Fortinet FortiGate FortiGate-1000A Administration Manual



FortiGate-1000A and FortiGate-1000AFA2
Administration Guide
Version 2.80 MR11
15 November 2005
Document number 01-28011-0254-20051115


Summary of Contents for Fortinet FortiGate FortiGate-1000A

  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    US Domestic distribution changes (20); Document conventions (22); Fortinet documentation (23); Fortinet Knowledge Center (24); Comments on Fortinet technical documentation (24); Customer service and technical support (24); Web-based manager (25); Button bar features (26); Contact Customer Support ...
  • Page 4 Server (83); DHCP server settings (84); Exclude range (85); DHCP exclude range settings (86); IP/MAC binding (86); DHCP IP/MAC binding settings (87); Dynamic IP (87); System Config (89); System time (89)
  • Page 5 SNMP (108); Configuring SNMP (108); SNMP community (109); FortiGate MIBs (112); FortiGate traps (112); Fortinet MIB fields (114); Replacement messages (117); Replacement messages list (118); Changing replacement messages (119); FortiManager (120); System Admin (123); Administrators ...
  • Page 6 New prefix list entry (171); Route-map list (171); New Route-map (172); Route-map list entry (173); Key chain list (174); New key chain (174); Key chain list entry (175); Monitor (176); Routing monitor list (176)
  • Page 7 CLI configuration (177); get router info ospf (177); get router info protocols (177); get router info rip (178); config router ospf (178); config router static6 (201); Firewall (203); Policy (204); How policy matching works (204); Policy list (204); Policy options ...
  • Page 8 Phase 1 advanced settings (265); Phase 2 (266); Phase 2 list (267); Phase 2 basic settings (268); Phase 2 advanced options (268); Manual key (270); Manual key list (271); Manual key options (271)
  • Page 9 Concentrator (272); Concentrator list (273); Concentrator options (273); Ping Generator (274); Ping generator options (275); Monitor (275); Dialup monitor (275); Static IP and dynamic DNS monitor (277); PPTP (277); PPTP range (278); L2TP (278); L2TP range (278); Certificates ...
  • Page 10 Configuring the web URL block list (334); Web pattern block list (334); Web pattern block options (335); Configuring web pattern block (335); URL exempt (335); URL exempt list (336); URL exempt list options (336); Configuring URL exempt (336)
  • Page 11 Category block (337); FortiGuard-Web Filtering service (337); Category block configuration options (338); Configuring web category block (339); Category block reports (339); Category block reports options (340); Generating a category block report (340); Category block CLI configuration (340); Script filter ...
  • Page 12 Log access (371); Disk log file access (371); Viewing log messages (373); Searching log messages (375); CLI configuration (376); fortilog setting (376); syslogd setting (377); FortiGuard categories (381); Glossary (387); Index (393)
  • Page 13: Introduction

    The FortiGate Antivirus Firewall uses Fortinet's Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
  • Page 14: Antivirus Protection

    High Availability (HA) operation and redundant hot-swappable power supplies ensure non-stop operation in mission-critical applications. The FortiGate-1000A is kept up to date automatically by Fortinet's FortiGuard network, which provides continuous updates for FortiGuard Subscription Services that ensure protection against the latest viruses, worms, trojans and other threats around the clock.
  • Page 15: Web Content Filtering

    Mail messages can be identified as spam or clear. FortiShield is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam.
  • Page 16: Firewall

    In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
  • Page 17: Vlans And Virtual Domains

    Transparent mode: In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to provide antivirus and content filtering behind an existing firewall solution.
  • Page 18: High Availability

    High availability: Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 19: Secure Installation, Configuration, And Management

    Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.
  • Page 20: About The Fortios International And Us Domestic Distributions

    IPS to the system memory. About the FortiOS International and US Domestic distributions Fortinet produces two distributions of FortiOS v3.0, an International distribution and a US Domestic distribution. The International distribution is available to users outside of the United States and the US Domestic distribution is available to all users, including users in the United States.
  • Page 21 For example, if the file test.doc was quarantined in an email being sent from user@address.com to info@fortinet.com the file name of the quarantined file would be user_info. The default mail virus replacement message (splice mode) is...
  • Page 22: Document Conventions

    A space separates options that can be entered in any combination and must be separated by spaces. For example, given the syntax set allowaccess {ping https ssh snmp http telnet}, you can enter any of the following: set allowaccess ping; set allowaccess ping https ssh; set allowaccess https ping ssh.
  • Page 23: Fortinet Documentation

    Fortinet documentation: The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following ...
  • Page 24: Fortinet Knowledge Center

    Fortinet technical documentation, to techdoc@fortinet.com. Customer service and technical support: Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Visit the Fortinet Technical Support web site to learn about the technical support services that Fortinet provides.
  • Page 25: Web-Based Manager

    Web-based manager: Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface. Note that HTTP administration carries the administrator password and session cookie in cleartext; in practice, enable only HTTPS, and only on interfaces facing a trusted management network.
  • Page 26: Button Bar Features

    The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features. Figure 2: Web-based manager button bar. Contact Customer Support: The Contact Customer Support button opens the Fortinet support web page in a new browser window. From this page you can ...
  • Page 27: Online Help

    Web-based manager Online Help The Online Help button opens web-based help for the current web-based manager page. There are hyperlinks to related topics and procedures related to the controls on the current web-based manager page. Figure 3: Online Help window You can view other parts of the help system as you like.
  • Page 28: Console Access

    If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. Console Access button: connect to the FortiGate unit using the CLI, disconnect from the FortiGate unit, or clear the screen.
  • Page 29: Web-Based Manager Pages

    System: configure system facilities, such as network interfaces, virtual domains, DHCP services, time, and system options. Router: configure the router. Firewall: configure firewall policies and protection profiles that apply the network protection features; also configure virtual IP addresses and IP pools.
  • Page 30: Lists

    Clear: clear a log file. Column Settings: select log columns to display. Delete: delete an item. The Delete icon appears in lists where the item is deletable and you have write permission on the page.
  • Page 31: Status Bar

    Status bar: The status bar is at the bottom of the web-based manager screen. Figure 7: Status bar. The status bar shows ... Download or Backup: download a log file or back up a configuration file. Edit: edit a configuration.
  • Page 32: Organization Of This Manual

    This manual is organized into the following chapters: System Status, System Network, System DHCP, System Config, System Admin, System Maintenance, System Virtual Domain, Router, Firewall, User, Antivirus, Web filter, Spam filter, Log & Report, FortiGuard categories.
  • Page 33: System Status

    System Status: You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: ...
  • Page 34: Viewing System Status

    Status messages include: antivirus or IPS fail-open conditions; system restarted (the restart could be due to operator action or power off/on cycling); firmware upgraded by <admin_name> (the named administrator upgraded the firmware on either the active or non-active partition).
  • Page 35 Further status messages: Firmware downgraded by <admin_name>; Fortigate has reached connection limit for <n> seconds. Each message shows the date and time that it was posted. If there is insufficient space for all of the messages, select Show All to view the rest of them. Figure 9: System status (FortiGate-1000AFA2). The System status section shows Up Time ...
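    The status messages listed above are the ones an operator should not let scroll past: a firmware downgrade can reintroduce bugs that a previous upgrade fixed, a fail-open condition means traffic is passing without inspection, and a sustained connection-limit condition is either a capacity problem or a flood. The following is an added example, not code from the guide or from Fortinet, that classifies such messages and raises the ones worth alerting on. The sample lines are constructed for the example: the date/time layout, the administrator names and the exact wording of the fail-open line are assumptions, since the guide describes those conditions but does not print their literal text.

```python
"""Classify FortiGate system-status messages and raise the ones an operator should act on."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample, shaped like the "date time message" entries the guide describes.
# Timestamps, admin names and the fail-open wording are invented for this example.
SAMPLE_STATUS = """\
2005-11-15 08:02:11 System restarted
2005-11-15 08:40:05 Firmware upgraded by admin
2005-11-15 09:12:47 Fortigate has reached connection limit for 30 seconds
2005-11-15 09:13:20 Fortigate has reached connection limit for 240 seconds
2005-11-15 10:01:00 Firmware downgraded by jdoe
2005-11-15 10:05:33 Antivirus fail-open
"""


@dataclass
class Event:
    when: datetime
    kind: str                 # 'firmware', 'restart', 'conn_limit', 'fail_open' or 'other'
    admin: Optional[str]      # administrator named in a firmware message
    seconds: Optional[int]    # duration reported by a connection-limit message
    raw: str


# One regex per message family; the literal texts follow the guide's wording.
PATTERNS = [
    ("firmware",   re.compile(r"^Firmware (upgraded|downgraded) by (\S+)$")),
    ("restart",    re.compile(r"^System restarted$")),
    ("conn_limit", re.compile(r"^Fortigate has reached connection limit for (\d+) seconds$")),
    ("fail_open",  re.compile(r"^(Antivirus|IPS) fail-open")),
]


def parse_status(text: str) -> List[Event]:
    """Split each line into a timestamp and message, then tag it with a message family."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, msg = line[:19], line[20:]
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        kind, admin, seconds = "other", None, None
        for name, rx in PATTERNS:
            m = rx.match(msg)
            if m:
                kind = name
                if name == "firmware":
                    admin = m.group(2)
                elif name == "conn_limit":
                    seconds = int(m.group(1))
                break
        events.append(Event(when, kind, admin, seconds, msg))
    return events


def alerts(text: str, conn_limit_threshold: int = 60) -> List[str]:
    """Return alert strings for firmware changes, fail-open conditions and connection-limit
    conditions that lasted at least conn_limit_threshold seconds. Downgrades rank HIGH
    because they can bring back already-fixed defects."""
    out = []
    for ev in parse_status(text):
        if ev.kind == "firmware":
            sev = "HIGH" if "downgraded" in ev.raw else "MEDIUM"
            out.append(f"{sev} {ev.when:%H:%M:%S} firmware change by '{ev.admin}': {ev.raw}")
        elif ev.kind == "fail_open":
            out.append(f"HIGH {ev.when:%H:%M:%S} inspection bypassed: {ev.raw}")
        elif ev.kind == "conn_limit" and ev.seconds is not None \
                and ev.seconds >= conn_limit_threshold:
            out.append(f"MEDIUM {ev.when:%H:%M:%S} connection limit held for {ev.seconds}s")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_STATUS):
        print(line)
```

    The threshold on the connection-limit message is deliberately a parameter: a few seconds at the limit during a backup window is noise, minutes at the limit is not. Firmware messages are always reported because the guide ties them to a named administrator, which is exactly the field an incident responder will want to correlate with the admin login records.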
  • Page 36: Unit Information

    The number of URLs visited and the number of files uploaded and downloaded. Select Details to see the FTP site URL, date, time, user, and lists of files uploaded and downloaded. Interface: the name of the interface.
  • Page 37: System Resources

    Interface columns: IP / Netmask, Status. System Resources: CPU Usage, Memory Usage, Hard Disk Usage, Active Sessions, Network Utilization (the total network bandwidth being used through all FortiGate interfaces), History. Figure 10: Sample system resources history. The history page displays 6 graphs representing the following system resources and protection: CPU Usage History, Memory Usage History (memory usage for the previous minute), ...
  • Page 38: Changing Unit Information

    Procedures in this section: To update the firmware version; To update the antivirus definitions manually; To update the attack definitions manually; To change to Transparent mode; To change to NAT/Route mode. See also "SNMP" on page 108 and "Changing the FortiGate firmware".
  • Page 39 Note: For information about configuring the FortiGate unit for automatic antivirus definition updates, see the update configuration section of this guide. To update the antivirus definitions manually: Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 40: Session List

    The session list shows the sessions passing through the FortiGate unit. You can use the session list to view current sessions. Figure 11: Sample session list. From IP: set the source IP address for list filtering. From Port: set the source port for list filtering. (See also "HA" on page 92.)
  • Page 41: Changing The Fortigate Firmware

    FortiGate administrators whose access profiles contain system configuration read and write privileges, and the FortiGate admin user, can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in ...
  • Page 42: Upgrading To A New Firmware Version

    If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required. See "To update antivirus and attack definitions" on page 135 to make sure that antivirus ...
  • Page 43: Upgrading The Firmware Using The Cli

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out ... Use the image built for your unit's model, and because TFTP has no authentication or integrity protection, keep the TFTP server on an isolated management network and check the image's checksum against the value you obtained with the download before restoring it.
  • Page 44: Reverting To A Previous Firmware Version

    Back up the IPS custom signatures. Back up web content and email filtering lists. See "Backing up and Restoring" on page 130, and "To update antivirus and attack definitions" on page 135 to make sure that antivirus ...
  • Page 45: Reverting To A Previous Firmware Version Using The Cli

    To revert to a previous firmware version using the web-based manager: Copy the firmware image file to the management computer. Log into the FortiGate web-based manager. Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
  • Page 46 Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
  • Page 47: Installing Firmware Images From A System Reboot Using The Cli

    To confirm that the new firmware image has been loaded, enter: get system status. To restore your previous configuration if needed, use the command: execute restore config <name_str> <tftp_ipv4>. Update antivirus and attack definitions; from the CLI, enter: execute update_now. Installing firmware images from a system reboot using the CLI: This procedure installs a specified firmware image and resets the FortiGate unit to ...
  • Page 48 Boot menu (displayed after the execute reboot command): [G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H:
  • Page 49: Restoring The Previous Configuration

    System Status Type an IP address that the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
  • Page 50: Testing A New Firmware Image Before Installing It

    A TFTP server that you can connect to from port1. The TFTP server should be on the same subnet as port3. After the execute reboot command, a FortiGate unit running v2.x BIOS displays "Press Any Key To Download Boot Image."; a FortiGate unit running v3.x BIOS displays "Press any key to display configuration menu...".
  • Page 51 If you successfully interrupt the startup process, one of the following messages appears: ... Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiGate unit to connect to the TFTP ...
  • Page 52: Installing And Using A Backup Firmware Image

    Boot menu (displayed after the execute reboot command): Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options.
  • Page 53: Switching To The Backup Firmware Image

    Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiGate unit to connect to the TFTP server.
  • Page 54: Switching Back To The Default Firmware Image

    Boot menu (displayed after the execute reboot command): Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options.
  • Page 55: System Network

    System Network: System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
  • Page 56: Interface Settings

    Bring Down or Bring Up: for more information, see "To bring down an interface that is administratively up" on page 62 and "To start up an interface that is administratively down". Delete, edit, and view icons. See also "VLAN ..."
  • Page 57 Figure 13: Interface settings. See the following procedures for configuring interfaces: ... Name: the name of the interface. Interface: select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
  • Page 58 VLAN ID: the VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface (note that 802.1Q itself reserves VIDs 0 and 4095, so a tag seen on the wire is at most 4094). For more information on VLANs, see ... Virtual Domain: select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
  • Page 59 System Network PPPoE If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
  • Page 60 Ping server Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See...
  • Page 61 Administrative Access check boxes (for example HTTP, SNMP, TELNET). MTU: To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any physical interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
  • Page 62: Configuring Interfaces

    To configure traffic logging for connections to an interface. See "To add a VLAN subinterface in NAT/Route mode" on page 67. You cannot add an interface to a zone if you have added firewall policies for the interface. See also "To add a zone".
  • Page 63 Select OK to save the changes. To add an interface to a virtual domain: If you have added virtual domains to the FortiGate unit, you can use this procedure to add an interface or VLAN subinterface to a virtual domain. To add a virtual domain, see the System Virtual Domain chapter. You cannot add an interface to a virtual domain if you have added firewall policies for the interface.
  • Page 64 Optionally, you can also configure management access and add a ping server to the secondary IP address: set allowaccess ping https ssh snmp http telnet / set gwdetect enable. Save the changes. The example enables every management protocol; in practice keep only the ones you need (HTTPS and SSH for administration), since HTTP and Telnet send administrator credentials in cleartext. See "PPPoE" for information on PPPoE settings.
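    The allowaccess syntax shown on page 22 and used on this page accepts any combination of ping, https, ssh, snmp, http and telnet in any order. Because a single line can quietly expose cleartext management on an interface, an auditor wants to check every interface's setting rather than trust the one that was last edited. The following is an added example, not code from the guide or from Fortinet: it parses the allowaccess lines out of a FortiOS-style configuration text and reports the interfaces that permit HTTP or Telnet. The sample configuration, its interface names and addresses are constructed for the example; the surrounding config/edit/next/end layout is an assumption about how such a backup file is laid out.

```python
"""Audit FortiOS 'set allowaccess' lines for cleartext management protocols."""
import re
from typing import Dict, Iterable, List, Set

# The six options the guide's syntax line lists for 'set allowaccess'.
VALID = {"ping", "https", "ssh", "snmp", "http", "telnet"}
# Protocols whose credentials and sessions travel unencrypted.
CLEARTEXT = {"http", "telnet"}

# Constructed sample (hypothetical interface names, addresses and layout).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess http
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
ALLOW_RE = re.compile(r'^\s*set\s+allowaccess\s+(.*?)\s*$')


def unknown_options(tokens: Iterable[str]) -> Set[str]:
    """Tokens that are not part of the documented allowaccess syntax."""
    return set(tokens) - VALID


def parse_allowaccess(config: str) -> Dict[str, Set[str]]:
    """Return {interface: set(protocols)} for every interface in the text.
    An interface without a 'set allowaccess' line maps to the empty set.
    Raises ValueError on an option outside the documented syntax."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = ALLOW_RE.match(line)
        if m and current is not None:
            protos = set(m.group(1).split())
            bad = unknown_options(protos)
            if bad:
                raise ValueError(f"{current}: unknown allowaccess option(s) {sorted(bad)}")
            result[current] = protos
    return result


def find_cleartext_admin(config: str) -> Dict[str, List[str]]:
    """Interfaces that expose HTTP or Telnet management, with the offending protocols."""
    return {iface: sorted(p & CLEARTEXT)
            for iface, p in parse_allowaccess(config).items() if p & CLEARTEXT}


def hardened_protocols(protos: Set[str]) -> List[str]:
    """The same protocol set with the cleartext ones removed; order is free per the guide,
    so the result is simply sorted for a stable 'set allowaccess' line."""
    return sorted(protos - CLEARTEXT)


if __name__ == "__main__":
    settings = parse_allowaccess(SAMPLE_CONFIG)
    for iface, bad in find_cleartext_admin(SAMPLE_CONFIG).items():
        print(f"{iface}: cleartext admin via {', '.join(bad)}")
        print("  suggested: set allowaccess " + " ".join(hardened_protocols(settings[iface])))
```

    Run against a configuration backup, the report names the interfaces to fix; the hardened line is produced from the existing set so that nothing else the interface allowed (SNMP, ping) is silently dropped.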
  • Page 65 To add a ping server to an interface Go to System > Network > Interface. Choose an interface and select Edit. Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box.
  • Page 66: Zone

    Block intra-zone traffic column: displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked. Edit/View icons: select to edit or view a zone. Delete icon: select to remove a zone.
  • Page 67: Zone Settings

    Zone settings. Figure 16: Zone options. Name; Block intra-zone traffic; Interface members (enable check boxes to select the interfaces that are part of this zone). To add a zone: If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
  • Page 68: Management

    Management: the interface to manage the FortiGate unit from. Enter the default gateway address; this must be a valid IP address for the management network. Select the virtual domain from which you want to perform system management. See also "To control administrative access to an interface".
  • Page 69: Dns

    System Network Enter the Default Gateway. Select the Management Virtual Domain. Select Apply. The FortiGate unit displays the following message: Management IP address was changed. Click here to redirect. Click on the message to connect to the new Management IP. Several FortiGate functions, including Alert E-mail and URL blocking, use DNS.
  • Page 70: Routing Table (Transparent Mode)

    Move To icon: select to change the order of a route in the list. Destination: enter the destination IP address and netmask for this route. Gateway: enter the IP address of the next hop router to which this route directs traffic. Priority: the relative preferability of this route; 1 is most preferred.
  • Page 71: Vlan Overview

    Figure 21: Basic VLAN topology (untagged packets enter a firewall or router; a VLAN trunk carries VLAN 1 and VLAN 2 to a VLAN switch or router serving the VLAN 1 network and the VLAN 2 network).
  • Page 72: Fortigate Units And Vlans

    VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
  • Page 73: Adding Vlan Subinterfaces

    The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
  • Page 74: Vlans In Transparent Mode

    FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
  • Page 75 Figure 24 shows three VLAN subinterfaces (VLAN1, VLAN2, ... on the internal interface, connected to a VLAN switch or router). In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.
  • Page 76: Rules For Vlan Ids

    Figure: VLAN trunk carrying VLAN 1, VLAN 2 and VLAN 3 (VLAN 3 has VLAN ID = 300) between a VLAN switch, the FortiGate external interface and a router that passes untagged packets to the Internet. See "System Virtual Domain" on page 145.
  • Page 77: Transparent Mode Vlan List

    Transparent mode VLAN list: In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces. Figure 25: Sample Transparent mode VLAN list. Create New. Virtual Domain: select a virtual domain to display the VLAN interfaces added to this virtual domain. Columns: Name, Access, Status ...
  • Page 78 The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN- tagged packets.
  • Page 79: Fortigate Ipv6 Support

    The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
  • Page 81: System Dhcp

    System DHCP: You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time.
  • Page 82: Dhcp Service Settings

    Select DHCP Server if you want the FortiGate unit to be the DHCP server. See "To configure an interface to be a DHCP server" and "To configure an interface as a DHCP relay agent".
  • Page 83: Server

    System DHCP To configure an interface to be a DHCP server You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also configure a DHCP server for more than one FortiGate interface.
  • Page 84: Dhcp Server Settings

    Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
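    The Code/Option pair described above is the RFC 2132 type-length-value encoding: a one-byte option code, a one-byte length, and the value bytes, which is why the guide requires the hexadecimal value to have an even number of characters (each byte is two hex digits) and why a value cannot exceed 255 bytes. The following is an added example, not code from the guide or from Fortinet, that validates such pairs, builds the options field, and parses it back while refusing truncated input (a decoder that trusts the length byte and reads past the end of the buffer is the classic DHCP parsing bug). The sample option values (router, DNS servers, lease time) are constructed for the example.

```python
"""Encode and decode DHCP options in RFC 2132 TLV form, enforcing the guide's input rules."""
from typing import Dict, List, Tuple

PAD, END = 0, 255   # RFC 2132 fixed-format options: no length byte, END stops parsing

# Constructed sample: subnet mask, router, two DNS servers, 86400 s lease time.
SAMPLE_OPTIONS: List[Tuple[int, str]] = [
    (1, "ffffff00"),
    (3, "c0000201"),
    (6, "c0000235c0000236"),
    (51, "00015180"),
]


def parse_option_hex(code: int, option_hex: str) -> Tuple[int, bytes]:
    """Validate a (Code, Option) pair as the guide describes: code 1..255 and an
    even number of hex characters (possibly none, for options that carry no value)."""
    if not 1 <= code <= 255:
        raise ValueError(f"option code {code} out of range 1..255")
    if len(option_hex) % 2:
        raise ValueError("option value must have an even number of hex characters")
    data = bytes.fromhex(option_hex)        # raises ValueError on non-hex input
    if len(data) > 255:
        raise ValueError("option value longer than 255 bytes cannot fit a one-byte length")
    return code, data


def encode_options(options: List[Tuple[int, str]]) -> bytes:
    """Build the options field: code, length, value for each option, then END."""
    out = bytearray()
    for code, option_hex in options:
        code, data = parse_option_hex(code, option_hex)
        if code == END:
            raise ValueError("code 255 is the END marker and carries no value")
        out += bytes([code, len(data)]) + data
    out.append(END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLVs into {code: value}. PAD is skipped, END terminates. A declared length
    that runs past the buffer, or a missing END, is an error rather than a short read."""
    i, result = 0, {}
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            return result
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} missing length byte")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated: declared {length}, got {len(data)}")
        result[code] = data
        i += 2 + length
    raise ValueError("options field not terminated by END")


def is_well_formed(blob: bytes) -> bool:
    """True when decode_options accepts the buffer."""
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    wire = encode_options(SAMPLE_OPTIONS)
    print(wire.hex())
    for code, value in decode_options(wire).items():
        print(code, value.hex())
```

    The encoder is what a configuration form should do with the Code and Option fields before they are saved; the decoder is the side a client or relay runs on untrusted input, which is why it validates the length against the buffer instead of indexing blindly.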
  • Page 85: Exclude Range

    DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
  • Page 86: Dhcp Exclude Range Settings

    Select Create New to add a DHCP IP/MAC binding pair. Name: the name for the IP and MAC address pair. IP: the IP address for the IP and MAC address pair; the IP address must be within the configured IP range.
  • Page 87: Dhcp Ip/Mac Binding Settings

    DHCP IP/MAC binding settings. Figure 34: IP/MAC binding options (Name, IP Address, MAC Address). To add a DHCP IP/MAC binding pair: Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
  • Page 89: System Config

    System Config: Use the System Config page to make any of the following changes to the FortiGate system configuration: ... System time: Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate.
  • Page 90: Options

    ... FortiGate unit to synchronize its time once a day. Options: timeout settings including the idle timeout and authentication timeout; the language displayed by the web-based manager; front control buttons and LCD PIN protection; dead gateway detection interval and failover detection.
  • Page 91 System Config Figure 36: System config options Idle Timeout Auth Timeout Language LCD Panel Detection Interval Fail-over Detection Set the ping server dead gateway detection failover number. Enter the To set the system idle timeout Go to System > Config > Options. For Idle Timeout, type a number in minutes.
  • Page 92: Ha Overview

    ... VPN, IPS, virus scanning, web filtering, and spam filtering services. See "To add a ping server to an interface". This section covers: HA overview; HA configuration; Configuring an HA cluster; Managing an HA cluster.
  • Page 93 The FortiGate Clustering Protocol (FGCP) Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 94 Configuring a FortiGate interface to be a DHCP server or a DHCP relay agent is not affected by HA operation. For information about DHCP server and relay, see "System DHCP". See also "To configure load balancing TCP and virus scanning traffic" on page 104, the FortiGate High Availability guide and the Fortinet Knowledge Center.
  • Page 95: Ha Configuration

    PPTP and L2TP are supported in HA mode. You can configure PPTP and L2TP settings and add firewall policies to allow PPTP and L2TP pass-through. However, during an HA failover event, any active PPTP and L2TP sessions are lost and must be restarted after the failover.
  • Page 96: Standalone Mode

    See "HA modes". Table 3 lists the virtual MAC address set for each group ID (excerpt; the guide's table runs from 00-09-0f-06-ff-00 to 00-09-0f-06-ff-3f): group ID 0: 00-09-0f-06-ff-00; 1: 00-09-0f-06-ff-01; 2: 00-09-0f-06-ff-02; 3: 00-09-0f-06-ff-03; ... 63: 00-09-0f-06-ff-3f. See also "To view the status of ..."
  • Page 97 System Config Unit Priority Optionally set the unit priority of the cluster unit. Each cluster unit can have a different unit priority. The unit priority is not synchronized among cluster members. During HA negotiation, the unit with the highest unit priority becomes the primary unit. The unit priority range is 0 to 255.
  • Page 98 IP Port: distribute traffic to cluster units based on the source IP, source port, destination IP, and destination port of the packet. See “To configure load balancing TCP and virus scanning traffic” on page 104 and “To configure weighted-round-robin ...”.
  • Page 99 System Config To enable HA heartbeat communication for an interface, enter a priority for the interface. To disable HA heartbeat communication for an interface, delete the priority for the interface. The HA heartbeat priority range is 0 to 512. The interface with the highest priority handles all HA heartbeat traffic.
  • Page 100 See “Override Master” on page 97. Configuring an HA cluster; Managing an HA cluster.
  • Page 101: Configuring An Ha Cluster

    System Config Configuring an HA cluster Use the following procedures to create an HA cluster consisting of two or more FortiGate units. These procedures describe how to configure each of the FortiGate units for HA operation and then how to connect the FortiGate units to form a cluster. Once the cluster is connected you can configure it in the same way as you would configure a standalone FortiGate unit.
  • Page 102 Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance.
  • Page 103 From the CLI you can use the following command to configure a weight value for each cluster unit. [Figure: two FortiGate-1000A units connected to the internal network and to the Internet router through hubs or switches; ports Port1, Port2 and Port4 are shown.]
  • Page 104: Set Weight

    The next three connections are processed by the first subordinate unit (priority 1, weight 3). The next three connections are processed by the second subordinate unit (priority 2, weight 3).
    config system ha
        set load-balance-all enable
  • Page 105: Managing An Ha Cluster

    System Config Managing an HA cluster The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster. Because of this synchronization, you manage the HA cluster instead of managing the individual cluster units. You manage the cluster by connecting to the web-based manager using any cluster interface configured for HTTPS administrative access.
  • Page 106 Cluster unit statistics: the number of packets that have been processed by the cluster unit since it last started up; the number of viruses detected by the cluster unit; the number of bytes that have been processed by the cluster unit since it last started up.
  • Page 107 System Config To view and manage logs for individual cluster units Connect to the cluster and log into the web-based manager. Go to Log&Report > Log Access. The Traffic log, Event log, Attack log, Antivirus log, Web Filter log, and Email Filter log for the primary unit are displayed.
  • Page 108: Snmp

    FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of...
  • Page 109: Snmp Community

    System Config. Figure 40: Configuring SNMP (SNMP Agent: Description, Location, Contact, Apply; Communities: Create New, Name, Queries, Traps, Enable, Delete icon, Edit/View icon). SNMP community: an SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps.
  • Page 110 SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
  • Page 111 System Config. Queries, Traps, SNMP Event. To configure SNMP access to an interface in NAT/Route mode: before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See “To control administrative access to an interface”.
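    The two controls the SNMP community pages describe, a community name and a list of up to 8 manager addresses, are worth seeing side by side with what actually crosses the wire. The example below is added here and is not Fortinet code: a minimal BER encoder and decoder for an SNMPv2c GetRequest shows that the community string travels in clear text (so it identifies, but does not authenticate, a manager), and accept_query mirrors the page's model of matching the community name and the sender against the configured manager list. The manager addresses and community names are constructed; the OID used is the standard sysName.0.

```python
"""SNMPv2c on the wire: community string plus manager-list check.

Added example, not Fortinet code. Minimal BER, enough for a GetRequest;
the community/manager check mirrors the "up to 8 SNMP managers per
community" rule from the page. Addresses and community names are made up.
"""
import hmac
import ipaddress

MAX_MANAGERS_PER_COMMUNITY = 8        # limit stated on the page


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128 with continuation bits
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")            # value = NULL
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                             # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def community_on_wire(packet):
    """Return (version, community) read straight from the datagram: v1/v2c has no secrecy."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, _ = _read_tlv(msg, pos)
    return int.from_bytes(ver, "big", signed=True), comm.decode()


class Community:
    def __init__(self, name, managers, queries=True):
        if len(managers) > MAX_MANAGERS_PER_COMMUNITY:
            raise ValueError("a community holds at most 8 SNMP managers")
        self.name = name.encode()
        self.managers = {ipaddress.ip_address(m) for m in managers}
        self.queries = queries                # the Queries check box on the community


def accept_query(communities, packet, src_ip):
    """Answer only if the community name matches AND the sender is a listed manager."""
    _, name = community_on_wire(packet)
    src = ipaddress.ip_address(src_ip)
    for c in communities:
        if c.queries and hmac.compare_digest(c.name, name.encode()) and src in c.managers:
            return True
    return False


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.5.0")      # sysName.0
    print(pkt.hex())
    print("community visible in the datagram:", community_on_wire(pkt))
    comms = [Community("public", ["10.0.0.5"])]
    print("from 10.0.0.5:", accept_query(comms, pkt, "10.0.0.5"))
    print("from 10.0.0.7:", accept_query(comms, pkt, "10.0.0.7"))
```

    Because the community name is readable by anyone who can see the packet, the manager list and the per-interface SNMP access setting are the real access controls here; give a community only the manager hosts it needs and enable SNMP only on the interface facing them.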
  • Page 112: Fortigate Mibs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 113 System Config. Table 8: Generic FortiGate traps: ColdStart, WarmStart, LinkUp, LinkDown. Table 9: FortiGate system traps: CPU usage high (fnTrapCpuHigh), Memory low (fnTrapMemLow), Interface IP change (fnTrapIpChange). Table 10: FortiGate VPN traps: VPN tunnel is up (fnTrapVpnTunUp), VPN tunnel down (fnTrapVpnTunDown).
  • Page 114: Fortinet Mib Fields

    The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
  • Page 115 System Config. Table 17: System MIB fields: fnSysModel (FortiGate model number, for example, 400 for the FortiGate-400), fnSysSerial (FortiGate unit serial number), fnSysVersion, fnSysVersionAv, fnSysVersionNids, fnSysHaMode, fnSysOpMode, fnSysCpuUsage, fnSysMemUsage, fnSysSesCount. Table 18: HA MIB fields: fnHaGroupId, fnHaPriority, fnHaOverride, fnHaAutoSync, fnHaSchedule, fnHaStatsTable.
  • Page 116 The idle period in minutes after which the administrator must re-authenticate. Virtual domain MIB fields: the number of virtual domains on the FortiGate unit; a table of virtual domains with fnVdIndex (internal virtual domain index number on the FortiGate unit) and fnVdName (the name of the virtual domain).
  • Page 117: Replacement Messages

    System Config. Table 23: Active IP sessions MIB fields: fnIpSessIndex, fnIpSessProto, fnIpSessFromAddr, fnIpSessFromPort, fnIpSessToPort, fnIpSessToAddr, fnIpSessExpiry. Table 24: Dialup VPNs MIB fields: fnVpnDialupIndex, fnVpnDialupGateway, fnVpnDialupLifetime, fnVpnDialupTimeout, fnVpnDialupSrcBegin (remote subnet address), fnVpnDialupSrcEnd, fnVpnDialupDstAddr, fnVpnDialupDstMask. Table 25: IPS MIB fields: fnIpsSigId, fnIpsSigSrcIp. Replacement messages: change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP...
  • Page 118: Replacement Messages List

    Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiGate unit. Edit/View icon. Select to change a replacement message. 01-28011-0254-20051115 System Config Fortinet Inc.
  • Page 119: Changing Replacement Messages

    System Config Changing replacement messages Figure 44: Sample HTTP virus replacement message Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
  • Page 120: Fortimanager

    Replacement message tags include: the IPS attack message (%%NIDSEVENT%% is added to alert email intrusion messages); the name of the web filtering service; the name of the content category of the web site; the Fortinet logo.
  • Page 121 System Config. Figure 45: FortiManager configuration. Enable FortiManager: enable secure IPSec VPN communication between the FortiGate unit and a FortiManager Server. FortiManager ID: enter the serial number of the FortiManager server. FortiManager IP: enter the IP address of the FortiManager Server.
  • Page 123: System Admin

    System > DHCP; System > Config; System > Maintenance > Backup; System > Maintenance > Support; Log & Report > Log Config; Log & Report > Log Access; Router; Firewall; Anti-Virus; Web Filter; User; System > Admin; System > Maintenance > Update Center; System > ...
  • Page 125: Administrators

    System Admin. This chapter describes: Administrators; Access profiles. Administrators: use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Administrators list. Figure 46: Administrators list (Create New, Name, Trusted hosts, Permission...).
  • Page 126 Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 126. For information about access profiles, see “Access profile list” on page 127.
  • Page 127: Access Profiles

    System Admin When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
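    The rule in the paragraph above is easy to break by accident: one account added later without trusted hosts silently reopens administrative access from every host. The example below is added here and is not Fortinet code. It parses a configuration dump constructed in the shape of the FortiOS CLI (config system admin / edit / set trusthost1..3 <ip> <mask>; the keyword names are an assumption, so match them against a real backup), lists the accounts that accept logins from anywhere, and evaluates whether a given source address would even reach the login page under the page's rule.

```python
"""Audit which administrator accounts accept logins from anywhere.

Added example, not Fortinet code. SAMPLE_CONFIG is constructed in the shape of
the FortiOS CLI (config system admin / edit / set trusthost1..3 <ip> <mask>);
the keyword names are assumptions, so check them against a real backup.
"""
import ipaddress

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.5.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
    next
    edit "helpdesk"
        set accprofile "read_only"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "backup_op"
        set accprofile "backup"
    next
end
"""

ANY_HOST = ipaddress.ip_network("0.0.0.0/0")


def parse_admins(config_text):
    """Return {admin name: [trusted networks]} from the config system admin block."""
    admins, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            admins[current] = []
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set trusthost"):
            _, _, addr, mask = line.split()
            admins[current].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return admins


def unrestricted_admins(admins):
    """Accounts with no trusted host at all, or with 0.0.0.0/0, are reachable from any address."""
    return sorted(name for name, nets in admins.items() if not nets or ANY_HOST in nets)


def unit_answers_login(admins, src_ip):
    """The rule from the page: one unrestricted admin and the unit answers every host on
    every interface with administrative access; otherwise only the listed trusted hosts."""
    if unrestricted_admins(admins):
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for nets in admins.values() for net in nets)


if __name__ == "__main__":
    admins = parse_admins(SAMPLE_CONFIG)
    print("unrestricted accounts:", unrestricted_admins(admins))
    print("203.0.113.7 reaches the login page:", unit_answers_login(admins, "203.0.113.7"))
```

    Run this against every configuration backup, not once: the check is only meaningful while unrestricted_admins returns an empty list.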
  • Page 128: Access Profile Options

    Network update feature. To allow an administrator to modify this feature, enable both Read and Write. Select both Read and Write to allow an administrator to access the system shutdown, reboot and reset to factory default functions. 01-28011-0254-20051115 System Admin Fortinet Inc.
  • Page 129: System Maintenance

    FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Maintenance Use the web-based manager to maintain the FortiGate unit. Backup and restore You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files.
  • Page 130: Backing Up And Restoring

    IPS User-Defined Signatures: upload or download IPS signatures. All Certificates: restore or back up all VPN certificates in a single password-protected file. See “To back up VPN certificates” and “To restore VPN certificates” on page 131.
  • Page 131 System Maintenance Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories Go to System >...
  • Page 132: Update Center

    The Update Center supports: user-initiated updates from the FDN; hourly, daily, or weekly scheduled antivirus and attack definition and antivirus ...; push updates. To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. See “To enable scheduled updates” on page 137.
  • Page 133 System Maintenance. Figure 52: Update center (FortiProtect Distribution Network, Push Update, Refresh, Use override server address, Update). FortiProtect Distribution Network: the status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates.
  • Page 134: Updating Antivirus And Attack Definitions

    The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings.
  • Page 135 System Maintenance Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent. Your database will be updated in a few minutes.
  • Page 136 Command syntax:
    config system autoupdate tunneling
        set address <proxy-address_ip>
        set port <proxy-port>
        set username <username_str>
        set password <password_str>
        set status enable
    Example:
    config system autoupdate tunneling
        set address 67.35.50.34
        set port 8080
        set username proxy_user
        set password proxy_pwd
        set status enable
  • Page 137: Enabling Push Updates

    System Maintenance There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
  • Page 138: Enabling Push Updates Through A Nat Device

    Go to Firewall > Virtual IP. Select Create New. Type a name for the virtual IP. In the External Interface section, select the external interface that the FDN connects to. In the Type section, select Port Forwarding.
  • Page 139 System Maintenance In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to. In the Map to IP section, type the IP address of the FortiGate unit on the internal network.
  • Page 140: Support

    Support. You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS). Figure 53: Support (Report Bug to Fortinet, FDS Registration). Select FDS Registration to register the FortiGate unit with Fortinet.
  • Page 141: Registering A Fortigate Unit

    For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
  • Page 142 A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password are sent to the email address provided with your contact information.
  • Page 143: Shutdown

    System Maintenance. Shutdown: you can use the Maintenance page to log out, restart and shut down the FortiGate unit. Figure 55: System shut down. To log out of the system: go to System > Maintenance > Shutdown, select Logout, and select Apply. The FortiGate unit logs out.
  • Page 144 The FortiGate unit restarts with the configuration that it had when it was first powered on. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
  • Page 145: System Virtual Domain

    FortiGate-1000A/FA2 Administration Guide Version 2.80 MR11 System Virtual Domain FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
  • Page 146: Virtual Domain Properties

    System Virtual Domain. Procedures in this chapter: “To select a management virtual domain”; “To configure routing for a virtual domain”; “To configure the routing ...”; “To add IP pools to a virtual domain”; “To add Virtual IPs to a virtual domain”.
  • Page 147: Shared Configuration Settings

    System Virtual Domain. Shared configuration settings: the following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure these settings.
  • Page 148: Administration And Management

    A check mark icon in this column indicates that this is the domain used for system management. Delete icon. Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management. 01-28011-0254-20051115 System Virtual Domain Fortinet Inc.
  • Page 149: Adding A Virtual Domain

    Selecting a management virtual domain. In NAT/Route mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”...
  • Page 150: Configuring Virtual Domains

    Go to System > Network > Interface. Configuring virtual domains covers: adding interfaces, VLAN subinterfaces, and zones to a virtual domain; configuring routing for a virtual domain; configuring firewall policies for a virtual domain; configuring IPSec VPN for a virtual domain.
  • Page 151 System Virtual Domain Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
  • Page 152: Configuring Routing For A Virtual Domain

    Any zones that you add are added to the current virtual domain. See “Router” on page 155 and “Routing table (Transparent Mode)” on page 70. Network traffic entering this virtual domain is routed only ...
  • Page 153 System Virtual Domain. Select Create New to add firewall policies to the current virtual domain. Policies apply to interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
  • Page 154: Configuring Ipsec Vpn For A Virtual Domain

    Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See “VPN” on page 261.
  • Page 155: Router

    You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
  • Page 156 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
  • Page 157: Static Route List

    Router Figure 58: Destinations on networks behind internal routers To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24...
  • Page 158: Static Route Options

    Static route options: the destination IP address for this route; the netmask for this route; the IP address of the first next hop router to which this route directs traffic; the name of the FortiGate interface through which to route traffic; the administrative distance for the route.
  • Page 159: Policy

    Router Select the Move to icon beside the route you want to move. Current Order shows the existing number for this route. Figure 61: Move a static route For Move to, select either Before or After and type the number that you want to place this route before or after.
  • Page 160: Policy Route Options

    Policy route options continue: match packets that have this destination IP address and netmask; match packets that have this destination port range (to match a single port, enter the same port number for both From and To); send packets that match this policy route to this next hop router.
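    The static route and policy route pages describe three selection rules without showing them interact: policy routes are consulted first and the first matching one wins; otherwise the routing table is searched by longest prefix; and among equal prefixes the lower administrative distance is used. The example below is added here and is not Fortinet code. It implements those rules over a constructed table (192.168.10.1 as default gateway and 192.168.30.0/24 as the network behind an internal router echo the page's figures; every other address, interface name and policy route is made up) so the precedence can be checked packet by packet.

```python
"""Route selection: policy routes first, then longest prefix match, then distance.

Added example, not Fortinet code. 192.168.10.1 (default gateway) and
192.168.30.0/24 (network behind an internal router) come from the page's
figures; all other addresses, interface names and policies are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class StaticRoute:
    dst: ipaddress.IPv4Network
    gateway: str
    device: str
    distance: int = 10        # administrative distance: lower wins among equal prefixes


@dataclass
class PolicyRoute:
    """Policy route options from the page: source, destination, protocol, port range, gateway."""
    gateway: str
    device: str
    src: ipaddress.IPv4Network = field(default_factory=lambda: ANY_NET)
    dst: ipaddress.IPv4Network = field(default_factory=lambda: ANY_NET)
    protocol: Optional[int] = None        # 6 = TCP, 17 = UDP; None matches any protocol
    dport: Tuple[int, int] = (0, 65535)   # From/To; the same value twice matches one port


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int


def lookup_static(table, dst_ip):
    """Longest prefix match; administrative distance breaks ties between equal prefixes."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if dst in r.dst]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))


def match_policy(policies, pkt):
    """Policy routes are checked top-down; the first match wins."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for p in policies:
        if (src in p.src and dst in p.dst
                and (p.protocol is None or p.protocol == pkt.protocol)
                and p.dport[0] <= pkt.dport <= p.dport[1]):
            return p
    return None


def next_hop(policies, table, pkt):
    """Return (gateway, device, source), where source is 'policy', 'static' or 'none'."""
    p = match_policy(policies, pkt)
    if p is not None:
        return p.gateway, p.device, "policy"
    r = lookup_static(table, pkt.dst)
    if r is None:
        return None, None, "none"
    return r.gateway, r.device, "static"


# Constructed routing table: a default route, two routes for the same /24 that differ
# only in distance, and a more specific /25 inside it.
TABLE = [
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "192.168.10.1", "external"),
    StaticRoute(ipaddress.ip_network("192.168.30.0/24"), "192.168.20.2", "internal", distance=10),
    StaticRoute(ipaddress.ip_network("192.168.30.0/24"), "192.168.20.3", "dmz", distance=20),
    StaticRoute(ipaddress.ip_network("192.168.30.128/25"), "192.168.20.4", "internal"),
]

# One constructed policy route: HTTP from 192.168.20.0/24 leaves through a separate link.
POLICIES = [
    PolicyRoute("10.1.1.1", "port4", src=ipaddress.ip_network("192.168.20.0/24"),
                protocol=6, dport=(80, 80)),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.20.9", "198.51.100.7", 6, 80),
                Packet("192.168.20.9", "198.51.100.7", 6, 443),
                Packet("192.168.20.9", "192.168.30.200", 6, 22),
                Packet("192.168.20.9", "192.168.30.5", 6, 22)):
        print(pkt.dst, pkt.dport, "->", next_hop(POLICIES, TABLE, pkt))
```

    The third and fourth packets show the two tie-breakers separately: 192.168.30.200 falls inside the /25, so prefix length decides; 192.168.30.5 only matches the two /24 entries, so the distance-10 route is used and the distance-20 route is a standby.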
  • Page 161: General

    Router RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 64: RIP General settings...
  • Page 162: Networks List

    Static, Metric, Route-map. To configure RIP general settings: go to Router > RIP > General; select the default RIP Version; change the Default Metric if required; select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
  • Page 163: Networks Options

    Figure 66: RIP Networks configuration To configure a RIP network definition Go to Router > RIP > Networks. Select Create New to add a new RIP network definition or select the Edit icon to edit an existing RIP network definition.
  • Page 164: Interface Options

    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. 01-28011-0254-20051115 Router...
  • Page 165: Distribute List

    Password Key-chain To configure a RIP interface Go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
  • Page 166: Distribute List Options

    Interface Enable To configure a distribute list Go to Router > RIP > Distribute List. Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
  • Page 167: Offset List

    Access-list, Offset, Interface, Enable. To configure an offset list: go to Router > RIP > Offset List. Add a new offset list: the direction for the offset list; the access list to use for this offset list.
  • Page 168: Router Objects

    Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects Router objects are a set of tools used by routing protocols and features. Access list Access lists are filters used by FortiGate routing features.
  • Page 169: New Access List

    Router New access list Figure 74: Access list name configuration To add an access list name Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry...
  • Page 170: Prefix List

    New Prefix list Figure 77: Prefix list name configuration To add a prefix list name Go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. Add a new prefix list name. An access list and a prefix list cannot have the same name.
  • Page 171: New Prefix List Entry

    Less or equal to To configure a prefix list entry Go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry.
  • Page 172: New Route-Map

    New Route-map Figure 80: Route map name configuration To add a route map name Go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK. Add a new route map name.
  • Page 173: Route-Map List Entry

    Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric. The metric can be a number from 1 to 16.
  • Page 174: Key Chain List

    New key chain. Figure 83: Key chain name configuration. To add a key chain name: go to Router > Router Objects > Key-chain. See “System time” for information on setting the FortiGate system date and time, which key lifetimes depend on. Add a new key chain: the key chain name.
  • Page 175: Key Chain List Entry

    Start To configure a key chain entry Go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
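    The RIP interface page states the trade-off in one line: text mode sends the key in clear text, while a key chain supplies keys that are valid only between their Start and End times. The example below is added here and is not Fortinet code. It builds a RIPv2 response both ways, simple-password (the password is literally the first entry of the packet) and keyed MD5 per RFC 2082 (the packet carries a key ID, a sequence number and a digest over the packet plus the key), and verifies the MD5 form against a key chain, rejecting a tampered update, a replayed sequence number, a wrong key and a key used outside its accept lifetime. Packet layout follows RFC 2082 as read here (the packet-length field is taken as the offset of the authentication trailer; confirm that against the RFC before testing interoperability with a real router); keys, lifetimes and routes are constructed. OSPF's MD5 option on the interface pages rests on the same idea, a digest instead of the key on the wire, but is not shown here.

```python
"""RIPv2 authentication: simple password versus keyed MD5 (RFC 2082) with a key chain.

Added example, not Fortinet code. Packet layout follows RFC 2082 as read here
(the packet-length field is taken as the offset of the authentication trailer);
keys, lifetimes and routes are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI, AUTH_TEXT, AUTH_MD5, TRAILER = 0xFFFF, 0x0002, 0x0003, 0x0001


@dataclass
class Key:
    key_id: int
    key_str: str           # key string, up to 16 characters, like a key-chain entry
    accept_start: int      # accept lifetime as epoch seconds (constructed values)
    accept_end: int


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = {k.key_id: k for k in keys}

    def lookup(self, key_id, now):
        """A key is usable only inside its accept lifetime, which is what the Start/End
        settings of a key chain entry control (and why the system clock must be right)."""
        key = self.keys.get(key_id)
        if key is not None and key.accept_start <= now <= key.accept_end:
            return key
        return None


def _padded(secret):
    return secret.encode()[:16].ljust(16, b"\0")


def _route_entry(prefix, next_hop, metric):
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_ripv2_text(routes, password):
    """Text mode: the password itself is the first entry, readable by anyone on the wire."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_TEXT, _padded(password))
    return header + auth + b"".join(_route_entry(*r) for r in routes)


def build_ripv2_md5(routes, key, seq):
    """Keyed MD5: the key never leaves the router; only a digest and a sequence number do."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_route_entry(*r) for r in routes)
    pkt_len = 4 + 20 + len(body)                       # offset of the authentication trailer
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_MD5, pkt_len, key.key_id, 16, seq, b"\0" * 8)
    signed = header + auth + body + struct.pack("!HH", AUTH_AFI, TRAILER)
    return signed + hashlib.md5(signed + _padded(key.key_str)).digest()


def verify_ripv2_md5(packet, chain, now, last_seq=-1):
    """Return the route list if the packet authenticates, otherwise None."""
    if len(packet) < 4 + 20 + 4 + 16:
        return None
    afi, atype, pkt_len, key_id, alen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AUTH_AFI or atype != AUTH_MD5 or alen != 16 or pkt_len + 20 != len(packet):
        return None
    if seq <= last_seq:                                 # replayed or reordered update
        return None
    key = chain.lookup(key_id, now)
    if key is None:                                     # unknown key ID or outside lifetime
        return None
    if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AUTH_AFI, TRAILER):
        return None
    expected = hashlib.md5(packet[:pkt_len + 4] + _padded(key.key_str)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return None
    routes = []
    for off in range(24, pkt_len, 20):
        _, _, ip, mask, nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        net = ipaddress.ip_network(f"{ipaddress.ip_address(ip)}/{ipaddress.ip_address(mask)}")
        routes.append((str(net), str(ipaddress.ip_address(nh)), metric))
    return routes


if __name__ == "__main__":
    chain = KeyChain("rip-keys", [Key(1, "s3cret-rip-key", 1_600_000_000, 1_800_000_000)])
    routes = [("192.168.30.0/24", "0.0.0.0", 1)]
    print("text mode leaks key:", b"s3cret-rip-key" in build_ripv2_text(routes, "s3cret-rip-key"))
    pkt = build_ripv2_md5(routes, chain.keys[1], seq=10)
    print("md5 mode leaks key:", b"s3cret-rip-key" in pkt)
    print("verified routes:", verify_ripv2_md5(pkt, chain, now=1_700_000_000))
```

    Keyed MD5 here protects integrity and origin, not confidentiality: the route entries are still visible, and the sequence-number check is what stops an old, valid update from being replayed. Overlap the accept lifetimes of consecutive keys so a key rollover does not drop updates on the neighbour whose clock is a few minutes off.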
  • Page 176: Monitor

    Up Time To filter the routing monitor display Go to Router > Monitor > Routing Monitor. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
  • Page 177: Cli Configuration

    CLI commands see the FortiGate CLI Reference Guide. get router info ospf: use this command to display information about OSPF. Command syntax: router info ospf command keywords and variables. Keywords: border-routers, database, interface...
  • Page 178: Get Router Info Rip

    An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
  • Page 179 Router. Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables: abr-type {cisco | ibm | shortcut | standard}; database-overflow {disable | enable}; database-overflow-max-lsas <lsas_integer>...
  • Page 180 ... <address_ipv4>; spf-timers <delay_integer> <hold_integer>. Example: this example shows how to set the OSPF router ID to 1.1.1.1. This example shows how to display the OSPF settings. Description: specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
  • Page 181 This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
  • Page 182 Enable or disable redistributing routes into a NSSA area. All keywords on this page are available on all models.
  • Page 183 This example shows how to display the settings for area 15.1.1.1. FortiGate-1000A/FA2 Administration Guide Description A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain.
  • Page 184 Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list (see “Access list” and “Prefix list”; default: null). Available on all models.
  • Page 185 The range for id_integer is 0 to 4294967295.
    config router ospf
        config area
            edit 15.1.1.1
                config filter-list
    config router ospf
        config area
            edit 15.1.1.1...
  • Page 186 Enable or disable using a substitute prefix (default: disable; available on all models). Example:
    config router ospf
        config area
            edit 15.1.1.1
                config range
                    edit 1
                        set prefix 1.1.0.0 255.255.0.0
  • Page 187 Virtual links can only be set up between two area border routers (ABRs). config virtual-link command syntax pattern. Note: Only the peer keyword is required. All other keywords are optional.
    config router ospf
        config area
            edit 15.1.1.1
                show
    config virtual-link
        edit <name_str>...
  • Page 188 ... 1 to 255. key_str is an alphanumeric string of up to 16 characters. The text authentication key has no default and requires authentication to be set to text; the MD5 key has no default and requires authentication to be set to md5. All keywords are available on all models.
  • Page 189 This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. FortiGate-1000A/FA2 Administration Guide Description The router id of the remote ABR. 0.0.0.0 is not allowed. The time, in seconds, to wait before sending a LSA retransmission. The...
  • Page 190 CLI configuration config distribute-list Access the config distribute-list subcommand using the config router ospf command. Use this command to use an access list to filter the networks in routing updates. Routes not matched by any of the distribute lists will not be advertised.
  • Page 191 This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
  • Page 192 The valid range for priority_integer is 0 to 255. Example:
    config router ospf
        config neighbor
            edit 1
                set ip 192.168.21.63
  • Page 193: Config Network

    Router config network Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern...
  • Page 194 This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
  • Page 195 In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. If you configure authentication for the interface, authentication for areas is not used.
  • Page 196 ... 576 to 65535 (default 1500). The MD5 key has no default; authentication must be set to md5. All keywords on this page are available on all models.
  • Page 197 “config neighbor” on page 191. Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 can not be elected DR or BDR.
  • Page 198 192.168.20.3 set authentication text set authentication-key a2b3c4d5e config router ospf config ospf-interface edit test config router ospf config ospf-interface edit test show
  • Page 199: Config Redistribute

    config redistribute Access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network. config redistribute command syntax pattern...
  • Page 200 Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page route, you reduce the size of the OSPF link-state database.
  • Page 201: Config Router Static6

    10.0.0.0 255.0.0.0 get router ospf show router ospf config router static6 edit <sequence_integer> set <keyword> <variable> config router static6 edit <sequence_integer> unset <keyword> config router static6 delete <sequence_integer> get router static6 [<sequence_integer>] show router static6 [<sequence_integer>]
  • Page 202 Enter ::/0 for the destination IPv6 address and netmask to add a default route. The IPv6 address of the first next hop router to which this route directs traffic. config router static6 edit 2 set dev internal set dst 12AB:0:0:CD30::/60...
  • Page 203: Firewall

    Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
  • Page 204: Policy

    You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 86: Sample policy list. Section contents: How policy matching works; Policy list; Policy options; Advanced policy options; Configuring firewall policies; Policy CLI configuration.
  • Page 205: Policy Options

    The policy list has the following icons and features: Create New; Source; Dest; Schedule; Service; Action; Enable. source -> destination (n): Policy list headings indicating the traffic to which the policy... Figure 87: Move to options. Policy options: Policy options are configurable when creating or editing a firewall policy. Select Create New to add a firewall policy.
  • Page 206 Select the name of a firewall address or address group that matches the destination address of the packets to be matched with this policy. See “Interface” on page 55 for information about zones. See “Address” on page 213. See “Virtual IP” on page 230.
  • Page 207 Firewall Schedule Select a schedule that controls when the policy is available to be matched with connections. See Service Select the name of a service or service group that matches the service or protocol of the packets to be matched with this policy. You can select from a wide range of predefined services or add custom services and service groups.
  • Page 208: Advanced Policy Options

    If you do not select Dynamic IP pool, a policy with Fixed Port selected can only allow one connection at a time. See page 237. See “Authentication” on page 361, “IP pool” on page 234, “Protection profile” on page 209, and “Log & Report”.
  • Page 209 Firewall Figure 89: Advanced policy options Authentication You must add users and a firewall protection profile to a user group before you can select Authentication. For information about adding and configuring user groups, see “User group” on page Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.
  • Page 210: Traffic Shaping

    Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
  • Page 211: Configuring Firewall Policies

    You can configure policies to apply DSCP values for both original (or forward) traffic and reverse (or reply) traffic. These values are optional and may be enabled independently from each other. When both are disabled, no changes to the DS field are made.
  • Page 212: Policy Cli Configuration

    Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords. Command syntax pattern config firewall policy edit <id_integer> set <keyword> <variable>
  • Page 213: Address

    firewall policy command keywords and variables. Keywords and variables / Description: http_retry_count <retry_integer>; natip <address_ipv4mask>. Address: You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address range.
  • Page 214: Address List

    The Delete and Edit/View icons. Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. address range separated by a hyphen
  • Page 215: Configuring Addresses

    An IP/Mask address can represent: ... An IP address can be: ... The netmask corresponds to the type of address that you are adding. For example: ... An IP Range address represents: ...
  • Page 216: Address Group List

    Address group options are configurable when creating or editing an address group. Select Create New to add an address group. The name of the address group. The addresses in the address group. The Delete and Edit/View icons.
  • Page 217: Configuring Address Groups

    Figure 94: Address group options. Address group has the following options: Group Name; Available Addresses; Members. Configuring address groups. To organize addresses into an address group: Go to Firewall > Address > Group. Select Create New. Enter a group name to identify the address group. Select an address from the Available Addresses list and select the right arrow to move the address into the group.
  • Page 218: Service

    Predefined service list. Figure 95: Predefined service list. Section contents: Predefined service list; Custom service list; Custom service options; Configuring custom services; Service group list; Service group options; Configuring service groups.
  • Page 219 The predefined services list has the following icons and features. Name: The name of the predefined services. Detail: The protocol for each predefined service. Table 29 lists the FortiGate predefined firewall services. Table 29: FortiGate predefined services. Service name: DHCP, FINGER, GOPHER, H323, HTTP, HTTPS, ... any policy.
  • Page 220 Internet. For connections used by the popular Quake multi-player computer game (ports 26000, 27000, 27910, 27960). For streaming real audio multimedia traffic (port 7070).
  • Page 221: Custom Service List

    Table 29: FortiGate predefined services (Continued). Service name: RLOGIN, SIP-MSNmessenger, SMTP, SNMP, SYSLOG, TALK, TELNET, TFTP, UUCP, VDOLIVE, WAIS, WINFRAME, X-WINDOWS. Custom service list: Add a custom service if you need to create a policy for a service that is not in the predefined service list.
  • Page 222: Custom Service Options

    If the service uses one port number, enter this number in both the low and high fields. low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
  • Page 223: Configuring Custom Services

    ICMP custom service options. Figure 98: ICMP custom service options: Name; Protocol Type; Type; Code. IP custom service options. Figure 99: IP custom service options: Name; Protocol Type; Protocol Number (The IP protocol number for the service). Configuring custom services. To add a custom TCP or UDP service: Go to Firewall >...
  • Page 224: Service Group List

    To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
  • Page 225: Service Group Options

    Figure 100: Sample service group list. The service group list has the following icons and features: Create New; Group Name; Members. Service group options: Service group options are configurable when creating or editing a service group. Figure 101: Service group options. Service group has the following options.
  • Page 226: Schedule

    Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period. Section contents: One-time schedule list; One-time schedule options; Configuring one-time schedules; Recurring schedule list; Recurring schedule options; Configuring recurring schedules.
  • Page 227: One-Time Schedule Options

    Figure 102: Sample one-time schedule list. The one-time schedule list has the following icons and features: Create New; Name; Start; Stop. One-time schedule options. Figure 103: One-time schedule options. One-time schedule has the following options: Name; Start; Stop. Configuring one-time schedules. To add a one-time schedule: Go to Firewall >...
  • Page 228: Recurring Schedule List

    The name of the recurring schedule. The initials of the days of the week on which the schedule is active. The start time of the recurring schedule. The stop time of the recurring schedule. The Delete and Edit/View icons.
  • Page 229: Recurring Schedule Options

    Recurring schedule options. Figure 105: Recurring schedule options. Recurring schedule has the following options: Name; Select; Start; Stop. Configuring recurring schedules. To add a recurring schedule: Go to Firewall > Schedule > Recurring. Select Create New. Enter a name for the schedule. Select the days of the week that you want the schedule to be active.
  • Page 230: Virtual Ip

    Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally, a different port number on a destination network. Section contents: Virtual IP list; Virtual IP options; Configuring virtual IPs.
  • Page 231: Virtual Ip Options

    The virtual IP list has the following icons and features: Create New; Name; Service Port; Map to IP; Map to Port. Virtual IP options: Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding. Figure 107: Virtual IP options;...
  • Page 232: Configuring Virtual Ips

    Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.) Table 30 on page 233 contains example virtual IP external interface settings
  • Page 233 Table 30: Virtual IP external interface examples. External Interface / Description: internal; external. To add port forwarding virtual IPs: Go to Firewall > Virtual IP. Select Create New. Enter a name for the port forwarding virtual IP. Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
  • Page 234: Ip Pool

    You can enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface.
  • Page 235: Ip Pool List

    You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. If you add an IP pool to port1, you can select Dynamic IP pool for policies with the port1 interface as the destination.
  • Page 236: Ip Pool Options

    For the IP pool that you want to edit, select Edit beside it. Modify the IP pool as required. Select OK to save the changes. Select the interface to which to add an IP pool. Enter a name for the IP pool.
  • Page 237: Ip Pools For Firewall Policies That Use Fixed Ports

    IP Pools for firewall policies that use fixed ports. Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.
  • Page 238: Protection Profile List

    You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
  • Page 239: Protection Profile Options

    Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis.
  • Page 240: Configuring Web Filtering Options

    Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions.
  • Page 241: Configuring Web Category Filtering Options

    Configuring web category filtering options. Figure 115: Protection profile web category filtering options (FortiGuard). The following options are available for web category filtering through the protection profile. See options. Enable category block (HTTP only); Block unrated websites (HTTP only); Provide details for blocked HTTP 4xx and 5xx errors (HTTP only); Rate images by URL (blocked...
  • Page 242: Configuring Spam Filtering Options

    A or MX record. Enable or disable checking source MIME headers against the configured spam filter MIME header list. Enable or disable checking source email against the configured spam filter banned word list.
  • Page 243 Spam Action: Append to; Append with. Note: Some popular email clients cannot filter messages based on the MIME header. Check your email client features before deciding how to tag spam. Configuring IPS options. Figure 117: Protection profile IPS options. The following options are available for IPS through the protection profile. See page 293. IPS Signature; IPS Anomaly...
  • Page 244: Configuring Protection Profiles

    FortiLog unit for each protocol. Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiLog is enabled under Log&Report > Log Config > Log Settings.
  • Page 245: Profile Cli Configuration

    To add a protection profile to a policy: You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. Go to Firewall >...
  • Page 246 If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
  • Page 247 firewall profile command keywords and variables (Continued). Keywords and variables: smtp {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice} This example shows how to display the settings for the firewall profile command.
  • Page 249: User

    You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
  • Page 250: Setting Authentication Timeout

    Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
  • Page 251: Radius

    LDAP; Radius. To add a user name and configure authentication: Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user. Select OK.
  • Page 252: Radius Server Options

    FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret.
  • Page 253: Ldap Server List

    The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.
  • Page 254 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
  • Page 255: User Group

    User group. To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: ...
  • Page 256: User Group Options

    The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group.
  • Page 257: Cli Configuration

    To delete a user group: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
  • Page 258: Peergrp

    Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required. Default: No default. Availability: All models.
  • Page 259 This example shows how to display the list of configured peer groups. This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peer groups. This example shows how to display the configuration for the peergrp EU_branches. config user peergrp edit EU_branches...
  • Page 261: Vpn

    FortiGate units support the following protocols to authenticate and encrypt traffic: Internet Protocol Security (IPSec); Point-to-Point Tunneling Protocol (PPTP); ... This chapter contains information about the following VPN topics: ...
  • Page 262: Phase 1

    Select Create New to create a new phase 1 configuration. The names of existing phase 1 configurations. The IP address or domain name of a remote peer, or Dialup for a dialup client. Main or Aggressive. See “Manual key”.
  • Page 263: Phase 1 Basic Settings

    Encryption Algorithm: The names of the encryption and authentication algorithms used by each phase 1 configuration. Delete and Edit icons. Phase 1 basic settings. Figure 128: Phase 1 basic settings: Gateway Name; Remote Gateway; IP Address; Dynamic DNS; Mode; Authentication Method.
  • Page 264 See the “Configuring the phase 1 IKE exchange” sections of the FortiGate VPN Guide, “Certificates”, “Authenticating FortiClient”, “User” on page 249, and the FortiGate CLI Reference Guide.
  • Page 265: Phase 1 Advanced Settings

    Phase 1 advanced settings. Figure 129: Phase 1 advanced settings. P1 Proposal: Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
  • Page 266: Phase 2

    If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds. Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  • Page 267: Phase 2 List

    To configure phase 2 settings: Go to VPN > IPSEC > Phase 2. Follow the general guidelines in these sections: ... For information about how to choose the correct phase 2 settings for your particular situation, refer to the ... Note: The procedures in this section assume that you want the FortiGate unit to generate unique IPSec encryption and authentication keys automatically.
  • Page 268: Phase 2 Basic Settings

    If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configuration before it can be selected here. See “Phase 1” and “Concentrator” on page 272.
  • Page 269 P2 Proposal; Enable replay detection; Enable perfect forward secrecy (PFS); DH Group; Keylife; Autokey Keep Alive; DHCP-IPSec. P2 Proposal: Select the encryption and authentication algorithms that will be used to change data into encrypted code. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
  • Page 270: Manual Key

    Prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key). Encryption and authentication needs to be disabled.
  • Page 271: Manual Key List

    Follow the guidelines in these sections: ... Manual key list. Figure 133: IPSec VPN Manual Key list: Create New; Remote Gateway; Encryption Algorithm; Authentication Algorithm; Delete and Edit icons. Manual key options: VPN Tunnel Name (Type a name for the VPN tunnel); Local SPI; Remote SPI; Remote Gateway...
  • Page 272: Concentrator

    If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configuration before it can be selected here. See “Concentrator” on page 272.
  • Page 273: Concentrator List

    In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.
  • Page 274: Ping Generator

    VPN peer (for example, 172.16.5.1/32). For a dialup-client or Internet-browsing configuration where the remote VPN client is configured to acquire a virtual IP address, the destination address must correspond to the virtual IP address that can be acquired.
  • Page 275: Ping Generator Options

    Ping generator options. Figure 137: Ping generator: Enable; Source IP 1; Destination IP 1; Source IP 2; Destination IP 2. Monitor: You can use the monitor to view activity on IPSec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels.
  • Page 276 Destination field displays the IP address of the remote private network. Start or stop the current dialup tunnel. If you stop the tunnel, the dialup user may have to reconnect to establish a new VPN session. Display the previous or next page of dialup-tunnel status listings.
  • Page 277: Static Ip And Dynamic Dns Monitor

    Static IP and dynamic DNS monitor The list of tunnels provides information about VPN connections to remote peers that have static IP addresses or domain names. You can use this list to view status and IP addressing information for each tunnel configuration. You can also start and stop individual tunnels from the list.
  • Page 278: Pptp Range

    Type the starting address in the range of reserved IP addresses. Type the ending address in the range of reserved IP addresses. Select the name of the PPTP user group that you defined. Select the option to disable PPTP support. See “L2TP configuration” on page 285.
  • Page 279: Certificates

    Figure 141: L2TP range: Enable L2TP; Starting IP; Ending IP; User Group; Disable L2TP. Certificates: Digital certificates are downloadable files that you can install on the FortiGate unit and on remote peers and clients for authentication purposes. An X.509 digital certificate contains information that has been digitally signed by a trusted third party known as a certificate authority (CA).
  • Page 280: Certificate Request

    Delete a certificate from the FortiGate configuration. Select to save a copy of the certificate request to a local computer. Send the request to your CA to obtain a certificate for the FortiGate unit. See “Certificate request”, “Importing signed certificates”, and Figure 143.
  • Page 281: Importing Signed Certificates

    Figure 144: Generating a certificate signing request: Certification Name; Subject Information; Organization Unit; Organization; Locality (City); State/Province; Country; e-mail; Key Type; Key Size. Importing signed certificates: Your CA will provide you with a signed certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a PC that has management access to the FortiGate unit.
  • Page 282: Ca Certificate List

    Information about the CA. Select to display certificate details. Delete a CA certificate from the FortiGate configuration. Select if you want to save a copy of the CA root certificate to a local computer. See “Importing CA certificates”.
  • Page 283: Vpn Configuration Procedures

    Figure 147: Importing a CA certificate. Browse to the location on the management PC where the certificate has been saved, select the certificate, and then select OK. Select OK. VPN configuration procedures. ... procedures needed to create different types of VPN configurations. The guide contains the following chapters: ...
  • Page 284: Adding Firewall Policies For Ipsec Vpn Tunnels

    IP packets may be delivered. The name may correspond to a VIP-address range for dialup clients. Keep the default setting (always) unless changes are needed to meet specific requirements. Keep the default setting (ANY) unless changes are needed to meet your specific requirements.
  • Page 285: Pptp Configuration Procedures

    Action VPN Tunnel You may enable a protection profile, and/or event logging, or select advanced settings to shape traffic or differentiate services. See the “Firewall” chapter of the FortiGate Administration Guide. Select OK. Place the policy in the policy list above any other policies having similar source and destination addresses.
  • Page 286: Cli Configuration

    Command syntax pattern: ipsec phase1; ipsec phase2; ipsec vip. config vpn ipsec phase1 edit <name_str> set <keyword> <variable> config vpn ipsec phase1 edit <name_str> unset <keyword> See the FortiGate VPN Guide.
  • Page 287 ipsec phase1 command keywords and variables. Keywords and variables: dpd-idlecleanup <seconds_integer>; dpd-idleworry <seconds_integer>; dpd-retrycount <retry_integer>; dpd-retryinterval <seconds_integer>. Description: The DPD long idle setting when dpd is set to enable. Set the time, in seconds, that a link must remain unused before the local VPN peer pro-actively probes its state.
  • Page 288: Ipsec Phase2

    1000 set dpd-idleworry 150 set dpd-retrycount 5 set dpd-retryinterval 30 config vpn ipsec phase2 edit <name_str> set <keyword> <variable> config vpn ipsec phase2 edit <name_str> unset <keyword> config vpn ipsec phase2 delete <name_str>
  • Page 289: Ipsec Vip

    ipsec phase2 command keywords and variables Keywords and variables bindtoif <interface-name_str> single-source {disable | enable} ipsec vip A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding the associated traffic to the intended destination host over an IPSec VPN tunnel. The feature is intended to enable IPSec VPN communications between two hosts that coordinate the same private address space on physically separate networks.
  • Page 290: Configuring Ipsec Virtual Ip Addresses

    1 set ip 192.168.12.1 set out-interface external next edit 2 set ip 192.168.12.2 set out-interface external get vpn ipsec vip get vpn ipsec vip 1 show vpn ipsec vip Default: 0.0.0.0; null. Availability: All models.
  • Page 291 Consider the following example, which shows two physically separate networks. The IP addresses of the computers on both networks are in the 192.168.12.0/24 range, but no two IP addresses are the same. An IPSec VPN has been configured between FortiGate_1 and FortiGate_2. The FortiGate configuration permits Host_1 on the Finance network to transmit data to Host_2 on the HR network through the IPSec VPN tunnel.
  • Page 292 (example, continued)
      edit 1
        set ip 192.168.12.2
        set out-interface external
    (see “ipsec vip” on page 289). For example, to enable access to Host_1 on the Finance network:
      config vpn ipsec vip
        edit 1
          set ip 192.168.12.1
          set out-interface external
  • Page 293: Ips

    The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly intrusion detection and prevention with low latency and excellent reliability. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions.
  • Page 294: Signature

    The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
  • Page 295: Predefined Signatures

    Predefined signatures Predefined signatures are arranged into groups based on the type of attack. By default, all signature groups are enabled while some signatures within groups are not. Check the default settings to ensure they meet the requirements of your network traffic.
  • Page 296: Configuring Predefined Signatures

    Drop: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The session is not touched. Fortinet recommends using an action other than Drop for TCP connection based attacks. Reset: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet.
  • Page 297 Select the Configure icon next to the predefined signature group that you want to enable or disable (Figure 150: Enabling or disabling a predefined signature group). Select the enable box to enable the predefined signature group or clear the enable box to disable the predefined signature group. Select OK.
  • Page 298: Configuring Parameters For Dissector Signatures

    If the codepoint is set to a number from 1 to 63, the DSCP codepoint for the session is changed to the specified value. If the codepoint is set to -1 (the default) no change is made to the codepoint in the IP header.
  • Page 299: Custom Signature List

    Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments. The FortiGate predefined signatures cover common attacks. If you are using an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors.
  • Page 300: Adding Custom Signatures

    If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached. If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.
  • Page 301: Anomaly List

    You can enable or disable logging for each anomaly, and you can control the IPS action in response to detecting an anomaly. In many cases you can also configure the thresholds that the anomaly uses to detect traffic patterns that could represent an attack.
  • Page 302 Drop: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The firewall session is not touched. Fortinet recommends using an action other than Drop for TCP connection based attacks. Reset: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet.
  • Page 303: Ips Cli Configuration

    threshold … To configure the settings of an anomaly: Go to IPS > Anomaly. Select the Edit icon for the anomaly you want to configure. Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly.
  • Page 304: Configuring System Settings

    This means that crucial network traffic will not be blocked and the firewall will continue to operate while the problem is resolved.
    Command syntax pattern:
      config sys global
        ip_signature {enable | disable}
  • Page 305: Configuring Anomaly Settings

    Keywords and variables (system global): ip_signature {enable | disable}. ips-size <ips_buffer_size>: Set the size of the IPS buffer. Configuring anomaly settings (config ips anomaly): config limit. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
  • Page 306 The ip address and netmask of the source or destination network. Set the threshold that triggers this anomaly. config ips anomaly tcp_src_session config limit edit subnet1 set ipaddress 1.1.1.0 255.255.255.0 set threshold 300 01-28011-0254-20051115 Default Availability All models. default. All models. default. Fortinet Inc.
  • Page 307: Antivirus

    Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
  • Page 308: File Block

    IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates, see …
  • Page 309: File Block List

    File block list: The file block list is preconfigured with a default list of file patterns (Figure 159: Default file block list). The file block list has the following icons and features: Create New, Apply, Pattern...
  • Page 310: Configuring The File Block List

    You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.
  • Page 311: Quarantined Files List Options

    EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
  • Page 312: Autosubmit List

    (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
  • Page 313: Config

    Antivirus Select Enable. Select OK. Note: To enable automatic uploading of the configured file patterns you must go to Anti-Virus > Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern. Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service.
  • Page 314: Config

    Heuristics is configurable through the CLI only. See “CLI configuration” on page 317. Select Apply to save the configuration. (Sections: Virus list, Config, Grayware, Grayware options.) To find out how to use the Fortinet Update Center, see page 132.
  • Page 315: Grayware

    Antivirus Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data.
  • Page 316 Select Enable to block remote administration tools. Remote administration tools allow outside users to remotely change and monitor a computer on a network.
  • Page 317: Cli Configuration

    When the free memory once again reaches 30% or greater of the total memory, the system returns to nonconserve mode. For more information see the Antivirus failopen and optimization Fortinet Knowledge Center article.
  • Page 318: System Global Optimize

    FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster. For more information see the Antivirus failopen and optimization Fortinet Knowledge Center article.
  • Page 319: Config Antivirus Heuristic

    Antivirus Example This example shows how to set the FortiGate unit to optimize operations for antivirus scanning. config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches.
  • Page 320: Config Antivirus Quarantine

    Quarantine files found by heuristic scanning in traffic for the specified protocols (imap, smtp, pop3, http). Availability: FortiGate models numbered 200 and higher.
    Command syntax pattern:
      config antivirus service http
        set <keyword> <variable>
  • Page 321 antivirus service http command keywords and variables: memfilesizelimit <MB_integer>, port <port_integer>, uncompsizelimit <MB_integer>. How file size limits work: The memfilesizelimit is applied first to all incoming files, compressed or uncompressed. If the file is larger than the limit, the file is passed or blocked according to the user configuration in the firewall profile.
  • Page 322: Config Antivirus Service Ftp

    (example, continued) … 70
        set port 80
        set port 443
      get antivirus service http
      show antivirus service http
    Command syntax pattern:
      config antivirus service ftp
        set <keyword> <variable>
      config antivirus service ftp
        unset <keyword>
      get antivirus service [ftp]
      show antivirus service [ftp]
  • Page 323 antivirus service ftp command keywords and variables: memfilesizelimit <MB_integer>, port <port_integer>, uncompsizelimit <MB_integer>. How file size limits work: see page 321. Example: This example shows how to set the maximum file size buffered to memory for scanning to 25 MB, the maximum uncompressed file size that can be buffered to memory to 100 MB, and how to enable antivirus scanning on ports 20 and 21 for FTP traffic.
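    The two size limits above and the base64 note in the email scanning section (page 315) interact: an attachment that fits the limit on disk can exceed it once the mail client encodes it. The Python below is an added example, not FortiGate code. It applies memfilesizelimit first to every file as the guide says, then, as this example's reading of the guide, uncompsizelimit to the uncompressed size of compressed files, and treats 0 as no limit. The sizes it checks are constructed.

```python
"""Added example (not FortiGate code): the file-size gate described under
"How file size limits work", plus the base64 growth that the oversize note
on email scanning warns about. memfilesizelimit is applied first to every
file, as the guide states; applying uncompsizelimit afterwards to the
uncompressed size of compressed files only is this example's assumption.
All sizes used below are constructed."""
import math

MB = 1024 * 1024


def base64_encoded_size(raw_bytes):
    """Bytes on the wire after base64: 3 input bytes become 4 output
    characters, padded up to a multiple of 4 (line breaks ignored)."""
    return 4 * math.ceil(raw_bytes / 3)


def size_limit_decision(size_bytes, memfilesizelimit_mb, uncompsizelimit_mb=0,
                        uncompressed_bytes=None, oversize_action="block"):
    """Return 'scan' if the file fits the scanning buffers, otherwise the
    protection profile's oversize action ('pass' or 'block'). A limit of 0
    means no limit, as the guide says (not recommended).
    `uncompressed_bytes` is given only for compressed files."""
    if oversize_action not in ("pass", "block"):
        raise ValueError("oversize_action must be 'pass' or 'block'")
    # Step 1: memfilesizelimit applies to every file, compressed or not.
    if memfilesizelimit_mb and size_bytes > memfilesizelimit_mb * MB:
        return oversize_action
    # Step 2 (assumption): for compressed files, the uncompressed size
    # must also fit within uncompsizelimit.
    if (uncompressed_bytes is not None and uncompsizelimit_mb
            and uncompressed_bytes > uncompsizelimit_mb * MB):
        return oversize_action
    return "scan"


def email_attachment_decision(raw_attachment_bytes, memfilesizelimit_mb,
                              oversize_action="block"):
    """Apply the limit to the size after the client's base64 encoding,
    which is the size the guide says the email oversize threshold sees."""
    encoded = base64_encoded_size(raw_attachment_bytes)
    return size_limit_decision(encoded, memfilesizelimit_mb,
                               oversize_action=oversize_action)


if __name__ == "__main__":
    # An 8 MB attachment is about 10.7 MB once base64 encoded, so it trips
    # the default 10 MB limit even though the raw file would not.
    print(email_attachment_decision(8 * MB, 10))   # block
    print(size_limit_decision(8 * MB, 10))         # scan
    # A 5 MB archive that inflates to 60 MB exceeds uncompsizelimit 50.
    print(size_limit_decision(5 * MB, 25, 50, uncompressed_bytes=60 * MB))  # block
```

    The practical consequence for the SMTP, POP3 and IMAP services is that a memfilesizelimit should be sized about a third larger than the largest attachment you intend to scan, or the oversize action, not the scanner, decides what happens to it.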
  • Page 324: Config Antivirus Service Pop3

    Enter a value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended). See “How file size limits work” on page 321. Defaults: 10 (MB) for each size limit; available on all models.
  • Page 325: Config Antivirus Service Imap

    Antivirus Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 20 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 60 MB, and how to enable antivirus scanning on ports 110, 111, and 992 for POP3 traffic.
  • Page 326 (example, continued) … 25
        set uncompsizelimit 50
        set port 143
        set port 993
      get antivirus service imap
      show antivirus service imap
    Defaults: 10 (MB) for each size limit; available on all models. See “How file size limits work” on page 321.
  • Page 327: Config Antivirus Service Smtp

    Antivirus config antivirus service smtp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected email file attachments.
  • Page 328 This example shows how to set the size limits and ports for SMTP traffic and how to display the configuration for antivirus SMTP traffic.
      config antivirus service smtp
        set memfilesizelimit 100
        set uncompsizelimit 1000
        set port 25
        set port 465
      get antivirus service smtp
      show antivirus service smtp
  • Page 329: Web Filter

    Web filter: Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select Edit or Create New, and select Web Filtering or Web Category Filtering.
  • Page 330 This chapter describes: Content block, URL block, URL exempt, Category block, Script filter. For the Web Filter setting in a protection profile, see page 237. For information about adding protection profiles to firewall policies, see “Protection profile” on page 245.
  • Page 331: Content Block

    Web filter Content block Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
  • Page 332: Configuring The Web Content Block List

    See “Using Perl regular expressions” on page 358. Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list.
  • Page 333: Web Url Block List

    Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, use firewall policies to deny FTP connections.
  • Page 334: Configuring The Web Url Block List

    FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings.
  • Page 335: Web Pattern Block Options

    Web filter Figure 171:Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Create New Pattern Configuring web pattern block To add a pattern to the web pattern block list Go to Web Filter > URL Block. Select Web Pattern Block.
  • Page 336: Url Exempt List

    Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons.
  • Page 337: Category Block

    FortiGuard-Web Filtering service: FortiGuard-Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard-Web Filtering sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the...
  • Page 338: Category Block Configuration Options

    FortiGuard-Web Filtering licensing Every FortiGate unit comes with a free 30-day FortiGuard-Web Filtering trial license. FortiGuard-Web Filtering license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard-Web Filtering Service Point when you enable FortiGuard-Web Filtering category blocking.
  • Page 339: Configuring Web Category Block

    Configuring web category block. To enable FortiGuard-Web Filtering: Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard-Web Filtering server. After a moment, the FortiGuard-Web Filtering status should change from Unknown to Available.
  • Page 340: Category Block Reports Options

    The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame.
  • Page 341: Script Filter

    ftgd_hostname: The hostname of the FortiGuard Service Point. The FortiGate unit comes preconfigured with the host name (default: guard.fortinet.com). Use this command only if you need to change the host name.
      config webfilter catblock
        set ftgd_hostname guard.example.net
      get webfilter catblock
      show webfilter catblock
  • Page 342: Web Script Filter Options

    You can configure the following options for script filtering: Javascript, Cookies, ActiveX. Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications.
  • Page 343: Spam Filter

    Table 36: Spam Filter and Protection Profile spam filtering configuration. Protection Profile spam filtering options: IP address; FortiGuard-Antispam Service check: Enable or disable Fortinet’s antispam service, FortiGuard-Antispam Service. FortiGuard-Antispam Service is Fortinet’s own DNSBL server that provides spam IP address and URL blacklists.
  • Page 344 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take, spam or clear, for each word. See “Protection profile” on page 245.
  • Page 345: Order Of Spam Filter Operations

    Order of spam filter operations: The order in which incoming mail is passed through the spam filters is determined by the protocol used to transfer the mail. For SMTP: IP address BWL check (last hop IP), RBL & ...
  • Page 346: Fortiguard-Antispam Service

    FortiGuard-Antispam Service: FortiGuard-Antispam Service is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam. The URL black list contains URLs of websites found in spam email.
  • Page 347: Fortiguard-Antispam Service Options

    Both FortiGuard-Antispam Service processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard-Antispam Service is always current. You can enable or disable FortiGuard-Antispam Service in a firewall protection profile. FortiGuard-Antispam Service Service Points: FortiGuard-Antispam Service Service Points provide worldwide coverage.
  • Page 348: Configuring The Fortiguard-Antispam Service

    The cache is enabled by default. Time to live: the number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. See “Configuring spam filtering options” on page 242.
  • Page 349: Fortiguard-Antispam Service Cli Configuration

    FortiGuard-Antispam Service CLI configuration: Use the hostname keyword of the spamfilter fortishield command if you ever need to change the default hostname for the FortiGuard-Antispam Service Service Point. The FortiGuard-Antispam Service Service Point name cannot be changed using the web-based manager. You can configure all the FortiGuard-Antispam Service settings from the CLI.
  • Page 350: Ip Address

    Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons.
  • Page 351: Dnsbl & Ordbl

    Select Create New (Figure 180: Adding an IP address). Enter the IP address/mask you want to add. If required, select before or after another IP address in the list to place the new IP address in the correct position. Select the action to take on email from the IP address.
  • Page 352: Dnsbl & Ordbl List

    The action to take on email matched by the DNSBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to drop the session. The Delete and Edit/View icons.
  • Page 353: Email Address

    Spam filter Email address The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
  • Page 354: Mime Headers

    You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See “Using Perl regular expressions” on page 358. Note: MIME header entries are case sensitive. Example entries: X-mailer: outgluck; X-Distribution: bulk; Content_Type: text/html; Content_Type: image/jpg.
  • Page 355: Mime Headers List

    MIME headers list: You can configure the FortiGate unit to filter email with specific MIME header key-value pairs. You can mark each MIME header as clear or spam. (Figure 185: Sample MIME headers list.) MIME headers options: the MIME headers list has the following icons and features: Create New...
  • Page 356: Banned Word

    Perl regular expressions. See “Using Perl regular expressions” on page 358. This section describes: Banned word list, Banned word options, Configuring the banned word list.
  • Page 357: Banned Word Options

    Figure 187: Sample banned word list. Banned word options: Banned word has the following icons and features: Create New, Total, Pattern, Pattern Type, Language, Where, Action. When you select Create New or Edit you can configure the following settings for the banned word.
  • Page 358: Using Perl Regular Expressions

    ‘*’ means 0 or more times of the character before it. For example, the wildcard match pattern forti*.com should therefore be written as the regular expression forti.*\.com. The regular expression fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on, because an unescaped ‘.’ matches any character. To match fortinet.com, the regular expression should be: fortinet\.com. The regular expression forti*\.com matches fortiiii.com but does not match fortinet.com...
  • Page 359 Spam filter Word boundary In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also matches any word that contains the “test” such as “atest”, “mytest”, “testimony”, “atestb”.
  • Page 360 ‘/’ will be parsed as a list of regexp options ('i', 'x', etc). An error occurs If the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression. 01-28011-0254-20051115 Spam filter Fortinet Inc.
  • Page 361: Log & Report

    Log & Report: FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages, except traffic and content, can be saved in internal memory.
  • Page 362: Log Config

    This chapter describes: Log config, High Availability cluster logging, Log access, CLI configuration, Log Setting options, Alert E-mail options, Log filter options, Configuring log filters, Enabling traffic logging. See also the FortiGate Log documentation on the Fortinet Knowledge Center web site.
  • Page 363 Log locations: FortiLog, Disk, Memory, Syslog, WebTrends (Figure 190: Log setting options for all log locations). To configure Log Setting: Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
  • Page 364 Enter the port number used by the FTP server. The default port is 21, the standard FTP port. Enter the user name required to connect to the FTP server. Enter the password required to connect to the FTP server. (Table 38, “Logging …”, page 364.)
  • Page 365: Syslog Settings

    Remote Directory; Log files to upload. To configure log file uploading: Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server; the default is 21 (FTP). Enter the Username and Password required on the logging server. Note that FTP carries this user name and password, and the uploaded log files, in cleartext, so the upload path should stay on a trusted network or inside a VPN tunnel.
  • Page 366: Alert E-Mail Options

    The interval to wait before sending an alert e-mail for alert level log messages. The interval to wait before sending an alert e-mail for critical level log messages. The interval to wait before sending an alert e-mail for error level log messages.
  • Page 367: Log Filter Options

    Warning, Notification, Information, Apply. Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in “Log filter options”.
  • Page 368: Traffic Log

    You can apply the following filters: the FortiGate unit logs all traffic that is allowed according to the firewall policy settings; the FortiGate unit logs all traffic that violates the firewall policy settings. See “Enabling traffic logging” for more information.
  • Page 369 Event log categories: System Activity event, IPSec negotiation event, DHCP service event, L2TP/PPTP/PPPoE service event, Admin event, HA activity event, Firewall authentication event, Pattern update event. Anti-virus log: The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
  • Page 370: Configuring Log Filters

    The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic.
  • Page 371: High Availability Cluster Logging

    Log & Report To enable traffic logging for a firewall policy You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log. Go to Firewall > Policy. Select the Edit icon for a policy. Select Log Traffic.
  • Page 372 Clear log icon: Delete the log entries from the log file (but not the file). Download icon: Download the log as a text or CSV file. View icon: Display the log file through the web-based manager.
  • Page 373: Viewing Log Messages

    Select the View icon for the disk file you want to display. For detailed information about searching logs, see “Searching log messages” on page 375. Viewing log messages: You can view and navigate log messages saved to FortiGate hard disk drives or to the memory buffer.
  • Page 374 Move selected field up one position in the Show these fields list. Move selected field down one position in the Show these fields list.
  • Page 375: Searching Log Messages

    Log & Report To change the columns in the log message display While viewing log messages, select the Column Settings icon. The Column Settings window opens. To add fields, select them in the Available fields list and select the right arrow button. To remove fields, select them in the Show these fields list and select the left arrow button.
  • Page 376: Cli Configuration

    FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiGate unit to the FortiLog unit are encrypted in transit. Available on all models.
  • Page 377: Syslogd Setting

    log fortilog setting command keywords and variables (continued): psksecret <str_psk>, server <address_ipv4>, status {disable | enable}. Note: The IPSec VPN settings for the FortiGate unit must match the VPN settings on the FortiLog unit. Example: This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.
  • Page 378 server: Enter the IP address of the syslog server that stores the logs (no default). status: Enter enable to enable logging to a remote syslog server (default disable). facility default: local7 (see Table 39). Available on all models.
  • Page 379 Table 39: Facility types: alert, audit, auth, authpriv, clock, cron, daemon, kernel, local0 – local7, mail, news, syslog, user. Example: This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. A second example shows how to display the log setting for logging to a remote syslog server.
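    The facility keyword only changes the syslog PRI number that prefixes each message, which is what a collector uses to separate FortiGate logs from everything else arriving on the syslog server. The following added example (not FortiGate code) computes and decodes PRI values using the RFC 3164 facility numbers and the log levels listed in this chapter; the number 15 chosen for the 'clock' facility name is an assumption, and the sample lines are constructed, not captured from a unit.

```python
"""Added example (not FortiGate code): the syslog PRI arithmetic behind the
`facility` keyword. Facility numbers follow RFC 3164 (clock = 15 is this
example's assumption for the FortiGate 'clock' name); severities follow the
FortiGate log levels in this chapter. Sample log lines are constructed."""
import re

FACILITIES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "news": 7, "cron": 9, "authpriv": 10, "audit": 13, "alert": 14,
    "clock": 15,  # assumption: RFC 3164 "clock daemon"
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def syslog_pri(facility, severity):
    """RFC 3164: PRI = facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(line):
    """Return (facility, severity) from a '<PRI>' prefix, or None if the
    line has no well-formed prefix (PRI must be 0..191)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev]


def select(lines, facility, max_severity="warning"):
    """Keep lines from one facility at `max_severity` or more severe (a
    lower number is more severe), which is how a collector picks out a
    FortiGate's error-and-above messages once the unit logs with that
    facility."""
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue
        fac, sev = decoded
        if fac == facility and SEVERITIES[sev] <= SEVERITIES[max_severity]:
            kept.append(line)
    return kept


# Constructed sample: FortiGate-style key=value bodies behind RFC 3164 PRIs.
SAMPLE = [
    '<190>date=2005-11-15 time=10:00:01 type=event subtype=admin pri=information msg="User admin logged in"',
    '<187>date=2005-11-15 time=10:00:05 type=event subtype=admin pri=error msg="Login failed for admin"',
    '<12>date=2005-11-15 time=10:00:09 type=event subtype=system pri=warning msg="Facility set to user"',
    "garbage line without a PRI",
]

if __name__ == "__main__":
    print(syslog_pri("local7", "information"))      # 190, the unit's default facility
    print(syslog_pri("user", "warning"))             # 12
    for line in SAMPLE:
        print(decode_pri(line), line[:40])
    print(select(SAMPLE, "local7", "error"))
```

    Because the default facility is local7, which many hosts also use, setting the unit to a facility nothing else on the collector emits (the guide's example uses user) is what makes this kind of filtering reliable.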
  • Page 381: Fortiguard Categories

    FortiGuard categories: FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
  • Page 382 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.
  • Page 383 Table 40: FortiGuard categories (continued). 16. Weapons. Potentially Non-productive: 17. Advertisement; 18. Brokerage and Trading; 19. Freeware and Software Download; 20. Games; 21. Internet Communication; 22. Pay to Surf; 23. Web-based Email. Potentially Bandwidth Consuming: 24. File Sharing and Storage; 25. ...
  • Page 384 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.
  • Page 385 Table 40: FortiGuard categories (continued): 39. Reference Materials; 40. Religion; 41. Search Engines and Portals; 42. Shopping and Auction; 43. Social Organizations; 44. Society and Lifestyles; 45. Special Events; 46. Sports; 47. Travel; 48. Vehicles. Description (Reference Materials): Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies, ...
  • Page 386 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, "Address Allocation for Private Internets". Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities.
  • Page 387: Glossary

    VPN peer uses its identity as part of the authentication process. See also main mode. AH, Authentication Header: An IPSec security protocol. Fortinet IPSec uses ESP in tunnel mode, not AH. See ESP. ARP, Address Resolution Protocol: A protocol that resolves a logical IP address to a physical Ethernet address.
  • Page 388 The FortiGate interface that connects to an internal (private) network. Internet: The network that encompasses the world. As a generic term, it refers to any collection of interdependent networks. IP, Internet Protocol: The component of TCP/IP that handles routing.
  • Page 389 Any packets larger than the MTU are divided into smaller packets before they are sent. NAT, Network Address Translation: A way of routing IPv4 packets transparently. Using NAT, a router or FortiGate unit between a private and public network translates private IP addresses to public addresses and the other way around.
  • Page 390 A hardware device that connects computers on the Internet together and routes traffic between them. A router may connect a LAN and/or DMZ to the Internet. routing: The process of determining which path to use for sending packets to a destination.
  • Page 391 SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP agents store and return data about themselves to SNMP requesters. spam: Unsolicited email. SSH, Secure Shell: An application that enables users to log into a remote computer and run commands securely.
  • Page 392 Glossary
  • Page 393: Index

    Index: abr-type 179 accept action firewall policy 207 access-list 190 action firewall policy 205, 207 Spam filter banned word 357 Spam filter DNSBL and ORDBL 352 Spam filter IP address 350 Spam filter MIME headers 355 action type Spam filter email address 353 Action, Policy 285...
  • Page 394 357 where 357 banned word check protection profile 242 banned word list Spam filter 356 banned word options Spam filter 357 service 219 grayware category 317 bindtoif 289 block unrated websites (HTTP only) protection profile 241
  • Page 395 blocked web category report 340 border-routers 177 browsing the Internet through a VPN tunnel 270 CA certificates 281 cache FortiGuard 338 FortiShield 348 categories FortiGuard 337, 381 category protection profile 241 web category report 340 category block 337 configuration options 338 reports 339, 340 category blocking 337 Certificate Name 281...
  • Page 396 IP pool 237 dynamic port forwarding 230 dynamic port forwarding virtual IP adding 234 email address action type 353 adding an email address or domain to the Spam filter email address list 353 pattern type 353 Spam filter 353
  • Page 397 email address BWL check protection profile 242 email address list Spam filter 353 email address options Spam filter 353 email scanning oversize threshold 315 enable firewall policy 205, 212 Spam filter banned word 357 enable AutoSubmit quarantine 314 enable cache FortiShield 348 enable category block (HTTP only) protection profile 241...
  • Page 398 (reply) DSCP value 211 schedule 205, 207 service 205, 207 source 205 source address name 206 source interface/zone 206 traffic priority 210 traffic shaping 210 VPN tunnel 207 firewall protection profile default protection profiles 238 list 238 options 239
  • Page 399 340 reports 339 service points 337 TTL 339 Fortilog logging settings 363 fortilog setting 376 Fortinet customer service 24 Fortinet Knowledge Center 24 FortiProtect Distribution Network 132 FortiProtect Distribution Server 132 FortiShield cache 348 changing the FortiShield hostname 349...
  • Page 400 PPTP 94 primary cluster unit 93 primary unit 93 priorities of heartbeat device 98 random (schedule) 98 round-robin 98 schedule 98 standalone mode 96 unit priority 97 view the status of each cluster member 105 weighted-round-robin 98
  • Page 401 HA cluster members active sessions 106 back to HA configuration page 106 cluster ID 106 CPU usage 106 go 106 intrusion detected 106 memory usage 106 monitor 106 network utilization 106 refresh every 106 status 106 total bytes 106 total packets 106 up time 106 virus detected 106 header...
  • Page 402 184 load balancing HA 93 Local certificate list 279 Local certificate options 280 Local ID 266 Local SPI, Manual Key 271 Log & report 361 Log file upload settings 364 Log filter options 367 Log settings 362
  • Page 403 NetMeeting service 220 network address translation introduction 16 network intrusion detection 17 network utilization HA cluster members 106 network-type 197 next hop router 65 service 220 grayware category 316 NNTP service 220 nonconserve mode antivirus 317 none HA schedule 98...
  • Page 404 Phase 1 basic settings 263 Phase 1 list 262 Phase 2 266 Phase 2 advanced options 268 Phase 2 basic settings 268 Phase 2 list 267 PING service 220 ping generator IPSec VPN 274 plugin grayware category 316
  • Page 405 policy accept action 207 action 205, 207 adding 211 address name 206 advanced 208 allow inbound 207 allow outbound 207 authentication 209 changing the position in the policy list 212 comments 211 configuring 211 create new 205 deleting 211 deny action 207 dest 205 destination address name 206 destination interface/zone 206...
  • Page 406 311 date 311 DC 311 download 312 duplicates 312 file name 311 filter 311 options 311 service 311 sort by 311 status 311 status description 311 submit 312 TTL 311 upload status 311 Quick Mode Identities 270
  • Page 407 221 RLOGIN service 221 Round-Robin HA schedule 98 route 177 routemap 199 router next hop 65 router-id 180 routing configuring 70 policy 159 scan anomaly type 300 default protection profile 238 schedule automatic antivirus and attack definition updates 135...
  • Page 408 311 source firewall policy 205 source address name firewall policy 206 source interface/zone firewall policy 206 source IP address example 284 source port 222 source session limit anomaly type 300 spam action protection profile 243
  • Page 409 Spam filter 343 adding a server to the DNSBL and ORDBL list 352 adding an email address or domain to the Spam filter email address list 353 adding MIME headers to the Spam filter MIME header list adding words to the Spam filter banned word list 357 banned word 356 banned word list 356 banned word options 357...
  • Page 410 336 web filter 335 URL FortiShield check protection profile 242 user groups configuring 255 user-defined TCP services 222 Username 276 UUCP service 221 value Spam filter MIME headers 355 VDOLIVE service 221 virtual domain properties 146
  • Page 411 virtual IP 230 adding 232, 233, 234 adding a dynamic port forwarding virtual IP 234 adding a port forwarding virtual IP 233 adding a static NAT virtual IP 232 configuring 232 create new 231 deleting 234 editing 234 external interface 231 external IP address 231 external service port 232 firewall 230...
  • Page 412 333 web-based manager introduction 19 language 91, 92 timeout 91 WebTrends logging settings 365 weighted round-robin HA schedule 98 weighted-round-robin configuring weights 103 where Spam filter banned word 357 WINFRAME service 221 XAuth 266 X-WINDOWS service 221