this IP address can be the same as the IP address of another interface or can be any IP address Initial Disc Timeout Initial discovery timeout The time to wait before retrying to start a PPPoE discovery Set Initial Disc to 0 to disable Initial PADT timeout Initial PPPoE Active Discovery Terminate PADT timeout in seconds Use this timeout to shut down the PPPoE session if it is idle f...

Page 50: ...ptions Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server Disable this option if you are configuring the interface offline Status Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information Select Status to refresh the addressing mode status message initializing No activity conne...

Page 51: ...nfigure logging locations and types For information about logging see Log Report on page 341 Configuring interfaces Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces You cannot use the following procedures for the modem interface To bring down an interface that is administratively up To add interfaces to a zone To add an interface to a virtual domain To change t...

Page 52: ... a zone on page 57 You cannot add an interface to a zone if you have added firewall policies for the interface Delete firewall policies for the interface and then add the interface to the zone 1 Go to System Network Zone 2 Choose the zone to add the interface or VLAN subinterface to and select Edit 3 Select the names of the interfaces or VLAN subinterfaces to add to the zone 4 Select OK to save th...

Page 53: ...rom the DHCP server 5 Select the Connect to Server check box if you want the FortiGate unit to connect to the DHCP server 6 Select Apply The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address netmask and optionally the default gateway IP address and DNS server IP addresses 7 Select Status to refresh the addressing mode status message 8 Select OK To configur...

Page 54: ...ands config system interface edit intf_str config secondaryip edit 0 set ip second_ip netmask_ip Optionally you can also configure management access and add a ping server to the secondary IP address set allowaccess ping https ssh snmp http telnet set gwdetect enable Save the changes end To configure support for dynamic DNS services 1 Go to System Network Interface 2 Select the interface to the Int...

Page 55: ...om the Internet Use secure administrative user passwords Change these passwords regularly Enable secure administrative access to this interface using only HTTPS or SSH Do not change the system idle timeout from the default value of 5 minutes see To set the system idle timeout on page 85 To configure administrative access in Transparent mode see To configure the management interface on page 58 1 Go...

Page 56: ...omains to your FortiGate configuration make sure you are configuring the correct virtual domain before adding or editing zones Figure 8 Zone list Zone settings Figure 9 Zone options Create New Select Create New to create a zone Name The names of the zones that you have added Block intra zone traffic Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between in...

Page 57: ...m Network Zone 3 Select Delete to remove a zone from the list 4 Select OK to delete the zone To edit a zone 1 If you have added a virtual domain go to System Virtual Domain Current Virtual Domain and select the virtual domain in which to edit the zone 2 Go to System Network Zone 3 Select Edit to modify a zone 4 Select or deselect Block intra zone traffic 5 Select the names of the interfaces or VLA...

Page 58: ...ministrative access to this interface using only HTTPS or SSH Do not change the system idle timeout from the default value of 5 minutes see To set the system idle timeout on page 85 Figure 10 Management To configure the management interface 1 Go to System Network Management 2 Enter the Management IP Netmask 3 Enter the Default Gateway 4 Select the Management Virtual Domain 5 Select Apply The Forti...

Page 59: ... use the interface IP address as their DNS server DNS requests sent to the interface are forwarded to the DNS server addresses you configured or that the FortiGate unit obtained automatically Figure 11 DNS To add DNS server IP addresses 1 Go to System Network DNS 2 Change the primary and secondary DNS server IP addresses as required 3 Select Apply to save the changes Obtain DNS server address auto...

Page 60: ...ute number IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the next hop router to which this route directs traffic Distance The the relative preferability of this route 1 is most preferred Delete icon Select to remove a route View edit icon Select to view or edit a route Move To icon Select to change the order of a route in the list Destinatio...

Page 61: ... In standalone mode the modem interface is the connection from the FortiGate unit to the Internet When connecting to the ISP in either configuration the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP Configuring modem settings Connecting and disconnecting the modem Backup mode configuration Standalone mode configuration Adding firewall po...

Page 62: ...g Up to manually disconnect the modem Redial Limit The maximum number of times 1 10 that the FortiGate unit dials the ISP to restore an active connection on the modem interface The default redial limit is 1 Select None to allow the modem to never stop redialing Holddown Timer For backup configurations The time 1 60 seconds that the FortiGate unit waits before switching from the modem interface to ...

Page 63: ...em interface and switches back to the ethernet interface when the ethernet interface can again connect to its network For the FortiGate unit to be able to switch from an ethernet interface to the modem you must select the name of the interface in the modem configuration and configure a ping server for that interface You must also configure firewall policies for connections between the modem interf...

Page 64: ...t interface that the modem is replacing 3 Configure other modem settings as required See Configuring modem settings on page 61 Make sure there is correct information in one or more Dialup Accounts 4 Select Dial Up The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP 5 Configure firewall policies for connections to the modem interface See Adding f...

Page 65: ...main Devices in VLAN 1 can connect with other devices in VLAN 1 but cannot connect with devices in other VLANs The communication among devices on a VLAN is independent of the physical network A VLAN segregates devices by adding 802 1Q VLAN tags to all of the packets sent and received by the devices in the VLAN VLAN tags are 4 byte frame extensions that contain a VLAN identifier as well as other in...

Page 66: ...ng VLAN trunks between an IEEE 802 1Q compliant switch or router and the FortiGate unit Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch and the external interface connects to an upstream Internet router untagged The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface In this configuration yo...

Page 67: ... ID can be any number between 1 and 4096 Each VLAN subinterface must also be configured with its own IP address and netmask You add VLAN subinterfaces to the physical interface that receives VLAN tagged packets To add a VLAN subinterface in NAT Route mode 1 Go to System Network Interface 2 Select Create New to add a VLAN subinterface 3 Enter a Name to identify the VLAN subinterface 4 Select the ph...

Page 68: ...LAN packets See Address on page 200 3 Go to Firewall Policy 4 Add firewall policies as required VLANs in Transparent mode In Transparent mode the FortiGate unit can apply firewall policies and services such as authentication protection profiles and other firewall features to traffic on an IEEE 802 1 VLAN trunk You can insert the FortiGate unit operating in Transparent mode into the trunk without m...

Page 69: ...ion interface to the packet based on its destination MAC address The firewall policies for this source and destination VLAN subinterface pair are applied to the packet If the packet is accepted by the firewall the FortiGate unit forwards the packet to the destination VLAN subinterface The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk Figu...

Page 70: ...faces Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains By default the FortiGate configuration includes one virtual domain named root and you can add as many VLAN subinterfaces as you require to this virtual domain You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains For information o...

Page 71: ...face Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual domain Name The name of the interface or VLAN subinterface Access The administrative access configuration for the interface See To control administrative access to an interface on page 55 for information about administrative access options Status The administrative status for the interface If the admin...

Page 72: ... using a Dynamic DNS service DDNS If the FortiGate unit uses a dynamic IP address you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes 8 Configure the administrative access MTU and log settings as you would for any FortiGate interface See Interface settings on page 46 for more descriptions of these setti...

Page 73: ...atic routing periodic router advertisements and tunneling of IPv6 addressed traffic over an IPv4 addressed network All of these features must be configured through the Command Line Interface CLI See the FortiGate CLI Reference Guide for information on the following commands Table 2 IPv6 CLI commands Feature CLI Command Interface configuration including periodic router advertisements config system ...

Page 74: ...74 01 28007 0144 20041217 Fortinet Inc FortiGate IPv6 support System network ...

Page 75: ... MAC binding Dynamic IP Service Go to System DHCP Service to configure the DHCP service provided by each FortiGate interface You can configure each interface to be a DHCP relay or a DHCP server or you can turn off DHCP services Figure 21 DHCP service list Note To configure DHCP server or DHCP relay functionality on an interface the FortiGate unit must be in NAT Route mode and the interface must ha...

Page 76: ...2 Select Edit for the interface that you want to be a DHCP relay agent 3 Select DHCP Relay Agent 4 Set type to Regular 5 Enter the DHCP Server IP address 6 Select OK Interface The name of the interface None No DHCP services provided by the interface DHCP Relay Agent Select to configure the interface to be a DHCP relay agent Type Select the type of DHCP relay agent Regular Configure the interface t...

Page 77: ...e To configure a DHCP server for an interface on page 78 Server You can configure one or more DHCP servers for any FortiGate interface As a DHCP server the interface dynamically assigns IP addresses to hosts on a network connected to the interface You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks For more information see To configu...

Page 78: ...nding IP for the range of IP addresses that this DHCP server assigns to DHCP clients Network Mask Enter the netmask that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for an unlimited lease time or enter the interval in days hours and minutes after which a DHCP client must ask the DHCP server for new settings The lease time can range from 5 minutes to 100 days DNS Server Ente...

Page 79: ...nected subnets sends a DHCP request it is relayed to the FortiGate interface by the router using DHCP relay The FortiGate unit selects the DHCP server configuration with an IP range that matches the subnet address from which the DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request The DHCP configuration packets are sent back t...

Page 80: ... the device When you add the MAC address and an IP address to the IP MAC binding list the DHCP server always assigns this IP address to the MAC address IP MAC binding pairs apply to all FortiGate DHCP servers Figure 27 IP MAC binding list Starting IP Enter the starting IP of an exclude range Ending IP Enter the ending IP of an exclude range Create New Select Create New to add a DHCP IP MAC binding...

Page 81: ...dresses and the expiry time and date for these addresses To view the dynamic IP list 1 Go to System DHCP Dynamic IP 2 Select the interface for which you want to view the list Name Enter a name for the IP MAC address pair IP Address Enter the IP address for the IP and MAC address pair The IP address must be within the configured IP range MAC Address Enter the MAC address of the device Interface Sel...

Page 82: ...82 01 28007 0144 20041217 Fortinet Inc Dynamic IP System DHCP ...

Page 83: ... set the FortiGate system time For effective scheduling and logging the FortiGate system time must be accurate You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol NTP server Figure 29 System time System Time The current FortiGate system date and time Refresh Select ...

Page 84: ...tions Timeout settings including the idle timeout and authentication timeout The language displayed by the web based manager Dead gateway detection interval and failover detection Automatically adjust clock for daylight saving changes Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone c...

Page 85: ...tes 8 hours To improve security keep the idle timeout at the default value of 5 minutes Auth Timeout Set the firewall user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum authtimeout is 480 minutes 8 hours The default Auth Timeout is 15 minutes For more information see Setting authentication timeout on page 236 ...

Page 86: ...tion synchronize the cluster routing table and report individual cluster member status The units in the cluster are constantly communicating HA status information to make sure that the cluster is operating properly This communication is called the HA heartbeat FortiGate HA supports link failover device failover and HA heartbeat failover FortiGate units can be configured to operate in active passiv...

Page 87: ...units in the HA cluster By default the FortiGate unit load balances virus scanning among all of the FortiGate units in the cluster Using the CLI you can configure the FortiGate unit to load balance all network traffic among the FortiGate units in the cluster See the FortiGate CLI Reference Guide for more information For more information about FortiGate HA and the FGCP see the FortiGate High Availa...

Page 88: ... clusters on the same network have the same group ID the duplicate MAC addresses cause addressing conflicts on the network Unit Priority Optionally set the unit priority of the cluster unit Each cluster unit can have a different unit priority the unit priority is not synchronized among cluster members During HA negotiation the unit with the highest unit priority becomes the primary cluster unit Th...

Page 89: ... for the cluster unit that you have given the highest unit priority Enabling Override Master means that this cluster unit always becomes the primary cluster unit In a typical FortiGate cluster configuration the primary unit is selected automatically In some situations you might want to control which unit becomes the primary unit You can configure a FortiGate unit as the permanent primary unit by s...

Page 90: ...faces are connected to load balancing switches Hub Load balancing if the cluster interfaces are connected to a hub Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet Least Connection Least connection load balancing If the cluster units are connected using switches select Least Connection to distribute network traffic to the cluster unit currently proces...

Page 91: ... mode the cluster assigns virtual IP addresses to the heartbeat device interfaces The primary cluster unit heartbeat device interface is assigned the IP address 10 0 0 1 and the subordinate unit is assigned the IP address 10 0 0 2 A third cluster unit would be assigned the IP address 10 0 0 3 and so on For best results isolate each heartbeat device on its own network Heartbeat packets contain sens...

Page 92: ...f the other units in the cluster becomes the new primary unit to provide better service to the high priority network If a low priority interface fails on one cluster unit and a high priority interface fails on another cluster unit a unit in the cluster with a working connection to the high priority interface would if it becomes necessary to negotiate a new primary unit be selected instead of a uni...

Page 93: ...ster When you select apply you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates 13 If you are configuring a NAT Route mode cluster power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster Once all of the units are configured continue with To connect a FortiGate HA cluster on page 94 14 If you are configuring a Tran...

Page 94: ...re that the cluster is operating properly This cluster communication is also called the cluster heartbeat Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster Also starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are funct...

Page 95: ...nfiguration as the other units in the cluster 2 If the cluster is running in Transparent mode change the operating mode of the new FortiGate unit to Transparent mode 3 Connect the new FortiGate unit to the cluster 4 Power on the new FortiGate unit When the unit starts it negotiates to join the cluster After it joins the cluster the cluster synchronizes the new unit configuration with the configura...

Page 96: ...ate unit priority 1 weight 3 The next three connections are processed by the second subordinate unit priority 2 weight 3 The subordinate units process more connections than the primary unit and both subordinate units on average process the same number of connections Managing an HA cluster The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units c...

Page 97: ... the cluster and log into the web based manager 2 Go to System Config HA 3 Select Cluster Members A list of cluster members appears The list includes the cluster ID of each cluster member as well as status information for each cluster member Figure 33 Example cluster members list active active cluster Refresh every Select to control how often the web based manager updates the system status display...

Page 98: ...ntains fewer FortiGate units The failed primary unit no longer appears on the Cluster Members list The host name and serial number of the primary cluster unit changes The new primary unit logs the following messages to the event log HA slave became master Detected HA member dead CPU Usage The current CPU status of each cluster unit The web based manager displays CPU usage for core processes only C...

Page 99: ...cluster Each cluster unit is numbered starting at 1 The information displayed for each cluster unit includes the unit serial number and the host name of the unit 3 Complete the command with the number of the subordinate unit to log into For example to log into subordinate unit 1 enter the following command execute ha manage 1 Press Enter to connect to and log into the CLI of the selected subordina...

Page 100: ... system location description can be up to 35 characters long Contact Enter the contact information for the person responsible for this FortiGate unit The contact information can be up to 35 characters long Apply Save changes made to the description location and contact information Create New Select Create New to add a new SNMP community Communities The list of SNMP communities added to the FortiGa...

Page 101: ...o three SNMP communities Each community can have a different configuration for SNMP queries and traps Each community can be configured to monitor the FortiGate unit for a different set of events You can also add the IP addresses of up to 8 SNMP managers to each community Figure 35 SNMP community options part 1 Figure 36 SNMP community options part 2 Community Name Enter a name to identify the SNMP...

Page 102: ...dd one or more SNMP communities IP Address The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiGate unit You can also set the IP address to 0 0 0 0 to so that any SNMP manager can use this SNMP community Interface Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit You only have to select the in...

Page 103: ...y compiled into your SNMP manager you do not have to compile them again Table 6 FortiGate MIBs MIB file name or RFC Description fortinet 2 80 mib The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGate configuration settings For more information about FortiGate MIB fields see FortiGate MIBs o...

Page 104: ...trap message includes the name of the interface and the serial number of the FortiGate unit HA state HA state changes The trap message includes the previous state the new state and a flag indicating whether the unit is the master HA switch The primary unit in an HA cluster fails and is replaced with a new primary unit Memory low SysMemLow Memory usage exceeds 90 The interface_name Interface IP is ...

Page 105: ...ynFlood NIDS attack prevention detects and provides protection from a syn flood attack Port scan attack IdsPortScan NIDS attack prevention detects and provides protection from a port scan attack Table 11 FortiGate antivirus traps Trap message Description Virus detected AvVirus The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message Tab...

Page 106: ... priority of the individual FortiGate unit in a cluster override The master override setting enable or disable for an individual FortiGate unit in a cluster autoSync Auto config synchronization flag schedule Load balancing schedule for A A mode stats Statistics for all of the units in the HA cluster index The index number of the FortiGate unit serial The FortiGate unit serial number cpuUsage The c...

Page 107: ...er Can be password LDAP or RADIUS state Whether the local user is enabled or disable Table 18 Virtual domains MIB field Description index The index number virtual domain added to the FortiGate unit name The name of the virtual domain added to the FortiGate unit Each FortiGate unit includes at least one virtual domain named root auth The authentication type of for the local user Can be password LDA...

Page 108: ...Figure 37 Replacement messages list To change a replacement message 1 Go to System Config Replacement Messages 2 Select the category of replacement message to edit by clicking on the blue triangle for that category 3 For the replacement message that you want to change select Edit 4 Edit the content of the message Name The type of replacement message You can change messages added to email web pages...

Page 109: ... a file that contained a virus or was blocked by antivirus file blocking QUARFILENAME can be used in virus and file block messages Quarantining is only available on FortiGate units with a local disk URL The URL of a web page This can be a web page that is blocked by web filter content or URL blocking URL can also be used in http virus and file block messages to be the URL of the web page from whic...

Page 110: ...ile was removed EMAIL_TO The email address of the intended receiver of the message from which the file was removed NIDSEVENT The IPS attack message NIDSEVENT is added to alert email intrusion messages SERVICE The name of the web filtering service CATEGORY The name of the content category of the web site FORTINET The Fortinet logo Table 20 Replacement message tags Continued Tag Description Enable F...

Page 111: ...w read only write only or both read and write access to the following FortiGate features This chapter describes Administrators Access profiles Administrators Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels System Configuration Can access the system status interface virtual domain HA routin...

Page 112: ...ge Password icon The admin administrator account cannot be deleted Administrator Enter the login name for the administrator account Password Type a password for the administrator account For improved security the password should be at least 6 characters long Confirm Password Type the password for the administrator account a second time to confirm that you have typed it correctly Trusted Host 1 Tru...

Page 113: ...or must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255 255 255 255 When you set trusted hosts for all administrators the FortiGate unit does not respond to administrative access attempts from any other hosts This provides the highest security If you leave even ...

Page 114: ...under Access Control Allow Write All Select Allow Write All to give an administrator write privilege on all the items under Access Control System Configuration Allow or deny access to the system status interface virtual domain HA routing option SNMP time and replacement message features Log Report Allow or deny access to the log setting log access and alert email features Security Policy Allow or ...

Page 115: ...41217 115 To configure an access profile 1 Go to System Admin Access Profile 2 Select Create New to add an access profile or select the edit icon to edit an existing access profile 3 Enter a name for the access profile 4 Select or clear the Access Control check boxes as required 5 Select OK ...

Page 116: ...116 01 28007 0144 20041217 Fortinet Inc Access profiles System administration ...

Page 117: ... spam filtering files to the management computer You can also restore system configuration VPN certificate web and spam filtering files from previously downloaded backup files Figure 45 Backup and restore list Category The list of files that can be backed up and restored Latest Backup The date and time of the last backup The Restore Upload Backup and Reset to factory default icons All Configuratio...

Page 118: ... system to its original configuration including resetting interface addresses This procedure does not change the firmware version or the antivirus or attack definitions Debug Log Download debug log Web Filtering Web Content Block Restore or back up the Web Content Block list Web URL Block List Restore or back up the Web URL Block list Web URL Exempt List Restore or back up the Web URL Exempt list ...

Page 119: ... or select Browse and locate the file 4 Select OK If you restore the system configuration the FortiGate unit restarts loading the new system settings You should then reconnect to the web based manager and review your configuration to confirm that the uploaded system settings have taken effect 5 Select Return This step does not apply if you restore the system configuration To back up VPN certificat...

Page 120: ...rt 9443 To receive push updates the FDN must be able to route packets to the FortiGate unit using UDP port 9443 For information about configuring push updates see To enable push updates on page 125 The FDN is a world wide network of FortiProtect Distribution Servers FDSs When the FortiGate unit connects to the FDN it connects to the nearest FDS To do this all FortiGate units are programmed with a ...

Page 121: ...registered the FortiGate unit see To register a FortiGate unit on page 130 if there is a NAT device installed between the FortiGate unit and the FDN see Enabling push updates through a NAT device on page 126 or if your FortiGate unit connects to the Internet using a proxy server see To enable scheduled updates through a proxy server on page 124 Refresh When you select Refresh the FortiGate unit te...

Page 122: ...an indicate that the FortiGate was not able to connect to the FDN and other error conditions Allow Push Update Select this check box to allow automatic updates of the FortiGate unit Use override push IP Select this check box and enter the override IP address and port number Override push IP addresses and ports are used when there is a NAT device between the FortiGate Unit and the FDN The FortiGate...

Page 123: ...e check box 3 Select one of the following to check for and download updates 4 Select Apply The FortiGate unit starts the next scheduled update according to the new update schedule Whenever the FortiGate unit runs a scheduled update the event is recorded in the FortiGate event log To add an override server If you cannot connect to the FDN or if your organization provides antivirus and attack update...

Page 124: ...em autoupdate tunneling set address proxy address_ip set port proxy port set username username_str set password password_str set status enable end For example if the IP address of the proxy server is 67 35 50 34 its port is 8080 the user name is proxy_user and the password is proxy_pwd enter the following command config system autoupdate tunneling set address 67 35 50 34 set port 8080 set username...

Page 125: ...nded as the only method for obtaining updates The FortiGate unit might not receive the push notification Also when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates To enable push updates 1 Go to System Maintenance Update center 2 Select Allow Push Update 3 Select Apply Push updates when FortiGate IP addresses change The SETUP mess...

Page 126: ... FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiGate NAT device 2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP 3 Configure the FortiGate unit on the internal network with an override push IP and port To add...

Page 127: ...Select the Use override push check box 4 Set IP to the external IP address added to the virtual IP 5 Set Port to the external service port added to the virtual IP 6 Select Apply The FortiGate unit sends the override push IP address and port to the FDN The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network If the external IP address or external serv...

Page 128: ...egister the FortiGate unit with FortiNet Contact Information Enter the contact information so that FortiNet support can reply to your bug report Items marked with an are required Bug Description Enter a description of the problem you have encountered with the FortiGate unit Send diagnostic information Send diagnostic information about the FortiGate unit including its current configuration to Forti...

Page 129: ... organization purchased You can register multiple FortiGate units in a single session without re entering your contact information Once registration is completed Fortinet sends a Support Login user name and password to your email address You can use this user name and password to log on to the Fortinet support web site to View your list of registered FortiGate units Register additional FortiGate u...

Page 130: ...d the FortiCare Support Contract number to the registration information You can also register the FortiGate unit without purchasing a FortiCare Support Contract In that case when you purchase a FortiCare Support Contract you can update the registration information to add the support contract number A single FortiCare Support Contract can cover multiple FortiGate units You must enter the same servi...

Page 131: ...eturn to the previous page to enter the number If you do not have a FortiCare Support Contract you can select Continue to complete the registration If you have entered a support contract number a real time validation is performed to verify that the SCN information matches the FortiGate unit If the information does not match you can try entering it again A web page is displayed that contains detail...

Page 132: ...e to reset system settings to the values set at the factory This procedure does not change the firmware version or the antivirus or attack definitions 1 Go to System Maintenance Shutdown 2 Select Reset to factory default 3 Select Apply The FortiGate unit restarts with the configuration that it had when it was first powered on 4 Reconnect to the web based manager and review the system configuration...

Page 133: ...nections between VLAN subinterfaces or zones in the virtual domain Packets never cross the virtual domain border The remainder of FortiGate functionality is shared between virtual domains This means that there is one IPS configuration one antivirus configuration one web filter configuration one protection profile configuration and so on shared by all virtual domains As well virtual domains share f...

Page 134: ...gs Physical interfaces see To add physical interfaces to a virtual domain on page 138 VLAN subinterfaces see To add VLAN subinterfaces to a virtual domain on page 139 Zones see To add zones to a virtual domain on page 139 Management IP Transparent mode see To select a management virtual domain and add a management IP on page 138 Routing configuration Router configuration in NAT Route mode see To c...

Page 135: ...virus Definitions and engine Attack Definitions and engine Serial Number Operation Mode Network configuration DNS settings DHCP configuration DHCP settings are applied per interface no matter which virtual domain the interface has been added to System Config Time Options HA SNMP v1 v2c Replacement messages FortiManager configuration System Admin Administrators Access profiles System Maintenance Up...

Page 136: ...al domain if you want these systems to communicate with network resources that can connect to a different virtual domain Virtual domains Go to System Virtual domain Virtual domains to view and add virtual domains Figure 50 Virtual domain list Create New Add a new virtual domain Current The name of the current virtual domain Select Change to choose a different domain The default virtual domain is r...

Page 137: ...in Name The virtual domain must not have the same name as a VLAN or zone 4 Select OK Selecting a virtual domain The following procedure applies to NAT Route and Transparent mode To select a virtual domain to configure 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain to configure 4 Select OK The foote...

Page 138: ...domains Adding interfaces VLAN subinterfaces and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtual domain Adding interfaces VLAN subinterfaces and zones to a virtual domain To add physical interfaces to a virtual domain A virtual domain must contain at least two interfaces These can be physical ...

Page 139: ...interface from one virtual domain to another You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it Delete the firewall policies or remove the VLAN subinterface from the firewall policies first If the VLAN subinterface has been added to a zone it is removed from the zone when you move it to a different virtual domain 1 Go to System Network Interface...

Page 140: ...rtual domain To configure the routing table for a virtual domain in Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain for which to configure routing 4 Select OK 5 Go to System Network Routing Table 6 Configure the routing table for the current virtual domain as required See Routing ta...

Page 141: ...ble 3 Choose the virtual domain for which to configure firewall addresses 4 Select OK 5 Go to Firewall Address 6 Add new firewall addresses address ranges and address groups to the current virtual domain See Address on page 200 To add IP pools to a virtual domain The following procedure applies to NAT Route mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current vi...

Page 142: ...irtual domain The following procedure applies to NAT Route and Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain for which to configure VPN 4 Select OK 5 Go to VPN 6 Configure IPSec VPN PPTP L2TP and certificates as required See VPN on page 247 ...

Page 143: ...ed You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network Routes having lower administrative distances are preferable and are selected first when two or more routes to the same destination network are available The FortiGate unit routes packets using a best ma...

Page 144: ...68 10 1 Device Name of the interface connected to network 192 168 10 0 24 e g external Distance 10 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface The interface behind the router 192 168 10 1 is the default gateway for FortiGate_1 In some cases there may be routers behind the FortiGate unit If the destination IP address of a packet ...

Page 145: ...stination IP mask 192 168 30 0 24 Gateway 192 168 10 2 Device dmz Distance 10 To route packets from Network_2 to Network_1 Router_2 must be configured to use the FortiGate dmz interface as its default gateway On the FortiGate unit you would create a new static route with these settings Destination IP mask 192 168 20 0 24 Gateway 192 168 10 1 Device internal Distance 10 Static route list Figure 53 ...

Page 146: ...uence number for this route IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the first next hop router to which this route directs traffic Device The name of the FortiGate interface through which to route traffic Distance The administrative distance for the route The Delete Edit and Move to icons Destination IP Mask Enter the destination IP add...

Page 147: ...g list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic If no policy route matches the packet the FortiGate unit routes the packet using the regular routing table Policy route list Figure 56 Policy routes Create New Add a new policy route The sequence number for this policy route Incoming The ...

Page 148: ...RIP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authentication and subnet masks Protocol Match packets that have this protocol number Incoming Interface Match packets that are received on this interface Source Address Mask Match packets that have this source IP address...

Page 149: ... servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a route expires before RIP deletes the route If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable Timeo...

Page 150: ...used for the redistributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in that network will not be advertised in RIP updates Figure 59 RIP Networks list Route map Enter the name of the route map to use for the redistributed connected routes For information on how to configure ...

Page 151: ...n 2 authentication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by an interface Set authentication to None if Send Version or Receive Version are set to 1 or 1 2 Figure 61 RIP interface list Create New Add a new RIP interface Interface The FortiGate interface name Send Ve...

Page 152: ... the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regular to prevent RIP from sending updates for a route back out the interface from which it received that route Select Poisoned reverse to send updates with routes learned on an interface back out the same inter...

Page 153: ... list If you do not specify an interface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute list to use before you configure the distribute list For more information on configuring access lists and prefix lists see Access list on page 156 and Prefix list on page 157 Figure 63 RIP Distribute list ...

Page 154: ...ribute list Direction The direction for the filter Filter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribute list is used for all interfaces Enable The status of this distribute list The Delete and Edit icons Direction Set the direction for the filter Select In to filter incoming packets Select Out to filter outgoi...

Page 155: ...virtual domain go to System Virtual Domain Virtual Domains and select the virtual domain Create New Add a new offset list Direction The direction for the offset list Access list The access list to use for this offset list Offset The offset number to add to the metric for this offset list Interface The interface to match for this offset list Enable The status of this offset list The Delete and Edit...

Page 156: ...ix exactly or to match the prefix and any more specific prefix The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for the prefix it takes the action specified for that prefix If no match is found the default action is deny For an access list to take effect it must be called by another FortiGate routing feature such ...

Page 157: ...ed Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK Prefix list A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask Each rule in a prefix list consists of a prefix IP address and netmask the action to take for this prefix permit or de...

Page 158: ...ture such as RIP or OSPF Figure 70 Prefix list New Prefix list Figure 71 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a name for the prefix list 4 Select OK Create New Add a new prefix list name An access list and a prefix list cannot have the same name Name The prefix list name Action The action to take for the pref...

Page 159: ... Select OK Route map list Route maps are a specialized form of filter Route maps are similar to access lists but have enhanced matching criteria and in addition to permit or deny actions can be configured to make changes as defined by set statements list Entry The prefix list name and the number of this entry Action Set the action to take for this prefix to Permit or Deny Prefix Select Match any t...

Page 160: ...tiple match statements are defined in a rule all the match statements must match before the set statements can be used For a route map to take effect it must be called by another FortiGate routing feature such as RIP Figure 73 Route map list New Route map Figure 74 Route map name configuration To add a route map name 1 Go to Router Router Objects Route map 2 Select Create New 3 Enter a name for th...

Page 161: ... to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the selected access list or prefix list Next hop Match a route that has a next hop router address included in the selected access list or prefix list Metric Match a route with the specified metric The metri...

Page 162: ...ates from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times See System time on page 83 for information on setting the FortiGate system date and time Figure 76 Key...

Page 163: ...e required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key password can be up to 35 characters long Accept Lifetime Set the time period during which the key can be received Send Lifetime Set the time period during which the key can be sent Start For both accept and s...

Page 164: ...te routing table Routing monitor list Figure 79 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to display routes of all types For example select Connected to display all the directly connected routes or select RIP to display all the routes learned from RIP Type FIlter the display to show routes of the s...

Page 165: ...face get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure Type Network and Gateway filters individually or in any combination router info ospf command keywords and variables Keywords and variables Description Availability border routers Show OSPF routing table entries that have an Area Border Router ABR or Auto...

Page 166: ...uter connected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state advertisements LSAs More information on OSPF can be found in RFC 2328 Command syntax pattern config router ospf set keyword variable end config router ospf unset keyword end get router ospf show router ospf ...

Page 167: ...before entering the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models database overflow time to recover seconds_integer Enter the time in seconds after which the FortiGate unit will attempt to leave the overflow state If seconds_integer is set to 0 the FortiGate unit w...

Page 168: ...y supports RFC 1583 When RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disable All models router id address_ipv4 Set the router ID The router ID is a unique number in IP address dotted decimal format that is used to identify an OSPF router to other OSPF routers The router ID should...

Page 169: ...ust be a backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state databases for their own areas config area command syntax pattern config area edit id_ipv4 set keyword variable end config area edit id_ipv4 unset keyword variable end config area delete id_ipv4 end co...

Page 170: ...on for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 182 none All models default cost cost_integer Enter the metric to use for the summary default route in a stub area or not so stubby area NSSA A lower default cost indicates a more preferred route The valid range for cost_integer is 1 ...

Page 171: ...SA You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA You can set the translator role to never to ensure this FortiGate unit never...

Page 172: ...ix list on page 157 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete id_integer end config filter list edit id_integer get end config filter list edit id_integer show end Note Both keywords are required filter list command keywords and variables Keywords and variables...

Page 173: ...le shows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config range Access the config range subcommand using the config area command Use the area range command to summarize routes at an area boundary If the network numbers in an area are contiguous the ABR advertises a summary route that includes all the networks within the area that are w...

Page 174: ... how to display the configuration for area 15 1 1 1 Note Only the prefix keyword is required All other keywords are optional range command keywords and variables Keywords and variables Description Default Availability advertise disable enable Enable or disable advertising the specified range enable All models prefix address_ipv4mask Specify the range of addresses to summarize No default All models...

Page 175: ... link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up between two area border routers ABRs config virtual link command syntax pattern config virtual link edit name_str set keyword variable end config virtual link edit name_str unset keyword end config virtual link delete name_str end con...

Page 176: ...t authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be set to text dead interval seconds_integer The time in seconds to wait for a hello packet before declaring a router down The value of the dead interval should be four times the value of the hello interva...

Page 177: ...fig router ospf command retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round trip delay for a packet The valid range for seconds_integer is 1 to 65535 5 All models transmit delay seconds_integer The estimated time in seconds required to send a link state update packet on thi...

Page 178: ...g distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Example This example shows how to configure a distribute list numbered 2 to use an access list named acc_list1 for all static routes Note Both keywords are required distribute list command keywords and variab...

Page 179: ...or distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually configure an OSPF neighbor on nonbroadcast networks OSPF packets are unicast to the specified neighbor address You can configure multiple neighbors config neighbor command syntax pattern config neighbo...

Page 180: ...other keywords are optional neighbor command keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range for cost_integer is 1 to 65535 10 All models ip address_ipv4 Enter the IP address of the neighbor 0 0 0 0 All models poll interval seconds_integer Enter the time in seconds between hello packets sent to...

Page 181: ...d_integer end config network edit id_integer get end config network edit id_integer show end Example Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10 0 0 0 and the netmask 255 255 255 0 and to add these interfaces to area 10 1 1 1 config router ospf config network edit 2 set area 10 1 1 1 set prefix 10 0 0 0 255 255 255 0 end end netwo...

Page 182: ...interface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edit interface name_str unset keyword end config ospf interface delete interface name_str end config ospf interface edit interface name_str get end config ospf interface edit interface name_str show end Note The interface name_str variable in the syntax pattern below repres...

Page 183: ...outer is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All routers on the network must use the same authentication type none All models authentication key password_str Enter the password to use for text authentication The authentication key must be the same on all neighboring routers The maximum length for the authentication ...

Page 184: ...y without unsetting all of the keys The key ID and key must be the same on all neighboring routers The valid range for id_integer is 1 to 255 key_str is an alphanumeric string of up to 16 characters No default All models authentication must be set to md5 mtu mtu_integer Change the Maximum Transmission Unit MTU size included in database description packets sent out this interface The valid range fo...

Page 185: ...riority router ID is used Point to point networks do not elect a DR or BDR therefore this setting has no effect on a point to point network The valid range for priority_integer is 0 to 255 1 All models retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round trip delay for a pac...

Page 186: ...ion key a2b3c4d5e end end This example shows how to display the settings for the OSPF interface configuration named test config router ospf config ospf interface edit test get end This example shows how to display the configuration for the OSPF interface configuration named test config router ospf config ospf interface edit test show end config redistribute Access the config redistribute subcomman...

Page 187: ...outer ospf config summary address Access the config summary address subcommand using the config router ospf command redistribute command keywords and variables Keywords and variables Description Default Availability metric metric_integer Enter the metric to be used for the redistributed routes The metric_integer range is from 1 to 16777214 10 All models metric type 1 2 Specify the external link ty...

Page 188: ...d get router ospf show router ospf Example This example shows how to summarize routes using the prefix 10 0 0 0 255 0 0 0 config router ospf config summary address edit 5 set prefix 10 0 0 0 255 0 0 0 end end This example shows how to display the OSPF settings get router ospf Note Only the prefix keyword is required All other keywords are optional summary address command keywords and variables Key...

Page 189: ...tination address of the packet If a match is not found the FortiGate unit routes the packet using the default route Command syntax pattern config router static6 edit sequence_integer set keyword variable end config router static6 edit sequence_integer unset keyword end config router static6 delete sequence_integer end get router static6 sequence_integer show router static6 sequence_integer static6...

Page 190: ... 60 set gateway 12AB 0 0 CD30 123 4567 89AB CDEF end This example shows how to display the list of IPV6 static route numbers get router static6 This example shows how to display the settings for IPV6 static route 2 get router static6 2 This example shows how to display the IPV6 static route configuration show router static6 This example shows how to display the configuration for IPV6 static route ...

Page 191: ...t Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic NAT when the firewall translates source addresses You can use policies to configure port address translation PAT through the FortiGate You can add protection profiles to firewall policies to apply d...

Page 192: ...port and time and date at which the connection attempt was received The first policy that matches is applied to the connection attempt If no policy matches the connection is dropped So as a general rule always order your firewall policies from most specific to most general The default policy accepts all connection attempts from the internal network to the Internet From the internal network users c...

Page 193: ...ress group to which the policy applies Address on page 200 Schedule The schedule that controls when the policy should be active See Schedule on page 213 Service The service to which the policy applies See Service on page 205 Action The response to make when the policy matches a connection attempt Enable Enable or disable the policy Enabling the policy makes it available for the firewall to match i...

Page 194: ...you must add it to the destination interface VLAN subinterface or zone For information about adding an address see Addresses on page x For NAT Route mode policies where the address on the destination network is hidden from the source network using NAT the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address See Virtual IP on page 216 ...

Page 195: ...If you select NAT you can also select Dynamic IP Pool and Fixed Port NAT is not available in Transparent mode Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address randomly selected from the IP pool An IP pool dropdown list appears when the policy destination interface is the same as the IP pool interface You cannot select Dynamic IP Pool if the destination interface...

Page 196: ...oups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet or FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password If you want users ...

Page 197: ...able routers sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiGate DiffServ feature to change the DSCP Differentiated Services Code Point value for all packets accepted by a policy The network uses these DSCP values to classify mark shape and police traffic and to perform intelligent queuing DSCP features are ...

Page 198: ...he results that you expect For information about arranging policies in a policy list see How policy matching works on page 192 To delete a policy 1 Go to Firewall Policy 2 Select the Delete icon beside the policy you want to delete 3 Select OK To edit a policy 1 Go to Firewall Policy 2 Select the Edit icon beside the policy you want to edit 3 Edit the policy as required 4 Select OK To change the p...

Page 199: ...le To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy command is used in encrypted VPN policies A natip address cannot be added using the web based manager You can configure complete firewall policies using from the CLI See the FortiGate CLI Reference Guide for descriptions of all firewall policy keywords Command syntax pat...

Page 200: ...ry_count retry_integer Define the number of times to retry establishing an HTTP connection when the connection fails 0 All models natip address_ipv4mask Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled Specify the IP address and subnet mask to translate the source address of outgoing packets Set natip for peer to peer VPNs to control outbound NAT IP ad...

Page 201: ...work Figure 85 Sample address list The address list has the following icons and features Address options Add an address representing an IP address and subnet mask or an IP address range Figure 86 Address options Address has the following options Create New Select Create New to add a firewall address Name The name of the firewall address Address The IP address and mask or IP address range of the fi...

Page 202: ...he netmask for a class B subnet should be 255 255 0 0 The netmask for a class C subnet should be 255 255 255 0 The netmask for all addresses should be 0 0 0 0 An IP Range address represents A range of IP addresses in a subnet for example 192 168 20 1 to 192 168 20 10 Configuring addresses To add an address 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identify the address 4 Enter ...

Page 203: ...d then configure them in an address group you can configure a single policy using all three addresses Figure 87 Sample address group list The address group list has the following icons and features Address group options Address group options are configurable when creating or editing an address group Note To change the address name you must delete the address and add it again with a new name To avo...

Page 204: ...f an address group is included in a policy it cannot be deleted unless it is first removed from the policy 1 Go to Firewall Address Group 2 Select the Delete icon beside the address group you want to delete 3 Select OK To edit an address group 1 Go to Firewall Address Group 2 Select the Edit icon beside the address group you want to modify Group Name Enter a name to identify the address group Addr...

Page 205: ...efined service list Custom service list Custom service options Configuring custom services Service group list Service group options Configuring service groups Predefined service list Figure 89 Predefined service list The predefined services list has the following icons and features Table 21 lists the FortiGate predefined firewall services You can add these services to any policy Note To change the...

Page 206: ...col tcp 179 DHCP Dynamic Host Configuration Protocol DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts udp 67 DNS Domain name service for translating domain names into IP addresses tcp 53 udp 53 FINGER A network service that provides information about users tcp 79 FTP FTP service for transferring files tcp 21 GOPHER Gopher communication service Gophe...

Page 207: ...2 ICMP_ANY Internet Control Message Protocol is a message control and error reporting protocol between a host and gateway Internet PING ICMP echo request reply for testing connections to other devices icmp 8 TIMESTAMP ICMP timestamp request messages icmp 13 INFO_REQUEST ICMP information request messages icmp 15 INFO_ADDRESS ICMP address mask request messages icmp 17 POP3 Post office protocol is an...

Page 208: ... TCP ports tcp 0 65535 TELNET Telnet service for connecting to a remote computer to run commands tcp 23 TFTP Trivial File Transfer Protocol is a simple file transfer protocol similar to FTP but with no security features udp 69 UDP All UDP ports udp 0 65535 UUCP Unix to Unix copy utility a simple file copying protocol udp 540 VDOLIVE For VDO Live streaming multimedia traffic tcp 7000 7010 WAIS Wide...

Page 209: ...ou are adding TCP or UDP TCP and UDP options are the same Source Port Specify the Source Port number range for the service by entering the low and high port numbers If the service uses one port number enter this number in both the low and high fields Destination Port Specify the Destination Port number range for the service by entering the low and high port numbers If the service uses one port num...

Page 210: ...ields 6 Select OK You can now add this custom service to a policy To add a custom ICMP service 1 Go to Firewall Service Custom 2 Select Create New 3 Enter a name for the new custom ICMP service 4 Select ICMP as the Protocol Type 5 Enter the ICMP type number and code number for the service 6 Select OK You can now add this custom service to a policy To add a custom IP service 1 Go to Firewall Servic...

Page 211: ...ups of services and then add one policy to allow or block access for all the services in the group A service group can contain predefined services and custom services in any combination You cannot add service groups to another service group Figure 94 Sample service group list The service group list has the following icons and features Service group options Service group options are configurable wh...

Page 212: ...rvice group If a service group is included in a policy it cannot be deleted unless it is first removed from the policy 1 Go to Firewall Service Group 2 Select the Delete icon beside the service group you want to delete 3 Select OK To edit a service group 1 Go to Firewall Service Group 2 Select the Edit icon beside the service group you want to modify 3 Make any required changes Group Name Enter a ...

Page 213: ...le list Recurring schedule options Configuring recurring schedules One time schedule list You can create a one time schedule that activates or deactivates a policy for a specified period of time For example your firewall might be configured with the default policy that allows access to all services on the Internet at all times You can add a one time schedule to block access to the Internet during ...

Page 214: ... clock 5 Set the Stop date and time for the schedule 6 Select OK To delete a one time schedule 1 Go to Firewall Schedule One time 2 Select the Delete icon beside the one time schedule you want to delete 3 Select OK To edit a one time schedule 1 Go to Firewall Schedule One time 2 Select the Edit icon beside the one time schedule you want to modify 3 Modify the schedule as required 4 Select OK to sa...

Page 215: ...the start time the schedule starts at the start time and finishes at the stop time on the next day You can use this technique to create recurring schedules that run from one day to the next You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time Create New Select Create New to add a recurring schedule Name The name of the recurring sched...

Page 216: ...IP addresses on a destination network that are hidden from the source network by NAT security policies To allow connections between these networks you must create a mapping between an address on the source network and the real address on the destination network This mapping is called a virtual IP For example if the computer hosting your web server is located on your DMZ network it could have a pri...

Page 217: ...twork Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets This technique is called port forwarding or port address translation PAT You can also use port forwarding to change the destination port of the forwarded packets Dynamic port forwarding Similar to port forwarding dynamic...

Page 218: ...erface Select the virtual IP external interface from the list Type Select Static NAT or Port Forwarding External IP Address Enter the external IP address that you want to map to an address on the destination network To configure dynamic port forwarding set the external IP address to 0 0 0 0 External Service Port Enter the external service port number that you want to configure port forwarding for ...

Page 219: ...ess and the external IP address can be on different subnets 7 Enter the Map to IP address to which to map the external IP address For example the IP address of a web server on an internal network 8 Select OK You can now add the virtual IP to firewall policies To add port forwarding virtual IPs 1 Go to Firewall Virtual IP 2 Select Create New 3 Enter a name for the port forwarding virtual IP 4 Selec...

Page 220: ...9 Enter the Map to Port number to be added to packets when they are forwarded If you do not want to translate the port enter the same number as the External Service Port 10 Select OK To add a dynamic port forwarding virtual IP 1 Go to Firewall Virtual IP 2 Select Create New 3 Enter a name for the dynamic port forwarding virtual IP 4 Select the virtual IP External Interface from the list The extern...

Page 221: ...destination interface is the same as the IP pool interface You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface For example if you add an IP pool to the internal interface you can select Dynamic IP pool for WAN1 Internal WAN2 Internal and D...

Page 222: ...4 Enter the IP Range for the IP pool The IP range defines the start and end of an address range The start of the range must be lower than the end of the range The start and end of the range must be on the same subnet as the IP address of the interface to which you are adding the IP pool Create New Select Create New to add an IP pool Start IP The start IP defines the start of an address range End I...

Page 223: ...irewall randomly selects an IP address from the IP pool and assigns it to each connection In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool IP pools and dynamic NAT You can use IP pools for dynamic NAT For example your organization might have purchased a range of Internet addresses but you might have only one Internet conne...

Page 224: ... need strict protection traffic between trusted internal addresses might need moderate protection You can configure policies for different traffic services to use the same or different protection profiles Protection profiles can be added to NAT Route mode and Transparent mode policies This section describes Protection profile list Default protection profiles Protection profile options Configuring ...

Page 225: ...g and web content blocking to HTTP traffic You can add this protection profile to firewall policies that control HTTP traffic Unfiltered To apply no scanning blocking or IPS Use the unfiltered content profile if you do not want to apply content protection to content traffic You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks whe...

Page 226: ...es to view them or submit files to Fortinet for analysis Pass fragmented emails Enable or disable passing fragmented email for mail protocols IMAP POP3 SMTP Fragmented email cannot be scanned for viruses Oversized file email Select block or pass for files and email that exceed configured thresholds for each protocol To configure the oversized file threshold go to Antivirus Config Config The maximu...

Page 227: ...banned words and patterns in the content block list Web URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Web Exempt List Enable or disable web page filtering for HTTP traffic based on the URL exempt list Exempt URLs are not scanned for viruses Web Script Filter Enable or disable blocking scripts from web pages for HTTP traffic Web resume download block En...

Page 228: ...ror pages to circumvent web category blocking Allow websites when a rating error occurs HTTP only Allow web pages that return a rating error from the web filtering service Category The FortiGuard web filtering service provides many categories by which to filter web traffic You can set the action to take on web pages for each category Choose from allow block or monitor IP address FortiShield check ...

Page 229: ...r of email identified as spam For SMTP if you have virus scan or splice CLI enabled you will only be able to discard spam email Note that splice is enabled automatically when you enable virus scanning Discard immediately drops the connection Without splice or scanning enabled you can chose to tag or discard SMTP spam You can tag email by adding a custom word or phrase to the subject or inserting a...

Page 230: ...ou want to modify 3 Modify the profile as required 4 Select OK Display content meta information on the system dashboard Enable to have meta information for each type of traffic display in the Content Summary section of the FortiGate status page There you can view statistics for HTTP traffic FTP traffic and Email traffic IMAP POP3 and SMTP combined Archive content meta information Enable or disable...

Page 231: ...ofile from the list 6 Configure the remaining policy settings if required 7 Select OK 8 Repeat this procedure for any policies for which you want to enable network protection Profile CLI configuration Use this command to add edit or delete protection profiles Use protection profiles to apply different protection settings for traffic controlled by firewall policies Command syntax pattern config fir...

Page 232: ...ding large files When splice is disabled for ftp the FortiGate unit buffers the file for scanning before uploading it to the FTP server If the file is clean the FortiGate unit will allow the upload to continue Enter all the actions you want this profile to use Use a space to separate the options you enter If you want to remove an option from the list or add an option to the list you must retype th...

Page 233: ... returns an error message to the sender listing the virus name and infected file name In this mode the SMTP server is not able to deliver the email if it was sent with an infected attachment Throughput is higher when splice is enabled When splice is disabled the FortiGate unit scans the email first If the FortiGate unit detects a virus it removes the infected attachment adds a customizable message...

Page 234: ...234 01 28007 0144 20041217 Fortinet Inc Protection profile Firewall ...

Page 235: ...fy the user s credentials locally or using an external LDAP or RADIUS server Authentication expires if the user leaves the connection idle for longer than the authentication timeout period You need to determine the number and membership of your user groups appropriate to your authentication needs To set up user groups 1 If external authentication is needed configure RADIUS or LDAP servers See RADI...

Page 236: ... minutes Local Go to User Local to add local user names and configure authentication Local user list Figure 113 Local user list Local user options Figure 114 Local user options Create New Add a new local username User Name The local user name Type The authentication type to use for this user The Delete and Edit icons User Name Enter the user name Disable Select Disable to prevent this user from au...

Page 237: ... authentication The default port for RADIUS traffic is 1812 If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port For more information see the config system global command entry in the FortiGate CLI Reference Guide RADIUS server list Figure 115 RADIUS server list LDAP Select LDAP to require the user to authenticate to an LDAP server Select the name of the L...

Page 238: ...ame that you want to delete 3 Select OK LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server the FortiGate unit contacts the LDAP server for authentication To authenticate with the FortiGate unit the user enters a user name and password The FortiGate unit sends this user name and password to the LDAP server If the LDAP server can authenticate the use...

Page 239: ...8 LDAP server configuration Create New Add a new LDAP server Server Name IP The domain name or IP address of the LDAP server Port The port used to communicate with the LDAP server Common Name Identifier The common name identifier for the LDAP server 20 characters maximum The common name identifier for most LDAP servers is cn However some servers use other common name identifiers such as uid Distin...

Page 240: ...ect Delete beside the LDAP server name that you want to delete 3 Select OK Common Name Identifier Enter the common name identifier for the LDAP server The common name identifier for most LDAP servers is cn However some servers use other common name identifiers such as uid Distinguished Name Enter the distinguished name used to look up entries on the LDAP server Enter the base distinguished name fo...

Page 241: ...XAuth The FortiGate PPTP configuration Only users in the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the order in which they are added determines the order in which the FortiGate unit checks for authentication If user names are first then the FortiGate un...

Page 242: ...to add the RADIUS server to the Members list 6 To add an LDAP server to the user group select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a user RADIUS server or LDAP server from the Members list and select the left arrow to remove the name RADIUS serve...

Page 243: ...see the FortiGate CLI Reference Guide peer Use this command to add or edit the peer certificate information Command syntax pattern config user peer edit name_str set keyword variable config user peer edit name_str unset keyword config user peer delete name_str get user peer name_str show user peer name_str Example This example shows how to add the branch_office peer radius command keywords and var...

Page 244: ...peer branch_office peergrp Use this command to add or edit a peer group Command syntax pattern config user peergrp edit name_str set keyword variable config user peergrp edit name_str unset keyword config user peergrp delete name_str get user peergrp name_str show user peergrp name_str Example This example shows how to add peers to the peergrp EU_branches radius command keywords and variables Keyw...

Page 245: ... end This example shows how to display the list of configured peer groups get user peergrp This example shows how to display the settings for the peergrp EU_branches get user peergrp EU_branches This example shows how to display the configuration for all the peers groups show user peergrp This example shows how to display the configuration for the peergrp EU_branches show user peergrp EU_branches ...

Page 246: ...246 01 28007 0144 20041217 Fortinet Inc CLI configuration Users and authentication ...

Page 247: ...ing protocols to authenticate and encrypt traffic Internet Protocol Security IPSec Point to Point Tunneling Protocol PPTP Layer Two Tunneling Protocol L2TP This chapter contains information about the following VPN topics Phase 1 Phase 2 Manual key Concentrator Ping Generator Monitor PPTP L2TP Certificates VPN configuration procedures CLI configuration ...

Page 248: ...nal advanced phase 1 settings can be selected to ensure the smooth operation of phase 1 negotiations To configure phase 1 settings 1 Go to VPN IPSEC Phase 1 2 Follow the general guidelines in these sections Phase 1 list on page 248 Phase 1 basic settings on page 249 Phase 1 advanced settings on page 251 For information about how to choose the correct phase 1 settings for your particular situation ...

Page 249: ...ents with dynamic IP addresses will be connecting to the FortiGate unit select Dialup User If a remote peer that has a domain name and subscribes to a dynamic DNS service will be connecting to the FortiGate unit select Dynamic DNS and type the domain name of the remote peer into the Dynamic DNS field IP Address If Static IP Address is selected type the IP address of the remote peer Dynamic DNS If ...

Page 250: ... be identical to the value in the Local ID field of the phase 1 remote gateway configuration on the remote peer To grant access to selected remote peers or clients based on a peer ID select Accept this peer ID and type the identifier This value must be identical to the value in the Local ID field of the phase 1 remote gateway configuration on the remote peer or client To grant access to dialup use...

Page 251: ...wing symmetric key algorithms DES Digital Encryption Standard a 64 bit block algorithm that uses a 56 bit key 3DES Triple DES in which plain text is encrypted three times by three keys AES128 A 128 bit block algorithm that uses a 128 bit key AES192 A 128 bit block algorithm that uses a 192 bit key AES256 A 128 bit block algorithm that uses a 256 bit key You can select either of the following messa...

Page 252: ...o 172800 seconds Local ID If you are using peer IDs for authentication enter the peer ID that the local FortiGate unit will use to authenticate itself to remote VPN peers If you are using certificates for authentication select the distinguished name DN of the local certificate XAuth If you select Enable as Client type the user name and password that the FortiGate unit will need to authenticate its...

Page 253: ...IPSec encryption and or authentication key you must configure the FortiGate unit to use manual keys instead For more information see Manual key on page 255 Create New Select Create New to create a new phase 2 tunnel configuration Tunnel Name The names of existing tunnel configurations Remote Gateway The names of the phase 1 configurations that are associated with the tunnel configurations Lifetime...

Page 254: ...before it can be selected here See Concentrator on page 258 P2 Proposal Select the encryption and authentication algorithms that will be used to change data into encrypted code Add or delete encryption and authentication algorithms as required Select a minimum of one and a maximum of three combinations The remote peer must be configured to use at least one of the proposals that you define You can ...

Page 255: ...an exchange whenever keylife expires DH Group Select one Diffie Hellman group 1 2 or 5 The remote peer or client must be configured to use the same group Keylife Select the method for determining when the phase 2 key expires Seconds KBytes or Both If you select both the key expires when either the time has passed or the number of KB have been processed The range is from 120 to 172800 seconds or fr...

Page 256: ...ecify two SPIs per configuration a local SPI and a remote SPI to cover bidirectional communications between two VPN peers To specify manual keys for creating a tunnel 1 Go to VPN IPSEC Manual Key and select Create New 2 Follow the guidelines in these sections Manual key list on page 256 Manual key options on page 257 Manual key list Figure 127 IPSec VPN Manual Key list Note It may not be safe or p...

Page 257: ... the public interface to the remote peer The address identifies the recipient of ESP datagrams Encryption Algorithm Select one of the following symmetric key encryption algorithms DES Digital Encryption Standard a 64 bit block algorithm that uses a 56 bit key 3DES Triple DES in which plain text is encrypted three times by three keys AES128 A 128 bit block algorithm that uses a 128 bit key AES192 A...

Page 258: ...define a concentrator 1 Go to VPN IPSEC Concentrator 2 Follow the guidelines in these sections Concentrator list on page 258 Concentrator options on page 259 Concentrator list Figure 129 IPSec VPN concentrator list Authentication Algorithm Select one of the following message digests MD5 Message Digest 5 algorithm which produces a 128 bit message digest SHA1 Secure Hash Algorithm 1 which produces a...

Page 259: ...es refer to the source and destination addresses of IP packets that are to be transported through the VPN tunnel When source and destination addresses of 0 0 0 0 are entered no ping traffic is generated between the source and destination To configure the ping generator 1 Go to VPN IPSEC Ping Generator Create New Select Create New to define a new concentrator for an IPSec hub and spoke configuratio...

Page 260: ...4 for the Source IP 2 and Destination IP 2 settings 6 Select Apply Ping generator options Figure 131 Ping generator Monitor You can use the monitor to view activity on IPSec VPN tunnels and start or stop those tunnels The display provides a list of addresses proxy IDs and timeout information for all active tunnels To view active tunnels 1 Go to VPN IPSEC Monitor To interpret the display see the fo...

Page 261: ... for each tunnel configuration You can also start and stop individual tunnels from the list Figure 133 Static IP and dynamic DNS monitor Flush dialup tunnels icon Stop all dialup tunnels and stop the traffic passing through all dialup tunnels Dialup users may have to reconnect to establish new VPN sessions Name The name of the tunnel Remote gateway The IP address and UDP port of the remote gateway...

Page 262: ...n IP address from a reserved range of IP addresses to the client PPTP interface The PPTP client uses the assigned IP address as its source address for the duration of the connection Figure 134 PPTP range Name The name of the tunnel Remote gateway The IP address and UDP port of the remote gateway For dynamic DNS tunnels the IP address is updated dynamically Timeout The time before the next key exch...

Page 263: ...e client is assigned an IP address from this range Afterward the FortiGate unit uses the assigned address to communicate with the remote client Figure 135 L2TP range Enable PPTP You must add a user group before you can select the option Starting IP Type the starting address in the range of reserved IP addresses Ending IP Type the ending address in the range of reserved IP addresses User Group Sele...

Page 264: ... page 267 and Importing CA certificates on page 267 For detailed information and step by step procedures related to obtaining and installing digital certificates see the FortiGate VPN Guide Local certificate list Figure 136 Certificate list Generate Select to generate a local certificate request See Certificate request on page 265 Import Select to import a signed local certificate See Importing si...

Page 265: ...at provides digital certificates that adhere to the X 509 standard The FortiGate unit provides a way for you to generate the request The generated request includes information such as the FortiGate unit s public static IP address domain name or email address To generate a certificate request 1 Go to VPN Certificates Local Certificates 2 Select Generate Figure 138 Generating a certificate signing r...

Page 266: ...h a dialup client use an email address For Host IP enter the public IP address of the FortiGate unit being certified For Domain name enter the fully qualified domain name of the FortiGate unit being certified Do not include the protocol specification http or any port number or path names For E mail enter the email address of the owner of the FortiGate unit being certified Typically email addresses...

Page 267: ...ertificate 1 Go to VPN Certificates CA Certificates 2 Select Import Figure 141 Importing a CA certificate 3 Browse to the location on the management PC where the certificate has been saved select the certificate and then select OK 4 Select OK Import Select to import a CA root certificate See Importing CA certificates on page 267 Name The names of existing CA root certificates The FortiGate unit as...

Page 268: ... See Phase 2 on page 252 3 Define source and destination addresses for the IP packets that are to be transported through the VPN tunnel and create the firewall encryption policy which defines the scope of permitted services between the IP source and destination addresses See Adding firewall policies for IPSec VPN tunnels on page 268 Adding firewall policies for IPSec VPN tunnels Firewall policies ...

Page 269: ... follows Interface Zone Source Select the local interface to the internal private network Destination Select the local interface to the external public network Address Name Source Select the name that corresponds to the local network server s or host s from which IP packets may originate Destination Select the name that corresponds to the remote network server s or host s to which IP packets may b...

Page 270: ...nd 4 see the FortiGate VPN Guide To arrange for PPTP packets to pass through the FortiGate unit to an external PPTP server instead you must 1 Create a PPTP user group containing one user for each PPTP client See Users and authentication on page 235 2 Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned to PPTP clients when they connect See PPTP range on page 26...

Page 271: ...lability dpd idlecleanup seconds_integer The DPD long idle setting when dpd is set to enable Set the time in seconds that a link must remain unused before the local VPN peer pro actively probes its state After this period of time expires the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer The dpd idlecleanu...

Page 272: ...worry 150 set dpd retrycount 5 set dpd retryinterval 30 end dpd retrycount retry_integer The DPD retry count when dpd is set to enable Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association SA The dpd retrycount range is 0 to 10 To avoid false negatives due to congestion or other transient failures set the r...

Page 273: ...e local FortiGate interface No default All models dstaddr name_str Enter the name of the firewall destination IP address that corresponds to the recipient or network behind the remote VPN peer You must create the firewall address before you can select it here For more information see Adding firewall policies for IPSec VPN tunnels on page 268 No default All models selector must be set to specify ds...

Page 274: ...otiations Select policy to choose a selector from a firewall encryption policy The VPN tunnel referenced in the firewall encryption policy will be referenced Select wildcard to disable selector negotiation for this tunnel Use this option to avoid negotiation errors such as invalid ID Information that may occur during quick mode when the set of policies between the peers is not symmetric Select spe...

Page 275: ...f the IPSec VPN tunnel config vpn ipsec vip edit 1 set ip 192 168 12 1 set out interface external next edit 2 set ip 192 168 12 2 set out interface external end Note The interface to the destination network must be associated with a VPN tunnel through a firewall encryption policy action must be set to encrypt The policy determines which VPN tunnel will be selected to forward traffic to the destina...

Page 276: ...rtiGate unit s virtual IP VIP table the FortiGate unit responds with its own MAC address and forwards traffic to the correct destination at the other end of the VPN tunnel afterward Consider the following example which shows two physically separate networks The IP addresses of the computers on both networks are in the 192 168 12 0 24 range but no two IP addresses are the same An IPSec VPN has been...

Page 277: ...n both FortiGate units define the gateway tunnel on which to transmit VPN traffic to the remote location see Phase 1 on page 248 and Phase 2 on page 252 2 On both FortiGate units define the firewall encrypt policy that is needed to select and enable communication through the defined VPN gateway tunnel see Adding firewall policies for IPSec VPN tunnels on page 268 3 Using CLI commands to configure ...

Page 278: ...278 01 28007 0144 20041217 Fortinet Inc CLI configuration VPN ...

Page 279: ...rofile select edit or Create New and select IPS See Protection profile options on page 225 Protection profile configuration For information about adding protection profiles to firewall policies see To add a protection profile to a policy on page 231 IPS updates and information FortiProtect services are a valuable customer resource and include automatic updates of virus and IPS attack engines and d...

Page 280: ...ition to an extensive list of predefined attack signatures you can also create your own custom attack signatures for the FortiGate unit See Adding custom signatures on page 285 Predefined Predefined signatures are arranged into groups based on the type of attack By default all signature groups are enabled while some signatures within groups are not Check the default settings to ensure they meet th...

Page 281: ...rs Action can be Pass Drop Reset Reset Client Reset Server Drop Session Clear Session or Pass Session See Table 24 Revision The revision number for individual signatures To show the signature group members click on the blue triangle Modify The Configure and Reset icons Reset only appears when the default settings have been modified Selecting Reset restores the default settings Table 24 Actions to ...

Page 282: ... Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connection is fully established it acts as Clear Session Reset Server The FortiGate unit drops the packet that triggered the signature sends a reset to the server and removes the session from the FortiGate session ...

Page 283: ...of a signature 1 Go to IPS Signature Predefined 2 Select the blue triangle next to a signature group name to display the members of that group 3 Select the Reset icon for the signature you want to restore to recommended settings The Reset icon is displayed only if the settings for the signature have been changed from recommended settings 4 Select OK Configuring parameters for dissector signatures ...

Page 284: ...eout If a session is idle for longer than this number of seconds the session will not be maintained by tcp_reassembler min_ttl A packet with a higher ttl number in its IP header than the number specified here is not processed by tcp_reassembler port_list A comma separated list of ports The dissector can decode these TCP ports bad_flag_list A comma separated list of bad TCP flags reassembly_ direct...

Page 285: ... custom signatures from the custom signature group Reset to recommended settings Reset all the custom signatures to the recommended settings Name The custom signature names Revision The revision number for each custom signature The revision number is a number you assign to the signature when you create or revise it Enable The status of each custom signature A white check mark in a green circle ind...

Page 286: ...sessions targeting a single destination in one second is over a threshold the destination is experiencing flooding Scan If the number of sessions from a single source in one second is over a threshold the source is scanning Source session limit If the number of concurrent sessions from a single source is over a threshold the source session limit is reached Destination session limit If the number o...

Page 287: ...nt Reset Server Drop Session Clear Session or Pass Session Modify The Edit and Reset icons If you have changed the settings for an anomaly you can use the Reset icon to change the settings back to the recommended settings Name The anomaly name Enable Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly Logging Select the Logging box to enable logging for the a...

Page 288: ... is fully established it acts as Clear Session Reset Client The FortiGate unit drops the packet that triggered the anomaly sends a reset to the client and removes the session from the FortiGate session table Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connect...

Page 289: ... edit name_str unset keyword end config limit delete name_str Example Use the following command to configure the limit for the tcp_src_session anomaly config ips anomaly tcp_src_session config limit edit subnet1 set ipaddress 1 1 1 0 255 255 255 0 set threshold 300 end end Note This guide only covers Command Line Interface CLI commands that are not represented in the web based manager For complete...

Page 290: ...ng signatures for attacks that your system is not vulnerable to for example web attacks when you are not running a web server For more information on FortiGate logging and alert email see Log Report on page 341 Default fail open setting If for any reason the IPS should cease to function it will fail open by default This means that crucial network traffic will not be blocked and the Firewall will c...

Page 291: ...otocol HTTP FTP IMAP POP3 SMTP View a read only list of current viruses File Block Antivirus File Block Enable or disable file blocking for each protocol Configure file patterns to block enable or disable blocking for each protocol Quarantine Antivirus Quarantine Enable or disable quarantining for each protocol Quarantine is only available on units with a local disk View and sort the list of quara...

Page 292: ...ortiProtect Center at http www fortinet com FortiProtectCenter To set up automatic and push updates see Update center on page 120 This chapter describes File block Quarantine Config CLI configuration File block Configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks You can block files by name by extension or any other pattern giving you...

Page 293: ... information files pif Figure 153 Default file block list File block list has the following icons and features Create New Select Create New to add a new file pattern to the file block list Apply Select Apply to apply any changes to the file block configuration Pattern The current list of blocked file patterns You can create a pattern by using or wildcard characters Check All Select a check box bes...

Page 294: ...ned files list Quarantined files list options AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantined files list The quarantined files list displays information about each file that is quarantined because of virus infection or file blocking You can sort the files by any one of file name date service status duplicate count DC or time to live TTL You can also filte...

Page 295: ... oversize exe Date The date and time that the file was quarantined in the format dd mm yyyy hh mm This value indicates the time that the first file was quarantined if the duplicate count increases Service The service from which the file was quarantined HTTP FTP IMAP POP3 SMTP Status The reason the file was quarantined infected heuristics or blocked Status Description Specific information related t...

Page 296: ...tions AutoSubmit list has the following icons and features Configuring the AutoSubmit list To add a file pattern to the AutoSubmit list 1 Go to Anti Virus Quarantine AutoSubmit 2 Select Create New Figure 156 Adding a file pattern 3 Enter the file pattern or file name you want to automatically upload to Fortinet for analysis 4 Select Enable 5 Select OK Create New Select Create New to add a new file...

Page 297: ...The time limit in hours for which to keep files in quarantine The age limit is used to formulate the value in the TTL column of the quarantined files list When the limit is reached the TTL column displays EXP and the file is deleted although a record is maintained in the quarantined files list Entering an age limit of 0 zero means files are stored on disk indefinitely depending on low disk space a...

Page 298: ...0 Figure 158 Virus list partial Config Oversize threshold configuration refers to the size limits you can apply to scan files and email in memory The maximum file size allowed in memory is usually 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a memory oversize threshold range of 1 to 25 MB The range for each FortiGate unit is displayed in the web based man...

Page 299: ...out the user s consent or knowledge Grayware programs are generally considered an annoyance but these programs can cause system performance problems or be used for malicious means The FortiGate unit scans for known grayware executable programs in each category you enable The category list and contents are added or updated whenever your FortiGate unit receives a virus update package New categories ...

Page 300: ...d including passwords chat and instant messages Hijacker Select enable to block browser hijacking programs Browser hijacking occurs when a spyware type program changes web browser settings including favorites or bookmarks start pages and menu options Plugin Select enable to block browser plugins Browser plugins can often be harmless Internet browsing tools that are installed and operate directly f...

Page 301: ...onfig antivirus heuristic set keyword variable end config antivirus heuristic unset keyword end get antivirus heuristic show antivirus heuristic Example This example shows how to disable heuristic scanning config antivirus heuristic set mode disable end Note This guide only covers Command Line Interface CLI commands that are not represented in the web based manager For complete descriptions and ex...

Page 302: ... the FortiGate unit handles antivirus scanning of large files in HTTP traffic and what ports the FortiGate unit scans for HTTP Command syntax pattern config antivirus service http set keyword variable end Note This command has more keywords than are listed in this Guide See the FortiGate CLI Reference Guide for a complete list of commands and keywords antivirus quarantine command keywords and vari...

Page 303: ...um file size in megabytes that can be buffered to memory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the oversize threshold refers to the final size of the email after encoding by the email client including attachments Email clients may use a va...

Page 304: ...set port 80 set port 443 end This example shows how to display the antivirus HTTP traffic settings get antivirus service http This example shows how to display the configuration for antivirus HTTP traffic show antivirus service http config antivirus service ftp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in FTP traffic and how the FortiGate unit h...

Page 305: ...llowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Oversized files can be passed or blocked in a firewall protection profile Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and...

Page 306: ...e unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment The most common encoding base64 translates 3 bytes o...

Page 307: ...ompsizelimit 60 set port 110 set port 111 set port 992 end This example shows how to display the antivirus POP3 traffic settings get antivirus service pop3 This example shows how to display the configuration for antivirus POP3 traffic show antivirus service pop3 config antivirus service imap Use this command to configure how the FortiGate unit handles antivirus scanning of large files in IMAP traf...

Page 308: ...mory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types transl...

Page 309: ...file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the ...

Page 310: ...ffered to memory for scanning at 1 GB 1000 MB and how to enable antivirus scanning on ports 25 and 465 for SMTP traffic config antivirus service smtp set memfilesizelimit 100 set uncompsizelimit 1000 set port 25 set port 465 end This example shows how to display the antivirus SMTP traffic settings get antivirus service smtp This example shows how to display the configuration for antivirus SMTP tra...

Page 311: ...anned words and patterns in the content block list for HTTP traffic Add words and patterns to block web pages containing those words or patterns Web URL Block Web Filter URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Add URLs and URL patterns to block web pages from specific sources Web Exempt List Web Filter URL Exempt Enable or disable web page filter...

Page 312: ...ck URL block URL exempt category block FortiGuard and script filter This chapter describes Content block URL block URL exempt Category block Script filter Protection Profile web category filtering Web Filter setting Enable category block HTTP only Web Filter Category Block Configuration Enable FortiGuard web filtering Enable or disable FortiGuard and enable and set the size limit for the cache Blo...

Page 313: ...wing icons and features Note Perl regular expression patterns are case sensitive for Web Filter content block To make a word or phrase case insensitive use the regular expression i For example bad language i will block all instances of bad language regardless of case Wildcard patterns are not case sensitive Note Enable Web filtering Web Content Block in your firewall Protection Profile to activate...

Page 314: ...et the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You can also add patterns using text and regular expressions or wildcard characters to block URLs The FortiGate unit blocks web pages matching any specified URLs or patterns and displays a replacement message instead Ba...

Page 315: ...n a text file and upload them to the FortiGate unit by selecting the Upload URL block list icon URLs in a text file must be separated by hard returns to upload correctly Figure 163 Sample Web URL block list Web URL block options Web URL block has the following icons and features Note URL blocking does not block access to other services that users can access with a web browser For example URL block...

Page 316: ...ist For example adding badsite com blocks access to www badsite com mail badsite com www finance badsite com and so on 5 Select Enable 6 Select OK Web pattern block list In addition to blocking specific or partial URLs you can block all URLs that match patterns you create using text and regular expressions or wildcard characters For example badsite matches badsite com badsite org badsite net and s...

Page 317: ... 3 Select Create New Figure 166 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exempt list options Configuring URL exempt Create New Select Create New to add a new pattern to the web pattern block list Pattern The current list of blocked patterns Select the check box to enable all the web...

Page 318: ...RL to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 168 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable 5 Select OK Note Enable Web filtering Web Exempt List in your firewall Protection Profile to activate the URL exempt settings Create New Select Create New to add a URL to the URL exempt list total The number of URLs in the URL ...

Page 319: ...added to or updated as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy FortiGuard ratings are performed by a combination of proprietary methods including text analysis exploitation of the Web struc...

Page 320: ...ategory block configuration options If you have ordered FortiGuard through Fortinet technical support or are using the free 30 day trial you only need to enable the service to start configuring and using FortiGuard Figure 169 Category block configuration You can configure the following options to enable and help maintain FortiGuard web filtering Enable Service FortiGuard Select to enable FortiGuar...

Page 321: ...tegories on page 359 Once you select Apply the FortiGuard license type and expiration date appears on the configuration screen Web Filter Category Block Category block reports You can generate a text and pie chart format report on web filtering for any profile The FortiGate unit maintains statistics for allowed blocked and monitored web pages for each category You can view reports for a range of h...

Page 322: ...e Guide for descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate the report Choose from hour day or all historical statistics Report Range Select the time range 24 hour clock or day range from six days ago to today for which you want the report For example if you select re...

Page 323: ...le shows how to display the configuration for the catblock settings show webfilter catblock If the show command returns you to the prompt the settings are at default Script filter You can configure the FortiGate unit to filter certain web scripts You can filter Java applets cookies and ActiveX controls from web pages Figure 171 Script filtering options catblock command keywords and variables Keywo...

Page 324: ...ome web pages from functioning and displaying correctly Note Enable Web filtering Web Script Filter in your firewall Protection Profile to activate the script filter settings Javascript Select Javascript to block all Javascript based pages or applications Cookies Select Cookies to block web sites from placing cookies on individual computers ActiveX Select ActiveX to block all ActiveX applications ...

Page 325: ...ervice FortiShield This service works like an RBL server and is continuously updated to block spam sources Check the status of the FortiShield server view the license type and expiry date and configure the cache IP address BWL check Spam Filter IP Address Black white list check Enable or disable checking incoming IP addresses against the configured spam filter IP address list SMTP only Add to and ...

Page 326: ...ders against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam or clear for each MIME header Banned word check Spam Filter Banned Word Enable or disable checking source email against the configured spam filter banned word list Add to and edit banned words to th...

Page 327: ...eply FortiShield and RBL ORDBL are run simultaneously To avoid delays queries are sent while other filters are running The first reply to trigger a spam action will take effect as soon as the reply is received This chapter describes FortiShield IP address RBL ORDBL Email address MIME headers Banned word Using Perl regular expressions FortiShield FortiShield is an antispam system from Fortinet that...

Page 328: ... After a moment the FortiShield status should change from Unknown to Available If the FortiShield status is unavailable wait and try again 3 Enable and set a TTL time to live for the cache Enable Service Select to enable the FortiShield service Status Select Check Status to test the connection to the FortiShield server Status should change from a flashing red yellow indicator to a solid green indi...

Page 329: ...o the next spam filter You can enter an IP address and mask in two formats x x x x x x x x for example 62 128 69 100 255 255 255 0 x x x x x for example 62 128 69 100 24 This section describes IP address list IP address options Configuring the IP address list IP address list You can configure the FortiGate unit to filter email from specific IP addresses You can mark each IP address as clear spam o...

Page 330: ...ack of unsecured third party SMTP servers known as open relays which some spammers use to send unsolicited bulk email There are also several free and subscription servers available that provide reliable access to continually updated RBLs and ORDBLs Check with the service you are using to confirm the correct domain name for connecting to the server The FortiGate unit communicates with RBL servers u...

Page 331: ... ORDBL 2 Select Create New Note Because the FortiGate unit uses the server domain name to connect to the RBL or ORDBL server it must be able to look up this name on the DNS server For information on configuring DNS see DNS on page 59 Create New Select Create New to add a server to the RBL ORDBL list Total The number of items in the list The Page up Page down and Remove all entries icons RBL Server...

Page 332: ...he email is passed on to the next spam filter You can use Perl regular expressions or wildcards to add email address patterns to the list See Using Perl regular expressions on page 337 This section describes Email address list Email address options Configuring the email address list Email address list The FortiGate unit can filter email from specific senders or all email from a domain such as samp...

Page 333: ...ng such as the type of text in the email body or the program that generated the email Some examples of MIME headers include X mailer outgluck X Distribution bulk Content_Type text html Content_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers will often insert comments into header values or leave them blank These m...

Page 334: ...You can configure the FortiGate unit to filter email with specific MIME header key value pairs You can mark each MIME header as clear or spam Figure 179 Sample MIME headers list MIME headers options MIME headers list has the following icons and features Note MIME header entries are case sensitive Create New Select Create New to add a MIME header to the MIME headers list Total The number of items i...

Page 335: ... FortiGate unit searches for banned words in email messages If a match is found the corresponding protection profile action is taken If no match is found the email is passed to the recipient You can use Perl regular expressions or wildcards to add banned word patterns to the list See Using Perl regular expressions on page 337 This section describes Banned word list Banned word options Configuring ...

Page 336: ... icons and features When you select Create New or Edit you can configure the following settings for the banned word Create new Select Create New to add a word or phrase to the banned word list Total The number of items in the list The Page up Page down and Remove all entries icons Pattern The list of banned words Select the check box to enable all the banned words in the list Pattern Type The patt...

Page 337: ...ee http www perldoc com perl5 8 0 pod perlre html for detailed information about using Perl regular expressions Pattern Enter the word or phrase you want to include in the banned word list Pattern Type Select the pattern type for the banned word Choose from wildcard or regular expression See Using Perl regular expressions on page 337 Language Select the character set for the banned word Choose fro...

Page 338: ...pression test not only matches the word test but also matches any word that contains the test such as atest mytest testimony atestb The notation b specifies the word boundary To match exactly the word test the expression should be btest b Case sensitivity Regular expression pattern matching is case sensitive in the Web and Spam filters To make a word or phrase case insensitive use the regular expr...

Page 339: ... of case w a word a nonempty sequence of alphanumeric characters and low lines underscores such as foo and 12bar8 and foo_1 100 s mk the strings 100 and mk optionally separated by any amount of white space spaces tabs newlines abc b abc when followed by a word boundary e g in abc but not in abcd perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the regul...

Page 340: ...340 01 28007 0144 20041217 Fortinet Inc Using Perl regular expressions Spam filter ...

Page 341: ...on You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur It is not necessary for an event to be logged to trigger an alert email The FortiGate unit will collect and send log messages in alert emails according to the level and time intervals you configure in the alert email options All collected messages are assembled in one alert email which ...

Page 342: ... 52 device_id APS3012803033139 log_id 0101023002 type event subtype ipsec pri notice loc_ip 172 16 81 2 loc_port 500 rem_ip 172 16 81 1 rem_port 500 out_if dmz vpn_tunnel ToDmz action negotiate init local mode stage 112 dir inbound status success msg Initiator tunnel 172 16 81 1 transform ESP_3DES HMAC_SHA1 Message meets Alert condition 2004 04 27 13 28 54 device_id APS3012803033139 log_id 0101023...

Page 343: ...ll the FortiGate unit begins to overwrite the oldest messages All log entries are deleted when the FortiGate unit restarts Syslog A remote computer running a syslog server WebTrends A remote computer running a NetIQ WebTrends firewall reporting server FortiGate log formats comply with WebTrends Enhanced Log Format WELF and are compatible with NetIQ WebTrends Security Reporting Center 2 0 and Firew...

Page 344: ...le is started Roll log policy The policy to follow for saving the current log and starting a new active log Overwritten deletes the oldest log entry when the disk is full Block traffic stops all network traffic when the disk is full Do not log stops logging messages when the disk is full Level The FortiGate unit logs all messages at and above the logging severity level you select For example if yo...

Page 345: ...he logging severity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 31 Logging severity levels on page 344 Facility Facility indicates the source of a log message By default FortiGate reports Facility as local7 You might want to change Facility to distinguish log messages from different FortiGate units Enable CSV Format If ...

Page 346: ...The FortiGate unit sends alert email for all messages at and above the logging severity level you select Emergency The interval to wait before sending an alert e mail for emergency level log messages Alert The interval to wait before sending an alert e mail for alert level log messages Critical The interval to wait before sending an alert e mail for critical level log messages Error The interval t...

Page 347: ...gging severity level 6 Select the logging severity level for which you want to send alert email 7 Select Apply Log filter options For each logging location you enable you can create a customized log filter based on the log types described in the following sections Note If more than one log message is collected before an interval is reached the messages are combined and sent out as one alert email ...

Page 348: ...uting gateway has been added You can apply the following filters Policy allowed traffic The FortiGate unit logs all traffic that is allowed according to the firewall policy settings Policy violation traffic The FortiGate unit logs all traffic that violates the firewall policy settings Note You can enable traffic logging for specific interfaces or firewall policies See Enabling traffic logging on p...

Page 349: ...unit logs all pattern update events such as antivirus and IPS pattern updates and update failures Virus infected The FortiGate unit logs all virus infections Filename blocked The FortiGate unit logs all instances of blocked files File oversized The FortiGate unit logs all instances of oversized files Content block The FortiGate unit logs all instances of blocked content specified in the banned wor...

Page 350: ...ace 2 Select the Edit icon for an interface 3 Select Log 4 Select OK 5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make sure you enable traffic logs for a logging location and set the logging severity level to Notification or lower To enable traffic logging for a firewall policy You can enable traffic logging for a firewall policy All connections accepted by ...

Page 351: ...Searching log messages Figure 187 Sample list of logs stored on the FortiGate disk Viewing log messages You can view log messages saved to the memory buffer Figure 188 Viewing log messages The following table describes the features and icons you can use to navigate and search the logs when viewing logs through the web based manager Type The location of the log messages memory Go to previous page i...

Page 352: ...es in the log Search Type a search word and select Go Advanced Search Select to search log messages by date time and keywords Column settings button Select to choose columns for log display Raw or Formatted Select Raw to switch to an unformatted log message display Select Formatted to switch to a log message display organized into columns Available fields The fields that you can add to the log mes...

Page 353: ...ds list and then select Move Up or Move Down as necessary 5 Select OK Searching log messages There are two ways to search log messages a simple keyword search or an advanced search that enables you to use multiple keywords and specify a time range To perform a simple keyword search 1 Display the log messages you want to search For more information see Viewing log messages on page 351 2 In the Sear...

Page 354: ...setting unset keyword get log fortilog setting show log fortilog setting all of the following The message must contain all of the keywords any of the following The message must contain at least one of the keywords none of the following The message must contain none of the keywords Note The command keywords for fortilog setting that are not represented in the web based manager are localid and pskse...

Page 355: ...iGate unit to send logs to a remote computer running a syslog server Command syntax pattern config log syslogd setting set keyword variable psksecret str_psk Enter the pre shared key for the IPSec VPN tunnel to a FortiLog unit You can create an IPSec VPN tunnel if one or more FortiGate units are sending log messages to a FortiLog unit across the Internet Using an IPSec VPN tunnel means that all lo...

Page 356: ...rt audit auth authpriv clock cron daemon ftp kernel local0 local1 local2 local3 local4 local5 local6 local7 lpr mail news ntp syslog user uucp Enter the facility type Also known as message category facility indicates from which part of the system a log message originated Facility can also be used to route messages to different files Facility types are described in Table 32 local7 All models port p...

Page 357: ...play the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Table 32 Facility types Facility type Description alert audit auth security authorization messages authpriv security authorization messages private clock clock daemon cron cron daemon performing scheduled commands daemon system daemons runn...

Page 358: ...358 01 28007 0144 20041217 Fortinet Inc CLI configuration Log Report ...

Page 359: ... sites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional Religions or other unconventional cultic or folkloric beliefs and practices Sites that promote or offer methods means of instruction or other resources to affect or influence real events through the ...

Page 360: ...ty with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites that provide information about promote or support the sale of alcoholic beverages or tobacco products or associated paraphernalia 11 Gambling Sites that provide information about or promote gambling o...

Page 361: ...scussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites advertisements or email 23 Web based Email Sites that host Web based email Potentially Bandwidth Consuming 24 File Sharing and Storage Peer to Peer File Sharing Sites that provide client software to e...

Page 362: ...information about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide information or advice on personal health or medical services procedures or devices but not drugs Includes self help groups 34 Job Search Sites that offer information about or support the seeking of employm...

Page 363: ...ons devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as their primary activity Social and Affiliation Organizations Sites sponsored by or that support or offer information about organizations devoted chiefly to socializing or common interests other than ...

Page 364: ...lated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services Others 54 Dynamic Content Dynamic Content URLs that are generated dynamically by a Web server 55 Miscellaneous Content Delivery Networks Commercial hosts that deliver content to subscribing Web sites ...

Page 365: ...e medium See Diffie Hellman group Diffie Hellman group FortiGate units support Diffie Hellman groups 1 2 and 5 The size of the modulus used to calculate the key varies according to the group Group 1 768 bit modulus Group 2 1024 bit modulus Group 5 1536 bit modulus digital certificate A digital document that guarantees the identity of a person or entity and is issued by a CA DMZ Demilitarized Zone ...

Page 366: ...tocol An Internet email protocol that allows access to an email server from any IMAP compatible browser internal interface The FortiGate interface that connects to an internal private network Internet The network that encompasses the world As a generic term it refers to any collection of interdependent networks IP Internet Protocol The component of TCP IP that handles routing IP address The point ...

Page 367: ... DCE interface PPPoE PPP over Ethernet A protocol that specifies how to encapsulate PPP packets over Ethernet PPTP Point to Point Tunneling Protocol A security protocol that creates a VPN by encapsulating PPP packets protocol A standard format for transmitting data The protocol determines the type of error checking to be used the data compression method if any how the sending device indicates that...

Page 368: ...essed on the same subnet See also netmask TCP Transmission Control Protocol One of the main protocols in TCP IP networks TCP guarantees delivery of data and also guarantees that packets are delivered in the same order sent trojan horse A harmful program that disguises itself as another program UDP User Datagram Protocol A connectionless protocol that runs on IP networks and is used primarily for b...

Page 369: ...okey Keep Alive 255 B back up configuration 118 backup mode modem 61 63 bandwidth guaranteed 197 198 maximum 197 198 banned word spam 335 bindtoif 273 border routers 165 browsing the Internet through a VPN tunnel 255 C CA certificates 266 Certificate Name 250 266 CLI 19 upgrading the firmware 34 36 cluster managing an HA cluster 96 cluster ID HA 97 cluster members HA 88 command line interface 19 C...

Page 370: ... interface 50 dynamic DNS monitor 260 261 dynamic IP pool IP pool 201 236 237 239 241 dynamic port forwarding 217 220 E Email address 332 Enable perfect forward secrecy PFS 255 Enable replay detection 255 Encryption for FortiLog unit 343 Encryption Algorithm 249 256 Encryption Algorithm Manual Key 257 Encryption Key Manual Key 257 Exempt URL options 318 expire system status 32 F facility 356 fail ...

Page 371: ...f each cluster member 97 HA cluster configuring 92 HA monitor active sessions 98 CPU usage 98 intrusion detected 98 memory usage 98 monitor 97 network utilization 98 total bytes 98 total packets 98 up time 97 virus detected 98 heartbeat failover 86 heartbeat device IP addresses HA 91 hello interval 176 184 High Availability 87 high availability introduction 18 http 232 HTTPS 19 206 hub HA schedule...

Page 372: ...itor 98 metric 187 metric type 187 MIB FortiGate 103 MIME headers 333 Mode 248 249 mode HA 88 Transparent 16 modem adding firewall policies 64 backup mode 61 63 configuring settings 61 standalone mode 61 64 monitor HA monitor 97 IPSec VPN 260 monitor priorities HA 92 mtu 184 MTU size 51 mtu ignore 184 N NAT introduction 16 push update 126 NAT Route mode introduction 16 natip 200 Nat traversal 252 ...

Page 373: ... push update configuring 125 external IP address changes 125 management IP address changes 126 through a NAT device 126 through a proxy server 124 Q Quarantine 294 Quarantine list 294 Quick Mode Identities 255 R random HA schedule 90 RBL and ORDBL 330 read write access level administrator account 83 112 117 121 128 read only access level administrator account 83 112 117 recurring schedule creating...

Page 374: ...46 71 stub type 171 Subject Information 266 substitute 174 substitute status 174 syn interval 84 synchronize with NTP server 84 Syslog logging settings 345 system configuration 83 system date and time setting 83 system options changing 84 T tag 187 188 TCP custom service 208 209 210 technical support 24 threshold 289 time setting 83 time zone 84 Timeout 253 261 262 timeout firewall authentication ...

Page 375: ...s detected HA monitor 98 virus protection worm protection 14 VLAN overview 65 VLAN subinterface bringing down 52 bringing up 52 starting 52 VPN introduction 17 VPN certificates restore 119 upload 119 VPN Tunnel Policy 269 VPNs 247 W web content filtering introduction 14 Web filter 311 359 content block 313 Web pattern block 316 Web script filter options 324 Web URL block list 315 web based manager...

Page 376: ...376 01 28007 0144 20041217 Fortinet Inc Index ...