User and maintenance manual for the FortiGate-800 product, manufactured by Fortinet
FortiGate-800 Installation and Configuration Guide
[Cover illustration: FortiGate-800 front panel]
FortiGate User Manual Volume 1, Version 2.

© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents
Introduction .......... 15
Antivirus protection
NAT/Route mode installation .......... 41
Preparing to configure NAT/Route mode
Transparent mode configuration examples .......... 64
Default routes and static routes
Displaying the FortiGate up time .......... 108
Displaying log hard disk status
Network configuration .......... 137
Configuring zones
Adding RIP filters .......... 165
Adding a RIP filter list
Services .......... 200
Predefined services
IPSec VPN .......... 231
Key management
Network Intrusion Detection System (NIDS) .......... 269
Detecting attacks
URL blocking .......... 293
Configuring FortiGate Web URL blocking
Viewing logs saved to memory .......... 317
Viewing logs
FortiGate-800 Installation and Configuration Guide, Version 2.50

Introduction
FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering.

Antivirus protection
FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit.

Email filtering
FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content.

NAT/Route mode
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.

VPN
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

Secure installation, configuration, and management
The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies.

Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector.

Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords
For example: execute restore config <filename_str>
You enter restore config myfile.

• Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Getting started
This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit.

Package contents
The FortiGate-800 package contains the following items:
• FortiGate-800 Antivirus Firewall
• one orange crossover ethernet c.

Power requirements
• Power dissipation: 300 W (max)
• AC input voltage: 100 to 240 V AC
• AC input current: 6.

Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.

Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI.

Factory default FortiGate configuration settings
The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network.

Factory default Transparent mode network configuration
If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3.

Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.

Factory default content profiles
You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.

Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic. Quarantine is also selected for all content services.

Web content profile
Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.

Planning the FortiGate configuration
Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network.

NAT/Route mode with multiple external network connections
In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet).

Figure 6: Example Transparent mode network configuration
You can connect up to 8 network segments to the FortiGate unit to control traffic between these network segments.
• External can connect to the external firewall or router.

Front keypad and LCD
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can use the control buttons and LCD to add the IP address of the FortiGate interfaces as well as the external default gateway.

Next steps
Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.
NAT/Route mode installation
This chapter describes how to install the FortiGate unit in NAT/Route mode.

Advanced NAT/Route mode settings
Use Table 11 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Table 10: NAT/Route mode settings
Administrator Password:
Internal interface IP: _____.

DMZ and user-defined interfaces
Use Table 12 to record the IP addresses and netmasks of the FortiGate DMZ and user-defined interfaces if you are configuring them during installation.

Using the front control buttons and LCD
As an alternative to the setup wizard, use the information that you recorded in Table 10 on page 42 and Table 12 on page 43 to complete the following procedure.

3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 10 on page 42.

9 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE).
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example
set system route number 0 dst 0.

Figure 7: FortiGate-800 NAT/Route mode connections
To connect to FortiGate-800 user-defined interfaces
1 Connect the user-defined interface to the hub or switch connected to the intended network.

Figure 8: Example FortiGate-800 user-defined interface connections
Configuring your networks
If you are running the FortiGate .

Completing the configuration
Use the information in this section to complete the configuration of the FortiGate unit.

Registering your FortiGate unit
After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.

Figure 9: Example multiple Internet connection configura.

Using the CLI
1 Add a ping server to the external interface.
set system interface external config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to the DMZ interface.

Load sharing
You can also configure destination routing to direct traffic through both gateways at the same time.

3 Select New to add a route for connections to the network of ISP1.
• Destination IP: 100.100.100.0
• Mask: 255.255.255.0
• Gateway #1: 1.1.

Policy routing examples
Adding policy routing increases your control over how packets are routed. Policy routing works on top of destination-based routing.

Firewall policy example
Firewall policies control how traffic flows through the FortiGate unit. After you configure routing for multiple Internet connections, you must create firewall policies.

Restricting access to a single Internet connection
In some cases you might want to limit some traffic to being able to use only one Internet connection.
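The multiple-Internet-connection example above combines three mechanisms: destination routes that carry a primary and a backup gateway, ping-server gateway detection on each external interface, and policy routing layered on top to pin some traffic to one ISP. The following Python model is added here as an illustration and is not code from the guide or from Fortinet; it shows how those mechanisms combine to select a gateway for a packet and what happens when the ping server reports a gateway down. The class and function names, the second gateway address 2.2.2.1, the internal subnets, and the rule that a policy route whose gateway is down falls back to destination routing are assumptions of the model, not documented FortiOS behaviour.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    """Destination route with a primary gateway (gw1) and optional backup (gw2)."""
    dst: IPv4Network
    gw1: IPv4Address
    gw2: Optional[IPv4Address] = None


@dataclass
class PolicyRoute:
    """Policy route: traffic from src is pinned to one gateway (one ISP)."""
    src: IPv4Network
    gateway: IPv4Address


@dataclass
class Router:
    routes: List[StaticRoute] = field(default_factory=list)
    policy_routes: List[PolicyRoute] = field(default_factory=list)
    # Gateway liveness as learned from the ping server configured on each
    # interface (the "detectserver ... gwdetect enable" setting). A gateway
    # with no probe result yet is treated as up.
    gateway_up: Dict[IPv4Address, bool] = field(default_factory=dict)

    def gateway_detect(self, gateway: str, reachable: bool) -> None:
        """Record the result of one ping-server probe for a gateway."""
        self.gateway_up[IPv4Address(gateway)] = reachable

    def _alive(self, gw: Optional[IPv4Address]) -> bool:
        return gw is not None and self.gateway_up.get(gw, True)

    def select_gateway(self, src: str, dst: str) -> Optional[str]:
        """Return the gateway a packet src->dst is sent to, or None if none is usable."""
        src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
        # Policy routes are consulted first, since they work on top of
        # destination routing. Model assumption: a policy route whose gateway
        # is down is skipped so the packet falls back to destination routing.
        for pr in self.policy_routes:
            if src_ip in pr.src and self._alive(pr.gateway):
                return str(pr.gateway)
        # Destination routing: the most specific matching prefix wins; within a
        # route gw1 is preferred and gw2 is used only when gw1 is down.
        matching = sorted((r for r in self.routes if dst_ip in r.dst),
                          key=lambda r: r.dst.prefixlen, reverse=True)
        for r in matching:
            if self._alive(r.gw1):
                return str(r.gw1)
            if self._alive(r.gw2):
                return str(r.gw2)
        return None


# Constructed sample addresses for this example; they are not the guide's topology.
GW_ISP1 = IPv4Address("1.1.1.1")
GW_ISP2 = IPv4Address("2.2.2.1")


def build_example() -> Router:
    """Constructed configuration: two ISPs, a route to ISP1's network, one pinned subnet."""
    r = Router()
    # Default route through ISP1, with ISP2 as the backup gateway
    r.routes.append(StaticRoute(IPv4Network("0.0.0.0/0"), GW_ISP1, GW_ISP2))
    # Route for connections to the network of ISP1 (100.100.100.0/24)
    r.routes.append(StaticRoute(IPv4Network("100.100.100.0/24"), GW_ISP1, GW_ISP2))
    # Restrict one internal subnet to a single Internet connection (ISP2)
    r.policy_routes.append(PolicyRoute(IPv4Network("192.168.2.0/24"), GW_ISP2))
    return r


if __name__ == "__main__":
    router = build_example()
    print(router.select_gateway("192.168.1.10", "100.100.100.5"))  # 1.1.1.1
    print(router.select_gateway("192.168.2.10", "100.100.100.5"))  # 2.2.2.1 (policy route)
    router.gateway_detect("1.1.1.1", False)                        # ISP1 ping server fails
    print(router.select_gateway("192.168.1.10", "100.100.100.5"))  # 2.2.2.1 (gw2 takes over)
```

The model makes the failure mode visible: once the ping server on the external interface stops answering, every route that listed that gateway as gw1 silently moves to gw2, and a policy route that pinned a subnet to the failed ISP is what decides whether that subnet loses connectivity or falls through to the other link.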
Transparent mode installation
This chapter describes how to install your FortiGate unit in Transparent mode.

Using the setup wizard
From the web-based manager, you can use the setup wizard to begin the initial configuration of the FortiGate unit. For information about connecting to the web-based manager, see “Connecting to the web-based manager” on page 28.

Using the front control buttons and LCD
This procedure describes how to use the control buttons and LCD to configure Transparent mode IP addresses.

Configuring the Transparent mode management IP address
1 Make sure that you are logged into the CLI.
2 Set the management IP address and netmask to the IP address and netmask that you recorded in Table 16 on page 59.

Registering your FortiGate unit
After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.

Figure 10: FortiGate-800 Transparent mode connections
Transparent mode configuration examples
A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network.
This section describes:
• Default routes and static routes
• Example.

Figure 11: Default route to an external network
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.

Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager
1 Go to System > Status.

Figure 12: Static route to an external destination
General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.

2 Go to System > Network > Management.
• Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.255.255.

Figure 13: Static route to an internal destination
General configuration steps
1 Set the unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.

Web-based manager example configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP).

An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units.

6 Select the HA mode. Select Active-Active mode to create an Active-Active HA cluster. Select Active-Passive mode to create an Active-Passive HA cluster.

Figure 14: Example Active-Active HA configuration
11 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster.

Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster.

2 Power on all the FortiGate units in the cluster. As the units power on they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention.

You can also use SNMP to manage the cluster by configuring a cluster interface for SNMP administrative access. Using an SNMP manager you can get cluster configuration information and receive traps.

To monitor cluster interfaces
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Config > HA.
3 In the Monitor on Interface section, select the names of the interfaces that you want to monitor.

3 Select Sessions & Network. The cluster displays sessions and network status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number.

Viewing cluster sessions
To view the cluster communication sessions
1 Connect to the cluster and log into the web-based manager.

Monitoring cluster units for failover
If the primary unit in the cluster fails, the units in the cluster renegotiate to select a new primary unit.

To manage a cluster unit
1 Use SSH to connect to the cluster and log into the CLI. Connect to any cluster interface configured for SSH management to log into the cluster. You can also use a direct cable connection to log into the primary unit CLI.

Synchronizing the cluster configuration
Cluster synchronization keeps all units in the cluster synchronized with the master unit.

4 Repeat steps 2 and 3 for all the subordinate units in the HA cluster.
Upgrading firmware
To upgrade the firmware of the FortiGate units in a cluster, you must upgrade the firmware of each unit separately.

Replacing a FortiGate unit after failover
A failover can occur because of a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power.

set system ha override enable
Enable override so that the permanent primary unit overrides any other primary unit. For example, if the permanent primary unit shuts down, one of the other units in the cluster replaces it as the primary unit.

Weight values are entered in order according to the priority of the units in the cluster.

NAT/Route mode packet flow
In NAT/Route mode, five MAC addresses are involved in active-active communication between a client a.

The following are examples of switches that are compatible with the FGCP because they use a .
System status
You can connect to the web-based manager and view the current system status of the FortiGate unit.

Changing the FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 173.

Upgrading to a new firmware version
Use the following procedures to upgrade the FortiGate unit to a newer firmware version.

4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.

11 Update antivirus and attack definitions. For information, see “Manually initiating antivirus .

5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.

11 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
• FortiGate unit running v2.

To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate internal interface.

9 Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.

To install a backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.

Switching to the backup firmware image
Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed.

Switching back to the default firmware image
Use this procedure to switch the FortiGate unit to operating with the backup firmware image that had been running as the default firmware image.

4 Type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.

Displaying the FortiGate up time
1 Go to System > Status. The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.
Displaying log hard disk status
1 Go to System > Status.

Restoring system settings to factory defaults
Use the following procedure to restore system settings to the values set at the factory.

Changing to NAT/Route mode
Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults.

System status
You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use.

Figure 19: CPU and memory status monitor
Viewing sessions and network status
Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth.

4 Select Refresh to manually update the information displayed.
Figure 20: Sessions and network status monitor
Vie.

Figure 21: Sessions and network status monitor
Session list
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions.

Each line of the session list displays the following information.
Figure 22: Example session list
Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
FortiGate-800 Installation and Configuration Guide Version 2.50

Virus and attack definitions updates and registration
You can configure t.

Updating antivirus and attack definitions
The Update page on the web-based manager displays the following antivirus and attack definition update information.

Manually initiating antivirus and attack definitions updates
You can use the following procedure to update the antivirus and attack definitions at any time.

Configuring update logging
Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions.

4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

Enabling scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet t.

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates.

Enabling push updates through a NAT device
If the FDN can connect to the FortiGate unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration.

Figure 24: Example network topology: Push updates through a NAT dev.

Adding a port forwarding virtual IP to the FortiGate NAT device
Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.

Figure 25: Push update port forwarding virtual IP

Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device
1 Add a new external to internal firewall policy.

4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
5 Set Port to the external service port added to the virtual IP.

All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date.

Registering the FortiGate unit
Before registering a FortiGate unit, you require the following in.

4 Select the model number of the Product Model to register.
5 Enter the Serial Number of the FortiGate unit.

Recovering a lost Fortinet support password
If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password.

Figure 29: Sample list of registered FortiGate units

Registering a new FortiGate unit
To register a new FortiGate unit
1 Go to System > Update > Support.

6 Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number.
7 Add the new Support Contract number.

Downloading virus and attack definitions updates
Use the following procedure to manually download virus and attack definitions updates.

Registering a FortiGate unit after an RMA
The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure.
Network configuration
You can use the System Network page to change any of t.

Adding zones
The new zone does not appear in the policy grid until you add an interface to it (see “To add an interface to a zone” below) and add a firewall address for it (see “Adding addresses” on page 197).

Viewing the interface list
To view the interface list
1 Go to System > Network > Interface.

To add an interface to a zone
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a zone and select Modify.
3 From the Belong to Zone list, select the zone that you want to add the interface to.

4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.

7 Select Apply.
The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status: to refresh the addressing mode status message.

Controlling administrative access to an interface
For a FortiGate unit running in NAT/Route mode,.

Changing the MTU size to improve network performance
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface.

• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 170).

In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches.

Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.

To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit.

Virtual domain properties
A virtual domain has the following exclusive properties:
• VLAN name,
• VLAN ID,
• VLAN interface assignment,
• VLAN zone assignment (optional),
• Firewall policy.

Adding VLAN subinterfaces to a virtual domain
Use the following procedure to add VLAN subinterfaces to a virtual domain. You must add at least two VLAN subinterfaces to each virtual domain.

Figure 32: FortiGate unit containing a virtual domain with zones
Multiple zones in a single virtual domain cannot be connected to a single VLAN trunk.

Adding firewall policies for virtual domains
Once the network configuration for the virtual domain is complete, you must create firewall policies for the virtual domain to allow packets to flow through the firewall between VLAN subinterfaces.

Deleting virtual domains
You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain.

Adding a default route
You can add a default route for network traffic leaving the external interface.
To add a default route
1 Go to System > Network > Routing Table.
2 Select New to add a new route.

6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. You can select the name of an interface, VLAN subinterface, or Auto (the default).

5 Select OK to save the new route.
6 Repeat steps 1 to 5 to add more routes as required.

Configuring the routing table
The routing table shows the destination IP address and mask of each route that you add, as well as the gateways and devices added to the route.

Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules.

Configuring a DHCP relay agent
In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns responses from the DHCP server to the DHCP clients.

You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets.

Adding a reserve IP to a DHCP server
If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device.
RIP configuration
The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453.

5 Change the following RIP timer settings, as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems.

Figure 34: Configuring RIP settings

Configuring RIP for FortiGate interfaces
You can customize a RIP configuration for each FortiGate interface.

4 Select OK to save the RIP configuration for the selected interface.

Figure 35: Example RIP configuration for an internal interface
Password: Enter the password to be used for RIP version 2 authentication.

Adding RIP filters
Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter.

3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.

Assigning a RIP filter list to the outgoing filter
The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter.
System configuration
Use the System Config page to make any of the following c.

9 Select Apply.

Figure 36: Example date and time setting

Changing system options
On the System Config Options page, you can:
• Set the system idle timeout.
• Set the authentication timeout.

3 Select Apply.
Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 223.

Adding and editing administrator accounts
When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin.

Editing administrator accounts
The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels.

RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see FortiGate MIBs).

To configure SNMP community settings
1 Go to System > Config > SNMP v1/v2c.
2 Select the Enable SNMP check box.
3 Configure the following SNMP settings:
4 Select Apply.

Figure 37: Sample SNMP configuration

FortiGate MIBs
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 20.

FortiGate traps
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit.

VPN traps
NIDS traps
Antivirus traps
Logging traps

Table 23: FortiGate VPN traps
Trap message: VPN tunnel is up. Description: An IPSec VPN tunnel starts up and begins processing network traffic.

Fortinet MIB fields
The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product.

Users and authentication configuration
VPN configuration and status
NIDS configuration
Antivirus configuration
Web filter configuration

Table 29: User and authentication MIB fields
FnUserLocalTable: Local user list.

Logging and reporting configuration

Replacement messages
Replacement messages are added to content pa.

Customizing replacement messages
Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages.

Customizing alert emails
Customize alert emails to control the content displayed in alert email messages sent to system administrators.
To customize alert emails
1 Go to System > Config > Replacement Messages.

%%SOURCE_IP%%: The IP address from which the blocked file was received. For email this is the IP address of the email server that sent the email containing the blocked file. For HTTP this is the IP address of the web page that sent the blocked file.
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request.

This chapter describes:
• Default firewall configuration
• Adding firewall policies
• Configuring policy lists
• Addres.

Interfaces
Add policies to control connections between FortiGate interfaces and between the networks connected to these interfaces.

Addresses
To add policies between interfaces, VLAN subinterfaces, and zones, the firewall configuration must contain addresses for each interface, VLAN subinterface, or zone. By default the firewall configuration includes the addresses listed in Table 37.

Content profiles
Add content profiles to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services.

Figure 40: Adding a NAT/Route policy

Firewall policy options
This section describes the options that you can add to firewall policies.
Source: Select an address or address group that matches the source address of the packet.

Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface, VLAN subinterface, or zone.

NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port.

Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection.

Figure 41: Adding a Transparent mode policy
Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see “Logging and reporting” on page 309.

Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match.

Changing the order of policies in a policy list
To change the order of a policy in a policy list
1 Go to Firewall > Policy.
2 Select the policy list that you want to change the order of.

Addresses
All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy.

6 Enter the Netmask.
The netmask corresponds to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.

Deleting addresses
Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy.

Figure 43: Adding an internal address group

Services
Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy.

GRE: Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.

LDAP: Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389
NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium.

Adding custom TCP and UDP services
Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list.
To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.

Adding custom ICMP services
Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list.
To add a custom ICMP service
1 Go to Firewall > Service > Custom.

3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name.

Creating one-time schedules
You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times.

Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week.

Adding schedules to policies
After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.

This section describes:
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs

Adding static NAT virtual IPs
To add a static NAT virtual IP
1 Go to Firewall > Virtual IP.

7 In Map to IP, type the real IP address on the destination network, for example, the IP address of a web server on an internal network.
8 Select OK to save the virtual IP.
You can now add the virtual IP to firewall policies.

6 Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address.

Figure 48: Adding a port forwarding virtual IP

Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets.
To add a policy with a virtual IP
1 Go to Firewall > Policy.

4 Select OK to save the policy.

IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface.

Figure 49: Adding an IP Pool

IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection.

You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the static IP/MAC table.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.

3 Enter the IP Address and the MAC Address.
You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address.

Figure 50: IP/MAC settings

Content profiles
Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.

Default content profiles
The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.

6 Enable the email filter protection options that you want.
7 Enable the fragmented email and oversized file and email options that you want.
8 Select OK.

Figure 51: Example content profile
Web Content Block: Block web pages that contain unwanted words or phrases.

Adding content profiles to policies
You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server.

This chapter describes:
• Setting authentication timeout
• Adding user names and configuring authentication
• Configu.

5 Select the Try other servers if connect to selected server fails c.

Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.

Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication.

7 Enter the distinguished name used to look up entries on the LDAP server.
Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.

Configuring user groups
To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication.

Figure 55: Adding a user group
3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
FortiGate-800 Inst allati on and Configuration Guide V ersion 2.50 FortiGate-800 Installation and Configuration Guide 231 IPSec VPN A Virtua l Private Network (VPN) is an extension of a private network that encompasses links across sh ared or public networks such as the Intern et.
232 Fortinet Inc. Key management IPSec VPN Key management There are three basic elem ents in any en cryption system: • an algorithm that change s info rmation into code, • a cryptographic key that serves as a secret starting point for the algorithm, • a management system to control the ke y .
IPSec VPN Manual key IPSec VPNs FortiGate-800 Installation and Configuration Guide 233 In some respect s, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.
234 Fortinet Inc. Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexade cimal number of up to eight digit s (digits can be 0 to 9, a to f) in the rang e bb8 to FFFFFFF . This number must be added to the Local SPI at the opposite end of the tunnel.
AutoIKE IPSec VPNs

FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.

3 Type a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.

10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer.
• Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID.

4 Optionally, configure NAT Traversal.
5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established.

Figure 56: Adding a phase 1 configuration (Standard options)
Figure 57: Adding a phase 1 configuration (Advan...

Adding a phase 2 configuration for an AutoIKE VPN

Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).

10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration.
Managing digital certificates

Use digital certificates to authenticate both participants in an IPSec communication session, so that each peer has verified the identity of the other before the encrypted VPN tunnel is set up between them.

6 Configure the key.
7 Select OK to generate the private and public key pair and the certificate request. The key pair is generated and the certificate request is displayed on the Local Certificates list with a status of Pending.

Downloading the certificate request

Use the following procedure to download a certificate request from the FortiGate unit to the management computer.

To download the certificate request
1 Go to VPN > Certificates > Local Certificates.

Obtaining CA certificates

For the VPN peers to authenticate each other, both must obtain the CA certificate of the same certificate authority, the one that signed their local certificates.
Configuring encrypt policies

In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of day or the day of the week, month, or year).

Adding a destination address

The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

For information about configuring the remaining policy settings, see "Adding firewall policies" on page 189.
Figure 60: Adding an encrypt policy

IPSec VPN concentrators

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes.

If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.

See "Adding an encrypt policy" on page 247.
5 Arrange the policies in the following order:
• encrypt

VPN spoke general configuration steps

A remote VPN peer that functions as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.

See "Adding an encrypt policy" on page 247.
6 Arrange the policies in the following order:
• outbound encrypt
Redundant IPSec VPNs

Configuring redundant IPSec VPNs

Prior to configuring the VPN, make sure that both FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces.
Monitoring and Troubleshooting VPNs
• Viewing VPN tunnel status
• Viewing dialup VPN connection status

Figure 63: Dialup Monitor

Testing a VPN

To confirm that a VPN between two networks has been configured correctly, use the ping command from a computer on one internal network to reach a computer on the other internal network. The encrypt policy must allow the ICMP traffic for this test to succeed; a failed ping can therefore indicate a service restriction in the policy rather than a tunnel problem.
FortiGate-800 Installation and Configuration Guide, Version 2.50

PPTP and L2TP VPN

You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network.

Configuring PPTP

Configuring the FortiGate unit as a PPTP gateway

Use the following procedures to configure the FortiGate unit as a PPTP gateway.

To add users and user groups
Add a user for each PPTP client.

3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
5 Select OK to save the source address.

6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP. Restricting the service to what the clients actually need limits what a compromised or misconfigured client can reach through the tunnel.
7 Set Action to ACCEPT.
8 Select NAT if address translation is required.

To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.

5 Name the connection and select Next.
6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
Configuring L2TP

Some implementations of L2TP support elements of IPSec. L2TP by itself does not encrypt the tunnelled traffic; the Windows client procedures below disable IPSec, so the connection relies on the PPP data encryption selected on the client (Require data encryption).

Figure 65: Sample L2TP address range configuration

To add source addresses
Add a source address for every address in the L2TP address range.
1 Go to Firewall > Address.
2 Select the interface to which L2TP clients connect.

6 Select OK to add the address group.

To add a destination address
Add an address to which L2TP users can connect.
1 Go to Firewall > Address.
2 Select the internal interface or the DMZ interface.

7 In the Connect window, select Properties.
8 Select the Security tab.
9 Make sure that Require data encryption is selected.
10 Select the Networking tab.
11 Set VPN server type to Layer-2 Tunneling Protocol (L2TP).

4 In the Connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.

To disable IPSec
1 Select the Networking tab.
2 Select Internet Protocol (TCP/IP) properties.
3 Double-click the Advanced tab.
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSEC is selected.
Network Intrusion Detection System (NIDS)

The FortiGate NIDS is a real-time...

Detecting attacks

Selecting the interfaces to monitor

To select the interfaces to monitor for attacks
1 Go to NIDS > Detection > General.
2 Select the interfaces to monitor for network attacks.

Viewing the signature list

You can display the current list of NIDS signature groups and the members of a signature group.

To view the signature list
1 Go to NIDS > Detection > Signature List.

Figure 67: Example signature group members list

Disabling NIDS attack signatures

By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disable a signature only after confirming that it produces false positives on your traffic; a disabled signature leaves the corresponding attack undetected.

To add user-defined signatures
1 Go to NIDS > Detection > User Defined Signature List.
Preventing attacks

NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values.

Setting signature threshold values

You can change the default threshold values for the NIDS Prevention signatures listed in Table 40. A threshold sets how much matching traffic the unit tolerates before it treats the traffic as an attack: set too low, legitimate bursts are dropped; set too high, a slower attack passes unnoticed.

To set Prevention signature threshold values
1 Go to NIDS > Prevention.
2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
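The threshold mechanism behind the steps above, as an added Python illustration (this is not Fortinet's code and does not describe how the FortiGate unit implements its signatures): packets matching a signature are counted per source inside a sliding time window, and the signature fires once the count exceeds its threshold, which is the point at which a prevention system would start dropping that source's matching packets. The one-second window, the per-source counting, the signature names synflood and icmpflood, their threshold values and the packet records are all assumptions constructed for this example; the unit's real defaults are in Table 40.

```python
from collections import defaultdict, deque

# Constructed sample traffic: a SYN flood from one host (203.0.113.5) mixed
# with a normal TCP handshake and a few ICMP echo requests.
# Record layout: (timestamp_seconds, src_ip, protocol, tcp_flags, dst_port).
SAMPLE_PACKETS = (
    [(0.01 * i, "203.0.113.5", "tcp", "S", 80) for i in range(60)]
    + [(0.30, "198.51.100.7", "tcp", "S", 443), (0.31, "198.51.100.7", "tcp", "A", 443)]
    + [(0.50 + 0.2 * i, "192.0.2.9", "icmp", "", 0) for i in range(5)]
)

# Assumed sliding window, in seconds, over which matching packets are counted.
WINDOW_S = 1.0

# Assumed signature table: name -> (match predicate, threshold). The names and
# values are examples only; the appliance's defaults live in Table 40.
SIGNATURES = {
    "synflood": (lambda p: p[2] == "tcp" and p[3] == "S", 50),
    "icmpflood": (lambda p: p[2] == "icmp", 100),
}


def detect(packets, signatures=SIGNATURES, window_s=WINDOW_S):
    """Run the threshold signatures over a packet sequence.

    Returns {(signature_name, src_ip): timestamp} for each (signature, source)
    pair whose count inside the sliding window first exceeded its threshold.
    A prevention system would start dropping the source's matching packets at
    that timestamp; here the event is only recorded.
    """
    recent = defaultdict(deque)   # (signature, src) -> timestamps still in window
    triggered = {}
    for pkt in packets:
        ts, src = pkt[0], pkt[1]
        for name, (match, threshold) in signatures.items():
            if not match(pkt):
                continue
            key = (name, src)
            window = recent[key]
            window.append(ts)
            # Evict timestamps older than the window so a slow trickle of
            # matching packets never accumulates into a false alarm.
            while window and ts - window[0] > window_s:
                window.popleft()
            if len(window) > threshold and key not in triggered:
                triggered[key] = ts
    return triggered


if __name__ == "__main__":
    for (name, src), ts in detect(SAMPLE_PACKETS).items():
        print(f"{ts:6.2f}s  {name:<10} threshold exceeded by {src}")
```

Only the flooding source trips the synflood signature (on its 51st SYN within the window); the single legitimate handshake and the five ICMP packets stay under their thresholds. Spreading the same 60 SYNs over 0.1 s intervals keeps at most 11 in any one-second window and nothing fires, which is exactly the trade-off a threshold value makes.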
Logging attacks

The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue.
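The queue behaviour described above, as an added Python example (not FortiGate code): a new message is sent at once and a copy is kept in the queue; a message identical to a queued one is held back. Two details the page does not specify are assumptions of this example: a duplicate is a message whose subject and body match after whitespace normalisation, and a queued copy is forgotten after a hold time so that a recurring problem is reported again later rather than silenced for good. The alert messages are constructed.

```python
class AlertEmailQueue:
    """Duplicate-suppressing alert email queue (added illustration, not FortiGate code).

    Each new message is compared with the messages already in the queue. A
    message that is not a duplicate is sent immediately and a copy is kept in
    the queue; a duplicate is held back. The duplicate rule (same subject and
    body after whitespace normalisation) and the hold time after which a
    queued copy is forgotten are assumptions of this example.
    """

    def __init__(self, send, hold_s=60.0):
        self._send = send          # callable(message) that delivers the email
        self._hold_s = hold_s      # assumed: how long a copy stays in the queue
        self._queue = {}           # fingerprint -> time the copy was queued
        self.suppressed = 0

    @staticmethod
    def fingerprint(msg):
        return (" ".join(msg["subject"].split()), " ".join(msg["body"].split()))

    def _expire(self, now):
        for fp, queued_at in list(self._queue.items()):
            if now - queued_at >= self._hold_s:
                del self._queue[fp]

    def submit(self, msg, now):
        """Offer a message at time ``now``; return True if sent, False if suppressed."""
        self._expire(now)
        fp = self.fingerprint(msg)
        if fp in self._queue:
            self.suppressed += 1
            return False
        self._queue[fp] = now
        self._send(msg)
        return True


def run_sample():
    """Drive the queue with constructed alerts; returns (decisions, sent_count, suppressed_count)."""
    sent = []
    queue = AlertEmailQueue(sent.append, hold_s=60.0)
    synflood = {"subject": "NIDS alert: synflood", "body": "source 203.0.113.5 exceeded threshold"}
    virus = {"subject": "Antivirus alert", "body": "blocked file invoice.exe"}
    decisions = [
        queue.submit(synflood, now=0.0),    # first report: sent
        queue.submit(synflood, now=1.0),    # same text 1 s later: suppressed
        queue.submit(virus, now=2.0),       # different alert: sent
        queue.submit(dict(synflood, body="  source 203.0.113.5   exceeded threshold "), now=3.0),  # only whitespace differs: suppressed
        queue.submit(synflood, now=61.0),   # hold time elapsed: sent again
    ]
    return decisions, len(sent), queue.suppressed


if __name__ == "__main__":
    print(run_sample())
```

Five submissions produce three emails and two suppressions. Without the hold time the synflood alert would be sent exactly once for the lifetime of the queue, so a flood that stops and restarts the next day would never be reported again; that is why the expiry, although not described on this page, is part of the example.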
Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves.

Antivirus scanning

6 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file.

Figure 69: Example content profile for virus scanning

File blocking

Enable file blocking to remove all files that are a potential threat, whether or not a virus has been detected in them, and to provide the best protection from active computer virus attacks. Files are blocked by name pattern, so the protection is only as good as the pattern list.
By default, when blocking is enabled, the FortiGate unit blocks the following file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *...
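The pattern matching behind file blocking, as an added Python example (not Fortinet's code): file names are tested against the default patterns quoted above. Case-insensitive comparison and matching on the final path component only are choices made for this example; the page does not say how the unit normalises file names. The pattern list is limited to the entries visible on this page because the original list is truncated, and the attachment names are constructed.

```python
import fnmatch
import posixpath

# The default patterns quoted above. The list on this page is truncated, so
# only the patterns that appear are included here.
DEFAULT_BLOCK_PATTERNS = ["*.bat", "*.com", "*.exe", "*.gz", "*.rar", "*.tar"]


def blocked_by(filename, patterns=DEFAULT_BLOCK_PATTERNS):
    """Return the first pattern that matches the file's name, or None.

    Matching is case-insensitive and applied to the final path component
    only, so 'Setup.EXE' and 'invoice.pdf.exe' are caught, while a directory
    component such as 'bin.exe/notes.txt' is not. Both choices are this
    example's; the page does not say how the appliance normalises names.
    """
    base = posixpath.basename(filename.replace("\\", "/")).lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(base, pattern.lower()):
            return pattern
    return None


def filter_attachments(names, patterns=DEFAULT_BLOCK_PATTERNS):
    """Split attachment names into (passed, blocked); each blocked entry is
    (name, matching_pattern) so a log line can say why it was removed."""
    passed, blocked = [], []
    for name in names:
        pattern = blocked_by(name, patterns)
        if pattern is None:
            passed.append(name)
        else:
            blocked.append((name, pattern))
    return passed, blocked


# Constructed attachment names covering the interesting cases.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "Setup.EXE",            # upper-case extension
    "invoice.pdf.exe",      # double extension hiding an executable
    "backup.tar",
    "archive.tar.gz",       # matches *.gz, not *.tar
    "bin.exe/notes.txt",    # pattern-like directory name, harmless file
    "readme.txt",
]


if __name__ == "__main__":
    passed, blocked = filter_attachments(SAMPLE_ATTACHMENTS)
    for name, pattern in blocked:
        print(f"blocked {name!r} (matched {pattern})")
    print("passed:", passed)
```

Name-based blocking stops exactly the listed patterns and nothing else: a renamed executable such as setup.ex_ or an archive type missing from the list passes, which is why file blocking is a complement to virus scanning rather than a replacement for it.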
Quarantine

FortiGate units with a hard disk can quarantine blocked or infected files. The quarantined files are removed from the content stream and stored on the FortiGate hard disk.

5 Add this content profile to firewall policies. See "Adding content profiles to policies" on page 221.

Viewing the quarantine list

To view the quarantine list
1 Go to Anti-Virus > Quarantine.

Filtering the quarantine list

You can filter the quarantine list to:
• Display only blocked files
• Display...

3 Type the Age Limit (TTL) in hours to specify how long files are left in quarantine. The maximum number of hours is 480. The FortiGate unit automatically deletes a file when the TTL reaches 00:00, so retrieve anything you need for incident analysis before the age limit runs out.

Exempting fragmented email from blocking

A fragmented email is a large email message that has been split into smaller messages that are sent individually and recombined when they are received. Because each fragment carries only part of the message, the content cannot be scanned as a whole; exempting fragmented email from blocking therefore lets through content that antivirus scanning cannot assess.
Web filtering

When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.

Content blocking

3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies.

4 Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words; the match is on the presence of each word in the page, not on the exact phrase.

Backing up the Banned Word list

You can back up the banned word list by downloading it to a text file on the management computer.

To back up the banned word list
1 Go to Web Filter > Content Block.

5 Select Return to display the updated Banned Word List.
6 You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary.
URL blocking

4 Ensure that the Enable checkbox has been selected and then select OK.
5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list.

Downloading the Web URL block list

You can back up the Web URL block list by downloading it to a text file on the management computer.

To download a Web URL block list
1 Go to Web Filter > Web URL Block.

8 You can continue to maintain the Web URL block list by making changes to the text file and uploading it again.

Configuring FortiGate Web pattern blocking

You can configure FortiGate web pattern blocking to block web pages that match a URL pattern.
Configuring Cerberian URL filtering

Installing a Cerberian license key

Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit.

You can add users to the default group and apply any policies to the group. Use the default group to add:
• All the users who are not assigned alias names on the FortiGate unit.
• All the users who are not assigned to other user groups.

Script filtering

You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages.
Exempt URL list

Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. An exempt URL bypasses those checks entirely, so keep the list narrow and review it periodically.

Figure 75: Example URL Exempt list

Downloading the URL Exempt List

You can back up the URL Exempt List by downloading it to a text file on the management computer.

3 Select Upload URL Exempt List.
4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5 Select OK to upload the file to the FortiGate unit.
6 Select Return to display the updated URL Exempt List.
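One way to put the web filtering lists on this page together, as an added Python example (not Fortinet's code): a request is allowed outright if its URL is on the exempt list; otherwise it is blocked if the URL is on the Web URL block list or matches a web pattern; finally the page content is checked against the banned word list using the single-word and phrase semantics described under content blocking. The evaluation order, the host/path matching rule for URL entries and all list contents are assumptions constructed for the example; the page only states that an exempt URL overrides content and URL blocking.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed lists standing in for the Web URL block list, the web pattern
# block list, the URL exempt list and the banned word list. The evaluation
# order (exempt first, then URL block, then URL patterns, then page content)
# is this example's assumption.
EXEMPT_URLS = ["intranet.example.com", "www.example.com/security/"]
URL_BLOCK = ["bad.example.net", "www.example.org/games/"]
URL_PATTERNS = ["*.casino-example.*", "*/downloads/*.exe"]
BANNED_WORDS = ["banned phrase", "banned"]


def url_matches(url, entry):
    """A list entry that is just a host matches every URL on that host; an
    entry with a path matches that host and everything under that path.
    (Assumed matching rule; the page does not define one.)"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname or "", parts.path or "/"
    entry_host, _, entry_path = entry.partition("/")
    if host != entry_host.lower():
        return False
    return not entry_path or path.startswith("/" + entry_path)


def content_matches(page_text, entry):
    """Single word: the page contains it. Phrase: the page contains every word
    of the phrase, anywhere, not necessarily adjacent (as described above)."""
    words = set(re.findall(r"[a-z0-9]+", page_text.lower()))
    return all(w in words for w in entry.lower().split())


def web_filter(url, page_text, exempt=EXEMPT_URLS, block=URL_BLOCK,
               patterns=URL_PATTERNS, banned=BANNED_WORDS):
    """Decide one HTTP response: returns ('allow', why) or ('block', why)."""
    for entry in exempt:
        if url_matches(url, entry):
            return ("allow", "exempt:" + entry)
    for entry in block:
        if url_matches(url, entry):
            return ("block", "url:" + entry)
    bare = url.split("://", 1)[-1].lower()        # host plus path, no scheme
    for pattern in patterns:
        if fnmatch.fnmatchcase(bare, pattern.lower()):
            return ("block", "pattern:" + pattern)
    for entry in banned:
        if content_matches(page_text, entry):
            return ("block", "content:" + entry)
    return ("allow", "")


if __name__ == "__main__":
    # Constructed requests: (url, body of the fetched page).
    for url, body in [
        ("http://intranet.example.com/news", "this page is banned"),
        ("http://www.example.com/blog", "this phrase was never banned"),
        ("http://games.casino-example.com/play", ""),
        ("http://www.example.net/downloads/tool.exe", ""),
    ]:
        print(url, "->", web_filter(url, body))
```

Because the exempt list is consulted first, a page on intranet.example.com containing a banned word is allowed, which is the intended effect of exempting a URL and also the reason the list should stay short. The phrase entry shows the "both words" rule: a page with "phrase" and "banned" far apart still matches "banned phrase".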
Email filter

Email filtering is enabled in firewall policies.

Email banned word list

When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. The email is delivered with the tag rather than dropped.

Downloading the email banned word list

You can back up the banned word list by downloading it to a text file on the management computer.

To download the banned word list
1 Go to Email Filter > Content Block.
Email block list

You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses.

Uploading an email block list

You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file.

Adding address patterns to the email exempt list

To add an address pattern to the email exempt list
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
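The email filter as a whole (banned word list, block list and exempt list from the sections above), as an added Python example that is not Fortinet's code: a message from an exempt sender passes untouched; otherwise the From address is tested against the block-list patterns and, if it does not match, the subject and body are checked for banned words or phrases using the same single-word/phrase rule as web content blocking; a hit gets a tag prepended to the subject and the message is otherwise delivered unchanged. The shell-style wildcard syntax for address patterns, the tag text, the order of the checks and the sample messages are assumptions constructed for the example.

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lists. On the appliance these are uploaded as text files with one
# pattern per line; the shell-style wildcards ('*' and '?'), the tag text and
# the evaluation order used below are assumptions of this example.
BLOCK_LIST = ["*@spam-example.net", "promo*@*.example-marketing.com"]
EXEMPT_LIST = ["newsletter@spam-example.net"]
BANNED_WORDS = ["lottery prize"]
TAG = "[BLOCKED]"


def sender_matches(addr, patterns):
    addr = addr.lower()
    return any(fnmatch.fnmatchcase(addr, p.lower()) for p in patterns)


def contains_banned(text, entry):
    """Single word: present in the text. Phrase: every word of it present."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return all(w in words for w in entry.lower().split())


def tag_message(raw, block=BLOCK_LIST, exempt=EXEMPT_LIST, banned=BANNED_WORDS, tag=TAG):
    """Return (message_text, reason). reason is None when the message is left
    alone, 'sender' when the From address matched the block list, or
    'word:<entry>' when a banned word or phrase was found in subject or body.
    An exempt sender skips both checks (assumed). Only the Subject header is
    changed; the body is delivered untouched, which is what tagging means."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr and sender_matches(addr, exempt):
        return raw, None
    reason = None
    if addr and sender_matches(addr, block):
        reason = "sender"
    else:
        payload = msg.get_payload()
        text = msg.get("Subject", "") + " " + (payload if isinstance(payload, str) else "")
        for entry in banned:
            if contains_banned(text, entry):
                reason = "word:" + entry
                break
    if reason is None:
        return raw, None
    subject = msg.get("Subject")
    if subject is None:
        msg["Subject"] = tag
    else:
        msg.replace_header("Subject", f"{tag} {subject}")
    return msg.as_string(), reason


# Constructed sample messages, one per case.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.com>\nSubject: lunch\n\nNoon?\n",
    "From: \"Deals\" <deals@spam-example.net>\nSubject: You won\n\nClick here\n",
    "From: newsletter@spam-example.net\nSubject: Weekly digest\n\nNews\n",
    "From: PROMO-2004@mail.example-marketing.com\nSubject: Sale\n\nBuy now\n",
    "From: bob@example.org\nSubject: Claim your prize\n\nThe lottery committee needs your details.\n",
]


def run_sample(messages=SAMPLE_MESSAGES):
    """Return [(subject_after_filtering, reason), ...] for the sample messages."""
    results = []
    for raw in messages:
        text, reason = tag_message(raw)
        results.append((message_from_string(text)["Subject"], reason))
    return results


if __name__ == "__main__":
    for subject, reason in run_sample():
        print(f"{subject!r:40} {reason}")
```

The third message shows the exempt list doing its job: newsletter@spam-example.net matches the block pattern *@spam-example.net but is exempted, so it is not tagged. The last message is tagged by the banned phrase even though "lottery" is in the body and "prize" in the subject, because a phrase matches when all of its words are present.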
Logging and reporting

You can configure the FortiGate unit to log network activity, from routine configuration changes and traffic sessions to emergency events.

Recording logs

Recording logs on a remote computer

You can configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server. Standard syslog carries messages without encryption or authentication, so the syslog server should sit on a trusted, access-controlled network segment and the path to it should not cross untrusted networks.

To record logs on a remote computer
1 Go to Log&Report > Log Setting.

5 Select Config Policy. To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in "Filtering log messages" on page 313 and "Configuring traffic logging" on page 314.

Recording logs in system memory

If your FortiGate unit does not contain a hard disk, you can configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter, and email filter log messages. Logs held in memory are lost when the unit restarts, so also forward them to a syslog server if you need a durable record.
Filtering log messages

You can configure the logs that you want to record and the message categories that you want to record in each log.

To filter log entries
1 Go to Log&Report > Log Setting.

Figure 79: Example log filter configuration

Configuring traffic logging

You can configure the FortiGate unit to record traffic...

Enabling traffic logging

You can enable logging on any interface, VLAN subinterface, and firewall policy.

Configuring traffic filter settings

You can configure the information recorded in all traffic log messages.

To configure traffic filter settings
1 Go to Log&Report > Log Setting > Traffic Filter.

4 Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected in "Enabling traffic logging" on page 315.
Viewing and managing logs saved to the hard disk

4 To view a specific line in the log, type a line number in the Go to line field and select the button beside it.
5 To navigate through the log message pages, select Go to next page or Go to previous page.

Viewing logs

Log messages are listed with the most recent message at the top.

To view the active or saved logs
1 Go to Log&Report > Logging.

Downloading a log file to the management computer

You can download log files to the management computer as plain text files or comma-separated value (CSV) files.
Configuring alert email

You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewall or VPN events or violations.

Enabling alert email

You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations.
Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.

LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.

SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong authentication and encrypted communications over insecure channels.
Index

A
accept policy 191
action, policy option 191
active log, deleting all mess...

attack updates: configuring 121; scheduling 120; through a proxy server 122
authentication 193, 223: configuring 224; enabling 229; LDAP server 227; RADIUS server 226; timeout 170
auto...

D
DHCP: adding a DHCP server to an interface 158; adding a reserved IP to a DHCP server 160; adding a scope to a DHCP server 158; configuring 157...

FortiResponse Distribution Network 118: connecting to 118
FortiResponse Distribution Server 118
from IP, system status 115
from port, system status 115
front keypad and LCD, conf...

IPSec VPN: authentication for user group 229; AutoIKE 232; certificates 232; disabling 266, 268; manual keys 232; pre-shared keys 232; remote gat...

mode, Transparent 18
monitor, system status 114
monitored interfaces 270
monitoring system status 111
MTU size 144: changing 144; definition 324; improving network performance 144...

PPTP dialup connection: configuring Windows 2000 client 261; configuring Windows 98 client 260; configuring Windows XP client 261
PPTP gatewa...

schedule 205: applying to policy 208; automatic antivirus and attack definition updates 120; creating one-time 206; creating recurring 207; one-time 206; policy option 191; recurri...

system settings: backing up 108; restoring 108; restoring to factory default 109
system status 93, 111, 161
system status monitor 114

T
TCP co...

viewing: dialup connection status 255; logs 318, 319; logs saved to memory 317; VPN tunnel status 255
virtual domain: adding 149; adding a VLAN 150; adding a zone 150; adding firewall...