FortiGate-60M Administration Guide
Version 2.80 MR7
17 December 2004
01-28007-0144-20041217

Summary of Contents

  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    Secure installation, configuration, and management ... 19 Document conventions ... 20 FortiGate documentation ... 22 Fortinet Knowledge Center ... 22 Comments on Fortinet technical documentation... 22 Related documentation ... 23 FortiManager documentation ... 23 FortiClient documentation ... 23 FortiMail documentation... 23 FortiLog documentation ...
  • Page 4 DHCP IP/MAC binding settings ... 81 Dynamic IP... 81 System config ... 83 System time ... 83 Options... 84 HA ... 86 HA configuration ... 87 Configuring an HA cluster ... 92 Managing an HA cluster... 96
  • Page 5 SNMP... 99 Configuring SNMP ... 100 SNMP community ... 101 FortiGate MIBs... 103 FortiGate traps ... 104 Fortinet MIB fields ... 105 Replacement messages ... 108 Replacement messages list ... 108 Changing replacement messages ... 109 FortiManager... 110 System administration ... 111 Administrators ...
  • Page 6 Monitor ... 164 Routing monitor list ... 164 CLI configuration... 165 get router info ospf ... 165 get router info protocols ... 165 get router info rip... 166 config router ospf ... 166 config router static6... 189
  • Page 7 Firewall... 191 Policy ... 192 How policy matching works... 192 Policy list ... 193 Policy options... 193 Advanced policy options ... 196 Configuring firewall policies ... 198 Policy CLI configuration ... 199 Address... 200 Address list ... 201 Address options ... 201 Configuring addresses ...
  • Page 8 Phase 2 basic settings ... 253 Phase 2 advanced options... 254 Manual key... 255 Manual key list ... 256 Manual key options ... 257 Concentrator ... 258 Concentrator list... 258 Concentrator options... 259 Ping Generator... 259 Ping generator options... 260
  • Page 9 Monitor ... 260 Dialup monitor... 261 Static IP and dynamic DNS monitor... 261 PPTP... 262 PPTP range ... 262 L2TP ... 263 L2TP range ... 263 Certificates ... 264 Local certificate list... 264 Certificate request... 265 Importing signed certificates ... 266 CA certificate list ...
  • Page 10 Category block configuration options... 320 Configuring web category block... 321 Category block reports... 321 Category block reports options ... 322 Generating a category block report... 322 Category block CLI configuration... 322 Script filter ... 323 Web script filter options... 324
  • Page 11 Spam filter ... 325 FortiShield... 327 FortiShield options ... 328 Configuring the FortiShield cache... 328 IP address... 329 IP address list ... 329 IP address options ... 329 Configuring the IP address list ... 330 RBL & ORDBL ... 330 RBL &...
  • Page 12 Index ... 369
  • Page 13: Introduction

    The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
  • Page 14: Antivirus Protection

    MIME encoding, log all actions taken while scanning.
  • Page 15: Spam Filtering

    FortiGate web content filtering also supports FortiGuard web category blocking. Using web category blocking you can restrict or allow access to web pages based on content ratings of web pages. You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
  • Page 16: Transparent Mode

    In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
  • Page 17: Vlans And Virtual Domains

    FortiGate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiGate unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain.
  • Page 18: High Availability

    Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 19: Secure Installation, Configuration, And Management

    Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.
  • Page 20: Document Conventions

    <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask. <xxx_ipv6> indicates an IPv6 address in colon-separated hexadecimal notation. <xxx_v6mask> indicates an IPv6 netmask. <xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
  • Page 21 Vertical bar and curly brackets {|} separate alternative, mutually exclusive required keywords. For example: set opmode {nat | transparent}. You can enter set opmode nat or set opmode transparent. Square brackets [ ] indicate that a keyword or variable is optional. For example: show system interface [<name_str>]. To show the settings for all interfaces, you can enter show system interface.
  • Page 22: Fortigate Documentation

    The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com. Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
  • Page 23: Related Documentation

    Additional information about Fortinet products is available from the following related documentation: FortiManager documentation, FortiClient documentation, and FortiMail documentation. FortiManager QuickStart Guide: explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
  • Page 24: Fortilog Documentation

    Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
  • Page 25: System Status

    You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes:...
  • Page 26: Status

    Select Connect to connect to the CLI. Select Disconnect to disconnect from the CLI. Select Clear screen to start a new page. See also “Access profiles” and “HA configuration” on page 113.
  • Page 27: Unit Information

    Status page fields: Automatic Refresh Interval, Refresh, System status, UP Time, System Time, Log Disk, Notification, Unit Information (Host Name, Firmware Version...). Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see “Access profiles”.
  • Page 28: Interface Status

    FortiGate unit. Select History to view a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours.
  • Page 29: Changing Unit Information

    Figure 3: Sample system resources history. The history page displays 6 graphs representing the following system resources and protection: CPU Usage History, Memory Usage History (memory usage for the previous minute), Session History, Network Utilization History, Virus History, and Intrusion History, followed by a Recent Intrusion Detections table (Time...).
  • Page 30 Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 31 System status In the Attack Definitions field of the Unit Information section, select Update. The Intrusion Detection System Definitions Update dialog box appears. In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file. Select OK to copy the attack definitions update file to the FortiGate unit.
  • Page 32: Session List

    Session list columns: the source port of the connection; the destination IP address of the connection; the destination port of the connection; the time, in seconds, before the connection expires; Delete icon (select to stop an active communication session).
  • Page 33: Changing The Fortigate Firmware

    FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1: Firmware upgrade procedures...
  • Page 34: Upgrading The Firmware Using The Cli

    For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168. See “Update center” on page 120 and “To update antivirus and attack definitions” on page 123 to update the antivirus and attack definitions after the upgrade.
  • Page 35: Reverting To A Previous Firmware Version

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
  • Page 36: Reverting To A Previous Firmware Version Using The Cli

    Back up the IPS custom signatures using the command execute backup ipsuserdefsig. Back up web content and email filtering lists. See “Backup and restore” and “To update antivirus and attack definitions”.
  • Page 37 Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
  • Page 38: Installing Firmware Images From A System Reboot Using The Cli

    Back up web content and email filtering lists. For information, see “Web filter” on page 311 and “Spam filter” on page 325. See “To update antivirus and attack definitions” on page 123 to make sure that antivirus...
  • Page 39 System status Make sure that the internal interface is connected to the same network as the TFTP server. To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter: execute ping 192.168.1.168 Enter the following command to restart the FortiGate unit:...
  • Page 40: Restoring The Previous Configuration

    To update the virus and attack definitions to the most recent version, see “Updating antivirus and attack definitions” on page 122. See also “Backup and restore” on page 117 and “Backing up and restoring custom signatures”.
  • Page 41: Testing A New Firmware Image Before Installing It

    System status Testing a new firmware image before installing it You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed.
  • Page 42 FortiGate unit running v2.x BIOS: Do You Want To Save The Image? [Y/n] Type N. FortiGate unit running v3.x BIOS: Save as Default firmware/Run image without saving:[D/R] or Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
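The firmware procedures above copy an image from a TFTP server and install it with execute restore image, and the guide's only stated check is that the unit can ping the TFTP server. The script below is an added example (not Fortinet code) of the pre-flight checks a practitioner would run on the workstation before staging the image: the filename layout FGT_<model>-v<ver>-build<nnn>-FORTINET.out is inferred from the guide's sample FGT_300-v280-build183-FORTINET.out, the image bytes and their SHA-256 are constructed stand-ins for a real download and its published digest, and the notion that a build lower than the running one is a revert needing a configuration backup follows the revert procedures on the preceding pages. Note that the sample name in the guide carries the 300 model prefix; the check refuses an image whose prefix does not match the target unit.

```python
"""Pre-flight checks on a FortiGate firmware image before it is staged on the
TFTP server and installed with `execute restore image <name_str> <tftp_ip>`.
Added example; not Fortinet code.  Filename layout and the availability of a
published SHA-256 for the image are assumptions."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

IMAGE_RE = re.compile(
    r"^FGT_(?P<model>[A-Za-z0-9]+)-v(?P<version>\d{3})-build(?P<build>\d+)-FORTINET\.out$"
)

# Constructed sample "image" and its genuine SHA-256 digest (stand-in for a download).
SAMPLE_IMAGE = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


@dataclass(frozen=True)
class ImageInfo:
    model: str     # "300" in the guide's sample name
    version: str   # "280" == FortiOS 2.80
    build: int


def parse_image_name(name: str) -> ImageInfo:
    """Split the image filename into model prefix, version and build number."""
    m = IMAGE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised firmware image name: {name!r}")
    return ImageInfo(m["model"], m["version"], int(m["build"]))


def check_image(name: str, data: bytes, expected_sha256: str,
                target_model: str, running_build: Optional[int] = None) -> List[str]:
    """Return the reasons not to stage this image; an empty list means go ahead.

    - the name must parse and its model prefix must match the target unit
    - the SHA-256 of the bytes must equal the published digest
    - a build lower than the running one is a revert; flag it so the operator
      takes the backups the revert procedure calls for
    """
    problems: List[str] = []
    try:
        info = parse_image_name(name)
    except ValueError as exc:
        return [str(exc)]
    if info.model != target_model:
        problems.append(f"image is for model {info.model}, not {target_model}")
    digest = hashlib.sha256(data).hexdigest()
    # constant-time comparison; the digest is untrusted input from the download page
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        problems.append(f"SHA-256 mismatch: image {digest[:16]}..., "
                        f"expected {expected_sha256[:16]}...")
    if running_build is not None and info.build < running_build:
        problems.append(f"build {info.build} is older than running build "
                        f"{running_build}: this is a revert, back up the "
                        "configuration and custom signatures first")
    return problems


if __name__ == "__main__":
    print(check_image("FGT_300-v280-build183-FORTINET.out",
                      SAMPLE_IMAGE, SAMPLE_SHA256, "300"))
```

Run the checks against the file in the TFTP root; only an empty result should be followed by execute restore image on the unit.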
  • Page 45: System Network

    System network System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
  • Page 46: Interface Settings

    Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 52 and “To start up an interface that is administratively down”. Delete, edit, and view icons.
  • Page 47 Figure 6: Interface settings. See the following procedures for configuring interfaces. Name: the name of the interface. Interface: select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
  • Page 48 The VLAN ID can be any number between 1 and 4094 (the usable IEEE 802.1Q range; IDs 0 and 4095 are reserved by the standard) and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see “VLAN overview”. Virtual Domain: select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
  • Page 49 PPPoE: If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
  • Page 50 Ping server: Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address.
  • Page 51: Configuring Interfaces

    To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
  • Page 52 You cannot add an interface to a zone if you have added firewall policies for the interface; see “To add a zone”. You cannot add an interface to a virtual... (see “To add a virtual domain”).
  • Page 53 System network To change the static IP address of an interface You can change the static IP address of any FortiGate interface. Go to System > Network > Interface. Choose an interface and select Edit. Set Addressing Mode to Manual. Change the IP address and Netmask as required.
  • Page 54 DNS server. In the Password field, type the associated password. Select OK. To add a ping server to an interface: Go to System > Network > Interface. Choose an interface and select Edit.
  • Page 55 Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box. Select OK to save the changes. To control administrative access to an interface: For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
  • Page 56: Zone

    Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. Enter the name to identify the zone. Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
  • Page 57: Management

    System network To add a zone If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone. Go to System > Network > Zone. Select Create New.
  • Page 58 FortiGate unit from. Enter the default gateway address. This must be a valid IP address. Select the virtual domain from which you want to perform system management.
  • Page 59: Dns

    System network Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your FortiGate unit can connect. DNS server IP addresses are usually supplied by your ISP. You can configure primary and secondary DNS server addresses, or you can configure the FortiGate unit to obtain DNS server addresses automatically.
  • Page 60: Routing Table (Transparent Mode)

    Move To icon. Select to change the order of a route in the list. Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic. Distance: the relative preferability of this route; 1 is most preferred.
  • Page 61: Configuring The Modem Interface

    System network Set Gateway to the IP address of the next hop routing gateway. For an Internet connection, the next hop routing gateway routes traffic to the Internet. Select OK to save the route. Configuring the modem interface If the FortiGate unit is operating in NAT/Route mode, you can use the FortiGate modem interface as either a backup interface or standalone interface.
  • Page 62: Connecting And Disconnecting The Modem

    The user name (maximum 63 characters) sent to the ISP. The password sent to the ISP.
  • Page 63: Backup Mode Configuration

    System network To disconnect the modem Use the following procedure to disconnect the modem from a dialup account. Go to System > Network > Modem. Select Hang Up if you want to disconnect from the dialup account. To disconnect the modem Go to System >...
  • Page 64: Standalone Mode Configuration

    FortiGate unit. For information about adding firewall policies, see “Adding firewall policies for modem connections” on page 202 and “To add a firewall policy” on page 198; see also “Configuring modem settings”. When you add addresses, the modem interface...
  • Page 65: Vlan Overview

    Figure 15: Basic VLAN topology (Internet; firewall or router; VLAN trunk to a VLAN switch or router; VLAN 1 network and VLAN 2 network; untagged packets enter the firewall).
  • Page 66: Fortigate Units And Vlans

    VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as router, firewall, or layer 3 switch.
  • Page 67: Adding Vlan Subinterfaces

    The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4094. Each VLAN subinterface must also be configured with its own IP address and netmask.
  • Page 68: Vlans In Transparent Mode

    FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
  • Page 69 Figure 18 shows three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN. (Figure: VLAN switch or router; VLAN1, VLAN2 on the internal interface...)
  • Page 70: Rules For Vlan Ids

    Figure: VLAN trunk topology (VLAN 1, VLAN 2, VLAN 3 with VLAN ID = 300; untagged packets to the router through the external interface). See “System virtual domain” on page 133.
  • Page 71: Transparent Mode Vlan List

    In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces. Figure 19: Sample Transparent mode VLAN list (Create New; Virtual Domain; Name; Access; Status...). Virtual Domain: select a virtual domain to display the VLAN interfaces added to this virtual domain.
  • Page 72 The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4094. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
  • Page 73: Fortigate Ipv6 Support

    The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
  • Page 75: System Dhcp

    System DHCP You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time. Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.
  • Page 76: Dhcp Service Settings

    Select DHCP Server if you want the FortiGate unit to be the DHCP server. See “To configure an interface to be a DHCP server” and “To configure an interface as a...
  • Page 77: Server

    System DHCP To configure an interface to be a DHCP server You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also configure a DHCP server for more than one FortiGate interface.
  • Page 78: Dhcp Server Settings

    For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. (See also page 77.) ...you must configure a DHCP server for...
  • Page 79: Exclude Range

    DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
  • Page 80: Dhcp Exclude Range Settings

    The IP address for the IP and MAC address pair. The IP address must be within the configured IP range. Delete icon. Delete an IP/MAC binding pair. Edit/View icon. View or modify an IP/MAC binding pair.
  • Page 81: Dhcp Ip/Mac Binding Settings

    Figure 28: IP/MAC binding options (Name, IP Address, MAC Address). To add a DHCP IP/MAC binding pair: Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
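The DHCP pages above spread the rules for a server definition over several screens: the interface needs a static address, the pool is an IP range, an exclude range carves addresses out of that pool, and a bound IP must sit inside the configured range. The script below is an added example, not Fortinet code, that checks one interface's definition for consistency before it is typed into the web-based manager. The sample definitions are constructed; treating an excluded address as unusable for a binding and requiring the pool to lie inside the interface subnet are assumptions made here, not rules the guide states.

```python
"""Consistency checks for one FortiGate interface's DHCP server definition:
address pool, exclude ranges and IP/MAC binding pairs.  Added example for
this guide; not Fortinet code.  Rules beyond "static IP, bindings inside the
range, one IP/MAC per binding" are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# six hex octets separated by ':' or '-' (both spellings are accepted, then normalised)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


@dataclass
class DhcpServer:
    interface: str
    interface_ip: str                      # static address with prefix length
    range_start: str
    range_end: str
    exclude: List[Tuple[str, str]] = field(default_factory=list)
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (ip, mac)


def _within(ip, start, end) -> bool:
    return start <= ip <= end


def validate_dhcp_server(s: DhcpServer) -> List[str]:
    """Return the problems found; an empty list means the definition is consistent."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(s.interface_ip)
    start = ipaddress.ip_address(s.range_start)
    end = ipaddress.ip_address(s.range_end)
    if start > end:
        problems.append(f"{s.interface}: range start {start} is after end {end}")
    if start not in iface.network or end not in iface.network:
        problems.append(f"{s.interface}: pool {start}-{end} is outside {iface.network}")
    if _within(iface.ip, start, end):
        problems.append(f"{s.interface}: interface address {iface.ip} lies inside the pool")

    excluded = []
    for a, b in s.exclude:
        a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
        if a > b:
            problems.append(f"{s.interface}: exclude range {a}-{b} is reversed")
        if not (_within(a, start, end) and _within(b, start, end)):
            problems.append(f"{s.interface}: exclude range {a}-{b} is not inside the pool")
        excluded.append((a, b))

    seen_ip, seen_mac = {}, {}
    for name, (ip_str, mac_str) in s.bindings.items():
        if not MAC_RE.match(mac_str):
            problems.append(f"binding {name}: malformed MAC {mac_str!r}")
            continue
        mac = mac_str.lower().replace("-", ":")   # 00-11-.. and 00:11:.. are the same MAC
        ip = ipaddress.ip_address(ip_str)
        if not _within(ip, start, end):
            problems.append(f"binding {name}: {ip} is outside the pool {start}-{end}")
        elif any(_within(ip, a, b) for a, b in excluded):
            problems.append(f"binding {name}: {ip} falls in an exclude range")
        if ip in seen_ip:
            problems.append(f"binding {name}: {ip} already bound to {seen_ip[ip]}")
        seen_ip.setdefault(ip, name)
        if mac in seen_mac:
            problems.append(f"binding {name}: MAC {mac} already bound to {seen_mac[mac]}")
        seen_mac.setdefault(mac, name)
    return problems


# Constructed sample definitions (not from the guide).
GOOD = DhcpServer("internal", "192.168.1.99/24", "192.168.1.110", "192.168.1.210",
                  exclude=[("192.168.1.150", "192.168.1.160")],
                  bindings={"printer": ("192.168.1.120", "00:11:22:33:44:55")})
BAD = DhcpServer("internal", "192.168.1.99/24", "192.168.1.110", "192.168.1.210",
                 exclude=[("192.168.1.150", "192.168.1.160")],
                 bindings={"printer": ("192.168.1.120", "00:11:22:33:44:55"),
                           "nas": ("192.168.1.155", "00-11-22-33-44-56"),      # excluded
                           "camera": ("192.168.2.5", "zz:11:22:33:44:57"),     # bad MAC
                           "printer2": ("192.168.1.120", "00:11:22:33:44:55")})  # duplicate

if __name__ == "__main__":
    for line in validate_dhcp_server(BAD):
        print(line)
```

The duplicate-MAC check matters most: two bindings with the same MAC mean the same host is promised two addresses, and a binding whose MAC can be spoofed is only an allocation hint, not an access control.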
  • Page 83: System Config

    Use the System Config page to make any of the following changes to the FortiGate system configuration: ... System time: Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate.
  • Page 84: Options

    NTP server. A typical Sync Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. Other options: timeout settings including the idle timeout and authentication timeout; the language displayed by the web-based manager; dead gateway detection interval and failover detection.
  • Page 85 Figure 30: System config options (Idle Timeout, Auth Timeout, Language, Detection Interval, Fail-over Detection). Fail-over Detection: set the ping server dead gateway detection failover number. To set the system idle timeout: Go to System > Config > Options. For Idle Timeout, type a number in minutes.
  • Page 86 FortiGate unit assumes that the gateway is no longer functioning. Select Apply. Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
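The Options page pairs a Detection Interval with a Fail-over Detection number: the unit pings the interface's ping server at the interval and treats the gateway as dead once the failover number of pings have been lost. The model below is an added example, not Fortinet code; reading the interval as seconds and the failover number as consecutive lost pings is an assumption about the page's wording, and the ping sequences are constructed. It shows the sizing question a practitioner actually has, namely how long an outage can last before routing failover triggers, and that a single lost ping never does.

```python
"""Dead gateway detection as the Options page describes it, as a small
simulation.  Added example; not Fortinet code.  Assumes Detection Interval is
in seconds and Fail-over Detection counts consecutive lost pings."""
from typing import Iterable, Optional


def time_to_declare_dead(ping_replies: Iterable[bool], interval_s: int,
                         failover_count: int) -> Optional[int]:
    """Walk a sequence of ping outcomes (True = reply) and return the elapsed
    seconds at which the gateway is declared dead, or None if it never is.
    A reply resets the counter, so isolated losses do not trigger failover."""
    if interval_s <= 0 or failover_count <= 0:
        raise ValueError("interval and failover count must be positive")
    lost = 0
    for n, replied in enumerate(ping_replies, start=1):
        lost = 0 if replied else lost + 1
        if lost >= failover_count:
            return n * interval_s
    return None


def worst_case_detection_s(interval_s: int, failover_count: int) -> int:
    """Longest an outage can go unnoticed: it begins just after a successful
    ping, so failover_count further probes must all be sent and all fail."""
    return interval_s * failover_count


# Constructed probe histories (True = reply received).
FLAPPING_LINK = [True, False] * 5            # one loss at a time: never fails over
REAL_OUTAGE = [True, False, False, True, False, False, False]

if __name__ == "__main__":
    print(time_to_declare_dead(FLAPPING_LINK, 5, 3))   # None
    print(time_to_declare_dead(REAL_OUTAGE, 5, 3))     # 35
    print(worst_case_detection_s(5, 3))                # 15
```

With the defaults of a few seconds and a failover number of three, the worst-case blind window is tens of seconds; lowering the interval shortens it at the cost of more probe traffic on the interface.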
  • Page 87: Ha Configuration

    System config An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic.
  • Page 88: Cluster Members

    All other FortiGate units in the cluster passively monitor the cluster status and remain synchronized with the primary FortiGate unit. Table 3 lists the virtual MAC addresses: 00-09-0f-06-ff-00, 00-09-0f-06-ff-01, 00-09-0f-06-ff-02, 00-09-0f-06-ff-03, ..., 00-09-0f-06-ff-3f.
  • Page 89 You can use the unit priority to control the order in which cluster units become the primary cluster unit when a cluster unit fails. For example, if you have three FortiGate-3600s in a cluster, you can set the unit priorities so that cluster unit A will always be the primary cluster unit because it has the highest priority.
  • Page 90 Load balancing according to IP address and port. If the cluster units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.
  • Page 91 System config Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails, the HA heartbeat can be diverted to another interface. HA heartbeat traffic can use a considerable amount of network bandwidth. If possible, enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on interfaces connected to less busy networks.
  • Page 92: Configuring An Ha Cluster

    To configure a FortiGate unit for HA operation. To connect a FortiGate HA cluster. To add a new unit to a functioning cluster. To configure weighted-round-robin weights. See also “Override Master” on page 89.
  • Page 93 System config Note: The following procedure does not include steps for configuring interface heartbeat devices and interface monitoring. Both of these HA settings should be configured after the cluster is up and running. Power on the FortiGate unit to be configured. Connect to the web-based manager.
  • Page 94 Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. The FortiGate units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status.
  • Page 95 Figure: HA cluster connections (the cluster units' internal interfaces share one hub or switch, and their WAN1 interfaces share a second hub or switch that leads to the Internet router).
  • Page 96: Managing An Ha Cluster

    The next three connections are processed by the first subordinate unit (priority 1, weight 3). The next three connections are processed by the second subordinate unit (priority 2, weight 3). See also “FortiGate HA traps” and the HA MIB fields on page 105.
  • Page 97 You can use the web-based manager to monitor the status and logs of individual cluster members. See “To view and manage logs for individual cluster units”. You can manage individual cluster units by using SSH to connect to the CLI of the cluster.
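Two of the active-active schedules are described only in words: IP Port (page 90) picks the unit from the packet's source and destination IP and port, and weighted round robin (page 96) hands the primary its weight of new sessions, then each subordinate in priority order its weight, and repeats. The following is an added example, not Fortinet code, that turns both descriptions into runnable schedulers so the resulting distribution can be inspected. The cluster and the flows are constructed; the SHA-256 based hash in the IP Port scheduler is an illustrative assumption, since the guide does not state which function FGCP uses, and the example goes beyond the page by letting you run an arbitrary number of sessions through either schedule.

```python
"""Two HA load-balancing schedules from the guide as runnable models.
Added example; not Fortinet code.  Weighted round robin follows the worked
description on page 96.  The IP-Port hash is an assumption: the guide only
says the 4-tuple decides the unit."""
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ClusterUnit:
    name: str
    priority: int   # 0 = primary, then subordinates in failover order
    weight: int     # new sessions the unit takes per round-robin cycle


def weighted_round_robin(units: List[ClusterUnit], n_sessions: int) -> List[str]:
    """Assign n_sessions new sessions in arrival order; returns unit names."""
    order = sorted(units, key=lambda u: u.priority)
    cycle = [u.name for u in order for _ in range(u.weight)]
    if not cycle:
        raise ValueError("every unit has weight 0; nothing can accept sessions")
    return [cycle[i % len(cycle)] for i in range(n_sessions)]


def ip_port_unit(units: List[ClusterUnit], src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> str:
    """Pick the unit for a flow from its 4-tuple.  Same tuple, same unit, so
    the packets of one session always land on the member that holds its state."""
    order = sorted(units, key=lambda u: u.priority)
    key = (ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
           + ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big"))
    digest = hashlib.sha256(key).digest()          # assumed hash, not FGCP's
    return order[int.from_bytes(digest[:4], "big") % len(order)].name


def distribution(assignments: List[str]) -> Dict[str, int]:
    """Sessions per unit, for eyeballing how even a schedule is."""
    return dict(Counter(assignments))


# Constructed three-unit cluster: primary weight 2, two subordinates weight 3,
# matching the worked description (3 sessions each for the subordinates).
UNITS = [ClusterUnit("primary", 0, 2),
         ClusterUnit("sub1", 1, 3),
         ClusterUnit("sub2", 2, 3)]

# Constructed sample flows: 200 client ports toward one web server.
FLOWS = [("10.0.0.5", 40000 + i, "203.0.113.10", 80) for i in range(200)]

if __name__ == "__main__":
    print(distribution(weighted_round_robin(UNITS, 16)))
    print(distribution([ip_port_unit(UNITS, *f) for f in FLOWS]))
```

Weighted round robin is exact but only counts sessions; IP Port is statistical, so a single noisy client with many ports still spreads out, while one long-lived session stays put.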
  • Page 98 Cluster Members list. The host name and serial number of the primary cluster unit changes. The new primary unit logs the following messages to the event log: HA slave became master; Detected HA member dead.
  • Page 99: SNMP. The SNMP manager can read FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile the Fortinet proprietary MIBs as well as the Fortinet-supported standard MIBs into your SNMP manager.
    HA trap description (continued from the previous page): The cluster contains fewer FortiGate units.
  • Page 100: Configuring SNMP. Subsections: SNMP community; FortiGate MIBs; FortiGate traps; Fortinet MIB fields. Enable the FortiGate SNMP agent. Enter descriptive information about the FortiGate unit (up to 35 characters). Enter the physical location of the FortiGate unit (up to 35 characters).
  • Page 101: SNMP community. An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. You can add up to three SNMP communities.
  • Page 102 SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
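What a manager actually sends when it polls one of the communities configured above, as an added example that is not part of the guide and not Fortinet code. It encodes an SNMPv1 GetRequest for sysDescr.0 by hand (stdlib only, no pysnmp), decodes the community back out of the bytes, and applies a constructed agent-side rule in the spirit of the guide's per-community manager list. The point a practitioner should take from it: in v1/v2c the community name is the only credential and it travels in cleartext, so limiting each community to named manager hosts is the control that matters.

```python
"""
SNMPv1 GetRequest encoder/decoder (BER by hand, stdlib only).
Added example, not from the FortiGate guide or Fortinet's MIBs. The
community table used by agent_accepts() is constructed.
"""
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0 from standard MIB-II


def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _integer(value):
    # minimal-length two's complement
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def _oid(arcs):
    out = [40 * arcs[0] + arcs[1]]              # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                              # base-128, high bit = more follows
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }"""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))          # value is NULL in a request
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)   # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_community(packet):
    """Return (version, community) from a v1/v2c message: no key is needed,
    which is exactly the weakness of community-based SNMP."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    tag, comm, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community string missing")
    return int.from_bytes(ver, "big", signed=True), comm.decode()


def agent_accepts(packet, src_ip, communities):
    """Constructed agent-side check: the community must exist and the sender
    must be one of the manager hosts listed for it ({name: set_of_ips})."""
    try:
        _, name = parse_community(packet)
    except ValueError:
        return False
    return src_ip in communities.get(name, set())


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0)
    print(pkt.hex())                     # community is visible as plain bytes
    print(parse_community(pkt))
```

The 40-byte packet produced for community "public" is the classic sysDescr.0 poll seen in any capture; anyone who can read it can replay it, so a read-only community is only as private as the segment it crosses.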
  • Page 103: FortiGate MIBs. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 104: FortiGate traps. The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number.
  • Page 105: Fortinet MIB fields. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
  • Page 106 Fortinet MIB fields (continued). The number of attacks detected by the IPS running on the FortiGate unit in the last 20 hours. avCount: the number of viruses detected by the antivirus system running on the FortiGate unit in the last 20 hours.
  • Page 107 System config. Table 16, Administrator accounts MIB fields: index, name, addr, mask, perm. Table 17, Local users MIB fields: index, name, auth, state. Table 18, Virtual domains MIB fields: index, name, auth, state. Table 19, Active IP sessions MIB fields: index, proto, fromAddr, ...
  • Page 108: Replacement messages. Description: the replacement message type; the web-based manager describes where each replacement message is used by the FortiGate unit. Edit/View icon: select to change a replacement message.
  • Page 109: Changing replacement messages. Figure 38: Sample HTTP virus replacement message. Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags; when users receive the replacement message, each tag is replaced with content relevant to the message.
  • Page 110: FortiManager. Replacement message tags (continued): the name of the web filtering service; the name of the content category of the web site; the Fortinet logo. FortiManager settings: the remote ID of the FortiManager IPSec tunnel; the IP address of the FortiManager Server.
  • Page 111: System administration. When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiGate unit.
  • Page 112: Administrators list. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 113. For information on access profiles, see “Access profile list” on page 114.
  • Page 113: Access profiles. Type a login name for the administrator account. Type and confirm a password for the administrator account. Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager. Select the access profile for the administrator. Select OK.
  • Page 114: Access profile list. Allow or deny access to the authorized users feature. Allow or deny access to the administrative users feature. Allow or deny access to the FortiProtect Distribution Network update feature. Allow or deny access to the system shutdown and reboot functionality.
  • Page 115 System administration To configure an access profile Go to System > Admin > Access Profile. Select Create New to add an access profile, or select the edit icon to edit an existing access profile. Enter a name for the access profile. Select or clear the Access Control check boxes as required.
  • Page 116 Access profiles (continued).
  • Page 117: System maintenance. Use the web-based manager to maintain the FortiGate unit. Backup and restore: you can back up the system configuration, VPN certificates, and web and spam filtering files to the management computer. You can also restore the system configuration, VPN certificates, and web and spam filtering files from previously downloaded backup files. Figure 45: Backup and restore list (columns Category, Latest Backup, ...).
  • Page 118: Backing up and restoring. IPS User-Defined Signatures: upload or download IPS signatures. All Certificates: restore or back up all VPN certificates in a single password-protected file. See “To back up VPN certificates” and “To restore VPN certificates” on page 119.
  • Page 119 System maintenance Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories Go to System >...
  • Page 120: Update center. To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. See “To enable scheduled updates” on page 125. Update methods: user-initiated updates from the FDN; hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
  • Page 121 System maintenance. Figure 46: Update center, with the fields FortiProtect Distribution Network, Push Update, Refresh, Use override server address, and Update. FortiProtect Distribution Network: the status of the connection to the FortiProtect Distribution Network (FDN); a green indicator means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates.
  • Page 122: Updating antivirus and attack definitions. The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings.
  • Page 123 System maintenance To update antivirus and attack definitions Go to System > Maintenance > Update center. Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent.
  • Page 124 System maintenance. CLI syntax for connecting to the FDN through a proxy (config system autoupdate tunneling):
        set address <proxy-address_ip>
        set port <proxy-port>
        set username <username_str>
        set password <password_str>
        set status enable
    Example:
        config system autoupdate tunneling
            set address 67.35.50.34
            set port 8080
            set username proxy_user
            set password proxy_pwd
            set status enable
        end
  • Page 125: Enabling push updates. There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates: the FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
  • Page 126: Enabling push updates through a NAT device. In the External Interface section, select the external interface that the FDN connects to. In the Type section, select Port Forwarding. In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to.
  • Page 127: Support. You can select Refresh to make sure that push updates work; Push Update changes to Available. Support: you can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS).
  • Page 128: Sending a bug report. Select Report Bug to submit problems with the FortiGate unit to Fortinet Support. Enter the contact information so that Fortinet support can reply to your bug report. Items marked with an * are required. Test: send diagnostic information about the FortiGate unit, including its current configuration, to Fortinet for analysis.
  • Page 129: Registering a FortiGate unit. Register the FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: ...
  • Page 130 For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
  • Page 131: Shutdown. Registration (continued): a web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password are sent to the email address provided with your contact information.
  • Page 132 The FortiGate unit restarts with the configuration that it had when it was first powered on. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
  • Page 133: System virtual domain. FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
  • Page 134: Virtual domain properties. Procedures (pages 138 to 142): “To select a management virtual domain”; “To configure routing for a virtual domain”; “To add IP pools to a virtual domain”; “To add Virtual IPs to a virtual domain”.
  • Page 135: Shared configuration settings. The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure these settings (list follows in the guide).
  • Page 136: Administration and management. A check mark icon in this column indicates that this is the domain used for system management. Delete icon: select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management.
  • Page 137: Adding a virtual domain. Selecting a management virtual domain: in NAT/Router mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”.
  • Page 138: Configuring virtual domains. Go to System > Network > Interface. Topics: Adding interfaces, VLAN subinterfaces, and zones to a virtual domain; Configuring routing for a virtual domain; Configuring firewall policies for a virtual domain; Configuring IPSec VPN for a virtual domain.
  • Page 139 System virtual domain Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
  • Page 140: Configuring routing for a virtual domain. Any zones that you add are added to the current virtual domain (see page 56). Network traffic entering this virtual domain is routed only by that domain; see “Router” on page 143 and “Routing table (Transparent Mode)” on page 60.
  • Page 141 System virtual domain Select Create new to add firewall policies to the current virtual domain. interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
  • Page 142: Configuring IPSec VPN for a virtual domain. Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See “VPN” on page 247.
  • Page 143: Router. You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
  • Page 144 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
  • Page 145: Static route list. Figure 52: Destinations on networks behind internal routers. To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24...
  • Page 146: Static route options. Destination IP: the destination IP address for this route. Mask: the netmask for this route. Gateway: the IP address of the first next hop router to which this route directs traffic. Device: the name of the FortiGate interface through which to route traffic. Distance: the administrative distance for the route.
  • Page 147: Policy. Figure 55: Move a static route. For Move to, select either Before or After and type the number that you want to place this route before or after. Select OK. The route is displayed in the new location on the static route list.
  • Page 148: Policy route options. Match packets that have this destination IP address and netmask. Match packets that have this destination port range; to match a single port, enter the same port number for both From and To. Send packets that match this policy route to this next hop router.
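The static route and policy route options above, combined into one lookup so the precedence rules are visible. This is an added example, not code from the FortiGate guide or FortiOS. The routes mirror the guide's figures (default gateway 192.168.10.1 on the external side, a route to 192.168.30.0/24 through an internal router), but the internal router's address 192.168.20.2, the wan1/wan2/internal device names, the distances and the policy route are constructed. Consulting policy routes before the routing table follows FortiOS behaviour but is stated here as an assumption rather than something the page spells out.

```python
"""
Static-route lookup (longest prefix, then lowest administrative distance)
with policy routes consulted first.
Added example, not from the FortiGate guide or FortiOS; the table is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    dst: str            # "0.0.0.0/0" is the default route
    gateway: str        # first next hop router
    device: str         # FortiGate interface the traffic leaves by
    distance: int = 10  # administrative distance; lower is preferred


@dataclass
class PolicyRoute:
    src: str
    dst: str
    port_from: int      # destination port range; From == To matches one port
    port_to: int
    gateway: str
    device: str


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def best_static_route(table, dst_ip):
    """Most specific prefix wins; among equal prefixes the lowest distance."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in _net(r.dst)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-_net(r.dst).prefixlen, r.distance))


def next_hop(policy_routes, table, src_ip, dst_ip, dport):
    """Return (gateway, device, 'policy' | 'static'), or None if unroutable.
    Assumption: policy routes are checked top-down before the routing table."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pr in policy_routes:
        if src in _net(pr.src) and dst in _net(pr.dst) and pr.port_from <= dport <= pr.port_to:
            return pr.gateway, pr.device, "policy"
    route = best_static_route(table, dst_ip)
    return (route.gateway, route.device, "static") if route else None


# constructed tables
ROUTES = [
    StaticRoute("0.0.0.0/0", "192.168.10.1", "wan1"),               # default gateway (guide figure)
    StaticRoute("192.168.30.0/24", "192.168.20.2", "internal"),     # Network_2 behind Router_1
    StaticRoute("10.0.0.0/8", "192.168.10.1", "wan1", distance=20),
    StaticRoute("10.0.0.0/8", "192.168.11.1", "wan2", distance=5),  # same prefix, preferred
]
POLICY_ROUTES = [
    PolicyRoute("192.168.20.0/24", "0.0.0.0/0", 443, 443, "192.168.11.1", "wan2"),
]


if __name__ == "__main__":
    print(next_hop(POLICY_ROUTES, ROUTES, "192.168.20.5", "192.168.30.7", 80))
    print(next_hop(POLICY_ROUTES, ROUTES, "192.168.20.5", "8.8.8.8", 443))
```

Two things worth checking in a real table against this model: a policy route matches on source and port as well as destination, so it can silently steer traffic that a static route would send elsewhere; and a duplicate prefix with a lower distance wins even if it was added later, so a stray low-distance entry overrides the intended path.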
  • Page 149: General. RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. Figure 58: RIP General settings.
  • Page 150: Networks list. RIP General settings (continued): Static, Metric, Route-map. To configure RIP general settings: go to Router > RIP > General. Select the default RIP Version. Change the Default Metric if required. Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
  • Page 151: Networks options. Figure 60: RIP Networks configuration. To configure a RIP network: go to Router > RIP > Networks. Select Create New to add a new RIP network, or select the edit icon beside an existing RIP network to edit that RIP network.
  • Page 152: Interface options. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network; because the password is readable by anyone on the segment, it gives no protection against a deliberate attacker, so use MD5 with a key chain wherever the routes matter.
  • Page 153: Distribute list. RIP interface options (continued): Password, Key-chain. To configure a RIP interface: go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
  • Page 154: Distribute list options. To configure a distribute list: go to Router > RIP > Distribute List. Select Create New to add a new distribute list, or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
  • Page 155: Offset list. To configure an offset list: go to Router > RIP > Offset List. Select Create New to add a new offset list, or select the edit icon beside an existing offset list to edit that offset list.
  • Page 156: Router objects. Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects are a set of tools used by routing protocols and features. Access list: access lists are filters used by FortiGate routing features.
  • Page 157: New access list entry. To add an access list name: go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. Figure 69: Access list entry configuration.
  • Page 158: New prefix list. Figure 71: Prefix list name configuration. To add a prefix list name: go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. An access list and a prefix list cannot have the same name.
  • Page 159: New prefix list entry. To configure a prefix list entry: go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry, or select the edit icon beside an existing prefix list entry to edit that entry.
  • Page 160: New route-map. Figure 74: Route map name configuration. To add a route map name: go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK.
  • Page 161: Route-map list entry. Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric; the metric can be a number from 1 to 16.
  • Page 162: Key chain list. Figure 77: Key chain name configuration. To add a key chain name: go to Router > Router Objects > Key-chain. Select Create New. See the system time settings for information on setting the FortiGate system date and time.
  • Page 163: Key chain list entry. To configure a key chain entry: go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry, or select the Edit icon beside an existing key chain entry to edit that entry.
  • Page 164: Monitor. To filter the routing monitor display: go to Router > Monitor > Routing Monitor. Select a type of route to display, or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
  • Page 165: CLI configuration. For complete CLI command syntax, see the FortiGate CLI Reference Guide. get router info ospf: use this command to display information about OSPF. Command syntax: get router info ospf followed by one of the keywords. Keywords and variables include border-routers, database, interface, ...
  • Page 166: get router info rip. OSPF overview: an OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
  • Page 167 Router. Note: in the following table, only the router-id keyword is required; all other keywords are optional. config router ospf keywords and variables: abr-type {cisco | ibm | shortcut | standard}; database-overflow {disable | enable}; database-overflow-max-lsas <lsas_integer>; ...
  • Page 168 config router ospf keywords (continued): <address_ipv4>; spf-timers <delay_integer> <hold_integer>. Description: specify the default metric that OSPF should use for redistributed routes; the valid range for metric_integer is 1 to 16777214. Examples: setting the OSPF router ID to 1.1.1.1, and displaying the OSPF settings.
  • Page 169 This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
  • Page 170 config area keywords (continued): enable or disable redistributing routes into an NSSA area. Table defaults shown: none, disable, enable; availability: all models.
  • Page 171 This example shows how to display the settings for area 15.1.1.1. Description: an NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain.
  • Page 172 Set the direction for the filter: enter in to filter incoming packets, or out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list (see “Access list” on page 157). No default; all models.
  • Page 173 The range for id_integer is 0 to 4294967295. Example path:
        config router ospf
            config area
                edit 15.1.1.1
                    config filter-list
  • Page 174 Enable or disable using a substitute prefix (default disable; all models). Example:
        config router ospf
            config area
                edit 15.1.1.1
                    config range
                        edit 1
                            set prefix 1.1.0.0 255.255.0.0
                        next
                    end
                next
            end
        end
  • Page 175 Virtual links can only be set up between two area border routers (ABRs). config virtual-link command syntax pattern. Note: only the peer keyword is required; all other keywords are optional. Example path:
        config router ospf
            config area
                edit 15.1.1.1
                    show
                    config virtual-link
                        edit <name_str>
  • Page 176 Maximum length: 15 characters. dead-interval: the time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. Both ends of the virtual link must use the same value for dead-interval.
  • Page 177 This example shows how to configure a virtual link, display the settings for area 15.1.1.1, and display the configuration for area 15.1.1.1. config distribute-list: access the config distribute-list subcommand using the config router ospf command. Description: the time, in seconds, to wait before sending an LSA retransmission.
  • Page 178 Enter the name of the access list to use for this distribute list (no default). Advertise only the routes discovered by the specified protocol and that are permitted by the named access list (default connected). All models.
  • Page 179 This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
  • Page 180 Example (config neighbor):
        config router ospf
            config neighbor
                edit 1
                    set ip 192.168.21.63
    To display it, use the same path followed by show. Default for ip: 0.0.0.0. All models.
  • Page 181: config network. Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern.
  • Page 182 This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
  • Page 183 Enable or disable flooding LSAs out of this interface. dead-interval: the time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. All routers on the network must use the same value for dead-interval.
  • Page 184 config ospf-interface keywords (continued): MTUs so that they match. Table defaults shown: no default, 1500, disable; all models. The MD5 key settings apply only when authentication is set to md5.
  • Page 185 “config neighbor” on page 179. Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 can not be elected DR or BDR.
  • Page 186: config redistribute. This example shows how to display the configuration for the OSPF interface configuration named test. config redistribute: access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network.
  • Page 187 This example shows how to display the OSPF settings and the OSPF configuration. config summary-address: access the config summary-address subcommand using the config router ospf command. config redistribute syntax: config redistribute {connected | static | rip}, then set <keyword> ...
  • Page 188 Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range”. By advertising a single summary route, you reduce the size of the OSPF link-state database.
  • Page 189: config router static6. Enter ::/0 for the destination IPv6 address and netmask to add a default route. gateway: the IPv6 address of the first next hop router to which this route directs traffic. All models.
  • Page 190 This example shows how to display the configuration for IPv6 static route 2.
        config router static6
            edit 2
                set dev internal
                set dst 12AB:0:0:CD30::/60
                set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
            next
        end
    Display commands: get router static6; get router static6 2; show router static6; show router static6 2.
  • Page 191: Firewall. Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
  • Page 192: Policy. Note: policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first and users are never asked to authenticate. Topics: How policy matching works; Policy list; Policy options; Advanced policy options; Configuring firewall policies.
  • Page 193: Policy list. You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 80: Sample policy list. The policy list has the following icons and features: Create New; Source; Dest; Schedule; Service; Action; Enable; source -> destination (n), the policy list headings indicating the traffic to which the policies apply. Figure 81: Move to options. Policy options: policy options are configurable when creating or editing a firewall policy.
  • Page 194 Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See “Service” on page 205. Related: “Addresses” on page 200, “Virtual IP” on page 216, “Schedule” on page 213.
  • Page 195 Firewall. Policy options (continued): Action, VPN Tunnel, Protection Profile, Log Traffic, Advanced. Action: select how you want the firewall to respond when the policy matches a connection attempt. ACCEPT: accept connections matched by the policy; you can also configure NAT and Authentication for the policy. ...
  • Page 196: Advanced policy options. Authentication (continued): HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service. See page 241.
  • Page 197: Traffic shaping. In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name. Traffic Shaping: traffic shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
  • Page 198: Configuring firewall policies. Set the DSCP value for reply packets. For example, for an Internal -> External policy the value is applied to incoming reply packets before they exit the internal interface and return to the originator. See “Policy options” on page 193 and “How policy matching works” on page 192.
  • Page 199: Policy CLI Configuration

    Select the position for the policy. Select OK. To disable a policy Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy.
  • Page 200: Address

    64.195.45.0/24; x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120; x.x.x.[x-x], for example 192.168.110.[100-120]; x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet. (CLI table columns: Default 0.0.0.0, 0.0.0.0; Availability: All models; Encrypt policy, with outbound enabled.)
  • Page 201: Address List

    Address list You can add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address which represents any IP address on the network. Figure 85: Sample address list. The address list has the following icons and features.
  • Page 202: Configuring Addresses

    The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0. A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10).
  • Page 203: Address Group List

    Note: To change the address name you must delete the address and add it again with a new name. To avoid confusion in firewall policies, an address and a virtual IP cannot have the same name. Select OK. To delete an address Deleting an address removes it from the address list.
  • Page 204: Configuring Address Groups

    IPs must all have unique names to avoid confusion in firewall policies. The list of configured and default firewall addresses. Use the arrows to move addresses between the lists. The list of addresses in the group. Use the arrows to move addresses between the lists.
  • Page 205: Service

    Make any required changes. Note: To change the address group name you must delete the address group and add it with a new name. Select OK. Service Use services to determine the types of communication accepted or denied by the firewall.
  • Page 206 ISAKMP for IPSEC. Internet Message Access Protocol is a protocol used for retrieving email messages. Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL. (Protocol/Port column entries: 5190-5194; 1720, 1503.)
  • Page 207 Table 21: FortiGate predefined services (continued). Service names: L2TP, LDAP, NetMeeting, NNTP, OSPF, PC-Anywhere, ICMP_ANY, PING, TIMESTAMP, INFO_REQUEST (ICMP information request messages), INFO_ADDRESS (ICMP address mask request messages), POP3, PPTP, QUAKE, RAUDIO, RLOGIN, SIP-MSNmessenger. Description: Internet Relay Chat allows people connected to the Internet to join live discussions.
  • Page 208: Custom Service List

    Select a protocol and then Create New to add a custom service. The name of the custom service. The protocol and port numbers for each custom service. The Delete and Edit/View icons. (Protocol/Port column entries: 161-162; 161-162; 517-518; 0-65535; 0-65535; 7000-7010; 1494; 6000-6063.)
  • Page 209: Custom Service Options

    Custom service options Different options appear depending on the protocol type of custom service you want to define. Choose from TCP, UDP, ICMP, or IP. TCP and UDP custom service options Figure 91: TCP and UDP custom service options Name Protocol Type Source Port...
  • Page 210: Configuring Custom Services

    Enter a name for the new custom IP service. Select IP as the Protocol Type. Enter the IP protocol number for the service. The name of the IP custom service. Select the protocol type of the service you are adding: IP.
  • Page 211: Service Group List

    Select OK. You can now add this custom service to a policy. To delete a custom service Go to Firewall > Service > Custom. Select the Delete icon beside the service you want to delete. Select OK. To edit a custom service Go to Firewall >...
  • Page 212: Configuring Service Groups

    Enter a name to identify the address group. The list of configured and predefined services. Use the arrows to move services between the lists. The list of services in the group. Use the arrows to move services between the lists.
  • Page 213: Schedule

    Note: To change the service group name you must delete the service group and add it with a new name. Select OK. Schedule Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule.
  • Page 214: One-Time Schedule Options

    Note: To change the one-time schedule name you must delete the schedule and add it with a new name. Select OK to save the changes. Enter the name to identify the one-time schedule. Enter the start date and time for the schedule. Enter the stop date and time for the schedule.
  • Page 215: Recurring Schedule List

    Recurring schedule list You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent game play during working hours by creating a recurring schedule. Note: If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day.
  • Page 216: Configuring Recurring Schedules

    DMZ network. To allow connections from the Internet to the web server, you must then add a WAN1->DMZ or WAN2->DMZ firewall policy and set Destination to the virtual IP.
  • Page 217: Virtual IP List

    You can create three types of virtual IPs: Static NAT, Port Forwarding, Dynamic port forwarding. Note: The maximum number of virtual IPs is 1024. Virtual IP list Figure 100: Sample virtual IP list. The virtual IP list has the following icons and features. Create New Name Service Port...
  • Page 218: Configuring Virtual IPs

    Enter the real IP address on the destination network. Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.)
  • Page 219 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterface. You can set the virtual IP external interface to any FortiGate interface.
  • Page 220 Enter the Map to Port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port. or to any other address.
  • Page 221: IP Pool

    Select OK. To delete a virtual IP Go to Firewall > Virtual IP. Select the Delete icon beside the virtual IP you want to delete. Select OK. To edit a virtual IP Go to Firewall > Virtual IP. Select the Edit icon beside the virtual IP you want to modify. Select OK.
  • Page 222: IP Pool List

    The start IP defines the start of an address range. The end IP defines the end of an address range. The Delete and Edit/View icons. Select the interface to which to add an IP pool. Enter a name for the IP pool.
  • Page 223: IP Pools For Firewall Policies That Use Fixed Ports

    Select OK. To delete an IP pool Go to Firewall > IP Pool. Select the Delete icon beside the IP pool you want to delete. Select OK. To edit an IP pool Go to Firewall > IP Pool. For the IP pool that you want to edit, select Edit beside it. Modify the IP pool as required.
  • Page 224: Protection Profile

    Protection profile list Default protection profiles Protection profile options Configuring protection profiles Profile CLI configuration Select Create New to add an IP pool. The start IP defines the start of an address range. The Delete and Edit/View icons.
  • Page 225: Default Protection Profiles

    Default protection profiles The FortiGate unit comes preconfigured with four protection profiles. Strict Scan Unfiltered Protection profile options Figure 106: Adding a protection profile You can configure the following options when creating or editing a protection profile. Profile Name Anti-Virus Web Filtering Web Category Filtering Spam Filtering...
  • Page 226 Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis. (IMAP, POP3, SMTP). Fragmented email cannot be scanned for viruses.
  • Page 227: Configuring Web Filtering Options

    Configuring web filtering options Figure 108: Protection profile web filtering options The following options are available for web filtering through the protection profile. See “Web filter” on page 311 Web Content Block Web URL Block Web Exempt List Web Script Filter Web resume download block Configuring web category filtering options...
  • Page 228: Configuring Spam Filtering Options

    Choose from allow, block, or monitor. See “Spam filter” on page 325 for more spam filter configuration options. Enable or disable the Fortinet spam filtering IP address blacklist: FortiShield service. Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list.
  • Page 229 Return e-mail DNS check Enable or disable checking that the domain specified in the reply-to MIME headers check Banned word check Spam Action Append to Append with Note: Some popular email clients cannot filter messages based on the MIME header. Check your email client features before deciding how to tag spam.
  • Page 230: Configuring Protection Profiles

    FortiLog unit for each protocol. Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiLog is enabled under Log&Report > Log Config > Log Settings.
  • Page 231: Profile CLI Configuration

    To add a protection profile to a policy You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. Go to Firewall >...
  • Page 232 If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. (CLI table columns: Availability: All models; splice: No default, All models.)
  • Page 233 firewall profile command keywords and variables (Continued) Keywords and variables smtp {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice} This example shows how to display the settings for the firewall profile command.
  • Page 235: Users And Authentication

    Users and authentication You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
  • Page 236: Setting Authentication Timeout

    Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
  • Page 237: RADIUS

    LDAP Radius To add a user name and configure authentication Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user.
  • Page 238: RADIUS Server Options

    FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret.
  • Page 239: LDAP Server List

    The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.
  • Page 240 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
  • Page 241: User Group

    User group To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: •...
  • Page 242: User Group Options

    The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group.
  • Page 243: CLI Configuration

    To delete a user group You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
  • Page 244: Peergrp

    Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required. (CLI table columns: Default: No default; Availability: All models.)
  • Page 245 This example shows how to display the list of configured peer groups. This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peer groups. This example shows how to display the configuration for the peergrp EU_branches.
  • Page 247: VPN

    FortiGate units support the following protocols to authenticate and encrypt traffic: Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP). This chapter contains information about the following VPN topics:
  • Page 248: Phase 1

    Select Create New to create a new phase 1 configuration. The names of existing phase 1 configurations. The IP address or domain name of a remote peer, or Dialup for a dialup client. Main or Aggressive.
  • Page 249: Phase 1 Basic Settings

    Encryption Algorithm: The names of the encryption and authentication algorithms used by each phase 1 configuration. Phase 1 basic settings Figure 122: Phase 1 basic settings. Gateway Name: Type a name for the remote VPN peer or client. Enter a name that reflects the Remote Gateway IP Address, Dynamic DNS, Mode, Authentication Method.
  • Page 250 The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected. For more information, see the “config user” chapter of the FortiGate CLI Reference Guide.
  • Page 251: Phase 1 Advanced Settings

    Phase 1 advanced settings Figure 123: Phase 1 advanced settings P1 Proposal Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
  • Page 252: Phase 2

    If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds. Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  • Page 253: Phase 2 List

    Follow the general guidelines in these sections: For information about how to choose the correct phase 2 settings for your particular situation, refer to the Note: The procedures in this section assume that you want the FortiGate unit to generate unique IPSec encryption and authentication keys automatically.
  • Page 254: Phase 2 Advanced Options

    • AES128: A 128-bit block algorithm that uses a 128-bit key. • AES192: A 128-bit block algorithm that uses a 192-bit key. • AES256: A 128-bit block algorithm that uses a 256-bit key. See “Phase 1” on page 248 and “Concentrator” on page 258.
  • Page 255: Manual Key

    Enable replay detection, Enable perfect forward secrecy (PFS), DH Group, Keylife, Autokey Keep Alive, DHCP-IPSec, Internet browsing, Quick Mode Identities. Manual key If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where: •...
  • Page 256: Manual Key List

    Select Create New to create a new manual key configuration. The IP address of the remote peer or client. The names of the encryption algorithms used in the configuration. The names of the authentication algorithms used in the configuration. Edit, view, or delete manual key configurations.
  • Page 257: Manual Key Options

    Manual key options Figure 128: Adding a manual key VPN tunnel VPN Tunnel Name Type a name for the VPN tunnel. Local SPI Remote SPI Remote Gateway Encryption Algorithm Encryption Key Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit.
  • Page 258: Concentrator

    If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configuration before it can be selected here. See “Concentrator” on page 258, “Concentrator list” on page 258, and “Concentrator options” on page 259.
  • Page 259: Concentrator Options

    Create New; Concentrator Name: The names of existing IPSec VPN concentrators; Members. Concentrator options Figure 130: Creating a concentrator for a hub-and-spoke configuration. Concentrator Name, Available Tunnels, Members. Ping Generator The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open when no traffic is being generated inside the tunnel.
  • Page 260: Ping Generator Options

    If you want to generate traffic on a second VPN tunnel simultaneously, enter a second IP address from which traffic may originate locally. Enter the IP address of the second computer to ping. See “Dialup monitor” on page 261 and “Static IP and dynamic DNS monitor” on page 261.
  • Page 261: Dialup Monitor

    To establish or take down a VPN tunnel Go to VPN > IPSEC > Monitor. In the list of tunnels, select the Bring down tunnel or Bring up tunnel button in the row that corresponds to the tunnel that you want to bring down or up. If you take down an active tunnel while a dialup client such as FortiClient is still connected, FortiClient will continue to show the tunnel connected and idle.
  • Page 262: PPTP

    IP addresses. The IP address of the remote peer. Take down the selected VPN tunnel. The remote VPN peer may have to reconnect to establish a new VPN session. Establish the selected VPN tunnel. See “PPTP configuration procedures” on page 270.
  • Page 263: L2TP

    Enable PPTP, Starting IP, Ending IP, User Group, Disable PPTP. L2TP A FortiGate unit can be configured to act as an L2TP network server. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly. For information about how to perform the related tasks, see procedures”...
  • Page 264: Certificates

    Select to save a copy of the certificate request to a local computer. Send the request to your CA to obtain a certificate for the FortiGate unit. See “Certificate request” on page 265, “Importing signed certificates” on page 266, “Importing CA”, Figure 137, and the FortiGate VPN Guide.
  • Page 265: Certificate Request

    Figure 137: Certificate details Certificate request To obtain a personal or site certificate, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request. The generated request includes information such as the FortiGate unit’s public static IP address, domain name, or email address.
  • Page 266: Importing Signed Certificates

    Contact email address. The CA may choose to deliver the digital certificate to this address. Only RSA is supported. Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all IPSec VPN products support all three key sizes.
  • Page 267: CA Certificate List

    CA certificate list Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. The installed CA certificates are displayed in the CA certificate list. Figure 140: CA certificate list Import Name Subject View Certificate Detail icon Download icon...
  • Page 268: VPN Configuration Procedures

    “Configuring L2TP VPNs” describes how to configure the FortiGate unit to operate as an L2TP network server. “Monitoring and Testing VPN Tunnels” outlines some general monitoring and testing procedures for VPNs. See “Phase 1” on page 248, “Phase 2” on page 252, and “Manual key” on page 255 (see also page 268 and the FortiGate VPN Guide).
  • Page 269 In the Address Name field, type a name that represents the local network, server(s), or host(s) from which IP packets may originate on the private network behind the local FortiGate unit. In the IP Range/Subnet field, type the corresponding IP address and subnet mask (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1/32 for a server or host) or IP address range (for example, 192.168.10.[80-100]).
  • Page 270: PPTP Configuration Procedures

    To perform Steps 3 and 4, see the FortiGate VPN Guide, “Users and authentication” on page 235, “PPTP range” on page 262, and “L2TP range” on page 263.
  • Page 271: CLI Configuration

    CLI configuration This section provides information about features that must be configured through CLI commands. CLI commands provide additional network options that cannot be configured through the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference Guide. ipsec phase1 In the web-based manager, the Dead Peer Detection option can be enabled when you define advanced Phase 1 options.
  • Page 272 1000; set dpd-idleworry 150; set dpd-retrycount 5; set dpd-retryinterval 30. (CLI table columns: Default/Availability: All models, dpd must be set to enable; All models, seconds, dpd must be set to enable.)
  • Page 273: IPSec Phase2

    ipsec phase2 Use the config vpn ipsec phase2 CLI command to add or edit an IPSec VPN phase 2 configuration. Command syntax pattern: config vpn ipsec phase2 edit <name_str>... ipsec phase2 command keywords and variables: bindtoif <interface-name_str>, dstaddr <name_str>, dstport <port_integer>, protocol <protocol_integer>
  • Page 274: IPSec VIP

    The srcport range is 1 to 65535. To specify all ports, type 0. (CLI table columns: Default/Availability: All models; policy disable, All models; All models; default, selector must be set specify, All models; default, selector must be set specify.)
  • Page 275 Note: The interface to the destination network must be associated with a VPN tunnel through a firewall encryption policy (action must be set to encrypt). The policy determines which VPN tunnel will be selected to forward traffic to the destination. When you create IPSec VIP entries, check the encryption policy on the FortiGate interface to the destination network to ensure that it meets your requirements.
  • Page 276: Configuring Ipsec Virtual Ip Addresses

    Figure 142: A typical site-to-site configuration using the IPSec VIP feature (Host_1 192.168.12.1 on the Finance Network 192.168.12.0/24 behind the external interface of FortiGate_1; Host_2 192.168.12.2 on the HR Network 192.168.12.0/24 behind the external interface of FortiGate_2; the two FortiGate units are connected across the Internet). CLI examples: get vpn ipsec vip; get vpn ipsec vip 1; show vpn ipsec vip.
  • Page 277 When Host_1 attempts to send a packet to Host_2 for the first time, Host_1 issues an ARP request locally for the MAC address of Host_2. However, because Host_2 resides on a remote network, it does not respond. Instead, the FortiGate unit responds with its own MAC address.
  • Page 279: IPS

    IPS (attack) engines and definitions through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see
  • Page 280: Signature

    The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
  • Page 281: Predefined Signature List

    If logging is disabled and action is set to Pass, the signature is effectively disabled. The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection based attacks.
  • Page 282: Configuring Predefined Signatures

    The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
  • Page 283: Configuring Parameters For Dissector Signatures

    Select the Enable box to enable the signature or clear the Enable box to disable the signature. Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. Select the Action for the FortiGate unit to take when traffic matches this signature. (See Select OK.
  • Page 284: Custom

    (the default) no change is made to the codepoint in the IP header. Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group. Select Create New to create a new custom signature.
  • Page 285: Adding Custom Signatures

    Clear all custom signatures Reset to recommended settings? Name Revision Enable Logging Action Modify Adding custom signatures To add a custom signature Go to IPS > Signature > Custom. Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.
  • Page 286: Anomaly

    The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly. See “Anomaly CLI configuration” on page 289.
  • Page 287: Configuring An Anomaly

    If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection based attacks.
  • Page 288 FortiGate session table, and does not send a reset. Session Pass The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Session Traffic over the specified threshold triggers the anomaly.
  • Page 289: Anomaly CLI Configuration

    Anomaly CLI configuration Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. (config ips anomaly) config limit Note: This command has more keywords than are listed in this Guide.
  • Page 290: Configuring IPS Logging And Alert Email

    You can change the default fail open setting using the CLI: Enable ips_open to cause the IPS to fail open and disable ips_open to cause the IPS to fail closed. config sys global / set ips-open [enable | disable]. See “Log & Report” on page 341.
  • Page 291: Antivirus

    Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
  • Page 292: File Block

    IPS (attack) engines and definitions, as well as the local spam RBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see This chapter describes: •...
  • Page 293: File Block List

    File block list The file block list is preconfigured with a default list of file patterns. Figure 153: Default file block list File block list has the following icons and features: Create New Apply Pattern...
  • Page 294: Configuring The File Block List

    You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. This section describes: •...
  • Page 295: Quarantined Files List Options

    EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
  • Page 296: Autosubmit List

    (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
  • Page 297: Config

    Antivirus Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 157:Quarantine configuration Quarantine configuration has the following options: Options Age limit...
  • Page 298: Config

    So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold. Virus list: see “Changing unit…” on page 29. Config, Grayware, Grayware options. To find out how to use the Fortinet Update Center, see page 120. Figure 159.
  • Page 299: Grayware

    Antivirus Figure 159:Example threshold configuration You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Further file size limits for uncompressed files can be configured as an advanced feature via the CLI.
  • Page 300 Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
  • Page 301: Cli Configuration

    Antivirus CLI configuration Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators.
  • Page 302: Config Antivirus Quarantine

    Quarantine files found by heuristic scanning in traffic for the specified protocols (imap, smtp, pop3, http). Availability: FortiGate models numbered 200 and higher. config antivirus service http set <keyword> <variable>
  • Page 303 Antivirus antivirus service http command keywords and variables Keywords and variables memfilesizelimit <MB_integer> port <port_integer> uncompsizelimit <MB_integer> How file size limits work The memfilesizelimit is applied first to all incoming files, compressed or uncompressed. If the file is larger than the limit the file is passed or blocked according to the user configuration in the firewall profile.
  • Page 304: Config Antivirus Service Ftp

    70 set port 80 set port 443 get antivirus service http show antivirus service http config antivirus service ftp set <keyword> <variable> config antivirus service ftp unset <keyword> get antivirus service [ftp] show antivirus service [ftp]
  • Page 305 Antivirus antivirus service ftp command keywords and variables Keywords and variables memfilesizelimit <MB_integer> port <port_integer> uncompsizelimit <MB_integer> How file size limits work Example This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to memory at 100 MB, and how to enable antivirus scanning on ports 20 and 21 for FTP traffic.
  • Page 306: Config Antivirus Service Pop3

    Enter a value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended). See “How file size limits work” on page 303. Default: 10 (MB), 10 (MB). Availability: All models.
  • Page 307: Config Antivirus Service Imap

    Antivirus Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 20 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 60 MB, and how to enable antivirus scanning on ports 110, 111, and 992 for POP3 traffic.
  • Page 308 25 set uncompsizelimit 50 set port 143 set port 993 get antivirus service imap show antivirus service imap. Default: 10 (MB), 10 (MB) (see page 303). Availability: All models.
  • Page 309: Config Antivirus Service Smtp

    Antivirus config antivirus service smtp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected email file attachments.
  • Page 310 This example shows how to display the configuration for antivirus SMTP traffic. config antivirus service smtp set memfilesizelimit 100 set uncompsizelimit 1000 set port 25 set port 465 get antivirus service smtp show antivirus service smtp
  • Page 311: Web Filter

    Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering. See “Protection profile options”...
  • Page 312 URL exempt, Category block, Script filter. Web Filter setting: Web Filter > Category Block > Configuration. Enable or disable FortiGuard and enable and set the size limit for the cache. See “Protection profile” on page 231.
  • Page 313: Content Block

    Web filter Content block Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
  • Page 314: Configuring The Web Content Block List

    See “Using Perl regular expressions” on page 337. Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list.
  • Page 315: Web Url Block List

    Web filter Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. This section describes: •...
  • Page 316: Configuring The Web Url Block List

    FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings.
  • Page 317: Web Pattern Block Options

    Web filter Figure 165:Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Create New Pattern Configuring web pattern block To add a pattern to the web pattern block list Go to Web Filter > URL Block. Select Web Pattern Block.
  • Page 318: Url Exempt List

    Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons.
  • Page 319: Category Block

    • FortiGuard managed web filtering service FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
  • Page 320: Category Block Configuration Options

    FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking.
  • Page 321: Configuring Web Category Block

    Web filter To have a URL’s... Configuring web category block To enable FortiGuard web filtering Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available. If the FortiGuard status is unavailable, wait and try again.
  • Page 322: Category Block Reports Options

    The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame.
  • Page 323: Script Filter

    Use this command only if you need to change the host name. config webfilter catblock set ftgd_hostname guard.example.net get webfilter catblock show webfilter catblock. Default: guard.fortinet.com. Availability: All models, FortiGuard service only.
  • Page 324: Web Script Filter Options

    You can configure the following options for script filtering: Javascript Cookies ActiveX Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications.
  • Page 325: Spam Filter

    Table 29: Spam Filter and Protection Profile spam filtering configuration Protection Profile spam filtering options IP address FortiShield check Enable or disable Fortinet’s antispam service: FortiShield. This service works like an RBL server and is continuously updated to block spam sources.
  • Page 326 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. See “Protection profile” on page 231.
  • Page 327: Fortishield

    • FortiShield FortiShield is an antispam system from Fortinet that uses an IP address black list and spam filtering tools. FortiShield compiles the IP address list from email captured by spam probes located around the world. Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address list.
  • Page 328: Fortishield Options

    You can enable or disable FortiShield in a firewall protection profile. See spam filtering options” on page FortiShield options If you have ordered FortiShield through Fortinet technical support or are using the free 30-day trial, you only need to enable the service to start configuring and using FortiShield.
  • Page 329: Ip Address

    Spam filter Select Apply. You can now enable FortiShield for any firewall protection profile you create. See “Configuring spam filtering options” on page Once you select Apply, the FortiShield license type and expiration date appears on the configuration screen (Spam Filter > FortiShield). IP address The FortiGate unit uses the IP address list to filter incoming email.
  • Page 330: Configuring The Ip Address List

    Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons.
  • Page 331: Rbl & Ordbl List

    Spam filter Note: Because the FortiGate unit uses the server domain name to connect to the RBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see This section describes: •...
  • Page 332: Email Address

    Configuring the email address list Select Create New to add an email address to the email address list. The number of items in the list. The Page up, Page down, and Remove all entries icons.
  • Page 333: Configuring The Email Address List

    Spam filter Email address Pattern Type Action Configuring the email address list To add an email address or domain to the list Go to Spam Filter > E-mail Address. Select Create New. Figure 178:Adding an email address Enter the email address or pattern you want to add. Select a pattern type for the list entry.
  • Page 334: Mime Headers List

    Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 337.
  • Page 335: Configuring The Mime Headers List

    Spam filter Configuring the MIME headers list To add a MIME header to the list Go to Spam Filter > MIME headers. Select Create New. Figure 180:Adding a MIME header Enter the MIME header key. Enter the MIME header value. Select a pattern type for the list entry.
  • Page 336: Banned Word List

    Traditional Chinese, French, Japanese, Korean, Thai, or Western. The location which the FortiGate unit searches for the banned word: subject, body, or all. The selected action to take on email with banned words. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 337.
  • Page 337: Configuring The Banned Word List

    Spam filter Figure 182:Adding a banned word Pattern Pattern Type Language Where Action Enable Configuring the banned word list To add or edit a banned word Go to Spam Filter > Banned Word. Select Create New to add a banned word or select Edit for the banned word you want to modify.
  • Page 338 [abc] fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To match fortinet.com, the regular expression should be: fortinet\.com. forti*\.com matches fortiiii.com but does not match fortinet.com. Matches abc (that exact character sequence, but anywhere in the string).
  • Page 339 Spam filter Table 30: Perl regular expression formats [Aa]bc [abc]+ [^abc]+ \d\d 100\s*mk abc\b perl\B Examples To block any word in a phrase /block|any|word/ To block purposely misspelled words Spammers often insert other characters between the letters of a word to fool spam blocking software.
  • Page 340 Using Perl regular expressions Spam filter
  • Page 341: Log & Report

    Log & Report FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages except traffic and content can be saved in internal memory.
  • Page 342: Log Config

    A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units and other firewall units. To enable content archiving with a firewall Protection profile, you need to select the FortiLog option and define its IP address.
  • Page 343 Log & Report Memory Syslog WebTrends Figure 184:Log setting options for all log locations To configure Log Setting Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
  • Page 344 Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Antivirus Log file, Web Filter Log file, Attack Log file, Spam Filter Log file, and Content Archive file. See Table 31, “Logging…”.
  • Page 345: Syslog Settings

    Log & Report To configure log file uploading Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server.
  • Page 346: Alert E-Mail Options

    The interval to wait before sending an alert e-mail for notification level log messages. The interval to wait before sending an alert e-mail for information level log messages. Select Apply to activate any additions or changes to configuration.
  • Page 347: Log Filter Options

    Log & Report Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in filter options”...
  • Page 348: Traffic Log

    The FortiGate unit logs all system-related events, such as ping server failure and gateway status. The FortiGate unit logs all IPSec negotiation events, such as progress and error reports. The FortiGate unit logs all DHCP events, such as the request and response log.
  • Page 349 Log & Report L2TP/PPTP/PPPoE service event Admin event HA activity event Firewall authentication event Pattern update event Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
  • Page 350: Configuring Log Filters

    The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic.
  • Page 351: Log Access

    Log & Report Make sure you enable traffic log under Log Filter for a logging location and set the logging severity level to Notification or lower. Log access Log Access provides access to log messages saved to the memory buffer. You can view and search logs.
  • Page 352 Move selected field up one position in the Show these fields list. Move selected field down one position in the Show these fields list.
  • Page 353: Searching Log Messages

    Log & Report The Detailed Information column provides the entire raw log entry and is not needed unless the log contains information not available in any of the other, more specific columns. To change the columns in the log message display While viewing log messages, select the Column Settings icon.
  • Page 354: Cli Configuration

    FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiGate are encrypted and secure. Default: disable; no default. Availability: All models.
  • Page 355: Syslogd Setting

    Log & Report log fortilog setting command keywords and variables (Continued) Keywords and variables psksecret <str_psk> server <address_ipv4> status {disable | enable} Note: The IPSec VPN settings for the FortiGate unit must match the VPN settings on the FortiLog unit. Example This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.
  • Page 356 Enter the IP address of the syslog server that stores the logs. Enter enable to enable logging to a remote syslog server. Defaults: disable; local7 (see Table 32: Facility types); no default; disable. Availability: All models.
  • Page 357 Log & Report Table 32: Facility types Facility type alert audit auth authpriv clock cron daemon kernel local0 – local7 mail news syslog Example This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. This example shows how to display the log setting for logging to a remote syslog server.
  • Page 358 CLI configuration Log & Report
  • Page 359: Fortiguard Categories

    FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
  • Page 360 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.
  • Page 361 FortiGuard categories Table 33: FortiGuard categories Category name 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25.
  • Page 362 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.
  • Page 363 FortiGuard categories Table 33: FortiGuard categories Category name 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles Description Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
  • Page 364 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, ‘Address Allocation for Private Intranets’. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities.
  • Page 365: Glossary

    VPN peer uses its identity as part of the authentication process. See also main mode. AH, Authentication Header: An IPSec security protocol. Fortinet IPSec uses ESP in tunnel mode, not AH. See ESP. ARP, Address Resolution Protocol: A protocol that resolves a logical IP address to a physical Ethernet address.
  • Page 366 MB, Megabyte: A unit of storage (1 048 576 bytes). MIB, Management Information Base: A database of objects that can be monitored by an SNMP network manager. modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.
  • Page 367 A hardware device that connects computers on the Internet together and routes traffic between them. A router may connect a LAN and/or DMZ to the Internet. routing: The process of determining which path to use for sending packets to a destination.
  • Page 368 VPN devices cannot be intercepted. worm: A harmful program that replicates itself until it fills a computer or network, which can shut the system down.
  • Page 369: Index

    Index abr-type 167 access-list 178 Action, Policy 269 active sessions HA monitor 98 address 200 virtual IP 216 Address Name, Policy 269 administrator account netmask 112, 113 trusted host 113 advertise 174, 188 alert email enabling 347 options 346 anomaly 286 list 286 antivirus 291 antivirus updates 123...
  • Page 370 33 upgrading using the CLI 34, 36 upgrading using the web-based manager 33, 35 Fortilog logging settings 343 fortilog setting 354 Fortinet customer service 24 FortiProtect Distribution Network 120 FortiProtect Distribution Server 120 from IP system status 32...
  • Page 371 gateway 189 Gateway IP 248 Gateway Name 248, 249 HA monitor 97 group ID HA 88 grouping services 211 groups user 241 guaranteed bandwidth 197, 198 HA 86, 87 add a new unit to a functioning cluster 95 cluster ID 97 cluster members 88 configuration 87 configure a FortiGate unit for HA operation 92...
  • Page 372 NTP server 84 setting system date and time 83 one-time schedule creating 213, 214, 215 options changing system options 84 OSPF 166 out-interface 275 override master HA 89 P1 Proposal, Phase 1 251 P2 Proposal, Phase 2 254
  • Page 373 38 rfc1583-compatible 168 Round-Robin HA schedule 90 route 165 routemap 187 router next hop 55 router-id 168 routing configuring 60 policy 147 schedule 213 automatic antivirus and attack definition updates 123 creating one-time 213, 214, 215 creating recurring 215...
  • Page 374 HA 88 up time HA monitor 97 update push 125 upgrade firmware 33 upgrading firmware using the CLI 34, 36 firmware using the web-based manager 33, 35 Uploading a local certificate 266 URL block 314 URL exempt 317
  • Page 375 URL options 315 user groups configuring 241 User-defined signatures 284 user-defined TCP services 208, 209, 210 user-defined UDP services 208, 209, 210 Username 261 virtual domain properties 134 virtual IP 216 dynamic port forwarding 220 port forwarding 217 static NAT 217 virtual-links 165 virus detected HA monitor 98...
  • Page 376 Index
