Fortinet FortiGate FortiGate-3600 Installation Manual


FortiGate 3600

Installation Guide

Version 2.80 MR5
01 November 2004
01-28005-0027-20041101

Summary of Contents for Fortinet FortiGate FortiGate-3600

  • Page 1: Installation Guide

    FortiGate 3600 Installation Guide Version 2.80 MR5 01 November 2004 01-28005-0027-20041101...
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    Command line interface ... 7 Setup wizard ... 7 Document conventions ... 7 Fortinet documentation ... 9 Comments on Fortinet technical documentation... 9 Customer service and technical support... 10 Getting started ... 11 Package contents ... 11 Mounting ... 12 Turning the FortiGate unit power on and off ...
  • Page 4 High availability configuration settings ... 45 Configuring FortiGate units for HA using the web-based manager ... 47 Configuring FortiGate units for HA using the CLI... 48 Connecting the cluster to your networks... 49 Installing and configuring the cluster... 50 Index ... 53
  • Page 5: Introduction

    The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks.
  • Page 6: Secure Installation, Configuration, And Management

    The saved configuration can be restored at any time. Figure 1: Example of the FortiGate web-based manager login the web-based manager, the front panel control buttons and LCD, the command line interface (CLI), or the setup wizard.
  • Page 7: Command Line Interface

    You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.
  • Page 8 In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
  • Page 9: Fortinet Documentation

    FortiGate unit. For a complete list of FortiGate documentation visit Fortinet Technical Support at http://support.fortinet.com. Comments on Fortinet technical documentation: You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
  • Page 10: Customer Service And Technical Support

    Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
  • Page 11: Getting Started

    Factory default FortiGate configuration settings; Planning the FortiGate configuration; Next steps. FortiGate-3600 Antivirus Firewall; one red crossover ethernet cable (Fortinet part number CC300248); one gray regular ethernet cable (Fortinet part number CC300249); one null modem cable (Fortinet part number CC300247); FortiGate-3600 QuickStart Guide...
  • Page 12: Mounting

    The FortiGate-1000 unit may overload your supply circuit and impact your overcurrent protection and supply wiring. Use appropriate equipment nameplate ratings to address this concern. Make sure that the FortiGate-1000 unit has reliable earthing. Fortinet recommends direct connections to the branch circuit.
  • Page 13: Turning The Fortigate Unit Power On And Off

    Environmental specifications. Air flow. Mechanical loading. Turning the FortiGate unit power on and off. To power on the FortiGate unit: Connect the power cables to the power connections on the back of the FortiGate unit. Connect the power cables to power outlets.
  • Page 14: Connecting To The Web-Based Manager

    The interface is connected at 1000 Mbps. No link established. execute shutdown a computer with an ethernet connection, Internet Explorer version 4.0 or higher, a crossover cable or an ethernet hub and two ethernet cables.
  • Page 15: Connecting To The Command Line Interface (Cli)

    Type admin in the Name field and select Login. The Register Now window is displayed. It is important to register the FortiGate unit so that Fortinet can contact the unit for firmware updates. You must register to receive updates to the FortiGate antivirus and attack definitions.
  • Page 16: Factory Default Fortigate Configuration Settings

    FortiGate unit onto the network in Transparent mode. Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
  • Page 17: Factory Default Nat/Route Mode Network Configuration

    The factory default protection profiles can be used to apply different levels of antivirus protection, web content filtering, spam filtering, and IPS to the network traffic that is controlled by firewall policies. Factory default NAT/Route mode network configuration: When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in connect to the FortiGate unit web-based manager and establish the configuration...
  • Page 18: Factory Default Transparent Mode Network Configuration

    Primary DNS Server: Secondary DNS Server: Internal External Port 1 Port 2 Port 3 Port 4 Port 5/HA 192.168.100.1 external 207.192.200.1 207.192.200.129 admin (none) 10.10.10.1 255.255.255.0 207.194.200.1 207.194.200.129 HTTPS, Ping Ping Ping Ping Ping Ping Ping
  • Page 19: Factory Default Protection Profiles

    Table 4: Default firewall configuration. Configuration setting Name Firewall address Pre-defined service Recurring schedule Protection Profiles The factory default firewall configuration is the same in NAT/Route and Transparent mode. Factory default protection profiles: Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies.
  • Page 20: Planning The Fortigate Configuration

    NAT/Route mode (the default) or Transparent mode. NAT/Route mode In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode: •...
  • Page 21: Nat/Route Mode With Multiple External Network Connections

    You can add firewall policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Firewall policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network.
  • Page 22: Transparent Mode

    The management IP address is also used for antivirus and attack definition updates. You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewall functions, IPSec VPN, virus scanning, IPS, web content filtering, and Spam filtering.
  • Page 23: Configuration Options

    Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiGate unit. You can use the web-based manager GUI, the control buttons and LCD, or the command line interface (CLI) for the basic configuration of the FortiGate unit.
  • Page 24: Next Steps

    If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation” on page If you are going to operate two or more FortiGate units in HA mode, go to “High availability installation” on page
  • Page 25: Nat/Route Mode Installation

    This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see mode installation” on page units in HA mode, see about installing the FortiGate unit in NAT/Route mode, see configuration”...
  • Page 26: Dhcp Or Pppoe Configuration

    The default gateway directs all non-local traffic to this interface and to the external network. Primary DNS Server: Secondary DNS Server: Table 2
  • Page 27: Using The Web-Based Manager

    You can use the web-based manager for the initial configuration of the FortiGate unit. You can also continue to use the web-based manager for all FortiGate unit settings. For information about connecting to the web-based manager, see web-based manager”...
  • Page 28: Using The Front Control Buttons And Lcd

    The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE. Go to System > Router > Static. If the Static Route table contains a default route (IP and Mask set to 0.0.0.0), select the Delete icon to delete this route.
  • Page 29: Using The Command Line Interface

    After you set the last digit of the IP address, press Enter. Use the down arrow to highlight Netmask. Press Enter and set the internal Netmask. After you set the last digit of the Netmask, press Enter. Press Esc to return to the Main Menu.
  • Page 30 <204.23.1.5> <255.255.255.0> config system interface edit external set mode dhcp config system interface edit external set mode pppoe set connection enable set username <name_str> set password <psswrd> 26. Enter: Table 5 on page
  • Page 31 <address_ip> set secondary <address_ip> config system dns set primary 293.44.75.21 set secondary 293.44.75.22 config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway <gateway_IP> set device <interface> config router static edit 1 set dst 0.0.0.0 0.0.0.0...
  • Page 32: Using The Setup Wizard

    POP3 server IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here. for other settings. Table 5 on page Table 5 on page
  • Page 33: Starting The Setup Wizard

    Table 8: Setup wizard settings. Antivirus. Starting the setup wizard: In the web-based manager, select Easy Setup Wizard. Figure 8: Select the Easy Setup Wizard. Follow the instructions on the wizard pages and use the information that you gathered Select the Next button to step through the wizard pages.
  • Page 34 Figure 9: FortiGate-3600 NAT/Route mode connections Other Network Internal for connecting to the internal network, External for connecting to your public switch or router and the Internet. 2, 3, and 4 for connecting to networks, 5/HA to connect to another FortiGate-3600 for high availability (see availability installation”...
  • Page 35: Configuring The Networks

    If you are running the FortiGate unit in NAT/Route mode, the networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected. If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
  • Page 36 After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
  • Page 37: Transparent Mode Installation

    This chapter describes how to install a FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see page availability installation” on page FortiGate unit in Transparent mode, see page This chapter describes: •...
  • Page 38: Using The Web-Based Manager

    The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer. Primary DNS Server: Secondary DNS Server: _____._____._____._____...
  • Page 39: Reconnecting To The Web-Based Manager

    Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
  • Page 40: Using The Command Line Interface

    Operation mode: Transparent Table 9 on page 38. Enter: config system manageip set ip <address_ip> <netmask> config system manageip set ip 10.10.10.2 255.255.255.0 get system manageip 15. Use the to complete the following
  • Page 41: Using The Setup Wizard

    config system dns set primary <address_ip> set secondary <address_ip> config system dns set primary 293.44.75.21 set secondary 293.44.75.22 config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway <address_gateway> set device <interface> config router static edit 1 set dst 0.0.0.0 0.0.0.0...
  • Page 42: Reconnecting To The Web-Based Manager

    Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
  • Page 43: Next Steps

    Select Set Time and set the FortiGate system date and time. Set the hour, minute, second, month, day, and year as required. Select Apply.
  • Page 44 After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
  • Page 45: High Availability Installation

    This chapter describes how to install two or more FortiGate units in an HA cluster. HA installation involves three basic steps: • • • For information about HA, see the FortiGate Administration Guide and the FortiOS High Availability technical note. Priorities of heartbeat device and monitor priorities: The procedures in this chapter do not include steps for changing the priorities of heartbeat devices or for configuring monitor priorities settings.
  • Page 46 Load balancing according to IP address and port. If the FortiGate units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the Source IP, Source Port, Destination IP, and Destination port of the packet.
  • Page 47: Configuring Fortigate Units For Ha Using The Web-Based Manager

    Use the following procedure to configure each FortiGate unit for HA operation. To change the FortiGate unit host name: Changing the host name is optional, but you can use host names to identify individual cluster units.
  • Page 48: Configuring Fortigate Units For Ha Using The Cli

    <password_str> set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin} “Connecting the cluster to your networks” on page config system global set opmode transparent
  • Page 49: Connecting The Cluster To Your Networks

    Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster.
  • Page 50: Installing And Configuring The Cluster

    “Transparent mode installation” on page 37 to install the cluster on your network. “NAT/Route
  • Page 51 When you connect to the cluster, you are actually connecting to the primary cluster unit. The cluster automatically synchronizes all configuration changes to the subordinate units in the cluster as the changes are made. The only configuration settings that are not synchronized are the HA configuration (except for the interface heartbeat device and monitoring configuration) and the FortiGate host name.
  • Page 52 Installing and configuring the cluster High availability installation 01-28005-0027-20041101 Fortinet Inc.
  • Page 53: Index

    (Transparent mode) 41 environmental specifications 13 firewall setup wizard 6, 27, 32, 38, 41 starting 27, 33, 38, 42 Fortinet customer service 10 front keypad and LCD configuring IP address 39 configuring FortiGate units for HA operation 45 connecting an HA cluster 49, 50...
  • Page 54 Index 01-28005-0027-20041101 Fortinet Inc.
