FortiWiFi 60 Installation and Configuration Guide
Version 2.80 MR8
28 January 2005
01-28008-0030-20050128...
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance: FCC Class A Part 15, CSA/CUS
For technical support, please visit http://www.fortinet.com.
Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Priorities of heartbeat device and monitor priorities
Configuring FortiGate units for HA operation
High availability configuration settings
Configuring FortiGate units for HA using the web-based manager
Configuring FortiGate units for HA using the CLI
01-28008-0030-20050128 Fortinet Inc.
Connecting the cluster to your networks
Installing and configuring the cluster
Configuring the modem interface
Selecting a modem mode
Redundant mode configuration
Standalone mode configuration
Configuring modem settings
Connecting and disconnecting the modem in Standalone mode
Defining a Ping Server ...
The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include: • • The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis.
The saved configuration can be restored at any time.
Figure 1: FortiGate web-based manager and setup wizard
the web-based manager, the command line interface (CLI), or the setup wizard.
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.
VPN.
FortiGate online help: Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
FortiGate CLI Reference Guide
The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time. Fortinet email support is available from the following addresses:...
amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin
apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore,
eu_support@fortinet.com
For information on Fortinet telephone support, see http://support.fortinet.com.
When requesting technical support, please provide the following information: •...
Getting started
This section describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. This section includes:
• Package contents
• Mounting
• Turning the FortiGate unit power on and off
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
Power requirements • • FortiWiFi-60 Antivirus Firewall one orange crossover ethernet cable (Fortinet part number CC300248) one gray regular ethernet cable (Fortinet part number CC300249) null-modem cable (Fortinet part number CC300247) FortiWiFi-60 Quick Start Guide CD containing the FortiGate user documentation...
Environmental specifications
Wireless Connectivity
Basic WiFi installation guidelines
Because the FortiWiFi-60 is a radio device, it is susceptible to common causes of interference that can reduce throughput and range. Follow these basic guidelines to ensure the best possible performance: •...
The FortiGate unit is powered off. Traffic on WAN link. The correct cable is in use and the connected equipment has power. Network activity at this interface. No link established. The interface is connected at 100 Mbps.
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service. To connect to the web-based manager, you need: •...
Type ? to list available commands. For information about how to use the CLI, see the FortiGate CLI Reference Guide.
• a computer with an available communications port,
• the null-modem cable included in your FortiGate package,
• terminal emulation software such as HyperTerminal for Windows.
Quick installation using factory defaults
You can quickly set up your FortiGate unit for a home or small office using the web-based manager and the factory default FortiGate configuration. All you need to do is set your network computers to obtain an IP address automatically and to obtain DNS server IP addresses automatically (using DHCP), access the web-based manager, and configure the required settings for the FortiGate WAN1 interface.
Table 3: FortiGate DHCP Server default configuration
Name, Interface, Default Gateway, IP Range, Network Mask, Lease Duration, DNS Server 1
Factory default NAT/Route mode network configuration
When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to the network.
Table 6: Default firewall configuration
Configuration setting, Name: Firewall policy, Firewall address, Pre-defined service, Recurring schedule, Protection Profiles
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Factory default protection profiles
Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies.
To apply no scanning, blocking or IPS. Use if you do not want to apply content protection to content traffic. You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
NAT/Route mode
In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
You must configure routing to support the redundant WAN1 and WAN2 internet connections.
NAT mode policies controlling traffic between internal and external networks.
[Figure: FortiWiFi-60 Unit in NAT/Route mode. Labels: Internal network, Internal 192.168.1.1, 192.168.1.3]
Figure 8: Example Transparent mode network configuration
You can connect up to four network segments to the FortiGate unit to control traffic between these network segments.
Note: The modem interface is not available in Transparent mode. •...
If you are going to operate the FortiGate unit in Transparent mode, go to “Transparent mode installation”.
If you are going to operate two or more FortiGate units in HA mode, go to “High availability installation”.
Using a wireless network
In a wired network, computers are connected through a series of cables that transfer information. In a wireless network, information is transferred over radio waves. There are factors that affect the transmission of data “on the air” that you must take into account when setting up a wireless network.
[Figure: FortiWiFi-60 network diagram. Labels: Internal Network, DMZ Network, Web Server, Mail Server, WAN2, Broadband (cable or DSL), Internet]
To avoid RF interference:
Using multiple access points
If you cannot avoid some of these impediments due to the shape of the office or building materials used, you may need to use multiple FortiWiFi-60 APs to help distribute the radio signal around the room.
Message Integrity Code (MIC, also known as Michael) is incorporated into each packet. It uses an 8-byte message integrity code that is encrypted using the MAC addresses and data from each frame to provide a more secure packet transmission.
Wireless users should configure their computers to connect to the network that broadcasts this network name. For security reasons, do not leave the default name of “fortinet” as the network name. Broadcasting enables wireless users to find a network. The FortiWiFi-60 unit includes an option not to broadcast the SSID.
[Figure: FortiWiFi-60 network diagram. Labels: WLAN, WAN1, WAN2, Broadband (cable or DSL), Internet, DMZ Network, Web Server, Mail Server]
Figure 12: FortiWiFi-60 in Client mode
Changing the operating mode
To change the wireless operating mode
1. Go to System > Wireless.
2. For the Operation mode, select Change.
3. Select the desired operation mode and select OK.
Setting up the FortiWiFi-60 as an Access Point
This section describes how to quickly configure the FortiWiFi-60 unit as an AP to allow network access for wireless workstations located on the same wireless LAN as the unit.
Set the SSID Broadcast to either enable or disable.
Select a Security Mode.
Note: It is highly recommended you do not select “None”. Selecting None will leave your wireless network prone to hackers.
Enter a key or pre-shared key depending on the Security Mode selected.
Select the MAC Filter tab.
Enable MAC filtering if desired.
Enter the MAC addresses and select to Add or Deny them from the wireless network.
Note: You will need to distribute the information entered in step 2 and step 5 to the wireless users so they can connect to the wireless network.
NAT/Route mode installation
This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see mode installation” on page units in HA mode, see about installing the FortiGate unit in NAT/Route mode, see configuration”...
The default gateway directs all non-local traffic to this interface and to the external network.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
Using the web-based manager
You can use the web-based manager for the initial configuration of the FortiGate unit. You can also continue to use the web-based manager for all FortiGate unit settings. For information about connecting to the web-based manager, see web-based manager”...
“Connecting to the command line
Table 7 on page 42 to complete the following

    config system admin
    edit admin
    set password <psswrd>
    end

Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 7 on page 42. Enter:
Example
Set the IP address and netmask of the WAN1 interface to the IP address and netmask that you recorded in
To set the static IP address and netmask, enter:
Example
To set the WAN1 interface to use DHCP, enter:
To set the WAN1 interface to use PPPoE, enter:
Use the same syntax to set the IP address of each FortiGate interface as required.
Set the default route to the Default Gateway IP address. Enter:

    config router static
    edit 1
    set dst 0.0.0.0 0.0.0.0
    set gateway <gateway_IP>
    set device <interface>
    end

For example, with the gateway 204.23.1.2 reached through wan1:

    config router static
    edit 1
    set dst 0.0.0.0 0.0.0.0
    set gateway 204.23.1.2
    set device wan1
    end
Using the setup wizard
From the web-based manager, you can use the setup wizard to complete the initial configuration of the FortiGate unit. For information about connecting to the web-based manager, see If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), you can use the setup wizard to: •...
Create a protection profile that enables virus scanning for HTTP, FTP, IMAP, POP3, and SMTP (recommended). Add this protection profile to a default firewall policy.
Do not configure antivirus protection.
to fill in the wizard fields.
The following network connections are available on the FortiGate-60 unit:
Note: You can also connect the WAN1 and WAN2 interfaces to different Internet connections to provide a redundant connection to the Internet.
To connect the FortiGate unit:
Connect the Internal interface connectors to PCs and other network devices in your internal network.
For the external network, route all packets to the FortiGate WAN1 or WAN2 interface.
[Figure: NAT/Route mode network diagram. Labels: Internal, WAN2, Broadband (cable or DSL), Internet, DMZ Network, Web Server, Mail Server]
Configuring the Modem interface
In NAT/Route mode, you use the modem interface as either a redundant interface or standalone interface to the Internet.
When connecting to the ISP, in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
Transparent mode installation
This chapter describes how to install a FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see page availability installation” on page unit in Transparent mode, see This chapter describes: •...
FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
To configure DNS server settings
1. Go to System > Network > DNS.
2. Enter the IP address of the primary DNS server.
3. Enter the IP address of the secondary DNS server.
4. Select OK.
To configure the default gateway
Go to System >...
    config system dns
    set primary <address_ip>
    set secondary <address_ip>
    end

    config system dns
    set primary 293.44.75.21
    set secondary 293.44.75.22
    end

    config router static
    edit 1
    set dst 0.0.0.0 0.0.0.0
    set gateway <address_gateway>
    set device <interface>
    end
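The DNS and default-route commands above use a config / edit / set / end block layout. The following added example (not part of the Fortinet guide) parses such blocks and validates the address values before they are pasted into the CLI; it also shows that the guide's sample DNS addresses 293.44.75.21 and 293.44.75.22 are not valid IPv4 addresses (the first octet exceeds 255), so they have to be replaced with real server addresses. The function names and the set of checked settings are assumptions of this example.

```python
import ipaddress

# Constructed input: the guide's sample DNS and default-route commands, with "end" added.
SAMPLE = """\
config system dns
set primary 293.44.75.21
set secondary 293.44.75.22
end
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 204.23.1.2
set device wan1
end
"""

ADDRESS_KEYS = {"primary", "secondary", "gateway"}  # values must be one IPv4 address

def parse_blocks(text):
    """Parse config/edit/set/end lines into (location, key, values, line_no)."""
    settings, path, entry = [], None, None
    for line_no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        verb = words[0]
        if verb == "config" and len(words) > 1:
            path, entry = " ".join(words[1:]), None
        elif verb == "edit" and path and len(words) == 2:
            entry = words[1]
        elif verb == "end" and path:
            path, entry = None, None
        elif verb == "set" and path and len(words) >= 3:
            where = f"{path} [{entry}]" if entry else path
            settings.append((where, words[1], words[2:], line_no))
        else:
            raise ValueError(f"line {line_no}: unexpected command {raw!r}")
    if path is not None:
        raise ValueError(f"'config {path}' is not closed with 'end'")
    return settings

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False

def is_netmask(value):
    if not is_ipv4(value):
        return False
    inverted = int(ipaddress.IPv4Address(value)) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0  # true only for contiguous masks

def check(text):
    """Return a list of problems found in the address settings."""
    problems = []
    for where, key, values, line_no in parse_blocks(text):
        ok = True
        if key in ADDRESS_KEYS:
            ok = len(values) == 1 and is_ipv4(values[0])
        elif key == "dst":
            ok = len(values) == 2 and is_ipv4(values[0]) and is_netmask(values[1])
        if not ok:
            problems.append(f"line {line_no}: {where}: bad {key} value: {' '.join(values)}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)))
```

Unfilled placeholders such as <gateway_IP> are reported the same way, since they are not IPv4 addresses either.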
Example
If the default gateway IP is 204.23.1.2 and this gateway is connected to port 2:
Using the setup wizard
From the web-based manager, you can use the setup wizard to begin the initial configuration of the FortiGate unit. For information about connecting to the web-based manager, see The first time you connect to the FortiGate unit, it is configured to run in NAT/Route mode.
[Figure: Transparent mode network diagram. Labels: Internal Network, Other Network, Internal, DMZ, Hub or Switch, WAN1, Public Switch or Router, Internet]
After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
FDN. Select Scheduled Update and configure a schedule for receiving antivirus and attack definition updates. Select Apply. You can also select Update Now to receive the latest virus and attack definition updates.
High availability installation
This chapter describes how to install two or more FortiGate units in an HA cluster. HA installation involves three basic steps:
For information about HA, see the FortiGate Administration Guide and the FortiOS High Availability technical note.
Priorities of heartbeat device and monitor priorities
The procedures in this chapter do not include steps for changing the priorities of heartbeat devices or for configuring monitor priorities settings.
FortiGate unit with the highest serial number becomes the primary cluster unit. You can configure a FortiGate unit to always become the primary unit in the cluster by giving it a high priority and by selecting Override master.
Table 11: High availability settings (Continued)
Schedule
Configuring FortiGate units for HA using the web-based manager
Use the following procedure to configure each FortiGate unit for HA operation.
To change the FortiGate unit host name
Changing the host name is optional, but you can use host names to identify individual cluster units.
“Connecting the cluster to your networks”
“Connecting to the command line interface (CLI)”
Connect to the CLI.
Change the host name.

    config system global
    set hostname <name_str>
    end
You must connect all matching interfaces in the cluster to the same hub or switch. Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance.
[Figure: network diagram. Labels: Hub or Switch, Internal, WAN1, Internet, Router]
Power on all the FortiGate units in the cluster.
As the units start, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention and normally just takes a few seconds.
Installing and configuring the cluster
When negotiation is complete, you can configure the cluster as if it was a single FortiGate unit.
Configuring the modem interface
The FortiWiFi-60 includes the option of an external modem for use as either a redundant interface or a standalone interface in NAT/Route mode.
When connecting to an ISP in either configuration, the modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
Go to System > Network > Modem.
From the Redundant for list, select the ethernet interface that the modem is replacing.
“Defining a Ping Server”
“Adding firewall policies for modem connections”
Configure other modem settings as required.
Make sure there is correct information in one or more Dialup Accounts.
Configure firewall policies for connections to the modem interface.
Select Dial Up.
The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP.
The user name (maximum 63 characters) sent to the ISP.
The password sent to the ISP.
Select Dial Now.
The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP.
Modem status is one of the following: not active, active.
A green check mark indicates the active dialup account.
The IP address and netmask assigned to the modem interface appear on the System Network Interface page of the web-based manager.
You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information about adding firewall policies, see the FortiGate Administration Guide.