User and maintenance manual for the 100A product from the manufacturer Fortinet
FortiGate-100A Administration Guide, Version 2.80 MR7
[Front-panel illustration: INTERNAL, DMZ 1, DMZ 2, WAN 1 and WAN 2 ports with LINK/100 indicators; PWR and STATUS LEDs]
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents (FortiGate-100A Administration Guide, document 01-28007-0068-20041203, Fortinet Inc.; excerpt, one entry per contents page)
Introduction ... 13; About FortiGate Antivirus Firewalls
Management ... 59; DNS
Replacement messages ... 106; Replacement messages list
Policy ... 145; Policy route list
Address ... 198; Address list
RADIUS ... 235; RADIUS server list
VPN configuration procedures ... 266; IPSec configuration procedures
Web filter ... 309; Content block
MIME headers ... 331; MIME headers list
Page 13. Introduction. FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering.
Page 14. Antivirus protection. The FortiGate-100A also supports advanced features such as multiple WAN and DMZ interfaces, 802.1Q VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing protocols.
Page 15. Spam filtering. To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists. The exempt list also exempts web traffic to this address from virus scanning.
Page 16. VLANs and virtual domains. NAT/Route mode: In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router.
Page 17. Intrusion Prevention System (IPS). The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention.
Page 18. High availability. Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings.
Page 19. Secure installation, configuration, and management. The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.
Page 20. Secure installation, configuration, and management (continued). You enter:
execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns. <xxx_integer> indicates an integer string that is a decimal (base 10) number.
Page 21. Fortinet Knowledge Center. FortiGate documentation: Information about FortiGate products is available from the following guides: • FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
Page 22. FortiManager documentation. Related documentation: Additional information about Fortinet products is available from the following related documentation.
Page 23. FortiLog documentation. • FortiLog Administration Guide: Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files.
Page 25. System status. You can connect to the web-based manager and view the current system status of the FortiGate unit.
Page 26. Viewing system status. Status: View the system status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. All FortiGate administrators with read access to system configuration can view system status information.
Page 27. Unit Information: Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information.
Page 28. Interface Status: All interfaces in the FortiGate unit are listed in the table. System Resources. Reset: Select to reset the count values in the table to zero. HTTP: The number of URLs visited.
Page 29. Changing unit information. Figure 3: Sample system resources history. History: The history page displays 6 graphs represent.
Page 30. To change FortiGate host name: The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name.
Page 31. 3 In the Attack Definitions field of the Unit Information section, select Update. The Intrusion Detection System Definitions Update dialog box appears.
Page 32. Session list: The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions.
Page 33. Upgrading to a new firmware version. Changing the FortiGate firmware: FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware.
Page 34. 3 Go to System > Status. 4 Under Unit Information > Firmware Version, select Update. 5 Type the path and filename of the firmware image file, or select Browse and locate the file.
Page 35. Reverting to a previous firmware version. Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.
Page 36. 2 Log into the FortiGate web-based manager. 3 Go to System > Status. 4 Under Unit Information > Firmware Version, select Update. 5 Type the path and filename of the firmware image file, or select Browse and locate the file.
Page 37. To use the following procedure you must have a TFTP server that the FortiGate unit can connect to. To revert to a previous firmware version using the CLI: 1 Make sure that the TFTP server is running.
Page 38. Installing firmware images from a system reboot using the CLI. 11 Update antivirus and attack definitions.
Page 39. 5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server.
Page 40. 10 Type an IP address that the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to.
Page 41. Testing a new firmware image before installing it. You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory.
Page 42. If you successfully interrupt the startup process, one of the following messages appears: • FortiGate unit running v2.x BIOS Enter TFTP Server Address [192.
Page 43. Installing and using a backup firmware image. If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image.
Page 44. 7 Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: 8 Type the address of the TFTP server and press Enter.
Page 45. If you successfully interrupt the startup process, the following message appears: [G]: Get firmware image from TFTP server. [F]: Format boot device.
Page 47. System network. System network settings control how the FortiGate unit connects to and interacts with your network.
Page 48. Interface settings. Figure 5: Interface list. Interface settings displays the current configuration of a selected FortiGate interface or VLAN subinterface.
Page 49. Figure 6: Interface settings. See the following procedures for configuring interfaces: • To bring d.
Page 50. The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see “VLAN overview” on page 63.
Page 51. PPPoE: If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request.
Page 52. DDNS: Enable or disable updates to a Dynamic DNS (DDNS) service. When the FortiGate unit has a static domain name and a dynamic public IP address, select DDNS Enable to force the unit to update the DDNS server each time the address changes.
Page 53. Configuring interfaces. MTU: To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface.
Page 54. To add a VLAN subinterface: See “To add a VLAN subinterface in NAT/Route mode” on page 65. To bring down an interface that is administratively up: You can bring down physical interfaces or VLAN subinterfaces.
Page 55. To change the static IP address of an interface: You can change the static IP address of any FortiGate interface. 1 Go to System > Network > Interface.
Page 56. 9 Select the Connect to Server check box if you want the FortiGate unit to connect to the PPPoE server.
Page 57. 3 Set Ping Server to the IP address of the next hop router on the network connected to the interface. 4 Select the Enable check box. 5 Select OK to save the changes.
Page 58. Zone settings. Zone: You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation.
Page 59. To add a zone: 1 If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
Page 60. Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet.
Page 61. DNS: Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your FortiGate unit can connect.
Page 62. Routing table list. Routing table (Transparent Mode): In Transparent mode, you can configure routing to add static routes from the FortiGate unit to local routers.
Page 63. Transparent mode route settings. 4 Set Gateway to the IP address of the next hop routing gateway. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Page 64. FortiGate units and VLANs: In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches.
Page 65. Adding VLAN subinterfaces. Figure 15 shows a simplified NAT/Route mode VLAN configuration. In this example, FortiGate internal interface connects to a VLAN switch using an 802.
Page 66. 5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. 6 Select the virtual domain to which to add this VLAN subinterface.
Page 67. If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs.
Page 68. Figure 17: FortiGate unit in Transparent mode. Rules for VLAN IDs: In Transparent mode two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID.
Page 69. Transparent mode VLAN list: In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces.
Page 70. Transparent mode VLAN settings. To add a VLAN subinterface in Transparent mode: The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096.
Page 71. FortiGate IPv6 support: You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets.
Page 73. System DHCP. You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent.
Page 74. DHCP service settings: Go to System > DHCP > Service and select an edit or view icon to view or modify the DHCP service configuration for an interface.
Page 75. To configure an interface to be a DHCP server: You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface.
Page 76. DHCP server settings. Figure 23: Server options. To configure a DHCP server for an interface: After configuring an interface to.
Page 77. 3 Add a name for the DHCP server. 4 Select the interface. 5 Configure the DHCP server. The IP range must match the subnet address of the network from which the DHCP request was received.
Page 78. DHCP exclude range settings: The range cannot exceed 65536 IP addresses. Figure 25: Exclude range settings. To add an exclusion range: 1 Go to System > DHCP > Exclude Range.
Page 79. DHCP IP/MAC binding settings. Figure 27: IP/MAC binding options. To add a DHCP IP/MAC binding pair: 1 Go to System > DHCP > IP/MAC Binding. 2 Select Create New.
Page 81. System config. Use the System Config page to make any of the following changes to.
Page 82. To manually set the FortiGate date and time: 1 Go to System > Config > Time. 2 Select Refresh to display the current FortiGate system date and time. 3 Select your Time Zone from the list.
Page 83. Figure 29: System config options. To set the system idle timeout: 1 Go to System > Config > Options. 2 For Idle Timeout, type a number in minutes. 3 Select Apply. To set the Auth timeout: 1 Go to System > Config > Options.
Page 84. To modify the dead gateway detection settings: Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration.
Page 85. HA configuration. An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units.
Page 86. Cluster Members: When the cluster is operating, you can select Cluster Members to view the status of all FortiGate units in the cluster. Status information includes the cluster ID, status, up time, weight, and monitor information.
Page 87. You can use the unit priority to control the order in which cluster units become the primary cluster unit when a cluster unit fails. For example, if you have three FortiGate-3600s in a cluster you can set the unit priorities as shown in Table 4.
Page 88. Schedule: If you are configuring an active-active cluster, select a load balancing schedule. Priorities of Heartbeat Device: Enable or disable HA heartbeat communication and set the heartbeat priority for each interface in the cluster.
Page 89. You can enable heartbeat communications for physical interfaces, but not for VLAN subinterfaces. Enabling the HA heartbeat for more interfaces increases reliability.
Page 90. Configuring an HA cluster. Monitor priorities: Monitor priorities and link failover are not supported for the internal interface. Enable or disable monitoring a FortiGate interface to verify that the interface is functioning properly and connected to its network.
Page 91. 1 Power on the FortiGate unit to be configured. 2 Connect to the web-based manager. 3 Give the FortiGate unit a unique host name. See “To change FortiGate host name” on page 30.
Page 92. To connect a FortiGate HA cluster: Use the following procedure to connect a cluster operating in NAT/Route mode or Transparent mode. Connect the FortiGate units in the cluster to each other and to your network.
Page 93. Figure 31: HA network configuration. 2 Power on all the FortiGate units in the cluster. As the units start, they negotiate to choose the primary cluster unit and the subordinate units.
Page 94. Managing an HA cluster. To configure weighted-round-robin weights: By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster.
Page 95. You can use the web-based manager to monitor the status and logs of individual cluster members. See “To view the status of each cluster member” on page 95 and “To view and manage logs for individual cluster units” on page 96.
Page 96. To view and manage logs for individual cluster units: 1 Connect to the cluster and log into the web-based manager.
Page 97. If a subordinate unit fails, the cluster continues to function normally. Failure of a subordinate unit results in the following: • The cluster contains fewer FortiGate units.
Page 98. Configuring SNMP. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see “FortiGate MIBs” on page 101).
Page 99. SNMP community: An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps.
Page 100. To configure SNMP access to an interface in NAT/Route mode: Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.
Page 101. FortiGate MIBs. To add an SNMP community: 1 Go to System > Config > SNMP v1/v2c. 2 Select Create New. 3 Enter a Community Name to identify the SNMP community. 4 Configure Hosts, Queries, Traps, and SNMP Events.
Page 102. FortiGate traps: The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.
Page 103. Fortinet MIB fields: The Fortinet MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one.
Page 104. Table 14: System MIB fields (MIB field: Description).
model: FortiGate model number, for example, 400 for the FortiGate-400.
serial: FortiGate unit serial number.
version: The firmware version currently running on the FortiGate unit.
Page 105. Table 16: Administrator accounts (MIB field: Description).
index: The index number of the administrator account added to the FortiGate unit.
name: The user name of an administrator account added to the FortiGate unit.
Page 106. Replacement messages list. Replacement messages: Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.
Page 107. Changing replacement messages. Figure 37: Sample HTTP virus replacement message. Replacement messages can be text or HTML messages. You can add HTML code to HTML messages.
Page 108. FortiManager: Configure the FortiGate unit for IPSec communication between the FortiGate unit and a FortiManager server. When you enable this feature, all communication between the FortiGate unit and the FortiManager server takes place using VPN.
Page 109. System administration. When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin.
Page 110. Administrators list. Figure 39: Administrators list. Administrators options. Figure 40: Administrator account configuration. To configure an administrator account: 1 Go to System > Admin > Administrators.
Page 111. 3 Type a login name for the administrator account. 4 Type and confirm a password for the administrator account. 5 Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.
Page 112. Access profile list. Figure 42: Access profile list. Access profile options. Figure 43: Access profile options. Create New: Add a new access profile. Profile Name: The name of the access profile.
Page 113. To configure an access profile: 1 Go to System > Admin > Access Profile. 2 Select Create New to add an access profile, or select the edit icon to edit an existing access profile.
System maintenance
Use the web-based manager to maintain the FortiGate unit.
Backup and restore
You can back up system configuration, VPN certificate, web and spam filtering files to the management computer.
Backing up and Restoring
To back up all configuration files
1 Go to System > Maintenance > Backup & Restore.
2 For All Configuration Files, select the Backup icon.
5 Select OK to restore all configuration files to the FortiGate unit.
Update center
You can configure the FortiGate unit to connect to the FortiProtect Distribution Network (FDN) to update the antivirus (including grayware), Spam Filter and attack definitions and engines.
Figure 45: Update center
FortiProtect Distribution Network: The status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN.
Updating antivirus and attack definitions
Use the following procedures to configure the For.
2 Select Update Now to update the antivirus and attack definitions and engines.
4 Select Apply. The FortiGate unit tests the connection to the override server. If the FortiProtect Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server.
There are no special tunneling requirements if you have configured an override server address to connect to the FDN.
The FortiGate unit sends the SETUP message if you change the interface 2 IP address manually or if you have set the interface 2 addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.
8 In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface.
Figure 46: Support
Sending a bug report
Use the Report Bug form to send bug information to Fortinet support.
Figure 47: Bug report
Report Bug: Select Report Bug to submit problems with the FortiGate unit to Fortinet Support.
To report a bug
1 Go to System > Maintenance > Support.
2 Select Report Bug.
3 Fill out the Report Bug form.
4 Select Submit.
To configure a customized mail relay
1 Go to System > Maintenance > Support.
Soon you will also be able to:
• Access Fortinet user documentation
• Access the Fortinet knowledge base
All registration information is stored in the Fortinet Customer Support database.
FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiGate units that you want to register.
1 Go to System > Maintenance > Support.
2 Select Reboot.
3 Select Apply. The FortiGate unit restarts.
To shut down the system
You can restart the FortiGate unit after shutdown only by turning the power off and then on.
System virtual domain
FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit.
Virtual domain properties
By default, each FortiGate unit runs a virtual domain named root. This virtual domain includes all of the FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.
Shared configuration settings
The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings.
Administration and management
In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the FortiGate unit.
See the following procedures for configuring virtual domains:
• To add VLAN subinter.
To select a management virtual domain
The following procedure applies to NAT/Route mode only.
1 Go to System > Virtual Domain > Virtual Domains.
2 Set Virtual domain to All or to the name of the virtual domain that currently contains the interface.
4 Select OK.
5 Go to System > Network > Zone.
6 Select Create new. See “Zone” on page 58. Any zones that you add are added to the current virtual domain.
6 Select Create new to add firewall policies to the current virtual domain.
Configuring IPSec VPN for a virtual domain
To configure VPN for a virtual domain
The following procedure applies to NAT/Route and Transparent mode.
Router
This chapter describes how to configure FortiGate routing and RIP.
For example, consider Figure 50, which shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network.
Figure 51: Destinations on networks behind internal routers
To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway.
Static route options
Figure 53: Static route configuration
To add or edit a static route
1 Go to Router > Static > Static Route.
2 Select Create New to add a new route or select the edit icon beside an existing route to edit that route.
Figure 54: Move a static route
3 For Move to, select either Before or After and type the number that you want to place this route before or after.
4 Select OK.
Policy route options
Figure 56: Policy route configuration
To add a policy route
1 Go to Router > Policy Route.
2 Select Create New to add a new policy route or select the edit icon beside an existing policy route to edit that policy route.
RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop.
To configure RIP general settings
1 Go to Router > RIP > General.
2 Select the default RIP Version.
3 Change the Default Metric if required.
4 Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
Networks options
Figure 59: RIP Networks configuration
To configure a RIP network
1 Go to Router > RIP > Networks.
2 Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network.
Interface options
Figure 61: RIP interface configuration
Interface: The FortiGate interface name.
Send Version: RIP routing messages are UDP packets that use port 520. Select 1 to configure RIP to send RIP version 1 messages from an interface.
To configure a RIP interface
1 Go to Router > RIP > Interface.
2 Select the edit icon beside an Interface to configure that interface.
3 Select a Send Version if you want to override the default send version for this interface.
Distribute list options
Figure 63: RIP Distribute list configuration
To configure a distribute list
1 Go to Router > RIP > Distribute List.
Offset list
Use offset lists to add the specified offset to the metric of a route.
Figure 64: RIP Offset list
Offset list options
Figure 65: RIP Offset list configuration
To configure an offset list
1 Go to Router > RIP > Offset List.
3 Set Direction to In or Out.
4 Enter the offset number.
5 Select the interface to match for this offset list.
6 Check or clear the Enable check box to enable or disable this offset list.
To add an access list name
1 Go to Router > Router Objects > Access List.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix.
New prefix list entry
Figure 71: Prefix list entry configuration
To configure a prefix list entry
1 Go to Router > Router Objects > Prefix List.
The FortiGate unit attempts to match the rules in a route map starting at the top of the list. If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule.
Route-map list entry
Figure 74: Route map entry configuration
To configure a route map entry
1 Go to Router > Router Objects > Route Map.
4 Under Match, select the criteria to match.
5 Under Set, select the criteria to change.
6 Select OK.
Key chain list
RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable.
3 Enter a name for the key chain.
4 Select OK.
Key chain list entry
Figure 77: Key chain entry configuration
To configure a key chain entry
1 Go to Router > Router Objects > Key-chain.
5 Under Accept Lifetime, select Infinite, Duration or End time.
• If you selected Duration, enter the time in seconds that this key should be active.
3 Specify the network for which to display routes.
4 Specify a gateway to display the routes using that gateway.
get router info rip
Use this command to display information about RIP.
Command syntax
get router info rip <keyword>
Example.
config summary-address
Note: In the following table, only the router-id keyword is required.
Example
This example shows how to set the OSPF router ID to 1.1.1.1:
config router ospf
    set router-id 1.1.1.1
end
This example shows how to display the OSPF settings.
default-metric <metric_integer>: Specify the default metric that OSPF should use for redistributed routes.
get router ospf
This example shows how to display the OSPF configuration.
show router ospf
config area
Access the config area subcommand using the config router ospf command.
area command keywords and variables (Keywords and variables, Description, Default, Availability)
authentication {md5 | none | text}: Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area.
Example
This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.
config router ospf
    config area
        edit 15.
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
    config area
        edit 15.1.1.1
            show
        end
config filter-list
Access the config filter-list subcommand using the config area subcommand.
Example
This example shows how to use an access list named acc_list1 to filter packets entering area 15.
config range
    edit <id_integer>
        get
    end
config range
    edit <id_integer>
        show
    end
Example
This example shows how to set the prefix for range 1 of area 15.1.1.1.
config router ospf
    config area
        edit 15.
config router ospf
    config area
        edit 15.1.1.1
            show
        end
config virtual-link
Access the config virtual-link subcommand using the config area command. Use virtual links to connect an area to the backbone when the area has no direct connection to the backbone.
virtual-link command keywords and variables (Keywords and variables, Description, Default, Availability)
authentication {md5 | none | text}: Set the authentication type.
Example
This example shows how to configure a virtual link.
config router ospf
    config area
        edit 15.1.1.1
            config virtual-link
                edit vlnk1
                    set peer 1.1.1.1
                end
            end
This example shows how to display the settings for area 15.
Use this command to use an access list to filter the networks in routing updates. Routes not matched by any of the distribute lists will not be advertised. You must configure the access list that you want the distribute list to use before you configure the distribute list.
config router ospf
    config distribute-list
        edit 2
            set access-list acc_list1
            set protocol static
        end
    end
This example shows how to display the settings for distribute list 2.
config neighbor
    edit <id_integer>
        show
    end
Example
This example shows how to manually add a neighbor.
config router ospf
    config neighbor
        edit 1
            set ip 192.168.21.63
        end
    end
This example shows how to display the settings for neighbor 1.
config network
Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area.
This example shows how to display the settings for network 2.
config router ospf
    config network
        edit 2
            get
        end
This example shows how to display the configuration for network 2.
ospf-interface command keywords and variables (Keywords and variables, Description, Default, Availability)
authentication {md5 | none | text}: Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface.
hello-interval <seconds_integer>: The time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535.
network-type {broadcast | non-broadcast | point-to-multipoint | point-to-point}: Specify the type of network to which the interface is connected. OSPF supports four different types of network.
Example
This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.
config router ospf
    config ospf-interface
        edit test
            set interface internal
            set ip 192.
config redistribute command syntax pattern
config redistribute {connected | static | rip}
    set <keyword>.
Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page 171.
This example shows how to display the OSPF configuration.
show router ospf
config router static6
Use this command to add, edit, or delete static routes for IPv6 traffic.
Example
This example shows how to add an IPv6 static route that has the sequence number 2.
Firewall
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request.
Policy
Go to Firewall > Policy to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
The policy list has the following icons and features.
Figure 80: Move to options
Policy options
Policy options are configurable when creating or editing a firewall policy.
Figure 81: Standard policy options
Policy has the following standard options:
Interface / Zone
Source: Select the source interface name to which the policy will apply.
Destination: Select the destination interface name to which the policy will apply.
Action: Select how you want the firewall to respond when the policy matches a connection attempt.
• ACCEPT: Select accept to accept connections matched by the policy.
Advanced policy options
Figure 82: Advanced policy options
Authentication: You must add users and a firewall protection profile to a user group before you can select Authentication.
In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or Telnet server using a domain name.
Comments: You can add a description or other information about the policy.
3 Select the position for the policy.
4 Select OK.
To disable a policy
Disable a policy to temporarily prevent the firewall from selecting the policy.
Address
You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.
This section describes:
• Address list
• Address options
• Configuring addresses
• Address group list
• Address group options
• Configuring address groups
Address list
You can add addresses to the list and edit existing addresses.
An IP/Mask address can represent:
• The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0).
• A single IP address (for example, IP Address: 192.
4 Select OK.
To delete an address
Deleting an address removes it from the address list. To delete an address that has been added to a policy, you must first remove the address from the policy.
Figure 87: Address group options
Address group has the following options:
Configuring address groups
To organize addresses into an address group
1 Go to Firewall > Address > Group.
3 Make any required changes.
4 Select OK.
Service
Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy.
Table 21: FortiGate predefined services (Service name, Description, Protocol, Port)
ANY: Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall.
IRC: Internet Relay Chat allows people connected to the Internet to join live discussions. tcp 6660-6669
L2TP: L2TP is a PPP-based tunnel protocol for remote access.
Custom service list
Add a custom service if you need to create a policy for a service that is not in the predefined service list.
Figure 89: Sample custom service list
The custom services list has the following icons and features.
Custom service options
Different options appear depending on the protocol type of custom service you want to define. Choose from TCP, UDP, ICMP, or IP.
IP custom service options
Figure 92: IP custom service options
Configuring custom services
To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
6 Select OK. You can now add this custom service to a policy.
To delete a custom service
1 Go to Firewall > Service > Custom.
2 Select the Delete icon beside the service you want to delete.
Figure 94: Service group options
Service group has the following options.
Configuring service groups
To organize services into a service group
1 Go to Firewall > Service > Group.
4 Select OK.
Schedule
Use schedules to control when policies are active or inactive.
One-time schedule options
Figure 96: One-time schedule options
One-time schedule has the following options.
Configuring one-time schedules
To add a one-time schedule
1 Go to Firewall > Schedule > One-time.
Recurring schedule list
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week.
Configuring recurring schedules
To add a recurring schedule
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter a name for the schedule.
4 Select the days of the week that you want the schedule to be active.
You can create three types of virtual IPs:
This section describes:
• Virtual IP list
• Virtual IP options
• Configuring virtual IPs
Virtual IP list
Figure 99: Sample virtual IP list
The virtual IP list has the following icons and features.
Figure 100: Virtual IP options; static NAT
Figure 101: Virtual IP options; port forwarding
Virtual IP has the following options.
Configuring virtual IPs
To add a static NAT virtual IP
1 Go to Firewall > Virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
6 Enter the External IP Address that you want to map to an address on the destination interface. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address.
10 Select OK.
To delete a virtual IP
1 Go to Firewall > Virtual IP.
2 Select the Delete icon beside the virtual IP you want to delete.
3 Select OK.
IP pool list
Figure 102: Sample IP pool list
The IP pool list has the following icons and features.
IP pool options
Figure 103: IP pool options
Virtual IP has the following options.
Configuring IP pools
To add an IP pool
1 Go to Firewall > IP Pool.
5 Select OK.
To delete an IP pool
1 Go to Firewall > IP Pool.
2 Select the Delete icon beside the IP pool you want to delete.
Protection profile
Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies.
Default protection profiles
The FortiGate unit comes preconfigured with four protection profiles.
Configuring antivirus options
Figure 106: Protection profile antivirus options
The following options are available for antivirus through the protection profile. See “Antivirus” on page 289 for more antivirus configuration options.
Configuring web filtering options
Figure 107: Protection profile web filtering options
The following options are available for web filtering through the protection profile.
The following options are available for web category filtering through the protection profile. See “Category block” on page 317 for more category blocking configuration options.
Configuring IPS options
Figure 110: Protection profile IPS options
The following options are available for IPS through the protection profile. See “IPS” on page 277 for more IPS configuration options.
The following options are available for content archive through the protection profile.
To add a protection profile to a policy
You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
firewall profile command keywords and variables (Keywords and variables, Description, Default, Availability)
ftp {block conten.
This example shows how to display the settings for the firewall profile command.
get firewall profile
This example shows how to display the settings for the spammail profile.
Users and authentication
You can control access to network resources by defining lists of authorized users, called user groups.
Setting authentication timeout
Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again.
To set authentication timeout
1 Go to System > Config > Options.
To add a user name and configure authentication
1 Go to User > Local.
2 Select Create New to add a new user name or select the Edit icon to edit an existing configuration.
RADIUS server options
Figure 115: RADIUS configuration
To configure the FortiGate unit for RADIUS authentication
1 Go to User > RADIUS.
2 Select Create New to add a new RADIUS server or select the Edit icon to edit an existing configuration.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.
To configure the FortiGate unit for LDAP authentication:
1 Go to User > LDAP.
2 Select Create New to add a new LDAP server, or select the Edit icon to edit an existing configuration.
User group
To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group.
User group options
Figure 119: User group configuration
To configure a user group
1 Go to User > User Group.
2 Select Create New to add a new user group, or select the Edit icon to edit an existing configuration.
To delete a user group
You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
config user peer
    edit branch_office
        set ca
        set cn
        set cn-type
    end
This example shows how to display the list of configured peers.
get user peer
This example shows how to display the settings for the peer branch_office.
config user peergrp
    edit EU_branches
        set member Sophia_branch Valencia_branch Cardiff_branch
    end
This example shows how to display the list of configured peer groups.
VPN
FortiGate units support the following protocols to authenticate and encryp.

Phase 1
The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine:
• whether the various phase 1 .

Phase 1 basic settings
Figure 121: Phase 1 basic settings
Encryption Algorithm: The names of the encryption and authentication algorithms used by each phase 1 configuration.

Pre-shared Key: If Preshared Key is selected, type the preshared key that the FortiGate unit will use to authenticate itself to the remote peer during phase 1 negotiations. You must define the same value at the remote peer.

Phase 1 advanced settings
Figure 122: Phase 1 advanced settings
P1 Proposal: Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations.

Phase 2
You configure phase 2 settings to specify the parameters for creating and maintaining a VPN tunnel between the FortiGate unit and the remote peer or client. In most cases, you only need to configure the basic phase 2 settings.

2 Follow the general guidelines in these sections:
• “Phase 2 list” on page 251
• “Phase 2 basic settings.

Phase 2 advanced options
Figure 125: Phase 2 advanced settings
Tunnel Name: Type a name to identify the tunnel configuration.
Remote Gateway: Select the phase 1 configuration to assign to this tunnel.

Manual key
If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel.

In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys on the VPN > IPSEC > Manual Key tab instead.

Manual key options
Figure 127: Adding a manual key VPN tunnel
VPN Tunnel Name: Type a name for the VPN tunnel.
Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit.

Concentrator
In a hub-and-spoke configuration, connections to a number of remote peers radiate from a single, central FortiGate unit.

Concentrator options
Figure 129: Creating a concentrator for a hub-and-spoke configuration
Ping Generator
The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open when no traffic is being generated inside the tunnel.

2 Select Enable.
3 In the Source IP 1 field, type the private IP address or subnet address from which traffic may originate locally (for example, 192.168.20.12 or 192.168.20.0 respectively).

To establish or take down a VPN tunnel
1 Go to VPN > IPSEC > Monitor.
2 In the list of tunnels, select the Bring down tunnel or Bring up tunnel button in the row that corresponds to the tunnel that you want to bring down or up.

PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server.

L2TP
A FortiGate unit can be configured to act as an L2TP network server. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly.

Certificates
Digital certificates are downloadable files that you can install on the FortiGate unit and on remote peers and clients for authentication purposes.

Figure 136: Certificate details
Certificate request
To obtain a personal or site certificate, you must send a request to a CA that provides digital certificates that adhere to the X.

Importing signed certificates
Your CA will provide you with a signed certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a PC that has management access to the FortiGate unit.

CA certificate list
Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. The installed CA certificates are displayed in the CA certificate list.

VPN configuration procedures
The FortiGate VPN Guide uses a task-based approach to provide all of the procedures needed to create different types of VPN configurations.

2 In the Address Name field, type a name that represents the local network, server(s), or host(s) from which IP packets may originate on the private network behind the local FortiGate unit.

3 You may enable a protection profile, and/or event logging, or select advanced settings to shape traffic or differentiate services. See the “Firewall” chapter of the FortiGate Administration Guide.

CLI configuration
This section provides information about features that must be configured through CLI commands. CLI commands provide additional network options that cannot be configured through the web-based manager.

Example
Use the following command to edit an IPSec VPN phase 1 configuration with the following characteristics:
• Phase 1 configuration n.

ipsec phase2
Use the config vpn ipsec phase2 CLI command to add or edit an IPSec VPN phase 2 configuration.

ipsec vip
A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding the associated traffic to the intended destination host over an IPSec VPN tunnel.

For more information, see “Configuring IPSec virtual IP addresses” on page 274.

This example shows how to display the settings for the vpn ipsec vip command.
    get vpn ipsec vip
This example shows how to display the settings for the VIP entry named 1.
    get vpn ipsec vip 1
This example shows how to display the current configuration of all existing VIP entries.

When Host_1 attempts to send a packet to Host_2 for the first time, Host_1 issues an ARP request locally for the MAC address of Host_2. However, because Host_2 resides on a remote network, it does not respond.
IPS
The FortiGate Intrusion Prevention System (IPS) combines signature- and anomaly-based intrusion detection and prevention with low latency and excellent reliability.

This chapter describes:
• Signature
• Anomaly
• Configuring IPS logging and alert email
• Default fail open setting

Signature
The FortiGate IPS matches network traffic against patterns contained in attack signatures.

Predefined signature list
You can enable or disable groups of predefined signatures and configure the settings for individual predefined signatures from the predefined signature list.

Configuring predefined signatures
To enable or disable predefined signature groups
1 Go to IPS > Signature > Predefined.
2 Select the Configure icon next to the predefined signature group that you want to enable or disable.

4 Select the Enable box to enable the signature or clear the Enable box to disable the signature.
5 Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature.

Custom
You can create custom IPS signatures. The custom signatures you create are added to a single Custom signature group. Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments.

Adding custom signatures
To add a custom signature
1 Go to IPS > Signature > Custom.
2 Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.

Anomaly
The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols.

Configuring an anomaly
Each anomaly is preset with a recommended configuration. By default all anomaly signatures are enabled. You can use the recommended configurations or you can modify the recommended configurations to meet the needs of your network.

To configure the settings of an anomaly
1 Go to IPS > Anomaly.
2 Select the Edit icon for the signature you want to configure.
3 Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly.

Anomaly CLI configuration (config ips anomaly)
config limit
Access the config limit subcommand using the config ips anomaly <name_str> command. Use this command for session control based on source and destination network address.

Configuring IPS logging and alert email
Whenever the IPS detects or prevents an attack, it generates an attack message. You can configure the FortiGate unit to add the message to the attack log and to send an alert email to administrators.
Antivirus
Antivirus provides configuration access to most of the antivirus options you enable when you create a firewall protection profile.

Protection profile configuration
For information about configuring Protection Profiles, see “Protection profile” on page 222. For information about adding protection profiles to firewall policies, see “To add a protection profile to a policy” on page 229.

This section describes:
• File block list
• Configuring the file block list

File block list
The file block list is preconfigured with a default list of file patterns:
• executable files (*.

Configuring the file block list
To add a file name or file pattern to the file block list
1 Go to Anti-Virus > File Block.
2 Enter the file name or file pattern you want to add.

Figure 153: Sample quarantined files list
Quarantined files list options
The quarantined file.

AutoSubmit list
You can configure the FortiGate unit to automatically upload suspicious files to Fortinet for analysis. You can add file patterns to the AutoSubmit list using wildcard characters (* or ?).

Config
Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings.

Config
Config displays a list of the current viruses blocked by the FortiGate unit. You can also configure file and email size limits, and grayware blocking.

Figure 158: Example threshold configuration
You can enable oversized file blocking in a firewall protection profile.

The categories may change or expand when the FortiGate unit receives updates. In the example above you can choose to enable the following grayware categories. Enabling a grayware category blocks all files listed in the category.

CLI configuration
config antivirus heuristic
The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators.

This example shows how to display the settings for the antivirus heuristic command.
    get antivirus heuristic
This example shows how to display the configuration for the antivirus heuristic command.

    config antivirus service http
        unset <keyword>
    end
    get antivirus service [http]
    show antivirus service [http]
How file size limits work
The memfilesizelimit is applied first to all incoming files, compressed or uncompressed.

Example
This example shows how to set the maximum file size that can be buffered to memory for scanning at 12 MB, .

How file size limits work
See “How file size limits work” on page 301.

config antivirus service pop3
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in POP3 traffic and what ports the FortiGate unit scans for POP3.

Example
This example shows how to set the maximum file size that can be buffered to memory.

How file size limits work
See “How file size limits work” on page 301.

config antivirus service smtp
Use this command to configure how the FortiGate unit handles an.

Example
This example shows how to set the maximum file size that can be buffered to memory for scanning at 100 MB.
Web filter
Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile.

Table 28: Web filter and Protection Profile web category filtering configuration
Protection profile configuration
For information about configuring Protection Profiles, see “Protection profile” on page 222.

Content block
Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead.

Configuring the web content block list
Figure 161: Adding a banned word to the content block list
When you select Create New or Edit you can configure the following settings for the banned word.

This section describes:
• Web URL block list
• Web URL block options
• Configuring the web URL blo.

Configuring the web URL block list
To add a URL to the web URL block list
1 Go to Web Filter > URL Block.
2 Select Web URL Block.
3 Select Create New.
Figure 163: Adding a new URL
4 Enter a URL or partial URL to add to the URL block list.

Figure 164: Sample web pattern block list
Web pattern block options
Web pattern block has the following icons and features:
Configuring web pattern block
To add a pattern to the web pattern block list
1 Go to Web Filter > URL Block.

URL exempt list
You can configure specific URLs as exempt from web filtering. URLs on the exempt list are not scanned for viruses.

Category block
You can filter http content by specific categories using the FortiGuard managed web filtering service.

FortiGuard licensing
Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number.

Configuring web category block
To enable FortiGuard web filtering
1 Go to Web Filter > Category Block.
2 Select Enable Service.
3 Select Check status to make sure the FortiGate unit can access the FortiGuard server.

Category block reports options
The following table describes the options for generating reports: The following t.

Command syntax pattern
    config webfilter catblock
        set <keyword> <variable>
    end c.

Figure 170: Script filtering options
Web script filter options
You can configure the following options for script filtering:
Note: Blocking any of these items may prevent some web pages from functioning and displaying correctly.
Spam filter
Spam filter provides configuration access to the spam filtering options you enable when you create a firewall protection profile.

Protection profile configuration
For information about configuring protection profiles, see “Protection profile” on page 222. For information about adding protection profiles to firewall policies, see “To add a protection profile to a policy” on page 229.

Order of spam filter operations
Generally, incoming email is passed through the spam filters in the order the filters app.

Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile.

4 Select Apply.
You can now enable FortiShield for any firewall protection profile you create. See “Configuring spam filtering options” on page 226.

Configuring the IP address list
To add an IP address to the IP address list
1 Go to Spam Filter > IP Address.
2 Select Create New.
Figure 173: Adding an IP address
3 Enter the IP address/mask you want to add.

This section describes:
• RBL & ORDBL list
• RBL & ORDBL options
• Configuring the RBL & ORDBL list

RBL & ORDBL list
You can configure the FortiGate unit to filter email by accessing RBL or ORDBL servers.

Figure 175: Adding an RBL or ORDBL server
3 Enter the domain name of the RBL or ORDBL server you want to add.
4 Select the action to take on email matched by the server.
5 Select Enable.

Configuring the email address list
To add an email address or domain to the list
1 Go to Spam Filter > E-mail Address.
2 Select Create New.

You can use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. You can choose to mark the email as spam or clear for each header you configure.

Configuring the MIME headers list
To add a MIME header to the list
1 Go to Spam Filter > MIME headers.
2 Select Create New.
Figure 179: Adding a MIME header
3 Enter the MIME header key.

Banned word list
You can add one or more banned words to sort email containing those words in the email subject, body, or both. Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long.

Figure 181: Adding a banned word
Configuring the banned word list
To add or edit a banned word
1 Go to Spam Filter > Banned Word.
2 Select Create New to add a banned word or select Edit for the banned word you want to modify.
Regular expression vs. wildcard match pattern
In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in a wildcard match pattern.

Examples
To block any word in a phrase
    /block|any|word/
To block purposely misspelled words
Spammers often insert other characters between the letters of a word to fool spam blocking software.
Log & Report
FortiGate units provide extensive logging capabilities for traffic, system and network protection functions.

Figure 182: Example alert email
For descriptions of log formats and specific log messages see the FortiGate Log Message Reference Guide.

Figure 183: Log setting options for all log locations
To configure Log Setting
1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box to enable logging to a location.

Disk settings
Table 31: Logging severity levels
    Level       Description
    Emergency   The system has become unstable.
    Alert       Immediate action is required.
    Critical    Functionality is affected.

To configure log file uploading
1 Select the blue arrow to expand Log file upload settings.
2 Select Upload When Rolling.
3 Enter the IP address of the logging server.

Alert E-mail options
In Alert E-mail options you specify the mail server and recipients for email messages and you specify the severity level and frequency of the messages.

You can select specific events to trigger alert email in Log Filter, described in “Log filter options” on page 345.
To configure alert email
1 Go to Log&Report > Alert E-mail.

Figure 185: Example traffic and event log filter settings
Traffic log
The Traffic Log records all the traffic to and through the FortiGate interfaces.

Anti-virus log
The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.

Attack log
The Attack Log records attacks detected and prevented by the FortiGate unit. You can apply the following filters:
Spam filter log
The Spam Filter Log records blocking of address patterns and content in IMAP and POP3 traffic.

To enable traffic logging for a firewall policy
You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log.

The following table describes the features and icons you can use to navigate and search the logs when viewing logs through the web-based manager.
To view log messages in the FortiGate memory buffer
1 Go to Log&Report > Log Access.

The Detailed Information column provides the entire raw log entry and is not needed unless the log contains information not available in any of the other, more specific columns.

Figure 189: Search for log messages
3 If you want to search for log messages in a particular date range, select the From and To dates.
4 Select one of the following options:
5 In the Keywords field, type the keywords for the search.

    get log fortilog setting
    show log fortilog setting
Example
This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.

syslogd setting
Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate unit to send logs to a remote computer running a syslog server.

Example
This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user.
FortiGuard categories
FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor.

5. Racism or Hate
Sites that promote the identification of racial groups, the denigration or subjection of groups, or the superiority of any group.

16. Weapons
Sites that provide information about, promote, or support the sale of weapons and related items.

General Interest
28. Arts and Entertainment
Sites that provide information about or promote motion pictures, non-news radio and television, music and programming guides, books, humor, comics, movie theatres, galleries, artists or review on entertainment, and magazines.

39. Reference Materials
Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies, white and yellow pages, and public statistical data.

Business Oriented
49. Business and Economy
Sites sponsored by or devoted to business firms, business associations, industry groups, or business in general.
Glossary FortiGate-100A Administrati on Guide 01-28007-0068-2004120 3 363 Glossary address : An IP address (logica l address) or the address of a physical inte rface (har dware addr ess). An Ethernet addre ss is sometimes ca lled a MAC address. See also IP address .
364 01-28007-0068-2004120 3 Fortinet Inc. Glossary Ethernet : Can refer to the IEEE 802.3 signaling protocol, or an Ether net controller (also known as a Media Access Controller or MAC ). external int erface : The FortiGate interface that connects to the Internet.
Glossary FortiGate-100A Administrati on Guide 01-28007-0068-2004120 3 365 MTU , Maximum T ransmission Unit : The largest physical packet size, m easured in bytes , that a networ k can transmit. Any p ackets larger than the MTU are divided into smaller p ackets before they are sent.
366 01-28007-0068-2004120 3 Fortinet Inc. Glossary SMTP , Simple Mail T ransfer Protocol : A protocol that supports email delivery services. SNMP , Simple Network Manag ement Protocol : A set of protocols for managing networks. SNMP agent s store and return dat a about themselves to SNMP requesters .
FortiGate-100A Administrati on Guide 01-28007-0068-2004120 3 367 FortiGate-100A Administrati on Guide V ersion 2.80 MR7 Index A abr-type 165 access-list 176 Action, Policy 267 active sessions HA monit.
368 01-28007-0068-2004120 3 Fortinet Inc. Index csv 354 custom TCP service 206, 207, 208 custom UDP service 206, 2 07, 208 customer service 23 D database 163 RIP 164 database-filter-out 181 database-o.
Index FortiGate-100A Administrati on Guide 01-28007 -0068-20041203 369 go HA monitor 95 group ID HA 86 grouping services 2 09 groups user 239 guaranteed bandwidth 195, 196 H HA 84, 85 add a new uni t .
370 01-28007-0068-2004120 3 Fortinet Inc. Index L L2TP 239 configuring gateway 261 enabling 261 overview 261 language web-based manager 83 Least-Connection HA schedule 88 Lifetime (sec/kb) 251 link fa.
Index FortiGate-100A Administrati on Guide 01-28007 -0068-20041203 371 peer 174 Peer option 248 Phase 1 246 Phase 1 advanced options 249 Phase 1 basic settings 247 Phase 1 list 246 Phase 2 250 Phase 2.
372 01-28007-0068-2004120 3 Fortinet Inc. Index service 203 custom TCP 206, 207, 208 custom UDP 206, 207, 2 08 group 209 predefined 203 service name 204 user-defined TCP 206, 2 07, 208 user-defined UD.
Index FortiGate-100A Administrati on Guide 01-28007 -0068-20041203 373 URL options 313 user groups configuring 239 User-defined signatures 282 user-defined TCP services 20 6, 207, 208 user-defined UDP.
374 01-28007-0068-2004120 3 Fortinet Inc. Index.