FortiOS 5.0.4 | 1U Models

Summary of Contents for Fortinet FortiGate 1U

  • Page 1 FortiOS 5.0.4 | 1U Models...
  • Page 2 For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
  • Page 5 FortiGate 1U QuickStart Guide...
  • Page 6 Register for Support. Please register: register your Fortinet product today. Registration gives you the following benefits: technical support • new feature additions • protection against new threats. Register your Fortinet product now. Only after registering can you receive technical support, information on new product features, and the latest threat protection. Information...
  • Page 7 FortiGate Setup Options OS X Web Browser with Ethernet cable...
  • Page 8 Windows/OS X with USB...
  • Page 9 Terminal Emulation with Console Cable...
  • Page 10 iPhone/iPad/iPod Touch with Apple USB cable...
  • Page 11 Installation...
  • Page 12 SFP Transceivers caps...
  • Page 15 The FortiGate Cookbook Recipes for Success with your FortiGate...
  • Page 17: Table Of Contents

    Contents: Introduction (1); Tips for using the FortiGate Cookbook (2); Installing & Setup (5); Connecting a private network to the Internet using NAT/Route mode (6); Extra help: NAT/Route mode (10); Adding a FortiGate unit without changing the network configuration (13); Extra help: Transparent mode ...
  • Page 18 Security Policies & Firewall Objects (69); Ordering security policies to allow different access levels (70); Controlling when BYOD users can access the Internet (74); Using port forwarding on a FortiGate unit (77); Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit (82); Using AirPrint with iOS and OS X and a FortiGate unit ...
  • Page 19 Providing Single Sign-On for Windows AD with LDAP (169); Preventing security certificate warnings when using SSL inspection (173); Extra help: Certificates (177); SSL and IPsec VPN (179); Using IPsec VPN to provide communication between offices (180); Providing remote users with access using SSL VPN ...
  • Page 21: Introduction

    Introduction The FortiGate Cookbook provides examples, or recipes, of basic and advanced FortiGate configurations to administrators who are unfamiliar with the unit. All examples require access to the graphical user interface (GUI), also known as the web-based manager. Each example begins with a description of the desired configuration, followed by step-by-step instructions.
  • Page 22: Tips For Using The Fortigate Cookbook

    Tips for using the FortiGate Cookbook Before you get started, here are a few tips about using the FortiGate Cookbook: Understanding the basics While the FortiGate Cookbook was written with new FortiGate users in mind, some basic steps, such as logging into the FortiGate unit, are not included in most recipes. This information can be found in the first example, “Connecting a private network to the Internet using NAT/Route mode”...
  • Page 23 Text elements Bold text indicates the name of a GUI field or feature. When required, italic text indicates information that you must enter. Selecting OK/Apply Always select OK or Apply when you complete a GUI step. Because this must be done frequently, it is an assumed step and is not included in most recipes.
  • Page 25: Installing & Setup

    Installing & Setup The FortiGate unit provides protection for a variety of different network functions and configurations. This section contains information about the basic setup for common network functions as well as different roles that a FortiGate unit can have within your network.
  • Page 26: Connecting A Private Network To The Internet Using Nat/Route Mode

    Connecting a private network to the Internet using NAT/Route mode In this example, you will learn how to connect and configure a new FortiGate unit to securely connect a private network to the Internet. Typically, a FortiGate unit is installed as a gateway or router between a private network and the Internet, where the FortiGate operates in NAT/Route mode in order to hide the addresses of the private network from prying eyes, while still allowing anyone on the private network to freely connect to the Internet.
  • Page 27 Connecting the network Connect the FortiGate WAN1 interface to your ISP-supplied equipment. Connect the internal network to the FortiGate internal interface (typically port 1). Power on the ISP’s equipment, the FortiGate unit, and the PCs on the Internal network. FortiGate Internal Network Configuring the FortiGate unit’s interfaces...
  • Page 28 Edit the internal interface. Set the Addressing Mode to Manual and set the IP/Netmask to the private IP of the FortiGate unit. Go to Router > Static > Static Routes and select Create New to add a default route. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, set the Device to wan1, and set the Gateway to the gateway (or default route) provided by your ISP or to the...
  • Page 29 Creating a policy to enable NAT/Route mode Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the private network to access the Internet. Select Enable NAT and Use Destination Interface Address and click OK.
  • Page 30: Extra Help: Nat/Route Mode

    Extra help: NAT/Route mode This section provides instructions for troubleshooting connection issues in situations when a NAT/Route configuration is used. 1. Use FortiExplorer if you can’t connect to the FortiGate GUI or CLI If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer.
  • Page 31 Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com ping: cannot resolve www.fre.com: Unknown host If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct.
  • Page 32 11. Verify that you can connect to the wan1 IP address of the FortiGate unit. Once you have established that the internal network is operating, ping the FortiGate wan1 interface IP address. If you cannot connect to the wan1 interface, the FortiGate unit is not allowing internal to wan1 sessions.
  • Page 33: Adding A Fortigate Unit Without Changing The Network Configuration

    Adding a FortiGate unit without changing the network configuration This section describes how to connect and configure a new FortiGate unit to protect a private network without changing the network configuration. This is known as Transparent mode and it allows you to add network security without replacing the router.
  • Page 34 Connecting the FortiGate and configuring Transparent mode Changing to Transparent mode removes most configuration changes made in NAT/Route mode. To keep your current NAT/Route mode configuration, back up the configuration using the System Information dashboard widget. Go to System > Dashboard > Status > System Information and beside Operation Mode select Change.
  • Page 35 Creating a security policy Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the private network to access the Internet. Under Security Profiles, enable Antivirus and enable Application Control. Press OK to save the security policy. Power off the FortiGate unit.
  • Page 36 Results On the PC that you used to connect to the FortiGate internal interface, open a web browser and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method.
  • Page 37: Extra Help: Transparent Mode

    Extra help: Transparent mode This section provides instructions for troubleshooting connection issues when using a FortiGate in Transparent mode. 1. Use FortiExplorer if you can’t connect to the FortiGate GUI or CLI If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer.
  • Page 38 Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com ping: cannot resolve www.fre.com: Unknown host If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct.
  • Page 39 incorrect results, the FortiGate unit cannot connect to the Internet from its management IP address. Check the FortiGate unit’s default route to make sure it is correct. Check your Internet firewall to make sure it allows connections from the FortiGate management IP address to the Internet.
  • Page 40 13. Reset the FortiGate unit to factory defaults and try again If all else fails, use the CLI command . When prompted, type to confirm the reset. Resetting the FortiGate unit to factory defaults will put the unit back into NAT/Route mode. The FortiGate Cookbook 5.0.
  • Page 41: Verifying And Updating The Fortigate Unit's Firmware

    Verifying and updating the FortiGate unit’s firmware This example verifies the current version of FortiOS firmware and, if necessary, updates it to the latest version. Always review the Release Notes before installing a new firmware version. They provide the recommended upgrade path for the firmware release as well as additional information not available in other documentation.
  • Page 42 FortiOS firmware To download a newer firmware version, browse to http://support.fortinet.com and log in using your Fortinet account user name and password. Your FortiGate unit must be registered before you can access firmware images from the Support site. Go to Download Firmware Images >...
  • Page 43 Updating the FortiGate to the latest firmware Go to System > Dashboard > Status. Back up your configuration from the System Information dashboard widget, next to System Configuration. Always remember to back up your configuration before doing any firmware upgrades. Under System Information > Firmware Version, select Update.
  • Page 44: Setting Up Fortiguard Services

    Setting up FortiGuard services If you have purchased FortiGuard services and registered your FortiGate unit, the FortiGate should automatically connect to a FortiGuard Distribution Network (FDN) and display license information about your FortiGuard services. In this example, you will verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget.
  • Page 45 Verifying the connection On the dashboard, go to the License Information widget. Any subscribed services should have a green check mark, indicating that connections are successful. A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered.
  • Page 46: Extra Help: Fortiguard

    FortiGuard services appear as expired/unreachable. Verify that you have registered your FortiGate unit, purchased FortiGuard services and that the services have not expired at support.fortinet.com. Services are active but still appear as expired/unreachable. Verify that the FortiGate unit can communicate with the Internet.
  • Page 47: Logging Network Traffic To Gather Information

    Logging network traffic to gather information This example demonstrates how to enable logging to capture the details of the network traffic processed by your FortiGate unit. 1. Recording log messages and enabling event logging 2. Enabling logging in the security policies 3.
  • Page 48 Recording log messages and enabling event logging Go to Log & Report > Log Config > Log Settings. Select where log messages will be recorded. You can save log messages to disk if your FortiGate unit supports this, to a FortiAnalyzer or FortiManager unit if you have one, or to FortiCloud if you have a subscription.
  • Page 49 Enabling logging in the security policies Go to Policy > Policy > Policy. Edit the policies controlling the traffic you wish to log. Under Logging Options, you can choose either Log Security Events or Log all Sessions. In most cases, you should select Log Security Events.
  • Page 50 You can also select any entry to view more information about a specific session. Different types of event logs can be found at Log & Report > Event Log. The example shows the System log that records system events, such as administrative logins and configuration changes.
  • Page 51: Extra Help: Logging

    Logging to a FortiAnalyzer unit is not working as expected. The firmware for the FortiGate and FortiAnalyzer units may not be compatible. Check the firmware release notes, found at support.fortinet.com, to see if this is the case. Extra help: Logging...
  • Page 52: Using Forticloud To Record Log Messages

    Using FortiCloud to record log messages This example describes setting up FortiGate logging to FortiCloud, an online log retention service provided by Fortinet. It also describes how to use FortiCloud to view and access FortiGate traffic logs. You must register your FortiGate unit before you can activate FortiCloud.
  • Page 53 Activating FortiCloud Go to System > Dashboard > Status. In the FortiCloud section of the License Information widget, select the green Activate button. Fill in the required information to create a new FortiCloud account. Using FortiCloud to record log messages...
  • Page 54 Sending logs to FortiCloud Go to Log & Report > Log Config > Log Setting. Enable Send Logs to FortiCloud and adjust the Event Logging settings as required. Select Test Connectivity to verify the connection between the FortiGate unit and your FortiCloud account.
  • Page 55 Results Go to System > Dashboard > Status. In the FortiCloud section of the License Information widget, select Launch Portal. From the portal, you can view the log data and reports. You can access your FortiCloud account at any time by going to www.forticloud.com. Daily Summary reports can also be found through the FortiGate unit by going to Log &...
  • Page 56: Using Snmp To Monitor The Fortigate Unit

    FortiGate unit can send traps to the SNMP manager. 1. Configuring the FortiGate SNMP agent 2. Enabling SNMP on a FortiGate interface 3. Downloading Fortinet MIB files to and configuring an example SNMP manager 4. Results...
  • Page 57 Configuring the FortiGate SNMP agent Go to System > Config > SNMP. Configure the SNMP agent. Using SNMP to monitor the FortiGate unit...
  • Page 58 Under SNMP v1/v2c create a new community. Add the IP address of the SNMP manager (in the example, 192.168.1.114/32). If required, change the query and trap ports to match the SNMP manager. You can add multiple SNMP managers or set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any SNMP manager on any network connected to the FortiGate unit can use this SNMP community...
  • Page 59 FortiGate SNMP MIB file and the Fortinet Core MIB file. Two types of MIB files are available for FortiGate units: the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields, and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields, and information that is specific to FortiGate units.
  • Page 60 Choose Select Device, enter the IP address of the FortiGate unit, and choose the appropriate community string credentials. Open the SNMP Trap Receiver and select Launch. The FortiGate Cookbook 5.0.
  • Page 61 On the FortiGate unit, perform an action to trigger a trap (for example, change the IP address of the DMZ interface). Verify that the SNMP manager receives the trap. On the FortiGate unit, view log messages showing the trap was sent by going to Log & Report >...
  • Page 62: Setting Up An Explicit Proxy For Users On A Private Network

    Setting up an explicit proxy for users on a private network In this example, an explicit web proxy is set to accommodate faster web browsing. This allows internal users to connect using port 8080 rather than port 80. 1. Enabling explicit web proxy on the internal interface 2.
  • Page 63 Enabling explicit web proxy on the internal interface Go to System > Network > Interfaces. Edit an internal port (port 4 in the example). Enable both DHCP Server and Explicit Web Proxy. Go to System > Config > Features. Ensure that WAN Opt.
  • Page 64 Configuring the explicit web proxy for HTTP/HTTPS traffic Go to System > Network > Explicit Proxy and enable the HTTP/HTTPS explicit web proxy. Ensure that the Default Firewall Policy Action is set to Deny. The FortiGate Cookbook 5.0.
  • Page 65 Adding a security policy for proxy traffic Go to Policy > Policy > Policy. Create a new policy and set the Incoming Interface to web-proxy, the Outgoing Interface to an internal port (in the example, port 3), and the Service to webproxy. Results Configure web browsers on the private network to connect using a proxy server.
  • Page 66: Adding Packet Capture To Help Troubleshooting

    Adding packet capture to help troubleshooting Packet capture is a means of logging traffic and its details to troubleshoot any issues you might encounter with traffic flow or connectivity. This example shows the basics of setting up packet capture on the FortiGate unit and analyzing the results. 1.
  • Page 67 Creating a packet capture filter Go to System > Network > Packet Capture. Create a new filter. In this example, the FortiGate unit will capture 100 HTTP packets on the internal interface from/to host 192.168.1.200. Host(s) can be a single IP or multiple IPs separated by comma, IP range, or subnet.
  • Page 68 Stopping the packet capture Once the FortiGate reaches the maximum number of packets to save (in this case 100), the capturing progress stops and you can download the saved pcap file. You can also stop the capturing at any time before reaching the maximum number of packets.
  • Page 69: Protecting A Web Server On The Dmz Network

    Protecting a web server on the DMZ network In the following example, a web server is connected to a DMZ network. An internal-to-DMZ security policy allows internal users to access the web server using an internal IP address (10.10.10.22). A WAN-to-DMZ security policy hides the internal address, allowing external users to access the web server using a public IP address (172.20.120.22).
  • Page 70 Configuring the FortiGate unit’s DMZ interface Go to System > Network > Interfaces. Edit the DMZ interface. A DMZ Network (from the term ‘demilitarized zone’) is a secure network connected to the FortiGate that only grants access if it has been explicitly allowed.
  • Page 71 Creating security policies Go to Policy > Policy > Policy. Create a security policy to allow HTTP and HTTPS traffic from the Internet to the DMZ interface and the web server. Create a second security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and the web server.
  • Page 72 Results External users can access the web server on the DMZ network from the Internet using http://172.20.120.22 and https://172.20.120.22. Internal users can access the web server using http://10.10.10.22 and https://10.10.10.22. Go to Policy > Monitor > Policy Monitor. Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server.
  • Page 73: Using Port Pairing To Simplify Transparent Mode

    Using port pairing to simplify transparent mode When you create a port pair, all traffic accepted by one of the paired ports can only exit out the other port. Restricting traffic in this way simplifies your FortiGate configuration because security policies between these interfaces are pre-configured.
  • Page 74 Switching the FortiGate unit to transparent mode and adding a static route Go to System > Dashboard > Status. In the System Information widget, select Change. Set Operation mode to Transparent. Log into the FortiGate unit using the management IP (in the example, 192.168.1.100).
  • Page 75 Creating firewall addresses Go to Firewall Objects > Address > Addresses. Create an address for the web server using the web server’s Subnet IP. Create a second address, with an IP range for internal users. Creating security policies Go to Policy > Policy > Policy. Create a security policy that allows internal users to access the web server using HTTP and HTTPS.
  • Page 76 Create a second security policy that allows connections from the web server to the internal users’ network and to the Internet using any service. Results Connect to the web server from the internal network and surf the Internet from the server itself.
  • Page 77 Select an entry for details. Go to Policy > Monitor > Policy Monitor to view the active sessions. Using port pairing to simplify transparent mode...
  • Page 78: Using Two Isps For Redundant Internet Connections

    Using two ISPs for redundant Internet connections This example describes how to improve the reliability of a network connection using two ISPs. The example includes the configuration of equal cost multi-path load balancing, which efficiently distributes sessions to both Internet connections without overloading either connection.
  • Page 79 Configuring connections to the two ISPs Go to System > Network > Interfaces and configure the wan1 and wan2 connections. Make sure that both use DHCP as the Addressing mode and have Retrieve default gateway from server and Override internal DNS enabled. Using two ISPs for redundant Internet connections...
  • Page 80 Adding security policies Go to Policy > Policy > Policy. Create a security policy for the primary interface connecting to the ISPs and the internal network. Create a security policy for each interface connecting to the ISPs and the internal network.
  • Page 81 Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down. Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover. The Spillover Threshold value is calculated in kbps (kilobits per second).
  • Page 82 Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically goes through the wan2 port until wan1 is available again. The FortiGate Cookbook 5.0.
  • Page 83: Adding A Backup Fortigate Unit To Improve Reliability

    Adding a backup FortiGate unit to improve reliability Adding a backup FortiGate unit to a currently installed FortiGate unit provides redundancy if the primary FortiGate unit fails. This system design is known as High Availability (HA) and is intended to improve network reliability. 1.
  • Page 84 Adding the backup FortiGate unit and configuring HA Connect the backup FortiGate unit as shown in the diagram. Go to System > Dashboard > Status. Change the host name of the primary FortiGate unit. Go to System > Config > HA. Configure the HA settings for the primary FortiGate unit.
  • Page 85 Go to System > Config > HA. Configure the HA settings for the backup FortiGate unit. Ensure that the Group Name and Password are the same as on the primary FortiGate unit. Go to System > Config > HA to view the cluster information.
  • Page 86 Go to System > Dashboard > Status to see the cluster information. Testing the failover functionality Unplug the Ethernet cable from the WAN1 interface of the primary FortiGate unit. Traffic will divert to the backup FortiGate unit. Use the ping command to view the results. Shut down the primary FortiGate unit, and you will see that traffic fails over to the backup FortiGate unit.
  • Page 87 Upgrading the firmware for the HA cluster When a new version of the FortiOS firmware becomes available, upgrade the firmware on the primary FortiGate unit and the backup FortiGate unit will upgrade automatically. Go to System > Dashboard > Status and view the System Information widget.
  • Page 89: Security Policies & Firewall Objects

    Security Policies & Firewall Objects Security policies and firewall objects are used to tell the FortiGate unit which traffic should be allowed and which should be blocked. No traffic can pass through a FortiGate unit unless specifically allowed to by a security policy.
  • Page 90: Ordering Security Policies To Allow Different Access Levels

    Ordering security policies to allow different access levels This example illustrates how to order multiple security policies in the policy table, in order for the appropriate policy to be applied to different network traffic. In the example, three policies will be used: one that allows a specific PC access to all services, one that allows only Internet access to other network devices, and the default deny policy.
  • Page 91 Configuring the Internet access only policy Go to Policy > Policy > Policy. The screen that appears is the policy list. In the example, Global View has been selected, with the Seq.#, From, To, Source, Destination, Action, Service, and Sessions columns visible. To change the visible columns, right-click on the menu bar and select only the columns you wish to see.
  • Page 92 IP address to the PC when it connects to the FortiGate. Go to Firewall Objects > Address > Addresses. Create a new address. Set Type to IP Subnet, Subnet/IP Range to the IP address that will be assigned to the PC, and Interface to LAN.
  • Page 93 the PC policy, not the Internet access only policy, select the Seq.# column and drag the policy to the top of the list. The device identity list will now appear at the top of the list. After the list is refreshed, this policy will be assigned Seq.# 1.
  • Page 94: Controlling When Byod Users Can Access The Internet

    Controlling when BYOD users can access the Internet This example uses a FortiOS device definition and security policy scheduling to limit use of Bring Your Own Device (BYOD) users during company time. In this example, a FortiWiFi unit is used. A similar method can be used to control BYOD access using a FortiAP and a FortiGate.
  • Page 95 Adding BYOD to the FortiWiFi unit Go to User & Device > Device > Device Definitions. Add a new device by assigning an Alias and setting the MAC Address and Device Type. The device will now appear on the definitions list.
  • Page 96 Adding a device identity security policy Go to Policy > Policy > Policy. Create a new policy, setting the Policy Subtype to Device Identity. Set the Incoming Interface to the wireless interface used for BYOD connections and set the Outgoing Interface as the Internet-facing interface.
  • Page 97: Using Port Forwarding On A Fortigate Unit

    Using port forwarding on a FortiGate unit This example illustrates how to use virtual IPs to configure port forwarding on a FortiGate unit, which redirects traffic from one port to another. In this example, incoming connections from the Internet are allowed access to a server on the internal network by opening TCP ports in the range 7882 to 7999 and UDP ports 2119 and 2995.
  • Page 98 Creating three virtual IPs Go to Firewall Objects > Virtual IPs > Virtual IPs. Enable Port Forwarding and add a virtual IP using TCP protocol with the range 7882-7999. Create a second virtual IP for the UDP port 2119. Create a third virtual IP for the UDP port 2995.
  • Page 99 Adding virtual IPs to a VIP group Go to Firewall Objects > Virtual IPs > VIP Groups. Create a VIP group that includes all three virtual IPs. Creating a security policy Go to Policy > Policy > Policy. Create a security policy allowing inbound connections to the server from the Internet.
  • Page 100 Results Go to Policy > Monitor > Policy Monitor to see the active sessions. Select the blue bar for more information on a session. Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity. The FortiGate Cookbook 5.0...
  • Page 101 Select an entry for more information about the session. Using port forwarding on a FortiGate unit...
  • Page 102: Using Airplay With Ios, Appletv, Fortiap, And A Fortigate Unit

    Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit This example sets up AirPlay services for use with an iOS device using Bonjour and multicast security policies. 1. Configuring the FortiAP and SSIDs 2. Adding addresses for the wireless network 3.
  • Page 103 Configuring the FortiAP and SSIDs Go to System > Network > Interfaces. Edit the internal interface to be used for the FortiAP and set Addressing Mode to Dedicate to FortiAP. Connect the FortiAP unit to the FortiGate unit. Go to WiFi Controller > Managed Access Points >...
  • Page 104 Go to WiFi Controller > WiFi Network > SSID. Create a WiFi SSID for the network for wireless users and enable DHCP Server. Adding addresses for the wireless network Go to Firewall Objects > Address > Addresses. Create an address for SSID 1. The FortiGate Cookbook 5.0.
  • Page 105 Create a second address for the internal network containing the OS X computers. Adding two service objects for AirPlay Go to Firewall Objects > Service > Services. Add service objects for each device connection. Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit...
  • Page 106 Adding multicast security policies Go to Policy > Policy > Multicast Policy. Create a policy to allow multicast traffic from the LAN and WLAN1 for AppleTV to iOS devices. Set Incoming Interface to LAN, Source Address to the Internal network, Outgoing Interface to the SSID, and Destination Address to Bonjour.
  • Page 107 Adding inter-subnet security policies Go to Policy > Policy > Policy. Create a policy allowing traffic from the Apple TV to the iOS device. Set Incoming Interface to LAN, Source Address to the Internal network, and Outgoing Interface to the SSID. Create a policy allowing traffic from the iOS device to the Apple TV.
  • Page 108 Select an entry for more information. Go to Log & Report > Traffic Log > Log Forward and filter policy IDs 6 and 7, which allow AirPlay traffic. The FortiGate Cookbook 5.0.
  • Page 109 Select an entry for more information. Apple TV can also be connected to the Internet wirelessly. AirPlay will function from any iOS device connected to the same SSID as Apple TV. No configuration is required on the FortiGate unit. Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit...
  • Page 110: Using Airprint With Ios And Os X And A Fortigate Unit

    Using AirPrint with iOS and OS X and a FortiGate unit This example sets up AirPrint services for use with an iOS device and OS X computers using Bonjour and multicast security policies. 1. Configuring the FortiAP and SSIDs 2. Adding addresses for the wireless networks and printer 3.
  • Page 111 Configuring the FortiAP and SSIDs Go to System > Network > Interfaces. Set an internal interface as dedicated to the FortiAP unit. Connect the FortiAP unit to the FortiGate unit. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.
  • Page 112 Go to WiFi Controller > WiFi Network > SSID. Create a WiFi SSID for the network for wireless users and enable DHCP Server. The FortiGate Cookbook 5.0.
  • Page 113 Create an SSID for the network for the AirPrint printer and enable DHCP Server. Adding addresses for the wireless networks and printer Go to Firewall Objects > Address > Addresses. Create addresses for the SSID1, SSID2, and AirPrint printer. Using AirPrint with iOS and OS X and a FortiGate unit...
  • Page 114 Create an address for the internal network containing the OS X computers. Adding service objects for printing Go to Firewall Objects > Service > Services. Create a new service for Internet Printing Protocol (IPP) for iOS devices. Create a new service for PDL Data Stream for OS X computers.
  • Page 115 Adding multicast security policies Go to Policy > Policy > Multicast Policy. Create two policies to allow multicast traffic from WLAN1 and WLAN2 for iOS devices. For the first policy, set Incoming Interface to WLAN1, Source Address to the SSID1 IP, Outgoing Interface to WLAN2, and Destination Address to Bonjour.
  • Page 116 For the second policy, set Incoming Interface to WLAN2, Source Address to the AirPrint, Outgoing Interface to LAN, and Destination Address to Bonjour. Adding inter-subnet security policies Go to Policy > Policy > Policy. Create a policy allowing printing from wireless devices.
  • Page 117 Results Print a document from an iOS device. Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit. Select an entry to see more information. Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service.
  • Page 118 Print a document from an OS X computer. Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit. Select an entry to see more information. Go to Log & Report > Traffic Log > Forward Traffic and filter the destination interface for WLAN2 traffic.
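The following is an added CLI equivalent of the AirPrint recipe above; it is not text or code from the cookbook. The interface names (wlan1 for the iOS SSID, wlan2 for the printer SSID, internal for the wired OS X network), the subnets, the printer IP and the object names are assumptions chosen for the example. Bonjour is a predefined FortiOS multicast address (224.0.0.251, mDNS on UDP 5353); IPP is TCP 631 and the PDL Data Stream (JetDirect) service is TCP 9100.

```text
# Added example (not from the cookbook): FortiOS 5.0 CLI for the AirPrint recipe.
# Assumed: SSID interfaces "wlan1" (iOS, 10.10.1.0/24) and "wlan2" (printer,
# 10.10.2.0/24), wired "internal" (192.168.1.0/24), printer at 10.10.2.10.

config firewall address
    edit "SSID1"
        set subnet 10.10.1.0 255.255.255.0
        set associated-interface "wlan1"
    next
    edit "AirPrint"
        set subnet 10.10.2.10 255.255.255.255
        set associated-interface "wlan2"
    next
    edit "internal_net"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "internal"
    next
end

# Service objects: IPP for iOS, PDL Data Stream for OS X.
config firewall service custom
    edit "IPP"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 631
    next
    edit "PDL-Data-Stream"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 9100
    next
end

# Multicast policies only carry the Bonjour discovery traffic between segments.
# "Bonjour" is a predefined multicast address object; srcaddr is a normal address.
config firewall multicast-policy
    edit 1
        set srcintf "wlan1"
        set dstintf "wlan2"
        set srcaddr "SSID1"
        set dstaddr "Bonjour"
        set action accept
    next
    edit 2
        set srcintf "wlan2"
        set dstintf "internal"
        set srcaddr "AirPrint"
        set dstaddr "Bonjour"
        set action accept
    next
end

# Unicast print jobs still need ordinary policies. Scope them to the printer
# address and the print service only, so the printer SSID reaches nothing else.
config firewall policy
    edit 10
        set srcintf "wlan1"
        set dstintf "wlan2"
        set srcaddr "SSID1"
        set dstaddr "AirPrint"
        set action accept
        set schedule "always"
        set service "IPP"
    next
    edit 11
        set srcintf "internal"
        set dstintf "wlan2"
        set srcaddr "internal_net"
        set dstaddr "AirPrint"
        set action accept
        set schedule "always"
        set service "PDL-Data-Stream"
    next
end
```

The multicast policies do not pass the print job itself; if discovery works but printing fails, the unicast policies (IDs 10 and 11 here) are what to check in the Forward Traffic log.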
  • Page 119: Security Features

    Security Features Security features, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering, and data leak prevention (DLP), apply core security functions to the traffic accepted by your FortiGate unit. Each security feature has a default profile. You can also create custom profiles to meet the needs of your network.
  • Page 120: Monitoring Your Network Using Client Reputation

    Monitoring your network using client reputation Client reputation allows you to monitor traffic as it flows through your FortiGate unit to identify users who may be engaging in risky or dangerous behavior. A variety of different areas can be monitored, depending on what concerns you have about activity on your network.
  • Page 121 Enabling logging to disk In order to see your Client Reputation Tracking results, logging to disk must be enabled. Go to Log & Report > Log Config > Log Settings. Under Logging and Archiving, enable Disk. Enabling client reputation Go to Security Profiles > Client Reputation >...
  • Page 122 Results Monitor traffic for a day. To see the results, go to Security Profiles > Client Reputation > Reputation Score. The chart lists users by IP address and scores the users according to the risk level of their behavior. Scores are listed from highest to lowest.
  • Page 123: Controlling Network Access Using Application Control

    Controlling network access using application control This example uses application control to monitor traffic and determine what applications are contributing to high bandwidth usage or distracting employees. After this is determined, a different application sensor is used to block those applications from having network access.
  • Page 124 Creating an application control sensor to monitor traffic Go to Security Profiles > Application Control > Application Sensors. Select the plus icon in the upper right corner of the window to create a new sensor list for monitoring application traffic. Select Create New to add a new application filter.
  • Page 125 Adding the monitoring sensor to a security policy Go to Policy > Policy > Policy. Edit the security policy that allows internal users to access the Internet. Under Security Profiles, enable Application Control and set it to use the new filter.
  • Page 126 Reviewing the application control monitor Go to Security Profiles > Monitor > Application Monitor to see the results found by the application sensor. Select a bar to see further details on the usage statistics. In the example, you can see an occurrence of an HTTP segmented download, which typically occurs during Peer-to-Peer (P2P) downloads.
  • Page 127 Select Create New to add a new application filter. In the Category list, select the application categories you wish to block. As well as blocking P2P, other types of applications can be selected that are known to distract employees. Ensure that you set the Action to Block. Adding the blocking sensor to a security policy Go to Policy >...
  • Page 128 Results Go to Log & Report > Traffic Log > Forward Traffic. You can see the sensor is working and blocking the traffic from the selected application types, including the P2P application Skype. Select an entry to view more information, including the application name and the device the traffic originated on.
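Here is an added CLI version of the two-sensor approach described above (monitor first, then block); it is not from the cookbook. The sensor names and policy ID are assumptions, and so is the category number: in FortiOS 5.0 application category 2 is P2P, but confirm the IDs on your own unit with `set category ?` inside an entry before relying on them.

```text
# Added example (not from the cookbook): FortiOS 5.0 application control.
# Assumed: category 2 = P2P (verify with "set category ?"), policy ID 1 is the
# existing internal -> Internet policy.

# Phase 1: monitor. "pass" plus logging records what is in use without blocking.
config application list
    edit "app-monitor"
        set comment "monitor only, no blocking"
        config entries
            edit 1
                set category 2
                set action pass
                set log enable
            next
        end
    next
end

# Phase 2: block. Add the categories found in Application Monitor; entries are
# matched top to bottom, so the block entries go first.
config application list
    edit "app-block"
        set comment "block P2P and distracting categories"
        config entries
            edit 1
                set category 2
                set action block
                set log enable
            next
        end
    next
end

# Swap the sensor on the Internet policy. Start with "app-monitor", review the
# Application Monitor, then switch to "app-block".
config firewall policy
    edit 1
        set utm-status enable
        set application-list "app-block"
        set profile-protocol-options "default"
    next
end
```

Keep the monitoring sensor defined even after you switch to blocking: re-attaching it for a day is the quickest way to see what users have moved to once their first choice of P2P application is blocked.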
  • Page 129: Protecting A Web Server From External Attacks

    Protecting a web server from external attacks This example uses the FortiOS intrusion protection system (IPS) to protect a web server by configuring an IPS sensor to protect against common attacks and adding it to the policy which allows external traffic to access the server. A denial of service (DoS) security policy is also added to further protect the server against that specific type of attack.
  • Page 130 Configuring an IPS sensor to protect against common attacks Go to Security Profiles > Intrusion Protection > IPS Sensors. Select the plus icon in the upper right corner of the window to create a new sensor. Create a new IPS filter. Set the Target to server and set the Action to Block All.
  • Page 131 Adding the IPS sensor to a security policy Go to Policy > Policy > Policy. Edit the security policy allowing traffic to the web server from the Internet. Enable IPS and set it to use the new sensor. Adding a DoS security policy Go to Policy >...
  • Page 132 Results WARNING: Launching a DoS attack is illegal unless you own, or are authorized to test, the server under attack. Before performing the test, make sure you have the correct server IP. Perform a DoS tcp_syn_flood attack against the web server IP address. IPS blocks the TCP SYN session when it reaches the tcp_syn_flood threshold, in this case 20.
  • Page 133: Blocking Outgoing Traffic Containing Sensitive Data

    Blocking outgoing traffic containing sensitive data Data leak prevention (DLP) analyzes outgoing traffic and blocks any sensitive information from leaving the network. In this example, DLP will be used to block files using the file’s name and type. 1. Creating a file filter 2.
  • Page 134 Creating a file filter Go to Security Profiles > Data Leak Prevention > File Filter. Select Create New to make a File Filter Table. Create a new filter in the table. Set the Filter Type to File Name Pattern and enter the pattern you wish to match.
  • Page 135 Creating a DLP sensor that uses the file filter Go to Security Profiles > Data Leak Prevention > Sensors. Select the plus icon in the upper right corner of the window to create a new sensor. Select Create New to make a new filter. Set the type to Files.
  • Page 136 Adding the DLP sensor to a security policy Go to Policy > Policy > Policy. Edit the security policy that controls the traffic you wish to block. Enable DLP Sensor and set it to use the new sensor. Results Attempt to upload a file that matches the file filter criteria using FTP.
  • Page 137 To find more information about the blocked traffic, go to Log & Report > Traffic Log > Forward Traffic. The selected log message shows the name of the file that was blocked (File_pattern_text.exe), the type of file filter that blocked it (file-type), and a variety of other information which may be useful.
  • Page 138: Blocking Large Files From Entering The Network

    Blocking large files from entering the network Some files are too large to be properly scanned by a FortiGate unit, which can put your network at risk. This example configures data leak prevention (DLP) to block files larger than 10 MB (10,000 kB) from entering the network. 1.
  • Page 139 Creating a DLP sensor to block large files Go to Security Profiles > Data Leak Prevention > Sensors. Select the plus icon in the upper right corner of the window to create a new sensor. Select Create New to make a new filter and set the filter type to Files.
  • Page 140 Adding the DLP sensor to a security policy Go to Policy > Policy > Policy. Edit the security policy controlling the traffic you wish to block. Under Security Profiles, enable DLP Sensor and set it to use the new sensor. Results Attempt to download a file larger than 10 MB.
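The two DLP recipes above (blocking by file name pattern, and blocking files over 10 MB) share the same sensor structure, so here is one added CLI example covering both; it is not from the cookbook. The table ID, sensor and filter names, the patterns and the policy ID are assumptions. FortiOS expresses the DLP size limit in kB, so 10 MB is entered as 10000.

```text
# Added example (not from the cookbook): one FortiOS 5.0 DLP sensor with a
# name-pattern filter and a size filter. Table ID 10, names and policy ID assumed.

config dlp filepattern
    edit 10
        set name "blocked-names"
        config entries
            edit "*.exe"
                set filter-type pattern
            next
            edit "*.scr"
                set filter-type pattern
            next
        end
    next
end

config dlp sensor
    edit "block-files"
        set comment "block named file types outbound and large files both ways"
        config filter
            edit 1
                set name "block-by-name"
                set type file
                set proto smtp pop3 imap http-post ftp
                set filter-by file-type
                set file-type 10
                set action block
            next
            edit 2
                set name "block-large"
                set type file
                set proto http-get http-post ftp smtp pop3 imap
                set filter-by file-size
                set file-size 10000
                set action block
            next
        end
    next
end

config firewall policy
    edit 1
        set utm-status enable
        set dlp-sensor "block-files"
        set profile-protocol-options "default"
    next
end
```

Two checks worth doing after this is in place. First, a name-pattern filter only sees the name the client sends, so renaming `payload.exe` to `payload.txt` defeats it; pair it with antivirus on the same policy rather than treating it as the control. Second, the size filter can only act on what the proxy buffers, so compare the 10000 kB value with the oversize limit in the policy's protocol options profile (`config firewall profile-protocol-options`, assumed here to be the default of 10 MB) and decide explicitly whether oversized files are passed or blocked there; otherwise a file just over the DLP limit may be handled by the oversize setting instead of the DLP sensor.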
  • Page 141: Blocking Access To Specific Websites

    Blocking access to specific websites This example sets up the FortiGate unit to block users from viewing a specific website using web filtering. 1. Creating a web filter profile 2. Adding the web filter profile to a security policy 3. Results Website Block FortiGate...
  • Page 142 Create a new profile and select Enable Web Site Filter and Create New. Set the URL to *fortinet.com, using * as a wildcard character in order to block all subdomains of the site. Set the Type to Wildcard and the Action to Block.
  • Page 143 Results In a web browser, visit www.fortinet.com and docs.fortinet.com. In both cases, the FortiGate unit displays a message, stating that the website is blocked. This example will only block HTTP web traffic. In order to block HTTPS traffic as well, see “Blocking HTTPS traffic with web...
  • Page 144: Extra Help: Web Filtering

    Extra help: Web filtering This section contains tips to help you with some common challenges of FortiGate web filtering. The Web Filter option does not appear in the GUI. Go to Config > System > Features and enable Web Filter. New Web Filter profiles cannot be created.
  • Page 145: Blocking Https Traffic With Web Filtering

    Blocking HTTPS traffic with web filtering Some websites are accessible using HTTPS protocol, such as Youtube. This example shows how to use web filtering to block HTTPS access. This example requires an active license for FortiGuard Web Filtering Services. 1. Verifying FortiGuard services are enabled 2.
  • Page 146 Verifying FortiGuard Services are enabled Go to System > Dashboard > Status. In the License Information widget, verify that you have an active subscription to FortiGuard Web Filtering. If you have a subscription, the service will have a green checkmark beside it.
  • Page 147 Creating a web filter profile Go to Security Profiles > Web Filter > Profiles. Select the plus icon in the upper right corner to create a new profile. Enable FortiGuard Categories and expand the category Bandwidth Consuming. Right-click on Streaming Media and Download, the category to which YouTube belongs, and select Block.
  • Page 148 Adding the profiles to a security policy Go to Policy > Policy > Policy. Edit the security policy controlling the traffic you wish to block. Under Security Profiles, enable Web Filter and SSL Inspection and set both to use the new profiles.
  • Page 149 Results Browse to https://www.youtube.com. A replacement message appears indicating that the website was blocked. Blocked traffic can be monitored by going to Security Profiles > Monitor > Web Monitor.
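The wildcard-URL recipe and the HTTPS-blocking recipe above use the same web filter profile structure, so this added example combines them; it is not from the cookbook. The URL table ID, profile name and policy ID are assumptions, as is the FortiGuard category number (24 is believed to be Streaming Media and Download; check with `set category ?`). FortiOS 5.0 names its SSL inspection object `deep-inspection-options`; later releases renamed it to `ssl-ssh-profile`, so verify the keyword on your version.

```text
# Added example (not from the cookbook): FortiOS 5.0 web filter profile that
# blocks *fortinet.com by wildcard and a FortiGuard category, with SSL inspection
# so HTTPS is covered. Category 24 and the object names are assumptions.

config webfilter urlfilter
    edit 1
        set name "blocked-urls"
        config entries
            edit 1
                set url "*fortinet.com"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "block-sites"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 24
                    set action block
                next
            end
        end
    next
end

# Without SSL inspection the FortiGate sees only the SNI/certificate of an HTTPS
# request, not the URL, so the wildcard entry would match HTTP only.
config firewall policy
    edit 1
        set utm-status enable
        set webfilter-profile "block-sites"
        set deep-inspection-options "deep-inspection"
        set profile-protocol-options "default"
    next
end
```

Enabling deep inspection means the FortiGate re-signs every inspected site with its own CA, so this step and the certificate-distribution recipe later in the cookbook belong together: deploy the Fortinet_CA_SSLProxy certificate to clients before turning inspection on, or users will be trained to click through certificate warnings.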
  • Page 150: Using Web Filter Overrides To Control Website Access

    Using web filter overrides to control website access This example shows two methods of using web filter overrides to control access to specific websites: one for the entire network and one for specific users. This example requires an active license for FortiGuard Web Filtering Services. Method 1 Method 2 1.
  • Page 151 Go to Security Profiles > Web Filter > Rating Overrides. Create a new override and enter the URL fortinet.com. Select Lookup Rating to see its current FortiGuard Rating. Set Category to Custom Categories (local categories) and create a new Sub-Category for blocked sites.
  • Page 152 Adding FortiGuard blocking to the default web filter profile Go to Security Profiles > Web Filter > Profiles. Create a new profile and enable FortiGuard Categories. Right-click on Local Categories and select Block. Adding the web filter profile to a security policy Go to Policy >...
  • Page 153 Results In a web browser, go to www.fortinet.com. The website will be blocked and a replacement message from FortiGuard Web Filtering will appear. Rating overrides can also be used to allow access to specific sites within a FortiGuard category, such as General Interest - Personal, while still blocking the rest of the sites listed in that category.
  • Page 154 Go to User & Device > User > User Definition. Using the User Creation Wizard, create two users (in the example, ckent and bwayne). Assign ckent to override_group but not bwayne.
  • Page 155 Because the default web filter does not block Local Categories, using it will allow ckent to access fortinet.com for the duration of the override period (by default, Duration is set to 15 minutes). Adding the web filter profile to a security policy Go to Policy >...
  • Page 156 Create an Authentication Rule that includes both override_group and bwayne and has Web Filter set to override_profile. Results In a web browser, go to www.fortinet.com. After the user authentication screen, the website is blocked and a replacement message from FortiGuard Web Filtering appears.
  • Page 157 However, user ckent is able to override the filter and can access the site for 15 minutes. You can monitor web filter overrides by going to Log & Report > Traffic Log > Forward Traffic. Select an entry for more information about a session, including the user and hostname.
  • Page 159: Wireless Networking

    Wireless Networking FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into your organization’s network architecture. Each WiFi network, or SSID, is represented by a virtual network interface to which you can apply firewall policies, security profiles, and other features in the same way you would for physical wired networks.
  • Page 160: Setting Up A Temporary Guest Wifi User

    Setting up a temporary guest WiFi user In this example, a temporary user account will be created and distributed to a guest user, allowing the guest to have wireless access to the Internet. 1. Connecting the FortiAP unit using the DMZ interface 2.
  • Page 161 Connecting the FortiAP unit using the DMZ interface Go to System > Network > Interfaces. Select the dmz interface. Set the dmz interface to be Dedicated to FortiAP. Connect the FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points >...
  • Page 162 Creating a WiFi guest user group Go to User & Device > User > User Groups. Create a new group, setting Type to Guest, User ID to Email, and Password to Auto- Generate. These guest user accounts are temporary and will expire four hours after the first login. Creating an SSID using a captive portal Go to WiFi Controller >...
  • Page 163 Creating a security policy to allow guest users Internet access Go to Firewall Objects > Address > Addresses. Create a firewall address for the guest WiFi users. Use the DHCP IP range for Subnet/IP Range and set the Interface to the wireless interface.
  • Page 164 Creating a guest user management account Optionally, you can create an administrator that is used only to create guest accounts. Access to this account can be given to a receptionist, to simplify the process of making new accounts. Go to System > Admin > Administrators. Create a new account.
  • Page 165 Results Log in to the FortiGate unit using the guest user management account. Go to User & Device > User > Guest Management and select Create New. Use a guest’s email account to create a new user ID. The FortiGate unit generates a user account and password.
  • Page 166 To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor. Go to Policy > Monitor > Policy Monitor and verify the active sessions. Select one of the bars to view more information about a session.
  • Page 167: Setting Up A Network Using A Fortigate Unit And A Fortiap Unit

    Setting up a network using a FortiGate unit and a FortiAP unit This example sets up a wired network and a wireless network that are in the same subnet. This will allow wireless and wired users to share network resources. 1.
  • Page 168 Configuring the internal wired network to use DHCP Edit the internal interface. Set Addressing mode to Manual and enable DHCP server. Take note of the IP range. Go to Firewall Objects > Address > Addresses. Set Type to IP Range and set Subnet/IP Range to use the IP range from the DHCP server.
  • Page 169 Go to Policy > Policy > Policy. Create a security policy allowing users on the wired network to access the Internet. Creating the internal wireless network Connect the FortiAP to the internal interface. Go to WiFi Controller > Managed Access Points >...
  • Page 170 Go to WiFi Controller > WiFi Network > SSID and create a new SSID. Ensure the Traffic Mode is set to Local bridge with FortiAP's Interface. Bridge mode is more efficient than Tunnel mode: client data is switched locally at the FortiAP, and the CAPWAP tunnel to the FortiGate carries only control traffic, including authentication.
  • Page 171 Go to WiFi Controller > Managed Access Points > Managed FortiAPs. Edit the FortiAP unit. Under Wireless Settings, set AP Profile to use the new profile. Results Users connected to the new SSID will be able to access the Internet. The wireless devices will be in the same subnet as the internal wired network.
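An added CLI version of the bridged SSID, AP profile and FortiAP binding described above; it is not from the cookbook. The SSID name, pre-shared key, profile name and the FortiAP serial number are assumptions. Because the SSID is bridged, it has no IP address or DHCP server of its own: wireless clients take addresses from the internal interface's DHCP server configured earlier in the recipe.

```text
# Added example (not from the cookbook): FortiOS 5.0 bridged SSID.
# Assumed: SSID "corp-wifi", a placeholder PSK, profile "bridge-profile",
# FortiAP serial "FP221C3X00000000".

config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp"
        set security wpa2-only-personal
        set passphrase "replace-with-a-long-random-psk"
        set local-bridging enable
    next
end

# AP profile: put the SSID on radio 1 and run the radio as an access point.
config wireless-controller wtp-profile
    edit "bridge-profile"
        config radio-1
            set mode ap
            set band 802.11n
            set vaps "corp-wifi"
        end
    next
end

# Authorize the discovered FortiAP and bind the profile to it.
config wireless-controller wtp
    edit "FP221C3X00000000"
        set admin enable
        set wtp-profile "bridge-profile"
    next
end
```

The efficiency of bridge mode has a security cost that the recipe does not spell out: bridged clients are on the wired subnet directly, so policies and security profiles written for the SSID interface do not see their traffic to wired hosts. Use bridge mode where wireless users are trusted to the same degree as wired ones, and tunnel mode (the default) where the SSID should be its own segment, as the guest WiFi recipe earlier does.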
  • Page 172: Providing Remote Users Access To The Corporate Network And Internet

    Providing remote users access to the corporate network and Internet In this example, a user in a remote location, such as a hotel or their home, will use a FortiAP unit to securely connect to the corporate network and browse the Internet from behind the corporate firewall.
  • Page 173 Connecting the FortiAP unit to the corporate FortiGate unit Insert the Ethernet cable provided into the FortiAP unit’s WAN port. Connect the Ethernet cable to an internal port on your FortiGate. You may use a different port but, for ease of use, an internal port is preferred.
  • Page 174 Creating an SSID and firewall addresses Go to WiFi Controller > WiFi Network > SSID. Select Create New. Enable the DHCP Server and make note of the IP range. Configure the WiFi Settings with a unique SSID name and Pre-shared Key. Go to Firewall Objects >...
  • Page 175 For the corporate network, set Type to Subnet and use the corporate network’s IP address. Set Interface to an internal interface. Creating security policies Go to Policy > Policy > Policy. Create a policy that allows remote wireless users to access the Internet. Set the Incoming Interface to the SSID and the Outgoing Interface as your Internet-facing interface.
  • Page 176 Create a second policy for remote wireless users to access the corporate network. Again, set the Incoming Interface to the SSID but now the Outgoing Interface is an internal interface. Configuring the FortiAP unit to connect to the corporate FortiGate unit Go to WiFi Controller >...
  • Page 177 In the System Information tab, enter the AC IP Address of the public-facing interface of the corporate FortiGate unit. The Internet-facing interface is the public-facing interface. To locate this IP address, go to System > Network > Interfaces. The FortiAP will search for this FortiGate interface when it tries to connect.
  • Page 178 Results Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit. Go to Log & Report > Traffic Log > Forward Traffic to see remote wireless users appear in the logs. Select an entry to view more information about remote traffic to the corporate network and to the Internet.
  • Page 179: Authentication

    Authentication Authentication, the act of confirming the identity of a person or device, is a key part of network security. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network.
  • Page 180: Providing Single Sign-On For A Windows Ad Network With A Fortigate

    Providing Single Sign-On for a Windows AD network with a FortiGate This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a FortiGate unit into the Windows AD domain. 1. Installing the FSSO Collector Agent 2. Configuring the Single Sign-on Agent 3.
  • Page 181 Installing the FSSO Collector Agent Run the setup for the Fortinet SSO Collector Agent. After logging in, configure the agent settings. Add the Collector Agent address information.
  • Page 182 Select the domains to monitor, and any users whose activity you do not wish to monitor. Set the working mode and complete the installation.
  • Page 183 Configuring the Single Sign-on Agent If required, select Require authenticated connection from FortiGate, and add a password. You will also enter this password when configuring the FSSO on the FortiGate unit. Configuring the FortiGate unit to connect to the FSSO agent On the FortiGate unit, go to User &...
  • Page 184 Adding a firewall address for the internal network Go to Firewall Objects > Address > Addresses. Adding a security policy that includes an authentication rule Go to Policy > Policy > Policy. Add an accept user identity security policy and add the new FSSO group.
  • Page 185 Results Go to Log & Report > Traffic Log > Forward Traffic. As users log into the Windows AD system, the FortiGate collects their connection information. Select an entry for more information.
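The FortiGate side of the FSSO recipe above, as an added CLI example that is not from the cookbook. The Collector Agent address, the shared password (the one set under "Require authenticated connection from FortiGate"), the group DN, the interface names and the policy ID are assumptions; the Windows group names offered for `set member` are those the agent reports once it has connected.

```text
# Added example (not from the cookbook): FortiOS 5.0 FSSO agent, group and
# identity-based policy. Assumed: collector at 192.168.1.10:8000, placeholder
# password, group DN from the lab domain, "internal" and "wan1" interfaces.

config user fsso
    edit "ad-collector"
        set server 192.168.1.10
        set port 8000
        set password "replace-with-the-agent-password"
    next
end

# FSSO groups contain Windows groups learned from the agent, not local users.
config user group
    edit "fsso-domain-users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"
    next
end

# FortiOS 5.0 identity-based policy: a host is matched only while the agent
# reports a logged-on member of the group at its IP. Unknown hosts on the same
# subnet fall through to later policies or the implicit deny.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set groups "fsso-domain-users"
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Set the agent password: without "Require authenticated connection from FortiGate", any host that can reach TCP 8000 on the collector can pull the logged-on user list. Also note what FSSO actually proves: that someone logged on to Windows from that IP address. A shared workstation, or a server with a service account session, keeps its IP authorized for the mapped user until the agent sees a logoff, so do not use FSSO alone to gate access to sensitive hosts.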
  • Page 186: Providing Single Sign-On In Advanced Mode For A Windows Ad Network

    Providing Single Sign-On in advanced mode for a Windows AD network Using Fortinet Single Sign-On, the FortiGate unit automatically authenticates any user that successfully logs into Windows. The Domain Controller agent Advanced mode has the advantage of supporting nested or inherited user groups. If Standard mode is used, the FortiGate unit can authenticates only users who are a direct member of a group.
  • Page 187 Configuring the DC agent for Advanced mode Log on to the Windows server where the DC agent is installed. Go to All Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent. Select Directory Access Information and set AD Access mode to Advanced.
  • Page 188 Creating an FSSO user group Select the Windows AD groups to include in the FortiGate FSSO user group. Creating an identity-based security policy Create an identity-based security policy that uses the FSSO user group that you created. Results The Windows AD user, having authenticated at logon, does not have to authenticate again to connect to the Internet.
  • Page 189: Providing Single Sign-On For Windows Ad With Ldap

    Providing Single Sign-On for Windows AD with LDAP A logged-on Windows user can be automatically authenticated on a FortiGate unit through Fortinet Single Sign-On. Some Windows AD systems use an external LDAP server. FSSO can also accommodate this configuration. 1. Configuring access to the LDAP server 2.
  • Page 190 Configuring access to the LDAP server Go to User & Device > Authentication > LDAP Servers and enter the information needed to connect the FortiGate unit to the external LDAP server. Configuring the DC agent as an FSSO agent Go to User & Device > Authentication > Single Sign-On to enter the information the FortiGate unit needs to access the DC agent.
  • Page 191 FSSO agent Log on to the Windows server where the DC agent is installed. Go to All Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent. Select Set Group Filters. Select Add. Enter...
  • Page 192 Creating a security policy to allow the FSSO user group access Create identity-based security policies that use the FSSO user group that you created. Results The Windows AD user, having authenticated at logon, does not have to authenticate again to connect to the Internet.
  • Page 193: Preventing Security Certificate Warnings When Using Ssl Inspection

    Preventing security certificate warnings when using SSL inspection This example illustrates how to prevent your users from getting a security certificate error, which happens because an SSL session is established with the SSL Proxy, not the destination website. Instead of having users select Continue when they receive an error, a bad habit to encourage, you will provide them with the FortiGate SSL CA certificate to install on their browsers.
  • Page 194 Enabling certificate configuration in the web- based manager Go to System > Config > Features and enable Certificates. Downloading the Fortinet_ CA_SSLProxy Go to System > Certificates > Local Certificates to download the Fortinet_CA_ SSLProxy certificate. Make the CA certificate file available to your users.
  • Page 195 For Firefox: Depending on platform, go to Tools > Options or Edit > Preferences and find the Advanced Encryption settings. View Certificates, specifically the Authorities certificate list.
  • Page 196 Import the Fortinet_CA_SSLProxy certificate file. Results Even if you bypass the error message by selecting “Continue to this website”, the browser may still show an error in the toolbar. After you install the FortiGate SSL CA certificate, there will be no certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection.
  • Page 197: Extra Help: Certificates

    Extra help: Certificates This section contains tips to help you with some common challenges of using certificates. Certificate options do not appear in the GUI. Go to System > Features > Config and select Show More. Enable the Certificates feature. A new certificate must be used.
  • Page 199: Ssl And Ipsec Vpn

    SSL and IPsec VPN Virtual private networks (VPNs) extend a private network across a public network, typically the Internet. Two types of VPN can be configured with a FortiGate unit: SSL VPN and IPsec VPN. SSL VPN configuration requires an SSL VPN web portal for users to log into, a user authentication configuration for SSL VPN users, and the creation of SSL VPN security policies that control the source and destination access of SSL VPN users.
  • Page 200: Using Ipsec Vpn To Provide Communication Between Offices

    Using IPsec VPN to provide communication between offices This example provides secure, transparent communication between two FortiGates located at different offices using route-based IPsec VPN. In this example, one office will be referred to as HQ and the other will be referred to as Branch. 1.
  • Page 201 Configuring the HQ's IPsec On the HQ FortiGate, go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1. Set IP Address to the IP of the Branch FortiGate, Local Interface to the Internet-facing interface, and enter a Pre-shared Key.
  • Page 202 Now select Create Phase 2, set it to use the new Phase 1, and expand the Advanced options. Specify Source address as the HQ subnet and Destination address as the Branch subnet. Adding firewall addresses for the local and remote LAN on HQ Go to Firewall Objects >...
  • Page 203 Create a remote LAN address. Set Type to Subnet, Subnet/IP Range to the Branch subnet, and Interface to the VPN Phase 1. Creating an HQ security policy and static route. Go to Policy > Policy > Policy. Create a policy for outbound traffic. Set Incoming Interface to an internal port, Source Address to the local address, Outgoing Interface to the VPN Phase 1,...
  • Page 204: Ipsec Vpn

    Go to Router > Static > Static Routes. Create a route for IPsec traffic, setting Device to the VPN Phase 1. If the Router menu is not visible, go to System > Config > Features to ensure that Advanced Routing is turned on. Configuring the Branch's IPsec VPN On the Branch FortiGate, go to VPN >...
  • Page 205 Now select Create Phase 2, set it to use the new Phase 1, and expand the Advanced options. Specify Source address as the Branch subnet and Destination address as the HQ subnet. Adding firewall addresses for the local and remote LAN on Branch Go to Firewall Objects >...
  • Page 206 Create a remote LAN address. Set Type to Subnet, Subnet/IP Range to the HQ subnet, and Interface to the VPN Phase 1. Creating a Branch security policy and static route. Go to Policy > Policy > Policy. Create a policy for outbound traffic. Set Incoming Interface to an internal port, Source Address to the local address, Outgoing Interface to the VPN Phase 1,...
  • Page 207 Go to Router > Static > Static Routes. Create a route for IPsec traffic, setting Device to the VPN Phase 1. Results Go to VPN > Monitor > IPSec Monitor to verify the status of the VPN tunnel. It should be up.
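The HQ side of the route-based VPN above, as an added CLI example (not the cookbook's own). The subnets, interface names, the Branch public IP, the pre-shared key placeholder and the policy IDs are assumptions. The Branch configuration is the mirror image: swap the two subnets and point `remote-gw` at HQ.

```text
# Added example (not from the cookbook): FortiOS 5.0 route-based IPsec, HQ side.
# Assumed: HQ LAN 192.168.1.0/24 behind "internal", HQ Internet interface "wan1",
# Branch LAN 192.168.2.0/24, Branch public IP 203.0.113.2.

config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set remote-gw 203.0.113.2
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14
        set psksecret "replace-with-a-long-random-pre-shared-key"
    next
end

config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Address objects bound to the interfaces they live behind; the remote LAN is
# bound to the tunnel interface so it cannot be used on the wrong policy.
config firewall address
    edit "hq-lan"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "internal"
    next
    edit "branch-lan"
        set subnet 192.168.2.0 255.255.255.0
        set associated-interface "to-branch"
    next
end

# One policy per direction, no NAT, so addresses stay routable across the tunnel.
config firewall policy
    edit 30
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "hq-lan"
        set dstaddr "branch-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 31
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "branch-lan"
        set dstaddr "hq-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route: Branch traffic goes into the tunnel interface, not to wan1.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-branch"
    next
end
```

Besides the IPsec Monitor, `diagnose vpn tunnel list` shows whether Phase 2 selectors negotiated as expected; a tunnel that is "up" with mismatched selectors on either end passes no traffic. The explicit proposal and DH group are deliberate: leaving them at defaults accepts whatever the peer offers from the default list, which on older releases includes DES and 3DES.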
  • Page 208: Providing Remote Users With Access Using Ssl Vpn

    Providing remote users with access using SSL VPN This example provides remote users with access to the corporate network using SSL VPN and connection to the Internet through the corporate FortiGate unit. During the connecting phase, the FortiGate unit will also verify that the remote user's antivirus software is installed and current.
  • Page 209 Creating an SSL VPN tunnel for remote users Go to VPN > SSL > Portal. Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes. Enable Split Tunneling is left disabled so that all Internet traffic will go through the FortiGate unit and be subject to the corporate security profiles.
  • Page 210 Creating a user and a user group Go to User & Device > User > User Definition. Add a remote user with the User Creation Wizard (in the example, ‘twhite’). Go to User & Device > User > User Groups. Add the user to a user group for SSL VPN connections.
  • Page 211 Adding an address for the local network Go to Firewall Objects > Address > Addresses. Add the address for the local network. Set Type to Subnet, Subnet/ IP Range to the local subnet, and Interface to an internal port. Adding security policies for access to the Internet and internal network Go to Policy >...
  • Page 212 Add a second security policy allowing access to the Internet. For this policy, Incoming Interface is the SSL VPN tunnel interface and Outgoing Interface is your Internet-facing interface. Setting the FortiGate unit to verify users have current antivirus software Go to System > Dashboard > Status. In the CLI Console widget, enter the commands (shown in the original recipe) to enable the host check for compliant antivirus software on the...
  • Page 213 The FortiGate unit performs the host check. After the check is complete, the portal appears. Select the bookmark Remote Desktop link to begin an RDP session. Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.
  • Page 214 Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry. In the Tunnel Mode widget, select Connect to enable the tunnel. Select the bookmark Remote Desktop link to begin an RDP session. Go to VPN >...
  • Page 215 Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry. Go to Log & Report > Traffic Log > Forward Traffic. Internet access occurs simultaneously through the FortiGate unit. Select an entry to view more information.
  • Page 216: Providing Secure Remote Access To A Network For An Ios Device

    Providing secure remote access to a network for an iOS device This recipe uses the VPN Wizard to provide a group of remote iOS users with secure, encrypted access to the corporate network. The example enables group members to access the internal network and forces them through the FortiGate unit when accessing the Internet.
  • Page 217 Creating a user group for iOS users Go to User & Device > User > User Definition. Create a new user. Go to User & Device > User > User Groups. Create a user group for iOS users and add the user you created.
  • Page 218 Go to Firewall Objects > Address > Addresses. Add the address for the remote user, including the IP range. Configuring the IPsec VPN phases using the VPN Wizard Go to VPN > IPSec > Auto Key (IKE). Select Create VPN Wizard. Name the VPN connection and select Dial Up - iPhone / iPad Native IPsec Client.
  • Page 219 Creating security policies for access to the internal network and the Internet Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the internal network. Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit.
  • Page 220 Configuring VPN on the iOS device On the iPad, go to Settings > General > VPN and select Add VPN Configuration. Enter the VPN address, user account, and password in their relevant fields. Enter the pre-shared key in the Secret field. Results On the FortiGate unit, go to VPN >...
  • Page 221 Select an entry to view more information. Remote iOS users can also access the Internet securely via the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Select an entry to view more information. Providing secure remote access to a network for an iOS device...
  • Page 222 View the status of the tunnel on the iOS device. On the iPad, go to Settings > General > VPN and view the Status of the connection. Using a Ping tool, send a ping packet directly to an IP address on the LAN behind the FortiGate unit to verify the connection through the VPN tunnel.
  • Page 223: Using Redundant Ospf Routing Over Ipsec Vpn

    Using redundant OSPF routing over IPsec VPN This example sets up redundant secure communication between two remote networks using an Open Shortest Path First (OSPF) VPN connection. In this example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be called FortiGate 2.
  • Page 224 Creating redundant IPsec tunnels on FortiGate 1 Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the primary tunnel. Set IP Address to FortiGate 2’s wan1 IP, Local Interface to wan1 (the primary Internet-facing interface) and enter a Pre-shared Key.
  • Page 225 Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the secondary tunnel. Set IP Address to use FortiGate 2’s wan2 IP, Local Interface to wan2 (the secondary Internet-facing interface) and enter the Pre-shared Key. Go to VPN >...
  • Page 226 Configuring IP addresses and OSPF on FortiGate 1 Go to System > Network > Interfaces. Select the arrow for wan1 to expand the list. Edit the primary tunnel interface and create IP addresses. Select the arrow for wan2 to expand the list.
  • Page 227 Select Create New in the Interfaces section. Create primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface. Configuring firewall addresses on FortiGate 1 Go to Firewall Objects > Address > Addresses.
  • Page 228 Edit the primary and secondary interfaces of FortiGate 2. Configuring security policies on FortiGate 1 Go to Policy > Policy > Policy. Create the four security policies required for both FortiGate 1’s primary and secondary interfaces to connect to FortiGate 2’s primary and secondary interfaces.
  • Page 229 Using redundant OSPF routing over IPsec VPN...
  • Page 230 Creating redundant IPsec tunnels on FortiGate 2 Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the primary tunnel. Set IP Address to FortiGate 1’s wan1 IP, Local Interface to wan1 (the primary Internet-facing interface) and enter a Pre-shared Key.
  • Page 231 Select Create Phase 1 and create the secondary tunnel. Set IP Address to use FortiGate 2’s IP, Local Interface to wan2 (the secondary Internet-facing interface) and enter the Pre-shared Key. Select Create Phase 2. Set it to use the new Phase 1. Using redundant OSPF routing over IPsec VPN...
  • Page 232 Configuring IP addresses and OSPF on FortiGate 2 Go to System > Network > Interfaces. Select the arrow for wan1 to expand the list. Edit the primary tunnel interface and create IP addresses. Select the arrow for wan2 to expand the list.
  • Page 233 Select Create New in the Interfaces section. Create primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface. Configuring firewall addresses on FortiGate 2 Go to Firewall Objects > Address > Addresses.
  • Page 234 Edit the primary and secondary interfaces of FortiGate 1. Configuring security policies on FortiGate 2 Go to Policy > Policy > Policy. Create the four security policies required for both FortiGate 2’s primary and secondary interfaces to connect to FortiGate 1’s primary and secondary interfaces.
  • Page 235 Using redundant OSPF routing over IPsec VPN...
  • Page 236 Results Go to VPN > Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2. Go to Router > Monitor > Routing Monitor to verify the routing table on FortiGate 1 and FortiGate 2.
  • Page 237 ...confirm that the secondary tunnel will be used automatically to maintain a secure connection. Verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP. Go to VPN >...
  • Page 239 About Fortinet High Performance Network Security | Q3 / 2013...
  • Page 240 Unified Threat Management (UTM) and Next-Generation Firewall (NGFW). Fortinet is a worldwide leading provider of UTM appliances according to IDC and Gartner, with a 17.3% and 19.6% share of the UTM security appliance market respectively.
  • Page 241 Pioneering Security Timely product introductions meet or exceed market demands as information security threats escalate. [Figures: Threat Landscape Evolution; Network Security Market Evolution] **IDC: Worldwide Network Security 2013-2017 Forecast and 2012 Vendor Shares, June 2013. ATP is Fortinet estimate.
  • Page 242 [Figures: Market Size (Other, $8.0B); Revenue by Region (EMEA, APAC, Americas); FortiGate Segmentation (Entry-Level Appliances, Mid-Level Appliances, Enterprise Level Appliances)] Fortinet® FortiGate®-5140B enterprise consolidated security appliance has achieved a BreakingPoint Resiliency Score™ of 95/100 - the highest published score on record.
  • Page 243 Typical Ad hoc Model: Numerous stand-alone security products from different vendors are costly to deploy, complex to manage, and degrade network performance. The Fortinet UTM Model: Fortinet’s fully integrated security technologies offer increased protection, improved performance, reduced costs, and greater reliability.
  • Page 244 The Fortinet Advantage Consolidated security technologies, hardware-accelerated performance, and global threat research and support are the market-leading technologies that enable you to improve your security posture while reducing your costs and simplifying your security infrastructure.
  • Page 245 Our FortiGuard Labs’ global research team continuously monitors the evolving threat landscape. More than ... organization provides global technical support for all Fortinet products, with support staff in the Americas, ... FortiOS 5 is the foundation for all Fortinet FortiGate integrated security platforms.
  • Page 246 A Leader in UTM for a 5th Consecutive Year For the 5th consecutive year, Fortinet is a leader in ... Quadrant. ...quadrant contains vendors at the forefront of making and selling UTM products that are built for midsize business requirements. Vendors in this quadrant...
  • Page 247 [Figure: $100 Price per Protected-Mbps and TCO, NGFW] Fortinet’s FortiGate family of consolidated network security appliances delivered proven enterprise-class performance and protection in three NSS Labs’ independent tests for Next-Generation Firewall, Network IPS, and Enterprise Firewall. NSS Labs tested three FortiGate appliances in real-world...
  • Page 248 [Table of third-party test results: NSS Labs IPS; ICSA NGFW Evaluation; BreakingPoint Resiliency Score] The Fortinet FortiGate line combines the FortiOS™ security operating system...
  • Page 249 IEEE 802.11n provides concurrent WiFi client access on both the 2.4GHz and 5GHz spectrums. Fortinet offers you more models, and security and threat protection that make them the ideal solution for your most demanding...
  • Page 250 End-to-End IT Security Solutions The FortiGate family of physical and virtual appliances offers a wide range of deployment options to meet your unique network requirements. Fortinet solutions enable your IT team to manage, control, and protect your network simply and powerfully.
  • Page 251 ...second. Manages up to 200 concurrent phone calls per location. FortiClient: Extends Fortinet’s security expertise to endpoint devices. FortiMail: Secure messaging that provides antispam and AV filtering of up to 2.0 million ... FortiWeb: Application firewall that inspects up to 70,000 HTTP transactions/second.
  • Page 252 ...organization provides global technical support for all Fortinet products, with support staff in the Americas, Europe, ... Tel: +52-(55) 5524-8428. Fortinet International Inc., Unit 505, Stanhope House, 734 King’s Road, Quarry Bay. SWEDEN: Frösundaviks allé 15, 4 tr. EMEA SALES OFFICE...
  • Page 253 Product Guide...
  • Page 254 FortiGate/FortiWiFi 30D Small Wonders Compact desktop security appliances, ideal for kiosks, retail outlets and telecommuters. FortiWiFi 30D “Since deploying the FortiWiFi Appliances, we have enabled our ... environment.” - Ashland. High-quality enterprise class hardware appliance that is small in size yet big on features. • Small Footprint...
  • Page 255 FortiGate/FortiWiFi 60-90 Series Broadband Internet Fortresses High performance desktop security appliances, ideal for distributed enterprises. FortiGate 60D “With the FortiGate solutions, we can now protect our valuable customer information by blocking network attacks such as worms and spyware. The FortiGate appliances are very convenient and easy to use and with the ...”
  • Page 256 FortiGate 100-200 Series Network Access Controllers Gateways with high port density, ideal for ... environment. FortiGate 100D “Managing multiple restaurant locations nationwide, it was very important for us to select a network security solution that was cost-... enterprise-level network security to our restaurants.” - Paradigm. Device-based policies let you enforce security in a BYOD •...
  • Page 257 FortiGate 300-600 Series Trusted Internet Sentries Mid range UTM appliance, ideal for organizations that wish to tighten Internet usage and enhance protection. FortiGate 300C “...management scheme and very low maintenance. The performance of ...” - Amadeus Hospitality. Powerful UTM appliances that protect against external •...
  • Page 258 High performance security appliance, ideal for protecting server farms or mid enterprises. FortiGate 800C “The biggest advantage of Fortinet is that the company manages to combine so many functions in one appliance and still keeps prices reasonable. We are also impressed by the help we received from ...”
  • Page 259 Data Center Titans ... enterprises. FortiGate 3950B “Since deploying the Fortinet solution at our nationwide data centers, ... for us to easily scale and meet the rapidly growing needs of our business - all while saving costs and improving customer satisfaction.”
  • Page 260 FortiGate VM Series Cloud Defenders FortiGate Virtual Appliance provides critical security controls within your virtual infrastructure. Provides visibility and control over communications within the virtualized infrastructure. Features are identical to ... both physical & virtual appliance from the same centralized ... • Support Popular VM platforms •...
  • Page 261 FortiClient For Windows, OS X, iOS & Android. Bodyguards. Comprehensive host security applications that ... Multifunction host security solution that eliminates the need to run multiple security applications on your terminal. Tight integration with FortiGate to install, manage and enforce ... which reuses FortiGate settings.
  • Page 262 FortiAnalyzer Series Devoted Oracles Solution for logging, analyzing, and reporting from multiple Fortinet devices. Allows IT administrators to quickly identify and react to network security threats across the network. Over 550 reports and customizable charts help monitor and maintain acceptable use policies, identify attack patterns, and demonstrate policy compliance.
  • Page 263 FortiSwitch Series (FortiSwitch 348B, FortiSwitch 248B) Smart Edges Purpose-built Layer 2 access switches; easy connectivity for IP phones, access points and more. Achieves higher productivity with faster transfer times over high speed interfaces. FortiToken Physical & Soft Tokens Access-ories ... authentication.
  • Page 264 Other Products Application Security: FortiMail (Messaging Security Gateway), FortiDB (Database Security Solution), FortiScan (Vulnerability Management), FortiRecorder (Premise Surveillance), FortiWeb (Web Application Firewall), FortiDDoS (Application D/DOS Mitigator), FortiAuthenticator (Access Management). Network Services: FortiBalancer (Application Delivery), FortiCache (Content Caching), FortiDNS (Secured DNS Server), FortiVoice (VoIP & IP Telephony)...
  • Page 266 Rack mount instructions: Elevated Operating Ambient (elevated ambient temperature) - Reduced Air Flow (reduced ventilation) - Mechanical Loading (connection) - Circuit Overloading (overvoltage) - Reliable Earthing (grounding) - Grounding: Caution: IMPORTANT: Warning...
  • Page 267 Warning: For products with double pole/neutral fusing: Caution: For products with slotted head “thumbscrews” located behind hazardous circuits and/or parts (e.g. thumbscrews on removable fan modules): For products with supplementary earthing terminals: For products with moving fan blades: WARNING: WARNING: This device...
  • Page 268 Trademarks and Copyright Statement Product License Agreement 1. License Grant. 2. Limitation on Use. 3. Proprietary Rights. 4. Term and Termination. 5. Transfer. 6. Limited Warranty. 7. Disclaimer of Other Warranties and Restrictions.
  • Page 269 8. Governing Law. 9. Limitation of Liability. 10. Import / Export Requirements; FCPA Compliance. 11. U.S. Government End Users. 12. Tax Liability. 13. General Provisions. 14. Privacy. 15. Open Source Software.
  • Page 272 The FortiGate Cookbook contains a variety of step-by-step examples of how to integrate a FortiGate unit into your network and apply features such as security profiles, wireless networking, and VPN. Using the FortiGate Cookbook, you can go from idea to execution in simple steps, configuring a secure network for better productivity with reduced risk.