Page 1 FortiGate 50A FortiGate-50A Administration Guide Administration Guide STATUS INTERNAL EXTERNAL LINK 100 LINK 100 Version 2.80 MR6 5 November 2004 01-28006-0001-20041105...
Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Page 3: Table Of Contents
Intrusion Prevention System (IPS)... 16 VPN... 17 Secure installation, configuration, and management ... 17 Document conventions ... 19 FortiGate documentation ... 20 Comments on Fortinet technical documentation... 20 Related documentation ... 21 FortiManager documentation ... 21 FortiClient documentation ... 21 FortiMail documentation... 21 FortiLog documentation ...
Page 4 DHCP IP/MAC binding settings ... 79 Dynamic IP... 79 System config ... 81 System time ... 81 Options... 82 SNMP... 84 Configuring SNMP ... 85 SNMP community ... 85 FortiGate MIBs... 88 FortiGate traps ... 88 Fortinet MIB fields ... 90 01-28006-0001-20041105 Fortinet Inc.
Page 5 Configuring routing for a virtual domain ... 126 Configuring firewall policies for a virtual domain ... 126 Configuring IPSec VPN for a virtual domain ... 128 Router ... 129 Static ... 129 Static route list ... 131 Static route options ... 132...
Page 6 ... 152 config router static6... 175 Firewall... 177 Policy ... 178 How policy matching works... 178 Policy list ... 179 Policy options... 179 Advanced policy options ... 182 Configuring firewall policies ... 184 Policy CLI configuration ... 185 01-28006-0001-20041105 Fortinet Inc.
Page 7 Address... 186 Address list ... 187 Address options ... 187 Configuring addresses ... 188 Address group list ... 189 Address group options ... 189 Configuring address groups... 190 Service ... 190 Predefined service list... 191 Custom service list... 194 Custom service options... 194 Configuring custom services...
Page 8 Setting up a PPTP-based VPN ... 247 Enabling PPTP and specifying a PPTP range ... 248 Configuring a Windows 2000 client for PPTP ... 249 Configuring a Windows XP client for PPTP ... 249 PPTP passthrough... 250 01-28006-0001-20041105 Fortinet Inc.
Page 9 L2TP ... 251 Setting up a L2TP-based VPN... 252 Enabling L2TP and specifying an L2TP range... 252 Configuring a Windows 2000 client for L2TP... 253 Configuring a Windows XP client for L2TP ... 254 Certificates ... 256 Viewing the certificate list... 257 Generating a certificate request...
Page 10 Configuring the web URL block list ... 313 Web pattern block list... 314 Web pattern block options ... 315 Configuring web pattern block ... 315 URL exempt ... 315 URL exempt list... 316 URL exempt list options ... 316 Configuring URL exempt... 316 01-28006-0001-20041105 Fortinet Inc.
Page 11 Category block ... 317 FortiGuard managed web filtering service ... 317 Category block configuration options... 318 Configuring web category block... 319 Category block reports... 319 Category block reports options ... 320 Generating a category block report... 320 Category block CLI configuration... 320 Script filter ...
Page 12 Contents CLI configuration... 350 fortilog setting... 350 syslogd setting ... 351 FortiGuard categories ... 355 FortiGate maximum values ... 361 Glossary ... 365 Index ... 369 01-28006-0001-20041105 Fortinet Inc.
Page 13: Introduction
• • The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
Page 14: Antivirus Protection
PKZip format, detect viruses in email that has been encoded using uuencode format, detect viruses in email that has been encoded using MIME encoding, log all actions taken while scanning. 01-28006-0001-20041105 Introduction Fortinet Inc.
Page 15: Spam Filtering
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. FortiGate-50A Administration Guide...
Page 16: Vlans And Virtual Domains
NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network. Route mode policies accept or deny connections between networks without performing address translation. 01-28006-0001-20041105 Introduction Fortinet Inc.
Page 17: Vpn
Introduction Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network. FortiGate VPN features include the following: • • • • • • •...
Page 18: Command Line Interface
IPSec tunnel negotiation, virus detection, attacks, and web page blocking, report attacks detected by the IPS, send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations. 01-28006-0001-20041105 Introduction Fortinet Inc.
Page 19: Document Conventions
Introduction Document conventions This guide uses the following conventions to describe CLI command syntax. • • • • FortiGate-50A Administration Guide Angle brackets < > to indicate variables. For example: execute restore config <filename_str> You enter: execute restore config myfile.bak <xxx_str>...
Page 20: Fortigate Documentation
• • • • Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. set allowaccess snmp In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
Page 21: Related Documentation
Introduction Related documentation Additional information about Fortinet products is available from the following related documentation. FortiManager documentation • • • FortiClient documentation • • FortiMail documentation • • • FortiGate-50A Administration Guide FortiManager QuickStart Guide Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
Page 22: Fortilog Documentation
FortiLog unit as a NAS server. FortiLog online help Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work. 01-28006-0001-20041105 Introduction Fortinet Inc.
Page 23: Customer Service And Technical Support
Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
Page 24 Customer service and technical support Introduction 01-28006-0001-20041105 Fortinet Inc.
Page 25: System Status
System status You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: • •...
Page 26: Status
Select to set the selected automatic refresh interval. Select to manually update the system status display. The time in days, hours, and minutes since the FortiGate unit was last started. The current time according to the FortiGate unit internal clock. 01-28006-0001-20041105 System status Fortinet Inc.
Page 27: Unit Information
System status Log Disk Notification Unit Information Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see Host Name Firmware Version Antivirus Definitions The current installed version of the FortiGate Antivirus Definitions. Attack Definitions Serial Number Operation Mode...
Page 28 The time at which the recent intrusion was detected. The source and destination addresses of the attack. The service from which the attack was delivered; HTTP, FTP, IMAP, POP3, or SMTP. The name of the attack. 01-28006-0001-20041105 System status Fortinet Inc.
Page 29: Changing Unit Information
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
Page 30 Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
Page 31: Session List
System status Select OK. The FortiGate unit changes operation mode. To reconnect to the web-based manager, you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal interface. The default internal interface IP address is 192.168.1.99.
Page 32: Changing The Fortigate Firmware
FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1: Firmware upgrade procedures...
Page 33: Upgrading The Firmware Using The Cli
System status To upgrade the firmware using the web-based manager Copy the firmware image file to your management computer. Log into the web-based manager as the admin administrative user. Note: To use this procedure you must login using the admin administrator account, or an administrator account that has system configuration read and write privileges.
Page 34: Reverting To A Previous Firmware Version
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
Page 35: Reverting To A Previous Firmware Version Using The Cli
System status To revert to a previous firmware version using the web-based manager Copy the firmware image file to the management computer. Log into the FortiGate web-based manager. Note: To use this procedure you must login using the admin administrator account, or an administrator account that has system configuration read and write privileges.
Page 36 Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
Page 37: Installing Firmware Images From A System Reboot Using The Cli
System status To confirm that the new firmware image has been loaded, enter: get system status To restore your previous configuration if needed, use the command: execute restore config <name_str> <tftp_ipv4> Update antivirus and attack definitions. For information, see the CLI, enter: execute update_now Installing firmware images from a system reboot using the CLI This procedure installs a specified firmware image and resets the FortiGate unit to...
Page 38 [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H: 01-28006-0001-20041105 System status execute reboot command. Fortinet Inc.
Page 39: Restoring The Previous Configuration
System status Type an IP address that the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
Page 40: Testing A New Firmware Image Before Installing It
The TFTP server should be on the same subnet as the internal interface. FortiGate unit running v2.x BIOS Press Any Key To Download Boot Image. FortiGate unit running v3.x BIOS Press any key to display configuration menu... 01-28006-0001-20041105 System status execute reboot command. Fortinet Inc.
Page 41 System status If you successfully interrupt the startup process, one of the following messages appears: • • Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiGate unit to connect to the FTP...
Page 42 Changing the FortiGate firmware System status 01-28006-0001-20041105 Fortinet Inc.
Page 43: System Network
System network System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
Page 44: Interface Settings
Bring Down or Bring Up. For more information, “To bring down an interface that is administratively up” on page 50 “To start up an interface that is administratively down” on page Delete, edit, and view icons. 01-28006-0001-20041105 System network “VLAN Fortinet Inc.
Page 45 System network Figure 6: Interface settings See the following procedures for configuring interfaces: • • • • • • • • • • • • Name The name of the Interface. Interface Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
Page 46 Interface The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see Virtual Domain Select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
Page 47 System network PPPoE If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
Page 48 Ping server Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address.
Page 49: Configuring Interfaces
System network SNMP TELNET To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
Page 50 54. You cannot add an interface to a zone if you have added firewall policies for “To add a virtual domain” on page 01-28006-0001-20041105 “To add a zone” on 123. You cannot add an interface to a virtual System network Fortinet Inc.
Page 51 System network To change the static IP address of an interface You can change the static IP address of any FortiGate interface. Go to System > Network > Interface. Choose an interface and select Edit. Set Addressing Mode to Manual. Change the IP address and Netmask as required.
Page 52 To add a ping server to an interface Go to System > Network > Interface. Choose an interface and select Edit. Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box.
Page 53: Zone
System network Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration.
Page 54: Zone Settings
Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. Enter the name to identify the zone. Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone. 01-28006-0001-20041105 System network Fortinet Inc.
Page 55: Management
System network Select the Block intra-zone traffic check box if you want to block traffic between interfaces or VLAN subinterfaces in the same zone. Select the names of the interfaces or VLAN subinterfaces to add to the zone. Select OK. To delete a zone You can only delete zones that have the Delete icon beside them in the zone list.
Page 56: Dns
FortiGate unit from. Enter the default gateway address. Select the virtual domain from which you want to perform system management. 01-28006-0001-20041105 83). This must be a valid IP System network “To Fortinet Inc.
Page 57: Routing Table (Transparent Mode)
System network You can configure primary and secondary DNS server addresses, or you can configure the FortiGate unit to obtain DNS server addresses automatically. To obtain addresses automatically, at least one interface must use the DHCP or PPPoE addressing mode. See If you enable DNS Forwarding on an interface, hosts on the attached network can use the interface IP address as their DNS server.
Page 58: Transparent Mode Route Settings
Move To icon. Select to change the order of a route in the list. Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic The the relative preferability of this route. 1 is most preferred.
Page 59: Configuring The Modem Interface
System network Configuring the modem interface You can connect a modem to the FortiGate unit and use it as either a backup interface or standalone interface in NAT/Route mode. • • When connecting to the ISP, in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
Page 60: Configuring Modem Settings
The user name (maximum 63 characters) sent to the ISP. The password sent to the ISP. 01-28006-0001-20041105 System network Fortinet Inc.
Page 61: Connecting And Disconnecting The Modem
System network To configure modem settings You can configure and use the modem in NAT/Route mode only. Go to System > Network > Modem. Select Enable USB Modem. Change any of the following dialup connection settings: Enter the following Dialup Account 1 settings: If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.
Page 62: Standalone Mode Configuration
From the Redundant for list, select the ethernet interface that the modem is replacing. “Configuring modem settings” on page “To add a ping server to an interface” on page “Adding firewall policies for modem connections” on page 01-28006-0001-20041105 System network Fortinet Inc.
Page 63: Adding Firewall Policies For Modem Connections
System network Configure other modem settings as required. Make sure there is correct information in one or more Dialup Accounts. Select Dial Up. The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP. Configure firewall policies for connections to the modem interface.
Page 64: Fortigate Units And Vlans
VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as router, firewall, or layer 3 switch.
Page 65: Rules For Vlan Ids
System network In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged.
Page 66: Adding Vlan Subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
Page 67: Vlans In Transparent Mode
FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
Page 68 VLAN3 VLAN3 shows a FortiGate unit operating in Transparent mode and configured with 01-28006-0001-20041105 FortiGate unit External root virtual domain VLAN1 VLAN2 VLAN1 VLAN3 VLAN Switch VLAN trunk New virtual domain VLAN2 VLAN3 System network Internet or router Fortinet Inc.
Page 69: Rules For Vlan Ids
Enter VLAN POWER switch Internet “System virtual domain” on page 119 01-28006-0001-20041105 VLANs in Transparent mode VLAN 3 VLAN ID = 300 VLAN 1 VLAN 2 VLAN 3 External VLAN 1 VLAN VLAN 2 Trunk VLAN 3 Untagged packets Router...
Page 70: Transparent Mode Vlan List
Delete icon. Select to delete a VLAN subinterface. View/Edit icon. Select to view or edit an interface or VLAN subinterface. “Interface settings” on page 44 01-28006-0001-20041105 for information about for descriptions of all VLAN settings. System network “To control Fortinet Inc.
Page 71 The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN- tagged packets.
Page 72: Fortigate Ipv6 Support
The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
Page 73: System Dhcp
System DHCP You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time. Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.
Page 74: Dhcp Service Settings
Select DHCP Server if you want the FortiGate unit to be the DHCP server. “To configure an interface to be a DHCP server” on page 01-28006-0001-20041105 System DHCP “To configure an interface as a Fortinet Inc.
Page 75: Server
System DHCP Set type to Regular. Enter the DHCP Server IP address. Select OK. To configure an interface to be a DHCP server You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface.
Page 76: Dhcp Server Settings
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. 75), you must configure a DHCP server for 01-28006-0001-20041105 System DHCP “To configure Fortinet Inc.
Page 77: Exclude Range
DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
Page 78: Dhcp Exclude Range Settings
The IP address for the IP and MAC address pair. The IP address must be within the configured IP range. Delete icon. Delete an IP/MAC binding pair. Edit/View icon. View or modify an IP/MAC binding pair. 01-28006-0001-20041105 System DHCP Fortinet Inc.
Page 79: Dhcp Ip/Mac Binding Settings
System DHCP DHCP IP/MAC binding settings Figure 29: IP/MAC binding options Name IP Address MAC Address To add a DHCP IP/MAC binding pair Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
Page 80 Dynamic IP System DHCP 01-28006-0001-20041105 Fortinet Inc.
Page 81: System Config
System config Use the System Config page to make any of the following changes to the FortiGate system configuration: • • • • • System time Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
Page 82: Options
NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. Timeout settings including the idle timeout and authentication timeout The language displayed by the web-based manager Dead gateway detection interval and failover detection 01-28006-0001-20041105 System config Fortinet Inc.
Page 83 System config Figure 31: System config options Idle Timeout Auth Timeout Language Detection Interval Fail-over Detection Set the ping server dead gateway detection failover number. Enter the To set the system idle timeout Go to System > Config > Options. For Idle Timeout, type a number in minutes.
Page 84: Snmp
FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of...
Page 85: Configuring Snmp
System config Configuring SNMP Go to System > Config > SNMP v1/v2c to configure the SNMP agent. Figure 32: Configuring SNMP SNMP Agent Description Location Contact Apply Create New Communities Name Queries Traps Enable Delete icon Edit/View icon SNMP community An SNMP community is a grouping of equipment for network administration purposes.
Page 86 SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
Page 87 System config Queries Traps SNMP Event To configure SNMP access to an interface in NAT/Route mode Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See control administrative access to an interface”...
Page 88: Fortigate Mibs
Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
Page 89 System config Table 4: Generic FortiGate traps Trap message ColdStart WarmStart LinkUp LinkDown Table 5: FortiGate system traps Trap message CPU usage high (SysCpuHigh) Disk low <FortiGate_serial_no> <interface_name> HA state HA switch Memory low (SysMemLow) The <interface_name> Interface IP is changed to <new_IP>...
Page 90: Fortinet Mib Fields
The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Page 91 System config Table 12: HA MIB fields MIB field groupId priority override autoSync schedule stats Table 13: Administrator accounts MIB field index name addr mask perm Table 14: Local users MIB field index name auth state FortiGate-50A Administration Guide Description HA group ID.
Page 92: Replacement Messages
The source port of the active IP session. The destination IP address of the active IP session. The destination port of the active IP session. The expiry time or time-to-live in seconds for the session. 01-28006-0001-20041105 System config Fortinet Inc.
Page 93: Replacement Messages List
System config Replacement messages list Figure 35: Replacement messages list Name Description To change a replacement message Go to System > Config > Replacement Messages. Select the category of replacement message to edit by clicking on the blue triangle for that category.
Page 94: Changing Replacement Messages
For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of web page that sent the virus. 01-28006-0001-20041105 System config Table 17 lists the Fortinet Inc.
Page 95: Fortimanager
The name of the web filtering service. The name of the content category of the web site. The Fortinet logo. and a FortiManager Server. The remote ID of the FortiManager IPSec tunnel. The IP Address of the FortiManager Server.
Page 96 FortiManager System config 01-28006-0001-20041105 Fortinet Inc.
Page 97: System Administration
System administration When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiGate unit.
Page 98: Administrators List
FortiGate unit. You can specify up to three trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see profiles, see “Access profile list” on page 01-28006-0001-20041105 System administration “Using trusted hosts” on page 100. Fortinet Inc.
Page 99: Access Profiles
System administration Type a login name for the administrator account. Type and confirm a password for the administrator account. Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager. Select the access profile for the administrator. Select OK.
Page 100: Access Profile List
Allow or deny access to the authorized users feature. Allow or deny access to the administrative users feature. Allow or deny access to the FortiProtect Distribution Network update feature. Allow or deny access to the system shutdown and reboot functionality. 01-28006-0001-20041105 System administration Fortinet Inc.
Page 101 System administration To configure an access profile Go to System > Admin > Access Profile. Select Create New to add an access profile, or select the edit icon to edit an existing access profile. Enter a name for the access profile. Select or clear the Access Control check boxes as required.
Page 102 Access profiles System administration 01-28006-0001-20041105 Fortinet Inc.
Page 103: System Maintenance
System maintenance Use the web-based manager to maintain the FortiGate unit. Backup and restore You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files. Figure 43: Backup and restore list Category Latest Backup...
Page 104: Backing Up And Restoring
IPS User-Defined Upload or download IPS signatures. Signatures All Certificates Restore or back up all VPN certificates in a single password- protected file. See VPN certificates” on page 01-28006-0001-20041105 System maintenance “To restore VPN certificates” “To back up 105. Fortinet Inc.
Page 105 System maintenance Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories Go to System >...
Page 106: Update Center
• • • To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. “To enable scheduled updates” on page 111. User-initiated updates from the FDN, Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
Page 107 System maintenance Figure 44: Update center FortiProtect Distribution Network Push Update Refresh Use override server address FortiGate-50A Administration Guide The status of the connection to the FortiProtect Distribution Network (FDN). Available means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates.
Page 108: Updating Antivirus And Attack Definitions
The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings. 01-28006-0001-20041105 System maintenance Fortinet Inc.
Page 109 System maintenance To update antivirus and attack definitions Go to System > Maintenance > Update center. Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent.
Page 110 <proxy-address_ip> set port <proxy-port> set username <username_str> set password <password_str> set status enable config system autoupdate tunneling set address 67.35.50.34 set port 8080 set username proxy_user set password proxy_pwd set status enable 01-28006-0001-20041105 System maintenance Fortinet Inc.
Page 111: Enabling Push Updates
System maintenance There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
Page 112: Enabling Push Updates Through A Nat Device
In the External Interface section, select the external interface that the FDN connects In the Type section, select Port Forwarding. In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to. 01-28006-0001-20041105 System maintenance Fortinet Inc.
Page 113: Support
You can select Refresh to make sure that push updates work. Push Update changes to Available. Support You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS).
Page 114: Sending A Bug Report
Test Select Report Bug to submit problems with the FortiGate unit to Fortinet Support. Enter the contact information so that FortiNet support can reply to your bug report. Items marked with an * are required. unit. Send diagnostic information about the FortiGate unit, including its current configuration, to Fortinet for analysis.
Page 115: Registering A Fortigate Unit
FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: •...
Page 116 For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
Page 117: Shutdown
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.
Page 118 The FortiGate unit restarts with the configuration that it had when it was first powered Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. 01-28006-0001-20041105 System maintenance Fortinet Inc.
Page 119: System Virtual Domain
System virtual domain FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
Page 120: Virtual Domain Properties
System virtual domain 125) “To select a management virtual 124) “To configure routing for a virtual 126) “To configure the routing 126) 126) “To add IP pools to a virtual “To add Virtual IPs to a virtual 128) Fortinet Inc. 127)
Page 121: Shared Configuration Settings
System virtual domain Shared configuration settings The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings. • • • • • •...
Page 122: Administration And Management
A check mark icon in this column indicates that this is the domain used for system management. Delete icon. Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management. 01-28006-0001-20041105 System virtual domain Fortinet Inc.
Page 123: Adding A Virtual Domain
Selecting a management virtual domain In NAT/Router mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”...
Page 124: Configuring Virtual Domains
Go to System > Network > Interface. Adding interfaces, VLAN subinterfaces, and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtual domain 01-28006-0001-20041105 System virtual domain Fortinet Inc.
Page 125 System virtual domain Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
Page 126: Configuring Routing For A Virtual Domain
53. Any zones that you add are added to the current virtual “Router” on page 129. Network traffic entering this virtual domain is routed only “Routing table (Transparent Mode)” on page 01-28006-0001-20041105 System virtual domain 57. Network traffic entering this Fortinet Inc.
Page 127 System virtual domain Select Create new to add firewall policies to the current virtual domain. interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
Page 128: Configuring Ipsec Vpn For A Virtual Domain
Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See page 233. 01-28006-0001-20041105 System virtual domain “VPN” on Fortinet Inc.
Page 129: Router
You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
Page 130 • • • The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
Page 131: Static Route List
Router Figure 50: Destinations on networks behind internal routers To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24...
Page 132: Static Route Options
The destination IP address for this route. The netmask for this route. The IP address of the first next hop router to which this route directs traffic. The name of the FortiGate interface through which to route traffic. The administrative distance for the route.
Page 133: Policy
Router Figure 53: Move a static route For Move to, select either Before or After and type the number that you want to place this route before or after. Select OK. The route is displayed in the new location on the static route list.
Page 134: Policy Route Options
Match packets that have this destination IP address and netmask. Match packets that have this destination port range. To match a single port, enter the same port number for both From and To. Send packets that match this policy route to this next hop router. 01-28006-0001-20041105 Router...
Page 135: General
Router RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 56: RIP General settings...
Page 136: Networks List
Static Metric Route-map To configure RIP general settings Go to Router > RIP > General. Select the default RIP Version. Change the Default Metric if required. Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
Page 137: Networks Options
Figure 58: RIP Networks configuration To configure a RIP network Go to Router > RIP > Networks. Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network.
Page 138: Interface Options
In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. 01-28006-0001-20041105 Router...
Page 139: Distribute List
Password Key-chain To configure a RIP interface Go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
Page 140: Distribute List Options
Interface Enable To configure a distribute list Go to Router > RIP > Distribute List. Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
Page 141: Offset List
Interface Enable To configure an offset list Go to Router > RIP > Offset List. Select Create New to add a new offset list or select the edit icon beside an existing offset list to edit that offset list. FortiGate-50A Administration Guide Add a new offset list.
Page 142: Router Objects
Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects Router objects are a set of tools used by routing protocols and features. Access list Access lists are filters used by FortiGate routing features.
Page 143: New Access List Entry
Router To add an access list name Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry Figure 67: Access list entry configuration list Entry...
Page 144: New Prefix List
Prefix New Prefix list Figure 69: Prefix list name configuration To add a prefix list name Go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. Add a new prefix list name. An access list and a prefix list cannot have the same name.
Page 145: New Prefix List Entry
Less or equal to To configure a prefix list entry Go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry.
Page 146: New Route-Map
Route-map rules New Route-map Figure 72: Route map name configuration To add a route map name Go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK. Add a new route map name.
Page 147: Route-Map List Entry
Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric. The metric can be a number from 1 to 16.
Page 148: Key Chain List
New key chain Figure 75: Key chain name configuration To add a key chain name Go to Router > Router Objects > Key-chain. Select Create New. for information on setting the FortiGate system date and Add a new key chain.
Page 149: Key Chain List Entry
Start To configure a key chain entry Go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
Page 150: Monitor
Up Time To filter the routing monitor display Go to Router > Monitor > Routing Monitor. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
Page 151: Cli Configuration
Show the current state of active routing protocols. Command syntax FortiGate-50A Administration Guide get router info ospf {border-routers | database | interface | neighbor | route | virtual-links} Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
Page 152: Get Router Info Rip
An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
Page 153 Router Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables Keywords and variables abr-type {cisco | ibm | shortcut | standard} database-overflow {disable | enable} database-overflow- max-lsas <lsas_integer>...
Page 154 <address_ipv4> spf-timers <delay_integer> <hold_integer> Example This example shows how to set the OSPF router ID to 1.1.1.1: Description Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214. Configure the administrative distance for all OSPF routes.
Page 155 This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
Page 156 Enable or disable redistributing routes into a NSSA area. 01-28006-0001-20041105 Router Default Availability All models. none All models. All models. disable All models. All models. All models. enable Fortinet Inc.
Page 157 This example shows how to display the settings for area 15.1.1.1. FortiGate-50A Administration Guide Description A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain.
Page 158 Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list. 01-28006-0001-20041105 Router 143. Default Availability All models. All models. default. Fortinet Inc.
Page 159 The range id_integer can be 0 to 4294967295. FortiGate-50A Administration Guide config router ospf config area edit 15.1.1.1 config filter-list config router ospf config area edit 15.1.1.1...
Page 160 Enable or disable using a substitute prefix. disable All models. config router ospf config area edit 15.1.1.1 config range config router ospf config area edit 15.1.1.1 01-28006-0001-20041105 Default enable default default. edit 1 set prefix 1.1.0.0 255.255.0.0 Router Availability All models. All models. All models. Fortinet Inc.
Page 161 Virtual links can only be set up between two area border routers (ABRs). config virtual link command syntax pattern Note: Only the peer keyword is required. All other keywords are optional. FortiGate-50A Administration Guide config router ospf config area edit 15.1.1.1 show config virtual-link edit <name_str>...
Page 162 15 characters. The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead- interval should be four times the value of the hello-interval. Both ends of the virtual link must use the same value for dead- interval.
Page 163 This example shows how to configure a virtual link. This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. config distribute-list Access the config distribute-list subcommand using the config router ospf command. FortiGate-50A Administration Guide Description The time, in seconds, to wait before sending a LSA retransmission.
Page 164 Enter the name of the access list to use for this distribute list. Advertise only the routes discovered by the specified protocol and that are permitted by the named access list. 01-28006-0001-20041105 Router Default Availability No default. All models. All models. connected Fortinet Inc.
Page 165 This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
Page 166 1 set ip 192.168.21.63 config router ospf config neighbor edit 1 config router ospf config neighbor edit 1 show 01-28006-0001-20041105 Router Default Availability All models. 0.0.0.0 All models. All models. All models. Fortinet Inc.
Page 167: Config Network
Router config network Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern...
Page 168 This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
Page 169 Enable or disable flooding LSAs out of this interface. The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. All routers on the network must use the same value for dead- interval.
Page 170 MTUs so that they match. 01-28006-0001-20041105 Router Default Availability All models. No default. All models. No default. All models. No default. All models. authentication must be set to md5. 1500 All models. All models. disable Fortinet Inc.
Page 171 “config neighbor” on page 165. Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 can not be elected DR or BDR.
Page 172: Config Redistribute
This example shows how to display the configuration for the OSPF interface configuration named test. config redistribute Access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network.
Page 173 This example shows how to display the OSPF settings. This example shows how to display the OSPF configuration. config summary-address Access the config summary-address subcommand using the config router ospf command. FortiGate-50A Administration Guide config redistribute {connected | static | rip} set <keyword>...
Page 174 Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page route, you reduce the size of the OSPF link-state database.
Page 175: Config Router Static6
Enter ::/0 for the destination IPV6 address and netmask to add a default route. The IPV6 address of the first next hop router to which this route directs traffic. 01-28006-0001-20041105 CLI configuration Default Availability All models.
Page 176 This example shows how to display the configuration for IPV6 static route 2. config router static6 edit 2 set dev internal set dst 12AB:0:0:CD30::/60 set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF get router static6 get router static6 2 show router static6 show router static6 2 01-28006-0001-20041105 Router Fortinet Inc.
Page 177: Firewall
Firewall Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
Page 178: Policy
Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. How policy matching works Policy list Policy options Advanced policy options Configuring firewall policies 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 179: Policy List
Firewall Policy list You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 78: Sample policy list The policy list has the following icons and features. Create new Source Dest Schedule Service Action Enable source -> destination (n) Policy list headings indicating the traffic to which the policy Figure 79: Move to options Policy options Policy options are configurable when creating or editing a firewall policy.
Page 180 Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See 01-28006-0001-20041105 Firewall “Addresses” on page “Virtual IP” on page 186. “Schedule” on page 198. “Service” on page 190. Fortinet Inc. 202.
Page 181 Firewall Action VPN Tunnel Protection Profile Log Traffic Advanced FortiGate-50A Administration Guide Select how you want the firewall to respond when the policy matches a connection attempt. • ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy. •...
Page 182: Advanced Policy Options
HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service. 227. 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 183: Traffic Shaping
Firewall In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or Telnet server using a domain name. Traffic Shaping Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the policy.
Page 184: Configuring Firewall Policies
Set the DSCP value for reply packets. For example, for an Internal -> External policy the value is applied to incoming reply packets before they exit the internal interface and returned to the originator. 178. 01-28006-0001-20041105 Firewall “Policy options” on page 179. “How policy matching Fortinet Inc.
Page 185: Policy Cli Configuration
Firewall Select the position for the policy. Select OK. To disable a policy Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy.
Page 186: Address
192.168.110.* to represent all addresses on the subnet Address list Address options Configuring addresses Address group list Address group options Configuring address groups 01-28006-0001-20041105 Firewall Default Availability All models. 0.0.0.0 0.0.0.0 Encrypt policy, with outbound enabled. Fortinet Inc.
Page 187: Address List
Firewall Address list You can add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address which represents any IP address on the network. Figure 83: Sample address list The address list has the following icons and features. Create New Name Address...
Page 188: Configuring Addresses
The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0 A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10) 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 189: Address Group List
Firewall Address group list You can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses. Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
Page 190: Configuring Address Groups
This section describes: • • • • • • • Predefined service list Custom service list Custom service options Configuring custom services Service group list Service group options Configuring service groups 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 191: Predefined Service List
Firewall Predefined service list Figure 87: Predefined service list The predefined services list has the following icons and features. Name Detail Table 18 to any policy. Table 18: FortiGate predefined services Service name DHCP FortiGate-50A Administration Guide The name of the predefined services. The protocol for each predefined service.
Page 192 Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol. PC-Anywhere is a remote control and file transfer protocol. 01-28006-0001-20041105 Firewall Protocol Port 1720, 1503 6660-6669 1701 1720 111, 2049 5632 Fortinet Inc.
Page 193 Firewall Table 18: FortiGate predefined services (Continued) Service name ICMP_ANY PING TIMESTAMP INFO_REQUEST ICMP information request messages. INFO_ADDRESS ICMP address mask request messages. POP3 PPTP QUAKE RAUDIO RLOGIN SIP- MSNmessenger SMTP SNMP SYSLOG TALK TELNET TFTP UUCP VDOLIVE FortiGate-50A Administration Guide Description Internet Control Message Protocol is a message control and error-reporting protocol...
Page 194: Custom Service List
The Delete and Edit/View icons. The name of the TCP or UDP custom service. Select the protocol type of the service you are adding: TCP or UDP. TCP and UDP options are the same. 01-28006-0001-20041105 Firewall Protocol Port 1494 6000-6063 Fortinet Inc.
Page 195: Configuring Custom Services
Firewall Source Port Destination Port Specify the Destination Port number range for the service by entering the ICMP custom service options Figure 90: ICMP custom service options Name Protocol Type Type Code IP custom service options Figure 91: IP custom service options Name Protocol Type Protocol Number The IP protocol number for the service.
Page 196 Select the Edit icon beside the service you want to edit. Modify the custom service as required. Note: To change the custom service name you must delete the service and add it with a new name. Select OK. 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 197: Service Group List
Firewall Service group list To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
Page 198: Configuring Service Groups
This section describes: • • • • • • One-time schedule list One-time schedule options Configuring one-time schedules Recurring schedule list Recurring schedule options Configuring recurring schedules 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 199: One-Time Schedule List
Firewall One-time schedule list You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
Page 200: Recurring Schedule List
Start Select Create New to add a recurring schedule. The name of the recurring schedule. The initials of the days of the week on which the schedule is active. The start time of the recurring schedule. 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 201: Recurring Schedule Options
Firewall Stop Recurring schedule options Figure 97: Recurring schedule options Recurring schedule has the following options. Name Select Start Stop Configuring recurring schedules To add a recurring schedule Go to Firewall > Schedule > Recurring. Select Create New. Enter a name for the schedule. Select the days of the week that you want the schedule to be active.
Page 202: Virtual Ip
Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally a different port number on a destination network. Virtual IP list Virtual IP options Configuring virtual IPs 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 203: Virtual Ip List
Firewall Virtual IP list Figure 98: Sample virtual IP list The virtual IP list has the following icons and features. Create New Name Service Port Map to IP Map to Port Virtual IP options Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding.
Page 204: Configuring Virtual Ips
Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.) Table 19 on page 205 contains example virtual IP external interface settings 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 205 Firewall You can now add the virtual IP to firewall policies. Table 19: Virtual IP external interface examples External Interface Description internal external To add port forwarding virtual IPs Go to Firewall > Virtual IP. Select Create New. Enter a name for the port forwarding virtual IP. Select the virtual IP External Interface from the list.
Page 206: Ip Pool
You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. “PPTP passthrough” on page 250 01-28006-0001-20041105 for more information. Fortinet Inc. Firewall...
Page 207: Ip Pool List
Firewall For example, if you add an IP pool to the internal interface, you can select Dynamic IP pool for External->Internal policies. You can add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy. You can enter an IP address range using the following formats.
Page 208: Configuring Ip Pools
You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses but you might have only one Internet connection on the external interface of your FortiGate unit. Enter a name for the IP pool. 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 209: Protection Profile
Firewall You can assign one of your organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address. If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface.
Page 210: Default Protection Profiles
“Configuring web filtering options” on page “Configuring web category filtering options” on page “Configuring spam filtering options” on page “Configuring IPS options” on page “Configuring content archive options” on page 01-28006-0001-20041105 Firewall 211. 211. 212. 213. 214. 214. Fortinet Inc.
Page 211: Configuring Web Filtering Options
Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis. (IMAP, POP3, SMTP). Fragmented email cannot be scanned for viruses.
Page 212: Configuring Web Category Filtering Options
Allow web pages that return a rating error from the web filtering service. The FortiGuard web filtering service provides many categories by which to filter web traffic. You can set the action to take on web pages for each category. Choose from allow, block, or monitor. 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 213: Configuring Spam Filtering Options
Enable or disable checking traffic against configured Real-time Blackhole List and Open Relay Database List servers. Enable or disable the Fortinet spam filtering IP address blacklist: FortiShield. See on page 325 Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server.
Page 214: Configuring Protection Profiles
Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiLog is enabled under Log&Report > Log Config > Log Settings. 01-28006-0001-20041105 Firewall “IPS” on Fortinet Inc.
Page 215: Cli Configuration
Firewall Note: If both Virus Scan and File Block are enabled, the FortiGate unit blocks files that match enabled file patterns before they are scanned for viruses. To delete a protection profile Go to Firewall > Protection Profile. Select the Delete icon beside the protection profile you want to delete. Select OK.
Page 216 Command syntax pattern config firewall profile edit <profilename_str> set <keyword> <variable> config firewall profile edit <profilename_str> unset <keyword> config firewall profile delete <profilename_str> get firewall profile [<profilename_str>] show firewall profile [<profilename_str>] 01-28006-0001-20041105 Firewall Fortinet Inc.
Page 217 Firewall firewall profile command keywords and variables Keywords and variables {block content_log oversize quarantine scan splice} FortiGate-50A Administration Guide Description Select the actions that this profile will use for filtering FTP traffic for a policy. Entering splice enables the FortiGate unit to simultaneously buffer a file for scanning and upload the file to an FTP server.
Page 218 If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. 01-28006-0001-20041105 Firewall Default Availability No default. All models. fragmail All models. Fortinet Inc.
Page 219 Firewall This example shows how to display the settings for the firewall profile command. This example shows how to display the settings for the spammail profile. This example shows how to display the configuration for the firewall profile command. This example shows how to display the configuration for the spammail profile. FortiGate-50A Administration Guide get firewall profile get firewall profile spammail...
Page 220 Protection profile Firewall 01-28006-0001-20041105 Fortinet Inc.
Page 221: Users And Authentication
Users and authentication You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
Page 222: Setting Authentication Timeout
Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long. 01-28006-0001-20041105 Users and authentication Fortinet Inc.
Page 223: Radius
Users and authentication LDAP Radius To add a user name and configure authentication Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user.
Page 224: Radius Server Options
Select the Delete icon beside the RADIUS server name that you want to delete. Select OK. Add a new RADIUS server. The RADIUS server name. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret. 01-28006-0001-20041105 Users and authentication Fortinet Inc.
Page 225: Ldap
Users and authentication LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
Page 226 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com 01-28006-0001-20041105 Users and authentication Fortinet Inc.
Page 227: User Group
Users and authentication User group To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: •...
Page 228: User Group Options
The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group. 01-28006-0001-20041105 Users and authentication Fortinet Inc.
Page 229: Cli Configuration
Users and authentication Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK. CLI configuration This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.
Page 230: Peergrp
EU_branches set member Sophia_branch Valencia_branch Cardiff_branch get user peergrp 01-28006-0001-20041105 Users and authentication Default Availability No default. All models. Fortinet Inc.
Page 231 Users and authentication This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peers groups. This example shows how to display the configuration for the peergrp EU_branches. FortiGate-50A Administration Guide get user peergrp EU_branches show user peergrp...
Page 232 CLI configuration Users and authentication 01-28006-0001-20041105 Fortinet Inc.
Page 233: Vpn
FortiGate units support the following protocols to authenticate and encrypt traffic: • • • This chapter contains information about the following VPN topics: • • • • • • • • • • • • • • • • • •...
Page 234: Phase 1
1, Dialup if this is a dialup Phase 1 configuration, and the domain name if this is a dynamic DNS phase 1. Main mode or Aggressive mode. The names of the encryption and authentication algorithms used by each phase 1 configuration. Edit, view, or delete phase 1 configurations. 01-28006-0001-20041105 Fortinet Inc.
Page 235: Phase 1 Basic Settings
Phase 1 basic settings Figure 120:Phase 1 basic settings Gateway Name Type a name for the remote VPN peer. The remote peer can be either a Remote Gateway IP Address Dynamic DNS Mode Authentication Method FortiGate-50A Administration Guide gateway to another network or an individual client on the Internet. Select a Remote Gateway address type.
Page 236: Phase 1 Advanced Options
The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected here. For more information, see the “config user” chapter of the CLI Reference Guide. 01-28006-0001-20041105 “Enabling VPN access for 260. Fortinet Inc.
Page 237: Configuring Xauth
Encryption Authentication The FortiGate unit supports the following authentication methods: DH Group Keylife Local ID XAuth Nat-traversal Keepalive Frequency Dead Peer Detection Configuring XAuth XAuth authenticates users in a separate exchange held between Phases 1 and 2. XAuth: Enable as Client Username Password FortiGate-50A Administration Guide...
Page 238: Phase 2
Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.). Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
Page 239: Phase 2 Basic Settings
Status Timeout Phase 2 basic settings Figure 123:Phase 2 basic settings Tunnel Name Remote Gateway Concentrator FortiGate-50A Administration Guide The current status of the tunnel. Down, tunnel is not processing traffic. Up, the tunnel is currently processing traffic. Unknown, status of Dialup tunnels.
Page 240: Phase 2 Advanced Options
You can configure the FortiGate unit to send an alert email when it detects a replay packet. For more information, see Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires. 01-28006-0001-20041105 “Alert E-mail options” on page 342. Fortinet Inc.
Page 241: Manual Key
DH Group Keylife Autokey Keep Alive DHCP-IPSec Internet browsing Quick Mode Identities Manual key Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote VPN peer that uses a manual key. The FortiGate unit must be configured to use the same encryption and authentication algorithms used by the remote peer.
Page 242: Manual Key List
Enter the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel. 01-28006-0001-20041105 Fortinet Inc.
Page 243: Concentrator
Encryption Key Enter the Encryption Key. Authentication Algorithm Authentication Concentrator Concentrator Configure IPSec VPN concentrators to create hub and spoke configurations. IPSec VPN concentrators are only available in NAT/Route mode. To configure a concentrator Go to VPN > IPSEC > Concentrator and add a concentrator. Add the required Phase 2 configurations to the concentrator.
Page 244: Concentrator Options
A concentrator can have more than one tunnel in its list of members. Provides a list of tunnels that are members of the concentrator. To remove a tunnel from the list, select the tunnel in the Members list and select the left arrow. 01-28006-0001-20041105 Fortinet Inc.
Page 245: Ping Generator Options
Ping generator options Figure 129:Ping generator Enable Source IP 1 Destination IP 1 Source IP 2 Destination IP 2 To configure the ping generator Go to VPN > IPSEC > Ping Generator. Select Enable. In the Source IP 1 box, type the private IP address from which traffic may originate locally.
Page 246: Dialup Monitor
The IP address range from which the dialup user can connect. This is usually the current IP address of the dialup user’s computer. Stop the current dialup tunnel. The dialup user may have to reconnect to establish a new VPN session. 01-28006-0001-20041105 Fortinet Inc.
Page 247: Pptp
Name Remote gateway The IP address and UDP port of the remote gateway. For dynamic DNS Timeout Proxy ID Source The IP address range that VPN users of this tunnel can connect to. Proxy ID Destination Bring down tunnel icon Bring up tunnel icon PPTP...
Page 248: Enabling Pptp And Specifying A Pptp Range
The start of the IP range. For example, 192.168.1.10. The end of the IP range. For example, 192.168.1.20. Select the user group that contains the remote PPTP VPN clients. Select this option to disable the PPTP support. 01-28006-0001-20041105 188. 184. PPTP. PPTP. Fortinet Inc.
Page 249: Configuring A Windows 2000 Client For Pptp
Configuring a Windows 2000 client for PPTP To configure a PPTP dialup connection Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next. For Network Connection Type, select Connect to a private network through the Internet and select Next.
Page 250: Pptp Passthrough
Go to Firewall > Virtual IP. Select Create New. Enter a name for the virtual IP, for example PPTP_pass. Set the External Interface to external. TCP/IP QoS Packet Scheduler File and Printer Sharing for Microsoft Networks Client for Microsoft Networks 01-28006-0001-20041105 Fortinet Inc.
Page 251: L2Tp
Select Port Forwarding. Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. Alternatively, if PPTP users always connect to the same IP address, you can specify that IP address. Set the External Service Port to 1723. Set the Map to IP address to 192.168.23.1.
Page 252: Setting Up A L2Tp-Based Vpn
“To add an address” on page “To add a firewall policy” on page Configuring a Windows 2000 client for Configuring a Windows XP client for 01-28006-0001-20041105 “To add an address” on page 188. 184. L2TP. L2TP. “Users and 252. 188. Fortinet Inc.
Page 253: Configuring A Windows 2000 Client For L2Tp
Figure 133:L2TP range Enable L2TP Starting IP Ending IP User Group Disable L2TP To enable L2TP on the FortiGate unit Go to VPN > L2TP > L2TP Range. Select Enable L2TP. Complete the fields as required. Select Apply. Configuring a Windows 2000 client for L2TP To configure an L2TP dialup connection Go to Start >...
Page 254: Configuring A Windows Xp Client For L2Tp
Go to Start > Settings. Select Network and Internet Connections. Select Create a connection to the network of your workplace and select Next. Select Virtual Private Network Connection and select Next. Name the connection and select Next. 01-28006-0001-20041105 Fortinet Inc.
Page 255 If the Public Network dialog box appears, choose the appropriate initial connection and select Next. In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish. To configure the VPN connection Right-click the icon that you have created.
Page 256: Certificates
FortiGate unit for decrypting messages sent by the remote peer. Conversely, the remote peer provides its public key to the FortiGate unit, which uses the key to encrypt messages destined for the remote peer. 01-28006-0001-20041105 Fortinet Inc.
Page 257: Viewing The Certificate List
Details are provided in the following sections: • • • • Viewing the certificate list Initially, no certificates are installed. To view the certificate list Go to VPN > Certificates > Local Certificates. Figure 134:Certificate list Generate Import Name Subject Status Generating a certificate request To obtain a personal or site certificate, you must send the request to a CA that...
Page 258 Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload the certificate request. Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. 01-28006-0001-20041105 further identify the object being certified. Fortinet Inc.
Page 259: Installing A Signed Certificate
Figure 135:Generating a certificate signing request Certificate Name Type a certificate name. Subject Information Optional Information Key Type Key Size Installing a signed certificate Your CA provides you with a digital certificate to install on the FortiGate unit. You must also obtain and install the CA’s root certificate on the FortiGate unit.
Page 260: Enabling Vpn Access For Specific Certificate Holders
To enable access for a specific certificate holder or a group of certificate holders Use this procedure to enhance access security if you are using digital certificates to authenticate peers. “Backing up and Restoring” on page 01-28006-0001-20041105 104. Fortinet Inc.
Page 261: Cli Configuration
Go to VPN > IPSEC > Phase 1. Under Peer Options, select one of these options: • • If you want to define the DN of the FortiGate unit, select Advanced, and from the Local ID list, select the DN of the FortiGate unit. Select OK.
Page 262 01-28006-0001-20041105 Default Availability All models. seconds dpd must be set to enable. All models. seconds dpd must be set to enable. All models. dpd must be set to enable. All models. seconds dpd must be set to enable. Fortinet Inc.
Page 263: Ipsec Phase2
Example Use the following command to edit an IPSec VPN phase 1 configuration with the following characteristics: • • • • • • • • • • • ipsec phase2 In addition to the advanced IPSec Phase 2 settings, the config vpn ipsec phase2 CLI command provides a way to bind the VPN tunnel selected in a Phase 2 configuration to a specific network interface.
Page 264: Ipsec Vip
Type the name of the local FortiGate interface. config vpn ipsec phase2 edit Tunnel_1 set bindtoif internal “Configuring IPSec virtual IP addresses” on page config vpn ipsec vip edit <vip_integer> set <keyword> <variable> 01-28006-0001-20041105 Default Availability All models. default. 276. Fortinet Inc.
Page 265 ipsec vip command keywords and variables Keywords and variables ip <address_ipv4> out-interface <interface-name_str> Example The following commands add IPSec VIP entries for two remote hosts that can be accessed by a FortiGate unit through an IPSec VPN tunnel on the external interface of the FortiGate unit.
Page 266: Authenticating Peers With Preshared Keys
“Phase 1” on page 234. “Adding firewall policies for IPSec VPN tunnels” on page “Phase 1” on page 234. “Phase 2” on page 238. “Adding firewall policies for IPSec VPN tunnels” on page 01-28006-0001-20041105 “Phase 2” on page 238. 268. 268. Fortinet Inc.
Page 267: Dialup Vpn
Dialup VPN Dialup VPN allows remote users with dynamic IP addresses to use VPN to connect to a private network. Dialup VPNs use AutoIKE and can be preshared key or certificate VPNs. To configure dialup VPN Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
Page 268: Manual Key Ipsec Vpn
To add a source address, see page “Manual key” on page 241. “Manual key” on page 241. “Adding firewall policies for IPSec VPN tunnels” on page “Policy” on page 178 188. 01-28006-0001-20041105 268. for information about firewall policies. “To add an address” on Fortinet Inc.
Page 269: Setting The Destination Address For Encrypted Traffic
Setting the destination address for encrypted traffic The destination address determines which remote peers and clients will be allowed to access the specified source address. In general: • • • To add a destination address, see Adding an IPSec firewall encryption policy Use the following procedure to add an IPSec firewall encryption policy.
Page 270: Configuring Internet Browsing Through A Vpn Tunnel
If required, add additional firewall policies to support internet browsing. Configure the remote VPN clients to deny split tunneling. “Phase 1” on page 234. “Phase 2” on page 268. 01-28006-0001-20041105 238. “System DHCP” on page “Adding firewall policies for IPSec Fortinet Inc.
Page 271: Ipsec Vpn In Transparent Mode
The unit must have sufficient routing information to reach the management station. For any traffic to reach external destinations, a static (default) route to the router must be present in the FortiGate routing table. The router forwards packets to the Internet.
Page 272: Hub And Spoke Vpns
The source address must be Internal_All. Use the following configuration for the encrypt policies: add the VPN tunnels. add a VPN concentrator. add a firewall policy. “To add an address” on page “To add an address” on page 01-28006-0001-20041105 188. 188. Fortinet Inc.
Page 273: Adding A Vpn Concentrator
Source Destination Action VPN Tunnel Allow inbound Allow outbound Select allow outbound. Inbound NAT Outbound NAT Select outbound NAT if required. Arrange the policies in the following order: • • Adding a VPN concentrator The VPN concentrator collects the hub-and-spoke tunnels into a group. This allows VPN traffic to pass from one tunnel to the other through the FortiGate unit.
Page 274: Configuring Spokes
The remote VPN spoke address. ENCRYPT The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.) Do not enable. Select inbound NAT if required. “To add a firewall policy” on page 01-28006-0001-20041105 188. 188. 184. Fortinet Inc.
Page 275: Redundant Ipsec Vpns
Source Destination Action VPN Tunnel Allow inbound Allow outbound Do not enable. Inbound NAT Outbound NAT Select outbound NAT if required. Arrange the policies in the following order: • • • Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
Page 276: Configuring Ipsec Virtual Ip Addresses
The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. “To add a firewall policy” on page 01-28006-0001-20041105 234. “To add an address” on page 184. 188. Fortinet Inc.
Page 277 Consider the following example, which shows two physically separate networks. The IP addresses of the computers on both networks are in the 192.168.12.0/24 range, but no two IP addresses are the same. An IPSec VPN has been configured between FortiGate_1 and FortiGate_2. The FortiGate configuration permits Host_1 on the Finance network to transmit data to Host_2 on the HR network through the IPSec VPN tunnel.
Page 278: Troubleshooting
Make sure you select the correct DH group on both ends. Enable PFS. Change the policy to internal-to-external. Re-enter the source and destination address. The encryption policy must be placed above other non-encryption policies. “ipsec Fortinet Inc.
Page 279: Ips
IPS (attack) engines and definitions through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see FortiGate-50A Administration Guide FortiGate-50A Administration Guide Version 2.80 MR6...
Page 280: Signature
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
Page 281: Predefined Signature List
If logging is disabled and action is set to Pass, the signature is effectively disabled. The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Page 282: Configuring Predefined Signatures
The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall. 01-28006-0001-20041105 Fortinet Inc.
Page 283: Configuring Parameters For Dissector Signatures
Select the Enable box to enable the signature or clear the Enable box to disable the signature. Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. Select the Action for the FortiGate unit to take when traffic matches this signature. (See Select OK.
Page 284: Custom
(the default) no change is made to the codepoint in the IP header. Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group. Select Create New to create a new custom signature. 01-28006-0001-20041105 Fortinet Inc.
Page 285: Adding Custom Signatures
Clear all custom signatures Reset to recommended settings? Name Revision Enable Logging Action Modify Adding custom signatures To add a custom signature Go to IPS > Signature > Custom. Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.
Page 286: Anomaly
The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly. 01-28006-0001-20041105 “Anomaly CLI configuration” on Fortinet Inc.
Page 287: Configuring An Anomaly
If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Page 288 FortiGate session table, and does not send a reset. Session Pass The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Session Traffic over the specified threshold triggers the anomaly. 01-28006-0001-20041105 Fortinet Inc.
Page 289: Anomaly Cli Configuration
Anomaly CLI configuration Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. (config ips anomaly) config limit Note: This command has more keywords than are listed in this Guide.
Page 290: Configuring Ips Logging And Alert Email
You can change the default fail open setting using the CLI: Enable ips_open to cause the IPS to fail open and disable ips_open to cause the IPS to fail closed. “Log & Report” on page config sys global set ips-open [enable | disable] 01-28006-0001-20041105 337. Fortinet Inc.
Page 291: Antivirus
Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
Page 292: File Block
IPS (attack) engines and definitions, as well as the local spam RBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see This chapter describes: •...
Page 293: File Block List
Antivirus This section describes: • • File block list The file block list is preconfigured with a default list of file patterns: • • • • • • • • • Figure 150:Default file block list File block list has the following icons and features: Create New Apply Pattern...
Page 294: Configuring The File Block List
You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to FortiNet for analysis. This section describes: •...
Page 295: Quarantined Files List Options
EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
Page 296: Autosubmit List
(* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
Page 297: Config
Antivirus Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 154:Quarantine configuration Quarantine configuration has the following options: Options Age limit...
Page 298: Config
1 to 25 MB. The range for each FortiGate unit is displayed in the web-based manager as shown in Virus list Config Grayware Grayware options 29. To find out how to use the Fortinet Update Center, see 106. Figure 01-28006-0001-20041105 “Changing unit 156.
Page 299: Grayware
Antivirus You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Grayware Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge.
Page 300: Cli Configuration
Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software. 01-28006-0001-20041105 Antivirus Fortinet Inc.
Page 301: Quarantine
Antivirus Use the heuristic command to change the heuristic scanning mode. Command syntax pattern Table 23: antivirus heuristic command keywords and variables Keywords and variables mode {pass | block | disable} Example This example shows how to disable heuristic scanning. This example shows how to display the settings for the antivirus heuristic command.
Page 302: Service Http
You can use ports from the range 1-65535. You can add up to 20 ports. 01-28006-0001-20041105 Antivirus Default Availability FortiGate imap models smtp numbered pop3 200 and http higher. FortiGate default. models numbered 200 and higher. Default Availability All models. Fortinet Inc.
Page 303: Service Ftp
Antivirus Example This example shows how to add antivirus scanning for HTTP traffic on ports 70, 90, and 443. Adding more ports for scanning does not erase the default, port 80. Use the unset command to remove all ports from the list. This example shows how to display the antivirus HTTP traffic settings.
Page 304: Service Pop3
[pop3] Description Configure antivirus scanning on a nonstandard port number or multiple port numbers for POP3. You can use ports from the range 1-65535. You can add up to 20 ports. 01-28006-0001-20041105 Antivirus Default Availability All models. Fortinet Inc.
Page 305: Service Imap
Antivirus Example This example shows how to add antivirus scanning for POP3 traffic on ports 992 and 993. Adding more ports for scanning does not erase the default, port 110. Use the unset command to remove all ports from the list. This example shows how to display the antivirus POP3 traffic settings.
Page 306: Service Smtp
[smtp] Description Configure antivirus scanning on a nonstandard port number or multiple port numbers for SMTP. You can use ports from the range 1-65535. You can add up to 20 ports. 01-28006-0001-20041105 Antivirus Default Availability All models. Fortinet Inc.
Page 307 Antivirus Example This example shows how to add antivirus scanning on port and 465 and enable file splice for SMTP traffic. Adding more ports for scanning does not erase the default, port 25. Use the unset command to remove all ports from the list. This example shows how to display the antivirus SMTP traffic settings.
Page 308 CLI configuration Antivirus 01-28006-0001-20041105 Fortinet Inc.
Page 309: Web Filter
Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering. See “Protection profile options”...
Page 310: Content Block
“Using Perl regular expressions” on page 01-28006-0001-20041105 Web Filter setting Web Filter > Category Block > Configuration Enable or disable FortiGuard and enable and set the size limit for the cache. “Protection profile” on 215. 334. Web filter “To Fortinet Inc.
Page 311: Web Content Block List
Web filter Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
Page 312: Configuring The Web Content Block List
“Using Perl regular expressions” on page Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list. 01-28006-0001-20041105 Web filter 334. Fortinet Inc.
Page 313: Web Url Block List
Web filter Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. This section describes: •...
Page 314: Web Pattern Block List
FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings. 01-28006-0001-20041105 Web filter Fortinet Inc.
Page 315: Web Pattern Block Options
Web filter Figure 162:Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Create New Pattern Configuring web pattern block To add a pattern to the web pattern block list Go to Web Filter > URL Block. Select Web Pattern Block.
Page 316: Url Exempt List
Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons. 01-28006-0001-20041105 Web filter Fortinet Inc.
Page 317: Category Block
• FortiGuard managed web filtering service FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
Page 318: Category Block Configuration Options
FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking.
Page 319: Configuring Web Category Block
Web filter To have a URL’s... Apply Configuring web category block To enable FortiGuard web filtering Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available.
Page 320: Category Block Reports Options
The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame. 01-28006-0001-20041105 Web filter Fortinet Inc.
Page 321: Script Filter
Use this command only if you need to change the host name. config webfilter catblock set ftgd_hostname guard.example.net get webfilter catblock show webfilter catblock 01-28006-0001-20041105 Script filter Default Availability guard.fortinet.com All models. service fortiguar d only.
Page 322: Web Script Filter Options
You can configure the following options for script filtering: Javascript Cookies ActiveX Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications. 01-28006-0001-20041105 Web filter Fortinet Inc.
Page 323: Spam Filter
Real-time Blackhole List and Open Relay Database List servers. IP address FortiShield check Enable or disable Fortinet’s antispam IP address black list: FortiShield. This service works like an RBL server and is continuously updated to block spam sources. See “FortiShield IP address black list and spam...
Page 324 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. “Protection profile” on 215. Spam filter “To Fortinet Inc.
Page 325: Order Of Spam Filter Operations
Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile. See spam filtering options” on page This chapter describes: •...
Page 326: Ip Address
Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons. 01-28006-0001-20041105 Spam filter Fortinet Inc.
Page 327: Configuring The Ip Address List
Spam filter Configuring the IP address list To add an IP address to the IP address list Go to Spam Filter > IP Address. Select Create New. Figure 170:Adding an IP address Enter the IP address/mask you want to add. If required, select before or after another IP address in the list to place the new IP address in the correct position.
Page 328: Rbl & Ordbl List
The action to take on email matched by the RBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to drop the session. The Delete and Edit/View icons. 01-28006-0001-20041105 Spam filter Fortinet Inc.
Page 329: Email Address
Spam filter Select Enable. Select OK. Email address The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
Page 330: Configuring The Email Address List
If no match is found, the email is passed on to the next spam filter. You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See X-mailer: outgluck X-Distribution: bulk Content_Type: text/html Content_Type: image/jpg “Using Perl regular expressions” on page 01-28006-0001-20041105 Spam filter 334. Fortinet Inc.
Page 331: Mime Headers List
Spam filter Note: MIME header entries are case sensitive. This section describes: • • • MIME headers list You can configure the FortiGate unit to filter email with specific MIME header key-value pairs. You can mark each MIME header as clear or spam. Figure 175:Sample MIME headers list MIME headers options MIME headers list has the following icons and features:...
Page 332: Banned Word
Perl regular expressions. See expressions” on page “Using Perl regular expressions” on page Banned word list Banned word options Configuring the banned word list 334. 01-28006-0001-20041105 Spam filter 334. “Using Perl regular Fortinet Inc.
Page 333: Banned Word Options
Spam filter Figure 177:Sample banned word List Banned word options Banned word has the following icons and features: Create new Total Pattern Pattern Type Language Where Action When you select Create New or Edit you can configure the following settings for the banned word.
Page 334: Configuring The Banned Word List
Mark as Clear to allow the email (since Banned Word is the last filter). Select to enable scanning for the banned word. fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To mach fortinet.com, the regular expression should be: fortinet\.com forti*\.com matches fortiiii.com but does not match fortinet.com...
Page 335 Spam filter Word boundary In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also matches any word that contains the “test” such as “atest”, “mytest”, “testimony”, “atestb”.
Page 336 ‘/’ will be parsed as a list of regexp options ('i', 'x', etc). An error occurs If the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression. 01-28006-0001-20041105 Spam filter Fortinet Inc.
Page 337: Log & Report
FortiGate-50A Administration Guide Version 2.80 MR6 Log & Report FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages except traffic and content can be saved in internal memory.
Page 338: Log Config
A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units and other firewall units. To enable content archiving with a firewall to select the FortiLog option and define its IP address. 01-28006-0001-20041105 Log & Report Protection profile, you need Fortinet Inc.
Page 339 Log & Report Memory Syslog WebTrends Figure 180:Log setting options for all log locations To configure Log Setting Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
Page 340 Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Antivirus Log file, Web Filter Log file, Attack Log file, Spam Filter Log file, and Content Archive file. 01-28006-0001-20041105 Log & Report Table 33, “Logging Fortinet Inc.
Page 341: Syslog Settings
Log & Report To configure log file uploading Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server.
Page 342: Alert E-Mail Options
The interval to wait before sending an alert e-mail for notification level log messages. The interval to wait before sending an alert e-mail for information level log messages. Select Apply to activate any additions or changes to configuration. 01-28006-0001-20041105 Log & Report Fortinet Inc.
Page 343: Log Filter Options
Log & Report Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in filter options”...
Page 344: Traffic Log
The FortiGate unit logs all system-related events, such as ping server failure and gateway status. The FortiGate unit logs all IPSec negotiation events, such as progress and error reports. The FortiGate unit logs all DHCP-events, such as the request and response log. 01-28006-0001-20041105 Log & Report “Enabling Fortinet Inc.
Page 345 Log & Report L2TP/PPTP/PPPoE service event Admin event HA activity event Firewall authentication event Pattern update event Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
Page 346: Configuring Log Filters
The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic. 01-28006-0001-20041105 Log & Report Fortinet Inc.
Page 347: Log Access
Log & Report Log access Log Access provides access to log messages saved to the memory buffer. You can view and search logs. This section describes: • • Figure 183:Sample list of logs stored on the FortiGate disk Viewing log messages You can view log messages saved to the memory buffer.
Page 348 Move selected field up one position in the Show these fields list. Move selected field down one position in the Show these fields list. 01-28006-0001-20041105 Log & Report Fortinet Inc.
Page 349: Searching Log Messages
Log & Report To change the columns in the log message display While viewing log messages, select the Column Settings icon. The Column Settings window opens. To add fields, select them in the Available fields list and select the right arrow button. To remove fields, select them in the Show these fields list and select the left arrow button.
Page 350: Cli Configuration
FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiGate are encrypted and secure. 01-28006-0001-20041105 Log & Report Default Availability disable All models. All models. default. Fortinet Inc.
Page 351: Syslogd Setting
Log & Report log fortilog setting command keywords and variables (Continued) Keywords and variables psksecret <str_psk> server <address_ipv4> status {disable | enable} Note: The IPSec VPN settings for the FortiGate unit must match the VPN settings on the FortiLog unit. Example This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.
Page 352 Enter the IP address of the syslog server that stores the logs. Enter enable to enable logging to a remote syslog server. 01-28006-0001-20041105 Log & Report Default Availability All models. disable All models. local7 Table All models. No default. All models. All models. disable Fortinet Inc.
Page 353 Log & Report Table 34: Facility types Facility type alert audit auth authpriv clock cron daemon kernel local0 – local7 mail news syslog Example This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. This example shows how to display the log setting for logging to a remote syslog server.
Page 354 CLI configuration Log & Report 01-28006-0001-20041105 Fortinet Inc.
Page 355: Fortiguard Categories
FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
Page 356 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior. 01-28006-0001-20041105 FortiGuard categories Fortinet Inc.
Page 357 FortiGuard categories Table 35: FortiGuard categories Category name 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25.
Page 358 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation. 01-28006-0001-20041105 FortiGuard categories Fortinet Inc.
Page 359 FortiGuard categories Table 35: FortiGuard categories Category name 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles FortiGate-50A Administration Guide Description Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
Page 360 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities. 01-28006-0001-20041105 FortiGuard categories Fortinet Inc.
Page 361: Fortigate Maximum Values
FortiGate maximum values The following table contains the maximum number of table, field, and list entries for FortiGate features. Feature system vdom (NAT/Route) system vdom (Transparent) system zone** system interface system interface secondaryip system interface ip6 prefix list system ipv6_tunnel system accprofile system admin system snmp...
Page 362 1000 1000 6000 6000 10000 10000 10000 10000 10000 1024 1024 2000 2000 5000 5000 5000 8000 20000 30000 50000 50000 50000 50000 3000 3000 5000 5000 5000 4000 5000 1000 1000 1024 1024 5000 5000 5000 5000 Fortinet Inc.
Page 363 key**...
Page 364 2, 25, 50, 100, or 250 VDOMs, determined by firmware. FortiGate model 100A 200A 300A 400A 10, 25, 50, 100, or 250 VDOMs, determined by firmware. 01-28006-0001-20041105 FortiGate maximum values 1000 3000 3600 500A 1000 1000 1000 4000 5000 1000 1000 Fortinet Inc.
Page 365: Glossary
Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
Page 366 ISP system. Router: A device that connects LANs into an internal network and routes traffic between them. Routing: The process of determining a path to use to send data to its destination.
Page 367 SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address component.
Page 368 Glossary 01-28006-0001-20041105 Fortinet Inc.
Page 369: Index
Index abr-type 153 access-list 164 address 186 virtual IP 202 administrator account netmask 98, 99 trusted host 99 advertise 160, 174 alert email enabling 343 options 342 anomaly 286 list 286 antivirus 291 antivirus updates 109 through a proxy server 110 area 167 attack updates scheduling 109...
Page 370 32 upgrading using the CLI 33, 35 upgrading using the web-base manager 32, 34 Fortilog logging settings 339 fortilog setting 350 Fortinet customer service 23 FortiProtect Distribution Network 106 FortiProtect Distribution Server 106 from IP system status 31...
Page 371 ICMP 193, 365 idle timeout web-based manager 83 IKE 365 IMAP 192, 365 interface 170 administrative status 44, 70 bringing down 50 bringing up 50 RIP 152 starting 50 Internet browsing through a VPN tunnel 241, 269 Internet key exchange 365 ip 166, 170, 265 IP Address 235 IP address 326...
Page 372 Remote Gateway 235, 238, 239, 242 Remote gateway 246, 247 Remote SPI 242 reporting 18 restarting 106 restore configuration 104 retransmit-interval 163, 171 reverting firmware to an older version 37 rfc1583-compatible 154 routemap 173 router next hop 52 router-id 154 01-28006-0001-20041105 Fortinet Inc.
Page 373 routing 366 configuring 57 policy 133 routing table 366 schedule 198 automatic antivirus and attack definition updates 109 creating one-time 199, 201 creating recurring 200 scheduled antivirus and attack updates 110 scheduled updates through a proxy server 110 scheduling 109 Script filter 321 server 351, 352 Server type 238...
Page 374 L2TP VPN connection 255 configuring PPTP dialup connection 249 configuring PPTP VPN connection 249 connecting to L2TP VPN 256 connecting to PPTP VPN 250 disabling IPSec for L2TP 255 XAuth 237 Enable as Client 237 Enable as Server 238 01-28006-0001-20041105 Fortinet Inc.

Fortinet FortiGate FortiGate-50A Administration Manual

Introduction

System Status

System Network

System DHCP

System Config

System Administration

System Maintenance

System Virtual Domain

Router

Firewall

Users and Authentication

Vpn

Ips

Quick Links

Related Manuals for Fortinet FortiGate FortiGate-50A

Summary of Contents for Fortinet FortiGate FortiGate-50A