Summary of Contents for Fortinet FortiGate FortiGate-1000A
Page 1
FortiGate 1000A FortiGate 1000AFA2 FortiGate-1000A/FA2 Administration Guide Administration Guide Version 2.80 MR11 15 November 2005 01-28011-0254-20051115 CONSOLE...
Page 2
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
US Domestic distribution changes ... 20 Document conventions ... 22 Fortinet documentation ... 23 Fortinet Knowledge Center ... 24 Comments on Fortinet technical documentation ... 24 Customer service and technical support... 24 Web-based manager... 25 Button bar features ... 26 Contact Customer Support ...
Page 4
Server ... 83 DHCP server settings ... 84 Exclude range ... 85 DHCP exclude range settings... 86 IP/MAC binding ... 86 DHCP IP/MAC binding settings ... 87 Dynamic IP... 87 System Config... 89 System time ... 89 01-28011-0254-20051115 Fortinet Inc.
• • The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
Availability (HA) operation and redundant hot-swappable power supplies ensure non- stop operation in mission-critical applications. The FortiGate-1000A is kept up to date automatically by Fortinet’s FortiGuard network, which provides continuous updates for FortiGuard Subscription Services that ensure protection against the latest viruses, worms, trojans and other threats around the clock.
Mail messages can be identified as spam or clear. FortiShield is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate Spam.
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
Introduction Transparent mode In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to provide antivirus and content filtering behind an existing firewall solution.
• High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
Introduction Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.
IPS to the system memory. About the FortiOS International and US Domestic distributions Fortinet produces two distributions of FortiOS v3.0, an International distribution and a US Domestic distribution. The International distribution is available to users outside of the United States and the US Domestic distribution is available to all users, including users in the United States.
Page 21
For example, if the file test.doc was quarantined in an email being sent from user@address.com to info@fortinet.com the file name of the quarantined file would be user_info. The default mail virus replacement message (splice mode) is...
A space to separate options that can be entered in any combination and must be separated by spaces. For example: set allowaccess {ping https ssh snmp http telnet} You can enter any of the following: set allowaccess ping set allowaccess ping https ssh set allowaccess https ping ssh 01-28011-0254-20051115 Introduction Fortinet Inc.
Introduction Fortinet documentation The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following • • • • • • • • FortiGate-1000A/FA2 Administration Guide set allowaccess snmp...
Fortinet technical documentation, to techdoc@fortinet.com. Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at learn about the technical support services that Fortinet provides.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 Web-based manager Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features. Figure 2: Web-based manager button bar Contact Customer Support The Contact Customer Support button opens the Fortinet support web page in a new browser window. From this page you can • •...
Web-based manager Online Help The Online Help button opens web-based help for the current web-based manager page. There are hyperlinks to related topics and procedures related to the controls on the current web-based manager page. Figure 3: Online Help window You can view other parts of the help system as you like.
If you simply close the browser or leave the web-based manager, you remain logged-in until the idle timeout (default 5 minutes) expires. Connect to the FortiGate unit using the CLI. Disconnect from the FortiGate unit. Clear the screen. 01-28011-0254-20051115 Web-based manager Fortinet Inc.
Page Configure system facilities, such as network interfaces, virtual domains, DHCP services, time and set system options. Configure the router. Configure firewall policies and protection profiles that apply the network protection features. Also configure virtual IP addresses and IP pools.
Clear a log file. Column Select log columns to display. Settings Delete Delete an item. This icon appears in lists where the item is deletable and you have write permission on the page. 01-28011-0254-20051115 Web-based manager Delete Edit Fortinet Inc.
Web-based manager Status bar The status bar is at the bottom of the web-based manager screen. Figure 7: Status bar The status bar shows • • FortiGate-1000A/FA2 Administration Guide Download Download a log file or back up a configuration file. or Backup Edit Edit a configuration.
System Status System Network System DHCP System Config System Admin System Maintenance System Virtual Domain Router Firewall User Antivirus Web filter 01-28011-0254-20051115 Web-based manager Spam filter Log & Report FortiGuard categories Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Status You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: •...
Antivirus or IPS fail-open conditions The system restarted. The restart could be due to operator action or power off/on cycling. The named administrator upgraded the firmware on either the active or non-active partition. 01-28011-0254-20051115 System Status Fortinet Inc.
Page 35
System Status Firmware downgraded by <admin_name> Fortigate has reached connection limit for <n> seconds Each message shows the date and time that it was posted. If there is insufficient space for all of the messages, you can select Show All to view the rest of them. Figure 9: System status (FortiGate-1000AFA2) System status UP Time...
The number of URLs visited and the number of files uploaded and downloaded. Select Details to see the FTP site URL, date, time, user and lists of files uploaded and downloaded. The name of the interface. 01-28011-0254-20051115 System Status 127. The serial number is Fortinet Inc.
System Status IP / Netmask Status System Resources CPU Usage Memory Usage Hard Disk Usage Active Sessions Network Utilization The total network bandwidth being used through all FortiGate interfaces History Figure 10: Sample system resources history History The history page displays 6 graphs representing the following system resources and protection: CPU Usage History Memory Usage History Memory usage for the previous minute.
To update the firmware version To update the antivirus definitions manually To update the attack definitions manually To change to Transparent mode To change to NAT/Route mode 01-28011-0254-20051115 “SNMP” on page 108. “Changing the FortiGate firmware” on System Status Fortinet Inc.
Page 39
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
FortiGate unit. You can use the session list to view current sessions. Figure 11: Sample session list From IP From Port “HA” on page 92). Set source IP address for list filtering Set source port for list filtering 01-28011-0254-20051115 System Status Fortinet Inc.
FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in FortiGate-1000A/FA2 Administration Guide...
If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required. “To update antivirus and attack definitions” on page 135 01-28011-0254-20051115 System Status to make sure that antivirus Fortinet Inc.
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
Back up the IPS custom signatures. Back up web content and email filtering lists. “Backing up and Restoring” on page “To update antivirus and attack definitions” on page 135 01-28011-0254-20051115 System Status to update 130. to make sure that antivirus Fortinet Inc.
System Status To revert to a previous firmware version using the web-based manager Copy the firmware image file to the management computer. Log into the FortiGate web-based manager. Note: To use this procedure you must login using the admin administrator account, or an administrator account that has system configuration read and write privileges.
Page 46
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
System Status To confirm that the new firmware image has been loaded, enter: get system status To restore your previous configuration if needed, use the command: execute restore config <name_str> <tftp_ipv4> Update antivirus and attack definitions. For information, see the CLI, enter: execute update_now Installing firmware images from a system reboot using the CLI This procedure installs a specified firmware image and resets the FortiGate unit to...
Page 48
[F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H: 01-28011-0254-20051115 System Status execute reboot command. Fortinet Inc.
System Status Type an IP address that the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
TFTP server that you can connect to from port1. The TFTP server should be on the same subnet as port3. FortiGate unit running v2.x BIOS Press Any Key To Download Boot Image. FortiGate unit running v3.x BIOS Press any key to display configuration menu... 01-28011-0254-20051115 System Status execute reboot command. Fortinet Inc.
Page 51
System Status If you successfully interrupt the startup process, one of the following messages appears: • • Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiGate unit to connect to the FTP...
Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options. 01-28011-0254-20051115 System Status execute reboot command. Fortinet Inc.
System Status Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiGate unit to connect to the FTP server.
Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options. 01-28011-0254-20051115 System Status execute reboot command. execute reboot command. Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Network System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
Bring Down or Bring Up. For more information, “To bring down an interface that is administratively up” on page 62 “To start up an interface that is administratively down” on page Delete, edit, and view icons. 01-28011-0254-20051115 System Network “VLAN Fortinet Inc.
Page 57
System Network Figure 13: Interface settings See the following procedures for configuring interfaces: • • • • • • • • • • • • • Name The name of the Interface. Interface Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
Page 58
Interface The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see Virtual Domain Select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
Page 59
System Network PPPoE If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
Page 60
Ping server Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See...
Page 61
System Network HTTP SNMP TELNET To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any physical interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
To configure traffic logging for connections to an interface “To add a VLAN subinterface in NAT/Route mode” on page 67. You cannot add an interface to a zone if you have added firewall policies for 01-28011-0254-20051115 System Network “To add a zone” on Fortinet Inc.
Page 63
System Network Select OK to save the changes. To add an interface to a virtual domain If you have added virtual domains to the FortiGate unit, you can use this procedure to add an interface or VLAN subinterface to a virtual domain. To add a virtual domain, domain if you have added firewall policies for the interface.
Page 64
Optionally, you can also configure management access and add a ping server to the secondary IP address: set allowaccess ping https ssh snmp http telnet set gwdetect enable Save the changes: for information on PPPoE settings. 01-28011-0254-20051115 System Network “PPPoE” Fortinet Inc.
Page 65
To add a ping server to an interface Go to System > Network > Interface. Choose an interface and select Edit. Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box.
Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked. Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. 01-28011-0254-20051115 System Network Fortinet Inc.
System Network Zone settings Figure 16: Zone options Name Block intra-zone traffic Interface members Enable check boxes to select the interfaces that are part of this zone. To add a zone If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
FortiGate unit from. Enter the default gateway address. Select the virtual domain from which you want to perform system management. 01-28011-0254-20051115 132). “To control administrative access to an interface” 91). This must be a valid IP System Network “To Fortinet Inc.
System Network Enter the Default Gateway. Select the Management Virtual Domain. Select Apply. The FortiGate unit displays the following message: Management IP address was changed. Click here to redirect. Click on the message to connect to the new Management IP. Several FortiGate functions, including Alert E-mail and URL blocking, use DNS.
Move To icon. Select to change the order of a route in the list. Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic The the relative preferability of this route. 1 is most preferred.
VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as router, firewall, or layer 3 switch.
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
Page 75
Figure 24 three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN. FortiGate-1000A/FA2 Administration Guide VLAN Switch or router VLAN1 Internal VLAN1 VLAN2...
System Network Transparent mode VLAN list In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces. Figure 25: Sample Transparent mode VLAN list Create New Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual Name Access Status...
Page 78
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN- tagged packets.
The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
Page 80
FortiGate IPv6 support System Network 01-28011-0254-20051115 Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System DHCP You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time.
Select DHCP Server if you want the FortiGate unit to be the DHCP server. “To configure an interface to be a DHCP server” on page 01-28011-0254-20051115 System DHCP “To configure an interface as a Fortinet Inc.
System DHCP To configure an interface to be a DHCP server You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also configure a DHCP server for more than one FortiGate interface.
Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. 01-28011-0254-20051115 System DHCP Fortinet Inc.
DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
Select Create New to add a DHCP IP/MAC binding pair. The name for the IP and MAC address pair. The IP address for the IP and MAC address pair. The IP address must be within the configured IP range. 01-28011-0254-20051115 System DHCP Fortinet Inc.
System DHCP DHCP IP/MAC binding settings Figure 34: IP/MAC binding options Name IP Address MAC Address To add a DHCP IP/MAC binding pair Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
Page 88
Dynamic IP System DHCP 01-28011-0254-20051115 Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Config Use the System Config page to make any of the following changes to the FortiGate system configuration: • • • • • • System time Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate.
FortiGate unit to synchronize its time once a day. Timeout settings including the idle timeout and authentication timeout The language displayed by the web-based manager Front control buttons and LCD PIN protection Dead gateway detection interval and failover detection 01-28011-0254-20051115 System Config Fortinet Inc.
Page 91
System Config Figure 36: System config options Idle Timeout Auth Timeout Language LCD Panel Detection Interval Fail-over Detection Set the ping server dead gateway detection failover number. Enter the To set the system idle timeout Go to System > Config > Options. For Idle Timeout, type a number in minutes.
VPN, IPS, virus scanning, web filtering, and spam filtering services. “To add a ping server to an interface” on page HA overview HA configuration Configuring an HA cluster Managing an HA cluster 01-28011-0254-20051115 System Config Fortinet Inc.
Page 93
The FortiGate Clustering Protocol (FGCP) Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
Page 94
Configuring a FortiGate interface to be a DHCP server or a DHCP relay agent is not affect by HA operation. For information about DHCP server and relay, see DHCP” on page “To configure load balancing TCP and virus scanning 104. and the Fortinet Knowledge 01-28011-0254-20051115 System Config FortiGate High Center. “System...
System Config PPTP and L2TP are supported in HA mode. You can configure PPTP and L2TP settings (see add firewall policies to allow PPTP and L2TP pass through. However, during an HA failover event, any active PPTP and L2TP sessions are lost and must be restarted after the failover.
“HA modes” on page Table 3 lists the virtual MAC address set for each group ID. MAC Address 00-09-0f-06-ff-00 00-09-0f-06-ff-01 00-09-0f-06-ff-02 00-09-0f-06-ff-03 00-09-0f-06-ff-3f 01-28011-0254-20051115 System Config “To view the status of Fortinet Inc.
Page 97
System Config Unit Priority Optionally set the unit priority of the cluster unit. Each cluster unit can have a different unit priority. The unit priority is not synchronized among cluster members. During HA negotiation, the unit with the highest unit priority becomes the primary unit. The unit priority range is 0 to 255.
Page 98
IP Port to distribute traffic to cluster units based on the source IP, source port, destination IP, and destination port of the packet. “To configure load balancing TCP and virus scanning traffic” on page 01-28011-0254-20051115 System Config “To configure weighted-round-robin 104. Fortinet Inc.
Page 99
System Config To enable HA heartbeat communication for an interface, enter a priority for the interface. To disable HA heartbeat communication for an interface, delete the priority for the interface. The HA heartbeat priority range is 0 to 512. The interface with the highest priority handles all HA heartbeat traffic.
Page 100
• • Configuring an HA cluster Managing an HA cluster 01-28011-0254-20051115 “Override Master” on page 97), this FortiGate unit System Config Fortinet Inc.
System Config Configuring an HA cluster Use the following procedures to create an HA cluster consisting of two or more FortiGate units. These procedures describe how to configure each of the FortiGate units for HA operation and then how to connect the FortiGate units to form a cluster. Once the cluster is connected you can configure it in the same way as you would configure a standalone FortiGate unit.
Page 102
Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance.
Page 103
From the CLI you can use the following command to configure a weight value for each cluster unit. FortiGate-1000A/FA2 Administration Guide Internal Network Port1 Port2 Hub or Switch Port4 Port4 Port1 Port2 01-28011-0254-20051115 FortiGate-1000A Hub or Switch FortiGate-1000A Internet Router...
The next three connections are processed by the first subordinate unit (priority 1, weight 3) The next three connections are processed by the second subordinate unit (priority 2, weight 3) config system ha set load-balance-all enable 01-28011-0254-20051115 Weight System Config Fortinet Inc.
System Config Managing an HA cluster The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster. Because of this synchronization, you manage the HA cluster instead of managing the individual cluster units. You manage the cluster by connecting to the web-based manager using any cluster interface configured for HTTPS administrative access.
Page 106
The number of packets that have been processed by the cluster unit since it last started up. The number of viruses detected by the cluster unit. interfaces. The number of bytes that have been processed by the cluster unit since it last started up. 01-28011-0254-20051115 System Config Fortinet Inc.
Page 107
System Config To view and manage logs for individual cluster units Connect to the cluster and log into the web-based manager. Go to Log&Report > Log Access. The Traffic log, Event log, Attack log, Antivirus log, Web Filter log, and Email Filter log for the primary unit are displayed.
FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of...
System Config Figure 40: Configuring SNMP SNMP Agent Description Location Contact Apply Create New Communities Name Queries Traps Enable Delete icon Edit/View icon SNMP community An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps.
Page 110
SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
Page 111
System Config Queries Traps SNMP Event To configure SNMP access to an interface in NAT/Route mode Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See control administrative access to an interface”...
Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
Page 113
System Config Table 8: Generic FortiGate traps Trap message ColdStart WarmStart LinkUp LinkDown Table 9: FortiGate system traps Trap message CPU usage high (fnTrapCpuHigh) Memory low (fnTrapMemLow) Interface IP change (fnTrapIpChange) Table 10: FortiGate VPN traps Trap message VPN tunnel is up (fnTrapVpnTunUp) VPN tunnel down (fnTrapVpnTunDown)
The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Page 115
System Config Table 17: System MIB fields MIB field fnSysModel fnSysSerial fnSysVersion fnSysVersionAv fnSysVersionNids fnSysHaMode fnSysOpMode fnSysCpuUsage fnSysMemUsage fnSysSesCount Table 18: HA MIB fields MIB field fnHaGroupId fnHaPriority fnHaOverride fnHaAutoSync fnHaSchedule fnHaStatsTable FortiGate-1000A/FA2 Administration Guide Description FortiGate model number, for example, 400 for the FortiGate-400. FortiGate unit serial number.
Page 116
The idle period in minutes after which the administrator must re- authenticate. Description The number of virtual domains on the FortiGate unit. Table of virtual domains. fnVdIndex Internal virtual domain index number on the FortiGate unit. fnVdName The name of the virtual domain. 01-28011-0254-20051115 System Config Fortinet Inc.
System Config Table 23: Active IP sessions MIB field fnIpSessIndex fnIpSessProto fnIpSessFromAddr fnIpSessFromPort fnIpSessToPort fnIpSessToAddr fnIpSessExpiry Table 24: Dialup VPNs MIB field fnVpnDialupIndex fnVpnDialupGateway fnVpnDialupLifetime fnVpnDialupTimeout fnVpnDialupSrcBegin Remote subnet address. fnVpnDialupSrcEnd fnVpnDialupDstAddr fnVpnDialupDstMask Table 25: IPS MIB field fnIpsSigId fnIpsSigSrcIp Replacement messages Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP...
Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiGate unit. Edit/View icon. Select to change a replacement message. 01-28011-0254-20051115 System Config Fortinet Inc.
System Config Changing replacement messages Figure 44: Sample HTTP virus replacement message Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages. The name of the web filtering service. The name of the content category of the web site. The Fortinet logo. 01-28011-0254-20051115 System Config Fortinet Inc.
Page 121
System Config Figure 45: FortiManager configuration Enable FortiManager Enable secure IPSec VPN communication between the FortiGate unit FortiManager ID FortiManager IP FortiGate-1000A/FA2 Administration Guide and a FortiManager Server. Enter the serial number of the FortiManager server. Enter the IP address of the FortiManager Server. 01-28011-0254-20051115 FortiManager...
Page 122
FortiManager System Config 01-28011-0254-20051115 Fortinet Inc.
System > DHCP System > Config System > Maintenance > Backup System > Maintenance > Support Log & Report > Log Config Log & Report > Log Access Router Firewall Anti-Virus Web Filter User System > Admin System > Maintenance > Update Center System >...
System Admin This chapter describes: • • Administrators Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Administrators list Figure 46: Administrators list Create New Name Trusted hosts Permission...
Page 126
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see profiles, see “Access profile list” on page 01-28011-0254-20051115 System Admin “Using trusted hosts” on page 126. 127. Fortinet Inc.
System Admin When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
Network update feature. To allow an administrator to modify this feature, enable both Read and Write. Select both Read and Write to allow an administrator to access the system shutdown, reboot and reset to factory default functions. 01-28011-0254-20051115 System Admin Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Maintenance Use the web-based manager to maintain the FortiGate unit. Backup and restore You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files.
IPS User-Defined Upload or download IPS signatures. Signatures All Certificates Restore or back up all VPN certificates in a single password- protected file. See VPN certificates” on page 01-28011-0254-20051115 System Maintenance “To restore VPN certificates” “To back up 131. Fortinet Inc.
Page 131
System Maintenance Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories Go to System >...
• • • To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. “To enable scheduled updates” on page 137. User-initiated updates from the FDN, Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
Page 133
System Maintenance Figure 52: Update center FortiProtect Distribution Network Push Update Refresh Use override server address Update FortiGate-1000A/FA2 Administration Guide The status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates.
The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings. 01-28011-0254-20051115 System Maintenance 138. Fortinet Inc.
Page 135
System Maintenance Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent. Your database will be updated in a few minutes.
Page 136
<proxy-address_ip> set port <proxy-port> set username <username_str> set password <password_str> set status enable config system autoupdate tunneling set address 67.35.50.34 set port 8080 set username proxy_user set password proxy_pwd set status enable 01-28011-0254-20051115 System Maintenance Fortinet Inc.
System Maintenance There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
Go to Firewall > Virtual IP. Select Create New. Type a name for the virtual IP. In the External Interface section, select the external interface that the FDN connects In the Type section, select Port Forwarding. 01-28011-0254-20051115 System Maintenance Fortinet Inc.
Page 139
System Maintenance In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to. In the Map to IP section, type the IP address of the FortiGate unit on the internal network.
Support Support You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS). Figure 53: Support Report Bug to Fortinet FDS Registration Select FDS Registration to register the FortiGate unit with FortiNet.
For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
Page 142
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.
System Maintenance Shutdown You can use the Maintenance page to log out, restart and shut down the FortiGate unit. Figure 55: System shut down To log out of the system Go to System > Maintenance > Shutdown. Select Logout. Select Apply. The FortiGate unit logs out.
Page 144
The FortiGate unit restarts with the configuration that it had when it was first powered Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. 01-28011-0254-20051115 System Maintenance Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Virtual Domain FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
System Virtual Domain 151) “To select a management virtual 150) “To configure routing for a virtual 152) “To configure the routing 152) 152) “To add IP pools to a virtual “To add Virtual IPs to a virtual 154) Fortinet Inc. 153)
System Virtual Domain Shared configuration settings The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings. • • • • • •...
A check mark icon in this column indicates that this is the domain used for system management. Delete icon. Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management. 01-28011-0254-20051115 System Virtual Domain Fortinet Inc.
Selecting a management virtual domain In NAT/Router mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”...
Go to System > Network > Interface. Adding interfaces, VLAN subinterfaces, and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtual domain 01-28011-0254-20051115 System Virtual Domain Fortinet Inc.
Page 151
System Virtual Domain Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
66. Any zones that you add are added to the current virtual “Router” on page 155. Network traffic entering this virtual domain is routed only “Routing table (Transparent Mode)” on page 01-28011-0254-20051115 System Virtual Domain 70. Network traffic entering this Fortinet Inc.
Page 153
System Virtual Domain Select Create new to add firewall policies to the current virtual domain. interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See page 261. 01-28011-0254-20051115 System Virtual Domain “VPN” on Fortinet Inc.
You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
Page 156
• • • The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
Router Figure 58: Destinations on networks behind internal routers To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24...
The destination IP address for this route. The netmask for this route. The IP address of the first next hop router to which this route directs traffic. The name of the FortiGate interface through which to route traffic. The administrative distance for the route.
Router Select the Move to icon beside the route you want to move. Current Order shows the existing number for this route. Figure 61: Move a static route For Move to, select either Before or After and type the number that you want to place this route before or after.
Match packets that have this destination IP address and netmask. Match packets that have this destination port range. To match a single port, enter the same port number for both From and To. Send packets that match this policy route to this next hop router. 01-28011-0254-20051115 Router...
Router RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 64: RIP General settings...
Static Metric Route-map To configure RIP general settings Go to Router > RIP > General. Select the default RIP Version. Change the Default Metric if required. Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
Figure 66: RIP Networks configuration To configure a RIP network definition Go to Router > RIP > Networks. Select Create New to add a new RIP network definition or select the Edit icon to edit an existing RIP network definition.
In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. 01-28011-0254-20051115 Router...
Password Key-chain To configure a RIP interface Go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
Interface Enable To configure a distribute list Go to Router > RIP > Distribute List. Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
Access-list Offset Interface Enable To configure an offset list Go to Router > RIP > Offset List. FortiGate-1000A/FA2 Administration Guide Add a new offset list. The direction for the offset list. The access list to use for this offset list.
Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects Router objects are a set of tools used by routing protocols and features. Access list Access lists are filters used by FortiGate routing features.
Router New access list Figure 74: Access list name configuration To add an access list name Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry...
New Prefix list Figure 77: Prefix list name configuration To add a prefix list name Go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. Add a new prefix list name. An access list and a prefix list cannot have the same name.
Less or equal to To configure a prefix list entry Go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry.
New Route-map Figure 80: Route map name configuration To add a route map name Go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK. Add a new route map name.
Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric. The metric can be a number from 1 to 16.
New key chain Figure 83: Key chain name configuration To add a key chain name Go to Router > Router Objects > Key-chain. for information on setting the FortiGate system date and Add a new key chain. The key chain name.
Start To configure a key chain entry Go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
Up Time To filter the routing monitor display Go to Router > Monitor > Routing Monitor. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
CLI commands see the FortiGate CLI Reference Guide. get router info ospf Use this command to display information about OSPF. Command syntax router info ospf command keywords and variables Keywords border-routers database interface...
An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
Page 179
Router Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables Keywords and variables abr-type {cisco | ibm | shortcut | standard} database-overflow {disable | enable} database-overflow- max-lsas <lsas_integer>...
Page 180
<address_ipv4> spf-timers <delay_integer> <hold_integer> Example This example shows how to set the OSPF router ID to 1.1.1.1: This example shows how to display the OSPF settings. Description Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
Page 181
This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
Page 182
Enable or disable redistributing routes into a NSSA area. 01-28011-0254-20051115 Router Default Availability All models. none All models. All models. disable All models. All models. All models. enable Fortinet Inc.
Page 183
This example shows how to display the settings for area 15.1.1.1. FortiGate-1000A/FA2 Administration Guide Description A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain.
Page 184
Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list. 01-28011-0254-20051115 170. Default Availability null Router “Access All models. All models. Fortinet Inc.
Page 185
The range id_integer can be 0 to 4294967295. FortiGate-1000A/FA2 Administration Guide config router ospf config area edit 15.1.1.1 config filter-list config router ospf config area edit 15.1.1.1...
Page 186
Enable or disable using a substitute prefix. disable All models. config router ospf config area edit 15.1.1.1 config range config router ospf config area edit 15.1.1.1 01-28011-0254-20051115 Default enable 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 edit 1 set prefix 1.1.0.0 255.255.0.0 Router Availability All models. All models. All models. Fortinet Inc.
Page 187
Virtual links can only be set up between two area border routers (ABRs). config virtual link command syntax pattern Note: Only the peer keyword is required. All other keywords are optional. FortiGate-1000A/FA2 Administration Guide config router ospf config area edit 15.1.1.1 show config virtual-link edit <name_str>...
Page 188
1 to 255. key_str is an alphanumeric string of up to 16 characters. 01-28011-0254-20051115 Router Default Availability All models. none All models. default. authentication must be set to text. All models. All models. All models. default. authentication must be set to md5. Fortinet Inc.
Page 189
This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. FortiGate-1000A/FA2 Administration Guide Description The router id of the remote ABR. 0.0.0.0 is not allowed. The time, in seconds, to wait before sending a LSA retransmission. The...
Page 190
CLI configuration config distribute-list Access the config distribute-list subcommand using the config router ospf command. Use this command to use an access list to filter the networks in routing updates. Routes not matched by any of the distribute lists will not be advertised.
Page 191
This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
Page 192
The valid range for priority_integer is 0 to 255. config router ospf config neighbor edit 1 set ip 192.168.21.63 config router ospf config neighbor edit 1 01-28011-0254-20051115 Router Default Availability All models. 0.0.0.0 All models. All models. All models. Fortinet Inc.
Router config network Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern...
Page 194
This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
Page 195
In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. If you configure authentication for the interface, authentication for areas is not used.
Page 196
576 to 65535. 01-28011-0254-20051115 Router Default Availability All models. All models. disable All models. All models. All models. null All models. 0.0.0.0 No default. All models. authentication must be set to md5. 1500 All models. Fortinet Inc.
Page 197
“config neighbor” on page 191. Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 can not be elected DR or BDR.
Page 198
192.168.20.3 set authentication text set authentication-key a2b3c4d5e config router ospf config ospf-interface edit test config router ospf config ospf-interface edit test show 01-28011-0254-20051115 Router Default Availability All models. enable All models. Fortinet Inc.
Router config redistribute Access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network. config redistribute command syntax pattern...
Page 200
Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page route, you reduce the size of the OSPF link-state database.
10.0.0.0 255.0.0.0 get router ospf show router ospf config router static6 edit <sequence_integer> set <keyword> <variable> config router static6 edit <sequence_integer> unset <keyword> config router static6 delete <sequence_integer> get router static6 [<sequence_integer>] show router static6 [<sequence_integer>] 01-28011-0254-20051115 CLI configuration...
Page 202
Enter ::/0 for the destination IPV6 address and netmask to add a default route. The IPV6 address of the first next hop router to which this route directs traffic. config router static6 edit 2 set dev internal set dst 12AB:0:0:CD30::/60...
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 Firewall Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 86: Sample policy list How policy matching works Policy list Policy options Advanced policy options Configuring firewall policies Policy CLI configuration 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall The policy list has the following icons and features. Create new Source Dest Schedule Service Action Enable source -> destination (n) Policy list headings indicating the traffic to which the policy Figure 87: Move to options Policy options Policy options are configurable when creating or editing a firewall policy. FortiGate-1000A/FA2 Administration Guide Select Create New to add a firewall policy.
Page 206
Select the name of a firewall address or address group that matches the destination address of the packets to be matched with this policy. 230. 01-28011-0254-20051115 “Interface” on page 55 for information about zones. “Address” on page 213. “Virtual IP” Fortinet Inc. Firewall...
Page 207
Firewall Schedule Select a schedule that controls when the policy is available to be matched with connections. See Service Select the name of a service or service group that matches the service or protocol of the packets to be matched with this policy. You can select from a wide range of predefined services or add custom services and service groups.
If you do not select Dynamic IP pool, a policy with Fixed Port selected can only allow one connection at a time. 237. “Authentication” on page 361. 01-28011-0254-20051115 “IP pool” on page “Protection profile” 209. “Log & Report” on Firewall 234. Fortinet Inc.
Page 209
Firewall Figure 89: Advanced policy options Authentication You must add users and a firewall protection profile to a user group before you can select Authentication. For information about adding and configuring user groups, see “User group” on page Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.
Less important services should be assigned a low priority. The firewall provides bandwidth to low- priority connections only when bandwidth is not needed for high-priority connections. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall You can configure policies to apply DSCP values for both original (or forward) traffic and reverse (or reply) traffic. These values are optional and may be enabled independently from each other. When both are disabled, no changes to the DS field are made.
Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords. Command syntax pattern config firewall policy edit <id_integer> set <keyword> <variable> 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall firewall policy command keywords and variables Keywords and variables Description http_retry_count <retry_integer> natip <address_ipv4mask> Address You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address range.
The Delete and Edit/View icons. Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. address range separated by a hyphen 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall An IP/Mask address can represent: • • • An IP address can be: • • • The netmask corresponds to the type of address that you are adding. For example: • • • • • An IP Range address represents: •...
Address group options are configurable when creating or editing an address group. Select Create New to add an address group. The name of the address group. The addresses in the address group. The Delete and Edit/View icons. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall Figure 94: Address group options Address group has the following options: Group Name Available Addresses Members Configuring address groups To organize addresses into an address group Go to Firewall > Address > Group. Select Create New. Enter a group name to identify the address group. Select an address from the Available Addresses list and select the right arrow to move the address into the group.
• • • • • • • Predefined service list Figure 95: Predefined service list Predefined service list Custom service list Custom service options Configuring custom services Service group list Service group options Configuring service groups 01-28011-0254-20051115 Firewall Fortinet Inc.
Page 219
Firewall The predefined services list has the following icons and features. Name Detail Table 29 any policy. Table 29: FortiGate predefined services Service name DHCP FINGER GOPHER H323 HTTP HTTPS FortiGate-1000A/FA2 Administration Guide The name of the predefined services. The protocol for each predefined service. lists the FortiGate predefined firewall services.
Page 220
Internet. For connections used by the popular Quake multi-player computer game. For streaming real audio multimedia traffic. 01-28011-0254-20051115 Firewall Protocol Port 6660-6669 1701 1720 111, 2049 5632 icmp icmp icmp icmp 1723 26000, 27000, 27910, 27960 7070 Fortinet Inc.
Firewall Table 29: FortiGate predefined services (Continued) Service name RLOGIN SIP- MSNmessenger SMTP SNMP SYSLOG TALK TELNET TFTP UUCP VDOLIVE WAIS WINFRAME X-WINDOWS Custom service list Add a custom service if you need to create a policy for a service that is not in the predefined service list.
If the service uses one port number, enter this number in both the low and high fields. low and high port numbers. If the service uses one port number, enter this number in both the low and high fields. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall ICMP custom service options Figure 98: ICMP custom service options Name Protocol Type Type Code IP custom service options Figure 99: IP custom service options Name Protocol Type Protocol Number The IP protocol number for the service. Configuring custom services To add a custom TCP or UDP service Go to Firewall >...
To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall Figure 100:Sample service group list The service group list has the following icons and features. Create New Group Name Members Service group options Service group options are configurable when creating or editing a service group. Figure 101:Service group options Service group has the following options.
Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period. One-time schedule list One-time schedule options Configuring one-time schedules Recurring schedule list Recurring schedule options Configuring recurring schedules 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall Figure 102:Sample one-time schedule list The one-time schedule list has the following icons and features. Create New Name Start Stop One-time schedule options Figure 103:One-time schedule options One-time schedule has the following options. Name Start Stop Configuring one-time schedules To add a one-time schedule Go to Firewall >...
The name of the recurring schedule. The initials of the days of the week on which the schedule is active. The start time of the recurring schedule. The stop time of the recurring schedule. The Delete and Edit/View icons. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall Recurring schedule options Figure 105:Recurring schedule options Recurring schedule has the following options. Name Select Start Stop Configuring recurring schedules To add a recurring schedule Go to Firewall > Schedule > Recurring. Select Create New. Enter a name for the schedule. Select the days of the week that you want the schedule to be active.
Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally a different port number on a destination network. Virtual IP list Virtual IP options Configuring virtual IPs 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall The virtual IP list has the following icons and features. Create New Name Service Port Map to IP Map to Port Virtual IP options Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding. Figure 107:Virtual IP options;...
Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.) Table 30 on page 233 contains example virtual IP external interface settings 01-28011-0254-20051115 Firewall Fortinet Inc.
Page 233
Firewall Table 30: Virtual IP external interface examples External Interface Description internal external To add port forwarding virtual IPs Go to Firewall > Virtual IP. Select Create New. Enter a name for the port forwarding virtual IP. Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
You can enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. If you add an IP pool to port1, you can select Dynamic IP pool for policies with the port1 interface as the destination.
For the IP pool that you want to edit, select Edit beside it. Modify the IP pool as required. Select OK to save the changes. Select the interface to which to add an IP pool. Enter a name for the IP pool. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.
You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected. 01-28011-0254-20051115 Firewall Fortinet Inc.
Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis. 01-28011-0254-20051115 Protection profile 239.
Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall Configuring web category filtering options Figure 115:Protection profile web category filtering options (FortiGuard) The following options are available for web category filtering through the protection profile. See options. Enable category block (HTTP only) Block unrated websites (HTTP only) Provide details for blocked HTTP 4xx and 5xx errors (HTTP only) Rate images by URL (blocked...
A or MX record. Enable or disable checking source MIME headers against the configured spam filter MIME header list. Enable or disable checking source email against the configured spam filter banned word list. 01-28011-0254-20051115 Firewall for more for more Fortinet Inc.
Page 243
Firewall Spam Action Append to Append with Note: Some popular email clients cannot filter messages based on the MIME header. Check your email client features before deciding how to tag spam. Configuring IPS options Figure 117:Protection profile IPS options The following options are available for IPS through the protection profile. See page 293 IPS Signature IPS Anomaly...
FortiLog unit for each protocol. Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiLog is enabled under Log&Report > Log Config > Log Settings. 01-28011-0254-20051115 Firewall Fortinet Inc.
Firewall To add a protection profile to a policy You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. Go to Firewall >...
Page 246
If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. 01-28011-0254-20051115 Firewall Default Availability All models. splice No default. All models. Fortinet Inc.
Page 247
Firewall firewall profile command keywords and variables (Continued) Keywords and variables smtp {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice} This example shows how to display the settings for the firewall profile command.
Page 248
Protection profile Firewall 01-28011-0254-20051115 Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 User You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long. 01-28011-0254-20051115 User Fortinet Inc.
User LDAP Radius To add a user name and configure authentication Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user. Select OK.
FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret. 01-28011-0254-20051115 User Fortinet Inc.
User The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.
Page 254
For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com 01-28011-0254-20051115 User Fortinet Inc.
User User group To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: •...
The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group. 01-28011-0254-20051115 User Fortinet Inc.
User To delete a user group You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required. 01-28011-0254-20051115 User Default Availability No default. All models. Fortinet Inc.
Page 259
User This example shows how to display the list of configured peer groups. This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peers groups. This example shows how to display the configuration for the peergrp EU_branches. FortiGate-1000A/FA2 Administration Guide config user peergrp edit EU_branches...
Page 260
CLI configuration User 01-28011-0254-20051115 Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 FortiGate units support the following protocols to authenticate and encrypt traffic: • • • This chapter contains information about the following VPN topics: • • • • • • • • • • • FortiGate-1000A/FA2 Administration Guide Internet Protocol Security (IPSec) Point-to-Point Tunneling Protocol (PPTP)
Select Create New to create a new phase 1 configuration. The names of existing phase 1 configurations. The IP address or domain name of a remote peer, or Dialup for a dialup client. Main or Aggressive. 01-28011-0254-20051115 Guide. “Manual key” on Fortinet Inc.
Encryption Algorithm Delete and Edit icons Phase 1 basic settings Figure 128:Phase 1 basic settings Gateway Name Remote Gateway IP Address Dynamic DNS Mode Authentication Method FortiGate-1000A/FA2 Administration Guide The names of the encryption and authentication algorithms used by each phase 1 configuration.
Page 264
“Configuring the phase 1 IKE exchange” sections of the 01-28011-0254-20051115 “Certificates” FortiGate VPN Authenticating FortiClient Note. “User” on page 249. For more FortiGate VPN FortiGate CLI Reference Guide. If the Guide. When the remote peers and FortiGate VPN Guide. Fortinet Inc.
Phase 1 advanced settings Figure 129:Phase 1 advanced settings P1 Proposal FortiGate-1000A/FA2 Administration Guide Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds. Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. 01-28011-0254-20051115 Fortinet Inc.
To configure phase 2 settings Go to VPN > IPSEC > Phase 2. Follow the general guidelines in these sections: • • • For information about how to choose the correct phase 2 settings for your particular situation, refer to the Note: The procedures in this section assume that you want the FortiGate unit to generate unique IPSec encryption and authentication keys automatically.
If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configuration before it can be selected here. See 01-28011-0254-20051115 “Phase 1” on “Concentrator” on page 272. Fortinet Inc.
Page 269
P2 Proposal Enable replay detection Enable perfect forward secrecy (PFS) DH Group Keylife Autokey Keep Alive DHCP-IPSec FortiGate-1000A/FA2 Administration Guide Select the encryption and authentication algorithms that will be used to change data into encrypted code. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
Prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key). Encryption and authentication needs to be disabled. 01-28011-0254-20051115 Fortinet Inc.
Follow the guidelines in these sections: • • Manual key list Figure 133:IPSec VPN Manual Key list Create New Remote Gateway Encryption Algorithm Authentication Algorithm Delete and Edit icons Manual key options VPN Tunnel Name Type a name for the VPN tunnel. Local SPI Remote SPI Remote Gateway...
If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configuration before it can be selected here. See “Concentrator” on page 272. 01-28011-0254-20051115 Fortinet Inc.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.
VPN peer (for example, 172.16.5.1/32). For a dialup-client or Internet-browsing configuration where the remote VPN client is configured to acquire a virtual IP address, the destination address must correspond to the virtual IP address that can be acquired. 01-28011-0254-20051115 Fortinet Inc.
Ping generator options Figure 137:Ping generator Enable Source IP 1 Destination IP 1 Source IP 2 Destination IP 2 Monitor You can use the monitor to view activity on IPSec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels.
Page 276
Destination field displays the IP address of the remote private network. Start or stop the current dialup tunnel. If you stop the tunnel, the dialup user may have to reconnect to establish a new VPN session. Display the previous or next page of dialup-tunnel status listings. 01-28011-0254-20051115 Fortinet Inc.
Static IP and dynamic DNS monitor The list of tunnels provides information about VPN connections to remote peers that have static IP addresses or domain names. You can use this list to view status and IP addressing information for each tunnel configuration. You can also start and stop individual tunnels from the list.
Type the starting address in the range of reserved IP addresses. Type the ending address in the range of reserved IP addresses. Select the name of the PPTP user group that you defined. Select the option to disable PPTP support. 285. 01-28011-0254-20051115 “L2TP configuration Fortinet Inc.
Figure 141:L2TP range Enable L2TP Starting IP Ending IP User Group Disable L2TP Certificates Digital certificates are downloadable files that you can install on the FortiGate unit and on remote peers and clients for authentication purposes. An X.509 digital certificate contains information that has been digitally signed by a trusted third party known as a certificate authority (CA).
Delete a certificate from the FortiGate configuration. Select to save a copy of the certificate request to a local computer. Send the request to your CA to obtain a certificate for the FortiGate unit. 01-28011-0254-20051115 “Certificate request” on “Importing signed certificates” Figure 143. Fortinet Inc.
Figure 144:Generating a certificate signing request Certification Name Subject Information Organization Unit Organization Locality (City) State/Province Country e-mail Key Type Key Size Importing signed certificates Your CA will provide you with a signed certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a PC that has management access to the FortiGate unit.
Information about the CA. Select to display certificate details. Delete a CA certificate from the FortiGate configuration. Select if you want to save a copy of the CA root certificate to a local computer. 01-28011-0254-20051115 “Importing CA certificates” on Fortinet Inc.
Figure 147:Importing a CA certificate Browse to the location on the management PC where the certificate has been saved, select the certificate, and then select OK. Select OK. VPN configuration procedures procedures needed to create different types of VPN configurations. The guide contains the following chapters: •...
IP packets may be delivered. The name may correspond to a VIP-address range for dialup clients. Keep the default setting (always) unless changes are needed to meet specific requirements. Keep the default setting (ANY) unless changes are needed to meet your specific requirements. 01-28011-0254-20051115 Fortinet Inc.
Action VPN Tunnel You may enable a protection profile, and/or event logging, or select advanced settings to shape traffic or differentiate services. See the “Firewall” chapter of the FortiGate Administration Guide. Select OK. Place the policy in the policy list above any other policies having similar source and destination addresses.
Page 287
ipsec phase1 command keywords and variables Keywords and variables dpd-idlecleanup <seconds_integer> dpd-idleworry <seconds_integer> dpd-retrycount <retry_integer> dpd-retryinterval <seconds_integer> FortiGate-1000A/FA2 Administration Guide Description The DPD long idle setting when dpd is set to enable. Set the time, in seconds, that a link must remain unused before the local VPN peer pro-actively probes its state.
ipsec phase2 command keywords and variables Keywords and variables bindtoif <interface-name_str> single-source {disable | enable} ipsec vip A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding the associated traffic to the intended destination host over an IPSec VPN tunnel. The feature is intended to enable IPSec VPN communications between two hosts that coordinate the same private address space on physically separate networks.
1 set ip 192.168.12.1 set out-interface external next edit 2 set ip 192.168.12.2 set out-interface external get vpn ipsec vip get vpn ipsec vip 1 show vpn ipsec vip 01-28011-0254-20051115 Default Availability 0.0.0.0 All models. null All models. Fortinet Inc.
Page 291
Consider the following example, which shows two physically separate networks. The IP addresses of the computers on both networks are in the 192.168.12.0/24 range, but no two IP addresses are the same. An IPSec VPN has been configured between FortiGate_1 and FortiGate_2. The FortiGate configuration permits Host_1 on the Finance network to transmit data to Host_2 on the HR network through the IPSec VPN tunnel.
Page 292
1 set ip 192.168.12.2 set out-interface external 289). For example, to enable access to Host_1 on the Finance network config vpn ipsec vip edit 1 set ip 192.168.12.1 set out-interface external 01-28011-0254-20051115 “ipsec Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly intrusion detection and prevention with low latency and excellent reliability. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions.
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
Predefined signatures Predefined signatures are arranged into groups based on the type of attack. By default, all signature groups are enabled while some signatures within groups are not. Check the default settings to ensure they meet the requirements of your network traffic.
When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The session is not touched. Fortinet recommends using an action other than Drop for TCP connection based attacks. When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet.
Page 297
Select the Configure icon next to the predefined signature group that you want to enable or disable. Figure 150:Enabling or disabling a predefined signature group Select the enable box to enable the predefined signature group or clear the enable box to disable the predefined signature group. Select OK.
If the codepoint is set to a number from 1 to 63, the codepoint for the session is changed to the specified value. If the codepoint is set to -1 (the default) no change is made to the codepoint in the IP header. 01-28011-0254-20051115 Fortinet Inc.
Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments. The FortiGate predefined signatures cover common attacks. If you are using an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors.
If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached. If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached. 01-28011-0254-20051115 Table 32 “Backing up Fortinet Inc.
You can enable or disable logging for each anomaly, and you can control the IPS action in response to detecting an anomaly. In many cases you can also configure the thresholds that the anomaly uses to detect traffic patterns that could represent an attack.
Page 302
Drop When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The firewall session is not touched. Fortinet recommends using an action other than Drop for TCP connection based attacks. Reset When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet.
threshold To configure the settings of an anomaly Go to IPS > Anomaly. Select the Edit icon for the signature you want to configure. Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly.
This means that crucial network traffic will not be blocked and the Firewall will continue to operate while the problem is resolved. config sys global ip_signature {enable | disable} 01-28011-0254-20051115 Default disable Default enable Fortinet Inc.
Keywords and variables ip_signature {enable | disable} system global ips-size Set the size of the IPS buffer. Command syntax pattern Keywords and variables ips-size <ips_buffer_size> Configuring anomaly settings (config ips anomaly) config limit Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
Page 306
The ip address and netmask of the source or destination network. Set the threshold that triggers this anomaly. config ips anomaly tcp_src_session config limit edit subnet1 set ipaddress 1.1.1.0 255.255.255.0 set threshold 300 01-28011-0254-20051115 Default Availability All models. default. All models. default. Fortinet Inc.
Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see This chapter describes: •...
Antivirus This section describes: • • File block list The file block list is preconfigured with a default list of file patterns: • • • • • • • • • • Figure 159:Default file block list File block list has the following icons and features: Create New Apply Pattern...
You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. This section describes: •...
EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
(* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
Antivirus Select Enable. Select OK. Note: To enable automatic uploading of the configured file patterns you must go to Anti-Virus > Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern. Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service.
Heuristics is configurable through the CLI only. See page 317. Select Apply to save the configuration. Virus list Config Grayware Grayware options 38. To find out how to use the Fortinet Update Center, see 132. Figure 01-28011-0254-20051115 “CLI configuration” on “Changing unit 165. Antivirus...
Antivirus Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data.
Page 316
Select enable to block remote administration tools. Remote administration tools allow outside users to remotely change and monitor a computer on a network. 01-28011-0254-20051115 Antivirus Fortinet Inc.
When the free memory once again reaches 30% or greater of the total memory, the system returns to nonconserve mode. For more information see the Antivirus failopen and optimization Fortinet Knowledge Center article. Command syntax pattern...
FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster. For more information see the Antivirus failopen and optimization Fortinet Knowledge Center article. Command syntax pattern...
Antivirus Example This example shows how to set the FortiGate unit to optimize operations for antivirus scanning. config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches.
Quarantine files found by heuristic scanning in traffic for the specified protocols. config antivirus service http set <keyword> <variable> 01-28011-0254-20051115 Antivirus Default Availability FortiGate imap models smtp numbered pop3 200 and http higher. FortiGate default. models numbered 200 and higher. Fortinet Inc.
Page 321
Antivirus antivirus service http command keywords and variables Keywords and variables memfilesizelimit <MB_integer> port <port_integer> uncompsizelimit <MB_integer> How file size limits work The memfilesizelimit is applied first to all incoming files, compressed or uncompressed. If the file is larger than the limit the file is passed or blocked according to the user configuration in the firewall profile.
70 set port 80 set port 443 get antivirus service http show antivirus service http config antivirus service ftp set <keyword> <variable> config antivirus service ftp unset <keyword> get antivirus service [ftp] show antivirus service [ftp] 01-28011-0254-20051115 Antivirus Fortinet Inc.
Page 323
Antivirus antivirus service ftp command keywords and variables Keywords and variables memfilesizelimit <MB_integer> port <port_integer> uncompsizelimit <MB_integer> How file size limits work Example This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to memory at 100 MB, and how to enable antivirus scanning on ports 20 and 21 for FTP traffic.
Enter a value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended). “How file size limits work” on page 01-28011-0254-20051115 Default 10 (MB) 10 (MB) 321. Antivirus Availability All models. All models. All models. Fortinet Inc.
Antivirus Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 20 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 60 MB, and how to enable antivirus scanning on ports 110, 111, and 992 for POP3 traffic.
Page 326
25 set uncompsizelimit 50 set port 143 set port 993 get antivirus service imap show antivirus service imap 01-28011-0254-20051115 Default 10 (MB) 10 (MB) 321. Antivirus Availability All models. All models. All models. Fortinet Inc.
Antivirus config antivirus service smtp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected email file attachments.
Page 328
This example shows how to display the configuration for antivirus SMTP traffic. config antivirus service smtp set memfilesizelimit 100 set uncompsizelimit 1000 set port 25 set port 465 get antivirus service smtp show antivirus service smtp 01-28011-0254-20051115 Antivirus Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering.
Page 330
This chapter describes: • • • • • 237. For information about adding protection profiles to firewall policies, see Content block URL block URL exempt Category block Script filter 01-28011-0254-20051115 Web Filter setting “Protection profile” on 245. Web filter “To Fortinet Inc.
Web filter Content block Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
“Using Perl regular expressions” on page Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list. 01-28011-0254-20051115 Web filter 358. Fortinet Inc.
Web filter Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. This section describes: •...
FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings. 334. 01-28011-0254-20051115 Web filter “Web pattern Fortinet Inc.
Web filter Figure 171:Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Create New Pattern Configuring web pattern block To add a pattern to the web pattern block list Go to Web Filter > URL Block. Select Web Pattern Block.
Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons. 01-28011-0254-20051115 Web filter Fortinet Inc.
• FortiGuard-Web Filtering service FortiGuard-Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard-Web Filtering sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the...
FortiGuard-Web Filtering licensing Every FortiGate unit comes with a free 30-day FortiGuard-Web Filtering trial license. FortiGuard-Web Filtering license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard-Web Filtering Service Point when you enable FortiGuard-Web Filtering category blocking.
Web filter To have a URL’s... Configuring web category block To enable FortiGuard-Web Filtering Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard-Web Filtering server. After a moment, the FortiGuard-Web Filtering status should change from Unknown to Available.
The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame. 01-28011-0254-20051115 Web filter Fortinet Inc.
The hostname of the FortiGuard Service Point. The FortiGate comes preconfigured with the host name. Use this command only if you need to change the host name. config webfilter catblock set ftgd_hostname guard.example.net get webfilter catblock show webfilter catblock 01-28011-0254-20051115 Script filter Default guard.fortinet.com...
You can configure the following options for script filtering: Javascript Cookies ActiveX Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications. 01-28011-0254-20051115 Web filter Fortinet Inc.
Table 36: Spam Filter and Protection Profile spam filtering configuration Protection Profile spam filtering options IP address FortiGuard-Antispam Service check Enable or disable Fortinet’s antispam service called FortiGuard-Antispam Service. FortiGuard-Antispam Service is Fortinet’s own DNSBL server that provides spam IP address and URL blacklists.
Page 344
You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. “Protection profile” on 245. Spam filter “To Fortinet Inc.
Spam filter This chapter describes: • • • • • • • • Order of spam filter operations The order in which incoming mail is passed through the spam filters is determined by the protocol used to transfer the mail: For SMTP IP address BWL check - Last hop IP RBL &...
• FortiGuard-Antispam Service Spam filtering FortiGuard-Antispam Service is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate Spam. The URL black list contains URLs of website found in Spam email.
Spam filter Both FortiGuard-Antispam Service processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard- Antispam Service is always current. You can enable or disable FortiGuard-Antispam Service in a firewall protection profile. See page FortiGuard-Antispam Service Service Points FortiGuard-Antispam Service Service Points provide worldwide coverage.
The cache is enabled by default. Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. “Configuring spam filtering options” on page 01-28011-0254-20051115 Spam filter 242. Fortinet Inc.
Spam filter FortiGuard-Antispam Service CLI configuration Use the hostname keyword for the spamfilter fortishield command if you ever need to change the default hostname for the FortiGuard-Antispam Service Service Point. The FortiGuard-Antispam Service Service Point name cannot be changed using the web-based manager. You can configure all the FortiGuard- Antispam Service settings using from the CLI.
Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons. 01-28011-0254-20051115 Spam filter Fortinet Inc.
Spam filter Select Create New. Figure 180:Adding an IP address Enter the IP address/mask you want to add. If required, select before or after another IP address in the list to place the new IP address in the correct position. Select the action to take on email from the IP address.
The action to take on email matched by the DNSBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to drop the session. The Delete and Edit/View icons. 01-28011-0254-20051115 Spam filter Fortinet Inc.
Spam filter Email address The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See Note: MIME header entries are case sensitive. X-mailer: outgluck X-Distribution: bulk Content_Type: text/html Content_Type: image/jpg “Using Perl regular expressions” on page 01-28011-0254-20051115 Spam filter 358. Fortinet Inc.
Spam filter This section describes: • • • MIME headers list You can configure the FortiGate unit to filter email with specific MIME header key-value pairs. You can mark each MIME header as clear or spam. Figure 185:Sample MIME headers list MIME headers options MIME headers list has the following icons and features: Create New...
Perl regular expressions. See expressions” on page “Using Perl regular expressions” on page Banned word list Banned word options Configuring the banned word list 358. 01-28011-0254-20051115 Spam filter 358. “Using Perl regular Fortinet Inc.
Spam filter Figure 187:Sample banned word List Banned word options Banned word has the following icons and features: Create new Total Pattern Pattern Type Language Where Action When you select Create New or Edit you can configure the following settings for the banned word.
‘*’ means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be fort.*\.com. fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To mach fortinet.com, the regular expression should be: fortinet\.com forti*\.com matches fortiiii.com but does not match fortinet.com...
Page 359
Spam filter Word boundary In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also matches any word that contains the “test” such as “atest”, “mytest”, “testimony”, “atestb”.
Page 360
‘/’ will be parsed as a list of regexp options ('i', 'x', etc). An error occurs If the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression. 01-28011-0254-20051115 Spam filter Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 Log & Report FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages, except traffic and content, can be saved in internal memory.
Log config High Availability cluster logging Log access CLI configuration Log Setting options Alert E-mail options Log filter options Configuring log filters Enabling traffic logging 01-28011-0254-20051115 Log & Report FortiGate Log Fortinet Knowledge Center web site. Fortinet Inc.
Page 363
Log & Report FortiLog Disk Memory Syslog WebTrends Figure 190:Log setting options for all log locations To configure Log Setting Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
Page 364
Enter the port number used by the FTP server. The default port is 21, which is the standard FTP port. Enter the user name required to connect to the FTP server. Enter the password required to connect to the FTP server. 01-28011-0254-20051115 Table 38, “Logging 364. Log & Report Fortinet Inc.
Log & Report Remote Directory Log files to upload To configure log file uploading Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server.
The interval to wait before sending an alert e-mail for alert level log messages. The interval to wait before sending an alert e-mail for critical level log messages. The interval to wait before sending an alert e-mail for error level log messages. 01-28011-0254-20051115 Log & Report Fortinet Inc.
Log & Report Warning Notification Information Apply Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in filter options”...
You can apply the following filters: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings. The FortiGate unit logs all traffic that violates the firewall policy settings. for more information. 01-28011-0254-20051115 Log & Report “Enabling Fortinet Inc.
Page 369
Log & Report System Activity event IPSec negotiation event DHCP service event L2TP/PPTP/PPPoE service event Admin event HA activity event Firewall authentication event Pattern update event Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic. 01-28011-0254-20051115 Log & Report Fortinet Inc.
Log & Report To enable traffic logging for a firewall policy You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log. Go to Firewall > Policy. Select the Edit icon for a policy. Select Log Traffic.
Page 372
Clear log icon. Delete the log entries from the log file (but not the file). Download icon. Download the log as a text or CSV file. View icon. Display the log file through the web-based manager. 01-28011-0254-20051115 Log & Report Fortinet Inc.
Log & Report Select the View icon for the disk file you want to display. For detailed information about searching logs, see page Viewing log messages You can view and navigate log messages saved to FortiGate hard disk drives or to the memory buffer.
Page 374
Move selected field up one position in the Show these fields list. Move selected field down one position in the Show these fields list. 01-28011-0254-20051115 Log & Report Fortinet Inc.
Log & Report To change the columns in the log message display While viewing log messages, select the Column Settings icon. The Column Settings window opens. To add fields, select them in the Available fields list and select the right arrow button. To remove fields, select them in the Show these fields list and select the left arrow button.
FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiGate are encrypted and secure. 01-28011-0254-20051115 Log & Report Default Availability disable All models. All models. default. Fortinet Inc.
Log & Report log fortilog setting command keywords and variables (Continued) Keywords and variables psksecret <str_psk> server <address_ipv4> status {disable | enable} Note: The IPSec VPN settings for the FortiGate unit must match the VPN settings on the FortiLog unit. Example This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.
Page 378
Enter the IP address of the syslog server that stores the logs. Enter enable to enable logging to a remote syslog server. 01-28011-0254-20051115 Log & Report Default Availability All models. disable All models. local7 Table All models. No default. All models. All models. disable Fortinet Inc.
Page 379
Log & Report Table 39: Facility types Facility type alert audit auth authpriv clock cron daemon kernel local0 – local7 mail news syslog Example This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. This example shows how to display the log setting for logging to a remote syslog server.
Page 380
CLI configuration Log & Report 01-28011-0254-20051115 Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
Page 382
Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior. 01-28011-0254-20051115 FortiGuard categories Fortinet Inc.
Page 383
FortiGuard categories Table 40: FortiGuard categories Category name 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25.
Page 384
Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation. 01-28011-0254-20051115 FortiGuard categories Fortinet Inc.
Page 385
FortiGuard categories Table 40: FortiGuard categories Category name 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles FortiGate-1000A/FA2 Administration Guide Description Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
Page 386
IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities. 01-28011-0254-20051115 FortiGuard categories Fortinet Inc.
VPN peer uses its identity as part of the authentication process. See also main mode. AH, Authentication Header: An IPSec security protocol. Fortinet IPSec uses ESP in tunnel mode, not AH. See ESP. ARP, Address Resolution Protocol: A protocol that resolves a logical IP address to a physical Ethernet address.
Page 388
The FortiGate interface that connects to an internal (private) network. Internet: The network that encompasses the world. As a generic term, it refers to any collection of interdependent networks. IP, Internet Protocol: The component of TCP/IP that handles routing. 01-28011-0254-20051115 Fortinet Inc.
Page 389
Any packets larger than the MTU are divided into smaller packets before they are sent. NAT, Network Address Translation: A way of routing IPv4 packets transparently. Using NAT, a router or FortiGate unit between a private and public network translates private IP addresses to public addresses and the other way around.
Page 390
A hardware device that connects computers on the Internet together and routes traffic between them. A router may connect a LAN and/or DMZ to the Internet. routing: The process of determining which path to use for sending packets to a destination.
Page 391
SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP agents store and return data about themselves to SNMP requesters. spam: Unsolicited email. SSH, Secure Shell: An application that enables users to log into a remote computer and run commands securely.
Page 392
Glossary 01-28011-0254-20051115 Fortinet Inc.
FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 Index abr-type 179 accept action firewall policy 207 access-list 190 action firewall policy 205, 207 Spam filter banned word 357 Spam filter DNSBL and ORDBL 352 Spam filter IP address 350 Spam filter MIME headers 355 action type Spam filter email address 353 Action, Policy 285...
Page 394
357 where 357 banned word check protection profile 242 banned word list Spam filter 356 banned word options Spam filter 357 service 219 grayware category 317 bindtoif 289 block unrated websites (HTTP only) protection profile 241 01-28011-0254-20051115 Fortinet Inc.
Page 395
blocked web category report 340 border-routers 177 browsing the Internet through a VPN tunnel 270 CA certificates 281 cache FortiGuard 338 FortiShield 348 categories FortiGuard 337, 381 category protection profile 241 web category report 340 category block 337 configuration options 338 reports 339, 340 category blocking 337 Certificate Name 281...
Page 396
IP pool 237 dynamic port forwarding 230 dynamic port forwarding virtual IP adding 234 email address action type 353 adding an email address or domain to the Spam filter email address list 353 pattern type 353 Spam filter 353 01-28011-0254-20051115 Fortinet Inc.
Page 398
(reply) DSCP value 211 schedule 205, 207 service 205, 207 source 205 source address name 206 source interface/zone 206 traffic priority 210 traffic shaping 210 VPN tunnel 207 firewall protection profile default protection profiles 238 list 238 options 239 01-28011-0254-20051115 Fortinet Inc.
Page 399
340 reports 339 service points 337 TTL 339 Fortilog logging settings 363 fortilog setting 376 Fortinet customer service 24 Fortinet Knowledge Center 24 FortiProtect Distribution Network 132 FortiProtect Distribution Server 132 FortiShield cache 348 changing the FortiShield hostname 349...
Page 400
PPTP 94 primary cluster unit 93 primary unit 93 priorities of heartbeat device 98 random (schedule) 98 round-robin 98 schedule 98 standalone mode 96 unit priority 97 view the status of each cluster member 105 weighted-round-robin 98 01-28011-0254-20051115 Fortinet Inc.
Page 401
HA cluster members active sessions 106 back to HA configuration page 106 cluster ID 106 CPU usage 106 go 106 intrusion detected 106 memory usage 106 monitor 106 network utilization 106 refresh every 106 status 106 total bytes 106 total packets 106 up time 106 virus detected 106 header...
Page 402
184 load balancing HA 93 Local certificate list 279 Local certificate options 280 Local ID 266 Local SPI, Manual Key 271 Log & report 361 Log file upload settings 364 Log filter options 367 Log settings 362 01-28011-0254-20051115 Fortinet Inc.
Page 403
NetMeeting service 220 network address translation introduction 16 network intrusion detection 17 network utilization HA cluster members 106 network-type 197 next hop router 65 service 220 grayware category 316 NNTP service 220 nonconserve mode antivirus 317 none HA schedule 98...
Page 405
policy accept action 207 action 205, 207 adding 211 address name 206 advanced 208 allow inbound 207 allow outbound 207 authentication 209 changing the position in the policy list 212 comments 211 configuring 211 create new 205 deleting 211 deny action 207 dest 205 destination address name 206 destination interface/zone 206...
Page 406
311 date 311 DC 311 download 312 duplicates 312 file name 311 filter 311 options 311 service 311 sort by 311 status 311 status description 311 submit 312 TTL 311 upload status 311 Quick Mode Identities 270 01-28011-0254-20051115 Fortinet Inc.
Page 407
221 RLOGIN service 221 Round-Robin HA schedule 98 route 177 routemap 199 router next hop 65 router-id 180 routing configuring 70 policy 159 scan anomaly type 300 default protection profile 238 schedule automatic antivirus and attack definition updates 135...
Page 408
311 source firewall policy 205 source address name firewall policy 206 source interface/zone firewall policy 206 source IP address example 284 source port 222 source session limit anomaly type 300 spam action protection profile 243 01-28011-0254-20051115 Fortinet Inc.
Page 409
Spam filter 343 adding a server to the DNSBL and ORDBL list 352 adding an email address or domain to the Spam filter email address list 353 adding MIME headers to the Spam filter MIME header list adding words to the Spam filter banned word list 357 banned word 356 banned word list 356 banned word options 357...
Page 410
336 web filter 335 URL FortiShield check protection profile 242 user groups configuring 255 user-defined TCP services 222 Username 276 UUCP service 221 value Spam filter MIME headers 355 VDOLIVE service 221 virtual domain properties 146 01-28011-0254-20051115 Fortinet Inc.
Page 411
virtual IP 230 adding 232, 233, 234 adding a dynamic port forwarding virtual IP 234 adding a port forwarding virtual IP 233 adding a static NAT virtual IP 232 configuring 232 create new 231 deleting 234 editing 234 external interface 231 external IP address 231 external service port 232 firewall 230...
Page 412
333 web-based manager introduction 19 language 91, 92 timeout 91 WebTrends logging settings 365 weighted round-robin HA schedule 98 weighted-round-robin configuring weights 103 where Spam filter banned word 357 WINFRAME service 221 XAuth 266 X-WINDOWS service 221 01-28011-0254-20051115 Fortinet Inc.