Introduction

Welcome and thank you for selecting Fortinet products for your real-time network protection. FortiGate™ Unified Threat Management System improves network security, reduces network misuse and abuse, and helps you use communications resources more efficiently without compromising the performance of your network.
FortiGate-50A/50B, FortiWiFi-50B and FortiGate-100 FortiOS 3.0 MR4 Install Guide, 01-30004-0265-20070831

[Figure labels: front panel indicators INTERNAL, WAN1, WAN2 (PoE), WLAN, EXTERNAL, LINK / ACT, POWER, STATUS, 10/100]

http://support.fortinet.com and selecting...
Fortinet Family Products

Fortinet offers a family of products that includes both software and hardware appliances for a complete network security solution including mail, logging, reporting, network management, and security along with FortiGate Unified Threat Management Systems. For more information on the Fortinet product family, go to www.fortinet.com/products.
FortiAnalyzer

FortiAnalyzer™ provides network administrators with the information they need to enable the best protection and security for their networks and monitor against attacks and vulnerabilities. The FortiAnalyzer unit features include: •...
This document contains the following chapters:
• Installing the FortiGate unit on a FortiGate unit.
• Factory defaults
• Configuring the FortiGate unit of the FortiGate unit and how to integrate the FortiGate unit into your network.
• Configuring the modem interface modem with the FortiGate-50A and FortiGate-50AM units.
Go to VPN > IPSEC > Phase 1 and select Create New.
Program output: Welcome!
Variables: <address_ipv4>

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following FortiGate product documentation •...
Fortinet Tools and Documentation CD All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Ethernet cable (Fortinet part number CC300248)
• one gray straight-through Ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial cable (Fortinet part number CC300247)
• one AC adapter and power cable
• FortiGate-50A QuickStart Guide
•...

The FortiGate-50B package contains the following items:
• FortiGate-50B Unified Threat Management System
• one gray straight-through Ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial cable (Fortinet part number CC300247)
• one AC adapter and power cable
• FortiGate-50B QuickStart Guide
•...

The FortiWiFi-50B package contains the following items:
• FortiWiFi-50B Unified Threat Management System
• one gray straight-through Ethernet cable (Fortinet part number CC300249)
• one RJ-45 to DB-9 serial cable (Fortinet part number CC300247)
• one AC adapter and power cable
• two mounting brackets
•...
[Figure labels: package contents: Power Cable, Power Supply, QuickStart Guide, Documentation]
Copyright 2006 Fortinet Incorporated. All rights reserved.
Mounting

Adhere the rubber feet included in the package to the underside of the FortiWiFi unit, near the corners of the device. Place the FortiGate unit on any flat, stable surface. Leave at least 1.5 inches (3.75 cm) of clearance on each side for adequate airflow and cooling.
Powering on the FortiGate unit
Power over Ethernet

Table 5: FortiGate-50A and FortiGate-100 LED indicators

LED | State | Description
Power | Green | The FortiGate unit is powered on.
Power | | The FortiGate unit is powered off.
Status | Flashing | The FortiGate unit is starting up.
Status | | The FortiGate unit is running normally.
Internal | Green | The correct cable is in use, and the connected...
Powering off the FortiGate unit

Always shut down the FortiGate operating system properly before turning off the power switch to avoid potential hardware problems.

To power off the FortiGate unit

From the web-based manager, go to System > Status. In the Unit Operation display, select Shutdown, or from the CLI, enter:

    execute shutdown

Disconnect the power supply.
Connecting to the FortiGate unit

To connect to the web-based manager

Set the IP address of the computer with an Ethernet connection to the static IP address 192.168.1.2 with a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address automatically using DHCP.
Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. Telnet sends credentials and session data unencrypted, so use SSH for any connection that crosses an untrusted network.
[Figure labels: External interface; Configuring Manual IP, DHCP, or PPPoE addressing; Internet; Router; FortiGate-50A]

The FortiGate DHCP server also assigns the DNS server IP address 192.168.1.99 to each computer on the internal network. As a result, the FortiGate unit internal interface acts as a DNS server for the internal network.
Use the following DNS server addresses: select this option, enter the DNS server addresses given to you by the ISP, and select Apply.

Go to Router > Static, edit route #1, change Gateway to the default gateway IP address from the ISP, and select OK.
Factory defaults

The FortiGate unit ships with a factory default configuration. The default configuration enables you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. To configure the FortiGate unit, you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and, if required, configure basic routing.
Factory default DHCP server configuration
Factory default NAT/Route mode network configuration

With the FortiGate-50 series, you can quickly configure the internal network and the FortiGate unit by using the factory default DHCP server settings. See “Quick installation using factory defaults” on page 24.

Table 7: FortiGate DHCP Server default configuration
Name internal_dhcp_server...
Factory default protection profiles

Table 10: Factory default firewall configuration

Configuration setting | Name
Firewall policy | Internal -> External; Source: All; Destination: All
Firewall address |
Pre-defined service | More than 50 predefined services
Recurring schedule | Always
Protection Profiles | Strict, Scan, Web, Unfiltered

The factory default firewall configuration is the same in NAT/Route mode and Transparent mode.
Restoring the default settings

You can revert to the factory default settings if you change a network setting and are unable to recover from it.

Caution: This procedure deletes all changes you have made to the FortiGate configuration and reverses the system to its original configuration, including resetting interface addresses.
FortiGate unit and the network it protects using the default settings.

NAT/Route mode

In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in...
(usually the Internet).

Figure 8: Example NAT/Route mode network configuration for a FortiGate-50A. [Figure labels: External 204.23.1.5; Internet; Router; NAT mode policies controlling traffic between internal and external networks]

In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet).
You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewall functions, IPSec VPN, virus scanning, IPS, web content filtering, and Spam filtering.
NAT/Route mode installation

Preparing to configure the FortiGate unit in NAT/Route mode

To disable ping administrative access from the web-based manager

Log into the FortiGate web-based manager.
Go to System > Network > Interface.
Choose the external interface and select Edit.
Clear the Ping Administrative Access check box.
Administrator Password:
Internal
External/WAN1
DMZ/WAN2
Network settings

DHCP or PPPoE configuration

You can configure any FortiGate interface to acquire its IP address from a DHCP or PPPoE server. Your Internet Service Provider (ISP) may provide IP addresses using one of these protocols.
DHCP or PPPoE.

To add a default route

Go to Router > Static.
If the Static Route table contains a default route (IP and Mask set to 0.0.0.0), select the Delete icon to delete this route.
Verify the connection

To verify your connection, try the following:
• browse to www.fortinet.com
• retrieve or send email from your email account

If you cannot browse to the web site or retrieve/send email from your account, review the previous steps to ensure all information was entered correctly and try again.
NAT/Route mode installation

    config system interface
        edit <interface>
            set mode static
            set ip <address_ip> <netmask>
    end

Example

    config system interface
        edit internal
            set mode static
            set ip 192.168.120.99 255.255.255.0
    end

Set the IP address and netmask of the external interface to the external IP address and netmask you recorded in

    config system interface
        edit <interface>...
DHCP or PPPoE.

To add a default route

Set the default route to the Default Gateway IP address. Enter:

    config router static

Example

If the default gateway IP is 10.10.1.2 and this gateway is connected to the external interface:...
Connect the External or WAN1 interface to the Internet. Connect to the public switch or router provided by your ISP. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.
The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer. Primary DNS Server:...
Transparent mode installation
Using the command line interface

You do not have to reconnect to the web-based manager at this time. Once you select Apply, the changes are immediate, and you can go to the system dashboard to verify the FortiGate unit has changed to Transparent mode.

To configure DNS server settings

Go to System >...
IP address. Browse to https:// followed by the new IP address. If you connect to the management interface through a router, make sure you have added a default gateway for that route to the management IP default gateway field.
Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.

[Figure labels: Internal network; Internal; Hub, switch or router; FortiGate-50B; Management Computer]

for complete information on...
You can update your antivirus and IPS signatures using the web-based manager or the CLI. Before you can begin receiving updates, you must register your FortiGate unit from the Fortinet web page. Note: Update AV and IPS signatures on a regular basis. If you do not update AV and IPS signatures regularly, the FortiGate unit can become vulnerable to new viruses.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. Schedule updates when traffic is light, for example overnight, to minimize any disruption.

Updating the IPS signatures from the CLI

You can update IPS signatures using the CLI.
Example

    config system autoupdate schedule

Adding an override server

If you cannot connect to the FDN, or if your organization provides updates using their own FortiGuard server, use the following procedures to add the IP address of an override FortiGuard server in either the web-based manager or the CLI.
Configuring the modem interface

The modem interface is only available on the FortiGate-50A. The following sections will cover how to configure the FortiGate-50A modem using the CLI. The FortiGate-50A supports a redundant or stand alone 56K modem interface in NAT/Route mode.
Selecting a modem mode
Redundant mode configuration
Stand alone mode configuration

Figure 12: Example modem interface network connection [Figure labels: FortiGate-50A, DC+12V, External, Internal, Modem, Console, USB-to-serial converter, V.92, External modem]

The modem interface can work in one of two modes: •...
In stand alone mode the modem interface replaces the external Ethernet interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.

Configuring the modem for the FortiGate-50A

Configure the modem for the FortiGate-50A using the CLI. The following table of CLI commands is specifically for the FortiGate-50A modem configuration.
Configuring the modem for the FortiGate-50A

Table 15: CLI commands for the FortiGate-50A

passwd2 <password_str> | Enter the password used to access the specified dialup account.
passwd3 <password_str> | Enter the password used to access the specified dial-up account.
peer_modem1 {actiontec |... | If the modem at phone1 is Actiontec or AscendTNT, select that type, otherwise leave
To add a ping server to an interface

Go to System > Network > Interface.
Choose an interface and select Edit.
Set Ping Server to the IP address of the next hop router on the network connected to the interface.
Select the Enable check box.
Adding firewall policies for modem connections

The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see the FortiGate Administration Guide.
Using a wireless network

This chapter is specifically for the FortiWiFi-50B.

In a wired network, computers are connected through a series of cables that transfer information. In a wireless network, information is transferred over radio waves.
Setting up a wireless network
Positioning an Access Point
Radio Frequency interface

Figure 13: FortiWiFi-50B as an Access Point [Figure labels: Internal, Router, WAN1, Internet, WAN2, MODEM / DSL / Cable]

When placing the FortiWiFi-50B AP, your main concern is providing a strong signal to all users.
To avoid RF interference:
• Remove these devices from the immediate area where users are working. Something as simple as a Bluetooth enabled mouse may cause transmission interruptions.
• Keep the FortiWiFi-50B AP and wireless devices at least 10 feet away from appliances such as microwave ovens and cordless phones.
Wireless Security
Wireless Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)

Radio waves transmitted between a wireless device and access points provide the weakest link between the wireless device and network servers. Wireless networking can be risky because information travels on radio waves, which is a public medium.
Wireless users should configure their computers to connect to the network that broadcasts this network name. For security reasons, do not leave the default name of “fortinet” as the network name. Broadcasting enables wireless users to find a network. The FortiWiFi-50B model includes an option not to broadcast the SSID.
FortiWiFi-50B operation modes

Figure 15: FortiWiFi in Access Point mode [Figure labels: Internal, Router, WAN1, Internet, WAN2, MODEM / DSL / Cable]

Client mode

When using the FortiWiFi-50B in Client mode, the device is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols from a location that does not have a wired infrastructure.
For example, 10.10.80.1 to 10.10.80.20. Enter the network mask you created in Table 12 on page Enter domain name, for example, www.fortinet.com. The expiry date of an IP address. This feature specifies either an unlimited or limited timeframe of an IP address.
Setting up the FortiWiFi-50B as an Access Point
Set the security options
Configure the firewall policies

To ensure proper security and protection of your network and its information, set the security options for the FortiWiFi-50B unit.

To set the data security

Go to System >...
FortiGate Firmware

Fortinet periodically updates the FortiGate firmware to include enhancements and address issues. After you have registered your FortiGate unit, FortiGate firmware is available for download at http://support.fortinet.com. Only the FortiGate administrators (whose access profiles contain system configuration read and write privileges) and the FortiGate admin user can change the FortiGate firmware.
Upgrading to a new firmware version
Upgrading the firmware using the CLI

Type the path and filename of the firmware image file, or select Browse and locate the file.
Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

Reconnect to the CLI.
To confirm the new firmware image is successfully installed, enter:

    get system status

Update antivirus and attack definitions (see the or from the CLI, enter:

    execute update-now...
Reverting to a previous firmware version
Reverting to a previous firmware version using the CLI

Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:

    execute ping 192.168.1.168

Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

    execute restore image <name_str>...
Installing firmware images from a system reboot using the CLI

This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.
Enter the following command to restart the FortiGate unit:

    execute reboot

The FortiGate unit responds with the following message:

    This operation will reboot the system ! Do you want to continue? (y/n)

Type y.

As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears: •...
Installing firmware images from a system reboot using the CLI
Restoring the previous configuration

Enter the firmware image filename and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed: •...
Note: The FortiUSB key is purchased separately. The FortiGate unit only supports the FortiUSB key, available from Fortinet.

Backup and Restore from the FortiUSB key

Use the FortiUSB key to back up a configuration file or restore a configuration file.
The FortiUSB key
Using the USB Auto-Install feature

    exec backup config usb <filename>

Enter the following command to verify the configuration files are on the key:

    exec usb-disk list

To restore configuration using the CLI

Log into the CLI.
Enter the following command to restore the configuration files:

    exec restore config usb <filename>...
    config system auto-install
        set default-config-file <filename>
        set auto-install-config <enable/disable>
        set default-image-file <filename>
        set auto-install-image <enable/disable>
    end

Additional CLI commands for the FortiUSB key

Use the following CLI commands when you want to delete a file from the FortiUSB key, list the files on the key, format the key, or rename a file: •...
Testing a new firmware image before installing it

Make sure the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:

    execute ping 192.168.1.168

Enter the following command to restart the FortiGate unit:

    execute reboot...
Type an IP address that can be used by the FortiGate unit to connect to the FTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.
Installing and using a backup firmware image

• Access the CLI by connecting to the FortiGate console port using a RJ-45 to DB-9 serial cable or null-modem cable.
• Install a TFTP server that you can connect to from the FortiGate as described in the procedure “Installing firmware images from a system reboot using the CLI”...
Type an IP address that can be used by the FortiGate unit to connect to the FTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.