
FortiGate

Version 4.0

Administration Guide

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.

Summary of Contents for Gate 60D

Page 1: ...FortiGate Version 4 0 Administration Guide Visit http support fortinet com to register your FortiGate product By registering you can receive product updates technical support and FortiGuard services...

Page 2: ...rtinet Inc Trademarks Dynamic Threat Prevention System DTPS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam For...

Page 3: ...s new in FortiOS 4 0 27 FortiOS 4 0 FortiGate models and features supported 28 UTM features grouped under new UTM menu 29 Data Leak Prevention 29 Application Control 29 SSL content scanning and inspec...

Page 4: ...e over HTTPS 39 Adding non standard ports for firewall authentication 39 Dynamically assigning VPN client IP addresses from a RADIUS record 40 DHCP over route based IPSec VPNs 40 SNMP upgraded to v3 0...

Page 5: ...ion 80 Viewing operational history 81 Manually updating FortiGuard definitions 82 Viewing Statistics 83 Viewing the session list 83 Viewing Content Archive information on the Statistics widget 84 View...

Page 6: ...15 Changing the management VDOM 116 Configuring global and VDOM resource limits 116 VDOM resource limits 117 Global resource limits 118 System Network 119 Interfaces 119 Switch Mode 122 Interface sett...

Page 7: ...Transparent mode virtual domains and VLANs 156 Troubleshooting ARP Issues 157 System Wireless 159 FortiWiFi wireless interfaces 159 Channel assignments 160 IEEE 802 11a channel numbers 160 IEEE 802 11...

Page 8: ...199 Alert Mail replacement messages 199 Spam replacement messages 200 Administration replacement message 200 Authentication replacement messages 201 FortiGuard Web Filtering replacement messages 202 I...

Page 9: ...es 250 CRL 251 Importing a certificate revocation list 251 System Maintenance 253 About the Maintenance menu 253 Backing up and restoring 254 Basic backup and restore options 255 Upgrading and downgra...

Page 10: ...RIP 289 Viewing and editing basic RIP settings 290 Selecting advanced RIP options 292 Configuring a RIP enabled interface 293 OSPF 294 Defining an OSPF AS Overview 295 Configuring basic OSPF settings...

Page 11: ...firewall policies 331 Endpoint Compliance Check options 336 DoS policies 337 Viewing the DoS policy list 337 Configuring DoS policies 338 Firewall policy examples 339 Scenario one SOHO sized business...

Page 12: ...tual IPs 378 Adding a virtual IP with port translation only 379 Virtual IP Groups 380 Viewing the VIP group list 380 Configuring VIP groups 380 IP pools 381 IP pools and dynamic NAT 382 IP Pools for f...

Page 13: ...Guaranteed bandwidth and maximum bandwidth 423 Traffic priority 424 Traffic shaping considerations 424 Configuring traffic shaping 425 SIP support 427 VoIP and SIP 427 The FortiGate unit and VoIP sec...

Page 14: ...on 456 Signatures 456 Viewing the predefined signature list 457 Using display filters 458 Custom signatures 459 Viewing the custom signature list 459 Creating custom signatures 459 Protocol decoders 4...

Page 15: ...onfiguring FortiGuard Web Filtering 488 Viewing the override list 488 Configuring administrative override rules 489 Creating local categories 491 Viewing the local ratings list 491 Configuring local r...

Page 16: ...ist 520 Adding and configuring DLP compound rules 520 Application Control 523 What is application control 523 FortiGuard application control database 523 Viewing the application control lists 524 Crea...

Page 17: ...Tool widget 563 Tunnel Mode widget 564 User 567 Getting started User authentication 567 Local user accounts 568 Configuring Local user accounts 568 Remote 571 RADIUS 571 Configuring a RADIUS server 5...

Page 18: ...Gate models that support WAN optimization 604 Configuring WAN optimization 605 How list order affects rule matching 606 Moving a rule to a different position in the rule list 607 Configuring a WAN opt...

Page 19: ...installer download 642 Viewing and configuring the software detection list 643 Monitoring endpoints 644 Log Report 647 FortiGate logging 647 FortiGuard Analysis and Management Service 648 FortiGuard A...

Page 20: ...4 Viewing log information 664 Customizing the display of log messages 665 Column settings 666 Filtering log messages 667 Content Archive 667 Content archiving and data leak prevention 668 Configuring...

Page 21: ...ed networking features such as high availability active active active passive for maximum network uptime and virtual domain capabilities to separate various networks requiring different security polic...

Page 22: ...sts and describes some of the new features and changes in FortiOS Version 4 0 Web based manager introduces the features of the FortiGate web based manager and explains how to connect to it It also inc...

Page 23: ...tions and traffic between FortiGate interfaces zones and VLAN subinterfaces Firewall Address describes how to configure addresses and address groups for firewall policies Firewall Service describes av...

Page 24: ...eb based manager Document conventions Fortinet technical documentation uses the conventions described below IP addresses To avoid publication of public IP addresses that belong to Fortinet or any othe...

Page 25: ...t takes to resolve your technical support ticket by providing your configuration file a network diagram and other specific information For a list of required information see the Fortinet Knowledge Cen...

Page 26: ...h as technical notes In addition to the Fortinet Technical Documentation web site you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD and on the Fortinet Knowledge...

Page 27: ...rs Adding IPS sensors to a DoS policy from the CLI One arm IDS sniffer mode IPS interface policies for IPv6 IPS Packet Logging Enhanced Antispam Engine ASE WCCP v2 support Any interface for firewall p...

Page 28: ...e information in this section is subject to change Table 2 New FortiOS 4 0 feature support Feature FortiGate Models WAN optimization 51B 111C 310B 620B 3016B 3600A 3810A 5001A SW SSL Content Scanning...

Page 29: ...rtiGate unit to detect and take action against network traffic depending on the application generating the traffic Based on FortiGate Intrusion Protection protocol decoders application control is a mo...

Page 30: ...ins a hard disk drive these files are cached to more efficiently serve downloads to multiple end points Go to Endpoint Control FortiClient to see the software and antivirus signature versions that the...

Page 31: ...ks can be detected and blocked before the firewall sees the packets So system resources are not affected by denial of service attacks All attacking traffic can be filtered out before being accepted by...

Page 32: ...se processing the packets To configure one arm IDS you enable sniffer mode on a FortiGate interface and connect that interface to a hub or to the SPAN port of a switch that is processing network traff...

Page 33: ...Network to add new antispam techniques without requiring a FortiOS firmware update You can also update the ASE manually using the following CLI command execute restore ase ftp sftp filename server use...

Page 34: ...rtiGate interface IP address to the cache servers If all cache servers connect to the same FortiGate interface interface_ipv4 can be 0 0 0 0 and the FortiGate unit uses the IP address of that interfac...

Page 35: ...es organized by source and destination interfaces In FortiOS 4 0 this is called Section View You can also switch to Global View to list all firewall policies in order according to a sequence number Th...

Page 36: ...from other VIPs To configure load balance VIPs go to Firewall Load Balance In previous releases of FortiOS you created VIP mappings between one or more real servers and an external IP address In Fort...

Page 37: ...ttings have been added to protection profiles and familiar configuration settings in protection profiles have been reorganized For a complete description of FortiOS 4 0 protection profiles see Configu...

Page 38: ...rd determines the length of the hold down period during which the software watchdog monitors critical software processes before concluding they have stabilized Rogue Wireless Access Point detection Fo...

Page 39: ...l authentication By default when a communication session is accepted by an identity based firewall policy the user must authenticate with the firewall by using the FTP HTTP HTTPS or Telnet protocol to...

Page 40: ...s In previous releases of FortiOS you could use DHCP to assign IP addresses to dialup clients on policy based IPSec VPNs only In FortiOS 4 0 DHCP is also available to dialup clients on route based IPS...

Page 41: ...ogs provide more information about the FortiGate unit operation including event log for VPN tunnel up down IPSec SSL PPTP VPNs including authenticated user name local and remote IP addresses event log...

Page 42: ...Web filtering HTTP POST traffic blocking or comforting HTTP post traffic What s new in FortiOS 4 0 FortiGate Version 4 0 Administration Guide 42 01 400 89802 20090424 http docs fortinet com Feedback...

Page 43: ...running a web browser you can connect to the FortiGate web based manager to configure and manage the FortiGate unit The recommended minimum screen resolution for the management computer is 1280 by 102...

Page 44: ...Selecting Online Help on the button bar displays help for the current web based manager page You can use the FortiGate command line interface CLI to configure the same FortiGate settings that you can...

Page 45: ...ears The credentials entered are encrypted before they are sent to the FortiGate unit If you choose to accept the certificate permanently the warning is not displayed again Just before the FortiGate l...

Page 46: ...hinese Changing administrative access to your FortiGate unit Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings The default conf...

Page 47: ...However you can use the following steps to change this idle timeout To change the web based manager idle timeout 1 Go to System Admin Settings 2 Change the Idle Timeout minutes as required 3 Select Ap...

Page 48: ...eceive product updates technical support and FortiGuard services To register a Fortinet product go to Product Registration and follow the instructions Backing up your FortiGate configuration The Backu...

Page 49: ...ation settings apply only to a FortiGate unit operating with virtual domains enabled If you are not operating your FortiGate unit with virtual domains enabled you can ignore the VDOM and Global icons...

Page 50: ...cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed When y...

Page 51: ...press the Enter key on your keyboard or select Go The search results pane lists the names of all the online help pages that contain all the words that you entered Select a name from the list to displ...

Page 52: ...w a different tab select the tab The procedures in this manual direct you to a page by specifying the menu item the submenu item and the tab for example 1 Go to System Network Interface Figure 10 Part...

Page 53: ...n added to a user group you must first remove the user from the user group see Figure 11 Figure 11 A web based manager list read write access If you log in as an administrator with an admin profile th...

Page 54: ...d filters to a web based manager list by selecting any filter icon to display the Edit Filters window From the Edit Filters window you can select any column name to filter and configure the filter for...

Page 55: ...To view the session list go to System Status In the Statistics section beside Sessions select Details Figure 14 A session list with a numeric filter set to display sessions with source IP address in t...

Page 56: ...columns that can contain only specific items for example a log message severity or a pre defined signature action you can select a single item from a list In this case you can only filter on a single...

Page 57: ...page 315 intrusion protection predefined signatures list see Viewing the predefined signature list on page 457 web filtering lists see Web Filter on page 475 antispam lists see Antispam on page 495 Fi...

Page 58: ...oints on page 644 Log and report log access lists see Accessing Logs on page 662 To change column settings on a list that supports it select Column Settings From Available fields select the column hea...

Page 59: ...o provide even more control of the information displayed by the list For example you can go to Intrusion Protection Signature Predefined and configure the Intrusion Protection predefined signatures li...

Page 60: ...erface is up and the interface accepts traffic Change Password Change the administrator password This icon appears in the Administrators list if your admin profile enables you to give write permission...

Page 61: ...ignificant for example firewall policies IPS Sensors and DoS Sensors Last page View the last page of a list Move to Change the position of an item in a list Used in lists when the order of items in th...

Page 62: ...Web based manager icons Web based manager...

Page 63: ...ng status of the FortiGate unit FortiGate administrators whose admin profiles permit write access to system configuration can change or update FortiGate unit information For more information on admin...

Page 64: ...ets not currently shown on the System Status page Any widgets currently on the System Status page will be greyed out in the Add Content menu as you can only have one of each display on the System Stat...

Page 65: ...iGate unit s internal clock Select Change to change the time or configure the FortiGate unit to get the time from an NTP server For more information see Configuring system time on page 78 HA Status Th...

Page 66: ...current firmware installed on the FortiGate unit The format for the firmware version is Select Update to change the firmware For more information see Upgrading to a new firmware version on page 80 For...

Page 67: ...ack definitions To update the definitions manually select Update For more information see Manually updating FortiGuard definitions on page 82 Web Filtering The FortiGuard Web Filtering license license...

Page 68: ...f the interface If you select Reboot or ShutDown a pop up window opens allowing you to enter the reason for the system event You can only have one management and one logging analyzing method displayed...

Page 69: ...indicates there is OFTP communication Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on your FortiGate unit See Logging to a FortiAnalyzer unit on page 650 Fort...

Page 70: ...ore information see Viewing operational history on page 81 CPU Usage The current CPU status displayed as a dial gauge and as a percentage The web based manager displays CPU usage for core processes on...

Page 71: ...ed in the statistics widget is derived from log messages that can be saved to a FortiAnalyzer unit saved locally or backed up to an external source such as a syslog server You can use this data to see...

Page 72: ...time when the counts were last reset Counts are reset when the FortiGate unit reboots or when you select Reset Reset Reset the Content Archive and Attack Log statistic counts to zero Sessions The num...

Page 73: ...o the statistics widget You can configure a protection profile to collect statistics for HTTP HTTPS FTP IMAP POP3 and SMTP traffic If your FortiGate unit supports SSL content scanning and inspection a...

Page 74: ...t performance For this reason when this display is not shown on the dashboard it is not collecting data and not impacting system performance When the display is shown information is only stored in mem...

Page 75: ...ssion protocol such as tcp or udp source address and port destination address and port the ID of the policy if any that applies to the session how long until the session expires which virtual domain t...

Page 76: ...d with this source IP address if available In the table display format this will be a separate column Display UserName is available only when the sort criteria is Source Address Resolve Host Name Sele...

Page 77: ...ver the last hour day and month This feature can help you locate peaks in traffic that you need to address as well as their frequency duration and other information Only one interface at a time can be...

Page 78: ...rtiGate 800 unit Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name System Time The current FortiGate system date and time Refresh Upd...

Page 79: ...ding a local hard disk a local USB disk or the FortiGuard Network For more information about using the USB disk and the FortiGuard Network see System Maintenance on page 253 Figure 39 Firmware Upgrade...

Page 80: ...Firmware Version line 5 Type the path and filename of the firmware image file or select Browse and locate the file 6 Select OK The FortiGate unit uploads the firmware image file upgrades to the new fi...

Page 81: ...process takes a few minutes 7 Log into the web based manager 8 Go to System Status and check the Firmware Version to confirm that the firmware is successfully installed 9 Restore your configuration F...

Page 82: ...or AS Rule Set field of the FortiGuard Subscriptions select Update 4 Select Browse and locate the update file or type the path and filename 5 Select OK to copy the update file to the FortiGate unit T...

Page 83: ...sion list First Page Select to go to the first displayed page of current sessions Previous Page Select to go to the page of sessions immediately before the current page Page Enter the page number of t...

Page 84: ...s 2 In the Content Archive section select Details for HTTP Viewing Email content information 1 Go to System Status 2 In the Content Archive section select Details for Email Policy ID The number of the...

Page 85: ...out sessions matched by DLP rules You can select the Details link beside each attack type to view more information You can select Reset on the header of the Statistics section to clear the content arc...

Page 86: ...Date and Time The time that the attack was detected From The source of the attack To The target host of the attack Service The service type Attack The type of attack that was detected and prevented D...

Page 87: ...g area The viewport control at the bottom right of the topology page represents the entire drawing area The darker rectangle represents the viewport Drag the viewport rectangle within the viewport con...

Page 88: ...e firewall address that you select and is connected by a line to the interface associated with that address See Adding a subnet object on page 89 Insert Text Select this control and then click on the...

Page 89: ...in firewall policies Connect to interface Select the interface or zone to associate with this address If the field already displays a name changing the setting changes the interface or zone associated...

Page 90: ...u selected an image as Background resize the diagram to fit within the image Background One of Solid A solid color selected in Background Color U S Map A map of the United States World Map A map of th...

Page 91: ...w the release notes for the patch release Download the patch release Back up the current configuration Install the patch release using the procedure Testing firmware before upgrading on page 94 Test t...

Page 92: ...ortiGuard Analysis and Management Service If you want to encrypt your configuration file to save VPN certificates select the Encrypt configuration file check box enter a password and then enter it aga...

Page 93: ...ftp_username ftp_passwd encrypt_passwd Backing up your configuration to a USB key If your FortiGate unit has a USB port you can back up your current configuration to a USB key When backing up a confi...

Page 94: ...eady downloaded the firmware image to your management computer To test the firmware image before upgrading 1 Copy the new firmware image file to the root directory of the TFTP server 2 Start the TFTP...

Page 95: ...ce Backup and Restore This option enables you to have two firmware images such as FortiOS 3 0 MR7 and FortiOS 4 0 available for downgrading or upgrading If the upgrade was not successful go to Reverti...

Page 96: ...mware image to your management computer To upgrade to FortiOS 4 0 through the CLI 1 Copy the new firmware image file to the root directory of the TFTP server 2 Start the TFTP server 3 Log in to the CL...

Page 97: ...sed manager instead log in to the web based manager and go to System Maintenance FortiGuard Verifying the upgrade After logging back in to the web based manager most of your FortiOS 3 0 MR7 configurat...

Page 98: ...settings VDOM parameters settings admin user account session helpers system accprofiles If you created additional settings in FortiOS 4 0 make sure to back up the current configuration before downgra...

Page 99: ...following procedure assumes that you have already downloaded the firmware image to your management computer To downgrade through the CLI 1 Copy the new firmware image file to the root directory of the...

Page 100: ...t to continue y n 7 Type y The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts This process takes a few minutes After the FortiGate unit up...

Page 101: ...ration from either a Local PC FortiManager or FortiGuard if your FortiGate unit is configured for FortiGuard Analysis and Management Service 4 If required enter your password for the configuration fil...

Page 102: ...tings For example if the backed up configuration file is confall and the IP address of the TFTP server is 192 168 1 168 and the password is ghrffdt123 execute restore allconfig confall 192 168 1 168 g...

Page 103: ...tration Continued security maintenance Savings in physical space and power Easier administration VDOMs provide separate security domains that allow separate zones user authentication firewall policies...

Page 104: ...e NAT Route or Transparent can be selected independently for each VDOM For a complete list of shared configuration settings see Global configuration settings on page 107 Savings in physical space and...

Page 105: ...nitor on page 167 Wireless Rogue AP Rogue AP detection on page 168 DHCP service Configuring DHCP services on page 172 DHCP Address Leases Viewing address leases on page 175 Config Operation mode NAT R...

Page 106: ...tory Service on page 579 PKI PKI on page 581 User Group User Group on page 583 Options Settings on page 228 Monitor Monitoring administrators on page 229 Log Report Logging configuration FortiGate log...

Page 107: ...a new firmware version on page 80 System Status page or Managing firmware versions on page 91 Network Interfaces and VLAN subinterfaces Interfaces on page 119 and VLAN overview on page 150 You config...

Page 108: ...page 168 Config HA HA on page 177 Config SNMP SNMP on page 185 Config Replacement messages Replacement messages on page 194 Admin Administrators Administrators on page 209 You can add global administ...

Page 109: ...for incoming and outgoing traffic Availability of the associated tasks depends on the permissions of the admin If you are using a super_admin profile account you can perform all tasks If you are usin...

Page 110: ...VDOMs you must first create them When using multiple VDOMs it can be useful to assign fewer resources to some VDOMs and more resources to others This VDOM resource management will result in better Fo...

Page 111: ...haracters This name cannot be changed 6 Optionally enter a comment for the VDOM up to a maximum of 63 characters 7 Select OK Working with VDOMs and global settings When you log in as admin and virtual...

Page 112: ...ent VDOM It cannot be deleted or changed to disabled it is always active Name The name of the VDOM Operation Mode The VDOM operation mode either NAT or Transparent When a VDOM is in Transparent mode S...

Page 113: ...with all virtual interfaces the speed of the link depends on the CPU load but generally it is faster than physical interfaces There are no MTU settings for inter VDOM links DHCP support includes inte...

Page 114: ...tmask for this interface 9 Select the administrative access method or methods Keep in mind that PING TELNET and HTTP are less secure methods 10 Optionally enter a description for this interface 11 Rep...

Page 115: ...its own resources you need to create an administrator account for that VDOM A VDOM admin can change configuration settings within that VDOM but cannot make changes that affect other VDOMs on the Forti...

Page 116: ...agement VDOM To change the management VDOM 1 Go to System VDOM 2 From the list of VDOMs select the VDOM to be the new management VDOM This list is located to the immediate left of the Apply button 3 S...

Page 117: ...esource limits 1 Go to System VDOM 2 Select Create New enter a name and then select OK or select the Edit icon of an existing VDOM 3 Modify the values described in the table below as required 4 Select...

Page 118: ...view or set global resource limits go to System VDOM Global Resources Select the Edit icon to change any settings Figure 51 Configuring global resource limits Resource Description of the resource Conf...

Page 119: ...nfiguring zones Configuring the modem interface Configuring Networking Options Web Proxy Routing table Transparent Mode VLAN overview VLANs in NAT Route mode VLANs in Transparent mode Interfaces In NA...

Page 120: ...and interface mode Switch mode combines the internal interfaces into one switch with one address Interface mode gives each internal interface its own address Before switching modes all configuration...

Page 121: ...n configuration is enabled you can view information only for the interfaces that are in your current virtual domain unless you are using the super admin account If VDOMs are enabled you will be able t...

Page 122: ...OMs Pair one two interfaces that are joined together such as 2 VDOM links Virtual Domain The virtual domain to which the interface belongs This column is visible only to the super admin and only when...

Page 123: ...ecting the Create New arrow enables you to create Inter VDOM links For more information on Inter VDOM links see Inter VDOM links on page 113 Some types of interfaces such as loopback interfaces can on...

Page 124: ...Interfaces System Network Figure 56 Create New Interface settings Figure 57 Edit Interface settings...

Page 125: ...s by adding up to three wireless interfaces for a total of four wireless interfaces Other models support creation of VLAN interfaces only and have no Type field You cannot change the type of an existi...

Page 126: ...ce for PPPoE on page 131 IP Netmask Enter the IP address subnet mask in the IP Netmask field The IP address must be on the same subnet as the network to which the interface connects Two interfaces can...

Page 127: ...ot have a DHCP server or relay configured on it it does not have any VLAN subinterfaces it is not referenced in any firewall policy VIP IP Pool or multicast policy it is not an HA heartbeat interface...

Page 128: ...he aggregate interface and move it to the Selected Interfaces list 6 If this interface operates in NAT Route mode you need to configure addressing for it For information about dynamic addressing see C...

Page 129: ...rface it has no defined IP address and is not configured for DHCP or PPPoE it has no DHCP server or relay configured on it it does not have any VLAN subinterfaces it is not referenced in any firewall...

Page 130: ...By default low end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled These settings allow for easy out of the box con...

Page 131: ...e Enter the administrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the relative priority of a route when there are m...

Page 132: ...P address for the interface If your ISP has assigned you a block of IP addresses use one of them Otherwise this IP address can be the same as the IP address of another interface or can be any IP addre...

Page 133: ...d remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel enable administrative access through the IPSec interface enter a descrip...

Page 134: ...command to configure a loopback interface called loop1 with an IP address of 10 0 0 10 is config system interface edit loop1 set type loopback set ip 10 0 0 10 255 255 255 0 end For more information...

Page 135: ...s are HTTPS and SSH You can allow remote administration of the FortiGate unit running in NAT Route mode but allowing remote administration from the Internet could compromise the security of the FortiG...

Page 136: ...n VLAN configurations see the VLAN and VDOM guide To change the MTU size of the packets leaving an interface 1 Go to System Network Interface 2 Choose a physical interface and select Edit 3 Below Admi...

Page 137: ...manager through this secondary IP PING Allow secondary IP to respond to pings Use this setting to verify your installation and for testing HTTP Allow HTTP connections to the web based manager through...

Page 138: ...2 Select Create New or select the Edit icon for a zone 3 Select name and interfaces 4 Select OK Access The administrative access methods for this address They can be different from the primary IP add...

Page 139: ...modem through a USB to serial converter For these models you must configure modem operation using the CLI Initially modem interfaces are disabled and must be enabled in the CLI to be visible in the we...

Page 140: ...When enabled a user can dial into the unit s modem and perform administration actions as if logged in over one of the standard interfaces This feature is enabled in the CLI using config system dialins...

Page 141: ...are routed to the modem interface The modem disconnects after the idle timeout period if there is no network activity You cannot select Dial on demand if Auto dial is selected Idle timeout Standalone...

Page 142: ...ct the name of the interface in the modem configuration and configure a ping server for that interface You must also configure firewall policies for connections between the modem interface and other F...

Page 143: ...to configure static routes to route traffic to the modem interface For example if the modem interface is acting as the FortiGate unit external interface you must set the device setting of the FortiGat...

Page 144: ...tion in Dialup Accounts 4 Select Apply 5 Select Dial Now The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP To disconnect from a dialup account 1 Go to System...

Page 145: ...ptions include DNS server and dead gateway detection settings To configure network options 1 Go to System Network Options 2 Enter primary and secondary DNS servers 3 Enter local domain name 4 Enter De...

Page 146: ...erver for that interface To add a ping server to an interface 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Set Ping Server to the IP address of the next hop router on the n...

Page 147: ...610 To enable explicit web proxy on an interface go to System Network Interface select the interface and enable explicit web proxy If VDOMs are enabled only interfaces that belong to the current VDOM...

Page 148: ...Enable to include the Client IP Header from the original HTTP request Via Header Enable to include the Via Header from the original HTTP request X forwarded for Header Enable to include the X Forward...

Page 149: ...routing table is located at System Network Routing Table Adding a static route in Transparent Mode 1 Ensure your FortiGate unit is in Transparent mode For more details see Changing operation mode on...

Page 150: ...n connect with other devices in VLAN 1 but cannot connect with devices in other VLANs The communication among devices on a VLAN is independent of the physical network A VLAN segregates devices by addi...

Page 151: ...re network and IPSec VPN traffic between security domains The FortiGate unit can also apply policies protection profiles and other firewall features for network and VPN traffic that is allowed to pass...

Page 152: ...is the same as the relationship between any two FortiGate network interfaces Rules for VLAN IP addresses IP addresses of all FortiGate interfaces cannot overlap That is the IP addresses of all interfa...

Page 153: ...Enter a Name to identify the VLAN subinterface 4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface 5 Enter the VLAN ID that matches the VLAN ID of the pa...

Page 154: ...the internal interface and another VLAN subinterface to the external interface If these VLAN subinterfaces have the same VLAN IDs the FortiGate unit applies firewall policies to the traffic on this V...

Page 155: ...virus scanning web content filtering and other services to each VLAN Figure 78 FortiGate unit in Transparent mode VLAN1 VLAN2 VLAN3 Internal External VLAN Switch or router VLAN Switch or router VLAN...

Page 156: ...g virtual domains on page 103 Adding a VLAN subinterface in Transparent mode To add a VLAN subinterface 1 Go to System Network Interface 2 Select Create New 3 Enter a Name to identify the VLAN subinte...

Page 157: ...nk the packets originated from two different devices which is generally an attempt to hack into the network This is true especially in Transparent mode where ARP packets arriving on one interface are s...

Page 158: ...VLANs in Transparent mode System Network FortiGate Version 4 0 Administration Guide 158 01 400 89802 20090424 http docs fortinet com Feedback...

Page 159: ...rent security settings For details on adding wireless interfaces see Adding a wireless interface on page 163 You can configure the FortiWiFi unit to Provide an access point that clients with wireless...

Page 160: ...EEE 802 11a wireless standard 802 11a is only available on FortiWiFi 60B units All channels are restricted to indoor usage except in the Americas where both indoor and outdoor use is permitted on chan...

Page 161: ...4 Ghz Band channel numbers Channel number Frequency MHz Regulatory Areas Americas EMEA Israel Japan 1 2412 2 2417 3 2422 4 2427 5 2432 6 2437 7 2442 8 2447 9 2452 10 2457 11 2462 12 2467 13 2472 14 24...

Page 162: ...ode you can add up to three virtual wireless interfaces All wireless interfaces use the same wireless parameters That is you configure the wireless settings once and all wireless interfaces use those...

Page 163: ...a channel for your wireless network or select Auto The channels that you can select depend on the Geography setting See Channel assignments on page 160 for channel information Tx Power Set the transm...

Page 164: ...et as a manual address Enter a valid IP address and netmask If the FortiWiFi is running in Transparent mode this field does not appear The interface will be on the same subnet as the other interfaces...

Page 165: ...ect a data encryption method You must also enter a pre shared key containing at least 8 characters or select a RADIUS server If you select a RADIUS server the wireless clients must have accounts on th...

Page 166: ...ds go to System Wireless MAC Filter Managing the MAC Filter list The MAC Filter list enables you to view the MAC addresses you have added to a wireless interface and their status either allow or deny...

Page 167: ...ng the wireless network MAC Address Enter the MAC address to add to the list Add Add the entered MAC address to the list Remove Select one or more MAC addresses in the list and select Remove to delete...

Page 168: ...t until you mark them as either Accepted or Rogue access points This designation helps you to track access points It does not affect anyone s ability to use these access points Rx KBytes The amount of...

Page 169: ...k indicates an active access point A grey X indicates that the access point is inactive SSID The wireless service set identifier SSID or network name for the wireless interface MAC Address The MAC add...

Page 171: ...a relay for connections of the same type regular or IPSec You can configure one or more DHCP servers on any FortiGate interface A DHCP server dynamically assigns IP addresses to hosts on the network...

Page 172: ...the DHCP server settings to match Figure 89 DHCP service list FortiGate 200A shown IP Range 192 168 1 110 to 192 168 1 210 Netmask 255 255 255 0 Default gateway 192 168 1 99 Lease time 7 days DNS Ser...

Page 173: ...figure a DHCP server 1 Go to System DHCP Service 2 Select blue arrow for the interface 3 Select the Add DHCP Server icon to create a new DHCP server or select the Edit icon beside an existing DHCP ser...

Page 174: ...DHCP clients Domain Enter the domain that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for an unlimited lease time or enter the interval in days hours and minutes after which a...

Page 175: ...3 DNS servers that the DHCP server assigns to DHCP clients WINS Server 1 WINS Server 2 Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients Option 1 Option 2 O...

Page 177: ...n of HA web based manager configuration options the HA cluster members list HA statistics and disconnecting cluster members If you enable virtual domains VDOMs on the FortiGate unit HA is configured g...

Page 178: ...Note FortiGate HA is not compatible with PPP protocols such as PPPoE FortiGate HA is also not compatible with DHCP If one or more FortiGate unit interfaces is dynamically configured using DHCP or PPPo...

Page 179: ...nit can have two device priorities one for each virtual cluster During HA negotiation the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster C...

Page 180: ...erface of another cluster unit that still has a connection to the network This other cluster unit becomes the new primary unit Port monitoring also called interface monitoring is disabled by default L...

Page 181: ...ach virtual cluster To display the virtual cluster members list for an operating cluster log in as the global admin administrator and go to System Config HA Figure 96 Example FortiGate 5001SX virtual...

Page 182: ...ster units Priority The device priority of the cluster unit Each cluster unit can have a different device priority During HA negotiation the unit with the highest device priority becomes the primary u...

Page 183: ...conds since the cluster unit was last started Monitor Displays system status information for each cluster unit CPU Usage The current CPU status of each cluster unit The web based manager displays CPU...

Page 184: ...onnect a cluster unit from a functioning cluster without disrupting the operation of the cluster Figure 99 Disconnect a cluster member Peer View and optionally change the subordinate unit host name Pr...

Page 185: ...prietary Fortinet and FortiGate Management Information Base MIB files A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager These MIBs provide the informati...

Page 186: ...sses of up to 8 SNMP managers to each community SNMP Agent Enable the FortiGate SNMP agent Description Enter descriptive information about the FortiGate unit The description can be up to 35 characters...

Page 187: ...Figure 101 SNMP community options part 1 Figure 102 SNMP community options part 2 Note When the FortiGate unit is in virtual domain mode SNMP traps can only be sent on...

Page 188: ...Interface Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit You only have to select the interface if the SNMP manager is not on the same subnet...

Page 189: ...indicates if it is found in the Fortinet MIB or the FortiGate MIB The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information...

Page 190: ...r supply failure detected Not available on all models Available on some devices which support redundant power supplies Interface IP change fnTrapIpChange The IP address for an interface has changed Th...

Page 191: ...s been blocked fgAvTrapVirName The virus name that triggered the event Table 19 FortiGate HA traps Trap message Description HA switch fgTrapHaSwitch The specified cluster member has transitioned from...

Page 192: ...ember Serial Serial number of an HA cluster member fgHaStatsTable Statistics for the individual FortiGate unit in the HA cluster fgHaStatsIndex The index number of the unit in the cluster fgHaStatsSer...

Page 193: ...ess of the active IP session fgIpSessFromPort The source port of the active IP session UDP and TCP only fgIpSessToAddr The destination IPv4 address of the active IP session fgIpSessToPort The destinat...

Page 194: ...gateway used by the tunnel fgVpnTunEntRemGwyPort The port of the remote gateway used by the tunnel if it is UDP fgVpnTunEntLocGwyIp The IP of the local gateway used by the tunnel fgVpnTunEntLocGwyPor...

Page 195: ...to display the replacement messages for that category Select the Edit icon beside each replacement message to customize that message for your requirements Figure 103 Replacement messages list Note Di...

Page 196: ...editing a replacement message Different replacement messages have different sets of fields and options You can customize the following categories of replacement messages Mail replacement messages HTTP...

Page 197: ...ofile antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked This message replaces the first fragment of the fragmented email Data leak prevention message In a DLP sensor a r...

Page 198: ...ata leak prevention message In a DLP sensor a rule with action set to Block replaces a blocked web page or file with this web page Banned by data leak prevention message In a DLP sensor a rule with ac...

Page 199: ...message is displayed whenever the banned user attempts to access until the user is removed from the banned user list Table 31 FTP replacement messages Message name Description Virus message Antivirus...

Page 200: ...et the alert email Minimum log level Table 33 Spam replacement messages Message name Description Email IP Spam Filtering IP address BWL check enabled for an email protocol in a protection profile iden...

Page 201: ...nd controls not found on other replacement messages Users see the authentication login page when they use a VPN or a firewall policy that requires authentication You can customize this page in the sam...

Page 202: ...oes not re direct the user to a redirect URL or the firewall policy does not include a redirect URL When a firewall user selects the button on the disclaimer page to decline access through the FortiGa...

Page 203: ...89 The OVRD_FORM tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page Do not remove this tag from the replacement message Table 36 IM and P2P repl...

Page 204: ...to include an email address or other contact information or if applicable a note about how long the user can expect to be blocked For more information about NAC quarantine see NAC quarantine and the B...

Page 205: ...ing HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80 Table 37 NAC quarantine replacement messages Message name Des...

Page 206: ...g override form and should not be used in other replacement messages PROTOCOL The protocol http ftp pop3 imap or smtp in which a virus was detected PROTOCOL is added to alert email virus messages QUAR...

Page 207: ...access In Transparent mode you configure a single management IP address that applies to all interfaces in your VDOM that permit management access The FortiGate also uses this IP address to connect to...

Page 208: ...t access can be via HTTP HTTPS telnet or SSH sessions if those services are enabled on the interface HTTPS and SSH are preferred as they are more secure You can allow remote administration of the Fort...

Page 209: ...or with any admin profile other than super_admin A regular administrator account has access to configuration options as determined by its Admin Profile If virtual domains are enabled the regular admin...

Page 210: ...vileges super_admin_readonly This profile cannot be deleted or changed similar to the super_admin The read only super_admin profile is suitable in a situation where it is necessary for a system admini...

Page 211: ...here can only be one VDOM override user per system For more information see the FortiGate CLI Reference Viewing the administrators list You need to use the default admin account an account with the su...

Page 212: ...ontrol to create a new administrator To create a new administrator go to System Admin Administrators and select Create New To configure the settings for an existing administrator select the Edit icon...

Page 213: ...er Group The administrator user group cannot be deleted once the group is selected for authentication This is available only if Type is Remote or PKI Wildcard Select to allow all accounts on the RADIU...

Page 214: ...rvers provide authentication authorization and accounting functions FortiGate units use the authentication and authorization functions of the RADIUS server To use the RADIUS server for authentication...

Page 215: ...RADIUS server secret The RADIUS server administrator can provide this information 6 Optionally provide information regarding a secondary RADIUS server custom authentication scheme and a NAS IP Called...

Page 216: ...DAP is an Internet protocol used to maintain authentication data that may include departments people groups of people passwords email addresses printers etc If you have configured LDAP support and an...

Page 217: ...The domain name or IP address of the LDAP server Server Port The TCP port used to communicate with the LDAP server Common Name Identifier The common name identifier for the LDAP server Distinguished...

Page 218: ...ices via one or more centralized servers If you have configured TACACS support and an administrator is required to authenticate using a TACACS server the FortiGate unit contacts the TACACS server for...

Page 219: ...ticates using PAP MSCHAP and CHAP in that order 7 Select OK For further information about TACACS authentication see Configuring TACACS servers on page 578 To create the user group TACACS 1 Go to User...

Page 220: ...strator to be included in the user group create a user group To view the PKI user list go to User PKI Figure 113 Example PKI user list To configure a PKI user 1 Go to User PKI 2 Select Create New or s...

Page 221: ...ative access In addition to knowing the password an administrator must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you defin...

Page 222: ...System Admin Central Management System Admin Settings Antivirus Configuration UTM AntiVirus Auth Users User Firewall Configuration Firewall FortiGuard Update System Maintenance FortiGuard IM P2P VoIP...

Page 223: ...th Users authgrp user Firewall Configuration fwgrp firewall Use the set fwgrp custom and config fwgrp permission commands to set some firewall permissions individually You can make selections for poli...

Page 224: ...wing the admin profiles list You need to use the admin account or an account with Admin Users read write access to create or edit admin profiles To view the admin profiles list go to System Admin Admi...

Page 225: ...Select Create New or select the Edit icon beside an existing profile Enter or select the following and select OK Figure 115 Admin profile options Create New Add a new admin profile Profile Name The na...

Page 226: ...for FortiGuard Analysis and Management Service you can also remotely upgrade the firmware on the FortiGate unit Figure 116 Central Management using FortiManager Figure 117 Central Management using the...

Page 227: ...ement for this FortiGate unit You can select FortiManager or the FortiGuard Analysis and Management Service FortiManager Select to use FortiManager as the central management service for the FortiGate...

Page 228: ...CD equipped models only SCP capability for users logged in via SSH IPv6 support on the web based manager To configure settings go to System Admin Settings enter or select the following and select OK F...

Page 229: ...improve security keep the idle timeout at the default value of 5 minutes Display Settings Language The language the web based manager uses Choose from English Simplified Chinese Japanese Korean Spani...

Page 230: ...other for IPv6 addressed packets For more information see the FortiGate IPv6 Support Technical Note available from the Fortinet Knowledge Center Before you can work with IPv6 on the web based manager...

Page 231: ...as part of the administrator admin profile New admin profiles are based on the default layout The FortiGate default layout cannot be modified Terms used in this section include Dialog box HTML layer...

Page 232: ...ive access to Log Report items for the Report Profile profile and prevent access to the default layout Note The current administrator Access Control settings apply only to the fixed components of the...

Page 233: ...t access to the default layout items set Access Control to None for all items except Log Report 3 Under GUI Control Menu Layout select Standard 4 Select OK to save the settings The admin profiles list...

Page 234: ...x for Report Profile In the GUI layout dialog box select the customization drop down menu icon beside System and select hide see Figure 124 Repeat for each menu item except Log Report Select Customize...

Page 235: ...4 Select the Create New Tier 2 icon 3 5 The first Tier 2 menu item with the default name custom menu will appear with an additional Create New Tier 2 icon below it 4 6 Select and rename the default na...

Page 236: ...tab Figure 127 Creating tabs in page layout To modify the configuration of the current page 1 Select the required tab then select Edit Layout The Edit this tab dialog box appears see Figure 128 You ma...

Page 237: ...dd content to the Custom Log Report Tab1 dialog box appears see Figure 129 Figure 129 Add content dialog box The Add content dialog box includes a search feature that you can use to find widgets This...

Page 238: ...an item that you want to include in the tab The item is placed in the page layout behind the Custom Log Report Tab1 dialog box You will see the configured layout when you close the Add content to the...

Page 239: ...Figure 132 Custom Log Report Tab1 page layout preview For the Custom Log Report Tab2 select the following it...

Page 240: ...og Report Tab2 page layout preview To preview a customized layout in the custom GUI layout dialog box select Show Preview see Figure 135 When you have completed the configuration selections for the pa...

Page 241: ...gured the custom GUI To save the configuration select OK to close the Admin Profile dialog box see Figure 121 To view the web based manager configuration created in Report Profile you must log out of...

Page 243: ...tificates see the FortiGate Certificate Management User Guide Table 41 Automatically generated FortiGate certificates Fortinet_Firmware Embedded inside the firmware Signed by Fortinet_CA Same on all F...

Page 244: ...ificate and send it to you to install on the FortiGate unit To view certificate requests and or import signed server certificates go to System Certificates Local Certificates To view certificate detai...

Page 245: ...ificate request go to System Certificates Local Certificates select Generate and complete the fields in the table below To download and send the certificate request to a CA see Downloading and submitt...

Page 246: ...FortiGate unit If you select Domain Name enter the fully qualified domain name of the FortiGate unit Do not include the protocol specification http or any port number or path names If a domain name i...

Page 247: ...computer that has management access to the FortiGate unit To install the signed server certificate go to System Certificates Local Certificates and select Import The certificate file can be in either...

Page 248: ...ote Certificates list To view installed Remote OCSP certificates or import a Remote OCSP certificate go to System Certificates Remote To view certificate details select the View Certificate Detail ico...

Page 249: ...e displayed in the CA Certificates list You cannot delete the Fortinet_CA certificate To view installed CA root certificates or import a CA root certificate go to System Certificates CA Certificates T...

Page 250: ...3 and so on Import Import a CA root certificate See Importing CA certificates on page 250 Name The names of existing CA root certificates The FortiGate unit assigns unique names CA_Cert_1 CA_Cert_2 CA...

Page 251: ...the CRL on a computer that has management access to the FortiGate unit To import a certificate revocation list go to System Certificates CRL and select Import Import Import a CRL For more information...

Page 252: ...URL of the HTTP server LDAP Select to use an LDAP server to retrieve the CRL then select the LDAP server from the list SCEP Select to use an SCEP server to retrieve the CRL then select the Local Certi...

Page 253: ...backups of configuration files or update FortiGuard services The maintenance menu has the following tabs Backup Restore allows you to back up and restore your system configuration file remotely upgra...

Page 254: ...nfiguration to your management PC a central management server or a USB disk You can back up and restore your configuration to a USB disk if the FortiGate unit includes a USB port and if you have conne...

Page 255: ...iguration to The options available for backing up your current configuration Select one of the displayed options Local PC Back up the configuration to the management computer the FortiGate unit is con...

Page 256: ...essfully completion of the backup Restore Restore configuration from The options available for restoring the configuration from a specific file Select one of the displayed options Local PC Restore a c...

Page 257: ...ased by contacting support Additional information including how to register your FortiGate unit for the FortiGuard Analysis and Management Service is available in the FortiGuard Analysis and Management...

Page 258: ...ore options and on uploading and downloading firmware for your FortiGate unit see Managing firmware versions on page 91 Backup The options available for backing up your current configuration to the Fo...

Page 259: ...firmware options go to System Maintenance Backup Restore Note The FortiGuard FortiManager protocol is used when connecting to the FortiGuard Analysis and Management Service This protocol runs over SSL...

Page 260: ...e if you are upgrading to FortiOS 3 0 MR6 and the FortiGate unit is located in North America the firmware version available is v3 0 MR6 NA build 0700 Allow firmware downgrade Select to allow installat...

Page 261: ...tiple versions of configuration files Revision control requires a configured central management server This server can either be a FortiManager unit or the FortiGuard Analysis and Management Service I...

Page 262: ...is and Management Service account The uploaded script files appear on the FortiGuard Analysis and Management Service portal web site After executing scripts you can view the script execution history o...

Page 263: ...elect Apply to upload and execute the file If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service the script will be saved on the server for later use Select From re...

Page 264: ...ces Go to System Maintenance FortiGuard to configure your FortiGate unit to use the FortiGuard Distribution Network FDN and FortiGuard Services The FDN provides updates to antivirus definitions IPS de...

Page 265: ...tiGuard Antispam service FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list a URL black list spam filtering tools contained in an antispam rule set that is...

Page 266: ...ng logging and reporting capabilities for all FortiGate units These services were previously available only on FortiAnalyzer and FortiManager units The subscription based service is available from the...

Page 267: ...vice subscription The status can be Unreachable Not Registered Valid License or Valid Contract The option Subscribe appears if Availability is Not Registered The option Renew appears if Availability h...

Page 268: ...thod used for last attempt to download definition updates for this service Date Local system date when the FortiGate unit last checked for updates for this service Use override server address Select t...

Page 269: ...able scheduled updates Every Attempt to update once every 1 to 23 hours Select the number of hours between each update request Daily Attempt to update once a day You can specify the hour of the day to...

Page 270: ...Port Section Select one of the following ports for your web filtering and antispam requirements Use Default Port 53 Select to use port 53 for transmitting with FortiGuard Antispam servers Use Alterna...

Page 271: ...to update the antivirus including grayware definitions and IPS attack definitions To make sure the FortiGate unit can connect to the FDN 1 Go to System Status and select Change on the System Time lin...

Page 272: ...definitions and engines Messages are recorded to the event log indicating whether the update was successful or not To enable scheduled updates 1 Go to System Maintenance FortiGuard 2 Select the expand...

Page 273: ...message to the FDN The next time new antivirus or IPS attack definitions are released the FDN notifies all FortiGate units that are configured for push updates that a new update is available Within 60...

Page 274: ...e These procedures also include adding port forwarding virtual IP and a firewall policy to the NAT device Figure 161 Example network Push updates through a NAT device The overall process is 1 Register...

Page 275: ...tions from the FDN to the FortiGate unit on the internal network To add a port forwarding virtual IP to the FortiGate NAT device 1 Go to Firewall Virtual IP 2 Select Create New 3 Enter the appropriate...

Page 276: ...e key The license key is entered in System Maintenance License in the Input License Key field This appears only on high end FortiGate models Figure 162 License key for additional VDOMs Source Interfac...

Page 277: ...leave and to which device the packet should be routed As an option you can define route policies Route policies specify additional criteria for examining the properties of incoming packets Using rout...

Page 278: ...figuration permits delivery the FortiGate unit delivers the packet to the local network If the packet is destined for another network the FortiGate unit forwards the packet to a next hop router accord...

Page 279: ...ure the priority field through the CLI The route with the lowest value in the priority field is considered the best route and it is also the primary route The command to set the priority field is set...

Page 280: ...ss for those packets The gateway address specifies the next hop router to which traffic will be routed Working with static routes The Static Route list displays information that the FortiGate unit com...

Page 281: ...ct destination you must edit the factory default configuration and make the router the default gateway for the FortiGate unit Create New Add a static route to the Static Route list For more informatio...

Page 282: ...g specifies the IP address of the next hop router interface to the FortiGate external interface The interface behind the router 192 168 10 1 is the default gateway for FortiGate_1 In some cases there...

Page 283: ...Destination IP mask 192 168 20 0 24 Gateway 192 168 10 1 Device internal Distance 10 Changing the gateway for the default route The default gateway determines where packets matching the default route...

Page 284: ...ct Create New 3 Enter the IP address and netmask For example 172 1 2 0 255 255 255 0 would be a route for all addresses on the subnet 172 1 2 x 4 Enter the FortiGate unit interface closest to this sub...

Page 285: ...conditions the FortiGate unit routes the packet through the specified interface to the specified gateway Figure 167 shows the policy route list belonging to a FortiGate unit that has interfaces named...

Page 286: ...e received Outgoing The interfaces through which policy routed packets are routed Source The IP source addresses and network masks that cause policy routing to occur Destination The IP destination add...

Page 287: ...and network mask to match A value of 0 0 0 0 0 0 0 0 disables the feature Destination Address Mask To perform policy routing based on the IP destination address of the packet type the destination add...

Page 289: ...virtual domains on page 103 Bi Directional Forwarding BFD is a protocol that works with BGP and OSPF to quickly discover routers on the network that cannot be contacted and to re route traffic accordi...

Page 290: ...nit compares two routes to the same destination it adds the route having the lowest hop count to the routing table Similarly when RIP is enabled on an interface the FortiGate unit sends RIP responses...

Page 291: ...on see Configuring a RIP enabled interface on page 293 Advanced Options Select the Expand Arrow to view or hide advanced RIP options For more information see Selecting advanced RIP options on page 292...

Page 292: ...or both Receive Version The versions of RIP used to listen for updates on each interface 1 2 or both Authentication The type of authentication used on this interface None Text or MD5 Passive Permissi...

Page 293: ...ng RIP updates Timeout Enter the maximum amount of time in seconds that a route is considered reachable while no updates are received for the route This is the maximum time the FortiGate unit will kee...

Page 294: ...OSPF area that unit can participate in OSPF communications FortiGate units use the OSPF Hello protocol to acquire neighbors in an area A neighbor is any router that is directly connected to the same area...

Page 295: ...pdates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination Depending on the network topology the entri...

Page 296: ...of the AS definition you specify the AS areas and specify which networks to include those areas You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces To vie...

Page 297: ...s that are part of the network are advertised in OSPF link state advertisements You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space For more informa...

Page 298: ...nt the generation of a default route Regular Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing ta...

Page 299: ...F domain are made known to OSPF AS However the area itself continues to be treated like a stub area by the rest of the AS Regular areas and stub areas including not so stubby areas are connected to th...

Page 300: ...e known to OSPF AS and you want the area to be treated like a stub area by the rest of the AS STUB If the routers in the area must send packets to an area border router in order to reach the backbone...

Page 301: ...he same FortiGate interface could be connected to two neighbors through different subnets You could configure an OSPF interface definition containing one set of Hello and dead interval parameters for...

Page 302: ...Authenticate LSA exchanges using a plain text password The password can be up to 35 characters and is sent in clear text over the network MD5 Use one or more keys to generate an MD5 cryptographic hash...

Page 303: ...sic BGP options Note You can configure graceful restarting and other advanced settings only through CLI commands For more information on advanced BGP settings see the router chapter of the FortiGate C...

Page 304: ...ave a physical or VLAN interface connected to those networks IP Netmask Enter the IP address and netmask of the network to be advertised Add Add the network information to the Networks list Network Th...

Page 305: ...to the RP and data from the source is sent to the RP If an RP for the specified IP's multicast group is already known to the Boot Strap Router BSR the RP known to the BSR is used and the static RP ad...

Page 306: ...also receive identical feeds from two ingress points in the network and route them independently Configure multicast DNAT in the CLI by using the following command config firewall multicast-policy edi...

Page 307: ...or the whole unit and turn it off for one or two interfaces Alternatively you can specifically enable BFD for each neighbor router or interface Which method you choose will be determined by the amount...

Page 308: ...and then disable it for each neighbor that is running the protocol config system settings set bfd enable end config router bgp config neighbor edit ip_address set bfd disable end end Configuring BFD o...

Page 309: ...IP or OSPF The offset list is part of the RIP and OSPF routing protocols For more information about RIP see RIP on page 289 For more information about OSPF see OSPF on page 294 Each rule in an access...

Page 310: ...a key is always available even if there is some difference in the system times RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable For...

Page 311: ...key on that chain Accept Lifetime The start and end time that this key can accept routing packets Start The start time for this key The format is H:M:S M/D/YYYY End The end time for this key The end c...

Page 312: ...destinations using the BGP routing protocol Compared to access lists route maps support enhanced packet matching criteria In addition route maps can be configured to permit or deny the addition of rou...

Page 313: ...must be called by a FortiGate unit routing process Figure 186 Route Map GUI widget For more information on the route map see the router chapter of the FortiGate CLI Reference Route map Enter the name...

Page 315: ...formation see Using virtual domains on page 103 This section describes Viewing routing information Searching the FortiGate routing table Viewing routing information By default all routes are displayed...

Page 316: ...es Type The type values assigned to FortiGate routes Static Connected RIP OSPF or BGP Subtype If applicable the subtype classification assigned to OSPF routes An empty string implies an intra area rou...

Page 317: ...select Connected from the Type list type 172.16.14.0/24 in the Network field and then select Apply Filter to display the associated routing table entry or entries Any entry that contains the word Con...

Page 319: ...y instructions may also include protection profiles which can specify application layer inspection and other protocol specific protection and logging For details on using protection profiles see Firew...

Page 320: ...efore the policy to block FTP all connections including FTP would immediately match the general policy and the policy to block FTP would never be applied This policy order would not have the intended...

Page 321: ...For more information see the FortiOS CLI Reference and the FortiGate Multicast Technical Note Viewing the firewall policy list The firewall policy list displays firewall policies in their order of mat...

Page 322: ...e information see Firewall Address on page 345 Destination The destination address or address group to which the policy applies For more information see Firewall Address on page 345 Schedule The sched...

Page 323: ...IPSec VPN or SSL VPN tunnel respectively and may optionally apply NAT and allow traffic for one or both directions If permitted by the firewall encryption policy a tunnel may be initiated automaticall...

Page 324: ...ct the name of a firewall address to associate with the Source Interface Zone Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy You...

Page 325: ...f Action is set to SSL VPN select the name of the IP address that corresponds to the host server or network that remote clients need to access behind the FortiGate unit Schedule Select a one time or r...

Page 326: ...enabled in User Options Authentication User Authentication Disclaimer Available only on some models and only if Action is set to ACCEPT Select this option to display the Authentication Disclaimer page...

Page 327: ...would then be able to access his or her email Traffic Priority Select High Medium or Low Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic Fo...

Page 328: ...user groups for authentication Note If you do not install certificates on the network user's web browser the network users may see an SSL certificate warning message and have to manually accept the de...

Page 329: ...Traffic If the Log Allowed Traffic option is selected when adding an identity based policy a green check mark appears Otherwise a white cross mark appears Delete icon Select to remove this policy Edit...

Page 330: ...nally select Traffic Shaping and choose a traffic shaper 11 Select OK IPSec firewall policy options In a firewall policy see Configuring firewall policies on page 323 the following encryption options...

Page 331: ...esses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network Outbound NAT Select only in combination with a natip CLI value to translate the source ad...

Page 332: ...P address matching the selected firewall address will be subject to this policy You can also create firewall addresses by selecting Create New from this list For more information see Configuring addre...

Page 333: ...y to accept SSL VPN traffic This option is available only after you have added a SSL VPN user group SSL Client Certificate Restrictive Allow traffic generated by holders of a shared group certificate...

Page 334: ...in the firewall policy To add a service to the list select the name and then select the Right Arrow Selected Services List of services that are included in the firewall policy To remove a service fro...

Page 335: ...shaping configuration to traffic from port2 to port1 Log Allowed Traffic Select to record messages to the traffic log whenever the policy processes a connection You must also enable traffic log for a...

Page 336: ...re evaluated for matches with user groups Tip If you select NAT the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN Note Th...

Page 337: ...licies in their order of matching precedence for each interface source destination address pair and service If virtual domains are enabled on the FortiGate unit DoS policies are configured separately...

Page 338: ...see Adding filters to web based manager lists on page 53 Status When selected the DoS policy is enabled Clear the checkbox to disable the policy ID A unique identifier for each policy Policies are nu...

Page 339: ...ftware company performing development and providing customer support In addition to their internal network of 15 computers they also have several employees who work from home all or some of the time W...

Page 340: ...want to integrate web and email servers into the security solution To deal with their first requirement Company A configures specific policies for each home based worker to ensure secure communicatio...

Page 341: ...gh the FortiGate unit via VPN tunnels Outbound NAT no Protection Profile Select the check mark and select standard_profile Interface Zone Source internal Destination wan1 Address Source CompanyA_netwo...

Page 342: ...catalog server without first going through the firewall The topography at the branch office has all three users accessing the servers at the main branch through non secured internet connections Figur...

Page 343: ...h a FortiGate HA cluster to the servers in a DMZ The public access terminals first go through a FortiWiFi unit where additional policies can be applied to the HA Cluster and finally to the servers The...

Page 344: ...O and SMB Configuration Example Guide FortiGate Enterprise Configuration Example Source Interface Internal Source Address All Destination Interface DMZ Destination Address Servers Schedule Always Acti...

Page 345: ...address groups About firewall addresses A firewall address can contain one or more network addresses Network addresses can be represented by an IP address with a netmask an IP address range or a full...

Page 346: ...wing the firewall address list Firewall addresses in the list are grouped by type IP Netmask FQDN or IPv6 FortiGate unit default configurations include the all address which represents any IP address...

Page 347: ...ly using the address Edit icon Select to edit the address Caution Be cautious if employing FQDN firewall addresses Using a fully qualified domain name in a firewall policy while convenient does presen...

Page 348: ...For example if address A1 is associated with port1 and address A2 is associated with port2 they cannot be grouped However if A1 and A2 have an interface of Any they can be grouped even if the addresse...

Page 349: ...The list of all configured and default firewall addresses Use the arrows to move selected addresses between the lists of available and member addresses Members The list of addresses included in the a...

Page 351: ...ll services separately for each virtual domain For more information see Using virtual domains on page 103 This section describes Viewing the predefined service list Viewing the custom service list Con...

Page 352: ...g TCP 135 UDP 135 DHCP Dynamic Host Configuration Protocol DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts UDP 67 68 DHCP6 Dynamic Host Configuration...

Page 353: ...Service ILS includes LDAP User Locator Service and LDAP over TLS SSL TCP 389 L2TP Layer 2 Tunneling Protocol L2TP is a PPP based tunnel protocol for remote access TCP 1701 UDP 1701 LDAP Lightweight Di...

Page 354: ...puters to connect and use a network service TCP 1812 1813 RAUDIO RealAudio multimedia traffic UDP 7070 RDP Remote Desktop Protocol is a multi channel protocol that allows a user to connect to a networ...

Page 355: ...ocol SMTP is used for sending email messages between email clients and email servers and between email servers TCP 25 SMTPS SMTP with SSL Used for sending email messages between email clients and emai...

Page 356: ...is similar to FTP but without security features such as authentication UDP 69 TIMESTAMP ICMP timestamp request messages ICMP 13 TRACEROUTE A computer network tool used to determine the route taken by...

Page 357: ...The protocol and port numbers for each custom service Delete icon Remove the custom service The Delete icon appears only if the service is not currently being used by a firewall policy Edit icon Edit...

Page 358: ...t OK Figure 214 New Custom Service IP Destination Port Specify the destination port number range for the service by entering the low and high port numbers If the service uses one port number enter thi...

Page 359: ...ervice group to simplify your firewall policy list For example instead of having five identical policies for five different but related firewall services you might combine the five services into a sin...

Page 360: ...oup Name Enter a name to identify the service group Available Services The list of configured and predefined services available for your group with custom services at the bottom Use the arrows to move...

Page 361: ...ate a recurring schedule that activates a policy during a specified period of time For example you might prevent game playing during office hours by creating a recurring schedule that covers office ho...

Page 362: ...dule to block access to the Internet during a holiday To view the one time schedule list go to Firewall Schedule One time Figure 219 One time schedule list Delete icon Remove the schedule from the lis...

Page 363: ...and stop times to 00 Figure 220 New One time Schedule Delete icon Remove the schedule from the list The Delete icon appears only if the schedule is not being used in a firewall policy Edit icon Edit t...

Page 365: ...a NAT firewall policy For details see Configuring virtual IPs on page 370 If you enable virtual domains VDOMs on the FortiGate unit firewall virtual IPs are configured separately for each virtual doma...

Page 366: ...ddress ranges the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses and each IP address in the external range is always translated to the sa...

Page 367: ...gs map 192.168.37.4 to 10.10.10.42 so the FortiGate unit changes the packets addresses The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42 The FortiGate unit make...

Page 368: ...ent In the previous example the NAT check box is checked when configuring the firewall policy If the NAT check box is not selected when building the firewall policy the resulting policy does not perfo...

Page 369: ...mes A physical external IP address can be used as the external VIP IP address Duplicate entries or overlapping ranges are not permitted Viewing the virtual IP list To view the virtual IP list go to Fi...

Page 370: ...nation Address field is a virtual IP Figure 225 Creating a Virtual IP Name Enter or change the name to identify the virtual IP To avoid confusion addresses address groups and virtual IPs cannot have t...

Page 371: ...if Port Forwarding is enabled SSL Offloading Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations then select which segments of the connecti...

Page 372: ...net is mapped to 10.10.10.42 on a private network Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42 by the FortiGate unit The computers on the Internet...

Page 373: ...ed for 192.168.37.5 are translated and sent to 10.10.10.43 and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44 The computers on the Internet are unaware of this translation an...

Page 374: ...OK Name static_NAT_range External Interface wan1 Type Static NAT External IP Address Range The Internet IP address range of the web servers The external IP addresses are usually static IP addresses o...

Page 375: ...t forwarding for a single IP address and a single port The IP address 192.168.37.4 port 80 on the Internet is mapped to 10.10.10.42 port 8000 on a private network Attempts to communicate with 192.168...

Page 376: ...dmz network IP addresses of the web servers 1 Go to Firewall Policy and select Create New 2 Configure the firewall policy Name Port_fwd_NAT_VIP External Interface wan1 Type Static NAT External IP Addr...

Page 377: ...192.168.37.5 rather than a FortiGate unit with a private network behind it Figure 232 Static NAT virtual IP port forwarding for an IP address range and a port range example To add static NAT virtual I...

Page 378: ...ss Range The external IP addresses are usually static IP addresses obtained from your ISP These addresses must be unique not used by another host and cannot be the same as the IP address of the externa...

Page 379: ...translation only When adding a virtual IP if you enter a virtual IP address that is the same as the mapped IP address and apply port forwarding the destination IP address will be unchanged but the po...

Page 380: ...ber VIP IP address es and port number s Viewing the VIP group list To view the virtual IP group list go to Firewall Virtual IP VIP Group Figure 233 VIP Group list Configuring VIP groups To add a VIP g...

Page 381: ...the policy destination interface is the same as the IP pool interface With an IP pool added to the internal interface you can select Dynamic IP pool for policies with the internal interface as the de...

Page 382: ...ent source port translation However selecting fixed port means that only one connection can be supported through the firewall for this service To be able to support multiple connections add an IP pool...

Page 383: ...t Configuring IP Pools To add an IP pool go to Firewall Virtual IP IP Pool 192.168.1.2 172.16.30.11 192.168.1.10 172.16.30.19 192.168.1.11 172.16.30.10 192.168.1.12 172.16.30.11 192.168.1.13 172.16.30...

Page 384: ...d ports must be used Figure 237 Double NAT To allow the local users to access the server you can use fixed port and IP pool to allow more than one user connection while using virtual IP to translate t...

Page 385: ...IP to translate the destination port number and the IP pool to translate the source addresses 1 Go to Firewall Policy 2 Select Create New 3 Configure the firewall policy 4 Select NAT 5 Select OK Name...

Page 386: ...their default route One of the management IPs of the FortiGate unit is set to 192.168.1.99 This configuration results in a typical NAT mode firewall When a PC on the internal network attempts to conn...

Page 387: ...68.1.99/24 end 2 Enter the following command to add an IP pool to the wan1 interface config firewall ippool edit nat-out set interface wan1 set startip 10.1.1.201 set endip 10.1.1.201 end 3 Enter the...

Page 388: ...mode Firewall Virtual IP Note You can add the firewall policy from the web based manager and then u...

Page 389: ...antially more servers can be added behind the FortiGate unit in order to cope with the increased load This section describes How load balancer works Configuring virtual servers Configuring real server...

Page 390: ...tional server is required Round Robin Directs requests to the next server and treats all servers as equals regardless of response time or number of connections Dead servers or non responsive servers a...

Page 391: ...o which the virtual server communicates Load Balance Method Select a load balancing method For more information see Load Balance Method on page 390 Persistence Select a persistence for the virtual ser...

Page 392: ...ther option but still improved over communications without SSL acceleration and can be used in failover configurations where the failover path does not have an SSL accelerator If the server is already...

Page 393: ...ion The limit on the number of active connections directed to a real server If the maximum number of connections is reached for the real server the FortiGate unit will automatically switch all further...

Page 394: ...the interval timeout or retry which are settings common to all types This field is empty if the type of the health check monitor is PING Delete Select to remove the health check monitor configuration...

Page 395: ...s of the existing virtual servers Real Server The IP addresses of the existing real servers Health Status Display the health status according to the health check results for each real server A green a...

Page 397: ...n apply to one or more firewall policies Because protection profiles can be used by more than one firewall policy you can configure one protection profile for the traffic types handled by a set of fir...

Page 398: ...ion Profile in the firewall policy 4 Select the protection profile that you want to apply to the firewall policy The firewall policy will use settings from the protection profile that apply to its Ser...

Page 399: ...P3S and SMTPS traffic To perform SSL content scanning and inspection the FortiGate unit does the following intercepts and decrypts HTTPS IMAPS POP3S and SMTPS sessions between clients and servers Fort...

Page 400: ...ed keys Two encrypted SSL sessions are set up one between the client and the FortiGate unit and a second one between the FortiGate unit and the server Inside the FortiGate unit the packets are decrypt...

Page 401: ...y with another signing CA certificate To do this you need the signing CA certificate file the CA certificate key file and the CA certificate password All SSL content scanning and inspection uses the s...

Page 402: ...FortiGate unit can also apply Antivirus and DLP content inspection and content archiving to HTTPS Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filterin...

Page 403: ...the DLP rules to a DLP sensor See Adding or editing a rule in a DLP sensor on page 513 Go to Firewall Protection Profile Add or edit a protection profile and use Data Leak Prevention Sensor to add th...

Page 404: ...For Displaying content meta information on the system dashboard select HTTPS IMAPS POP3S and SMTPS as required These options display meta information on the Statistics dashboard widget For more inform...

Page 405: ...onitors the default content protocol port numbers for example port 80 for HTTP You can edit the settings for each content protocol and select inspection for all port numbers for that protocol or selec...

Page 406: ...pand Arrow beside Protocol Recognition enter the information as described below and select OK Figure 251 Protection profile Protocol Recognition options SSL content scanning and inspection Figure 252...

Page 407: ...Web URL Filter and Block invalid URLs for HTTPS Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS Deep Scan Decryption on SSL Traffic Select this o...

Page 408: ...s and streams traffic to the destination terminating the stream to the destination if a virus is detected For details on configuring splicing see the splice option for each protocol in the config fire...

Page 409: ...rsize threshold Threshold If the file is larger than the threshold value in megabytes the file is passed or blocked The maximum threshold for scanning in memory is 10% of the FortiGate unit's RAM Allow...

Page 410: ...hat the download has been blocked The number of URLs in the cache is limited by the size of the cache FTP and HTTP client comforting steps The following steps show how client comforting works for an F...

Page 411: ...time For more information about overrides see Web Filter on page 475 You can configure web filtering for HTTP and HTTPS traffic If your FortiGate unit supports SSL content scanning and inspection and...

Page 412: ...ry the score for the web page increases When the total score for a web page equals or exceeds the threshold the page is blocked The default score for content block list entry is 10 and the default thr...

Page 413: ...ava Applet Filter Select to block Java applets Web Resume Download Block Select to block downloading parts of a file that have already been downloaded Enabling this option will prevent the unintention...

Page 414: ...nd Protocol recognition options on page 405 To configure FortiGuard Web Filtering options go to Firewall Protection Profile Select Create New to add a protection profile or the Edit icon beside an exi...

Page 415: ...tails for blocked HTTP 4xx and 5xx errors Display a replacement message for 400 and 500 series HTTP errors If the error is allowed through malicious or objectionable sites can use these common error p...

Page 416: ...URL is blocked because it belongs to the Search Engines category which is blocked With Strict Blocking disabled the URL is allowed because it is classified as Image Search which the profile allows It...

Page 417: ...ing options go to Firewall Protection Profile Select Create New to add a protection profile or the Edit icon beside an existing protection profile Then select the Expand Arrow beside Spam Filtering en...

Page 418: ...ig Replacement Messages and customizing the Spam Spam submission message For more information see Spam replacement messages on page 200 IP address BWL check Select to compare the IP address of email m...

Page 419: ...splice the FortiGate unit simultaneously scans and streams traffic to the destination terminating the stream to the destination if a virus is detected For details on configuring splicing see the splic...

Page 420: ...e 523 To configure application control options go to Firewall Protection Profile Select Create New to add a protection profile or the Edit icon beside an existing protection profile Then select the Ex...

Page 421: ...you enable antivirus protection you could also enable the antivirus protection profile logging options to write an event log message every time a virus is detected by this protection profile For more...

Page 422: ...nt Block Select to log content blocking events URL Filter Select to log blocked and exempted URLs ActiveX Filter Select to log blocked Active X plugins Cookie Filter Select to log blocked cookies Java...

Page 423: ...andwidth Traffic priority Traffic shaping considerations Configuring traffic shaping Guaranteed bandwidth and maximum bandwidth When you enter a value in the Guaranteed Bandwidth field when adding a t...

Page 424: ...esholds have been surpassed frames and packets will be dropped and sessions will be affected in other ways For example incorrect traffic shaping configurations may actually further degrade certain net...

Page 425: ...aper 1 Go to Firewall Traffic Shaping Traffic Shaping 2 Select Create New Figure 269 Creating traffic shapers Create New Add a traffic shaper For more information see To create a traffic shaper on pag...

Page 426: ...e relative priorities of different types of traffic For example a policy for connecting to a secure web server needed to support ecommerce traffic should be assigned a high traffic priority Less impor...

Page 427: ...lso describes how FortiOS SIP support works and how to configure the key SIP features For more configuration information see the FortiGate CLI Reference The FortiGate unit supports the following SIP f...

Page 428: ...to signal the destination SIP client Figure 271 SIP in redirect mode SIP Client A SIP Client B SIP Proxy Server IP Network b example com a example com RTP Session 1 SIP clients register with SIP serve...

Page 429: ...rity The FortiGate intrusion prevention system IPS provides another strategic line of defense particularly against VoIP network predators The IPS has deep packet inspection capabilities to provide con...

Page 430: ...manage NAT The FortiGate unit also supports a variation of this scenario the RTP server hides its real address Figure 274 SIP destination NAT RTP server hidden In this scenario shown in Figure 274 a...

Page 431: ...red so that the SIP phone 219.29.81.20 will connect to 217.233.90.60 The media gateway RTP server 219.29.81.10 will connect to 217.233.90.65 What happens is as follows 1 The SIP phone connects to the...

Page 432: ...ou can enable SIP support set two rate limits enable SIP logging and view SIP statistics using the web based manager You need to configure most features however through the CLI Enabling SIP support an...

Page 433: ...es edit 12 set register-rate 100 set invite-rate 30 end end More about rate limiting FortiGate units support rate limiting for the following types of VoIP traffic Session Initiation Protocol SIP Skinn...

Page 434: ...tion see the FortiGate CLI Reference Turning on SIP tracking The FortiGate SIP ALG Application Level Gateway tracks the SIP session over its life span A SIP session or SIP dialog is normally establish...

Page 435: ...etadata Depending on your log configuration you can view the archived information For more information see Log Report on page 647 From the CLI type the following commands config application list edit...

Page 436: ...erver From the CLI type the following commands config application list edit list_name config entries edit 12 set reg-diff-port enable end end Controlling the SIP ALG You can enable contact fixup so th...

Page 437: ...SIP support Configuring SIP edit 12 set contact-fixup {enable | disable} end end...

Page 439: ...tine view the virus list and configure the grayware list For details see Using virtual domains on page 103 This section describes Order of operations Antivirus tasks Antivirus settings and controls Fi...

Page 440: ...ices The tasks will be discussed in the order that they are applied followed by FortiGuard antivirus File size This task checks if files and email messages exceed configured thresholds It is enabled b...

Page 441: ...if enabled performs tests on the file to detect virus like behavior or known virus indicators In this way heuristic scanning may detect new viruses but may also produce some false positive results Fi...

Page 442: ...ed or disabled Quarantine UTM AntiVirus Quarantined Files Enable or disable quarantining for each protocol File Quarantine is only available on units with a local disk or with a configured FortiAnalyz...

Page 443: ...file will be blocked and a replacement message will be sent to the user If both file filter and virus scan are enabled the FortiGate unit blocks files that match the enabled file filter and does not...

Page 444: ...lf gzip rar tar lzh upx zip cab bzip2 bzip activemime hlp arj base64 binhex uue fsg aspack jad class cod msc petite sis prc unknown ignored Note The unknown type is any file type that is not listed in...

Page 445: ...cribe the list if required Name File filter list name To change the name edit text in the name field and select OK Comment Optional comment To add or edit comment enter text in comment field and selec...

Page 446: ...Firewall Protection Profile Antivirus to enable quarantine for required protocols in the protection profiles For details see Configuring a protection profile on page 404 You can configure a protectio...

Page 447: ...e Antivirus CLI configuration on page 453 If your FortiGate unit supports SSL content scanning and inspection Service can also be IMAPS POP3S SMTPS or HTTPS Apply Select to apply the sorting and filte...

Page 448: ...ere quarantined A rapidly increasing number can indicate a virus outbreak TTL Time to live in the format hh mm When the TTL elapses the FortiGate unit labels the file as EXP under the TTL heading In t...

Page 449: ...ns for HTTP FTP IMAP POP3 SMTP IM and NNTP Traffic If your FortiGate unit supports SSL content scanning and inspection you can also quarantine blocked and infected files from HTTPS IMAPS POP3S and SMT...

Page 450: ...iles list When the limit is reached the TTL column displays EXP and the file is deleted although the entry in the quarantined files list is maintained Entering an age limit of 0 zero means files are s...

Page 451: ...can enable this feature to allow the FortiGate unit to scan for non active viruses For details see Anti Virus options on page 407 To view information about the virus databases go to UTM AntiVirus Vir...

Page 452: ...are populated with known executable files Each time the FortiGate unit receives a virus and attack definitions update the grayware categories and contents are updated To view the grayware list go to...

Page 453: ...sance games that you may want to block from network users HackerTool Block hacker tools Hijacker Block browser hijacking programs Browser hijacking occurs when a spyware type program changes web brows...

Page 454: ...heuristic scanning mode config antivirus quarantine The quarantine command also allows configuration of heuristic related settings This feature is available on models numbered 200 and higher config an...

Page 455: ...guration About intrusion protection The FortiGate unit can log suspicious traffic send alert email messages to system administrators and log pass or block suspicious packets or sessions You can adjust...

Page 456: ...all protection profiles For information about creating IPS sensors see Configuring IPS sensors on page 462 For information about accessing and modifying the protection profile IPS sensor selection see...

Page 457: ...s and whether the signature is enabled by default To view the predefined signature list go to UTM Intrusion Protection Predefined You can also use filters and column settings to display the signatures...

Page 458: ...ormation Low Medium High and Critical Target The target of the signature servers clients or both Protocols The protocol the signature applies to OS The operating system the signature applies to Applic...

Page 459: ...System IPS Guide Viewing the custom signature list To view the custom signature list go to UTM Intrusion Protection Custom Figure 292 The custom signature list Creating custom signatures Use custom s...

Page 460: ...e protocol decoder list To view the decoders and the port numbers that the protocol decoders monitor go to UTM Intrusion Protection Protocol Decoder The decoder list is provided for your reference and...

Page 461: ...licy that controls all of the traffic to and from a web server protected by the FortiGate unit The FortiGuard Service periodically updates the pre defined signatures with signatures added to counter n...

Page 462: ...e first compared to network traffic If the IPS sensor does not find any matches it then compares the signatures in each filter to network traffic one filter at a time from top to bottom If no signatur...

Page 463: ...h the signatures apply Application The applications to which the signatures apply Enable The status of the signatures included in the filter The signatures can be set to enabled disabled or default Th...

Page 464: ...signature Add Custom Override Select to create an override based on a custom signature Current position of each override in the list Name The name of the signature Enable The status of the override A...

Page 465: ...nt to include in the filter from the Available to the Selected list or the Left Arrow to remove previously selected protocols from the filter Quarantine Attackers to Banned Users List Select to enable...

Page 466: ...t the filter in a protection profile applied to a policy An override does not have the ability to affect network traffic until these steps are taken Signature Select the browse icon to view the list o...

Page 467: ...bleshoot a problem the packet log history command allows you to specify how many packets are captured when an IPS signature is found in a packet If the value is set to larger than 1 the packet contain...

Page 468: ...save them To view and save logged packets 1 Go to Log Report Log Access 2 Depending on where the logs are configured to be stored select the appropriate tab Memory Select Memory if logs are stored in the...

Page 469: ...t is capable of detecting and protecting against a number of anomaly attacks You can enable or disable logging for each traffic anomaly and configure the detection threshold and action to take when th...

Page 470: ...ignatures will appear only in the VDOM in which they were created Create New Add a new DoS sensor to the bottom of the list ID A unique identifier for each DoS sensor The ID does not indicate the sequ...

Page 471: ...s traffic to pass when the FortiGate unit detects it or set Block to prevent the traffic from passing Threshold Displays the number of sessions packets that must show the anomalous behavior before the...

Page 472: ...om one source IP address exceeds the configured threshold value the action is executed The threshold is expressed in packets per second tcp_src_session If the number of concurrent TCP connections from...

Page 473: ...on Protection Intrusion protection CLI configuration FortiGate Version 4 0 Administration Guide 01 400 89802 20090424 473 http docs fortinet com Feedback ips global socket size Set the size of the IPS...

Page 475: ...separately for each virtual domain For details see Using virtual domains on page 103 This section describes Order of web filtering How web filtering works Web filter controls Web content block URL fil...

Page 476: ...e FortiGuard ratings Finally the FortiGuard unit applies script filtering for ActiveX Cookie and Java applet which can be configured in Firewall Protection Profile Web Filtering Once you have finished...

Page 477: ...page blocking based on the banned words and patterns in the content block list for HTTP or HTTPS traffic Add words and patterns to block web pages containing those words or patterns Table 49 Web filte...

Page 478: ...rs HTTP only Rate images by URL Blocked images will be replaced with blanks HTTP only Allow web sites when a rating error occurs HTTP only Strict Blocking HTTP only Category Action FortiGuard Web Filt...

Page 479: ...equested web page is checked against the content block list The score value of each pattern appearing on the page is added and if the total is greater than the threshold value set in the protection pr...

Page 480: ...OK Comment Optional comment To add or edit comment enter text in comment field and select OK Create new Select to add a pattern to the web content block list Total The number of patterns in the web c...

Page 481: ...nguage Select a language from the dropdown list Score Enter a score for the pattern Each entry in the web content block list includes a score When you add a web content block list to a protection profi...

Page 482: ...erwise block it To view the web content exempt list go to UTM Web Filter Web Content Exempt Select the Edit icon of the web content block list you want to view Figure 310 Sample web content exempt lis...

Page 483: ...own icon Select to view the next page Remove All Entries icon Select to clear the table Pattern The current list of patterns Select the check box to enable all the patterns in the list Pattern type Th...

Page 484: ...et s Knowledge Center web site http kc forticare com To add a URL filter list to the URL filter list catalog go to UTM Web Filter URL Filter Select Create New Figure 313 New URL Filter list dialog box...

Page 485: ...l comment To add or edit comment enter text in comment field and select OK Create New Select to add a URL to the URL block list Page up icon Select to view the previous page Page down icon Select to v...

Page 486: ...c For information about SSL content scanning and inspection see SSL content scanning and inspection on page 399 HTTP URL formats Type a top level URL or IP address to control access to all pages on a...

Page 487: ...rest FortiGuard Web Filtering Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface FortiGuard Web Filtering includes o...

Page 488: ...er must provide a correct user name and password or the web site remains blocked Authentication is based on user groups and can be performed for local RADIUS and LDAP users For more information about...

Page 489: ...cross indicates that the off site URL option is set to Block which means that the overwrite web page will not display the contents from off site domains For details see Configuring administrative over...

Page 490: ...you set the offsite feature to allow the images on the page will then show up Only users that apply under the scope for the page override can see the images from the temporary overrides The users wil...

Page 491: ...list IP Enter the IP address of the computer initiating the override Profile Select a protection profile from the dropdown list Off site URLs Select Allow or Block See the previous table for details...

Page 492: ...y the URL block list is processed The local ratings override the FortiGuard server ratings and appear in reports as Local Category To create a local rating go to UTM Web Filter Local Ratings Delete ic...

Page 493: ...uard Web Filtering Service Point name cannot be changed using the web based manager Configure all FortiGuard Web Filtering settings using the CLI For more information see the FortiGate CLI Reference f...

Page 495: ...ng URL checking E mail checksum check and Spam submission Updates to the IP reputation and spam signature databases are provided continuously via the global FortiGuard distribution network From the Fo...

Page 496: ...se but enabled on a per profile basis Table 52 describes the Antispam settings and where to configure and access them To access protection profile Antispam options go to Firewall Protection Profile se...

Page 497: ...s You can place an email address anywhere in the list The filter checks each email address in sequence Return e mail DNS check n a Enable or disable checking incoming email return address domain again...

Page 498: ...phrase to the subject or MIME header of tagged email You can choose to log any spam action in the event log For IMAP spam email may be tagged only after the user downloads the entire message by openi...

Page 499: ...threshold value set in the protection profile the FortiGate unit processes the message according to the Spam Action setting in the protection profile The score for a pattern is applied only once even...

Page 500: ...ds Select the check box to enable all the banned words in the list Pattern Type The pattern type used in the banned word list entry Choose from wildcard or regular expression For more information see...

Page 501: ...ss list catalog go to UTM AntiSpam IP Address and select Create New Score Enter a score for the pattern Each entry in the banned word list added to the protection profile includes a score When an email...

Page 502: ...ments Enter a comment to describe the list if required Name Antispam IP address list name To change the name edit text in the name field and select OK Comments Optional comment To add or edit a commen...

Page 503: ...ddress list catalog go to UTM AntiSpam E mail Address To view any individual antispam email address list select the Edit icon for the list you want to see Figure 331 Sample antispam email address list...

Page 504: ...Address and select the Edit icon of the antispam email address list you want to view Figure 333 Sample email address list Profiles The protection profiles each antispam email address list has been ap...

Page 505: ...Current Page The current page number of list items that are displayed Select the left and right arrows to display the first previous next or last page of the IP address list Remove All Entries icon Cl...

Page 506: ...ers use unsecured third party SMTP or SMTPS servers to send unsolicited bulk email Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network These lists act as domain...

Page 507: ...rd boundary In Perl regular expressions the pattern does not have an implicit word boundary For example the regular expression test not only matches the word test but also any word that contains test...

Page 508: ...ny of a, b, and c, such as defg. \d\d Any two decimal digits, such as 42 (same as \d{2}). /i Makes the pattern case insensitive. For example, /bad language/i blocks any instance of "bad language" regardless of case. w...

Page 509: ...r characters between the letters of a word to fool spam blocking software v i a g r o i cr e _01 dit i Block common spam phrases The following phrases are some examples of common phrases found in spam...

Page 511: ...ortiGate unit This section describes how to configure the DLP settings If you enable virtual domains VDOMs on the Fortinet unit data leak prevention is configured separately for each virtual domain Fo...

Page 512: ...tent_Archive All non encrypted email FTP HTTP IM and NNTP traffic is archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service Traffic is only archived No blocking or quaranti...

Page 513: ...ion of the DLP sensor Create New Select Create New to add a new rule or compound rule to the sensor Enable You can disable a rule or compound rule by clearing this check box The item will be listed as...

Page 514: ...banned message and this message is forwarded to the recipient These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list Quaranti...

Page 515: ...r every rule in the compound rule must match the traffic to trigger the configured action Individual rules in a sensor are linked with an implicit OR condition while rules within a compound rule are l...

Page 516: ...Canada SIN Email US SSN Email Visa Mastercard These four rules detect American Express numbers Canadian Social Insurance Numbers U S Social Security Numbers or Visa and Mastercard numbers within the m...

Page 517: ...your FortiGate unit supports SSL content scanning and inspection you can also configure the HTTP rule to apply to HTTPS get or HTTPS post traffic or both For more information about SSL content scanni...

Page 518: ...metadata information is included If you are scanning for text in PDF files use the Scan PDF Text option Binary formatting codes and file information may appear within the text causing text matches to...

Page 519: ...Check the total size of the information transfer In the case of email traffic for example the transfer size includes the message header body and any encoded attachment URL Search for the specified UR...

Page 520: ...ng the individually configurable attributes of multiple rules compound rules allow you to specify far more detailed and specific conditions to trigger an action Viewing the DLP compound rule list To v...

Page 521: ...rule applies HTTP POST GET When the protocol is set to HTTP select whether to have the compound rule apply to POST GET or both types of HTTP transactions FTP PUT GET When the protocol is set to FTP s...

Page 523: ...affic passing through the FortiGate unit Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non standard ports or pr...

Page 524: ...l List and select Create New Enter a name and optionally a comment or description Select OK Since a new application control list is blank the list edit window appears For information on creating appli...

Page 525: ...es First create an entry in which AIM is the specified application Set the action to Pass Then create an entry in which the Category is im the Application is all and the action is Block Since the entr...

Page 526: ...f Application is all every application in the selected category is included Action If the FortiGate unit detects traffic from the specified application the selected action will be taken Logging If tra...

Page 527: ...ent meta information on the system dashboard Select to include meta information detected for the IM system on the FortiGate unit dashboard VoIP options Limit Call Setup Enter the maximum number of cal...

Page 528: ...ol the following user information is listed Current Users Users Since Last Reset Users Blocked Chat For each IM protocol the following chat information is listed Total Chat Sessions Server based Chat...

Page 529: ...total usage of the P2P application Applications set to Block will not affect the statistics Note that the same application can have different actions set in different application control lists In thi...

Page 531: ...an specify manual keys Interface mode supported in NAT Route mode only creates a virtual interface for the local end of a VPN tunnel Use the following configuration procedures for all IPSec VPNs 1 Def...

Page 532: ...ork Interface The names of all tunnels bound to physical aggregate VLAN inter VDOM link or wireless interfaces are displayed under their associated interface names in the Name column For more informat...

Page 533: ...ult gw keyword for the vpn ipsec phase1 interface command in the FortiGate CLI Reference Auto Key You can configure two VPN peers or a FortiGate dialup server and a VPN client to generate unique Inter...

Page 534: ...t how to choose the correct phase 1 settings for your particular situation see the FortiGate IPSec VPN User Guide Figure 351 New Phase 1 Name Type a name to represent the phase 1 definition The maximu...

Page 535: ...t during phase 1 negotiations You must define the same value at the remote peer or client The key must contain at least 6 printable characters and should be known only by network administrators For op...

Page 536: ...ent Dialup Clients Technical Note You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre shared keys If the dialup clients use unique pre shared keys only you ca...

Page 537: ...u cannot configure Interface mode in a Transparent mode VDOM P1 Proposal Select the encryption and authentication algorithms used to generate keys for protecting negotiations Add or delete encryption...

Page 538: ...tiGate unit is a dialup client type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server Enable as Server This is available only if Remote Gat...

Page 539: ...generated automatically using a Diffie Hellman algorithm You can use a number of additional advanced phase 2 settings to enhance the operation of the tunnel To modify IPSec phase 2 advanced parameter...

Page 540: ...d party intercepts a series of IPSec packets and replays them back into the tunnel Enable perfect forward secrecy PFS Enable or disable PFS Perfect forward secrecy PFS improves security by forcing a n...

Page 541: ...dst addr type dst name src addr type and src name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference Source address If the FortiGate unit is a dialup server type the source IP a...

Page 542: ...here is an SA for each direction so for each VPN you must specify two SPIs a local SPI and a remote SPI to cover bidirectional communications between two VPN devices To specify manual keys for creatin...

Page 543: ...128 bit block Cipher Block Chaining CBC algorithm that uses a 128 bit key AES192 a 128 bit block Cipher Block Chaining CBC algorithm that uses a 192 bit key AES256 a 128 bit block Cipher Block Chainin...

Page 544: ...iGate unit Site to site connections between the remote peers do not exist however You can establish VPN tunnels between any two of the remote peers through the FortiGate unit hub In a hub and spoke ne...

Page 545: ...unnels go to User Monitor IPSEC For more information see IPSEC monitor list on page 592 Create New Define a new concentrator for an IPSec hub and spoke configuration For more information see Defining...

Page 547: ...PPTP gateway you can select a PPTP client IP from a local address range or use the server defined in the PPTP user group You select which method to use for IP address retrieval and in the case of the...

Page 548: ...an IP address from the reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP address from the PPTP user group If you use the PPTP user group you must also define th...

Page 549: ...must add a user group before you can select the option See User Group on page 583 IP Mode Select a method of determining the IP address for the PPTP connection Range Enable to specify a local address...

Page 550: ...ess_ipv4 The starting address of the PPTP IP address range 0 0 0 0 status disable enable Enable or disable PPTP VPN disable usrgrp group_name This keyword is available when status is set to enable Ent...

Page 551: ...column format with the ability to modify settings minimize the widget window or other functions depending on the type of content within the widget When users have complete administrative rights over t...

Page 552: ...guring the settings select Apply Figure 361 SSL VPN Settings Note If required you can enable SSL version 2 encryption for compatibility with older browsers through a FortiGate CLI command For more inf...

Page 553: ...r suites that use more than 128 bits to encrypt data Low RC4 64 bits DES and higher If you are not sure which level of SSL encryption the remote client web browser supports select this option to enabl...

Page 554: ...administrator and the system user have the ability to customize the SSL VPN portal This section describes General tab Advanced tab Adding and editing widgets Session Information widget Bookmarks widge...

Page 555: ...s FortiGate Version 4 0 Administration Guide 01 400 89802 20090424 555 http docs fortinet com Feedback Figure 363 Default web portals Default full access web portal Edit button Default tunnel access w...

Page 556: ...ct Advanced The SSL VPN web portal Advanced tab is displayed Use the Advanced tab to configure advanced settings that monitor the SSL VPN clients and apply other advanced settings To edit settings for...

Page 557: ...ow a client to connect to the SSL VPN session only if they are running a third party antivirus or firewall application Client Check AV Select to have the FortiGate unit check for a running antivirus a...

Page 558: ...r example if the latest patch level is 4 and tolerance is 2 clients will be accepted with patch 2 3 4 5 or 6 OK Select to save the configuration If you select OK you exit out of the SSL VPN web portal...

Page 559: ...r Session Information Displays the login name of the user the amount of time the user has been logged in and the inbound and outbound traffic of HTTP and HTTPS Bookmarks Displays configured bookmarks...

Page 560: ...en select Add The Add bookmark window opens When you finish creating the bookmark select OK in the Add bookmark window and then in the Bookmarks widget Figure 368 Bookmarks widget Edit Edit Select to...

Page 561: ...ications Add Select to create a bookmark hyperlink Edit Select to edit an existing bookmark hyperlink When you select Edit a list of existing bookmarks appears Name Enter a name for the bookmark Type...

Page 562: ...okmark hyperlink Edit Select to edit an existing bookmark hyperlink When you select Edit a list of existing bookmarks appears Select the bookmark you want to edit Name The name of the bookmark Type Th...

Page 563: ...save the bookmark configuration Cancel Select to exit the Bookmarks Edit window without saving the new bookmark configuration Edit Select to edit the information in the Connections Tool widget Remove...

Page 564: ...widget Select to close the Tunnel Mode widget and remove it from the web portal home page OK Select OK to save the configuration If you select OK the Tunnel Mode configuration window closes Cancel Sel...

Page 565: ...page web portal Link status Indicates the state of the SSL VPN tunnel Up is displayed when an SSL VPN tunnel with the FortiGate unit has been established Down is displayed when a tunnel connection has...

Page 567: ...r more of the following tasks prior to configuring the user groups Configure local user accounts For each user you can choose whether the password is verified by the FortiGate unit by a RADIUS server...

Page 568: ...th a password stored on the FortiGate unit the user name and password must match a user account stored on the FortiGate unit or with a password stored on an authentication server the user name must ma...

Page 569: ...Note Deleting the user name deletes the authentication configured for the user User Name A name that identifies the user Disable Select to prevent this user from authenticating Password Select to auth...

Page 570: ...ed Note If virtual domains are enabled on the FortiGate unit IM features are configured globally To access these features select Global Configuration on the main menu Create New Add a new user to the...

Page 571: ...tunnel the user must belong to one of the user groups that is allowed access correctly enter a user name and password to prove his or her identity if asked to do so RADIUS Remote Authentication and Di...

Page 572: ...llenge handshake authentication protocol v1 CHAP challenge handshake authentication protocol provides the same functionality as PAP but does not send the password and other user information over the n...

Page 573: ...in length Secondary Server Name IP Enter the domain name or IP address of the secondary RADIUS server if you have one Secondary Server Secret Enter the RADIUS server secret key for the secondary RADI...

Page 574: ...ts to assign the IP address from the RADIUS record first SSL VPN tunnel mode For SSL VPN you implement this feature by adding the Tunnel Mode widget to the SSL VPN portal configuration Go to VPN SSL P...

Page 575: ...rt does not extend to proprietary functionality such as notification of password expiration that is available from some LDAP servers Nor does the FortiGate LDAP supply information to the user about wh...

Page 576: ...ch simple bind using a simple password authentication without a search You can use simple authentication if the user records all fall under one dn If the users are under more than one dn use the anony...

Page 577: ...12 Query icon View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross reference to the Distinguished Name For more information see Using Q...

Page 578: ...cess servers and other networked computing devices via one or more centralized servers TACACS allows a client to accept a user name and password and send a query to a TACACS authentication server The...

Page 579: ...t the following Figure 383 TACACS server configuration Directory Service Windows Active Directory AD and Novell eDirectory provide central authentication services by storing information about network...

Page 580: ...Because the domain controller authenticates users the FortiGate unit does not perform authentication It recognizes group members by their IP address You must install the Fortinet Server Authenticatio...

Page 581: ...valid certificate for successful authentication no user name or password are necessary Firewall and SSL VPN are the only user groups that can use PKI authentication Add User Group Add a user or group...

Page 582: ...er user you need a peer user name the text from the subject field of the certificate of the authenticating peer user or the CA certificate used to authenticate the peer user You can add or modify othe...

Page 583: ...unit authenticates users by requesting each user name and password The FortiGate unit checks local user accounts first If the unit does not find a match it checks the RADIUS LDAP or TACACS servers tha...

Page 584: ...page authorized users can authenticate to access the web page or to allow members of another group to access it For each resource that requires authentication you specify which user groups are permit...

Page 585: ...ncluding the override feature see FortiGuard Web Filter on page 487 For information on configuring user groups see Configuring a user group on page 586 SSL VPN user groups An SSL VPN user group provid...

Page 586: ...oup Firewall Directory Service and SSL VPN For more information see Firewall user groups on page 584 Directory Service user groups on page 585 and SSL VPN user groups on page 585 Members The Local use...

Page 587: ...stration Guide 01 400 89802 20090424 587 http docs fortinet com Feedback Figure 389 User group configuration Firewall Figure 390 User group configuration Directory Service Right Arrow Left Arrow Expan...

Page 588: ...d firewall policies on page 331 Portal Select the SSL VPN web portal configuration to use with the User Group For more information see SSL VPN web portal on page 554 Available Users Groups or Availabl...

Page 589: ...ng information Figure 392 FortiGuard Web Filtering Override configuration Allow to create FortiGuard Web Filtering overrides Select to allow members of this group to request an override on the FortiGu...

Page 590: ...d to HTTPS only you can install customized certificates on the FortiGate unit and the users can also have customized certificates installed on their browsers Otherwise users will see a warning message...

Page 591: ...list SSL VPN monitor list IM user monitor list NAC quarantine and the Banned User list Firewall user monitor list In some environments it is useful to determine which users are authenticated by the F...

Page 592: ...ons on page 60 Clear All Filters Remove all filters applied to the Firewall user monitor list De authenticate All Users Stop authenticated sessions for all users in the Firewall user monitor list User...

Page 593: ...to display the first previous next or last page of monitored VPNs Filter icons Edit the column filters to filter or sort the IPSec monitor list according to the criteria you specify For more informati...

Page 594: ...hich users to allow or block To view the list of active IM users go to User Monitor IM Figure 397 IM user monitor list No The connection identifiers User The user names of all connected remote users S...

Page 595: ...arantine and DLP. You can also use Data Leak Prevention (DLP) sensors to block access and to add users to the Banned User list. However, unlike NAC quarantine, which drops packets at the network layer, DLP b...

Page 596: ...to pre defined and custom overrides in an IPS sensor For more information see Configuring filters on page 464 and Configuring pre defined and custom overrides on page 465 To configure NAC quarantine f...

Page 597: ...nned or quarantined by Data Leak Prevention Set various options in a DLP sensor to add users or IP addresses to the Banned User list For more information see Adding or editing a rule in a DLP sensor o...

Page 599: ...ual domain For details see Using virtual domains on page 103 This section describes Frequently asked questions about FortiGate WAN optimization Overview of FortiGate WAN optimization Configuring WAN o...

Page 600: ...communication session. As of FortiOS 4.0, in a single VDOM, if a firewall policy includes a protection profile, all sessions accepted by the policy are processed by the protection profile and are not pro...

Page 601: ...the WAN is intercepted by a WAN optimization peer This client side WAN optimization peer sets up a WAN optimization tunnel with a server side WAN optimization peer Together these WAN optimization peer...

Page 602: ...tiGate unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted using SSL. Both the plain text and the encrypted tunnels use TCP port 7810. Figure 400 WAN optimiz...

Page 603: ...ses that are always changing as the users travel to different customer sites This configuration is also useful if you have FortiGate units that get external IP addresses using DHCP or PPPoE For more i...

Page 604: ...twork is simpler in this case because client addresses are not involved but the server sees all traffic as coming from the FortiGate unit and not from individual clients FortiGate models that support...

Page 605: ...ring WAN optimization The WAN optimization rule list displays WAN optimization rules in their order of matching precedence If virtual domains are enabled on the FortiGate unit WAN optimization rules a...

Page 606: ...most general prevents rules that match a wide range of traffic from superseding and effectively masking rules that match exceptions Create New Add a new WAN optimization rule New rules are added to t...

Page 607: ...e applied This rule order would not have the intended effect Figure 403 Example secure tunneling for FTP Incorrect rule order Similarly if specific traffic requires exceptional WAN optimization rule s...

Page 608: ...IP address matching this IP address or address range will be accepted by and subject to this rule For a passive rule the server passive source address range should be compatible with the source addres...

Page 609: ...mode if Auto Detect is set to Active or Off You can also select transparent mode for web cache only rules Select transparent mode to keep the original source address of the packets when they are sent...

Page 610: ...t include web caching You can add WAN optimization rules for web caching only You can also add web caching to WAN optimization rules for HTTP traffic that also include byte caching protocol optimizati...

Page 611: ...You add WAN optimization rules that enable web caching only by going to WAN Opt Cache Rule and selecting Create New to add a WAN optimization rule To add a rule that enables web caching only set the...

Page 612: ...server side FortiGate unit so you should also Enable Byte Caching for optimum WAN optimization performance Figure 407 Example client server active passive web cache topology Mode Web Cache Only Sourc...

Page 613: ...FortiGate unit 1 Go to WAN Opt Cache Peer and enter a Local Host ID for the client FortiGate unit 2 Select Create New and add a Peer Host ID and the IP address for the server side FortiGate unit 3 Go...

Page 614: ...caching configuration you create a peer to peer WAN optimization rule on the client side FortiGate unit and include the peer host ID of the server side FortiGate unit In the rule you set Auto Detect t...

Page 615: ...hing SSL offloading secure tunneling and add an authentication group Figure 410 Example peer to peer web cache topology Figure 411 Adding the server side Peer Host ID to the client side peer list Figu...

Page 616: ...different position in the list See Moving a rule to a different position in the rule list on page 607 Figure 413 Adding the client side Peer Host ID to the server side peer list To configure the serve...

Page 617: ...setting WAN optimization auto detect to passive Figure 414 Example complimentary passive server WAN optimization rule Configuring client server active passive WAN optimization You configure client ser...

Page 618: ...e rule to optimize HTTP traffic To configure peers on the client side FortiGate unit and add a firewall policy 1 Go to WAN Opt Cache Peer and enter a Local Host ID for the client side FortiGate unit 2...

Page 619: ...above the CIFS rule in the list See Moving a rule to a different position in the rule list on page 607 Figure 417 HTTP FTP and CIFS rules in the rule list To configure the server side FortiGate unit...

Page 620: ...l request This extra information is required because the server side FortiGate unit does not require a WAN optimization rule All that is required on the server side FortiGate unit is that the client P...

Page 621: ...ost ID and the IP address for the server side FortiGate unit 3 Select OK to save the peer 4 Go to Firewall Policy and add a firewall policy that accepts traffic to be optimized 5 Go to WAN Opt Cache R...

Page 622: ...with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be a single computer, such as 192.45.46.45, a subnetwork, such as 192.168.1.0 for a class C s...

Page 623: ...single file This is usually not a problem across a LAN However across WAN latency and bandwidth reduction can slow down CIFS performance When you set Protocol to CIFS in a WAN optimization rule the F...

Page 624: ...and non compressed versions of the same file separately SSL offloading for WAN optimization and web caching WAN optimization SSL offloading uses the FortiGate unit to encrypt and decrypt SSL sessions...

Page 625: ...server The web server CA is not downloaded from the server side to the client side FortiGate unit Instead the client side FortiGate unit proxies the SSL parameters from the client side to the server...

Page 626: ...reate New to add the WAN optimization rule 6 Select OK to save the rule The rule is added to the bottom of the WAN optimization list 7 If required move the rule to a different position in the list See...

Page 627: ...rver The FortiGate unit intercepts the HTTPS traffic and a web cache only WAN optimization rule with SSL offloading enabled decrypts the traffic before sending it to the web server The FortiGate unit...

Page 628: ...Gate unit The port2 interface is connected to the Internet You could also use a different IP address and route traffic for this IP address to the FortiGate unit port2 interface This example also inclu...

Page 629: ...fferent position in the list See Moving a rule to a different position in the rule list on page 607 To configure the FortiGate unit for SSL offloading of HTTPS traffic The firewall policy added in the...

Page 630: ...st configure and add an authentication group to the WAN optimization rule to use secure tunneling The authentication group configures the certificate or pre shared key parameters required by the secur...

Page 631: ...eer Authentication Group and select Create New 2 Configure the authentication group 3 Select OK to save the authentication group 4 Go to WAN Opt Cache Rule and select Create New 5 Configure a rule to...

Page 632: ...SCSI port is TCP 3260. It's also common for some iSCSI servers to use TCP 860. If required, use the following command to change the iSCSI port to 860:
    config wanopt iscsi
        set iscsi port 860
    end
2 Enter the...

Page 633: ...nstead you can use the following command to list the WAN optimization storages that you have added get wanopt storage web_cache_sto name web_cache_sto partition label 77A2A1AB1D0EF8B7 partition size 3...

Page 634: ...w primary unit must rebuild its web and byte caches As well the new primary unit cannot connect to an iSCSI or SAS partition that was used by the failed primary unit Rebuilding the byte caches can hap...

Page 635: ...ers added to the authentication group When you add the authentication group to a WAN optimization rule only these FortiGate units can authenticate to use this WAN optimization rule Peer s can be any p...

Page 636: ...er, the server side FortiGate unit compares the client side Local Host ID in the tunnel request with the peer name in the server side authentication group. If the names match, authentication is successfu...

Page 637: ...ponse message This message includes the server side Local Host ID and the authentication group that matches the one in the tunnel request The client side FortiGate unit then performs the same authenti...

Page 638: ...caching and protocol optimization Bandwidth Optimization Shows network bandwidth optimization per time Period A line or column chart compares an application s pre optimized LAN data size with its opti...

Page 639: ...ache it is a strong indication that the copy in the cache is stale If so HTTP does a conditional GET to the Overlay Caching Scheme OCS based on the last modified time of the cached object Enable ignor...

Page 640: ...using the ignore PNC option configuration you can lower the impact of the PNC by enabling the revalidate pragma no cache setting When the revalidate pragma no cache setting is enabled a client s non c...

Page 641: ...ion you can also see the applications that are installed on endpoints This section describes Configuring endpoint control Monitoring endpoints Configuring endpoint control Endpoint control requires th...

Page 642: ...minimum required version of the FortiClient application latest available FortiClient version latest available antivirus signature package version the number of times the FortiClient application has b...

Page 643: ...twork The FortiClient application is provided by the FortiGuard Distribution Network The FortiGate unit must be able to access the FortiGuard Distribution Network See Configuring FortiGuard Services o...

Page 644: ...he software detection list on page 643 Name A descriptive name for the application Pattern A pattern to match the application name as it appears in the endpoint s Windows Registry FortiClient matches...

Page 645: ...or Both Compliant endpoints are running the minimum required version of FortiClient or a more recent version To configure the minimum required version of FortiClient see Configuring FortiClient requir...

Page 646: ...acturer of the endpoint Computer Model The model name of the endpoint CPU Model The CPU running on the endpoint Description The description of the endpoint Detected Software The software applications...

Page 647: ...Storing logs Log types Accessing Logs Viewing log information Customizing the display of log messages Content Archive Alert Email Reports FortiGate logging A FortiGate unit can log many different netw...

Page 648: ...FortiGate CLI Reference. In the FortiGate web-based manager, you can view log messages available in system memory, on a FortiAnalyzer unit running firmware version 3.0 or higher, or, if available, the hard...

Page 649: ...ard Analysis and Management Service Administration Guide Log severity levels You can define what severity level the FortiGate unit records logs at when you configure the logging location The FortiGate...

Page 650: ...create reports. This particular log storage solution is available to all FortiGate units running FortiOS 3.0 MR6 or higher through a subscription to the FortiGuard Analysis and Management Service. For...

Page 651: ...Discovery feature This feature allows the FortiGate unit to find a FortiAnalyzer unit that is on the network within the same subnet When you select Automatic Discovery the FortiGate unit uses HELLO pa...

Page 652: ...nalyzer units 7 Select Apply Testing the FortiAnalyzer configuration After configuring FortiAnalyzer settings test the connection between the FortiGate unit and FortiAnalyzer unit to verify both devic...

Page 653: ...roduct name for example FortiAnalyzer 400 FortiGate Device ID The serial number of the FortiGate unit Registration Status The status of whether or not the FortiGate unit is registered with the FortiAn...

Page 654: ...he logging levels see Table 55 Log severity levels on page 649 Logging to a Syslog server A Syslog server is a remote computer running Syslog software and is an industry standard for logging Syslog is...

Page 655: ...ds
    config log webtrends setting
        set server <address_ipv4>
        set status {disable | enable}
    end
Name/IP The domain name or IP address of the syslog server. Port The port number for communication with the syslog...

Page 656: ...
    config log webtrends setting
        set status enable
        set server 172.16.125.99
    end
For more information about setting the options for the types of logs sent to WebTrends, see the Log chapter in the FortiGate...

Page 657: ...u are logging other traffic, the FortiGate unit will incur a higher system load because other traffic logs log individual traffic packets. Fortinet recommends logging firewall policy traffic, since it mi...

Page 658: ...heck protocol header strict
    end
Strict header checking detects invalid raw IP packets by validating packet checksums, and also checks IP headers to make sure they adhere to current standards. The defaul...

Page 659: ...wing logs System Activity event All system related events such as ping server failure and gateway status IPSec negotiation event All IPSec negotiation events such as progress and error reports DHCP se...

Page 660: ...file includes IPS IM P2P and VoIP events that the FortiGate unit records The application control log also includes some IPS activities Before enabling logging of Application Control events verify tha...

Page 661: ...s 1 Go to Firewall Protection Profile 2 Select Edit beside the protection profile that you want 3 Select the Expand Arrow beside Logging to reveal the available options 4 Select the web filtering even...

Page 662: ...st run firmware version 3.0 or higher. Accessing logs stored in memory: you can access logs stored in the FortiGate system memory from the Memory tab. The traffic log type is not available in the Log Typ...

Page 663: ...Log Type stored on the FortiGate hard disk When a log file reaches its maximum size the FortiGate unit saves the log files with an incremental number and starts a new log file with the same name For...

Page 664: ...ort Log Access and then select the tab that corresponds to the log storage device used Remote Memory or Disk If you are logging to the FortiGate unit s hard disk select Edit beside a rolled log file t...

Page 665: ...s displays after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next or l...

Page 666: ...columns 1 Go to Log Report Log Access 2 Select the tab to view logs from Memory Disk or Remote 3 Select a log type from the Log Type list 4 Select the View icon if you are viewing a log file on a Fort...

Page 667: ...in the Filter list You can also select the columns that appear in the Filter list instead of selecting the actual column You can view log messages in Raw format only after configuring the filters If...

Page 668: ...prevention DLP sensors Then you add the DLP sensors to protection profiles and add the protection profiles to firewall policies All sessions accepted by firewall policies that are matched by rules in...

Page 669: ...ions from the web based manager before using the CLI to enable content archiving for the VoIP protocols For more information about configuring application lists see Configuring an application control...

Page 670: ...ction profile for that remote logging device For example if the FortiAnalyzer unit is configured to receive content archives then only content archives from the FortiAnalyzer unit appear in the Conten...

Page 671: ...or logging on to the SMTP server to send alert email You need to do this only if you selected SMTP authentication Send alert email for the following Select to have the alert email sent for one or mult...

Page 672: ...ire an alert email message based on firewall authentication failures SSL VPN login failure Select if you require an alert email message based on any SSL VPN logins that failed Administrator login logo...

Page 673: ...hical format to show network usage for a number of services The charts show the bytes used for the service traffic To view basic traffic reports go to Log Report Report Access Memory Figure 439 Viewin...

Page 674: ...inistrator before configuring report schedules from the FortiGate unit to verify that the appropriate report layout is configured Report layouts can only be configured from the FortiAnalyzer unit Brow...

Page 675: ...hedules in Report Config General report schedule settings Create New Create a new report schedule Name The name of the report schedule Description The comment made when the report schedule was created...

Page 676: ...variables for the report Virtual Domain Select to create a report based on virtual domains Enter a specific virtual domain to include in the report User Select to create a report based on a network us...

Page 677: ...Arrow to view the rolled report and view the entire report After viewing the report select Historical Reports to return to the list Figure 441 Generated reports displayed in Report Access Printing yo...

Page 679: ...ed IP pool and virtual IP 384 content archive 668 custom firewall service 357 custom service firewall 357 custom signatures 459 customized CLI console 64 DHCP interface settings 130 DHCP relay agent 1...

Page 680: ...ort 375 static NAT virtual IP IP address range 373 static route transparent mode 149 static route adding to routing table 284 subnet object 89 system administrators 209 system certificates 247 system...

Page 681: ..._failopen 453 BHO grayware 452 CLI configuration 453 configure antivirus heuristic 453 configuring grayware list 452 dial grayware 452 download grayware 452 file block 443 file block list 445 game gra...

Page 682: ...banned word web content block 480 483 banned word spam filter action 500 adding words to the banned word list 500 catalog 498 language 500 list 499 pattern 500 pattern type 500 banned word check prot...

Page 683: ...m dialup account 144 web based manager 44 conservation mode 191 contact information SNMP 186 contacting customer support 48 content archive viewing 84 content block catalog 479 web filter 478 content...

Page 684: ...420 Distinguished Name query 577 DLP See data leak protection DNAT virtual IPs 367 368 DNS service 352 documentation commenting on 26 Fortinet 26 domain name 346 DoS policy 337 configuring 338 viewing...

Page 685: ...443 default list of patterns 443 list antivirus 445 protection profile 408 file name quarantine files list 447 file pattern catalog 444 quarantine autosubmit list 448 filter filtering information on w...

Page 686: ...g 326 329 335 user groups 584 firewall protection profile default protection profiles 398 list 399 options 404 firewall service AFS3 352 AH 352 ANY 352 AOL 352 BGP 352 CVSPSERVER 352 DCE RPC 352 DHCP...

Page 687: ...or FDN and services 266 configuring web filter service 266 FortiGuard Analysis and Management Services 266 licenses 66 265 management and analysis service options 270 support contract 266 web filterin...

Page 688: ...p 50 using FortiGate online help 49 heuristics antivirus 453 quarantine 454 high availability See HA 177 hijacker grayware category 453 host name changing 78 changing for a cluster 182 viewing 78 host...

Page 689: ...IP range subnet 384 385 list 383 name 384 385 options 383 PPPoE 326 proxy ARP 370 390 SIP 431 start IP 383 transparent mode 386 IP range subnet firewall address 347 IP pool 384 385 IPS see intrusion...

Page 690: ...unit 663 accessing logs on FortiGuard Analysis server 664 ActiveX filter 422 alert email configuring 670 applying through protection profile 421 basic traffic reports 673 blocked files 422 browsing lo...

Page 691: ...rts 407 monitoring WAN optimization 637 moving a firewall policy 320 607 MS CHAP 572 MS CHAP V2 572 MS SQL service 353 MTU size 127 135 multicast 304 multicast destination NAT 306 multicast policy 321...

Page 692: ...old 409 oversized file email protection profile 409 P P1 Proposal IPSec phase 1 537 P2 Proposal IPSec VPN phase 2 540 P2P grayware category 453 packets VDOM 104 page controls web based manager 57 PAP...

Page 693: ...PPTP IP address user group 547 549 PPTP range defining addresses 547 549 PPTP tunnel setup CLI command 549 customized GUI 547 predefined services 351 predefined signature default action 458 list 457 P...

Page 694: ...ors protection profile 415 proxy SIP 427 proxy ARP 370 390 FortiGate interface 370 390 IP pool 370 390 virtual IP 370 390 proxy server 273 push updates 273 push update 268 configuring 273 external IP...

Page 695: ...schedules 674 FortiAnalyzer printing 677 viewing FortiAnalyzer reports 677 restoring 3 0 configuration 101 using the CLI 101 using web based manager 101 return email DNS check protection profile 418...

Page 696: ...GP 352 custom service list 356 CVSPSERVER 352 DCE RPC 352 DHCP 172 352 DHCP6 352 DNS 352 ESP 352 FINGER 352 firewall policy 322 325 FTP 352 FTP_GET 352 FTP_PUT 352 GOPHER 352 GRE 352 group 359 H323 35...

Page 697: ...port workflow 432 SIP MSNmessenger service 355 Skinny Call Control Protocol See SCCP SMTP service 355 user 671 SNAT virtual IPs 367 SNMP configuring community 186 contact information 186 event 188 man...

Page 698: ...vpn pptp 550 status description quarantine files list 448 stop one time schedule 363 recurring schedule 362 streaming mode 408 419 strict default protection profile 398 strict blocking HTTP only prote...

Page 699: ...Priority 606 635 traffic priority firewall policy 606 635 traffic shaping 606 635 traffic reports viewing 673 traffic shaping configuring 425 firewall policy 326 329 335 guaranteed bandwidth 326 425...

Page 700: ...ks 113 license key 276 limited resources 110 management VDOM 112 maximum number 110 NAT Route 104 packets 104 RADIUS authentication 116 system maintenance 254 transparent mode 104 VDOM partitioning HA...

Page 701: ...alog 479 web content exempt list 482 web content exempt list catalog 481 wireless monitor 167 viewport 87 VIP transparent mode 386 VIP group configuring 380 Virtual IP transparent mode 386 virtual IP...

Page 702: ...0 web content block list web filter 479 web content exempt protection profile 412 web content exempt list adding 482 web equivalent privacy 165 web filter 475 adding a URL to the web URL block list 48...

Page 703: ...gs FortiWiFi 50B 162 settings FortiWiFi 60A 162 settings FortiWiFi 60AM 162 settings FortiWiFi 60B 162 SSID 164 SSID broadcast 164 Tx power 163 viewing monitor 167 WLAN interface 159 WLAN interface ad...
