Fortinet FortiGate FortiGate-800, Install Manual

Page 1: ...www fortinet com FortiGate 800 and FortiGate 800F FortiOS 3 0MR4 I N S T A L L G U I D E ...

Page 2: ...SIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyzer FortiManager Fortinet FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield FortiVoIP and FortiWiFi are trademarks of Fortinet Inc in the United States and or other countries The...

Page 3: ...c conventions 11 FortiGate documentation 11 Fortinet Knowledge Center 12 Comments on Fortinet technical documentation 12 Customer service and technical support 12 Installing the FortiGate unit 13 Package Contents 13 FortiGate 800 800F 13 Mounting 14 Air flow 14 Mechanical loading 15 Powering on the FortiGate unit 15 Powering off the FortiGate unit 16 Connecting to the FortiGate unit 16 Web based m...

Page 4: ...ation 32 Using the web based manager 32 Configuring basic settings 32 Adding a default route 33 Verifying the web based manager configuration 33 Verify connection 33 Using the front control buttons and LCD 34 Adding a default gateway using the LCD 34 Verifying the front control buttons and LCD configuration 35 Verify connection 35 Using the command line interface 35 Configuring the FortiGate unit ...

Page 5: ... to a new firmware version 49 Upgrading the firmware using the web based manager 49 Upgrading the firmware using the CLI 50 Reverting to a previous firmware version 51 Reverting to a previous firmware version using the web based manager 51 Reverting to a previous firmware version using the CLI 52 Installing firmware images from a system reboot using the CLI 53 Restoring the previous configuration ...

Page 6: ...FortiGate 800 and FortiGate 800F FortiOS 3 0MR4 Install Guide 6 01 30004 0269 20070215 Contents ...

Page 7: ...t Management System uses Fortinet s Dynamic Threat Prevention System DTPS technology which leverages breakthroughs in chip design networking security and content analysis The unique ASIC based architecture analyzes content and behavior in real time enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks About the FortiGate units ...

Page 8: ...ess to technical support Fortinet Family Products Fortinet offers a family of products that includes both software and hardware appliances for a complete network security solution including mail logging reporting network management and security along with FortiGate Unified Threat Management Systems For more information on the Fortinet product family visit the Fortinet web site at www fortinet com ...

Page 9: ...content inspection capabilities to detect the most advanced email threats FortiAnalyzer FortiAnalyzer provides network administrators with the information they need to enable the best protection and security for their networks against attacks and vulnerabilities The FortiAnalyzer unit features include collects logs from FortiGate devices and syslog devices generates hundreds of reports using colle...

Page 10: ...f managed FortiGate devices The FortiManager System emphasizes ease of use including easy integration with third party systems About this document This document explains how to install and configure your FortiGate unit onto your network This document also includes how to install and upgrade new firmware versions on your FortiGate unit This document contains the following chapters Installing the Fo...

Page 11: ...Administration Guide Provides basic information about how to configure a FortiGate unit including how to define FortiGate protection profiles and firewall policies how to apply intrusion prevention antivirus protection web content filtering and spam filtering and how to configure a VPN FortiGate online help Provides a context sensitive and searchable version of the Administration Guide in HTML for...

Page 12: ...Gate PPTP VPN User Guide Explains how to configure a PPTP VPN using the web based manager FortiGate Certificate Management User Guide Contains procedures for managing digital certificates including generating certificate requests installing signed certificates importing CA root certificates and certificate revocation lists and backing up and restoring installed certificates and private keys FortiG...

Page 13: ... grey straight through Ethernet cable Fortinet part number CC300249 one RJ 45 to DB 9 serial cable Fortinet part number CC300247 one power cable SFP transceivers FortiGate 800F only two 19 inch rack mount brackets FortiGate 800 QuickStart Guide or FortiGate 800F QuickStart Guide Fortinet Tools and Documentation CD Figure 1 FortiGate 800 package contents Esc Enter CONSOLE I N T E R N A L E X T E R ...

Page 14: ...x 12 5 x 1 75 in 42 7 x 30 5 x 4 5 cm Weight 10 lb 4 5 kg Power requirements Power dissipation 300W max AC input voltage 100 to 240 VAC AC input current 6A Frequency 50 to 60Hz The FortiGate 800 and FortiGate 800F units may overload your supply circuit and impact your overcurrent protection and supply wiring Use appropriate equipment nameplate ratings to address this concern Make sure the FortiGat...

Page 15: ...dapter to the power cable 4 Connect the power cable to a power outlet 5 Turn on the power switch After a few seconds SYSTEM STARTING appears on the LCD The main menu setting appears on the LCD when the system is running The FortiGate unit starts and the Power LEDs light up Table 2 FortiGate 800 and FortiGate 800F LED indicators Menu Fortigat NAT Standalone LED Status Description Power Green The Fo...

Page 16: ...browser The web based manager supports multiple languages You can use the web based manager to configure most FortiGate settings and monitor the status of the FortiGate unit Front control buttons and LCD You can use the front control buttons and LCD on the FortiGate unit to configure IP addresses default gateways and switch operating modes The LCD shows you what mode you are in without having to g...

Page 17: ... remote clients whenever they initiate a HTTPS connection to the FortiGate unit When you connect the FortiGate unit displays two security warnings in a browser The first warning prompts you to accept and optionally install the FortiGate unit s self signed security certificate If you do not accept the certificate the FortiGate unit refuses the connection If you accept the certificate the FortiGate ...

Page 18: ...ort the RJ 45 to DB 9 serial cable included in your FortiGate package terminal emulation software such as HyperTerminal for Microsoft Windows To connect to the CLI 1 Connect the RJ 45 to DB 9 serial cable to the communications port of your computer and to the FortiGate console port 2 Start HyperTerminal enter a name for the connection and select OK 3 Configure HyperTerminal to connect directly to ...

Page 19: ...s The following table defines each button and what it does when configuring the basic settings of your FortiGate unit Table 4 Front control button definitions Using the front control buttons and LCD When the main menu is displayed you can begin to configure the IP addresses netmasks default gateways and if required change the operating mode Use the following procedures as a guide when configuring ...

Page 20: ...ps to configure netmasks and default gateways To change the operating mode 1 Make sure the LCD displays the main menu setting 2 Press Enter to select the interfaces 3 Press the up and down buttons to highlight the menu To Bridge Mode 4 Press Enter to change to Transparent mode The FortiGate unit changes to Transparent mode This may take a few minutes 5 The LCD should display the following Figure 5...

Page 21: ...orm additional configuration tasks such as setting system time configuring virus and attack definition updates and registering the FortiGate unit The factory default firewall configuration includes a single network address translation NAT policy that allows users on your internal network to connect to the external network and stops users on the external network from connecting to the internal netw...

Page 22: ...unt User name Password admin none IP 192 168 1 99 Internal interface Netmask 255 255 255 0 Administrative Access HTTPS Ping IP 192 168 100 99 External interface Netmask 255 255 255 0 Administrative Access Ping IP 10 10 10 1 DMZ interface Netmask 255 255 255 0 Administrative Access HTTPS Ping IP 0 0 0 0 HA Netmask 0 0 0 0 Administrative Access Ping IP 0 0 0 0 Port 1 Netmask 0 0 0 0 Administrative A...

Page 23: ...n settings are included in the default firewall configuration to make it easier to add firewall policies Table 7 Factory default firewall configuration Administrator account User name admin Password none Management IP IP 0 0 0 0 Netmask 0 0 0 0 DNS Primary DNS Server 65 39 139 53 Secondary DNS Server 65 39 139 63 Internal HTTPS Ping External Ping DMZ HTTPS Ping Administrative access Port 1 Ping Po...

Page 24: ...services to use the same or different protection profiles Protection profiles can be added to NAT Route mode and Transparent mode firewall policies The FortiGate unit comes preconfigured with four protection profiles Restoring the default settings Should you need to start again you can revert to the factory default settings if you change a network setting and are unable to recover from it Strict T...

Page 25: ...web based manager To reset the default settings 1 Go to System Status 2 In the Unit Information display select Reset Restoring the default settings using the CLI To reset the default settings enter the following command execute factoryreset Note If you want to restore factory default settings using the front control buttons and LCD see LCD and front control buttons on page 19 ...

Page 26: ...FortiGate 800 and FortiGate 800F FortiOS 3 0MR4 Install Guide 26 01 30004 0269 20070215 Restoring the default settings Factory defaults ...

Page 27: ...t it to provide and how you want it to control the traffic flowing between its interfaces Your configuration plan depends on the operating mode you select You can configure the FortiGate unit in one of two modes NAT Route mode the default or Transparent mode You can also configure the FortiGate unit and the network it protects using the default settings NAT Route mode In NAT Route mode the FortiGa...

Page 28: ...redundant interface to the external network usually the Internet You must configure routing to support redundant Internet connections Routing can automatically redirect connections from an interface if its connection to the external network fails Otherwise security policy configurations is similar to a NAT Route mode configuration with a single Internet connection You would create NAT mode firewal...

Page 29: ...IPSec VPN virus scanning IPS web filtering and Spam filtering You can connect up to eight network segments to the FortiGate unit to control traffic between these network segments Figure 8 Example Transparent mode configuration Internet DMZ network DMZ 10 10 10 2 10 10 10 23 Internal network Internal 192 168 1 1 192 168 1 3 Route mode policies controlling traffic between Internal networks NAT polic...

Page 30: ... access is enabled for that interface You can use the following procedures to disable ping access for the external interface of a FortiGate unit You can use the same procedure for any FortiGate interface You can also use the same procedure in NAT Route or Transparent mode To disable ping administrative access from the web based manager 1 Log into the FortiGate web based manager 2 Go to System Netw...

Page 31: ...e complexity of the configuration access and equipment and the type of interface you are most comfortable using Table 10 NAT Route mode settings Administrator Password Internal IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ External IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ HA IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ Port 1 IP _____ _____ _____ _____ ...

Page 32: ...tiGate unit settings For more information about connecting to the web based manager see Connecting to the web based manager on page 16 Configuring basic settings After connecting to the web based manager you can use the following procedures to complete the basic configuration of the FortiGate unit To add change the administrator password 1 Go to System Admin Administrators 2 Select the Change Pass...

Page 33: ...this route 3 Select Create New 4 Select Destination IP to 0 0 0 0 5 Set Mask to 0 0 0 0 6 Set Gateway to the default gateway IP address 7 Set Device to the interface connected to the external network 8 Select OK Verifying the web based manager configuration To verify access settings go to the interface you want to verify and select the edit icon The Administrative Access field should have check ma...

Page 34: ...k 7 Press Enter and change the Netmask 8 After you set the last digit of the Netmask press Enter 9 Press Esc to return to the main menu setting Adding a default gateway using the LCD The default gateway is usually configured for the interface connected to the Internet To add a default gateway to an interface 1 Press Enter to display the interface list 2 Use the down arrow key to highlight the name...

Page 35: ...an also configure the FortiGate unit using the command line interface CLI For information about connecting to the CLI see Connecting to the CLI on page 18 Configuring the FortiGate unit to operate in NAT Route mode Use the information you gathered in Table 10 on page 31 to complete the following procedures To add change the administrator password 1 Log into the CLI 2 Change the admin administrator...

Page 36: ...xternal interface to use PPPoE config system interface edit external set mode pppoe set connection enable set username name_str set password psswrd end 2 Use the same syntax to set the IP address of each FortiGate interface as required 3 Confirm that the addresses are correct Enter get system interface The CLI lists the IP address netmask and other settings for each of the FortiGate interfaces To ...

Page 37: ...teway is connected to Port 1 which is a user defined external interface config router static edit 1 set dst 0 0 0 0 0 0 0 0 set gateway 204 23 1 2 set device port1 end Verifying the CLI configuration To verify access settings enter the following CLI command show system interface The terminal emulation program should show the interface vdom IP address allow access and type settings of the FortiGate...

Page 38: ...ernet Connect to the public switch or router provided by your ISP If you are a DSL or cable subscriber connect the External interface to the internal or LAN connection of your DSL or cable modem 3 Optionally connect the DMZ interface to the DMZ network You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal netwo...

Page 39: ...FortiGate unit in Transparent mode This section includes the following topics Preparing to configure Transparent mode Using the web based manager Using the front control buttons and LCD Using the command line interface Connecting the FortiGate unit to your network Preparing to configure Transparent mode Use Table 12 on page 39 to gather the information you need to customize mode settings You can c...

Page 40: ...arent mode To configure DNS server settings 1 Go to System Network Options 2 Enter the IP address of the primary DNS server 3 Enter the IP address of the secondary DNS server 4 Select Apply Using the front control buttons and LCD Use the information you recorded in Table 12 on page 39 to complete this procedure Begin the following procedure when the main menu setting is displayed on the LCD To cha...

Page 41: ... entered from the front control buttons and LCD should be displayed Verify connection To verify your connection try the following browse to www fortinet com retrieve or send email from your email account If you cannot browse the website or retrieve send email from your account review the previous steps to ensure all information was entered correctly and try again Using the command line interface A...

Page 42: ... fwdintf internal end To configure DNS server settings Set the primary and secondary DNS server IP addresses Enter config system dns set primary address_ip set secondary address_ip end Reconnecting to the web based manager When the FortiGate unit has switched to Transparent mode reconnect to the web based manager using the new IP address Browse to https followed by the new IP address If you connec...

Page 43: ...tly and try again Next steps Use the following information to configure FortiGate system time and antivirus and attack definition updates Refer to the FortiGate Administration Guide for complete information on configuring monitoring and maintaining your FortiGate unit Set the date and time For effective scheduling and logging the FortiGate system date and time must be accurate You can either manua...

Page 44: ...ld wide network of FortiGuard Distribution Servers FDS When the FortiGate unit connects to the FDN it connects to the nearest FDS To do this all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit You can update your antivirus and IPS signatures using the web based manager or the CLI Before you can beg...

Page 45: ...the System FortiGuard Center page lists new version information for antivirus definitions The System Status page also displays new dates and version numbers for the antivirus definitions Messages are recorded to the event log indicating whether the update was successful or not Updating the IPS signatures from the CLI Use the following procedure to update IPS signatures To update IPS signatures usi...

Page 46: ...ver If you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server add the IP address of an override FortiGuard server in either the web based manager or the CLI To add an override server from the web based manager 1 Go to System Maintenance FortiGuard Center 2 Select the blue arrow for AntiVirus and IPS Downloads to expand the options 3 Select the Use ...

Page 47: ... the FortiGate unit cannot connect to the override server Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit from connecting to the override FortiGuard server To add an override server using the CLI 1 Log into the CLI 2 Enter the following command config system autoupdate override set address set status end ...

Page 48: ...FortiGate 800 and FortiGate 800F FortiOS 3 0MR4 Install Guide 48 01 30004 0269 20070215 Next steps Configuring the FortiGate unit ...

Page 49: ...n or to a more recent build of the same firmware version Upgrading the firmware using the web based manager Use the following procedures to upgrade the FortiGate unit to a new firmware version To upgrade the firmware using the web based manager 1 Copy the firmware image file to your management computer 2 Log into the web based manager as the admin administrative user 3 Go to System Status 4 Under ...

Page 50: ...2 168 1 168 execute ping 192 168 1 168 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit execute restore image name_str tftp_ip4 Where name_str is the name of the firmware image file and tftp_ip is the IP address of the TFTP server For example if the firmware image file name is image out and the IP address of the TFTP server is 192 168 1 168 enter ...

Page 51: ...ous FortiOS version for example reverting from FortiOS v3 0 to FortiOS v2 80 you might not be able to restore the previous configuration from the backup configuration file To revert to a previous firmware version using the web based manager 1 Copy the firmware image file to the management computer 2 Log into the FortiGate web based manager 3 Go to System Status 4 Under System Information Firmware ...

Page 52: ...ation see the FortiGate Administration Guide If you are reverting to a previous FortiOS version for example reverting from FortiOS v3 0 to FortiOS v2 80 you might not be able to restore the previous configuration from the backup configuration file To revert to a previous firmware version using the CLI 1 Make sure the TFTP server is running 2 Copy the firmware image file to the root directory of th...

Page 53: ...tiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts This process takes a few minutes 8 Reconnect to the CLI 9 To confirm the new firmware image has been loaded enter get system status 10 To restore your previous configuration if needed use the command execute restore config name_str tftp_ip4 11 Update antivirus and attack definitions For inform...

Page 54: ... is running 3 Copy the new firmware image file to the root directory of the TFTP server 4 Make sure the internal interface is connected to the same network as the TFTP server 5 To confirm the FortiGate unit can connect to the TFTP server use the following command to ping the computer running the TFTP server For example if the IP address of the TFTP server is 192 168 1 168 execute ping 192 168 1 16...

Page 55: ...P address the FortiGate unit can use to connect to the TFTP server The IP address can be any IP address that is valid for the network the interface is connected to Make sure you do not enter the IP address of another device on this network The following message appears Enter File Name image out 11 Enter the firmware image filename and press Enter The TFTP server uploads the firmware image file to ...

Page 56: ...lling a configuration file and a firmware image file on a system reboot The USB Auto Install feature uses a configuration file and a firmware image file that is on the FortiUSB key and on a system reboot checks if these files need to be installed If so the FortiGate unit installs the configuration file and firmware image file directly from the key to the unit Backup and Restore from the FortiUSB k...

Page 57: ... firmware version Do you want to continue y n 3 Type y Using the USB Auto Install feature The USB Auto Install feature automatically updates the FortiGate configuration file and image file on a system reboot Also this feature provides you with an additional backup if you are unable to save your system settings before shutting down or rebooting your FortiGate unit The following procedures use both ...

Page 58: ...ion settings get system status Additional CLI Commands for the FortiUSB key Use the following CLI commands when you want to delete a file from the FortiUSB key list what files are on the key including formatting the key or renaming a file exec usb disk list exec usb disk delete filename exec usb disk format exec usb disk rename old_filename1 old_filename2 Testing a new firmware image before instal...

Page 59: ... sure the internal interface is connected to the same integer as the TFTP server You can use the following command to ping the computer running the TFTP server For example if the TFTP server s IP address is 192 168 1 168 execute ping 192 168 1 168 5 Enter the following command to restart the FortiGate unit execute reboot 6 As the FortiGate unit reboots press any key to interrupt the system startup...

Page 60: ...as the TFTP server but make sure you do not use the IP address of another device on the network The following message appears Enter File Name image out 11 Enter the firmware image file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear FortiGate unit running v2 x BIOS Do You Want To Save The Image Y n Type n Forti...

Page 61: ...sing the CLI 50 upgrading using the web based manager 49 Fortinet Family Products FortiBridge 10 FortiClient 9 FortiGuard 8 FortiLog 9 FortiMail 9 FortiManager 10 FortiReporter 9 FortiUSB key additional CLI commands 58 backup and restore 56 USB Auto Install 57 front control buttons and LCD 19 I installing firmware 53 L LCD front control buttons 19 LED indicators description 15 M Mechanical loading...

Page 62: ...uling updates 45 upgrading firmware using the CLI 50 firmware using the web based manager 49 USB Auto Install 57 using front control buttons and LCD 34 40 using the web based manager 32 40 V verifying CLI configuration 37 connection CLI 37 connection LCD 35 41 connection web based manager 33 35 LCD and front control buttons 35 41 web based manager config 33 W web based manager connecting 16 ...

Page 63: ...www fortinet com ...

Page 64: ...www fortinet com ...