FortiGate® Version 4.0 Desktop Install Guide
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Introduction .................... 3
  Registering your Fortinet product ................. 3
  Customer service and technical support .............. 3
  Fortinet documentation .................... 4
    Fortinet Tools and Documentation CD ............... 4
    Fortinet Knowledge Center .................. 4
    Comments on Fortinet technical documentation ............ 4
  Conventions ........................ 4
    IP addresses .......................
  Backup and Restore from a USB key ............... 42
    Using the USB Auto-Install .................. 42
    Additional CLI Commands for a USB key .............. 43
  Testing new firmware before installing ............... 43
Index ...................... 1

FortiGate Version 4.0 Desktop Install Guide 01-400-95522-20090501 http://docs.fortinet.com/ • Feedback
Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.

Typographical conventions
Fortinet documentation uses the following typographical conventions:

Table 1: Typographical conventions in Fortinet technical documentation
Convention                  Example
Button, menu, text box,     From Minimum log level, select Notification.
• Operating temperature: 32 to 104°F (0 to 40°C) If you install the Fortinet unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, make sure to install the equipment in an environment compatible with the manufacturer's maximum rated ambient temperature.
(e.g. use of power strips).

Mounting
If required to fit into a rack unit, remove the rubber feet from the bottom of the Fortinet unit. Place the FortiGate unit on any flat, stable surface. Leave sufficient clearance on each side of the unit for adequate airflow and cooling.
Using the supplied Ethernet cable, connect one end to your router or modem, whichever device provides your connection to the Internet. Connect the other end to the Fortinet unit, using either the External port, the WAN port, or port 1. Connect an additional cable between the Internal port or port 2 and your internal hub or switch.
NAT mode
In NAT/Route mode, the Fortinet unit is visible to the network. Like a router, it has each of its interfaces on a different subnet. Because each port is on its own subnet, a single IP address can be exposed to the public Internet on behalf of the hosts behind the unit.
Transparent mode
In transparent mode, the Fortinet unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address to make configuration changes. The management IP address is also used for antivirus and attack definition updates.
Configuring NAT mode
The first warning prompts you to accept and optionally install the Fortinet unit's self-signed security certificate. If you do not accept the certificate, the Fortinet unit refuses the connection. If you accept the certificate, the FortiGate login page appears. The credentials you enter are encrypted before they are sent to the Fortinet unit.
Configure the interfaces
When shipped, the Fortinet unit has a default address of 192.168.1.99 and a netmask of 255.255.255.0 on either the Port 1 or the Internal interface. You need to configure this and the other ports for use on your network.
Enable this option to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses configured on the DNS page at System > Network > Options. On Fortinet-100 units and lower, you should also enable Obtain DNS server address automatically in System > Network >...
(DNS server) implements the protocol. In simple terms, it acts as a phone book for the Internet: a DNS server matches domain names to computer IP addresses. This enables you to use readable names, such as fortinet.com, when browsing the Internet.
Add a default route and gateway
A route provides the Fortinet unit with the information it needs to forward a packet to a particular destination. A static route directs packets for a specific destination to a gateway other than the default gateway.
For the initial installation, a single firewall policy that allows all traffic through lets you verify that your configuration is working. On lower-end units such a default firewall policy is already in place. On high-end Fortinet units, you need to add a firewall policy.
Source Interface       Select the port connected to the Internet.
Source Address
Destination Interface  Select the port connected to the network.
Destination Address    All
Schedule               always
Service
Action                 Accept

Figure 8: Creating an incoming firewall policy
To configure transparent mode, switch the unit to transparent mode and then configure the management IP address, default routes, and simple firewall policies. You can use the web-based manager or the CLI to configure the Fortinet unit in transparent mode.
For the initial installation, a single firewall policy that allows all traffic through lets you verify that your configuration is working. On lower-end units such a default firewall policy is already in place. On higher-end Fortinet units, you will need to add a firewall policy.
Configuring transparent mode
The following steps add two policies that allow all traffic through the Fortinet unit, so that you can continue testing the configuration on the network.

To add an outgoing traffic firewall policy - web-based manager
1 Go to Firewall > Policy.
Remember to verify the firewall policies. The firewall policies control the flow of information through the Fortinet unit. If the policies are not set up correctly, or are too restrictive, they can block network traffic that should be allowed.
1 Go to System > Maintenance > Backup & Restore.
2 Select to back up to your Local PC or to a USB key. The USB Disk option is grayed out if the Fortinet unit supports USB disks but none are connected.
For effective scheduling and logging, the FortiGate system date and time must be accurate. You can either manually set the system date and time or configure the Fortinet unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
Set the Administrator password
The Fortinet unit ships with a default empty password. Set a password to prevent anyone from logging in to the Fortinet unit and changing configuration options.
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When the Fortinet unit connects to the FDN, it connects to the nearest FDS. To do this, all Fortinet units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the Fortinet unit.
The Fortinet unit is pre-configured with four default protection profiles. In many cases you can use these default protection profiles just as they are, or as a starting point for creating your own.
The Fortinet unit will act on the general policy as soon as it determines that the policy has been matched, and then stop. The second policy is ignored, and the Fortinet unit lets through the URLs or IPs you intended to block.
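The following is an added example, not code from the Fortinet guide or from FortiOS. It models the first-match behaviour the paragraph describes (the unit acts on the first policy that matches and stops) and adds the check a practitioner wants when reviewing a policy table: a report of policies that an earlier, more general policy completely covers, so they can never take effect. The Policy class, the field names and the sample rules are constructed for illustration; real FortiGate policies carry more fields.

```python
"""First-match policy evaluation and a shadowed-policy check (added example)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Policy:
    """A simplified firewall policy: source net, destination net, service, action."""

    def __init__(self, pid: int, src: str, dst: str, service: str, action: str):
        self.pid = pid
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.service = service      # e.g. "HTTP", or "ANY" for all services
        self.action = action        # "ACCEPT" or "DENY"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and self.service in ("ANY", service))

    def covers(self, other: "Policy") -> bool:
        """True if every packet that matches `other` also matches this policy."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.service in ("ANY", other.service))


def first_match(policies: List[Policy], src_ip: str, dst_ip: str,
                service: str) -> Optional[Policy]:
    """Walk the table top to bottom and stop at the first matching policy."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, service):
            return policy
    return None


def decide(policies: List[Policy], src_ip: str, dst_ip: str,
           service: str) -> Tuple[Optional[int], str]:
    """Return (policy id, action); no match falls through to an implicit DENY."""
    policy = first_match(policies, src_ip, dst_ip, service)
    return (policy.pid, policy.action) if policy else (None, "DENY")


def shadowed(policies: List[Policy]) -> List[int]:
    """Ids of policies that can never be reached because an earlier policy covers them."""
    unreachable = []
    for index, later in enumerate(policies):
        if any(earlier.covers(later) for earlier in policies[:index]):
            unreachable.append(later.pid)
    return unreachable


# Constructed sample table: the general allow-all policy is listed first and
# the specific block for one web server second, which is the mistake the guide warns about.
POLICIES_WRONG = [
    Policy(1, "192.168.1.0/24", "0.0.0.0/0", "ANY", "ACCEPT"),
    Policy(2, "192.168.1.0/24", "203.0.113.10/32", "HTTP", "DENY"),
]
# Same two policies with the specific block placed first.
POLICIES_RIGHT = [POLICIES_WRONG[1], POLICIES_WRONG[0]]

if __name__ == "__main__":
    for name, table in (("wrong order", POLICIES_WRONG), ("right order", POLICIES_RIGHT)):
        print(name, decide(table, "192.168.1.5", "203.0.113.10", "HTTP"),
              "shadowed:", shadowed(table))
```

With the general policy first, `decide` reports that policy 1 accepts HTTP to 203.0.113.10 and `shadowed` lists policy 2; with the order reversed, policy 2 denies that traffic and nothing is shadowed. Running the shadow check over a policy table before it goes live catches this ordering mistake without waiting for blocked traffic to get through.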
• File pattern - The Fortinet unit checks the file against the file pattern settings you have configured. You can set which file names or file types the Fortinet unit looks for in incoming traffic.
• Virus scan - The virus definitions are kept up to date through the Fortinet Distribution Network.
FortiGuard antivirus services. To configure the file patterns that the Fortinet unit scans for, go to UTM > AntiVirus > File Filter. To enable grayware blocking, go to UTM > AntiVirus > Grayware.
(white list) or do not want (black list) to receive email from. You can add or remove addresses from the lists as required. If enabled in the protection profile, the Fortinet unit uses both an IP address list and an email address list to filter incoming email.
Using this information, you can take the corrective action necessary to resolve problems before they become major problems. With alert email, you can configure the Fortinet unit to send alert messages when specific events occur, or occur at a specified frequency. By logging to a FortiAnalyzer unit, you can run over 400 reports on various kinds of network traffic.
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version.
4 Locate the firmware for your Fortinet unit, right-click the link and select the Download option for your browser.

Note: Always review the Release Notes for a new firmware release before installing.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The Fortinet unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the Fortinet login. This process takes a few minutes.
Note: You need an unencrypted configuration file for this feature. Also, the default files, image.out and system.conf, must be in the root directory of the USB key. Because the configuration file on the key is unencrypted, anyone who obtains the key can read the unit's settings, so store and handle the key accordingly.

Note: Make sure at least FortiOS v3.0MR1 is installed on the Fortinet unit before installing.

To configure the USB Auto-Install
1 Go to System >...
CLI command execute update-now to update the antivirus and attack definitions. For more information, see the FortiGate Administration Guide.

Before you begin, ensure you have a TFTP server running and accessible to the Fortinet unit.

To upgrade the firmware using the CLI
1 Make sure the TFTP server is running.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges. To use the following procedure, you must have a TFTP server the Fortinet unit can connect to.
You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware. To use this procedure, you must connect to the CLI using the Fortinet console port and a RJ-45 to DB-9, or null modem cable.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address the Fortinet unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to.
Note: You need an unencrypted configuration file for this feature. Also, the default files, image.out and system.conf, must be in the root directory of the USB key.

Note: Make sure at least FortiOS v3.0MR1 is installed on the Fortinet unit before installing.

To configure the USB Auto-Install using the CLI
1 Log into the CLI.
"Upgrading the firmware" on page

To use this procedure, you must connect to the CLI using the Fortinet console port and a RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address for the Fortinet unit to use when connecting to the TFTP server. The IP address must be on the same network as the TFTP server, but make sure you do not use the IP address of another device on that network.
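The two conditions stated for the local address in this step and in the firmware upgrade procedure (same network as the TFTP server, not already used by another device) are easy to get wrong when typing at a console prompt. The following added example, not part of the Fortinet guide, checks a candidate address against those conditions before you enter it. The TFTP server address with its mask and the set of known hosts are constructed sample data; in practice you would fill them from your own network inventory.

```python
"""Pre-check the 'Enter Local Address' value for a TFTP firmware load (added example)."""
from ipaddress import ip_address, ip_interface
from typing import Iterable, List

# Constructed sample inventory: router, TFTP server, and a workstation on the
# installation network. Replace with your own list of addresses in use.
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.10", "192.168.1.99"}


def check_local_address(local_ip: str, tftp_server: str,
                        known_hosts: Iterable[str] = KNOWN_HOSTS) -> List[str]:
    """Return a list of problems with `local_ip`; an empty list means it is acceptable.

    `tftp_server` is the server address with its prefix length, e.g. "192.168.1.10/24",
    so the server's network can be derived from it.
    """
    problems = []
    server = ip_interface(tftp_server)
    addr = ip_address(local_ip)
    net = server.network

    # Condition 1: the address must be on the TFTP server's network.
    if addr not in net:
        problems.append(f"{local_ip} is not on the TFTP server's network {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{local_ip} is the network or broadcast address of {net}")

    # Condition 2: the address must not belong to another device,
    # the TFTP server itself included.
    if local_ip in set(known_hosts) or addr == server.ip:
        problems.append(f"{local_ip} is already used by another device")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.1.188", "10.0.0.5", "192.168.1.10", "192.168.1.255"):
        print(candidate, check_local_address(candidate, "192.168.1.10/24") or "OK")
```

The default offered at the prompt, 192.168.1.188, passes when the TFTP server is 192.168.1.10/24 and that address is unused; an address from another subnet, the server's own address, or the broadcast address each come back with the reason they were rejected.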