Fortinet FortiGate Series Administration Manual


FortiGate
Version 4.0 MR1
Administration Guide

Preliminary version: This version of the FortiGate Administration Guide includes fixes to a number of bugs reported about the 24 August 2009 version of this guide. We expect to correct more errors and omissions and release multiple versions between now and October 2009. See the most recent FortiOS 4.0 MR1 release notes for up-to-date information about new 4.0 MR1 features. Contact techdoc@fortinet.com if you have any questions or comments about this preliminary version of the FortiOS 4.0 MR1 FortiGate Administration Guide.

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.


Summary of Contents for Fortinet FortiGate Series

  • Page 1 October 2009. See the most recent FortiOS 4.0 MR1 release notes for up-to-date information about new 4.0 MR1 features. Contact techdoc@fortinet.com if you have any questions or comments about this preliminary version of the FortiOS 4.0 MR1 FortiGate Administration Guide.
  • Page 2 FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
  • Page 3: Table Of Contents

    Registering your Fortinet product (26); Customer service and technical support (26); Training (27); Documentation (27); Fortinet Tools and Documentation CD (27); Fortinet Knowledge Base (27); Comments on Fortinet technical documentation (27); Scope (27); Conventions (28); IP addresses ...
  • Page 4 Accounting and quota enforcement (78); Logging enhancements (79); Support for per-VDOM FortiAnalyzer units or syslog devices (79); SQL log format for Executive Summary reports (81); Antivirus changes (82). FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 5 Adding filters to web-based manager lists (99); Using page controls on web-based manager lists (102); Using column settings to control the columns displayed (103); Using filters with column settings (104); Web-based manager icons (105).
  • Page 6 Backing up your configuration (148); Backing up your configuration through the web-based manager (148); Backing up your configuration through the CLI (148); Backing up your configuration to a USB key (149).
  • Page 7 Assigning an administrator to a VDOM (171); Changing the management VDOM (172); Configuring VDOM resource limits (172); Setting VDOM global resource limits (173); Configuring resource usage for individual VDOMs (174).
  • Page 8 System Wireless (215); FortiWiFi wireless interfaces (215); Channel assignments (216); IEEE 802.11a channel numbers (216); IEEE 802.11b channel numbers (216); IEEE 802.11g channel numbers (217).
  • Page 9 Disconnecting a cluster unit from a cluster (240); SNMP (241); Configuring SNMP (242); Configuring an SNMP community (242); Fortinet MIBs (244); Fortinet and FortiGate traps (245); Fortinet and FortiGate MIB fields (248).
  • Page 10 Viewing the admin profiles list (283); Configuring an admin profile (284); Central Management (285); Settings (286); Monitoring administrators (289); FortiGate IPv6 support (289); Customizable web-based manager (290).
  • Page 11 Updating antivirus and attack definitions (328); Enabling push updates (330); Enabling push updates when a FortiGate unit IP address changes (330); Enabling push updates through a NAT device (331); Adding VDOM Licenses (333).
  • Page 12 Viewing and editing multicast settings (373); Overriding the multicast settings on an interface (374); Multicast destination NAT (374); Bi-directional Forwarding Detection (BFD) (375); Configuring BFD (375).
  • Page 13 Scenario two: enterprise-sized business (417); Firewall Address (421); About firewall addresses (421); Viewing the firewall address list (422); Configuring addresses (423); Viewing the address group list (424).
  • Page 14 Adding dynamic virtual IPs (460); Adding a virtual IP with port translation only (461); Virtual IP Groups (462); Viewing the VIP group list (462); Configuring VIP groups (462).
  • Page 15 Logging options (503); SIP support (505); VoIP and SIP (505); The FortiGate unit and VoIP security (507); SIP NAT (507); How SIP support works (509).
  • Page 16 Viewing the custom signature list (535); Creating custom signatures (535); Protocol decoders (536); Viewing the protocol decoder list (536); Upgrading the IPS protocol decoder list (537).
  • Page 17 FortiGuard Web Filtering reports (565); Email filtering (567); FortiGuard Email Filtering (also called the FortiGuard Antispam Service) (567); Order of email filtering (567); Email filter controls (568).
  • Page 18 What is application control? (603); FortiGuard application control database (603); Viewing the application control black/white lists (604); Creating a new application control black/white list (605); Configuring an application control black/white list (605).
  • Page 19 Tunnel Mode widget (645); Virtual Desktop Application Control (647); Host Check list (648); SSL VPN monitor list (649); User (651); Getting started - User authentication (651).
  • Page 20 Configuring a WAN optimization rule (685); About WAN optimization addresses (687); Configuring WAN optimization peers (688); Configuring authentication groups (689); WAN optimization monitoring (690); Changing web cache settings (692).
  • Page 21 Accessing logs stored on the FortiAnalyzer unit (722); Accessing logs stored on the FortiGuard Analysis and Management Service (723); Customizing the display of log messages (723); Column settings (724); Filtering log messages (725).
  • Page 22 Printing your FortiAnalyzer report (731); Viewing basic traffic reports (731); Log severity levels (733); Log types (734); Traffic log (734); Example configuration: logging all FortiGate traffic (735); Index (737).
  • Page 23: Introduction

    • Conventions. Fortinet products: Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion.
  • Page 24: About This Document

    The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help.
  • Page 25 AntiVirus explains how to enable antivirus options when you create a firewall protection profile. • Intrusion Protection explains how to configure IPS options when a firewall protection profile is created.
  • Page 26: Registering Your Fortinet Product

    Registering your Fortinet product Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.
  • Page 27: Training

    Fortinet Tools and Documentation CD Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.
  • Page 28: Conventions

    Fortinet technical documentation uses the conventions described below. IP addresses: To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number=1918.
  • Page 29: Typographical Conventions

    Fortinet documentation uses the following typographical conventions (Table 1: Typographical conventions in Fortinet technical documentation). Convention / Example: Button, menu, text box, field, or check box label / From Minimum log level, select Notification. CLI input* / config system dns, set primary <address_ipv4> ...
  • Page 30 • <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/. • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99. • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
  • Page 31 If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
  • Page 33: What's New In FortiOS Version 4.0 MR1

    • Auto-configuration of IPsec VPNs • Integral basic DNS server • Per-VDOM DNS configuration • Password policy • Use LDAP groups in firewall and SSL-VPN authentication • Traffic shaping enhancements
  • Page 34: New SIP ALG Configuration Options

    RFC 2543-compliant SIP calls involving branch commands that are missing or that are valid for RFC 2543 but invalid for RFC 3261. For more information, see “Support for RFC 2543-compliant branch commands” on page 516.
  • Page 35: Easy FortiCare And FortiGuard Services Registration And Renewal

    In the web-based manager, each VDOM has a replacement messages configuration page at System > Config > Replacement Messages, as exists at the global level. Modify the messages as needed. For more information, see “Replacement messages” on page 250.
  • Page 36: Content Archiving Is Now DLP Archive

    The Topology page is no longer part of the default web-based manager configuration. To access this feature, create a custom menu layout in your administrative profile and add the Topology page. It is in the Additional content category.
  • Page 37: Usage Page Shows Application, Policy, And DLP Archive Usage

    Using the FortiOS 4.0 customizable GUI feature you can add a WCCP widget to the web-based manager and use this widget to add WCCP entries to the FortiGate configuration. For more information, see “Configuring WCCP” on page 212.
  • Page 38: SSL VPN Enhancements

    Enter another Field Name / Value pair, for the password, for example. A new set of Field Name / Value fields is added. Fill them in. 5 Select OK. 6 Select Done.
  • Page 39: IP Address Ranges Are Now Defined As Firewall Addresses

    IP addresses reserved for remote clients:
      config vpn ssl settings
        set tunnel-ip-pools ip_pool1 ip_pool2
    You define ip_pool1 and ip_pool2 using the config firewall address command. Only range and subnet address types are allowed.
  • Page 40: OS Check Changes

    7 Select OK. To configure host check - CLI:
      config vpn ssl web portal
        edit <portal_name>
          host-check {none | av | fw | av-fw | custom}
          host-check-interval <seconds>
  • Page 41: Virtual Desktop Enhancements

    Allow removable media: Enable to allow the user to copy files between the virtual desktop and removable media such as USB drives. Allow network share access: Enable to allow the user to copy files between the virtual desktop and network drives.
  • Page 42: Virtual Desktop Application Control

    9 Select OK. To create an application control list - CLI:
      config vpn ssl web virtual-desktop-app-list
        edit <applist_name>
          action {allow | block}
  • Page 43: Two-Factor Authentication

    To require two-factor authentication in an SSL VPN:
      conf vpn ssl settings
        set force-two-factor-auth enable
    If this option is enabled, only users with two-factor authentication can log in to the SSL VPN.
  • Page 44: Force UTF-8 Login

    FortiGate unit uses SCEP to request and download a new certificate. This applies to both Local and CA certificates. You can also configure periodic updating of a Certificate Revocation List (CRL).
  • Page 45 auto-update-days-warning <days_int>: Enter how many days before CA certificate expiry the FortiGate generates a warning message. Enter 0 for no warning. To configure CRL auto-update:
      config vpn certificate crl
        edit <crl_name>
          scep-url <URL_str>
          update-interval <seconds>
  • Page 46 scep-url <URL_str>: Enter the URL of the SCEP server. No default. update-interval <seconds>: Enter how frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires.
  • Page 47: Dynamic Routing For IPv6 Traffic

    {enable | disable}
    route-map-in6 <routemap-name_str>
    route-map-out6 <routemap-name_str>
    route-reflector-client6 {enable | disable}
    route-server-client6 {enable | disable}
    send-community6 {both | disable | extended | standard}
    soft-reconfiguration6 {enable | disable}
    unsuppress-map6 <route-map-name_str>
  • Page 48 IPv6 BGP neighbors. originate6 {enable | disable}. capability-graceful-restart6 {enable | disable}: Enable or disable the advertising of graceful-restart capability to IPv6 BGP neighbors. Default: disable.
  • Page 49 next-hop-self6 {enable | disable}: Enable or disable advertising of the FortiGate unit’s IP address (instead of the neighbor’s IP address) in the NEXT_HOP information that is sent to IBGP peers. Default: disable.
  • Page 50 <route-map-name_str>: create the route-map before it can be selected here. config network6 variables: edit <network_id>: Enter an ID number for the entry. The number must be an integer. No default.
  • Page 51: Router Access-List6

    prefix6 {<prefix_ipv6mask> | any}: Enter the prefix for this access list rule, either: • Type the IP address and netmask. • Type any to match any prefix.
  • Page 52: Router OSPF6

    <mbps_integer>: Values can range from 1 to 65535. default-metric <metric_integer>: Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
  • Page 53 <cost_integer> (NSSA). A lower default cost indicates a more preferred route. The valid range for cost_integer is 1 to 16777214.
  • Page 54 Increase the value for transmit-delay on low speed links. The valid range for seconds_integer is 1 to 65535.
  • Page 55 OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface. Increase the value for transmit-delay on low speed links. The valid range for seconds_integer is 1 to 65535.
  • Page 56: Router Prefix-List6

    <string>
    config rule
      edit <prefix_rule_id>
        action {deny | permit}
        ge <length_integer>
        le <length_integer>
        prefix6 {<address_ipv6mask> | any}
    Note: The action and prefix keywords are required. All other keywords are optional.
  • Page 57 {<address_ipv6mask> | any} prefix. The length of the netmask should be less than the setting for ge. If prefix is set to any, ge and le should not be set.
  • Page 58: Router RIPng

    <name_str>
    offset <metric_integer>
    status {enable | disable}
    config redistribute {connected | static | ospf | bgp}
      metric <metric_integer>
      routemap <name_str>
      status {enable | disable}
    Note: All keywords are optional.
  • Page 59 RIP timer settings. The update timer interval cannot be larger than the timeout or garbage timer intervals. Range 5 to 2 147 483 647 seconds.
  • Page 60 Any unreachable routes are automatically removed from the routing table. This is also called split horizon with poison reverse. Note: All keywords are optional.
  • Page 61 {in | out}: incoming routes. Enter out to apply the offset to the metrics of outgoing routes. interface <name_str>: Enter the name of the interface to match for this offset list. Default: Null.
  • Page 62: get router info6 {bgp | ospf | protocols | rip}

    The get router info6 protocols command returns information about all of the protocols. Syntax:
      get router info6 bgp
      get router info6 ospf
      get router info6 protocols
      get router info6 rip
  • Page 63: IPv6 DNS

    You can configure remote administration over an IPv6 network. This is possible because of changes to network interface and administrator configurations. To see IPv6 options in the web-based manager, you must enable IPv6 Support on GUI in System > Admin > Settings.
  • Page 64: Network Interface Changes For IPv6

    Valid types are: http https ping snmp ssh telnet. Separate each type with a space. To add or remove an option from the list, retype the complete list as required.
  • Page 65: Administrator Settings

    ip6-trusthost1 <ip6addr>, ip6-trusthost2 <ip6addr>, ip6-trusthost3 <ip6addr>: Enter up to three trusted IPv6 addresses from which administrative access is permitted. No default. Example:
      config system admin
        edit "admin"
          set ip6-trusthost1 2002::2/64
          set ip6-trusthost2 ::/0
          set ip6-trusthost3 ::/0
  • Page 66: UTM Features Support IPv6 Traffic

    In FortiOS Version 4.0 MR1, VDOM administrators see their own VDOM-specific dashboard when they log in or go to System > Status. The super_admin can view only the global dashboard. Figure 5: VDOM dashboard
  • Page 67: IPsec Protocol Improvements

    In the CLI, the dhgrp keyword now accepts the value 14 when you edit a VPN configuration in any of the following commands: config vpn ipsec phase1, config vpn ipsec phase1-interface
  • Page 68: Support For SHA256

    <tunnel_name>
        set authentication <authentication_algorithm>
    You can set <authentication_algorithm> to sha256.
    • config vpn ipsec manualkey-interface
        edit <tunnel_name>
          set auth-alg <authentication_algorithm>
    You can set <authentication_algorithm> to sha256.
  • Page 69: Auto-Configuration Of IPsec VPNs

    <string>
    domain <string>
    mode-cfg {enable | disable}
    mode-cfg-ip-version {4|6}
    ipv4-dns-server1 ipv4-dns-server2 ipv4-dns-server3
    ipv6-dns-server1 ipv6-dns-server2 ipv6-dns-server3
    ipv4-end-ip <ip4addr>
    ipv6-end-ip <ip6addr>
    ipv4-netmask <ip4mask>
    ipv4-start-ip <ip4addr>
    ipv6-start-ip <ip6addr>
    ipv6-prefix <ip6prefix>
    ipv4-wins-server1 ipv4-wins-server2
  • Page 70 FortiGate unit provides. This is available if type is dynamic. mode-cfg-ip-version {4|6}: Select whether an IKE Configuration Method client receives an IPv4 or IPv6 IP address. This is available if mode-cfg and assign-ip are enabled.
  • Page 71: IPsec Phase 2 Configuration For IKE Configuration Method

    This is the configuration for an IKE Configuration Method client, which receives information about destination subnets from the server and thus must not specify any traffic selectors itself.
  • Page 72: Integral Basic DNS Server

    To add local DNS entries using the CLI, use the following new command. Syntax:
      conf system dns-database
        edit <zone-string>
          set domain <domain>
          set ttl <int>
          config dns-entry
            edit <entry-id>
              canonical-name <canonical_name_string>
              hostname <hostname_string>
              ip <ip_address>
              ipv6 <ipv6_address>
  • Page 73: Enabling DNS On An Interface

    DNS server configured for the FortiGate unit. • non-recursive: Look up domain name in local database. Do not relay the request to the DNS server configured for the FortiGate unit.
  • Page 74: Per-VDOM DNS Configuration

    secondary <dns_ip4>: Enter the secondary IPv4 DNS server IP address. Default: 0.0.0.0. ip6-primary <dns_ip6>: Enter the primary IPv6 DNS server IP address. ip6-secondary <dns_ip6>: Enter the secondary IPv6 DNS server IP address. Default: ::.
  • Page 75: Password Policy

    3 Configure other administration settings as needed. 4 Select Apply. To set a password policy - CLI:
      config system password-policy
        status {enable | disable}
        apply-to [admin-password ipsec-preshared-key]
        change-4-characters {enable | disable}
        expire <days>
        minimum-length <chars>
  • Page 76: Use LDAP Groups In Firewall And SSL-VPN Authentication

    In the CLI, when you define a FortiGate user group, you can specify the required LDAP server user group memberships using the new ldap-memberof keyword.
      config user group
        edit <FGTgroupname>
          set group-type {sslvpn | firewall}
          set member <user1> [<user2>] [<usern>...]
          set ldap-memberof <LDAPgroupstring>
  • Page 77: Traffic Shaping Enhancements

    2 097 000. Enter 0 to disable bandwidth limit. Quotas and Accounting: see “Accounting and quota enforcement”, below. IP List, IP/Range: An IP address or range of addresses that this shaper controls.
  • Page 78: Accounting And Quota Enforcement

    Enable to log the volume of traffic through the traffic shaper. Select the log period: Hour, Day, Week, or Month. 4 Configure other traffic shaping options as needed. 5 Select OK.
  • Page 79: Logging Enhancements

    CLI. If you want to use a different FortiAnalyzer or syslog configuration for your VDOM, you must override the global configuration using the following commands:
  • Page 80 Use this command to override the global configuration created with the config log syslogd setting command. These settings configure the connection to the syslog device. Syntax: config log syslogd override-setting
  • Page 81: SQL Log Format For Executive Summary Reports

    You can also customize the appearance of existing reports and create new reports from the FortiGate CLI using the config report CLI commands. For more information, see “Viewing Executive Summary reports from SQL logs” on page 730.
  • Page 82: Antivirus Changes

    Go to UTM > Virus Database to enable grayware detection. The previous UTM > Grayware page has been removed and you can no longer enable or disable individual grayware categories. Figure 8: Virus Database
  • Page 83: Reliable Syslog

    For a single word, the FortiGate checks all web pages for that word. For a phrase, the FortiGate checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase. FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 84 | western} Set the pattern type for the content. Choose from regexp pattern-type wildcard or wildcard.Create patterns for banned words using {regexp | wildcard} Perl regular expressions or wildcards. FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 85: Web Filtering By Content Header

    {enable | disable} After you have created content header lists, you need to select the content header list in the protection profile as follows: config firewall profile edit <profile_name>
  • Page 86: Safe Search

    <profile_name> set http-post-lang [<charset1> ... <charset5>] To view the list of available character sets, enter set http-post-lang ? from within the edit shell for the profile.
  • Page 87: Snmpv3 Enhancements

    SNMP engine. This value is included in each message sent to or from the SNMP engine. In FortiOS, the snmpEngineID is composed of two parts: • Fortinet prefix 0x8000304404 • the engine-id string, 24 characters maximum, defined in the CLI config system snmp sysinfo command The snmpEngineID is optional, so you are not required to define an engine-id value.
  • Page 88: Schedule Groups

    Members. Schedules Members The list of schedules in the group. Use the arrows to move selected schedules between this list and Available Services. 2 Select OK
  • Page 89: Web-Based Manager

    Connecting to the FortiGate CLI from the web-based manager • Button bar features • Contacting Customer Support • Backing up your FortiGate configuration • Using FortiGate Online Help • Logging out
  • Page 90: Common Web-Based Manager Tasks

    Select OK to continue logging in. 2 Type admin or the name of a configured administrator in the Name field. 3 Type the password for the administrator account in the Password field. 4 Select Login.
  • Page 91: Changing Your Fortigate Administrator Password

    FortiGate and changing configuration options. For improved security you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add. Note: See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log into your FortiGate unit.
  • Page 92: Changing Administrative Access To Your Fortigate Unit

    PC that is logged into the web-based manager and then left unattended. However, you can use the following steps to change this idle timeout.
  • Page 93: Connecting To The Fortigate Cli From The Web-Based Manager

    From this page you can: • visit the Fortinet Knowledge Center • log into Customer Support (Support Login) • register your Fortinet product (Product Registration) • view Fortinet Product End of Life information •...
  • Page 94: Backing Up Your Fortigate Configuration

    • visit the FortiGuard Center. You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.
  • Page 95 Email Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product. Print Print the current online help page. Bookmark Add an entry for this online help page to your browser bookmarks or favorites list to make it easier to find useful online help pages.
  • Page 96: Searching The Online Help

    The search results pane lists the names of all the online help pages that contain all the words that you entered. Select a name from the list to display that help page.
  • Page 97: Logging Out

    Alt+7 Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product. Alt+8 Print the current online help page. Alt+9 Add an entry for this online help page to your browser bookmarks or favorites list, to make it easier to find useful online help pages.
  • Page 98: Using The Web-Based Manager Menu

    Configure a FortiGate unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units. Log&Report Configure logging and alert email. View log messages and reports.
  • Page 99: Using Web-Based Manager Lists

    “Viewing the predefined signature list” on page 533) • Firewall user monitor list (see “Firewall user monitor list” on page 676) • IPSec VPN Monitor (see “Monitoring VPNs” on page 626)
  • Page 100 IP address or for all addresses in a range of addresses. To specify a range, separate the top and bottom values of the range with a hyphen, for example 25-50.
  • Page 101 (for example, filtering ignores <string> but does not ignore >string>). Figure 22: A firewall policy list filter set to display all policies that do not include a source address with a name that contains “My_Address”
  • Page 102: Using Page Controls On Web-Based Manager Lists

    Web-based manager pages with page controls include: • session list (see “Viewing the current sessions list” on page 122) • Router Monitor (see “Router Monitor” on page 383)
  • Page 103: Using Column Settings To Control The Columns Displayed

    “Viewing the firewall policy list” on page 390) • Intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 533) • Firewall user monitor list (see “Firewall user monitor list” on page 676)
  • Page 104: Using Filters With Column Settings

    On firewall policy, IPv6 policy, predefined signature, firewall user monitor, IPSec monitor and log and report log access lists you can combine filters with column settings to provide even more control of the information displayed by the list.
  • Page 105: Web-Based Manager Icons

    Description The tooltip for this icon displays the Description or Comments field for this table entry. Disconnect from cluster Disconnect a FortiGate unit from a functioning HA cluster.
  • Page 106 Edit icon when you have read-only access to a web-based manager list. View details View detailed information about an item. For example, you can use this icon to view details about certificates.
  • Page 107: System Status

    Note: The information on the System Status page applies to the whole HA cluster, not just the primary unit. This includes information such as URLs visited, emails sent and received, and viruses caught.
  • Page 108: Vdom And Global Dashboards

    Widget Title Shows the name of the display Open/Close arrow Select to open or close the display. History Select to show an expanded set of data. Not available for all widgets.
  • Page 109: System Information

    Select Change to change the host name. For more information, see “Changing the FortiGate unit host name” on page 126. If the FortiGate unit is in HA mode, this field is not displayed.
  • Page 110: License Information

    FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired.
  • Page 111 When a contract is due to expire within 30 days, any administrator with the super_admin profile sees a notification message that provides access to an Add Contract form. Simply enter the new contract number and select Add. Fortinet Support also sends contract expiry reminders.
  • Page 112 • If Registered appears the name of the support that registered this FortiGate unit is also displayed. • You can select Login Now to log into the Fortinet Support account that registered this FortiGate unit. FortiGuard Services AntiVirus The FortiGuard Antivirus version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
  • Page 113: Unit Operation

    Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and admin events are enabled. For more information on Event Logging, see “Configuring Event logging” on page 717. Figure 32: Unit Operation examples
  • Page 114: System Resources

    The System Resources widget displays basic FortiGate unit resource usage, such as CPU and memory (RAM) usage. Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon.
  • Page 115: Alert Message Console

    Alert messages help you track system events on your FortiGate unit such as firmware changes, network security events, or virus detection events. Each message shows the date and time that the event occurred.
  • Page 116 2 Select the Edit icon in the Alert Message Console title bar. 3 Select the types of alerts that the Alert Message Console should display. By default, all alert types are enabled.
  • Page 117: Log And Archive Statistics

    Various configuration settings are required to actually collect data for the Log and Archive Statistics widget as described below. For detailed procedures involving the Statistics list, see “Viewing Log and Archive Statistics” on page 130.
  • Page 118 Figure 36: Log and Archive Statistics. Figure 37: Statistics
  • Page 119: Cli Console

    Detach moves the CLI Console widget into a pop-up window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the CLI console widget back onto the System Status page.
  • Page 120: Top Sessions

    When the display is shown, information is only stored in memory. Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.
  • Page 121 To change the information displayed on the Top Sessions widget 1 Select the Edit icon to change the information displayed by the Top Sessions widget. 2 Change the Top Sessions settings as required:
  • Page 122: Viewing The Current Sessions List

    ID of the policy, if any, that applies to the session • how long until the session expires • which virtual domain the session belongs to To view the current sessions list 1 Go to System > Status > Dashboard.
  • Page 123 Edit Filter dialog allowing you to set the display filters by column. See “Adding filters to web-based manager lists” on page Protocol The service protocol of the connection, for example, udp, tcp, or icmp.
  • Page 124: Top Viruses

    Only one interface at a time can be monitored. You can change the interface being monitored by selecting Edit, choosing the interface from the drop down menu, and selecting Apply. Doing this will clear all the traffic history data.
  • Page 125: Changing System Information

    2 In the System Information section, select Change on the System Time line. 3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server. Figure 44: Time Settings
  • Page 126: Changing The Fortigate Unit Host Name

    FortiGate administrators whose admin profiles permit maintenance read and write access can change the FortiGate firmware. Firmware images can be transferred from a number of sources including a local hard disk, a local USB disk, or the FortiGuard Network.
  • Page 127: Upgrading To A New Firmware Version

    1 Copy the new firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Support web site. 2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
  • Page 128: Reverting To A Previous Firmware Version

    To revert to a previous firmware version using the web-based manager 1 Copy the firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Support web site. 2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
  • Page 129: Viewing Operational History

    License Information section of the System Status page. Note: For information about configuring automatic FortiGuard updates, see “Configuring FortiGuard Services” on page 322.
  • Page 130: Viewing Log And Archive Statistics

    To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually 1 Download the latest update file from Fortinet support site and copy it to the computer that you use to connect to the web-based manager. 2 Start the web-based manager and go to System > Status > Dashboard.
  • Page 131 The kind of IM traffic this transaction is. Local The local address for this transaction. Remote The remote address for this transaction. Direction If the file was sent or received.
  • Page 132: Viewing The Attack Log

    Date and Time The time that the attempt to access the URL was detected. From The host that attempted to view the URL. URL Blocked The URL that was blocked.
  • Page 133: Configuring Amc Modules

    FortiGate-5001A with an empty double-width AMC slot: get system amc : auto 2 Power down the FortiGate unit. 3 Insert the FortiGate-ADM-FB8 module into the double-width AMC slot.
  • Page 134: Auto-Bypass And Recovery For Amc Bridge Module

    This command lists the AMC slots and the settings for each one. Example command output for a FortiGate-620B with an empty AMC slot: get system amc : auto 3 Power down the FortiGate unit.
  • Page 135: Enabling Or Disabling Bypass Mode For Amc Bridge Modules

    For example if you have installed a FortiGate-ASM-CX4 module in AMC slot 2 of a FortiGate-3810A and bypass mode is enabled: diagnose sys amc bypass status ASM-CX4 in slot 2: amc-sw2/1 <--> amc-sw2/2: mode=bypass (admin action)
  • Page 136 3 Log into the web-based manager and go to System > Status > Dashboard and view the Unit Operation widget to see the status of the AMC bridge module. Figure 48 shows bypass mode disabled. Figure 48: FortiGate-3810A with FortiGate-ASM-CX4 module installed in AMC slot 2
  • Page 137: Viewing Application, Policy, And Dlp Archive Usage Data

    Sessions accepted by firewall policies that do not include protection profiles with application control configured do not contribute to the data displayed. Figure 49: Top Application Usage chart display
  • Page 138 Select the check box to show the user name (when known) instead of the IP address. Resolve Host Name Select to use reverse-DNS lookup to determine the host name instead of displaying the IP address.
  • Page 139: Top Policy Usage

    Usage to show data for up to 20 firewall policies. Only firewall policies that have accepted sessions appear on the chart or table. Figure 52: Top Policy Usage chart display
  • Page 140 Refresh Interval Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
  • Page 141: Dlp Archive Usage

    To configure the DLP Archive Usage module 1 Go to System > Status > Usage. 2 Select the Edit icon in the DLP Archive Usage module title bar. 3 Enter the following information and select OK.
  • Page 142: Using The Topology Viewer

    Go to System > Status > Topology to view the system topology. The Topology page consists of a large canvas upon which you can draw a network topology diagram of your FortiGate installation.
  • Page 143 The FortiGate unit object shows the link status of the unit’s interfaces. Green indicates the interface is up. Gray indicates the interface is down. Select the interface to view its IP address and netmask, if assigned.
  • Page 144 Exit. Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.
  • Page 145: Adding A Subnet Object

    (-) and the IP range end address. FQDN If Type is FQDN, enter the fully qualified domain name. Connect to interface Select the interface or zone to associate with this address.
  • Page 146: Customizing The Topology Diagram

    Line Color Select the color of connecting lines between subnet objects and interfaces. Line Width Select the thickness of connecting lines. Reset to Default Reset all topology diagram settings to default.
  • Page 147: Managing Firmware Versions

    In addition to firmware images, Fortinet releases patch releases—maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Follow the steps below: •...
  • Page 148: Backing Up Your Configuration

    Management server, or to a USB key. You can also back up to a FortiGuard Management server if you have FortiGuard Analysis and Management Service enabled. Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.
  • Page 149: Backing Up Your Configuration To A Usb Key

    Encrypt configuration file check box, enter a password, and then enter it again to confirm. 3 Select Backup. After successfully backing up your configuration file, either from the CLI or the web-based manager, proceed with upgrading to FortiOS 4.0.
  • Page 150: Testing Firmware Before Upgrading

    7 Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: 8 Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
  • Page 151: Upgrading Your Fortigate Unit

    The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.
  • Page 152: Upgrading To Fortios 4.0 Through The Cli

    The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for procedure, for additional information about upgrading firmware in the CLI.
  • Page 153: Verifying The Upgrade

    FortiOS 4.0. You can verify your configuration settings by: • going through each menu and tab in the web-based manager • using the show shell command in the CLI.
  • Page 154: Reverting To A Previous Firmware Image

    6 Log in to the web-based manager. Go to System > Status to verify that the firmware version under System Information has changed to the correct firmware.
  • Page 155: Verifying The Downgrade

    IP address of the TFTP server is 192.168.1.168, enter: execute restore image tftp image.out 192.168.1.168 The FortiGate unit responds with the message: This operation will replace the current firmware version! Do you want to continue? (y/n)
  • Page 156 8 Reconnect to the CLI. 9 Enter the following command to confirm the firmware image installed successfully: get system status “Restoring your configuration” on page 157 to restore your previous configuration settings.
  • Page 157: Restoring Your Configuration

    4 Enter the following command to ping the computer running the TFTP server: execute ping <server_ipaddress> Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
  • Page 158 Restoring files... All done. Rebooting... This may take a few minutes. Use the CLI show shell command to verify your settings are restored, or log in to the web-based manager.
  • Page 159: Using Virtual Domains

    They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but you can change it. For more information, see “Changing the management VDOM” on page 172.
  • Page 160: Vdom Configuration Settings

    VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see the FortiGate VLAN and VDOMS Guide.
  • Page 161 Protection Profile “Firewall Protection Profile” on page 479 AntiVirus File Filter “File Filter” on page 521 Intrusion Protection “Intrusion Protection” on page 531 Web Filter “Web Filter” on page 549
  • Page 162 “Configuring Event logging” on page 717 Log access “Accessing and viewing log messages” on page 720 DLP Archive “Viewing DLP Archives” on page 725 Report Access “Configuring FortiAnalyzer report schedules” on page 727
  • Page 163: Global Configuration Settings

    “Getting started - User and authentication authentication” on page 651 time-out Admin Settings Web- “Settings” on page 286 based manager language Admin Settings LCD “Settings” on page 286 panel PIN, where applicable
  • Page 164: Enabling Vdoms

    Alternatively, through the CLI, enter: config system global, set vdom-admin When virtual domains are enabled, the web-based manager and the CLI are changed as follows: • Global and per-VDOM configurations are separated.
  • Page 165: Configuring Vdoms And Global Settings

    Configuring 250 or more VDOMs will result in reduced system performance. Table 10: VDOM support by FortiGate model FortiGate model Support Default VDOM Maximum VDOM VDOMs maximum license Low and mid-range models High-end models
  • Page 166: Creating A New Vdom

    4 Under License Information > Virtual Domains, select Purchase More. 5 You will be taken to the Fortinet customer support web site where you can log in and purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
  • Page 167: Working With Vdoms And Global Settings

    VDOM option under System. To work with virtual domains, select System > VDOM. Figure 62: VDOM list
  • Page 168: Adding Interfaces To A Vdom

    VLAN to the correct VDOM. VDOMs can only be added in global settings, and not within VDOMs. For information on creating VLAN subinterfaces, see “Creating a VLAN subinterface” on page 185.
  • Page 169: Inter-Vdom Links

    1 Log in as admin. 2 Go to System > Network > Interface. 3 Select the arrow on the Create New button. 4 Select VDOM link. You will see the New VDOM Link screen.
  • Page 170: Assigning An Interface To A Vdom

    VDOM at a later date. Delete the items in this list or modify them to remove the interface before proceeding.
  • Page 171: Assigning An Administrator To A Vdom

    6 Select the VDOM that this administrator manages. Administrators are assigned to a specific VDOM when the account is created unless they are super_admin administrators. For more information, see “Configuring an administrator account” on page 270.
  • Page 172: Changing The Management Vdom

    • The number of IPSec VPN Dial-up Tunnels that can be started in a VDOM. When this limit is reached, additional tunnels are dropped.
  • Page 173: Setting Vdom Global Resource Limits

    FortiGate unit limits dynamic resources by the capacity of the FortiGate unit and can vary depending on how busy the system is. Limits for static resources are set by limitations in the FortiGate configuration as documented in the FortiGate Maximum Values Matrix document.
  • Page 174: Configuring Resource Usage For Individual Vdoms

    VDOM at any time by going to System > VDOM and selecting the edit icon for a VDOM. When configuring resource usage for a VDOM you can set the Maximum and Guaranteed value for each resource.
  • Page 175 VDOMs. The default value is 0, which means that an amount of this resource is not guaranteed for this VDOM. Current The amount of the resource that this VDOM currently uses.
  • Page 176 Configuring VDOM resource limits
  • Page 177: System Network

    VDOM links (see “Inter-VDOM links” on page 169) • configure the modem (see “Configuring the modem interface” on page 199) • change the information displayed about the interfaces
  • Page 178 View Interface Description Interface Status Edit Figure 68: Interface list - admin view with virtual domains enabled Delete Figure 69: Switch mode for models 100A and 200A Rev2.0 and higher FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 179 In VDOM mode, when VDOMs are not all in NAT or Transparent mode some values may not be available for display and will be displayed as “-” instead. When IPv6 Support on GUI is enabled, IPv6 addresses may be displayed in this column. FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 180: Switch Mode

    DNS forwarding, DHCP services, VDOM interface assignments, and routing. If they are not removed, you will not be able to switch modes, and you will see an error message.
  • Page 181: Interface Settings

    For more information, see “Configuring a virtual IPSec interface” on page 191. Figure 71: Create New Interface settings
  • Page 182 It will not appear in logs. Link Status Indicates whether the interface is connected to a network (link status is up) or not (link status is down).
  • Page 183 This field is only available when Manual addressing mode is selected. Ping Server To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable.
  • Page 184 Select either Up (green arrow) or Down (red arrow) as the status of this interface. Status Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.
  • Page 185: Creating A Vlan Subinterface

    To add a loopback interface - web-based manager 1 Go to System > Network > Interface. 2 Select Create New and set Type to Loopback Interface to add a loopback interface.
  • Page 186: Creating An 802.3Ad Aggregate Interface

    When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface screen. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing.
  • Page 187: Creating A Redundant Interface

    VDOM as the redundant interface • it has no defined IP address and is not configured for DHCP or PPPoE • it has no DHCP server or relay configured on it
  • Page 188: Configuring Dhcp On An Interface

    If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides.
  • Page 189 DNS server IP addresses on the DNS page. On low end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
  • Page 190: Configuring An Interface For Pppoe

    Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set initial PADT timeout to 0 to disable.
  • Page 191: Configuring Dynamic Dns On An Interface

    VLAN interface from the Local Interface list. The virtual IPSec interface is listed as a subinterface of that interface by going to System > Network > Interface. For more information, see
  • Page 192: Configuring Administrative Access To An Interface

    You can allow remote administration of the FortiGate unit running in NAT/Route mode, but allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration.
  • Page 193: Interface Status Detection For Gateway Load Balancing

    Responses received to more protocols do not enhance the status of the server or interface, and receiving responses from fewer protocols does not reduce the status of the server or interface.
  • Page 194 FortiGate units do not recognize RST (reset) packets from TCP Echo servers as normal TCP echo replies. If the FortiGate receives an RST response to a TCP echo request, the FortiGate unit assumes the server is unreachable.
  • Page 195: Interface Mtu Packet Size

    MTU to find an MTU size for optimum network performance. Select interfaces on some FortiGate models support frames larger than the traditional 1 500 bytes. Contact Fortinet Customer Support for the maximum frame sizes your FortiGate unit supports.
  • Page 196: Secondary Ip Addresses

    Allow secure HTTPS connections to the web-based manager through this secondary IP. PING Allow secondary IP to respond to pings. Use this setting to verify your installation and for testing.
  • Page 197: Adding A Software Switch Interface

    ‘?’ or <TAB> to scroll through the available list. The CLI command to configure a software switch interface called soft_switch with port1, external and dmz interfaces is: config system switch-interface edit soft_switch set members port1 external dmz
  • Page 198: Configuring Zones

    1 Go to System > Network > Zone. 2 Select Create New or select the Edit icon for a zone. 3 Select name, and interfaces. 4 Select OK. Figure 83: Zone settings
  • Page 199: Configuring The Modem Interface

    This feature is enabled in the CLI using config system dialinsvr. If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the other interfaces.
  • Page 200 Figure 84: Modem settings (Standalone) Figure 85: Modem settings (Redundant) Enable Modem Select to enable the FortiGate modem. Modem status Modem status can be: not active, connecting, connected, disconnecting, or hung up.
  • Page 201: Redundant Mode Configuration

    When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface.
  • Page 202: Standalone Mode Configuration

    For example, if the modem interface is acting as the FortiGate unit external interface you must set the device setting of the FortiGate unit default route to modem. To configure standalone mode 1 Go to System > Network > Modem.
  • Page 203: Adding Firewall Policies For Modem Connections

    The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP. To disconnect from a dialup account 1 Go to System > Network > Modem. 2 Select Hang Up to disconnect the modem.
  • Page 204: Checking Modem Status

    Enter the primary DNS server IP address. Secondary DNS Server Enter the secondary DNS server IP address. Local Domain Name Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
  • Page 205: Dns Servers

    If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM. This section describes: • About split DNS • Configuring FortiGate DNS services
  • Page 206: About Split Dns

    4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required. See “Configuring the FortiGate DNS database” on page 208.
  • Page 207
  • Page 208: Configuring The Fortigate Dns Database

    You can also specify if the entry is an IPv4 address (A), an IPv6 address (AAAA), a name server (NS), a canonical name (CNAME), or a mail exchange (MX) name. Go to System > Network > DNS Database to configure the FortiGate DNS database.
  • Page 209 A description of the entry. Adding or modifying DNS entries Type Select the type of entry to add. The options change depending on the type. Hostname Enter the host name. Available for all Types.
  • Page 210: Configuring The Explicit Web Proxy

    For a more complete description of the FortiGate web proxy see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide. To configure web proxies go to System > Network > Web Proxy. Figure 88: Configuring Web Proxy settings
  • Page 211 If an interface has a VLAN subinterface configured, it must be enabled separately for explicit web proxy. Enabled interfaces will be displayed independent of explicit web proxy being enabled or not on the Web Proxy screen.
  • Page 212: Configuring Wccp

    WCCP page. It is in the Additional content category. See “Configuring an admin profile” on page 284.
  • Page 213: Routing Table (Transparent Mode)

    1 Ensure your FortiGate unit is in Transparent mode. For more details see “Changing operation mode” on page 263. 2 Go to System > Network > Routing Table. 3 Select Create New.
  • Page 214: Transparent Mode Route Settings

    For an Internet connection, the next hop routing gateway routes traffic to the Internet. Distance The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.
  • Page 215: System Wireless

    IEEE 802.11b (2.4-GHz Band) • IEEE 802.11g (2.4-GHz Band) • WEP64 and WEP128 Wired Equivalent Privacy (WEP) • Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or RADIUS servers
  • Page 216: Channel Assignments

    Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.
  • Page 217: Ieee 802.11G Channel Numbers

    [IEEE 802.11g channel number table; only the frequency column survived extraction: 2457, 2462, 2467, 2472, 2484]
  • Page 218: Wireless Settings

    When operating the FortiWiFi unit in Client mode, radio settings are not configurable. Figure 92: FortiWiFi wireless parameters - Access Point mode Figure 93: FortiWiFi wireless parameters - Client mode Figure 94: FortiWiFi wireless parameters - Monitoring mode
  • Page 219: Adding A Wireless Interface

    You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless interface has a unique SSID.
  • Page 220 If you choose not to broadcast the SSID, you need to inform users of the SSID so they can configure their wireless devices.
  • Page 221: Wireless Mac Filter

    If the MAC address is on the approved list, the user gains access to the network. If the user is not in the list, the user is rejected.
  • Page 222: Managing The Mac Filter List

    To edit a MAC filter list 1 Go to System > Wireless > MAC Filter. 2 Select Edit for the wireless interface. Figure 98: Wireless interface MAC filter 3 Complete the following and select OK:
  • Page 223: Wireless Monitor

    Signal Strength (dBm) The strength of the signal from the client. Noise (dBm) The received noise level. S/N (dB) The signal-to-noise ratio in decibels calculated from signal strength and noise level.
  • Page 224: Rogue Ap Detection

    Access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.
  • Page 225 Rogue Access Points list. You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate Reference.
  • Page 226 Rogue AP detection System Wireless
  • Page 227: System Dhcp

    “Configuring an interface as a DHCP relay agent” on page 229. DHCP services can also be configured through the Command Line Interface (CLI). See FortiGate CLI Reference for more information.
  • Page 228: Configuring Dhcp Services

    Type of DHCP relay or server: Regular or IPSec. Enable Green check mark icon indicates that server or relay is enabled. Add DHCP Server icon Select to configure and add a DHCP server for this interface.
  • Page 229: Configuring An Interface As A Dhcp Relay Agent

    3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon beside an existing DHCP server to change its settings. 4 Configure the DHCP server. 5 Select OK.
  • Page 230 DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days. Advanced Select to configure advanced options. The remaining options in this table are advanced options.
  • Page 231: Viewing Address Leases

    You can assign up to 200 IP addresses as reserved. For more information see the FortiGate Maximum Values Matrix. Use the CLI config system dhcp reserved-address command. For more information, see the FortiGate CLI Reference.
  • Page 232 Viewing address leases System DHCP
  • Page 233: System Config

    HA mode if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session synchronization.
  • Page 234 VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Overview and the FortiGate HA Guide.
  • Page 235 When the cluster is operating you can change the group name, if required. Two clusters on the same network cannot have the same group name.
  • Page 236: Cluster Members List

    HA configuration of primary unit, change the device priority and host name of subordinate units, and download a debug log for any cluster unit. You can also view HA statistics for the cluster.
  • Page 237 Up and down arrows Changes the order of cluster members in the list. The operation of the cluster or of the units in the cluster is not affected. All that changes is the order of the units on the cluster members list.
  • Page 238: Viewing Ha Statistics

    239. Download debug log Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units. Viewing HA statistics From the cluster members list, you can select View HA Statistics to display the serial number, status, and monitor information for each cluster unit.
  • Page 239: Changing Subordinate Unit Host Name And Device Priority

    To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.
  • Page 240: Disconnecting A Cluster Unit From A Cluster

    IP/Netmask Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.
  • Page 241: Snmp

    FortiGate unit. To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager.
  • Page 242: Configuring Snmp

    SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.
  • Page 243 Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces. Figure 114: SNMP community options (part 1) Figure 115: SNMP community options (part 2)
  • Page 244: Fortinet Mibs

    3 Select Apply. Fortinet MIBs The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.
  • Page 245: Fortinet And Fortigate Traps

    To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager. The name of the table indicates if it is found in the Fortinet MIB or the FortiGate MIB. The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap.
  • Page 246 (fnTrapIpChange) The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
  • Page 247 Used for verification by FortiManager. (fgFmTrapConfChange) The FortiGate unit configuration has been changed by something other than the managing FortiManager device. (fgFmTrapIfChange) No message. Sent to monitoring FortiManager when an interface changes IP address.
  • Page 248: Fortinet And Fortigate Mib Fields

    MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your...
  • Page 249 Table 27: FortiGate Dialup VPNs MIB field Description fgVpnDialupIndex An index value that uniquely identifies a VPN dial-up peer in the table. fgVpnDialupGateway The remote gateway IP address on the tunnel.
  • Page 250: Replacement Messages

    Go to System > Config > Replacement Message to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.
  • Page 251: Vdom And Global Replacement Messages

    The same applies to pages blocked by web filtering and email blocked by spam filtering. Note: Disclaimer replacement messages provided by Fortinet are examples only. VDOM and global replacement messages FortiGate units include global replacement messages that are used by all VDOMs.
  • Page 252: Changing Replacement Messages

    HTML codes and by working with replacement message tags. For descriptions of the replacement message tags, see Table 39 on page 262.
  • Page 253 FortiGuard Web Filtering replacement messages • IM and P2P replacement messages • Endpoint NAC replacement message • NAC quarantine replacement messages • Traffic quota control replacement messages • SSL VPN replacement message
  • Page 254: Mail Replacement Messages

    If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.
  • Page 255: Ftp Replacement Messages

    Message name Description Virus message Antivirus Virus Scan enabled for FTP in a protection profile deletes an infected file being downloaded using FTP and sends this message to the FTP client.
  • Page 256: Nntp Replacement Messages

    If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.
  • Page 257: Spam Replacement Messages

    Administration replacement message If you enter the following CLI command the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.
  • Page 258: Authentication Replacement Messages

    The following is an example of a simple authentication page that meets the requirements listed above. <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</H4> <FORM ACTION="/" method="post"> <INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden"> <TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
  • Page 259: Fortiguard Web Filtering Replacement Messages

    HTTP protocol when FortiGuard web filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages.
  • Page 260: Im And P2P Replacement Messages

    In an Application Control list, the block-photo CLI keyword is enabled for block message MSN, or Yahoo and the application control list is added to a protection profile. You enable photo blocking from the CLI.
  • Page 261: Endpoint Nac Replacement Message

    FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if method is set to Attacker and Victim IP Address.
  • Page 262: Traffic Quota Control Replacement Messages

    %%FILE%% can be used in virus and file block messages. %%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo. %%FORTINET%% The Fortinet logo. %%LINK%% The link to the FortiClient Host Security installs download for the Endpoint Control feature.
  • Page 263: Operation Mode And Vdom Management Access

    To switch from NAT/Route to Transparent mode 1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.
  • Page 264: Management Access

    IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Configuring FortiGuard Services” on page 322).
  • Page 265 Use Trusted Hosts to limit where the remote access can originate from. • Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 286).
  • Page 266 Operation mode and VDOM management access System Config
  • Page 267: System Admin

    System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in System > Admin New/Edit Administrator dialog box.
  • Page 268 Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools.
  • Page 269: Viewing The Administrators List

    Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server. Remote+ Authentication of any account on an LDAP, RADIUS, or TACACS+ server. Wildcard PKI-based certificate authentication of an account.
  • Page 270: Configuring An Administrator Account

    New. To configure the settings for an existing administrator, select the Edit icon beside the administrator. Figure 120: Administrator account configuration - Regular (local) authentication Figure 121: Administrator account configuration - Remote authentication
  • Page 271 Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
  • Page 272: Changing An Administrator Account Password

    “Viewing the administrators list” on page 269. Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator account passwords. Configuring remote authentication for administrators You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers.
  • Page 273 2 Select Create New, or select the Edit icon beside an existing RADIUS server. 3 Enter a name that identifies the RADIUS server. Use this name when you create the user group
  • Page 274 4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 270. 5 Select OK. For more information about using a RADIUS server to authenticate system administrators, see Fortinet Knowledge Centre article #3849 Using RADIUS for Admin Access and Authorization.
  • Page 275 The TCP port used to communicate with the LDAP server. Common Name Identifier: The common name identifier for the LDAP server. Distinguished Name: The base distinguished name for the server in the correct X.500 or LDAP format.
  • Page 276 Wildcard is enabled (Password). Admin Profile: The admin profile to apply to the administrator. 4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 270.
  • Page 277 5 For Server Key, enter the key to access the TACACS+ server. The maximum number is 16. 6 For Authentication Type, enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order). 7 Select OK.
  • Page 278: Configuring Pki Certificate Authentication For Administrators

    To do this you need to: • configure a PKI administrator to be included in the user group • create a user group. To view the PKI user list, go to User > PKI.
  • Page 279 A name that identifies the administrator. Type: PKI. User Group: The user group that includes the PKI user as a member. Admin Profile: The admin profile to apply to the administrator.
  • Page 280: Admin Profiles

    FortiGate features into access control categories for which an administrator with read/write access can enable none (deny), read only, or read/write access. The following table lists the web-based manager pages to which each category provides access:
  • Page 281 Access Control category. You can access “get” and “show” commands with Read Only access. Access to “config” commands requires Read-Write access.
  • Page 282 Network Configuration (netgrp): system arp-table, system dhcp, system interface, system zone, execute dhcp lease-clear, execute dhcp lease-list, execute clear system arp table, execute interface
  • Page 283: Viewing The Admin Profiles List

    You need to use the admin account or an account with Admin Users read/write access to create or edit admin profiles. To view the admin profiles list, go to System > Admin > Admin Profile. Figure 127: Admin profile list
  • Page 284: Configuring An Admin Profile

    OK. Figure 128: Admin profile options. Profile Name: Enter the name of the admin profile. Access Control: List of the items for which access control settings can be customized.
  • Page 285: Central Management

    FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit. Figure 129: Central Management using FortiManager. Figure 130: Central Management using the FortiGuard Management Service.
  • Page 286: Settings

    FortiGate unit is managed by a central management server. For more information, see “Managing configuration revisions” on page 319. Settings The Settings tab includes the following features that you can configure:
  • Page 287 An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443. Telnet Port: TCP port to be used for administrative telnet access. The default is 23.
  • Page 288 Wireless Controller menu in the web-based manager and the corresponding CLI commands. Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.
  • Page 289: Monitoring Administrators

    IPv4. The internet is currently in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain interoperability with the existing IPv4 infrastructure in two ways:
  • Page 290: Customizable Web-Based Manager

    Page layout - arrangement of widgets on a screen of the web-based manager (see Figure 146). • Tier 1 menu item - top-level menu item in the web-based manager layout (see “To create Tier-1 and Tier-2 menu items” on page 294).
  • Page 291 Hide from within the GUI layout dialog box (see Figure 138). The following configuration will set up read-only administrative access to Log&Report items for the Report Profile profile, and prevent access to the default layout.
  • Page 292 4 Select OK to save the settings. The admin profiles list reappears. 5 From the list, select the Edit icon beside Report Profile. 6 Under GUI Control > Menu Layout, select Customize, and then select OK (see Figure 137 and Figure 138).
  • Page 293 Reset menu to default layout configuration In the GUI layout dialog box, select the customization drop-down menu icon beside System and select hide (see Figure 138). Repeat for each menu item except Log&Report.
  • Page 294 To create a new tab 1 Select the Create New tab item icon (see Figure A tab is created with the default name custom menu, and an additional Create New icon appears beside it.
  • Page 295 8 widgets. 2 For the Custom Log Report Tab1, select 2 columns. 3 To save your modified configuration, select Save in the Edit this tab dialog box.
  • Page 296 This search employs a real-time filtering mechanism with a “contains” type search on the widget names. For example, if you search on “use”, you will be shown User Group, IM User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 144).
  • Page 297 For the Custom Log Report Tab1, select the following items for inclusion in the layout: • Alert E-mail • Schedule. Close the Edit Layout dialog box. Figure 145: Log&Report category selection for Custom Log Report Tab1
  • Page 298 Figure 146: Custom Log Report Tab1 page layout preview. For the Custom Log Report Tab2, select the following items for inclusion in the layout: • Event Log • Log Setting.
  • Page 299 Save to close the custom GUI layout dialog box (see Figure 149). To abandon the configuration, select Reset menus (see Figure 149). To exit the GUI layout dialog box without saving your changes, select Cancel (see Figure 149).
  • Page 300 FortiGate unit, then log back in using the name and password of an administrator assigned the Report Profile administrative profile. The FortiGate web-based manager reflects the customized configuration of Report Profile (see Figure 150). Figure 150: Customized web-based manager page
  • Page 301: System Certificates

    Fortinet_CA Embedded inside firmware and BIOS. Fortinet’s CA certificate. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp.
  • Page 302: Local Certificates

    Import a signed local certificate. For more information, see “Importing a signed server certificate” on page 305. Name: The names of existing local certificates and pending certificate requests. Subject: The Distinguished Names (DNs) of local signed certificates.
  • Page 303: Generating A Certificate Request

    Generate, and complete the fields in the table below. To download and send the certificate request to a CA, see “Downloading and submitting a certificate request” on page 304. Figure 152: Generate Certificate Signing Request
  • Page 304: Downloading And Submitting A Certificate Request

    2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request. 3 In the File Download dialog box, select Save to Disk. 4 Name the file and save it to the local file system.
  • Page 305: Importing A Signed Server Certificate

    To import the PKCS12 file, go to System > Certificates > Local Certificates and select Import. Figure 154: Upload PKCS12 Certificate. Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file.
  • Page 306: Importing Separate Server Certificate And Private Key Files

    System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate. Note: There is one OCSP per VDOM.
  • Page 307: Importing Remote (Ocsp) Certificates

    Fortinet_CA certificate. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
  • Page 308: Importing Ca Certificates

    If you choose SCEP, the system starts the retrieval process as soon as you select OK. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
  • Page 309: Crl

    CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires. To import a certificate revocation list, go to System > Certificates > CRL and select Import.
  • Page 310 OK. The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).
  • Page 311: System Maintenance

    FortiGate unit includes a USB port (see “Formatting USB Disks” on page 318). You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu.
  • Page 312: Backing Up And Restoring

    Backup & Restore section. For more information, see “Central Management” on page 285. To view the backup and restore options, go to System > Maintenance > Backup and Restore. Figure 162: Backup and restore
  • Page 313: Basic Backup And Restore Options

    USB disk. Backup: Select to back up the configuration. If you are backing up to a FortiManager device, a confirmation message is displayed after successful completion of the backup. Restore
  • Page 314 A list of revisions is displayed when restoring the configuration from a remote location. The list allows you to choose the configuration to restore. To view the basic backup and restore options, go to System > Maintenance > Backup & Restore.
  • Page 315 Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see “Managing firmware versions” on page 147.
  • Page 316: Upgrading And Downgrading Firmware

    FortiGate unit. To view the firmware options, go to System > Maintenance > Backup & Restore.
  • Page 317: Upgrading And Downgrading Firmware Through Fortiguard

    downgrade: Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.
  • Page 318: Configuring Advanced Options

    Select to apply the selected settings. Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit. Formatting USB Disks: FortiGate units with USB ports support USB disks for backing up and restoring configurations.
  • Page 319: Managing Configuration Revisions

    • a specified revision number. Download icon: Download this revision to your local PC. Revert icon: Restore the previously selected revision. You will be prompted to confirm this action.
  • Page 320: Using Script Files

    Select to execute a script from the FortiManager unit or the FortiGuard Analysis & Management Service. Choose the script you want to run from the list of all scripts stored remotely on the management station.
  • Page 321: Creating Script Files

    FortiGuard Analysis & Management Service portal web site. For more information about viewing or running an uploaded script on the portal web site, see the FortiGuard Analysis & Management Service Users Guide.
  • Page 322: Configuring Fortiguard Services

    NAT device. Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions.
  • Page 323: Configuring The Fortigate Unit For Fdn And Fortiguard Subscription Services

    FortiGuard Antispam service FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools, contained in an antispam rule set that is downloaded to the FortiGate unit. The IP address black list contains IP addresses of email servers known to generate spam.
  • Page 324 Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. Select Update Now to immediately download current updates from the FDN directly.
  • Page 325 Allow Push Update: Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check if they are available.
  • Page 326 Update Now: Select to manually initiate an FDN update. Submit attack characteristics… (recommended): Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.
  • Page 327 The Analysis & Management Service Options section contains the Account ID and other options regarding the FortiGuard Analysis & Management Service. You can access this section by selecting the expand arrow. Figure 174: FortiGuard Analysis & Management Service options
  • Page 328: Troubleshooting Fdn Connectivity

    (including grayware) definitions and IPS attack definitions. Note: Updating antivirus and IPS attack definitions can cause a very short disruption in traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet recommends scheduling updates when traffic is light to minimize disruption.
  • Page 329 1 Go to System > Maintenance > FortiGuard. 2 Select the Use override server address check box. 3 Type the fully qualified domain name or IP address of the FortiGuard server. FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 330: Enabling Push Updates

    FortiGate unit will usually receive new updates sooner. Fortinet does not recommend enabling push updates as the only method for obtaining updates. The FortiGate unit might not receive the push notification. When the FortiGate unit receives a push notification, it makes only one attempt to connect to the FDN and download updates.
  • Page 331: Enabling Push Updates Through A Nat Device

    1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates. For more information, see “Registering your Fortinet product” on page 2 Configure the following FortiGuard options on the FortiGate unit on the internal network.
  • Page 332 Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443. 4 Select OK. FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 333: Adding Vdom Licenses

    If you need more VDOMs than your FortiGate unit currently supports, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs.
  • Page 335: Router Static

    The following topics are covered in this section: • How the routing table is built • How routing decisions are made • Multipath routing and determining the best route • Route priority
  • Page 336: How The Routing Table Is Built

    31 (sometimes not available), the traffic will use the route with an administrative distance of 5. Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable.
  • Page 337: Route Priority

    Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.
  • Page 338: Static Route

    Figure 177 shows the static route list belonging to a FortiGate unit that has interfaces named “port1” and “port2”. The names of the interfaces on your FortiGate unit may be different.
  • Page 339 Device: The names of the FortiGate interfaces through which intercepted packets are received and sent. Distance: The administrative distances associated with each route. The values represent distances to next-hop routers.
  • Page 340: Default Route And Default Gateway

    FortiGate unit.
  • Page 341 FortiGate routing table must include a static route to that network. For example, in Figure 179, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively.
  • Page 342 For more information see the FortiGate CLI Reference. To change the gateway for the default route 1 Go to Router > Static > Static Route.
  • Page 343: Adding A Static Route To The Routing Table

    Edit Static Route dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.
  • Page 344: Ecmp Route Failover And Load Balancing

    IP address of the sessions to be load balanced (also called source IP based). This is the default load balancing method. No configuration changes are required to support source IP load balancing.
  • Page 345 ECMP route failover and load balancing configuration.
  • Page 346: Configuring Spill-Over Or Usage-Based Ecmp

    In this example, the FortiGate unit sends all sessions to the 192.168.20.0 network through port3. When port3 exceeds its spillover threshold of 100 Kbps the FortiGate unit sends all new sessions to the 192.168.20.0 network through port4.
  • Page 347 When you add ECMP routes they are added to the routing table in the order displayed by the routing monitor or by the get router info routing-table static command. This order is independent of the configured bandwidth limit.
  • Page 348: Configuring Weighted Static Route Load Balancing

    Configure weighted load balancing to control how the FortiGate unit distributes sessions among ECMP routes by adding weights for each route. Add higher weights to routes that you want to load balance more sessions to.
  • Page 349 The following example shows two ECMP routes with weights added. Destination IP/Mask 192.168.20.0/24, Device port1, Gateway 172.20.110.1, Distance, Weight; Destination IP/Mask 192.168.20.0/24, Device port2, Gateway 172.20.120.2, Distance, Weight. Figure 182: Adding a weighted static route. In this example:
  • Page 350 IP address 172.20.120.2. • one half of the sessions to the 192.168.20.0 network will use the third route and be sent out port3 to the gateway with IP address 172.20.130.3.
  • Page 351: Policy Route

    The IP source addresses and network masks that cause policy routing to occur. Destination: The IP destination addresses and network masks that cause policy routing to occur. Delete icon: Delete a policy route.
  • Page 352: Adding A Policy Route

    Use a two-digit hexadecimal bit pattern to match the service, or use a two-digit hexadecimal bit mask to mask out. For more information, see “Type of Service” on page 353.
  • Page 353 TOS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information, see RFC 791 and RFC 1349.
  • Page 354: Moving A Policy Route

    Select After to place it following the indicated route. Policy route ID: Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.
  • Page 357: Router Dynamic

    Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
  • Page 358: Viewing And Editing Basic Rip Settings

    Figure 187 shows the basic RIP settings on a FortiGate unit that has interfaces named “dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.
  • Page 359 FortiGate interfaces whose IP addresses match the RIP network address space. IP/Netmask: Enter the IP address and netmask that defines the RIP-enabled network. Select to add the network information to the Networks list.
  • Page 360: Selecting Advanced Rip Options

    FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.
  • Page 361: Configuring A Rip-Enabled Interface

    Note: Additional options such as split-horizon and key-chains can be configured per interface through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference or the Fortinet Knowledge Center.
  • Page 362: Ospf

    A neighbor is any router that is directly connected to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.
  • Page 363: Defining An Ospf As-Overview

    1 Go to Router > Dynamic > OSPF. 2 Under Areas, select Create New. 3 Define the characteristics of one or more OSPF areas. See “Defining OSPF areas” on page 367. 4 Under Networks, select Create New.
  • Page 364: Configuring Basic Ospf Settings

    If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used. Advanced Options: Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see “Selecting advanced OSPF options” on page 366.
  • Page 365 Delete and Edit icons: Delete or edit an OSPF area entry, network entry, or interface definition. Icons are visible only when there are entries in the Areas, Networks, and Interfaces sections.
  • Page 366: Selecting Advanced Ospf Options

    Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214. Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  • Page 367: Defining Ospf Areas

    OSPF backbone. Virtual links can be set up only between two FortiGate units that act as area border routers. For more information on virtual links, see the FortiGate CLI Reference. Figure 192: New/Edit OSPF Area
  • Page 368: Specifying Ospf Networks

    You must define the area before you can select the area ID. For more information, see “Defining OSPF areas” on page 367.
  • Page 369: Selecting Operating Parameters For An Ospf Interface

    Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.
  • Page 370: Bgp

    BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate unit routing table.
  • Page 371: Viewing And Editing Bgp Settings

    Add the neighbor information to the Neighbors list, or edit an entry in the list. Neighbor The IP addresses of BGP peers. Remote AS The numbers of the autonomous systems associated with the BGP peers. Delete icon Delete a BGP neighbor entry.
  • Page 372: Multicast

    CLI commands to configure PIM settings, see multicast in the “router” chapter of the FortiGate CLI Reference. Note: For more information about FortiGate multicast support, see the FortiGate Multicast Technical Note or the FortiGate Routing Guide.
  • Page 373: Viewing And Editing Multicast Settings

    The priority number assigned to Designated Router (DR) candidacy on the interface. Available only when sparse mode is enabled. Delete and Edit icons Delete or edit the PIM settings on the interface.
  • Page 374: Overriding The Multicast Settings On An Interface

    Configure multicast DNAT in the CLI by using the following command:
    config firewall multicast-policy
      edit p1
        set dnat <dnatted-multicast-group>
        set ...
      next
    For more information, see the “firewall” chapter of the FortiGate CLI Reference.
  • Page 375: Bi-Directional Forwarding Detection (Bfd)

    3. The port that BFD traffic originates from will be checked for security purposes as indicated by disabling bfd-dont-enforce-src-port. config system settings
  • Page 376 OSPF, and you can override the global settings at the interface level. To enable BFD on OSPF:
    config router ospf
      set bfd enable
    To override BFD on an interface:
    config router ospf
      config ospf-interface
        edit <interface_name>
          set bfd disable
  • Page 377: Customizable Routing Widgets

    Prefix The IP address prefix for this access-list. When this prefix is matched, the action is taken. The prefix can match any address, or a specific address.
  • Page 378: Distribute List

    The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see “RIP” on page 357.
  • Page 379: Offset List

    Select to remove an offset entry. Edit Icon Select to edit an existing offset entry. For more information on the offset list, see the “router” chapter of the FortiGate CLI Reference.
  • Page 380: Prefix List

    • When a single matching match-* rule is found, changes to the routing information are made as defined through the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
  • Page 381 Select to add a route map entry to a route map. Edit Icon Select to edit an existing route map entry. For more information on the route map, see the “router” chapter of the FortiGate CLI Reference.
  • Page 382 Customizable routing widgets Router Dynamic
  • Page 383: Router Monitor

    Routing Monitor list belonging to a FortiGate unit that has interfaces named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may be different. Figure 204: Routing Monitor list
  • Page 384 The interface through which packets are forwarded to the gateway of the destination network. Up Time The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable.
  • Page 385: Searching The Fortigate Routing Table

    5 Select Apply Filter. Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.
  • Page 386 Searching the FortiGate routing table Router Monitor
  • Page 387: Firewall Policy

    When the FortiGate unit finds the first matching policy, it applies the matching policy’s specified actions to the packet, and disregards subsequent firewall policies. Matching firewall policies are determined by comparing the firewall policy and the packet’s: • source and destination interfaces
  • Page 388: Moving A Policy To A Different Position In The Policy List

    “How list order affects policy matching” on page 387. Moving a policy in the firewall policy list does not change its ID, which only indicates the order in which the policy was created.
  • Page 389: Enabling And Disabling Policies

    FortiGate units support multicast policies. You can configure and create multicast policies using the following CLI command: config firewall multicast-policy For more information, see the FortiOS CLI Reference and the FortiGate Multicast Technical Note.
  • Page 390: Viewing The Firewall Policy List

    The schedule that controls when the policy should be active. For more information, see “Firewall Schedule” on page 437. Service The service to which the policy applies. For more information, see “Firewall Service” on page 427.
  • Page 391: Configuring Firewall Policies

    IPSec virtual interface. For more information, see “Overview of IPSec VPN configuration” on page 611. • DENY policy actions block communication sessions, and may optionally log the denied traffic.
  • Page 392 “Viewing the firewall policy list” on page 390). Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. See the “firewall” chapter of the FortiGate CLI Reference.
  • Page 393 If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.
  • Page 394 This option is available only after you have added an SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See “Configuring SSL VPN identity-based firewall policies” on page 400.
  • Page 395 Maximum Bandwidth Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
  • Page 396: Adding Authentication To Firewall Policies

    FortiGate unit matches. For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password.
  • Page 397: Identity-Based Firewall Policy Options (Non-Ssl-Vpn)

    Edit. Make sure that Action is set to ACCEPT. Select Enable Identity Based Policy. Figure 210: Selecting user groups for authentication Edit Delete
  • Page 398 LDAP and RADIUS servers. This option is selected by default. Directory Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller.
  • Page 399: Ipsec Firewall Policy Options

    Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel. Allow outbound Select to enable traffic from computers on the local private network to initiate the tunnel.
  • Page 400: Configuring Ssl Vpn Identity-Based Firewall Policies

    VPN user groups. To add SSL VPN user groups, see “SSL VPN user groups” on page 668. For more information, see “Configuring firewall policies” on page 391. Figure 213: Configuring a new SSL VPN firewall policy
  • Page 401 For remote clients that will be authenticated by an external RADIUS server. LDAP For remote clients that will be authenticated by an external LDAP server. TACACS+ For remote clients that will be authenticated by an external TACACS+ server.
  • Page 402 Selected User Groups List of user groups that are included in the firewall policy. To remove a user group from the list, select the name and then select the Left Arrow.
  • Page 403 Move Down Delete Edit Enable Identity Based Policy Select to enable identity-based policy authentication. Select to create an identity-based firewall policy. Rule ID The ID number of the policy.
  • Page 404: Using Dos Policies To Detect And Prevent Attacks

    FortiGate UTM User Guide. Viewing the DoS policy list The DoS policy list displays the DoS policies in their order of matching precedence for each interface, source/destination address pair, and service.
  • Page 405 “Firewall Service” on page 427. The DoS sensor selected in this policy. Interface The interface to which this policy applies. Delete icon Delete the policy from the list. Edit icon Edit the policy.
  • Page 406: Configuring Dos Policies

    Using sniffer policies you can configure a FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets.
  • Page 407: Viewing The Sniffer Policy List

    FortiGate UTM User Guide. Viewing the sniffer policy list The sniffer policy list displays sniffer policies in their order of matching precedence for each interface, source/destination address pair, and service.
  • Page 408 The service to which the policy applies. For more information, see “Firewall Service” on page 427. The DoS sensor selected in this policy. Sensor The IPS sensor selected in this policy.
  • Page 409: Configuring Sniffer Policies

    Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create new to add a new DoS Sensor. See “DoS sensors” on page 545.
  • Page 410: How Fortios Selects Unused Nat Ports

    (IP address 172.20.120.2) and sends a packet with the following IP addresses and port numbers:
    src-ip: 10.78.33.97
    dst-ip: 172.20.120.2
    src-port: 10000
    dst-port: 80
    When this packet passes through the FortiGate unit with NAT enabled, the packet is modified to be:
    src-ip: 92.168.1.1
  • Page 411: Global Pool

    192.168.1.1. If there is only one NAT IP then this approach is no different from global per-protocol pools. However, consider the topology shown in Figure 222 with two separate Internet connections and thus two NAT IP addresses 192.168.1.1 and 192.168.2.2.
  • Page 412: Per Nat Ip, Destination Ip, Port, And Protocol Pool

    FortiGate unit uses these indexes to guide matching traffic to the session. One index is for traffic flowing in the same direction as the packet that initiated the creation of the session:
    src-ip: 10.78.33.97
    dst-ip: 172.20.120.2
    proto: tcp
    src-port: 10000
  • Page 413 To get an idea of how large, for one destination IP address and one NAT IP address the calculation would be N=1, R=32,768, P=2, D=1 and Dp=32,768:
  • Page 414: Firewall Policy Examples

    With their current network topology, all 15 of the internal computers are behind a router and must go to an external source to access the IPS mail and web servers. All home-based employees access the router through open/non-secured connections.
  • Page 415 2 Select Create New and enter or select the following settings for Home_User_1: Interface / Zone Source: internal Destination: wan1 Address Source: Destination: Home_User_1 CompanyA_Network Schedule Always Service Action IPSEC VPN Tunnel Home1 Allow Inbound Allow outbound Inbound NAT
  • Page 416 FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.
  • Page 417: Scenario Two: Enterprise-Sized Business

    The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.
  • Page 418 Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile. Main office “staff to Internet” policy: Source Interface Internal Source Address Destination Interface External Destination Address Schedule Always Action Accept
  • Page 419 Branch Staff Destination Interface Destination Address Servers Schedule Always Action Accept For more information about these examples, see: • SOHO and SMB Configuration Example Guide • FortiGate Enterprise Configuration Example
  • Page 420 Firewall policy examples Firewall Policy
  • Page 421: Firewall Address

    Valid IP address and netmask formats include:
    • x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
    • x.x.x.x/x, such as 192.168.1.0/24
    Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address.
  • Page 422: Viewing The Firewall Address List

    (the down arrow) located in the Create New button, then select IPv6 Address, to configure an IPv6 firewall address. For more information on enabling IPv6 support, see “Settings” on page 286. Name The name of the firewall address.
  • Page 423: Configuring Addresses

    Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.
  • Page 424: Viewing The Address Group List

    To organize addresses into an address group 1 Go to Firewall > Address > Group. 2 Select Create New. 3 Complete the following:
  • Page 425 Tip: You can also create firewall address groups when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address Group > Create New.
  • Page 426 Configuring address groups Firewall Address
  • Page 427: Firewall Service

    For more information, see “Configuring custom services” on page 433. To view the predefined service list, go to Firewall > Service > Predefined. Figure 231: Predefined service list (top portion)
  • Page 428 Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
  • Page 429 Usenet messages. Network Time Protocol. NTP synchronizes a host’s time with a time server. NetMeeting NetMeeting allows users to teleconference using the Internet as the transmission medium. Port 1720.
  • Page 430 Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon.
  • Page 431 161-162 SOCKS SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. Port 1080 (TCP and UDP).
  • Page 432: Viewing The Custom Service List

    If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service. To view the custom service list, go to Firewall > Service > Custom.
  • Page 433: Configuring Custom Services

    If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.
  • Page 434 Figure 235: New Custom Service - IP Name Enter a name for the IP custom service. Protocol Type Select IP. Protocol Number Enter the IP protocol number for the service.
  • Page 435: Viewing The Service Group List

    Tip: You can also create custom service groups when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service Group > Create New.
  • Page 436 Available Services Use the arrows to move selected services between this list and Members. Members The list of services in the group. Use the arrows to move selected services between this list and Available Services.
  • Page 437: Firewall Schedule

    The initials of the days of the week on which the schedule is active. Start The start time of the recurring schedule. Stop The stop time of the recurring schedule.
  • Page 438: Configuring Recurring Schedules

    Create New Add a one-time schedule. Name The name of the one-time schedule. Start The start date and time for the schedule. Stop The stop date and time for the schedule.
  • Page 439: Configuring One-Time Schedules

    Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups. To organize schedules into a schedule group, go to Firewall > Schedule > Group.
  • Page 440 Members. Members The list of schedules in the group. Use the arrows to move selected schedules between this list and Available Schedules. 2 Select OK.
  • Page 441: Traffic Shaping

    If multiple users start multiple communication sessions using the same policy, all of these communication sessions must share the bandwidth available for the policy.
  • Page 442: Traffic Priority

    Since packets must be received by the FortiGate unit before they are subject to traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.
  • Page 443: Configuring Shared Traffic Shapers

    Apply Shaping Select Per Policy to apply this traffic shaper to a single firewall policy that uses it. Select For all policies using this shaper to apply this traffic shaper to all firewall policies that use it.
  • Page 444: Configuring Per Ip Traffic Shaping

    IP address. Range 1 to 2 097 000. Enter 0 to disable bandwidth limit. Quotas and Accounting See “Accounting and quota enforcement” on page 445. IP List IP/Range An IP address or address range that this shaper controls.
  • Page 445: Accounting And Quota Enforcement

    Enable to log the volume of traffic through the traffic shaper. Select the log period: Hour, Day, Week, or Month. 4 Configure other traffic shaping options as needed. 5 Select OK.
  • Page 446 Accounting and quota enforcement Traffic Shaping
  • Page 447: Firewall Virtual Ip

    In Transparent mode, virtual IPs are available from the FortiGate CLI. Inbound connections Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to apply bidirectional NAT, also known as inbound NAT.
  • Page 448 Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
  • Page 449 IP address, except in its session table. The web server has no indication that another network exists. As far as the server can tell, all packets are sent by the FortiGate unit.
  • Page 450: Outbound Connections

    For example, if a network interface’s IP address is 10.10.10.1, and its bound virtual IP’s external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.
  • Page 451: Vip Requirements

    Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy. Edit icon Edit the virtual IP to change any virtual IP option including the virtual IP name.
  • Page 452: Configuring Virtual Ips

    IP address range and adds the IP address range to the External IP Address/Range field. This option appears only if Type is Static NAT. Port Forwarding Select to perform port address translation (PAT).
  • Page 453 “Adding static NAT port forwarding for an IP address range and a port range” on page 459
    • “Adding dynamic virtual IPs” on page 460
    • “Adding a virtual IP with port translation only” on page 461
  • Page 454: Adding A Static Nat Virtual Ip For A Single Ip Address

    FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Figure 253: Virtual IP options: static NAT virtual IP for a single IP address Name static_NAT External Interface wan1 Type Static NAT
  • Page 455: Adding A Static Nat Virtual Ip For An Ip Address Range

    192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.
  • Page 456 Address/Range The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field. 4 Select OK.
  • Page 457: Adding Static Nat Port Forwarding For A Single Ip Address And A Single Port

    To add static NAT virtual IP port forwarding for a single IP address and a single port 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New.
  • Page 458 IP to the dmz network IP addresses of the web servers. 1 Go to Firewall > Policy and select Create New. 2 Configure the firewall policy:
  • Page 459: Adding Static Nat Port Forwarding For An Ip Address Range And A Port Range

    DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Name Port_fwd_NAT_VIP_port_range External Interface external Type Static NAT
  • Page 460: Adding Dynamic Virtual Ips

    To add a dynamic virtual IP 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Enter a name for the dynamic virtual IP.
  • Page 461: Adding A Virtual Ip With Port Translation Only

    The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
  • Page 462: Virtual Ip Groups

    VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit. Enter the information as described below, and select OK.
  • Page 463: Ip Pools

    A single IP address is entered normally. For example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats: • x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120 • x.x.x.[x-x], for example 192.168.110.[100-120]
  • Page 464: Ip Pools And Dynamic Nat

    If you use fixed port in such a case, the FortiGate unit preserves the original source port. But conflicts may occur since users may have different sessions using the same TCP 5-tuple. Original address: 192.168.1.1; Change to: 172.16.30.10
  • Page 465: Viewing The Ip Pool List

    Edit icon: Select to edit the following information: Name, Interface, IP Range/Subnet. Configuring IP Pools To add an IP pool, go to Firewall > Virtual IP > IP Pool.
  • Page 466: Double Nat: Combining Ip Pool With Virtual Ip

    IP to translate the destination port from 8080 to 80. To create an IP pool 1 Go to Firewall > Virtual IP > IP Pool.
  • Page 467 2 Select Create New. 3 Configure the firewall policy: Source Interface/Zone: internal; Source Address: 10.1.1.0/24; Destination Interface/Zone: (not shown); Destination Address: server-1; Schedule: always; Service: HTTP; Action: ACCEPT. 4 Select NAT. 5 Select OK.
  • Page 468: Adding Nat Firewall Policies In Transparent Mode

    Use the following steps to configure NAT in Transparent mode: • Adding two management IPs • Adding an IP pool to the wan1 interface • Adding an internal to wan1 firewall policy
  • Page 469
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname nat-out
  • Page 470 Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.
  • Page 471: Firewall Load Balance

    IP address. Figure 265: Virtual server and real servers setup (Internet/Intranet user, FortiGate unit as virtual server/load balancer, LAN/WAN, and real servers)
  • Page 472: Configuring Virtual Servers

    Edit the virtual server to change any virtual server option including the virtual server name. To create a virtual server 1 Go to Firewall > Load Balance > Virtual Server > Create New.
  • Page 473 Interface: Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
  • Page 474 This option appears only if HTTP or HTTPS is selected for Type. Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.
  • Page 475: Configuring Real Servers

    Configure a real server to bind it to a virtual server. To view the real server list, go to Firewall > Load Balance > Real Server. Figure 268: Real server list
  • Page 476: Configuring Health Check Monitors

    3 Select OK. Configuring health check monitors You can specify which health check monitor configuration to use when polling to determine a virtual server’s connectivity status.
  • Page 477 Select the protocol used to perform the health check. • • HTTP • PING Port: Enter the port number used to perform the health check. This option does not appear if the Type is PING.
  • Page 478: Monitoring The Servers

    Graceful Stop/Start: Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.
  • Page 479: Firewall Protection Profile

    669. You can use protection profiles to configure: • antivirus protection • web filtering • FortiGuard Web Filtering • email filtering • • data leak prevention sensor • dashboard statistics
  • Page 480: Adding A Protection Profile To A Firewall Policy

    If a FortiAnalyzer unit is configured, files are quarantined remotely. Quarantine permits system administrators to inspect, recover, or submit quarantined files to Fortinet for analysis. Apply virus scanning and web content filtering to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
  • Page 481: Viewing The Protection Profile List

    HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP, and DLP archiving • HTTPS web filtering and FortiGuard web filtering • IMAPS, POP3S, and SMTPS email filtering • re-encrypts the sessions and forwards them to their destinations.
  • Page 482: Supported Fortigate Models

    Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.
  • Page 483 If you want the certificate to have a different name, change these file names. 8 Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.
  • Page 484: Configuring Ssl Content Scanning And Inspection

    HTTP POST Action: Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering for HTTPS. For more information, see “Web Filtering options” on page 493.
  • Page 485 “Data Leak Prevention Sensor options” on page 501. DLP archiving: DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the protocol to be archived. See “DLP archiving” on page 588.
  • Page 486: Configuring A Protection Profile

    If the default protection profiles do not provide the settings required, you can create custom protection profiles. To add a protection profile, go to Firewall > Protection Profile and select Create New. Figure 276: New Protection Profile (Expand Arrow)
  • Page 487: Protocol Recognition Options

    80 for HTTP). You can edit the settings for each content protocol and select inspection for all port numbers for that protocol, or select one or more port numbers to monitor for that protocol.
  • Page 488 Note: If your FortiGate unit supports SSL content scanning and inspection, you must set HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS content scanning protection profile options.
  • Page 489: Anti-Virus Options

    Edit icon beside an existing protection profile. Then select the Expand Arrow beside Anti-Virus, enter the information as described below, and select OK. For more antivirus configuration options, see “AntiVirus” on page 517.
  • Page 490 Quarantine Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and will take effect only if you have first enabled and configured the quarantine.
  • Page 491 FTP client. Without client comforting, clients and their users have no indication that the download has started until the FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed.
  • Page 492: Ips Options

    Then select the Expand Arrow beside IPS, select the check box to enable IPS, select an IPS Sensor, and select OK. For more information on IPS, see “Intrusion Protection” on page 531.
  • Page 493: Web Filtering Options

    Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering and blocking invalid URLs for HTTPS. Figure 282: Protection Profile Web Filtering options
  • Page 494 Therefore, rating queries by either or both the IP address and the domain name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
  • Page 495: Fortiguard Web Filtering Options

    Separate multiple character set names with a space. You can add up to 5 character set names. FortiGuard Web Filtering options You can enable and apply FortiGuard Web Filtering options using a protection profile.
  • Page 496 Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard Web Filtering. Enter the information as described below, and select OK. Figure 284: Protection Profile FortiGuard Web Filtering options
  • Page 497 HTTPS if your FortiGate unit supports SSL content scanning and inspection. Allow websites when a rating error occurs: Allow web pages that return a rating error from the web filtering service.
  • Page 498: Email Filtering Options

    If the IP address is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. With the URL filter, FortiGuard Antispam checks the body of email messages to
  • Page 499 Note: Some popular email clients cannot filter messages based on the MIME header. For these clients, select to tag email message subject lines instead. Figure 286: Protection Profile Email Filtering options
  • Page 500 “Creating a new email address list” on page 576. Return e-mail DNS check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.
  • Page 501: Data Leak Prevention Sensor Options

    You apply data leak prevention (DLP) to traffic by selecting a data leak prevention sensor. You can use DLP to prevent sensitive data from leaving your network and to provide DLP archiving.
  • Page 502: Application Control Options

    New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Application Control and select the application control black/white list to add to the protection profile.
  • Page 503: Logging Options

    To configure Logging options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Logging, enter the information as described below, and select
  • Page 504 Select to log IPS signature and anomaly events. Application Control (Log Application Control): Select to log Application Control events. Data Leak Prevention Sensor (Log DLP): Select to log DLP events.
  • Page 505: Sip Support

    Description Protocol (SDP) messages that allow participants to agree on a set of compatible media types. SIP applications are based on a client-server structure and support user mobility with two operating modes: proxy and redirect.
  • Page 506 Figure (SIP call setup between SIP Client A, a@example.com, and SIP Client B, b@example.com): from step 1 (SIP clients register with SIP server) through step 6 (RTP session opens when Client B answers); RTP session; phone rings.
  • Page 507: The Fortigate Unit And Voip Security

    Policy” on page 387. Figure 296: SIP source NAT (the SIP service provider has a SIP server, 217.10.79.9, and a separate RTP server, 217.10.69.11; other addresses shown: 217.233.122.132 (Internet) and 10.72.0.57)
  • Page 508 FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact header to the SIP server (10.0.0.60). The SIP server changes the SIP/SDP connection information (which tells the SIP phone which RTP IP it should contact) also to 217.233.90.60.
  • Page 509: How Sip Support Works

    IP address or interface. The FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to ensure that appropriate priority and policies are applied.
  • Page 510: Configuring Sip

    SIP ALG. You can use the SIP.TCP or SIP.UDP application control list entries to block SIP sessions. To enable SIP and set rate limiting from the web-based manager 1 Go to UTM > Application Control.
  • Page 511: Enabling Sip Support From The Cli

    SIP Entering this command enables SIP support with all SIP settings set to defaults. See the FortiGate CLI Reference for information about all of the SIP settings and their defaults.
  • Page 512: Enabling Sip Logging

    For more information about enabling and configuring logging, see “Log&Report” on page 709. Enabling advanced SIP features in an application list You can configure advanced SIP features for an application list.
  • Page 513 For example, you can type the following commands to block INVITE requests:
        config application list
          edit <list_name>
            config entries
              edit 1
                set category voip
                set application SIP
  • Page 514 You can control the SIP client to only connect to the registrar itself. This can avoid VoIP spoofing. From the CLI, type the following commands:
        config application list
          edit <list_name>
            config entries
              edit 1
                set category voip
                set application SIP
                set strict-register enable
  • Page 515 Opening and closing SIP register and non-register pinholes You can use open-register-pinhole and open-contact-pinhole to control whether the FortiGate unit opens register and non-register pinholes. Non-register pinholes are usually opened for SIP invite requests.
  • Page 516 RFC 2543 but invalid for RFC 3261.
        config application list
          edit <list_name>
            config entries
              edit 1
                set category voip
                set application SIP
                set rfc2543-branch enable
  • Page 517: Antivirus

    Note: File filter includes file pattern and file type scans which are applied at different stages in the antivirus process.
  • Page 518: Antivirus Tasks

    This task checks if files and email messages exceed configured thresholds. It is enabled by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to Pass. For more information, see “Anti-Virus options” on page 489.
  • Page 519: Fortiguard Antivirus

    If the file passes the file pattern scan, it will have a virus scan applied to it. The virus definitions are kept up to date through the Fortinet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions, see “FortiGuard antivirus”...
  • Page 520 View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. File Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit. Pass fragmented email messages.
  • Page 521: File Filter

    Visual Basic files (*.vb?) • screen saver files (*.scr) • program information files (*.pif) • control panel files (*.cpl) The FortiGate unit can take actions against the following file types:
  • Page 522: Viewing The File Filter List Catalog

    Creating a new file filter list To add a file pattern list to the file pattern list catalog, go to UTM > AntiVirus > File Filter and select Create New.
  • Page 523: Viewing The File Filter List

    Configuring the file filter list For file patterns, you can add a maximum of 5000 patterns to a list. For file types, you can only select from the supported types.
  • Page 524: File Quarantine

    View the file name and status information about the file in the Quarantined Files list. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list.
  • Page 525: Viewing The Autosubmit List

    If the FortiGate unit has a local hard disk, you can configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. You can add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings.
  • Page 526 TTL column displays EXP. and the file is deleted (although the entry in the quarantined files list is maintained). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on low disk space action.
  • Page 527: Selecting The Virus Database

    FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses, worms, trojans, and other threats that can be detected and removed by your FortiGate unit using the information in the FortiGuard virus definitions.
  • Page 528: Antivirus Cli Configuration

    CPUs, making scanning faster. This feature is available on models numbered 1000 and higher. For more information, see the Antivirus failopen and optimization Fortinet Knowledge Center article. config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators.
  • Page 529 This feature is available on models numbered 200 and higher. config antivirus service <service_name> Use this command to configure how the FortiGate unit handles antivirus scanning of large files, and what ports the FortiGate unit scans for the service.
  • Page 531: Intrusion Protection

    The FortiGate Intrusion Protection system matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.
  • Page 532: Intrusion Protection Settings And Controls

    If required, you can override the default settings of the signatures specified in an IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should check their settings before using them, to ensure they meet your network requirements.
  • Page 533: Viewing The Predefined Signature List

    Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order. For more information, see “Using column settings to control the columns displayed” on page 103 and “Web-based manager icons” on page 105.
  • Page 534: Using Display Filters

    2 Select the filter icon beside any column name in the signature table. 3 In Edit Filters, specify the filtering criteria. The criteria will vary depending on the column name. 4 Select the Enable check box. 5 Select OK.
  • Page 535: Custom Signatures

    Note: Custom signatures must be added to a signature override in an IPS filter to have any effect. Creating a custom signature is a necessary step, but a custom signature does not affect traffic simply by being created.
  • Page 536: Protocol Decoders

    CLI. For more information, see the FortiGate Reference. Figure 317: The protocol decoder list. Protocols: The protocol decoder name. Ports: The port number or numbers that the decoder monitors.
  • Page 537: Upgrading The Ips Protocol Decoder List

    Includes only the signatures designed to detect attacks against clients; uses the default enable status and action of each signature.
  • Page 538: Adding An Ips Sensor

    To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, Filters, and Overrides.
  • Page 539 Create a new filter and insert it above the current filter. Move to icon: After selecting this icon, enter the destination position in the window that appears, and select OK.
  • Page 540: Configuring Filters

    Select All, or select Specify and then one or more severity ratings. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous attacks while those rated as info pose a much smaller threat.
  • Page 541: Configuring Pre-Defined And Custom Overrides

    If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as disabled.
  • Page 542 Attackers (to Banned Users List): see “NAC quarantine and the Banned User list” on page 678. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
  • Page 543: Packet Logging

    For example, if packet-log-history is set to , the FortiGate unit will save the packet containing the IPS signature and the six before it.
  • Page 544 3 Select the Attack Log log type. 4 Select the Packet Log icon of the log entry you want to view. The IPS Packet Log Viewer window appears. Figure 323: Log entry with packet log icon
  • Page 545: Dos Sensors

    Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings must be configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.
  • Page 546: Viewing The Dos Sensor List

    DoS sensor, or select Create New to create a new DoS sensor. Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For more information, see “Configuring NAC quarantine” on page 679.
  • Page 547: Understanding The Anomalies

    Table 49 on page 548. Understanding the anomalies For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly types. The result is twelve configurable anomalies.
  • Page 548: Intrusion Protection Cli Configuration

    FortiGate unit will continue to operate while the problem is being resolved. ips global socket-size: Set the size of the IPS buffer.
  • Page 549: Web Filter

    The FortiGate unit applies the rules in this order and failure to comply with a rule will automatically block a site despite what the setting for later filters might be.
  • Page 550: How Web Filtering Works

    495. Rating corrections as well as suggesting ratings for new pages can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The following tables compare web filtering options in protection profiles and the web filter menu.
  • Page 551 Enable to block downloading the remainder of a file that has already been partially downloaded. Enabling this option prevents the unintentional download of virus files, but can cause download interruptions.
  • Page 552: Web Content Filter

    For each pattern you can select Block or Exempt. Block blocks access to a web page that matches the pattern. Exempt allows access to the web page even if other entries in the list would block access to the page.
  • Page 553: Viewing The Web Content Filter List Catalog

To view the web content filter list go to UTM > Web Filter > Web Content Filter and select the Edit icon of the web content filter list you want to view.
  • Page 554: Configuring The Web Content Filter List

To add or edit a content filter pattern go to UTM > Web Filter > Web Content Filter and select Create New or select the Edit icon of the web content filter list you want to edit.
  • Page 555: Url Filter

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
  • Page 556: Viewing The Url Filter List Catalog

    Creating a new URL filter list Different FortiGate models support different maximum numbers of URL filter lists. For details, see the FortiGate Maximum Values Matrix in Fortinet’s Knowledge Center web site http://kc.forticare.com. To add a URL filter list to the URL filter list catalog go to UTM > Web Filter > URL Filter.
  • Page 557: Configuring The Url Filter List

URLs with this suffix. To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New or edit an existing list.
  • Page 558: Url Formats

To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so
  • Page 559: Moving Urls In The Url Filter List

    Enter the URL before or after which the new URL is to be located in the list. FortiGuard - Web Filter FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor.
  • Page 560: Configuring Fortiguard Web Filtering

This button is not available under User Overrides. Return: Select to return to the override category page. Clear All icon: Select to clear the table. URL/Category: The URL or category to which the override applies.
  • Page 561: Configuring Administrative Override Rules

Enter the name of the user selected in Scope. User Group: Select a user group from the dropdown list. User groups must be configured before FortiGuard Web Filtering configuration. For more information, see “User Group” on page 666.
• Page 562 Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
  • Page 563: Creating Local Categories

Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green.
  • Page 564: Configuring Local Ratings

URL block list is processed. The local ratings override the FortiGuard server ratings and appear in reports as “Local Category”. To create a local rating go to UTM > Web Filter > Local Ratings.
  • Page 565: Category Block Cli Configuration

View reports for a range of hours or days, or view a complete report of all activity. To create a web filter report go to UTM > Web Filter > Reports.
• Page 566 • Viewing the local ratings list • Configuring local ratings • Viewing the override list • Configuring administrative override rules • Configuring FortiGuard Web Filtering • FortiGuard - Web Filter
  • Page 567: Email Filtering

Mark as Spam: the FortiGate unit tags the email as spam according to the settings in the protection profile. For SMTP and SMTPS, if the action is discard, the email message is discarded or dropped.
  • Page 568: Email Filter Controls

System > Maintenance > FortiGuard: Configure the FortiGuard Email Filtering service. Fortinet has its own DNSBL server for FortiGuard Antispam that provides spam IP address and URL blacklists. Enable FortiGuard Email Filtering, check the status of the FortiGuard Antispam server, view the license type and expiry date, and configure the cache.
• Page 569 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. Spam Action
  • Page 570: Banned Word

Create New: Add a new list to the catalog. For more information, see “Creating a new banned word list” on page 571. Name: The available Email Filter banned word lists.
  • Page 571: Creating A New Banned Word List

To view the banned word list, go to UTM > Email Filter > Banned Word and select the Edit icon of the banned word list you want to view. Figure 346: Sample banned word list.
  • Page 572: Adding Words To The Banned Word List

“Using wildcards and Perl regular expressions” on page 578. Language: Select the character set for the banned word. Where: Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
  • Page 573: Ip Address And Email Address Black/White Lists

Creating a new IP address list To add an IP address list to the IP address list catalog, go to UTM > Email Filter > IP Address and select Create New.
  • Page 574: Viewing The Ip Address List

Reject (SMTP or SMTPS) to drop the session. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the email messages are marked as spam.
  • Page 575: Adding An Ip Address

Figure 351: Sample email address list catalog. Create New: Create a new address list. Name: Email Filter email address lists. # Entries: The number of entries in each email address list.
  • Page 576: Creating A New Email Address List

OK. Comments: Optional comment. To add or edit a comment, enter text in the comment field and select OK. Create New: Add an email address to the email address list.
  • Page 577: Configuring The Email Address List

The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
  • Page 578: Config Spamfilter Dnsbl

In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in wildcard match pattern. As a result:
  • Page 579: Perl Regular Expression Formats

• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on. Note: To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI you must precede it with another backslash character.
  • Page 580: Example Regular Expressions

'/' is missing. In regular expressions, leading and trailing spaces are treated as part of the regular expression. Example regular expressions Block any word in a phrase /block|any|word/
  • Page 581 /try it for free/i /student loans/i /you’re already approved/i /special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i Figure 355: MMS Message Flood Remove All Entries Current Page Figure 356: MMS Duplicate Message Remove All Entries Current Page FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 583: Data Leak Prevention

    This section provides an introduction to configuring DLP. For more information see the FortiGate UTM User Guide. If you enable virtual domains (VDOMs) on the Fortinet unit, data leak prevention is configured separately for each virtual domain. For details, see “Using virtual domains” on page 159.
  • Page 584: Adding And Configuring A Dlp Sensor

Adding and configuring a DLP sensor You can create a new DLP sensor and configure it to include the DLP rules and DLP compound rules required to protect the traffic leaving your network.
  • Page 585: Adding Or Editing A Rule Or Compound Rule In A Dlp Sensor

Prevention > Sensor and select the Edit icon of the sensor to be configured. Select the edit icon of the rule or compound rule to edit. Change the settings for the rule or compound rule.
• Page 586 Figure 359: Adding a DLP rule to a DLP sensor. Figure 360: Adding a DLP compound rule to a DLP sensor.
• Page 587 Session Control rules and compound rules. The options are: • Disable, do not archive. • Full, perform full DLP archiving. • Summary, perform summary DLP archiving. “DLP archiving” on page 588.
  • Page 588: Dlp Archiving

DLP archiving is available for SIP and SCCP. Full and summary DLP archiving is available for SIMPLE. You add DLP sensors to archive Email, Web, FTP, IM, and session control content. Archiving of spam email messages is configured in protection profiles.
  • Page 589: Configuring Dlp Archiving

DLP will not create more than one DLP archive entry from the same content. Note: Enabling full DLP archiving reduces the amount of system memory available for virus scanning. Because of these memory constraints, Fortinet recommends against using full DLP archiving if antivirus scanning is also configured, especially on FortiGate units with low system memory.
• Page 590 Figure 362: The Content_Archive DLP sensor 6 Verify that the Content_Archive sensor includes the All-HTTP rule. 7 Edit the All_HTTP rule in the sensor and verify that Archive is set to Full.
• Page 591 DLP rule to a DLP sensor and configure the sensor for full DLP archiving. 1 Go to UTM > Data Leak Prevention > Rule and add a rule to find the string “confidential” in POP3, SMTP, and IMAP email messages.
• Page 592 3 Edit the sensor and select Create New to add a rule to the sensor. 4 Configure the rule as follows: Action: None; Archive: Full; Severity: 1 (Lowest); Member type: Rule; Email_confidential: Select.
  • Page 593: Configuring Spam Email Message Archiving

4 Select a DLP sensor from the list. 5 Select the check boxes for the email protocols to archive spam for beside Archive SPAMed email to FortiAnalyzer/FortiGuard. 6 Select OK.
  • Page 594: Viewing Dlp Archives

Individual rules in a sensor are linked with an implicit OR condition while rules within a compound rule are linked with an implicit AND condition. Viewing the DLP rule list To view the DLP rule list, go to UTM > Data Leak Prevention > Rule.
• Page 595 Caution: Before use, examine the rules closely to ensure you understand how they will affect the traffic on your network.
  • Page 596: Adding Or Configuring Dlp Rules

Figure 368: DLP rule for HTTP traffic. Name: The name of the rule. Comments: An optional comment describing the rule.
• Page 597 DLP scanner. To scan the contents of DOCX files, select the Scan archive contents option. Scan PDF text When selected, the text contents of PDF documents are extracted and scanned for a match. All metadata and binary information is ignored.
• Page 598 Search for the specified URL in HTTP traffic. User group Search for traffic from any user in the specified user group. Rule operators:
  • Page 599: Dlp Compound Rules

Viewing the DLP compound rule list To view the DLP compound rule list, go to UTM > Data Leak Prevention > Compound.
  • Page 600: Adding And Configuring Dlp Compound Rules

The rules that you can add to the compound rule vary depending on the protocol that you select. You can select the following protocols: Email, HTTP, FTP, NNTP, and Instant Messaging.
• Page 601 Add Rule/Delete Rule Use the add rule and delete rule icons to add and remove rules from the compound rule. Select the add rule icon and then select a rule from the list.
  • Page 603: Application Control

    Add application control black/white lists to protection profiles applied to the network traffic you need to monitor. FortiGuard application control database Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database.
  • Page 604: Viewing The Application Control Black/White Lists

Select to remove the application control black/white list. The delete icon is only available if the application control black/white list is not selected in any protection profiles. Edit icon Select to edit the application control black/white list.
  • Page 605: Creating A New Application Control Black/White List

AIM traffic will trigger the first rule, and be passed. All other detected IM traffic will trigger the second rule, and the FortiGate unit will block it. Figure 374: Editing an application control black/white list
  • Page 606: Adding Or Configuring An Application Control Black/White List Entry

To add a new entry, select Create New. To edit an existing entry, select the Edit icon of the entry you want to modify. Figure 375: The application control black/white list entry for FTP
• Page 607 Specify a method that appears in the traffic that you want to block or pass. For example, enter POST as a method in the HTTP.Method application to have the FortiGate unit examine HTTP traffic for the POST method. Multiple methods can be entered.
  • Page 608: Application Control Statistics

Reset Stats Click to reset the statistics to zero. Users For each IM protocol, the following user information is listed: • Current Users • (Users) Since Last Reset • (Users) Blocked.
• Page 609 VoIP Usage For the SIP and SCCP protocols, the following information is listed: • Active Sessions (phones connected, etc.) • Total Calls (since last reset) • Calls Failed/Dropped • Calls Succeeded
  • Page 611: Ipsec Vpn

3 Create a firewall policy to permit communication between your private network and the VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-based VPN, the firewall policy action is ACCEPT. See “Configuring firewall policies” on page 391.
  • Page 612: Policy-Based Versus Route-Based Vpns

Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface in the zone. For more information and an example, see the FortiGate IPSec VPN User Guide.
  • Page 613: Auto Key

The names of the local interfaces to which IPSec tunnels are bound. These can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces. Delete and Edit icons: Delete or edit a phase 1 configuration.
  • Page 614: Creating A New Phase 1 Configuration

IP Address: If you selected Static IP Address, type the IP address of the remote peer. Dynamic DNS: If you selected Dynamic DNS, type the domain name of the remote peer.
• Page 615 If the remote peer is a FortiClient dialup client, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.
  • Page 616: Defining Phase 1 Advanced Settings

Create Phase 1, and then select Advanced. For information about how to choose the correct advanced phase 1 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
• Page 617 AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key. AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
• Page 618 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the FortiGate CLI Reference.
  • Page 619: Creating A New Phase 2 Configuration

Auto Key (IKE), select Create Phase 2, and then select Advanced. For information about how to choose the correct advanced phase 2 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
• Page 620 KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. The range is from 120 to 172 800 seconds, or from 5120 to 2 147 483 648 KB.
• Page 621 The range is from 0 to 65535. To specify all ports, type 0. Protocol: Type the IP protocol number of the service. The range is from 0 to 255. To specify all services, type 0.
  • Page 622: Manual Key

VPN devices. Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.
• Page 623 AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key. AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key. Note: The algorithms for encryption and authentication cannot both be NULL.
  • Page 624: Internet Browsing Configuration

FortiGate unit. Inbound NAT Select the check box. 3 Configure other settings as required. 4 Select OK. To configure a route-based VPN Internet browsing configuration 1 Go to Firewall > Policy.
  • Page 625: Concentrator

A concentrator configuration specifies which spokes to include in an IPSec hub-and-spoke configuration. To specify the spokes of an IPSec hub-and-spoke configuration, go to VPN > IPSEC > Concentrator and select Create New.
  • Page 626: Monitoring Vpns

Gateway: The public IP address of the remote host device, or if a NAT device exists in front of the remote host, the public IP address of the NAT device.
• Page 627 For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names. You can also start and stop individual tunnels from the list.
  • Page 629: Pptp Vpn

To configure the PPTP tunnel, create a customized screen in the web-based manager. The PPTP Range tab is found under the Categories heading as a selection in the Additional category:
• Page 630 Apply. Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet, e.g. 192.168.1.1 - 192.168.1.254.
  • Page 631: Pptp Configuration Using Cli Commands

<address_ipv4> ip-mode {range | usrgrp} local-ip <address_localip> sip <address_ipv4> status {disable | enable} usrgrp <group_name> Variables, Description, Default: eip <address_ipv4>: The ending address of the PPTP address range. Default 0.0.0.0.
• Page 632 ip-mode {range | usrgrp}: Enable to have the PPTP client retrieve the IP address from the PPTP user group or select an IP address from the pre-configured IP address range.
  • Page 633: Ssl Vpn

Configuring SSL VPN • SSL VPN web portal • Configuring web portal layout • Configuring the virtual desktop • Virtual Desktop Application Control • Host Check list • SSL VPN monitor list
  • Page 634: Ssl.root

Select Edit to select the firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients. If the appropriate addresses do not exist, go to Firewall > Address to create them.
  • Page 635: Ssl Vpn Web Portal

    Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect. Require Client Certificate If you want to enable the use of group certificates for authenticating remote clients, select the check box.
  • Page 636: Default Web Portal Configurations

To use a default SSL VPN web portal configuration, select the Edit icon next to the web portal in the Portal list. The SSL VPN web portal that you select will open.
• Page 637 Figure 390: Default web portals (Edit button, default full-access web portal, default tunnel-access web portal, default web-access web portal).
  • Page 638: Configuring Web Portal Settings

When the user starts an SSL VPN session with virtual desktop enabled, the virtual desktop replaces the user’s normal desktop. When the virtual desktop exits, the user’s normal desktop is restored.
  • Page 639: Configuring Security Control

Virtual desktop requires the Fortinet host check plugin. If the plugin is not present, it is automatically downloaded to the client computer. To enable virtual desktop 1 Go to VPN > SSL > Portal and select the Edit icon for the web portal.
  • Page 640: Configuring Web Portal Layout

Displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic of HTTP and HTTPS. Bookmarks: Displays configured bookmarks, allows for the addition of new bookmarks and editing of existing bookmarks.
  • Page 641: Session Information Widget

1 Open the web portal. 2 If the Bookmarks widget is missing, add it by selecting Bookmarks from the Add Widget list in the top right corner of the web portal window.
• Page 642 5 If there is a Done button, you can select another bookmark to edit or select Done to leave the edit mode. 6 Select Apply at the top of the web portal page to save the changes that you made.
• Page 643 Figure 394: Using the Bookmarks widget to add a bookmark.
  • Page 644: Connection Tool Widget

1 Open the web portal. 2 If the Connection Tool widget is missing, add it by selecting Connection Tool from the Add Widget list in the top right corner of the web portal window.
  • Page 645: Tunnel Mode Widget

FortiGate unit. The user’s other traffic follows its normal route. The remaining items in the widget are available to the user during an SSL VPN session. 5 Select OK in the Tunnel Mode widget.
• Page 646 Initiate a session and establish an SSL VPN tunnel with the FortiGate unit. Disconnect: End the session and close the tunnel to the FortiGate unit. Refresh now: Refresh the Fortinet SSL VPN Client page (web portal).
  • Page 647: Virtual Desktop Application Control

MD5 Signatures: Enter one or more known MD5 signatures for the application executable file. You can use a third-party utility to calculate MD5 signatures or hashes for any file. You can enter multiple signatures to match multiple versions of the application.
  • Page 648: Host Check List

The type of host check application. Can be AV for antivirus or FW for firewall. Version: The version of the host check application. Edit icon: Select Edit beside an existing host check application to modify it. Delete icon: Delete a host check application.
  • Page 649: Ssl Vpn Monitor List

    • Registry — Search for a Windows Registry entry. In Registry, enter a registry item, for example HKLM\SOFTWARE\Fortinet\FortiClient\Misc. Action Select one of Require — If the item is found, the client meets the check item condition.
  • Page 650 SSL VPN monitor list SSL VPN FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 651: User

    “Configuring a Directory Service server” on page 663. • Configure for certificate-based authentication for administrative access (HTTPS web-based manager), IPSec, SSL-VPN, and web-based firewall authentication. For more information, see “PKI” on page 664.
  • Page 652: Local User Accounts

    To view the list of existing local users, go to User > Local. Figure 400: Example Local user list Delete Edit Create New Add a new local user account. User Name The local user name.
  • Page 653 If you enable virtual domains (VDOMs) on the FortiGate unit, IM is available separately for each virtual domain. For more information, see “Using virtual domains” on page 159.
  • Page 654 “IM user monitor list” on page 677. Configuring older versions of IM applications Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized.
  • Page 655: Remote

    CLI to change the default RADIUS port. For more information, see the config system global command in the FortiGate CLI Reference. To view the list of RADIUS servers, go to User > Remote > RADIUS.
  • Page 656: Configuring A Radius Server

    If you have not selected a protocol, the default protocol configuration uses PAP, MS-CHAPv2, and CHAP, in that order. To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and enter or select the following:
  • Page 657: Ldap

    LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.
  • Page 658: Configuring An Ldap Server

    For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is a domain component. You can also specify multiple instances of the same field in the distinguished name, for...
  • Page 659 Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. The maximum number of characters is 512.
  • Page 660 Expand arrow beside the Distinguished Name in the LDAP Distinguished Name Query tree. Figure 408: Example LDAP server Distinguished Name Query tree Common Name Identifier (CN) Distinguished Name (DN) Expand Arrow
  • Page 661: Tacacs

    CHAP (challenge-handshake authentication protocol) Provides the same functionality as PAP, but is more secure because it does not send the password and other user information over the network to the security server.
  • Page 662: Directory Service

    Directory Service user groups. When a user logs in to the Windows or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user’s IP address and the names of the Directory Service user groups to which the user belongs.
  • Page 663: Configuring A Directory Service Server

    User Directory Service You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Directory Service server. For more information about FSAE, see the FSAE Technical Note. To view the list of Directory Service servers, go to User > Directory Service.
  • Page 664: Pki

    Guide. For information about the detailed PKI configuration settings available only through the CLI, see the FortiGate CLI Reference. To view the list of PKI users, go to User > PKI.
  • Page 665: Configuring Peer Users And Peer Groups

    FortiGate CLI Reference. Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a value for either subject or ca. If you do not do so, and then open the user record in the web-based manager, you will be prompted to enter a subject or ca value before you can continue.
  • Page 666: User Group

    The FortiGate unit checks local user accounts first. If the unit does not find a match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group. Authentication succeeds when the FortiGate unit finds a matching user name and password.
  • Page 667: Firewall User Groups

    You can also authenticate a user by certificate if you have selected this method. For more information, see “Adding authentication to firewall policies” on page 396.
  • Page 668: Directory Service User Groups

    On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
  • Page 669: Viewing The User Group List

    Note: By default, the FortiGate web-based manager displays Firewall options. The following figures show the variations that display for each of the user group types: Firewall, Directory Service, and SSL VPN.
  • Page 670 “Entry not found” error occurs. Figure 416: User group configuration - Firewall Right Arrow Expand Arrow Left Arrow Figure 417: User group configuration - Directory Service Right Arrow Left Arrow Expand Arrow
  • Page 671 FortiGuard Web Filtering Available only if Type is Firewall or Directory Service. Override Configure Web Filtering override capabilities for this group. “Configuring FortiGuard Web filtering override options” on page 672.
  • Page 672: Configuring Fortiguard Web Filtering Override Options

    Authenticating user, who chooses the override scope. User Only the user. Override Type Select from the list to allow access to: Directory Only the lowest level directory in the URL.
  • Page 673: Dynamically Assigning Vpn Client Ip Addresses From A User Group

    3 Add a Tunnel mode widget to the portal or edit the tunnel mode widget if it has already been added to the portal. 4 Set IP Mode to User Group and save the changes to the portal.
  • Page 674 7 Select Advanced. 8 Set XAUTH to Enable as Server. 9 Set User Group to the firewall user group containing the RADIUS server. 10 Configure the remaining IPSec VPN settings as required.
  • Page 675: Options

    If you specify a certificate, the per-policy setting will overwrite the global setting. For information about how to use certificate authentication, see FortiGate Certificate Management User Guide.
  • Page 676: Monitor

    FortiGate configuration (disable a user account) and then use the User monitor to immediately end the user’s current session. To view the list of authenticated users (Firewall), go to User > Monitor > Firewall.
  • Page 677: Im User Monitor List

    FortiGate unit displays which users are connected. You can analyze the list and decide which users to allow or block. To view the list of active IM users, go to User > Monitor > IM.
  • Page 678: Nac Quarantine And The Banned User List

    Because of this difference, with DLP you have more control over what is blocked and what is not. For example, if a DLP sensor matches content in an...
  • Page 679: Nac Quarantine And Dlp Replacement Messages

    30 minutes. The example also shows how to set quarantine to both for the icmp_flood anomaly: config ips DoS edit QDoS_sensor config anomaly edit udp_dst_session set quarantine attacker set quarantine-expiry 30 next
  • Page 680: The Banned User List

    The position number of the user or IP address in the list. Application The protocol that was used by the user or IP address added to the Banned User list. Protocol
  • Page 681 Banned User list. If Expires is Indefinite you must manually remove the user or host from the list. Delete icon Delete the selected user or IP address from the Banned User list.
  • Page 682 NAC quarantine and the Banned User list User
  • Page 683: Wan Optimization And Web Caching

    WAN traffic to be optimized that is accepted by a firewall policy according to source and destination addresses and destination port of the traffic • add the WAN optimization techniques to be applied to the traffic.
  • Page 684 Move To icon Move the corresponding rule before or after another rule in the list. See “Moving a rule to a different position in the rule list” on page 685.
  • Page 685: Moving A Rule To A Different Position In The Rule List

    WAN optimization rules depend on how you configure the rule. This section describes all of the options. To add a WAN optimization rule, go to WAN Opt. & Cache > Rule and select Create New. Figure 427: Configuring a WAN optimization rule
  • Page 686 Cache Select to apply WAN optimization web caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
  • Page 687: About Wan Optimization Addresses

    The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
  • Page 688: Configuring Wan Optimization Peers

    FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host ID. Apply Save a change to the Local Host ID to the FortiGate configuration. Adding or modifying a peer Create New Select to add a new peer.
  • Page 689: Configuring Authentication Groups

    To add authentication groups, go to WAN Opt. & Cache > Peer > Authentication Group. Figure 429: WAN optimization Authentication Group list Delete Edit Viewing basic information Create New Add a new authentication group. Name The name of the authentication group.
  • Page 690: Wan Optimization Monitoring

    The monitor unit uses collected log information and presents it in a graphical format to show network traffic summary and bandwidth optimization information. To view the WAN optimization monitor, go to WAN Opt. & Cache > Monitor.
  • Page 691 Period This section shows network bandwidth optimization per time period. Optimization A line or column chart compares an application’s pre-optimized (LAN data) size with its optimized size (WAN data). Refresh icon Select to refresh the Bandwidth Optimization display.
  • Page 692: Changing Web Cache Settings

    If the web cache is configured to cache these negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes.
  • Page 693 / value, the FortiGate unit treats it as a PNC header if it is a type-N object. When ignore IE Reload is enabled, the FortiGate unit ignores the PNC interpretation of the Accept / header.
  • Page 694 Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, you should also configure byte-range support when you configure the Revalidate pragma-no-cache option.
  • Page 695: Endpoint Nac

    You select the Endpoint NAC profile to use when you enable Endpoint NAC in the firewall policy. • Enable endpoint NAC in firewall policies.
  • Page 696: Configuring Forticlient Installer Download And Version Enforcement

    Retrieve the latest information from FortiGuard Services. FortiClient Installer Download Location Select one of the following options to determine the link that the FortiClient Download Portal provides to non-compliant users to download the FortiClient installer.
  • Page 697: Configuring Application Detection Lists

    The list contains the FortiClient versions available from the selected FortiClient Installer Download Location. Fortinet recommends that administrators deploy a FortiClient version update to their users or ask users to install the update and then wait a reasonable period of time for the updates to be installed before updating the minimum version required to the most recent version.
  • Page 698 Application Select the application from the list. Status Select one of the following: • Installed — application is installed but not currently running • Running — application is currently running
  • Page 699: Viewing The Application List

    An Endpoint NAC profile contains FortiClient enforcement settings and can specify an application detection list. Firewall policies can apply an Endpoint NAC profile to the traffic they handle. Go to Endpoint NAC > Profile to create Endpoint NAC profiles.
  • Page 700: Monitoring Endpoints

    To view the list of known endpoints, go to Endpoint NAC > Endpoints. An endpoint is added to the list when it uses a firewall policy that has Endpoint NAC enabled.
  • Page 701 Page Shows the current page number in the list. Select the left and right arrows to display the first, previous, next or last page of known endpoints.
  • Page 702 If the endpoint is non-compliant, this column displays the number of times the endpoint has attempted to connect through the FortiGate unit. The FortiClient application is not required to obtain this information.
  • Page 703: Wireless Controller

    The wireless controller feature is hidden by default on some FortiGate models. To enable the wireless controller 1 Go to System > Admin > Settings. 2 Select Enable Wireless Controller.
  • Page 704: Configuring Fortiwifi Units As Managed Access Points

    Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
  • Page 705: Configuring A Physical Access Point

    LAN. To configure a physical access point 1 Go to Wireless Controller > Physical AP, select Create New, and enter the following information:
  • Page 706 In the Available list, select the virtual APs to be carried on this physical AP and then select the right-arrow button to move them to the Selected list. 2 Select OK.
  • Page 707: Configuring Dhcp For Your Wireless Lan

    The wireless radio channel that the access point uses. Rate The data rate of the access point. First Seen The date and time when the FortiWifi unit first detected the access point.
  • Page 708 Select the icon to move this entry to the Rogue Access Points list. Forget AP Return item to Unknown Access Points list from Accepted Access Points list or Rogue Access Points list.
  • Page 709: Log&Report

    Viewing Executive Summary reports from SQL logs • Viewing FortiAnalyzer reports • Viewing basic traffic reports • Log severity levels • Log types • Example configuration: logging all FortiGate traffic
  • Page 710: Configuring How A Fortigate Unit Stores Logs

    Figure 439: Configuring remote logging to the FortiAnalyzer unit Expand Arrow To configure the FortiGate unit to send logs to the FortiAnalyzer unit 1 Go to Log&Report > Log Config > Log Setting.
  • Page 711 FortiGate unit learns the IP address of the FortiAnalyzer unit. To test the connection, go to Log&Report > Log Config > Log Setting, expand Remote Logging options, and then select Test Connectivity. Figure 440: Test Connectivity with FortiAnalyzer
  • Page 712: Remote Logging To The Fortiguard Analysis And Management Service

    Remote logging to the FortiGuard Analysis and Management Service You can configure logging to a FortiGuard Analysis server after registering for the FortiGuard Analysis and Management Service on the Fortinet support web site. Fortinet recommends verifying that the connection is working properly before configuring logging to a FortiGuard Analysis server.
  • Page 713: Remote Logging To A Syslog Server

    2 Select the check box beside Syslog. 3 Select the Expand Arrow beside the check box to reveal the Syslog options. 4 Enter the appropriate information for the Syslog server.
  • Page 714: Local Logging To Memory

    Content archiving is not available in SQL format. You can enable SQL format logging for traffic logs, but this can cause some loss of logs because SQL format writing is slower than the compressed format.
  • Page 715: Configuring Alert Email

    FortiGate unit needs to send email. Select Test Connectivity to confirm that you can receive alert email messages from the FortiGate unit. Then configure Alert Email options to control when the FortiGate unit sends alert email.
  • Page 716 Select if you require an alert email message based on blocked web sites that were accessed. HA status changes Select if you require an alert email message based on HA status changes.
  • Page 717: Configuring Event Logging

    All administrative events, such as user logins, resets, and configuration updates. HA activity event All high availability events, such as link, member, and state information. Firewall authentication event All firewall-related events, such as user authentication.
  • Page 718: Data Leak Prevention Log

    2 Select Edit beside the protection profile that you want. 3 Select the Expand arrow to expand Application Control. 4 Select the check box beside the application control list. 5 Select a list from the application control list.
  • Page 719: Antivirus Log

    1 Go to Firewall > Protection Profile. 2 Select Edit beside the protection profile that you want. 3 Select the Expand Arrow beside Logging to reveal the available options. 4 Select Log Spam. 5 Select OK.
  • Page 720: Attack Log (Ips)

    Remote, Memory or Disk. If you are logging to the FortiGate unit’s hard disk, select Edit beside a rolled log file to view log messages.
  • Page 721: Accessing Logs Stored In Memory

    To view log messages in the FortiGate memory buffer, go to Log&Report > Log Access > Memory, and then select a log type from the Log Type list.
  • Page 722: Accessing Logs Stored On The Hard Disk

    View a log file’s log messages. Delete icon Delete rolled logs. Fortinet recommends downloading the rolled log file before deleting it because the rolled log file cannot be retrieved after it is deleted. Accessing logs stored on the FortiAnalyzer unit You can view and navigate through logs saved to the FortiAnalyzer unit.
  • Page 723: Accessing Logs Stored On The Fortiguard Analysis And Management Service

    Filtering is another way to customize the display of log messages. By using the filter icon, you can display specific information of log messages. For example, you may want to display only event log messages that have a severity level of alert.
  • Page 724: Column Settings

    Move the selected field up one position in the Show these fields in this order list. Move down Move the selected field down one position in the Show these fields in this order list. 7 Select OK.
  • Page 725: Filtering Log Messages

    The DLP Archive menu is only visible if: • You have configured the FortiGate unit for remote logging and archiving to a FortiAnalyzer unit. See “Remote logging to a FortiAnalyzer unit” on page 710.
  • Page 726: Viewing The File Quarantine List

    If your FortiGate unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS. Apply Select to apply the sorting and filtering selections to the list of quarantined files. Delete Select to delete the selected files.
  • Page 727: Configuring Fortianalyzer Report Schedules

    The TTL information is not available if the files are quarantined on a FortiAnalyzer unit. Upload status Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
  • Page 728 Select a configured report layout from the list. You must apply a report layout to a report schedule. For more information, see the FortiAnalyzer Administration Guide. Language Select the language you want used in the report schedule from the list.
  • Page 729 FortiAnalyzer reports. You can also configure basic traffic reports, which use the log information stored in your FortiGate system memory to present basic traffic information in a graphical format.
  • Page 730: Viewing Executive Summary Reports From Sql Logs

    Report Files column. You can also select the Expand Arrow to view the rolled report and view the entire report. After viewing the report, select Historical Reports to return to the list.
  • Page 731: Printing Your Fortianalyzer Report

    The charts show the bytes used for the service traffic. To view basic traffic reports, go to Log&Report > Report Access > Memory.
  • Page 732 • Email • Gaming • Instant Messaging • Newsgroups • Streaming • TFTP • VoIP • Generic TCP • Generic UDP • Generic ICMP • Generic IP
  • Page 733: Log Severity Levels

    The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages.
  • Page 734: Log Types

    If you are logging “other-traffic”, the FortiGate unit will incur a higher system load because “other-traffic” logs log individual traffic packets. Fortinet recommends logging firewall policy traffic since it minimizes the load. Logging “other-traffic” is disabled by default.
  • Page 735: Example Configuration: Logging All Fortigate Traffic

    The following commands enable traffic logging on port1 and port2. You should repeat these commands for all other FortiGate unit interfaces that receive traffic. config system interface edit port1 set log enable
  • Page 736 1 set interface <interface_name> set srcaddr all set dstaddr all set service ANY set ips-sensor-status enable set ips-sensor <sensor_name> Where <sensor_name> is the name of the IPS sensor added above.
  • Page 737: Index

    LDAP server, 657, 658 BFD on BGP, 376 license key, 333 BFD on OSPF, 376 local ratings, 564 BGP settings, 371 local URL block categories, 563 CA certificates, 307 local user account, 652 FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 738 305 administrator password system configuration backup and restore, 312 changing, 91 system configuration backup and restore, FortiManager, administrator settings, 286 administrators system configuration, central management options, 315 viewing list, 269 FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 739 Autokey Keep Alive system global av_failopen, 528 IPSec VPN, phase 2, 621 system global optimize, 528 autonomous system (AS), 362, 370 virus list, 527 AutoSubmit antivirus and attack definitions, 328 quarantine, 527 FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 740 371 CLI, 89 storing updates from neighbor, 50 admin profile, 282 connecting to from the web-based manager, 93 black/white list, 573 CLI command blackhole route, 337 PPTP tunnel setup, 631 FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 741 495 default route, 340 content filtering mode default-cost HTTPS, 489 router ospf area, 53 content scanning default-information-originate SSL, 481 router rip, 59 content streams replacement messages, 251 FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 http://docs.fortinet.com/ • Feedback...
  • Page 742 HA, 235 subordinate unit, 239 documentation, 27 commenting on, 27 DH Group conventions, 28 IPSec VPN, phase 1, 618 Fortinet, 27 IPSec VPN, phase 2, 620 domain name, 422 DHCP and IP Pools, 395 DoS policy, 404 configuring relay agent, 229...
  • Page 743 IP, 453 adding, 423 address group, 424 address name, 423 create new, 422 fail-open, CLI command for IPS, 548 IP range/subnet, 423 FAQ, 27 list, 422 name, 422 subnet, 423
  • Page 744 WINS, 432 ESP, 428 X-WINDOWS, 432 FINGER, 428 firmware FTP, 428 reverting to previous version, 128 FTP_GET, 428 upgrading to a new version, 127 FTP_PUT, 428 viewing, 316 GOPHER, 428
  • Page 745 Technical Support, registering with, 26 accessing logs, 722 Technical Support, web site, 26 configuring report schedules, 727 Training Services, 27 logging to, 710 Fortinet customer service, 26 printing reports, 731 Fortinet documentation, 27 VDOM, 160 Fortinet Family Products, 23 FortiBridge, 23...
  • Page 746 FortiGate online help, 94 insert policy before heuristics firewall policy, 391, 684 antivirus, 528 inspection quarantine, 529 SSL, 481 high availability See HA, 233 installation, 27 hop count., 62
  • Page 747 Internet-Locator-Service service, 429 IPS sensor filter, 540 inter-VDOM links, 169 options, protection profile, 492 introduction IPS sensors Fortinet documentation, 27 creating, 537 intrusion detected IPSec, 61, 362 HA statistics, 239 IPSec firewall policy intrusion protection allow inbound, 399 custom signature list, 535...
  • Page 748 91, 271, 272 local ratings list low disk space viewing, 563 quarantine, 527 Local SPI IPSec VPN, manual key, 623 local user, 652 MAC address local user account filtering, 221 configuring, 652
  • Page 749 203 network address translation (NAT), 448 redundant (backup) mode, 199 Network Layer Reachability Information (NLRI), 49 standalone mode, 199, 202 Network Time Protocol, 126 viewing status, 204
  • Page 750 491 passive-interface router ospf, 53 router rip, 59 password administrator, 27 configuring authentication password, 272 HA, 236 recovering lost password, 91, 271, 272 virtual IPs, 448 patch number, 127
  • Page 751 RFC 2516, 190 PPTP, 629, 667 service, 430 PPTP IP address user group, 629, 631 PPTP range defining addresses, 629, 631 PPTP tunnel setup CLI command, 631 customized GUI, 629
  • Page 752 IP address BWL check, 500 IP address changes, 330 IPS sensor, 493 management IP address changes, 331 IPS sensor options, 492 through a proxy server, 330 java applet filter, 494 list, 481
  • Page 753 726 HA statistics, 239 date, 727 registering DC, 727 Fortinet product, 94 download, 727 with Fortinet Technical Support, 26 duplicates, 727 regular administrator, 267 file name, 727 regular expression, 30 filter, 726 service, 727 relay sorting, 726...
  • Page 754 221 router bgp neighbor, 50 select router-id recurring schedule, 438 router ospf, 53 send-community route-server-client router bgp neighbor, 50 router bgp neighbor, 50 sensor DoS, 545 IPS, 537
  • Page 755 (SPF), 53 PING6, 430 signatures POP3, 430 custom, intrusion protection signatures, 535 PPTP, 430 SIMPLE predefined, 427 protection profile, 512 QUAKE, 430 rate limiting, 512 quarantine files list, 727
  • Page 756 CLI command for IPS, 548 firewall policy, 400 SOCKS setting the cipher suite, 635 service, 431 specifying server certificate, 635 soft-reconfiguration specifying timeout values, 635 router bgp neighbor, 50 web-only mode, 633
  • Page 757 480 system resources strict blocking (HTTP only) viewing, 114 protection profile, 498 system status string, 30 viewing, 108 stub system status widgets OSPF area, 367 customizing, 108
  • Page 758 HA statistics, 239 HA statistics, 239 unit operation tracking viewing, 113 SIP, 513 unsuppress-map traffic history router bgp neighbor, 50 viewing, 124 up time Traffic Priority, 684, 689 HA statistics, 239
  • Page 759 427 service, 432 firmware, 316 FortiAnalyzer reports, 730 FortiGuard support contract, 324 HA statistics, 238 hostname, 126 IP pool list, 465 IPS sensor list, 537 IPS sensor options, 492
  • Page 760 IPSec VPN, firewall policy, 399 Virtual IP VPN, IPSec transparent mode, 468 firewall policy, 399 VPNs, 629 WAIS service, 432 WAN optimization explicit mode, 687 monitoring, 690 transparent mode, 687
  • Page 761 FortiWiFi-60A, 219 adding to a FortiWiFi-60AM, 219 adding to a FortiWiFi-60B, 219 WPA, 215, 220, 221 WPA Radius wireless security, 221 WPA2, 215, 221 WPA2 Auto, 215, 221
  • Page 762 WPA2 Radius X-Forwarded-For (XFF), 211 wireless security, 221 X-WINDOWS service, 432 X.509 security certificates. See system certificates XAuth zones IPSec VPN, phase 1, 618 configuring, 198