Fortinet FortiWiFi FortiWiFi-60 Administration Manual

Antivirus firewalls

Administration Guide
FortiWiFi 60
FortiWiFi-60 Administration Guide
Version 2.80 MR6
5 November 2004
01-28006-0014-20041105


Summary of Contents for Fortinet FortiWiFi FortiWiFi-60

  • Page 1 Administration Guide FortiWiFi 60 FortiWiFi-60 Administration Guide Version 2.80 MR6 5 November 2004 01-28006-0014-20041105...
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    High availability ... 18 Secure installation, configuration, and management ... 19 Document conventions ... 20 FortiWiFi documentation ... 22 Comments on Fortinet technical documentation... 22 Related documentation ... 22 FortiManager documentation ... 23 FortiClient documentation ... 23 FortiMail documentation... 23 FortiLog documentation ...
  • Page 4 DHCP server settings ... 82 Exclude range ... 83 DHCP exclude range settings... 84 IP/MAC binding ... 84 DHCP IP/MAC binding settings ... 85 Dynamic IP... 85 System config ... 87 System time ... 87 Options... 88 01-28006-0014-20041105 Fortinet Inc.
  • Page 5 SNMP... 103 Configuring SNMP ... 104 SNMP community ... 105 FortiWiFi MIBs ... 107 FortiWiFi traps... 108 Fortinet MIB fields ... 109 Replacement messages ... 112 Replacement messages list ... 112 Changing replacement messages ... 113 FortiManager... 114 System administration ... 115 Administrators ...
  • Page 6 Monitor ... 168 Routing monitor list ... 168 CLI configuration... 169 get router info ospf ... 169 get router info protocols ... 169 get router info rip... 170 config router ospf ... 170 config router static6... 193
  • Page 7 Firewall... 195 Policy ... 196 How policy matching works... 196 Policy list ... 197 Policy options... 198 Advanced policy options ... 200 Configuring firewall policies ... 202 Policy CLI configuration ... 203 Address... 204 Address list ... 205 Address options ... 205 Configuring addresses ...
  • Page 8 Phase 2 basic settings ... 257 Phase 2 advanced options... 258 Manual key... 259 Manual key list ... 260 Manual key options ... 260 Concentrator ... 261 Concentrator list... 261 Concentrator options... 262 Ping Generator... 262 Ping generator options... 263
  • Page 9 Monitor ... 263 Dialup monitor... 264 Static IP and dynamic DNS monitor... 264 PPTP... 265 Setting up a PPTP-based VPN ... 265 Enabling PPTP and specifying a PPTP range ... 266 Configuring a Windows 2000 client for PPTP ... 267 Configuring a Windows XP client for PPTP ...
  • Page 10 321 service pop3... 322 service imap... 323 service smtp... 324 Web filter... 327 Content block ... 328 Web content block list ... 329 Web content block options... 329 Configuring the web content block list ... 330
  • Page 11 URL block ... 330 Web URL block list... 331 Web URL block options ... 331 Configuring the web URL block list ... 331 Web pattern block list... 332 Web pattern block options ... 333 Configuring web pattern block ... 333 URL exempt ...
  • Page 12 Log access... 365 Viewing log messages ... 365 Searching log messages... 367 CLI configuration... 368 fortilog setting... 368 syslogd setting ... 369 FortiGuard categories ... 373 FortiGate maximum values ... 379 Glossary ... 383 Index ... 387
  • Page 13: Introduction

    The FortiWiFi Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
  • Page 14: Antivirus Protection

    The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.
  • Page 15: Web Content Filtering

    ICSA Labs has certified that FortiWiFi Antivirus Firewalls: … Web content filtering: FortiWiFi web content filtering can scan all HTTP content protocol streams for URLs, URL patterns, and web page content. If a URL matches an entry on the URL block list, or a web page contains a word or phrase that is on the content block list, the FortiWiFi unit blocks the web page.
  • Page 16: Transparent Mode

    NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network. Route mode policies accept or deny connections between networks without performing address translation.
  • Page 17: Vlans And Virtual Domains

    FortiWiFi Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiWiFi unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiWiFi unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain.
  • Page 18: High Availability

    Fortinet achieves high availability (HA) using redundant hardware and the FortiWiFi Clustering Protocol (FGCP). Each FortiWiFi unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiWiFi units to an HA cluster.
  • Page 19: Secure Installation, Configuration, And Management

    Active-active (A-A) HA load balances virus scanning among all the FortiWiFi units in the cluster. An active-active HA cluster consists of a primary FortiWiFi unit that processes traffic and one or more secondary units that also process traffic. The primary FortiWiFi unit uses a load balancing algorithm to distribute virus scanning to all the FortiWiFi units in the HA cluster.
  • Page 20: Document Conventions

    <xxx_ipv4> indicates a dotted decimal IPv4 address. <xxx_v4mask> indicates a dotted decimal IPv4 netmask. <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask. <xxx_ipv6> indicates a dotted decimal IPv6 address. <xxx_v6mask> indicates a dotted decimal IPv6 netmask.
  • Page 21 <xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted decimal IPv6 netmask. A vertical bar and curly brackets {|} separate alternative, mutually exclusive required keywords. For example: set opmode {nat | transparent} You can enter set opmode nat or set opmode transparent.
  • Page 22: Fortiwifi Documentation

    Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. Related documentation Additional information about Fortinet products is available from the following related documentation. FortiWiFi QuickStart Guide Provides basic information about connecting and installing a FortiWiFi unit.
  • Page 23: Fortimanager Documentation

    FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings. FortiManager System Administration Guide: Describes how to use the FortiManager System to manage FortiGate devices.
  • Page 24: Customer Service And Technical Support

    Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
  • Page 25: System Status

    You can connect to the web-based manager and view the current system status of the FortiWiFi unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: ...
  • Page 26: Status

    Select to set the selected automatic refresh interval. Select to manually update the system status display. The time in days, hours, and minutes since the FortiWiFi unit was last started. The current time according to the FortiWiFi unit internal clock.
  • Page 27: Unit Information

    Log Disk, Notification, Unit Information. Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see … Fields: Host Name; Firmware Version; Antivirus Definitions (the currently installed version of the FortiWiFi Antivirus Definitions); Attack Definitions; Serial Number; Operation Mode...
  • Page 28 The time at which the recent intrusion was detected. The source and destination addresses of the attack. The service from which the attack was delivered: HTTP, FTP, IMAP, POP3, or SMTP. The name of the attack.
  • Page 29: Changing Unit Information

    Note: For information about configuring the FortiWiFi unit for automatic antivirus definitions updates, see … Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 30 Note: For information about configuring the FortiWiFi unit for automatic attack definitions updates, see … Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 31: Session List

    In the Operation Mode field, select NAT/Route. Select OK. The FortiWiFi unit changes operation mode. To reconnect to the web-based manager, you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal interface. The default internal interface IP address is 192.168.1.99.
  • Page 32: Changing The Fortiwifi Firmware

    FortiWiFi administrators whose access profiles contain system configuration read and write privileges and the FortiWiFi admin user can change the FortiWiFi firmware. After you download a FortiWiFi firmware image from Fortinet, you can use the procedures listed in Table 1: Firmware upgrade procedures...
  • Page 33 To upgrade the firmware using the web-based manager: Copy the firmware image file to your management computer. Log into the web-based manager as the admin administrative user. Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
  • Page 34: Reverting To A Previous Firmware Version

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
  • Page 35: Backup Config

    To revert to a previous firmware version using the web-based manager: Copy the firmware image file to the management computer. Log into the FortiWiFi web-based manager. Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
  • Page 36 Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
  • Page 37: Installing Firmware Images From A System Reboot Using The Cli

    To confirm that the new firmware image has been loaded, enter: get system status To restore your previous configuration if needed, use the command: execute restore config <name_str> <tftp_ipv4> Update antivirus and attack definitions (for information, see …). From the CLI, enter: execute update_now Installing firmware images from a system reboot using the CLI: This procedure installs a specified firmware image and resets the FortiWiFi unit to...
  • Page 38 [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H:
  • Page 39: Restoring The Previous Configuration

    Type an IP address that the FortiWiFi unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
  • Page 40: Testing A New Firmware Image Before Installing It

    The TFTP server should be on the same subnet as the internal interface. FortiWiFi unit running v2.x BIOS: Press Any Key To Download Boot Image. FortiWiFi unit running v3.x BIOS: Press any key to display configuration menu...
  • Page 41 If you successfully interrupt the startup process, one of the following messages appears: … Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiWiFi unit to connect to the FTP...
  • Page 43: System Network

    System network settings control how the FortiWiFi unit connects to and interacts with your network. Basic network settings start with configuring FortiWiFi interfaces to connect to your network and configuring the FortiWiFi DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiWiFi network configuration.
  • Page 44: Interface Settings

    Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 50 and “To start up an interface that is administratively down”. Delete, edit, and view icons.
  • Page 45 Figure 6: Interface settings. See the following procedures for configuring interfaces: … Name: The name of the interface. Interface: Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
  • Page 46 The interface retrieves an IP address, netmask, and other settings from the DHCP server. failed: The interface was unable to retrieve an IP address and other information from the DHCP server. See “System virtual domain” on page 137.
  • Page 47 PPPoE: If you configure the interface to use PPPoE, the FortiWiFi unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiWiFi unit offline and you do not want the FortiWiFi unit to send the PPPoE request.
  • Page 48 See “Configuring SNMP” on page 104. TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party. See “To add or edit a static route” on page 150.
  • Page 49: Configuring Interfaces

    To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiWiFi unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiWiFi unit and the destination of the packets.
  • Page 50 You cannot add an interface to a zone if you have added firewall policies for the interface (see “To add a zone” on page 54). You cannot add an interface to a virtual … (see “To add a virtual domain” on page 141).
  • Page 51 Set Addressing Mode to Manual. Change the IP address and Netmask as required. Select OK to save your changes. If you changed the IP address of the interface to which you are connecting to manage the FortiWiFi unit, you must reconnect to the web-based manager using the new interface IP address.
  • Page 52 To control administrative access to an interface: For a FortiWiFi unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiWiFi unit and the FortiWiFi interfaces to which administrators can connect.
  • Page 53: Zone

    Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiWiFi unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiWiFi unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration.
  • Page 54: Zone Settings

    Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. Enter the name to identify the zone. Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
  • Page 55: Management

    Select the Block intra-zone traffic check box if you want to block traffic between interfaces or VLAN subinterfaces in the same zone. Select the names of the interfaces or VLAN subinterfaces to add to the zone. Select OK. To delete a zone: You can only delete zones that have the Delete icon beside them in the zone list.
  • Page 56: Dns

    … FortiWiFi unit from. Enter the default gateway address; this must be a valid IP address. Select the virtual domain from which you want to perform system management.
  • Page 57: Routing Table (Transparent Mode)

    You can configure primary and secondary DNS server addresses, or you can configure the FortiWiFi unit to obtain DNS server addresses automatically. To obtain addresses automatically, at least one interface must use the DHCP or PPPoE addressing mode. If you enable DNS Forwarding on an interface, hosts on the attached network can use the interface IP address as their DNS server.
  • Page 58: Transparent Mode Route Settings

    Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic. The relative preference of this route; 1 is most preferred.
  • Page 59: Configuring The Modem Interface

    You can connect a modem to the FortiWiFi unit and use it as either a backup interface or standalone interface in NAT/Route mode. … When connecting to the ISP, in either configuration, the FortiWiFi unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
  • Page 60: Configuring Modem Settings

    The user name (maximum 63 characters) sent to the ISP. The password sent to the ISP.
  • Page 61: Connecting And Disconnecting The Modem

    To configure modem settings: You can configure and use the modem in NAT/Route mode only. Go to System > Network > Modem. Select Enable USB Modem. Change any of the following dialup connection settings: Enter the following Dialup Account 1 settings: If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.
  • Page 62: Standalone Mode Configuration

    From the Redundant for list, select the ethernet interface that the modem is replacing. See “Configuring modem settings” on page 60, “To add a ping server to an interface”, and “Adding firewall policies for modem connections” on page 63.
  • Page 63: Adding Firewall Policies For Modem Connections

    Configure other modem settings as required. Make sure there is correct information in one or more Dialup Accounts. Select Dial Up. The FortiWiFi unit initiates dialing into each dialup account in turn until the modem connects to an ISP. Configure firewall policies for connections to the modem interface.
  • Page 64: Fortiwifi Units And Vlans

    … VLAN packets and forward untagged packets to other networks, such as the Internet. (Figure: a VLAN switch or router carries a VLAN trunk to a firewall or router, which connects the VLAN 1 and VLAN 2 networks and forwards untagged packets to the Internet.)
  • Page 65: Rules For Vlan Ids

    In NAT/Route mode, the FortiWiFi units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiWiFi unit. Normally the FortiWiFi unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged.
  • Page 66: Adding Vlan Subinterfaces

    See “System virtual domain” on page 137 for information about virtual domains, “Zone” on page 53 for information about zones, and “Interface settings” on page 44. (Figure: a FortiGate unit with Internal and External interfaces; an 802.1Q trunk to switch port Fa0/24; example addresses 10.1.2.0, 10.1.2.2, 192.168.110.126 and 172.16.21.2 toward the Internet.)
  • Page 67: Vlans In Transparent Mode

    To add firewall policies for VLAN subinterfaces: Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface. Go to Firewall > Address. Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
  • Page 68 Figure 19 shows a FortiGate unit operating in Transparent mode and configured with … (Figure: the External interface, a root virtual domain carrying VLAN1 and VLAN2, a new virtual domain carrying VLAN2 and VLAN3, a VLAN trunk to a VLAN switch, and the Internet or router.)
  • Page 69: Rules For Vlan Ids

    Figure 19: FortiGate unit in Transparent mode. Rules for VLAN IDs: In Transparent mode two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID.
  • Page 70: Transparent Mode Vlan List

    Delete icon. Select to delete a VLAN subinterface. View/Edit icon. Select to view or edit an interface or VLAN subinterface. See “Interface settings” on page 44 for descriptions of all VLAN settings.
  • Page 71 To add a VLAN subinterface in Transparent mode: The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096.
  • Page 72: Fortiwifi Ipv6 Support

    Table 2: IPv6 CLI commands. Interface configuration, including periodic router advertisements: config system interface (see the keywords beginning with “ip6”). Static routing: config ip6-prefix-list, config router static6. IPv6 tunneling: config system ipv6_tunnel.
  • Page 73: System Wireless

    You can configure the FortiWiFi-60 WLAN interface so that users with wireless network cards can connect to this interface. From this wireless network, users can connect through the FortiWiFi-60 unit to the Internet or to internal or DMZ networks. The FortiWiFi-60 supports the following wireless network standards: ...
  • Page 74 … Send (CTS) acknowledgement from another wireless device. Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference.
  • Page 75 Table 3: IEEE 802.11b (2.4-GHz Band) channel numbers. Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.
  • Page 76 Select Apply. To configure advanced wireless settings: Go to System > Wireless > Settings. Select Advanced. Change settings if needed to address performance problems. Default values should work well for most situations. Select Apply.
  • Page 77: Wireless Mac Filter

    Go to System > Wireless > MAC Filter to allow or deny wireless access to users based on their MAC address. Figure 23: Wireless MAC Filter (fields: Access for PCs not listed below, MAC Address, Allow List, Deny List). To configure the wireless MAC filter...
  • Page 79: System Dhcp

    You can configure DHCP server or DHCP relay agent functionality on any FortiWiFi interface or VLAN subinterface. A FortiWiFi interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time. Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiWiFi unit must be in NAT/Route mode and the interface must have a static IP address.
  • Page 80: Dhcp Service Settings

    Select DHCP Server if you want the FortiWiFi unit to be the DHCP server. See “To configure an interface to be a DHCP server” on page 81 and “To configure an interface as a …”.
  • Page 81: Server

    Set type to Regular. Enter the DHCP Server IP address. Select OK. To configure an interface to be a DHCP server: You can configure a DHCP server for any FortiWiFi interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface.
  • Page 82: Dhcp Server Settings

    For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. … (see “To configure an interface to be a DHCP server” on page 81), you must configure a DHCP server for …
  • Page 83: Exclude Range

    Add a name for the DHCP server. Select the interface. Configure the DHCP server. The IP range must match the subnet address of the network from which the DHCP request was received. Usually this would be the subnet connected to the interface for which you are adding the DHCP server.
  • Page 84: Dhcp Exclude Range Settings

    The IP address for the IP and MAC address pair. The IP address must be within the configured IP range. Delete icon. Delete an IP/MAC binding pair. Edit/View icon. View or modify an IP/MAC binding pair.
  • Page 85: Dhcp Ip/Mac Binding Settings

    Figure 31: IP/MAC binding options (Name, IP Address, MAC Address). To add a DHCP IP/MAC binding pair: Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
  • Page 86: Dynamic IP
  • Page 87: System Config

    Use the System Config page to make any of the following changes to the FortiWiFi system configuration: … System time: Go to System > Config > Time to set the FortiWiFi system time. For effective scheduling and logging, the FortiWiFi system time must be accurate.
  • Page 88: Options

    … NTP server. A typical Syn Interval would be 1440 minutes, for the FortiWiFi unit to synchronize its time once a day. Options: timeout settings, including the idle timeout and authentication timeout; the language displayed by the web-based manager; dead gateway detection interval and failover detection.
  • Page 89 Figure 33: System config options (Idle Timeout, Auth Timeout, Language, Detection Interval, Fail-over Detection). Fail-over Detection: Set the ping server dead gateway detection failover number. To set the system idle timeout: Go to System > Config > Options. For Idle Timeout, type a number in minutes.
  • Page 90 FortiWiFi unit assumes that the gateway is no longer functioning. Select Apply. Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiWiFi unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiWiFi units to an HA cluster.
  • Page 91: Ha Configuration

    An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiWiFi unit that processes traffic, and one or more subordinate FortiWiFi units. The subordinate FortiWiFi units are connected to the network and to the primary FortiWiFi unit but do not process traffic.
  • Page 92 All other FortiWiFi units in the cluster passively monitor the cluster status and remain synchronized with the primary FortiWiFi unit. Table 5 lists the virtual MAC addresses: 00-09-0f-06-ff-00, 00-09-0f-06-ff-01, 00-09-0f-06-ff-02, 00-09-0f-06-ff-03, … 00-09-0f-06-ff-3f.
  • Page 93 Unit Priority: Optionally set the unit priority of the cluster unit. Each cluster unit can have a different unit priority (the unit priority is not synchronized among cluster members). During HA negotiation, the unit with the highest unit priority becomes the primary cluster unit. The unit priority range is 0 to 255.
  • Page 94 Load balancing according to IP address and port: If the cluster units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.
  • Page 95 System config You can enable heartbeat communications for physical interfaces, but not for VLAN subinterfaces. Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails, the HA heartbeat can be diverted to another interface. HA heartbeat traffic can use a considerable amount of network bandwidth. If possible, enable HA heartbeat traffic on interfaces only used for HA heartbeat traffic or on interfaces connected to less busy networks.
  • Page 96: Configuring An Ha Cluster

    Procedures in this section: To configure a FortiWiFi unit for HA operation; To connect a FortiWiFi HA cluster; To add a new unit to a functioning cluster; To configure weighted-round-robin weights. See also “Override Master” on page 93.
  • Page 97 System config Note: The following procedure does not include steps for configuring interface heartbeat devices and interface monitoring. Both of these HA settings should be configured after the cluster is up and running. Power on the FortiWiFi unit to be configured. Connect to the web-based manager.
  • Page 98 Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. The FortiWiFi units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status.
  • Page 99 System config Figure 35: HA network configuration Power on all the FortiWiFi units in the cluster. As the units start, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention and normally just takes a few seconds.
  • Page 100: Managing An Ha Cluster

    The next three connections are processed by the first subordinate unit (priority 1, weight 3). The next three connections are processed by the second subordinate unit (priority 2, weight 3). See “FortiWiFi HA traps” and the HA MIB fields (“Fortinet MIB fields” on page 109).
• Page 101 System config You can use the web-based manager to monitor the status and logs of individual cluster members. See “To view and manage logs for individual cluster units”. You can manage individual cluster units by using SSH to connect to the CLI of the cluster.
• Page 102 Cluster Members list. The host name and serial number of the primary cluster unit changes. The new primary unit logs the following messages to the event log: “HA slave became master” and “Detected HA member dead”.
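The HA behaviour described on pages 93 to 100 (election by unit priority, the virtual MAC range of Table 5, and weighted round-robin distribution of new connections) as an added, runnable model. This is example code written for this page, not FortiWiFi firmware or FGCP itself; the tie-break on serial number for equal priorities is an assumption, since the page does not describe how FGCP resolves ties.

```python
"""Worked model of the HA behaviours this chapter describes.

Added example, not FortiWiFi firmware code. It simulates three things the
text states: the primary unit is the member with the highest unit priority
(priority is per unit and not synchronized), cluster interfaces use the
virtual MAC range 00-09-0f-06-ff-00 .. 00-09-0f-06-ff-3f from Table 5, and
weighted round robin hands each member `weight` consecutive new connections
in turn (primary first, then the subordinates in member order).
Assumption made here: a tie on unit priority is broken by the higher serial
number; the page does not describe FGCP's tie-break.
"""
from dataclasses import dataclass
from itertools import cycle

VMAC_PREFIX = "00-09-0f-06-ff-"   # first five octets of the Table 5 range


@dataclass
class ClusterUnit:
    serial: str
    priority: int = 128   # unit priority, 0..255, set per unit
    weight: int = 1       # weighted round-robin weight (A-A clusters)

    def __post_init__(self):
        if not 0 <= self.priority <= 255:
            raise ValueError("unit priority must be 0..255")
        if self.weight < 1:
            raise ValueError("weight must be positive")


def elect_primary(units):
    """Return the member that wins HA negotiation: highest unit priority."""
    if not units:
        raise ValueError("empty cluster")
    return max(units, key=lambda u: (u.priority, u.serial))


def priority_findings(units):
    """Operational check: members sharing a priority make the election
    depend on the tie-break rather than on an explicit choice."""
    seen = {}
    for u in units:
        seen.setdefault(u.priority, []).append(u.serial)
    return {p: s for p, s in seen.items() if len(s) > 1}


def virtual_mac(index):
    """Virtual MAC for cluster interface number `index` (0..0x3f)."""
    if not 0 <= index <= 0x3F:
        raise ValueError("Table 5 lists 64 virtual MACs, 00 to 3f")
    return f"{VMAC_PREFIX}{index:02x}"


def weighted_round_robin(units, n_connections):
    """Serials of the members that process the next `n_connections`.

    Member order is primary first, then the remaining units in the order
    given (their cluster member index). Each member takes `weight`
    consecutive connections, e.g. weights 1,3,3 give P,S1,S1,S1,S2,S2,S2.
    """
    primary = elect_primary(units)
    order = [primary] + [u for u in units if u is not primary]
    schedule = [u.serial for u in order for _ in range(u.weight)]
    it = cycle(schedule)
    return [next(it) for _ in range(n_connections)]


if __name__ == "__main__":
    # constructed sample cluster: serials are placeholders
    cluster = [ClusterUnit("FWF60-A", 200, 1),
               ClusterUnit("FWF60-B", 128, 3),
               ClusterUnit("FWF60-C", 128, 3)]
    print("primary:", elect_primary(cluster).serial)
    print("duplicate priorities:", priority_findings(cluster))
    print("vMACs:", [virtual_mac(i) for i in range(4)], "...", virtual_mac(0x3F))
    print(weighted_round_robin(cluster, 9))
```

Because unit priority is not synchronized, `priority_findings` is the check worth running after adding a unit to a working cluster: two members left at the same priority will fail over in an order you did not choose.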
  • Page 103: Snmp

    FortiWiFi system information and can receive FortiWiFi traps. To monitor FortiWiFi system information and receive FortiWiFi traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager.
  • Page 104: Configuring Snmp

    Sections: Configuring SNMP; SNMP community; FortiWiFi MIBs; FortiWiFi traps; Fortinet MIB fields. SNMP agent: Enable the FortiWiFi SNMP agent. Description: Enter descriptive information about the FortiWiFi unit; the description can be up to 35 characters long. Location: Enter the physical location of the FortiWiFi unit; the system location description can be up to 35 characters long.
  • Page 105: Snmp Community

    System config SNMP community An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiWiFi unit to view system information and receive SNMP traps. You can add up to three SNMP communities.
• Page 106 Select the Enable check box to activate traps for each SNMP version. Enable each SNMP event for which the FortiWiFi unit should send traps to the SNMP managers in this community.
  • Page 107: Fortiwifi Mibs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 108: Fortiwifi Traps

    The FortiWiFi agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the trap message as well as the FortiWiFi unit serial number.
  • Page 109: Fortinet Mib Fields

    The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
• Page 110 ...: The number of attacks detected by the IPS running on the FortiWiFi unit in the last 20 hours. avCount: The number of viruses detected by the antivirus system running on the FortiWiFi unit in the last 20 hours.
• Page 111 System config. Table 18: Administrator accounts MIB fields: index, name, addr, mask, perm. Table 19: Local users MIB fields: index, name, auth, state. Table 20: Virtual domains MIB fields: index, name, auth, state. Table 21: Active IP sessions MIB fields: index, proto, fromAddr, ...
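What an SNMP manager actually sends when it polls one of the MIB fields above, as an added example (not Fortinet code and not taken from fortinet.2.80.mib): a hand-rolled BER encoder and decoder for an SNMPv2c GetRequest. It exists to make the community-string caveat concrete. In SNMPv1 and v2c the community is the only credential and every packet carries it in clear text, which is why the communities configured on page 105 and the manager addresses allowed to use them deserve password-grade handling. The OID used is built under Fortinet's IANA enterprise number 12356 (from the public registry, not from this page); its trailing arcs are a placeholder, since the real per-field OIDs live in the MIB file.

```python
"""SNMPv2c GetRequest on the wire, encoded and decoded by hand (raw BER).

Added example, not Fortinet code. It builds the packet an SNMP manager sends
when it polls one MIB field from the FortiWiFi agent and parses it back, to
make one point concrete: in SNMPv1/v2c the community string is the only
credential and it travels in clear text in every packet.
The OID below hangs off Fortinet's IANA enterprise number 12356 (public
registry, not this page); the trailing arcs are a placeholder.
"""


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_int(v):
    """ASN.1 INTEGER, minimal two's-complement body."""
    if v == 0:
        return _tlv(0x02, b"\x00")
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(oid):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] >= 40:
        raise ValueError("invalid OID")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_get_request(community, oid, request_id=1):
    """SNMPv2c message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")          # { oid, NULL }
    pdu = _tlv(0xA0, encode_int(request_id) + encode_int(0)      # error-status
               + encode_int(0) + _tlv(0x30, varbind))           # error-index, varbinds
    return _tlv(0x30, encode_int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_get_request(msg):
    """Return (version, community, request_id, [oids]); community is plain text."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    ptag, pdu, _ = _read_tlv(body, pos)
    if ptag != 0xA0:
        raise ValueError("not a GetRequest")
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)       # error-status
    _, _, p = _read_tlv(pdu, p)       # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return int.from_bytes(ver, "big"), comm.decode(), int.from_bytes(rid, "big"), oids


def community_exposed(msg, community):
    """True when the community string can be read straight out of the datagram."""
    return community.encode() in msg


if __name__ == "__main__":
    pkt = encode_get_request("public", "1.3.6.1.4.1.12356.1.1.0", 42)
    print(pkt.hex())
    print(parse_get_request(pkt), community_exposed(pkt, "public"))
```

`community_exposed` is the whole argument in one line: anyone on the path between manager and FortiWiFi unit can lift the community and reuse it, so each community should be restricted to the manager addresses that need it and never left at a guessable default.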
  • Page 112: Replacement Messages

    Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiWiFi unit. Edit/View icon: Select to change a replacement message.
  • Page 113: Changing Replacement Messages

    System config Changing replacement messages. Figure 41: Sample HTTP virus replacement message. Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
  • Page 114: Fortimanager

    The name of the web filtering service. The name of the content category of the web site. The Fortinet logo. FortiManager settings: ... and a FortiManager Server. The remote ID of the FortiManager IPSec tunnel. The IP Address of the FortiManager Server.
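Tag substitution for the replacement messages of pages 112 to 114, as an added example that is not FortiWiFi code. The `%%NAME%%` tag syntax and the tag names used (`URL`, `SERVICE`, `CATEGORY`) are assumptions for the example; the page only says that tags are replaced with content relevant to the message and names the web filtering service, the content category and the logo among that content. The caveat it illustrates: some substituted content, such as the blocked URL, originates from the client, so an HTML message has to escape it or a crafted request puts attacker-controlled markup into the block page served back to users.

```python
"""Replacement-message tag substitution, text vs. HTML.

Added example, not FortiWiFi code. The %%NAME%% tag syntax and the tag names
are assumptions for this example. The point shown: content such as the
requested URL originates from the client, so an HTML message must escape it.
"""
import html
import re

TAG = re.compile(r"%%([A-Z_]+)%%")   # assumed tag syntax


def render(template, values, is_html):
    """Replace known tags; escape substituted values in HTML messages."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)          # unknown tag is left untouched
        value = str(values[name])
        return html.escape(value, quote=True) if is_html else value
    return TAG.sub(substitute, template)


def render_raw(template, values):
    """The unsafe variant: tags replaced verbatim, even in HTML messages."""
    return TAG.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


if __name__ == "__main__":
    # constructed sample: a block page for a URL crafted to inject markup
    page = "<h2>Blocked</h2><p>%%URL%% was blocked by %%SERVICE%% (%%CATEGORY%%).</p>"
    ctx = {"URL": "http://example.test/<script>alert(1)</script>",
           "SERVICE": "webfilter", "CATEGORY": "Malware"}
    print(render_raw(page, ctx))
    print(render(page, ctx, is_html=True))
```

When editing an HTML replacement message on the unit, the same rule applies in reverse: markup you add around a tag is trusted, the tag's value is not.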
  • Page 115: System Administration

    System administration When the FortiWiFi unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiWiFi unit.
  • Page 116: Administrators List

    Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 117. For access profiles, see “Access profile list” on page 118.
  • Page 117: Access Profiles

    System administration Type a login name for the administrator account. Type and confirm a password for the administrator account. Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager. Select the access profile for the administrator. Select OK.
  • Page 118: Access Profile List

    Allow or deny access to the authorized users feature. Allow or deny access to the administrative users feature. Allow or deny access to the FortiProtect Distribution Network update feature. Allow or deny access to the system shutdown and reboot functionality.
  • Page 119 System administration To configure an access profile Go to System > Admin > Access Profile. Select Create New to add an access profile, or select the edit icon to edit an existing access profile. Enter a name for the access profile. Select or clear the Access Control check boxes as required.
• Page 120 Access profiles.
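The trusted-host rule of pages 115 to 117, as an added, runnable model (example code, not FortiWiFi code): an administrator with a Trusted Host IP address and netmask may log in only from that range, and an audit pass lists accounts reachable from outside the management networks. Two assumptions are made for the example: an account with no trusted host set is reachable from anywhere (modelled as 0.0.0.0/0.0.0.0), and an account may carry more than one trusted host entry so the audit has realistic data; the page itself describes a single optional entry. The access profile names are placeholders.

```python
"""Trusted-host evaluation for administrator accounts.

Added example, not FortiWiFi code. Assumptions: no trusted host means any
source address (0.0.0.0/0.0.0.0), and an account may list several entries.
"""
from ipaddress import ip_address, ip_network

ANYWHERE = "0.0.0.0/0.0.0.0"


class Admin:
    def __init__(self, name, profile, trusted_hosts=None):
        self.name = name
        self.profile = profile                    # access profile name (placeholder)
        entries = trusted_hosts or [ANYWHERE]
        self.trusted = [ip_network(e, strict=False) for e in entries]


def login_allowed(admin, source_ip):
    """True if the web-based manager login source lies inside a trusted host."""
    src = ip_address(source_ip)
    return any(src in net for net in admin.trusted)


def audit_trusted_hosts(admins, management_nets):
    """Return (admin, trusted entry) pairs that reach outside the
    management networks; an entry of 0.0.0.0/0 is the classic finding."""
    mgmt = [ip_network(m, strict=False) for m in management_nets]
    findings = []
    for admin in admins:
        for net in admin.trusted:
            if not any(net.subnet_of(m) for m in mgmt):
                findings.append((admin.name, str(net)))
    return findings


if __name__ == "__main__":
    # constructed sample accounts
    admins = [Admin("admin", "full_access"),                      # factory account, no trusted host
              Admin("ops", "full_access", ["10.10.0.0/255.255.255.0"]),
              Admin("helpdesk", "read_only", ["10.10.0.5/255.255.255.255", "192.0.2.0/24"])]
    print(login_allowed(admins[1], "10.10.0.7"), login_allowed(admins[1], "203.0.113.9"))
    print(audit_trusted_hosts(admins, ["10.10.0.0/24"]))
```

The factory `admin` account is the one to check first: until it has a trusted host, it is the account every interface of the unit will accept a login attempt for.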
  • Page 121: System Maintenance

    System maintenance Use the web-based manager to maintain the FortiWiFi unit. Backup and restore: You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files. Figure 48: Backup and restore list (Category, Latest Backup, ...).
  • Page 122: Backing Up And Restoring

    IPS User-Defined Signatures: Upload or download IPS signatures. All Certificates: Restore or back up all VPN certificates in a single password-protected file. See “To back up VPN certificates” and “To restore VPN certificates” on page 123.
  • Page 123 System maintenance Select OK to restore all configuration files to the FortiWiFi unit. The FortiWiFi unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories Go to System >...
  • Page 124: Update Center

    To receive scheduled updates and push updates, you must register the FortiWiFi unit on the Fortinet support web page. See “To enable scheduled updates” on page 129. The Update center provides: user-initiated updates from the FDN; hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
• Page 125 System maintenance Figure 49: Update center (FortiProtect Distribution Network, Push Update, Refresh, Use override server address). FortiProtect Distribution Network: The status of the connection to the FortiProtect Distribution Network (FDN). Available means that the FortiWiFi unit can connect to the FDN. You can configure the FortiWiFi unit for scheduled updates.
  • Page 126: Updating Antivirus And Attack Definitions

    The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings.
  • Page 127 System maintenance To update antivirus and attack definitions Go to System > Maintenance > Update center. Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent.
• Page 128 Syntax for updates through a proxy:
    config system autoupdate tunneling
        set address <proxy-address_ip>
        set port <proxy-port>
        set username <username_str>
        set password <password_str>
        set status enable
    end
    Example:
    config system autoupdate tunneling
        set address 67.35.50.34
        set port 8080
        set username proxy_user
        set password proxy_pwd
        set status enable
    end
  • Page 129: Enabling Push Updates

    System maintenance There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates The FDN can push updates to FortiWiFi units to provide the fastest possible response to critical situations. You must register the FortiWiFi unit before it can receive push updates.
• Page 130 In the External Interface section, select the external interface that the FDN connects to. In the Type section, select Port Forwarding. In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to.
  • Page 131: Support

    You can select Refresh to make sure that push updates work. Push Update changes to Available. Support You can use the Support page to report problems with the FortiWiFi unit to Fortinet Support or to register your FortiWiFi unit with the FortiProtect Distribution Server (FDS).
  • Page 132: Sending A Bug Report

    Select Report Bug to submit problems with the FortiWiFi unit to Fortinet Support. Enter the contact information so that Fortinet support can reply to your bug report. Items marked with an * are required. Send diagnostic information about the FortiWiFi unit, including its current configuration, to Fortinet for analysis.
  • Page 133: Registering A Fortiwifi Unit

    FortiWiFi units that you or your organization purchased. You can register multiple FortiWiFi units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: •...
  • Page 134 For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiWiFi unit and add the FortiCare Support Contract number to the registration information.
  • Page 135: Shutdown

    A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiWiFi unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.
• Page 136 The FortiWiFi unit restarts with the configuration that it had when it was first powered on. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
  • Page 137: System Virtual Domain

    System virtual domain FortiWiFi virtual domains provide multiple logical firewalls and routers in a single FortiWiFi unit. Using virtual domains, one FortiWiFi unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
  • Page 138: Virtual Domain Properties

    System virtual domain. Procedures (pages 142 to 146): “To select a management virtual domain”; “To configure routing for a virtual domain”; “To configure the routing ...”; “To add IP pools to a virtual domain”; “To add Virtual IPs to a virtual domain”.
  • Page 139: Shared Configuration Settings

    System virtual domain Shared configuration settings The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure them.
  • Page 140: Administration And Management

    A check mark icon in this column indicates that this is the domain used for system management. Delete icon: Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management.
  • Page 141: Adding A Virtual Domain

    System virtual domain See the following procedures for configuring virtual domains. Adding a virtual domain. To add a virtual domain: Go to System > Virtual domain. Select Create New. Enter a virtual domain Name.
  • Page 142: Configuring Virtual Domains

    Adding interfaces, VLAN subinterfaces, and zones to a virtual domain. Configuring routing for a virtual domain. Configuring firewall policies for a virtual domain. Configuring IPSec VPN for a virtual domain.
  • Page 143 System virtual domain Go to System > Network > Interface. Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
  • Page 144: Configuring Routing For A Virtual Domain

    Any zones that you add are added to the current virtual domain (see page 53). Network traffic entering this virtual domain is routed only ... (see “Router” on page 147 and “Routing table (Transparent Mode)” on page 57).
  • Page 145 System virtual domain Select Create new to add firewall policies to the current virtual domain. interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
  • Page 146: Configuring Ipsec Vpn For A Virtual Domain

    Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See “VPN” on page 251.
  • Page 147: Router

    Router This chapter describes how to configure FortiWiFi routing and RIP. It contains the following sections: • • • • • • Static A static route specifies where to forward packets that have a particular destination IP address. Static routes control traffic exiting the FortiWiFi unit—you can specify through which interface the packet will leave and to which device the packet should be routed.
• Page 148 Default route on FortiGate_1 (internal network 192.168.20.0/24): Destination IP/mask: 0.0.0.0/0.0.0.0. Gateway: 192.168.10.1. Device: Name of the interface connected to network 192.168.10.0/24 (e.g. external). Distance: 10. For the network in Figure 55, the FortiGate unit must be configured with static routes to ...
  • Page 149: Static Route List

    Router Figure 55: Destinations on networks behind internal routers To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24 Gateway: 192.168.10.2 Device: dmz...
  • Page 150: Static Route Options

    Enter the administrative distance for the route. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255.
  • Page 151: Policy

    Router Figure 58: Move a static route For Move to, select either Before or After and type the number that you want to place this route before or after. Select OK. The route is displayed in the new location on the static route list. Policy Using policy routing you can configure the FortiWiFi unit to route packets based on: •...
  • Page 152: Policy Route Options

    Match packets that have this destination IP address and netmask. Match packets that have this destination port range. To match a single port, enter the same port number for both From and To. Send packets that match this policy route to this next hop router.
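Route selection as the static route and policy route pages (147 to 152) describe it, as an added example that is not FortiWiFi code: policy routes are consulted first and match on incoming interface, source, destination and destination port range; otherwise the static route with the longest matching prefix wins, and among routes to the same destination the lower administrative distance is preferred. The two static routes from the Figure 55 example (pages 148 and 149) are reused verbatim; the third static route, the policy route, the interface names and the packet values are constructed for the illustration.

```python
"""Route selection as described for static and policy routes.

Added example, not FortiWiFi code. Policy routes are tried first; then the
longest matching static prefix wins, ties going to the lower administrative
distance (1..255). The first two static routes are the page's own example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class StaticRoute:
    destination: str      # "ip/mask" as typed in the web-based manager
    gateway: str
    device: str
    distance: int = 10

    def __post_init__(self):
        if not 1 <= self.distance <= 255:
            raise ValueError("administrative distance must be 1..255")
        self.net = ip_network(self.destination, strict=False)


@dataclass
class PolicyRoute:
    incoming: str
    source: str
    destination: str
    port_from: int
    port_to: int
    gateway: str
    device: str

    def matches(self, pkt):
        return (pkt["in_if"] == self.incoming
                and ip_address(pkt["src"]) in ip_network(self.source, strict=False)
                and ip_address(pkt["dst"]) in ip_network(self.destination, strict=False)
                and self.port_from <= pkt["dport"] <= self.port_to)


def lookup_static(routes, dst_ip):
    """Longest prefix first, then lowest administrative distance."""
    ip = ip_address(dst_ip)
    candidates = [r for r in routes if ip in r.net]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.net.prefixlen, r.distance))


def route_packet(policy_routes, static_routes, pkt):
    """Return (gateway, device, how) or None when nothing matches."""
    for pr in policy_routes:
        if pr.matches(pkt):
            return pr.gateway, pr.device, "policy"
    r = lookup_static(static_routes, pkt["dst"])
    return (r.gateway, r.device, "static") if r else None


STATIC = [
    StaticRoute("0.0.0.0/0.0.0.0", "192.168.10.1", "external", 10),   # default route (page 148)
    StaticRoute("192.168.30.0/24", "192.168.10.2", "dmz", 10),       # Network_2 via Router_1 (page 149)
    StaticRoute("192.168.30.0/24", "192.168.10.9", "dmz", 20),       # constructed backup, worse distance
]
POLICY = [
    # constructed: web traffic from the internal network leaves via a different next hop
    PolicyRoute("internal", "192.168.20.0/24", "0.0.0.0/0", 80, 80, "192.168.10.5", "external"),
]

if __name__ == "__main__":
    web = {"in_if": "internal", "src": "192.168.20.7", "dst": "198.51.100.10", "dport": 80}
    ssh = dict(web, dport=22)
    print(route_packet(POLICY, STATIC, web))
    print(route_packet(POLICY, STATIC, ssh))
    print(lookup_static(STATIC, "192.168.30.5").gateway)
```

The backup route with distance 20 is only ever used if the distance-10 route to the same prefix is removed, which is the behaviour the administrative distance option on page 150 is for.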
  • Page 153: General

    Router RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 61: RIP General settings RIP Version Default Metric Enable Default-...
  • Page 154: Networks List

    Enter the metric to be used for the redistributed static routes. Enter the name of the route map to use for the redistributed static routes. For information on how to configure route maps, see “Route-map list” on page 163. The Delete and Edit icons.
  • Page 155: Networks Options

    Router Networks options Figure 63: RIP Networks configuration To configure a RIP network Go to Router > RIP > Networks. Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network. Enter the IP address and netmask for the network.
  • Page 156: Interface Options

    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
  • Page 157: Distribute List

    Router. Password and Key-chain fields. To configure a RIP interface: Go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
  • Page 158: Distribute List Options

    Select the name of the interface to apply this distribute list to. If you do not specify an interface, this distribute list will be used for all interfaces. Select Enable to enable the distribute list.
  • Page 159: Offset List

    Router Offset list Use offset lists to add the specified offset to the metric of a route. Note: By default, all offset lists for the root virtual domain are displayed. If you create additional virtual domains, the offset lists belonging to the current virtual domain only are displayed. To view the settings associated with a different virtual domain, go to System >...
  • Page 160: Router Objects

    Add a new access list name. An access list and a prefix list cannot have the same name. The access list name. The action to take for the prefix in an access list entry. The prefix in an access list entry. The Delete, Add access-list entry, and Edit icons.
  • Page 161: New Access List Entry

    Router To add an access list name: Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry. Figure 72: Access list entry configuration (Entry, Action, Prefix, Exact match, ...).
  • Page 162: New Prefix List

    The action to take for the prefix in a prefix list entry. The prefix in a prefix list entry. The greater than or equal to number. The less than or equal to number. The Delete, Add prefix-list entry, and Edit icons.
  • Page 163: New Prefix List Entry

    Router New prefix list entry. Figure 75: Prefix list entry configuration (Entry, Action, Prefix, Greater or equal to, Less or equal to). Greater or equal to: Match prefix lengths that are greater than or equal to this number. To configure a prefix list entry: Go to Router >...
  • Page 164: New Route-Map

    Add a new route map name. The route map name. The action to take for this entry in the route map. The rules for a route map entry. The Delete, Add route-map entry, and Edit icons.
  • Page 165: Route-Map List Entry

    Router Route-map list entry. Figure 78: Route map entry configuration (Route-map entry, Action; Match: Interface, Address, Next-hop, Metric, Route Type; Set: Next-hop, Metric, Metric Type). To configure a route map entry: Go to Router > Router Objects > Route Map. Select the Add route-map entry icon to add a new route map entry or select the edit icon beside an existing route map entry to edit that entry.
  • Page 166: Key Chain List

    The time period in which to accept a key. The time period in which to send a key. The start and end times for the accept and send lifetimes. The Delete, Add key-chain entry, and Edit icons.
  • Page 167: Key Chain List Entry

    Router Enter a name for the key chain. Select OK. Key chain list entry. Figure 81: Key chain entry configuration (Key-chain entry, Accept Lifetime, Send Lifetime, Start). To configure a key chain entry: Go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
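The two RIP authentication modes of the interface options (pages 156 and 157) and the key chain lifetimes of pages 166 and 167, as one added example that is not FortiWiFi code. It builds RIPv2 response packets with text and MD5 authentication and verifies the MD5 form against a key chain whose keys carry accept and send lifetimes. The MD5 layout follows RFC 2082 (authentication header entry, route entries, trailer entry holding MD5 over the packet with the key padded to 16 bytes); this is the example's own implementation and interoperability with the FortiWiFi unit is not claimed. The key chain, route and timestamps are constructed. Two points the bytes make: in text mode the key is readable in the packet, as page 156 says; in MD5 mode it is not, but the mode only proves possession of a shared key and this verifier ignores the sequence number, so it does not stop replay on its own.

```python
"""RIPv2 authentication: simple password vs. MD5 keyed digest, with key chains.

Added example, not FortiWiFi code. MD5 mode follows the RFC 2082 layout as
implemented here; interoperability with the FortiWiFi unit is not claimed.
The verifier does not track the sequence number (no replay protection).
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF
AUTH_TRAILER, AUTH_TEXT, AUTH_MD5 = 1, 2, 3


@dataclass
class KeyEntry:
    key_id: int
    key: str
    accept: tuple     # (start, end) epoch seconds, end exclusive
    send: tuple


def select_key(chain, now, lifetime):
    """First key whose `lifetime` ("accept" or "send") window contains `now`."""
    for k in chain:
        start, end = getattr(k, lifetime)
        if start <= now < end:
            return k
    return None


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _pad16(key):
    return key.encode()[:16].ljust(16, b"\x00")


def route_entry(prefix, mask, nexthop, metric, tag=0):
    """One 20-byte RIPv2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, _ip(prefix), _ip(mask), _ip(nexthop), metric)


def build_text(routes, password):
    """Text mode: the password sits in the first entry, zero-padded to 16 bytes."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH", AFI_AUTH, AUTH_TEXT) + _pad16(password)
    return hdr + auth + b"".join(routes)


def build_md5(routes, key, sequence):
    """MD5 mode: auth header entry, routes, trailer entry, 16-byte digest."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body_len = 4 + 20 + 20 * len(routes)          # offset of the trailer entry
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key.key_id, 16, sequence)
    pkt = hdr + auth + b"".join(routes) + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return pkt + hashlib.md5(pkt + _pad16(key.key)).digest()


def verify_md5(pkt, chain, now):
    """Recompute the digest with the key id named in the packet, if that key
    is within its accept lifetime at `now`."""
    if len(pkt) < 16:
        return False
    afi, atype, body_len, key_id, alen, _seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or alen != 16:
        return False
    if pkt[body_len:body_len + 4] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    key = next((k for k in chain if k.key_id == key_id), None)
    if key is None or not key.accept[0] <= now < key.accept[1]:
        return False
    expected = hashlib.md5(pkt[:body_len + 4] + _pad16(key.key)).digest()
    return hmac.compare_digest(expected, pkt[body_len + 4:body_len + 20])


# constructed key chain: key 1 being retired, key 2 taking over; accept windows
# overlap the send windows so neighbours can roll over without a gap
CHAIN = [KeyEntry(1, "old-rip-key", accept=(0, 1_700_100_000), send=(0, 1_700_000_000)),
         KeyEntry(2, "new-rip-key", accept=(1_699_900_000, 2_000_000_000),
                  send=(1_700_000_000, 2_000_000_000))]
ROUTES = [route_entry("192.168.30.0", "255.255.255.0", "0.0.0.0", 1)]

if __name__ == "__main__":
    now = 1_700_050_000
    k = select_key(CHAIN, now, "send")
    md5_pkt = build_md5(ROUTES, k, sequence=now)
    text_pkt = build_text(ROUTES, "plain-pw")
    print(b"plain-pw" in text_pkt, k.key.encode() in md5_pkt)   # True False
    print(verify_md5(md5_pkt, CHAIN, now))
```

The overlapping accept lifetimes are the practical reason key chains exist: a key can be accepted before and after it is sent, so two routers can change keys without a window in which one rejects the other's updates.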
  • Page 168: Monitor

    The subtype for the route. The network for the route. The administrative distance of the route. The metric for the route. The gateway used by the route. The interface used by the route. How long the route has been available.
  • Page 169: Cli Configuration

    Router Specify the network for which to display routes. Specify a gateway to display the routes using that gateway. Select Apply Filter. Note: You can configure Type, Network, and Gateway filters individually or in any combination. CLI configuration This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager.
  • Page 170: Get Router Info Rip

    Syntax pattern: config router ospf, then set <keyword> <variable> or unset <keyword>; get router ospf; show router ospf. Subcommands: config area, config distribute-list, config neighbor, config network, config ospf-interface, config redistribute, config summary-address. Availability: All models.
• Page 171 Router Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables: abr-type {cisco | ibm | shortcut | standard}; database-overflow {disable | enable}; database-overflow-max-lsas <lsas_integer>; database-overflow-time-to-recover <seconds_integer>...
• Page 172 CPU. A setting of 0 for spf-timers can quickly use up all available CPU (the default is 5 10). Example:
    config router ospf
        set router-id 1.1.1.1
    end
    get router ospf
  • Page 173 Router This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
• Page 174 Enable or disable redistributing routes into a NSSA area.
• Page 175 Router area command keywords and variables (continued): nssa-translator-role {always | candidate | never}; shortcut {default | disable | enable}; stub-type {no-summary | summary}; type {nssa | regular | stub}. Example: This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.
• Page 176 Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list (see page 161). Availability: All models.
  • Page 177 Router Example This example shows how to use an access list named acc_list1 to filter packets entering area 15.1.1.1. This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. config range Access the config range subcommand using the config area command.
• Page 178 Enable or disable using a substitute prefix (default: disable; all models). Example of adding a range to area 15.1.1.1:
    config router ospf
        config area
            edit 15.1.1.1
                config range
                    edit 1
                        set prefix 1.1.0.0 255.255.0.0
                    end
                end
            end
        end
    To display the range, enter the same config router ospf / config area / edit 15.1.1.1 / config range sequence followed by get or show.
  • Page 179 Router This example shows how to display the configuration for area 15.1.1.1. config virtual-link Access the config virtual-link subcommand using the config area command. Use virtual links to connect an area to the backbone when the area has no direct connection to the backbone.
• Page 180 The router id of the remote ABR. 0.0.0.0 is not allowed. The table notes that some keywords require authentication to be set to text and others require authentication to be set to md5; all keywords are available on all models.
• Page 181 Router virtual-link command keywords and variables (continued): retransmit-interval <seconds_integer>; transmit-delay <seconds_integer>. Example: This example shows how to configure a virtual link. This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. config distribute-list: Access the config distribute-list subcommand using the config router ospf command.
• Page 182 Enter the name of the access list to use for this distribute list. Advertise only the routes discovered by the specified protocol and that are permitted by the named access list (table default: connected). Availability: All models.
  • Page 183 Router This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
• Page 184 Example of configuring neighbor 1:
    config router ospf
        config neighbor
            edit 1
                set ip 192.168.21.63
            end
        end
    To display the settings or configuration for neighbor 1, enter the same config router ospf / config neighbor / edit 1 sequence followed by get or show (default ip: 0.0.0.0; all models).
  • Page 185 Router config network Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern network command keywords and variables Keywords and variables...
• Page 186 ... edit 2, then show to display the configuration for network 2. config ospf-interface syntax pattern: config ospf-interface / edit <interface-name_str> / set <keyword> <variable>; config ospf-interface / edit <interface-name_str> / unset <keyword>; config ospf-interface / delete <interface-name_str>; config ospf-interface / edit <interface-name_str> (display settings); config ospf-interface / edit <interface-name_str> / show.
• Page 187 Router ospf-interface command keywords and variables: authentication {md5 | none | text}; authentication-key <password_str>; cost <cost_integer>; database-filter-out {disable | enable}; dead-interval <seconds_integer>. Description: Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface.
• Page 188 MTUs so that they match. Defaults listed in the table include 1500 (MTU) and disable; the MD5 key keyword requires authentication to be set to md5; all keywords are available on all models.
• Page 189 Router ospf-interface command keywords and variables (continued): network-type {broadcast | non-broadcast | point-to-multipoint | point-to-point}; priority <priority_integer>; retransmit-interval <seconds_integer>; status {disable | enable}; transmit-delay <seconds_integer>. Description: Specify the type of network to which the interface is connected.
• Page 190 Example (continued):
        ... 192.168.20.3
        set authentication text
        set authentication-key a2b3c4d5e
    end
    To display the settings or configuration for the interface, enter config router ospf / config ospf-interface / edit test followed by get or show. Note that text authentication sends the key in clear text on the network, as this guide notes for RIP; use md5 where the neighbouring routers support it.
• Page 191 Router config redistribute command syntax pattern. redistribute command keywords and variables: metric <metric_integer>; metric-type {1 | 2}: Specify the external link type to be used; routemap <name_str>: Enter the name of the route map to use; status {disable | enable}; tag <tag_integer>...
  • Page 192 Specify a tag for the summary route. The valid range for tag_integer is 0 to 4294967295. config router ospf config summary-address edit 5 set prefix 10.0.0.0 255.0.0.0 get router ospf 01-28006-0014-20041105 Router Default Availability All models. enable All models. default. All models. Fortinet Inc.
  • Page 193: Config Router Static6

    Router This example shows how to display the OSPF configuration. config router static6 Use this command to add, edit, or delete static routes for IPv6 traffic. Add static routes to control the destination of traffic exiting the FortiWiFi unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses.
  • Page 194 This example shows how to display the configuration for IPV6 static route 2. config router static6 edit 2 set dev internal set dst 12AB:0:0:CD30::/60 set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF get router static6 get router static6 2 show router static6 show router static6 2 01-28006-0014-20041105 Router Fortinet Inc.
  • Page 195: Firewall

    Firewall policies control all traffic passing through the FortiWiFi unit. Firewall policies are instructions that the FortiWiFi unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
  • Page 196: Policy

    Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. This section describes: How policy matching works; Policy list; Policy options; Advanced policy options; Configuring firewall policies.
  • Page 197: Policy List

    Policy list. You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 83: Sample policy list. The policy list has the following icons and features: Create New; Source; Dest; Schedule; Service; Action; Enable; source -> destination (n): policy list headings indicating the traffic to which the policy. Figure 84: Move to options. Select Create New to add a firewall policy.
  • Page 198: Policy Options

    Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See “Addresses” on page 204, “Virtual IP” on page 220, “Schedule” on page 216, and “Service” on page 208.
  • Page 199 Action; VPN Tunnel; Protection Profile; Log Traffic; Advanced. Action: Select how you want the firewall to respond when the policy matches a connection attempt. ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy. ...
  • Page 200: Advanced Policy Options

    HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service. See page 245.
  • Page 201: Traffic Shaping

    In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name. Traffic Shaping: Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
  • Page 202: Configuring Firewall Policies

    Set the DSCP value for reply packets. For example, for an Internal -> External policy the value is applied to incoming reply packets before they exit the internal interface and are returned to the originator. See “How policy matching works” on page 196 and “Policy options” on page 198.
  • Page 203: Policy Cli Configuration

    Select the position for the policy. Select OK. To disable a policy: Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy.
  • Page 204: Address

    192.168.110.* to represent all addresses on the subnet. This section describes: Address list; Address options; Configuring addresses; Address group list; Address group options; Configuring address groups. Default and Availability column values spilled from a table: 0.0.0.0 0.0.0.0, All models; Encrypt policy, with outbound enabled.
  • Page 205: Address List

    Address list. You can add addresses to the list and edit existing addresses. The FortiWiFi unit comes configured with the default ‘All’ address, which represents any IP address on the network. Figure 88: Sample address list. The address list has the following icons and features: Create New; Name; Address...
  • Page 206: Configuring Addresses

    The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0. A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10).
  • Page 207: Address Group List

    Address group list. You can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses. Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
  • Page 208: Configuring Address Groups

    This section describes: Predefined service list; Custom service list; Custom service options; Configuring custom services; Service group list; Service group options; Configuring service groups.
  • Page 209: Predefined Service List

    Predefined service list. Figure 92: Predefined service list. The predefined services list has the following icons and features: Name (the name of the predefined services); Detail (the protocol for each predefined service). Table 23 any policy. Table 23: FortiWiFi predefined services. Service name: DHCP...
  • Page 210 Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol. PC-Anywhere is a remote control and file transfer protocol. Protocol/Port column values spilled from Table 23: 1720, 1503; 6660-6669; 1701; 1720; 111, 2049; 5632.
  • Page 211 Table 23: FortiWiFi predefined services (Continued). Service names: ICMP_ANY; PING; TIMESTAMP; INFO_REQUEST (ICMP information request messages); INFO_ADDRESS (ICMP address mask request messages); POP3; PPTP; QUAKE; RAUDIO; RLOGIN; SIP-MSNmessenger; SMTP; SNMP; SYSLOG; TALK; TELNET; TFTP; UUCP; VDOLIVE. Description: Internet Control Message Protocol is a message control and error-reporting protocol...
  • Page 212: Custom Service List

    The Delete and Edit/View icons. The name of the TCP or UDP custom service. Select the protocol type of the service you are adding: TCP or UDP. TCP and UDP options are the same. Protocol/Port column values spilled from the table: 1494; 6000-6063.
  • Page 213: Configuring Custom Services

    Source Port; Destination Port: Specify the Destination Port number range for the service by entering the... ICMP custom service options (Figure 95: ICMP custom service options): Name; Protocol Type; Type; Code. IP custom service options (Figure 96: IP custom service options): Name; Protocol Type; Protocol Number (the IP protocol number for the service).
  • Page 214 Select the Edit icon beside the service you want to edit. Modify the custom service as required. Note: To change the custom service name you must delete the service and add it with a new name. Select OK.
  • Page 215: Service Group List

    Service group list. To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
  • Page 216: Configuring Service Groups

    This section describes: One-time schedule list; One-time schedule options; Configuring one-time schedules; Recurring schedule list; Recurring schedule options; Configuring recurring schedules.
  • Page 217: One-Time Schedule List

    One-time schedule list. You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
  • Page 218: Recurring Schedule List

    Select Create New to add a recurring schedule. The name of the recurring schedule. The initials of the days of the week on which the schedule is active. Start: the start time of the recurring schedule.
  • Page 219: Recurring Schedule Options

    Stop. Recurring schedule options (Figure 102: Recurring schedule options). Recurring schedule has the following options: Name; Select; Start; Stop. Configuring recurring schedules. To add a recurring schedule: Go to Firewall > Schedule > Recurring. Select Create New. Enter a name for the schedule. Select the days of the week that you want the schedule to be active.
  • Page 220: Virtual Ip

    Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally, a different port number on a destination network. This section describes: Virtual IP list; Virtual IP options; Configuring virtual IPs.
  • Page 221: Virtual Ip List

    Virtual IP list (Figure 103: Sample virtual IP list). The virtual IP list has the following icons and features: Create New; Name; Service Port; Map to IP; Map to Port. Virtual IP options: Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding.
  • Page 222: Configuring Virtual Ips

    Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.) Table 24 on page 223 contains example virtual IP external interface settings.
  • Page 223 You can now add the virtual IP to firewall policies. Table 24: Virtual IP external interface examples (columns: External Interface; Description): internal; wan1. To add port forwarding virtual IPs: Go to Firewall > Virtual IP. Select Create New. Enter a name for the port forwarding virtual IP. Select the virtual IP External Interface from the list.
  • Page 224: Ip Pool

    IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface. See “PPTP passthrough” on page 268 for more information.
  • Page 225: Ip Pool List

    You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. For example, if you add an IP pool to the internal interface, you can select Dynamic IP pool for WAN1->Internal, WAN2->Internal, and DMZ->Internal policies.
  • Page 226: Configuring Ip Pools

    IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool. Select the interface to which to add an IP pool. Enter a name for the IP pool.
  • Page 227: Ip Pools And Dynamic Nat

    IP pools and dynamic NAT. You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses but you might have only one Internet connection on the external interface of your FortiWiFi unit. You can assign one of your organization’s Internet IP addresses to the external interface of the FortiWiFi unit.
  • Page 228: Protection Profile List

    You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
  • Page 229 Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis. (IMAP, POP3, SMTP.) Fragmented email cannot be scanned for viruses.
  • Page 230 Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed, and enabling this option can cause download interruptions.
  • Page 231 Enable or disable checking traffic against configured Real-time Blackhole List and Open Relay Database List servers. Enable or disable the Fortinet spam filtering IP address blacklist: FortiShield (see page 343). Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server.
  • Page 232 The maximum length is 63 characters. See “IPS” for more IPS configuration options. Enable or disable signature based intrusion detection and prevention for all protocols. Enable or disable anomaly based intrusion detection and prevention for all protocols.
  • Page 233: Configuring Protection Profiles

    The following options are available for content archive through the protection profile: Archive content meta-information. Configuring protection profiles. To add a protection profile: If the default protection profiles do not provide the settings you require, you can create custom protection profiles. Go to Firewall >...
  • Page 234: Cli Configuration

    Command syntax pattern: config firewall profile edit <profilename_str> set <keyword> <variable>; config firewall profile edit <profilename_str> unset <keyword>; config firewall profile delete <profilename_str>; get firewall profile [<profilename_str>]; show firewall profile [<profilename_str>].
  • Page 235 firewall profile command keywords and variables. Keywords and variables: {block content_log oversize quarantine scan splice}. Description: Select the actions that this profile will use for filtering FTP traffic for a policy. Entering splice enables the FortiWiFi unit to simultaneously buffer a file for scanning and upload the file to an FTP server.
  • Page 236 If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. Default and Availability column values: No default, All models; fragmail, All models.
  • Page 237 This example shows how to display the settings for the firewall profile command: get firewall profile. This example shows how to display the settings for the spammail profile: get firewall profile spammail. This example shows how to display the configuration for the firewall profile command. This example shows how to display the configuration for the spammail profile...
  • Page 238 Protection profile.
  • Page 239: Users And Authentication

    Users and authentication. You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
  • Page 240: Setting Authentication Timeout

    Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
  • Page 241: Radius

    LDAP; Radius. To add a user name and configure authentication: Go to User > Local. Select Create New to add a new user name, or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user.
  • Page 242: Radius Server Options

    FortiWiFi unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiWiFi unit. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret.
  • Page 243: Ldap Server List

    The FortiWiFi unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiWiFi LDAP supports all LDAP servers compliant with LDAP v3. FortiWiFi LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.
  • Page 244 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com, where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
  • Page 245: User Group

    User group. To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: ...
  • Page 246: User Group Options

    The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group.
  • Page 247: Cli Configuration

    Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK. CLI configuration: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference Guide.
  • Page 248: Peergrp

    EU_branches; set member Sophia_branch Valencia_branch Cardiff_branch. get user peergrp. Default and Availability column values: No default, All models.
  • Page 249 This example shows how to display the settings for the peergrp EU_branches: get user peergrp EU_branches. This example shows how to display the configuration for all the peer groups: show user peergrp. This example shows how to display the configuration for the peergrp EU_branches...
  • Page 250 CLI configuration.
  • Page 251: Vpn

    FortiWiFi units support the following protocols to authenticate and encrypt traffic: ... This chapter contains information about the following VPN topics: ...
  • Page 252: Phase 1

    1, Dialup if this is a dialup Phase 1 configuration, and the domain name if this is a dynamic DNS phase 1. Main mode or Aggressive mode. The names of the encryption and authentication algorithms used by each phase 1 configuration. Edit, view, or delete phase 1 configurations.
  • Page 253: Phase 1 Basic Settings

    Phase 1 basic settings (Figure 125: Phase 1 basic settings). Gateway Name: Type a name for the remote VPN peer. The remote peer can be either a gateway to another network or an individual client on the Internet. Remote Gateway: Select a Remote Gateway address type. Further fields: IP Address; Dynamic DNS; Mode; Authentication Method.
  • Page 254: Phase 1 Advanced Options

    The group must be added to the FortiWiFi configuration through the config user peer and config user peergrp CLI commands before it can be selected here. For more information, see the “config user” chapter of the CLI Reference Guide. See “Enabling VPN access for specific certificate holders” on page 278.
  • Page 255: Configuring Xauth

    Encryption; Authentication: The FortiWiFi unit supports the following authentication methods: ... DH Group; Keylife; Local ID; XAuth; Nat-traversal; Keepalive Frequency; Dead Peer Detection. Configuring XAuth: XAuth authenticates users in a separate exchange held between Phases 1 and 2. XAuth: Enable as Client; Username; Password.
  • Page 256: Phase 2

    Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.) Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
  • Page 257: Phase 2 Basic Settings

    Status; Timeout. Phase 2 basic settings (Figure 128: Phase 2 basic settings): Tunnel Name; Remote Gateway; Concentrator. Status: The current status of the tunnel. Down, tunnel is not processing traffic. Up, the tunnel is currently processing traffic. Unknown, status of Dialup tunnels.
  • Page 258: Phase 2 Advanced Options

    You can configure the FortiWiFi unit to send an alert email when it detects a replay packet. For more information, see “Alert E-mail options” on page 360. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
  • Page 259: Manual Key

    DH Group; Keylife; Autokey Keep Alive; DHCP-IPSec; Internet browsing; Quick Mode Identities. Manual key: Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiWiFi unit and a remote VPN peer that uses a manual key. The FortiWiFi unit must be configured to use the same encryption and authentication algorithms used by the remote peer.
  • Page 260: Manual Key List

    Enter the external IP address of the FortiWiFi unit or other IPSec gateway at the opposite end of the tunnel. Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel.
  • Page 261: Concentrator

    Encryption Key: Enter the Encryption Key. Authentication Algorithm; Authentication. Concentrator: Configure IPSec VPN concentrators to create hub and spoke configurations. IPSec VPN concentrators are only available in NAT/Route mode. To configure a concentrator: Go to VPN > IPSEC > Concentrator and add a concentrator. Add the required Phase 2 configurations to the concentrator.
  • Page 262: Concentrator Options

    A concentrator can have more than one tunnel in its list of members. Provides a list of tunnels that are members of the concentrator. To remove a tunnel from the list, select the tunnel in the Members list and select the left arrow.
  • Page 263: Ping Generator Options

    Ping generator options (Figure 134: Ping generator): Enable; Source IP 1; Destination IP 1; Source IP 2; Destination IP 2. To configure the ping generator: Go to VPN > IPSEC > Ping Generator. Select Enable. In the Source IP 1 box, type the private IP address from which traffic may originate locally.
  • Page 264: Dialup Monitor

    The IP address range from which the dialup user can connect. This is usually the current IP address of the dialup user’s computer. Stop the current dialup tunnel. The dialup user may have to reconnect to establish a new VPN session.
  • Page 265: Pptp

    Figure 136: Static IP and dynamic DNS Monitor. Name; Remote gateway: The IP address and UDP port of the remote gateway. For dynamic DNS... Timeout; Proxy ID Source: The IP address range that VPN users of this tunnel can connect to. Proxy ID Destination; Bring down...
  • Page 266: Enabling Pptp And Specifying A Pptp Range

    The end of the IP range. For example, 192.168.1.20. Select the user group that contains the remote PPTP VPN clients. Select this option to disable the PPTP support. See “To add an address” on page 206, page 202, and the Windows client configuration sections for PPTP.
  • Page 267: Configuring A Windows 2000 Client For Pptp

    Configuring a Windows 2000 client for PPTP. To configure a PPTP dialup connection: Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next. For Network Connection Type, select Connect to a private network through the Internet and select Next.
  • Page 268: Pptp Passthrough

    Go to Firewall > Virtual IP. Select Create New. Enter a name for the virtual IP, for example PPTP_pass. Set the External Interface to external. (Items shown in the Windows network components list: TCP/IP; QoS Packet Scheduler; File and Printer Sharing for Microsoft Networks; Client for Microsoft Networks.)
  • Page 269: L2Tp

    Select Port Forwarding. Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. Alternatively, if PPTP users always connect to the same IP address, you can specify that IP address. Set the External Service Port to 1723. Set the Map to IP address to 192.168.23.1.
  • Page 270: Setting Up A L2Tp-Based Vpn

    Cross-references: “To add an address” on page 206; “To add a firewall policy” on page 202; Configuring a Windows 2000 client for L2TP; Configuring a Windows XP client for L2TP; “Users and authentication”; page 270.
  • Page 271: Configuring A Windows 2000 Client For L2Tp

    Figure 138: L2TP range. Enable L2TP; Starting IP; Ending IP; User Group; Disable L2TP. To enable L2TP on the FortiWiFi unit: Go to VPN > L2TP > L2TP Range. Select Enable L2TP. Complete the fields as required. Select Apply. Configuring a Windows 2000 client for L2TP. To configure an L2TP dialup connection: Go to Start >...
  • Page 272: Configuring A Windows Xp Client For L2Tp

    Go to Start > Settings. Select Network and Internet Connections. Select Create a connection to the network of your workplace and select Next. Select Virtual Private Network Connection and select Next. Name the connection and select Next.
  • Page 273 If the Public Network dialog box appears, choose the appropriate initial connection and select Next. In the VPN Server Selection dialog, enter the IP address or host name of the FortiWiFi unit to connect to and select Next. Select Finish. To configure the VPN connection: Right-click the icon that you have created.
  • Page 274: Certificates

    FortiWiFi unit for decrypting messages sent by the remote peer. Conversely, the remote peer provides its public key to the FortiWiFi unit, which uses the key to encrypt messages destined for the remote peer.
  • Page 275: Viewing The Certificate List

    Details are provided in the following sections: ... Viewing the certificate list: Initially, no certificates are installed. To view the certificate list: Go to VPN > Certificates > Local Certificates. Figure 139: Certificate list: Generate; Import; Name; Subject; Status. Generating a certificate request: To obtain a personal or site certificate, you must send the request to a CA that...
  • Page 276 Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload the certificate request. Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiWiFi unit. (...further identify the object being certified.)
  • Page 277: Installing A Signed Certificate

    Figure 140: Generating a certificate signing request. Certificate Name: Type a certificate name. Subject Information; Optional Information; Key Type; Key Size. Installing a signed certificate: Your CA provides you with a digital certificate to install on the FortiWiFi unit. You must also obtain and install the CA’s root certificate on the FortiWiFi unit.
  • Page 278: Enabling Vpn Access For Specific Certificate Holders

    If the FortiWiFi unit participates in a gateway-to-gateway configuration and you want both peers to accept reciprocal connections, you must specify the DN of the FortiWiFi unit when you define the phase 1 parameters. See “Backing up and Restoring” on page 122.
  • Page 279: Cli Configuration

    To enable access for a specific certificate holder or a group of certificate holders: Use this procedure to enhance access security if you are using digital certificates to authenticate peers. Go to VPN > IPSEC > Phase 1. Under Peer Options, select one of these options: ...
  • Page 280 Default and Availability column values spilled from a keyword table: seconds, All models, dpd must be set to enable (three entries); All models, dpd must be set to enable.
  • Page 281: Ipsec Phase2

    Example: Use the following command to edit an IPSec VPN phase 1 configuration with the following characteristics: ... ipsec phase2: In addition to the advanced IPSec Phase 2 settings, the config vpn ipsec phase2 CLI command provides a way to bind the VPN tunnel selected in a Phase 2 configuration to a specific network interface.
  • Page 282: Ipsec Vip

    Type the name of the local FortiWiFi interface. Example: config vpn ipsec phase2; edit Tunnel_1; set bindtoif internal. See “Configuring IPSec virtual IP addresses” on page 294. ipsec vip command syntax: config vpn ipsec vip edit <vip_integer> set <keyword> <variable>. Default and Availability column values: All models; default.
  • Page 283 ipsec vip command keywords and variables. Keywords and variables: ip <address_ipv4>; out-interface <interface-name_str>. Example: The following commands add IPSec VIP entries for two remote hosts that can be accessed by a FortiWiFi unit through an IPSec VPN tunnel on the external interface of the FortiWiFi unit.
  • Page 284: Authenticating Peers With Preshared Keys

    Cross-references: “Phase 1” on page 252; “Phase 2” on page 256; “Adding firewall policies for IPSec VPN tunnels” on page 286.
  • Page 285: Dialup Vpn

    Dialup VPN Dialup VPN allows remote users with dynamic IP addresses to use VPN to connect to a private network. Dialup VPNs use AutoIKE and can be preshared key or certificate VPNs. To configure dialup VPN Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
  • Page 286: Manual Key Ipsec Vpn

    To add a source address, see page “Manual key” on page 259. “Manual key” on page 259. “Adding firewall policies for IPSec VPN tunnels” on page “Policy” on page 196 206. 01-28006-0014-20041105 286. for information about firewall policies. “To add an address” on Fortinet Inc.
  • Page 287: Setting The Destination Address For Encrypted Traffic

    Setting the destination address for encrypted traffic The destination address determines which remote peers and clients will be allowed to access the specified source address. In general: • • • To add a destination address, see Adding an IPSec firewall encryption policy Use the following procedure to add an IPSec firewall encryption policy.
  • Page 288: Configuring Internet Browsing Through a VPN Tunnel

    If required, add additional firewall policies to support Internet browsing. Configure the remote VPN clients to deny split tunneling, so that all client traffic, including Internet browsing, passes through the tunnel and is subject to the FortiWiFi firewall policies. See “Phase 1” on page 252, “Phase 2” on page 256, “Adding firewall policies for IPSec VPN tunnels” on page 286, and “System DHCP”.
  • Page 289: IPSec VPN in Transparent Mode

    IPSec VPN in Transparent mode In Transparent mode, a FortiWiFi unit becomes transparent at the data link layer (OSI layer 2)—it looks like a network bridge. A FortiWiFi unit operating in Transparent mode requires the following basic configuration to operate as a node on the IP network: •...
  • Page 290: Hub and Spoke VPNs

    The source address must be Internal_All. To configure the hub: add the VPN tunnels, add a VPN concentrator, and add a firewall policy. Use the following configuration for the encrypt policies. See “To add an address” on page 206.
  • Page 291 Hub encrypt policy settings (Source, Destination, Action, VPN Tunnel, Allow inbound, Allow outbound, Inbound NAT, Outbound NAT): select Allow outbound; select Outbound NAT if required. Arrange the policies in the order given. Adding a VPN concentrator: the VPN concentrator collects the hub-and-spoke tunnels into a group. This allows VPN traffic to pass from one tunnel to the other through the FortiWiFi unit.
  • Page 292: Configuring Spokes

    Destination: the remote VPN spoke address. Action: ENCRYPT. VPN Tunnel: the VPN tunnel name added in step 1 (use the same tunnel for all encrypt policies). Allow inbound/outbound: do not enable the option shown in the table. Inbound NAT: select inbound NAT if required. See “To add an address” on page 206 and “To add a firewall policy” on page 202.
  • Page 293: Redundant IPSec VPNs

    Spoke encrypt policy settings (Source, Destination, Action, VPN Tunnel, Allow inbound, Allow outbound, Inbound NAT, Outbound NAT): do not enable the allow option shown in the table; select Outbound NAT if required. Arrange the policies in the order given. Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
  • Page 294: Configuring IPSec Virtual IP Addresses

    The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy (see “Phase 1” on page 252). See “To add a firewall policy” on page 202 and “To add an address” on page 206.
  • Page 295 Consider the following example, which shows two physically separate networks. The IP addresses of the computers on both networks are in the 192.168.12.0/24 range, but no two IP addresses are the same. An IPSec VPN has been configured between FortiGate_1 and FortiGate_2. The FortiGate configuration permits Host_1 on the Finance network to transmit data to Host_2 on the HR network through the IPSec VPN tunnel.
  • Page 296: Troubleshooting

    Make sure you select the correct DH group on both ends (the groups must match for phase 1 to complete). Enable PFS. Change the policy to internal-to-external. Re-enter the source and destination address. The encryption policy must be placed above other non-encryption policies.
  • Page 297: IPS

    …IPS (attack) engines and definitions through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates, see page 124.
  • Page 298: Signature

    The FortiWiFi IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiWiFi unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
  • Page 299 If logging is disabled and action is set to Pass, the signature is effectively disabled. Drop: the FortiWiFi unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection-based attacks, because dropping a single packet does not end the TCP session; a reset or session action does.
  • Page 300 Drop Session: the FortiWiFi unit drops the packet that triggered the signature, removes the session from the FortiWiFi session table, and does not send a reset. Pass Session: the FortiWiFi unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
  • Page 301 Select the Enable box to enable the signature or clear it to disable the signature. Select the Logging box to enable logging for this signature or clear it to disable logging. Select the Action for the FortiWiFi unit to take when traffic matches this signature (see the action descriptions above). Select OK.
  • Page 302: Custom

    …(the default): no change is made to the codepoint in the IP header. Select the Enable custom signature box to enable the custom signature group or clear it to disable the group. Select Create New to create a new custom signature.
  • Page 303 Custom signature list icons and features: Clear all custom signatures, Reset to recommended settings, Name, Revision, Enable, Logging, Action, Modify. Adding custom signatures: to add a custom signature, go to IPS > Signature > Custom and select Create New, or select the Edit icon to edit an existing custom signature.
  • Page 304: Anomaly

    The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly. See “Anomaly CLI configuration” on page 307.
  • Page 305 If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop: the FortiWiFi unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection-based attacks, because dropping a single packet does not end the TCP session.
  • Page 306 Drop Session: …removes the session from the FortiWiFi session table, and does not send a reset. Pass Session: the FortiWiFi unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Threshold: traffic over the specified threshold triggers the anomaly.
  • Page 307: Anomaly CLI Configuration

    Anomaly CLI configuration Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. (config ips anomaly) config limit Note: This command has more keywords than are listed in this Guide.
  • Page 308: Configuring IPS Logging and Alert Email

    You can change the default fail open setting using the CLI: config sys global, set ips-open [enable | disable]. Enable ips-open to cause the IPS to fail open (traffic is passed uninspected when the IPS cannot process it) and disable ips-open to cause the IPS to fail closed (traffic is dropped instead). See “Log & Report” on page 355.
  • Page 309: Antivirus

    Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
  • Page 310: File Block

    …IPS (attack) engines and definitions, as well as the local spam RBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates, see page 124.
  • Page 311: File Block List

    File block list: the file block list is preconfigured with a default list of file patterns (Figure 155: Default file block list). The file block list has the following icons and features: Create New, Apply, Pattern…
  • Page 312: Configuring The File Block List

    You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.
  • Page 313: Quarantined Files List Options

    When the time to live elapses, the file is marked EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
  • Page 314: Autosubmit List

    File patterns can include wildcards (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiWiFi unit uses encrypted email to autosubmit files to an SMTP server through port 25, so outbound TCP port 25 from the unit must be permitted.
  • Page 315: Config

    Antivirus Config: go to Config to set quarantine configuration options, including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 159: Quarantine configuration. Quarantine configuration has the following options: Age limit…
  • Page 316: Config

    …1 to 25 MB. The range for each FortiWiFi unit is displayed in the web-based manager as shown in Figure 161. To find out how to use the Fortinet Update Center, see page 124. See also “Changing unit…” on page 29. Related sections: Virus list, Config, Grayware, Grayware options.
  • Page 317: Grayware

    Antivirus You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Grayware Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge.
  • Page 318: CLI Configuration

    Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
  • Page 319: Quarantine

    Use the heuristic command to change the heuristic scanning mode. Command syntax pattern: config antivirus heuristic, set mode {pass | block | disable}, end. Table 28: antivirus heuristic command keywords and variables: mode {pass | block | disable}. Example: disable heuristic scanning (set mode disable). Example: display the settings for the antivirus heuristic command (get antivirus heuristic).
  • Page 320: Service HTTP

    You can use ports from the range 1-65535. You can add up to 20 ports. Availability: all models (some keywords in the table are available only on FortiGate models numbered 200 and higher).
  • Page 321: Service FTP

    Example: This example shows how to add antivirus scanning for HTTP traffic on ports 70, 90, and 443. Adding more ports for scanning does not erase the default, port 80. Note that traffic on port 443 is normally TLS-encrypted; the antivirus proxy can only scan cleartext HTTP on the listed ports. Use the unset command to remove all ports from the list. This example shows how to display the antivirus HTTP traffic settings.
  • Page 322: Service POP3

    [pop3] Description: Configure antivirus scanning on a nonstandard port number or multiple port numbers for POP3. You can use ports from the range 1-65535. You can add up to 20 ports. Availability: all models.
  • Page 323: Service IMAP

    Antivirus Example This example shows how to add antivirus scanning for POP3 traffic on ports 992 and 993. Adding more ports for scanning does not erase the default, port 110. Use the unset command to remove all ports from the list. This example shows how to display the antivirus POP3 traffic settings.
  • Page 324: Service SMTP

    [smtp] Description: Configure antivirus scanning on a nonstandard port number or multiple port numbers for SMTP. You can use ports from the range 1-65535. You can add up to 20 ports. Availability: all models.
  • Page 325 Example: This example shows how to add antivirus scanning on ports … and 465 and enable file splice for SMTP traffic. Adding more ports for scanning does not erase the default, port 25. Use the unset command to remove all ports from the list. This example shows how to display the antivirus SMTP traffic settings.
  • Page 326: CLI configuration (Antivirus, continued)
  • Page 327: Web Filter

    Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering. See “Protection profile options”...
  • Page 328: Content Block

    See “Using Perl regular expressions” on page 352 and “Protection profile” on page 233. Web Filter setting: Web Filter > Category Block > Configuration, enable or disable FortiGuard, and enable and set the size limit for the cache.
  • Page 329: Web Content Block List

    Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, enclose the pattern in slashes and add the i option. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
  • Page 330: Configuring The Web Content Block List

    See “Using Perl regular expressions” on page 352. Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list.
  • Page 331: Web URL Block List

    Web filter Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. This section describes: •...
  • Page 332: Web Pattern Block List

    FortiWiFi web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings.
  • Page 333: Web Pattern Block Options

    Figure 167: Sample web pattern block list. Web pattern block has the following icons and features: Create New, Pattern. Configuring web pattern block: to add a pattern to the web pattern block list, go to Web Filter > URL Block and select Web Pattern Block.
  • Page 334: URL Exempt List

    Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons.
  • Page 335: Category Block

    FortiGuard managed web filtering service: FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiWiFi unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
  • Page 336: Category Block Configuration Options

    FortiGuard licensing Every FortiWiFi unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiWiFi unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking.
  • Page 337: Configuring Web Category Block

    To have a URL’s… Apply. Configuring web category block: to enable FortiGuard web filtering, go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiWiFi unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available.
  • Page 338: Category Block Reports Options

    The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame.
  • Page 339: Script Filter

    The FortiWiFi unit comes preconfigured with the FortiGuard host name (default guard.fortinet.com; all models, FortiGuard service only). Use this command only if you need to change the host name: config webfilter catblock, set ftgd_hostname guard.example.net, end. To view the settings: get webfilter catblock, show webfilter catblock.
  • Page 340: Web Script Filter Options

    You can configure the following options for script filtering: Javascript, Cookies, ActiveX. Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications.
  • Page 341: Spam Filter

    Real-time Blackhole List and Open Relay Database List servers. IP address FortiShield check Enable or disable Fortinet’s antispam IP address black list: FortiShield. This service works like an RBL server and is continuously updated to block spam sources. See “FortiShield IP address black list and spam...
  • Page 342 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. See “Protection profile” on page 233.
  • Page 343 Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile. See the spam filtering options in “Protection profile” on page 233.
  • Page 344: IP Address

    Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons.
  • Page 345: RBL & ORDBL

    Spam filter Figure 175:Adding an IP address Enter the IP address/mask you want to add. If required, select before or after another IP address in the list to place the new IP address in the correct position. Select the action to take on email from the IP address. Select OK.
  • Page 346: RBL & ORDBL Options

    The action to take on email matched by the RBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to drop the session. The Delete and Edit/View icons.
  • Page 347: Email Address

    Spam filter Email address The FortiWiFi unit uses the email address list to filter incoming email. The FortiWiFi unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
  • Page 348: MIME Headers

    You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See “Using Perl regular expressions” on page 352. Note: MIME header entries are case sensitive. Examples: X-mailer: outgluck; X-Distribution: bulk; Content-Type: text/html; Content-Type: image/jpg.
  • Page 349: MIME Headers List

    MIME headers list: you can configure the FortiWiFi unit to filter email with specific MIME header key-value pairs. You can mark each MIME header as clear or spam. Figure 180: Sample MIME headers list. MIME headers list has the following icons and features: Create New…
  • Page 350: Banned Word

    …Perl regular expressions. See “Using Perl regular expressions” on page 352. This section describes: Banned word list; Banned word options; Configuring the banned word list.
  • Page 351: Banned Word Options

    Figure 182: Sample banned word list. Banned word has the following icons and features: Create New, Total, Pattern, Pattern Type, Language, Where, Action. When you select Create New or Edit you can configure the following settings for the banned word.
  • Page 352: Configuring The Banned Word List

    Mark as Clear to allow the email (since Banned Word is the last filter). Select to enable scanning for the banned word. In a regular expression an unescaped period matches any single character, so fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To match fortinet.com, the regular expression should be fortinet\.com. The asterisk repeats only the character before it, so forti*\.com matches fortiiii.com but does not match fortinet.com…
  • Page 353 Word boundary: in Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also matches any word that contains “test”, such as “atest”, “mytest”, “testimony”, “atestb”. To match only the whole word, anchor it with \b, for example \btest\b.
  • Page 354 Slashes: if a pattern begins with ‘/’, the text after the closing ‘/’ is parsed as a list of regexp options (‘i’, ‘x’, etc.). An error occurs if the second ‘/’ is missing. In regular expressions, leading and trailing spaces are treated as part of the regular expression.
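    The period, asterisk, word-boundary, option-slash and whitespace rules above, and the case-sensitivity note for the Web Filter content block on page 329, all describe the same Perl-style matching. The following Python model is an added example, not code from the FortiWiFi guide, that reproduces those rules with the re module so a pattern can be checked before it is loaded into a content block, banned word or MIME header list. Assumptions: a /regex/options pattern is split at its last ‘/’, only the i and x options are handled, wildcard patterns are compared against the whole value, and the sample strings and banned-word list are constructed.

```python
"""Perl-style pattern semantics of the FortiWiFi content block, banned
word and MIME header filters, modelled with Python's re module.

Added example, not code from the FortiWiFi guide. The test strings are
constructed for illustration. Assumptions: a pattern written as
/regex/options is split at the last '/', only the i and x options are
handled, and wildcard patterns are matched against the whole value."""
import re
from fnmatch import fnmatchcase


def compile_filter(pattern: str) -> "re.Pattern[str]":
    """Compile a pattern the way the guide describes.

    A bare regex is case sensitive and has no implicit word boundary; it
    is matched with search(), so 'test' also hits 'testimony'. Leading
    and trailing spaces are part of the pattern, so the string is never
    stripped here. '/body/opts' turns the letters after the second '/'
    into options; a missing second '/' is an error."""
    if pattern.startswith("/"):
        end = pattern.rfind("/")
        if end == 0:
            raise ValueError("missing second '/' in %r" % pattern)
        body, opts = pattern[1:end], pattern[end + 1:]
        flags = 0
        for opt in opts:
            if opt == "i":
                flags |= re.IGNORECASE
            elif opt == "x":
                flags |= re.VERBOSE
            else:
                raise ValueError("unknown regexp option %r" % opt)
        return re.compile(body, flags)
    return re.compile(pattern)


def regex_matches(pattern: str, text: str) -> bool:
    """True when the regex occurs anywhere in text (no word boundary added)."""
    return compile_filter(pattern).search(text) is not None


def wildcard_matches(pattern: str, text: str) -> bool:
    """Wildcard patterns use * and ?, are case insensitive, and here are
    assumed to cover the whole value (e.g. a full MIME header value)."""
    return fnmatchcase(text.lower(), pattern.lower())


def first_match(patterns, text: str):
    """Walk an ordered list the way the filter does and return the first
    matching (pattern, action) entry, or None when nothing matches."""
    for pattern, action in patterns:
        if regex_matches(pattern, text):
            return pattern, action
    return None


# Constructed banned-word list in the order it would be evaluated.
BANNED_WORDS = [
    (r"fortinet\.com", "spam"),   # escaped dot: the literal host name only
    (r"\btest\b", "spam"),        # whole word only, still case sensitive
    ("/bad language/i", "spam"),  # case insensitive via the i option
]

if __name__ == "__main__":
    for sample in ("mail from fortinetacom", "a Test of BAD LANGUAGE",
                   "my testimony", "visit fortinet.com now"):
        print(repr(sample), "->", first_match(BANNED_WORDS, sample))
```

    Running the block shows that "my testimony" is not caught because \btest\b is anchored, while "a Test of BAD LANGUAGE" is caught only by the /…/i entry, since the bare \btest\b pattern stays case sensitive.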
  • Page 355: Log & Report

    Log & Report: FortiWiFi units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages except traffic and content can be saved in internal memory; memory logs do not survive a restart, so send logs to a FortiLog unit or syslog server if they must be retained.
  • Page 356: Log Config

    A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiWiFi units and other firewall units. To enable content archiving with a firewall protection profile, you need to select the FortiLog option and define its IP address.
  • Page 357 Log locations: Memory, Syslog, WebTrends (Figure 185: Log setting options for all log locations). To configure Log Setting: go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
  • Page 358 Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Antivirus Log file, Web Filter Log file, Attack Log file, Spam Filter Log file, and Content Archive file. See Table 38.
  • Page 359: Syslog Settings

    To configure log file uploading: select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server. FTP sends these credentials and the log files in cleartext, so upload only across a trusted network.
  • Page 360: Alert E-mail Options

    The interval to wait before sending an alert e-mail for error level log messages. The interval to wait before sending an alert e-mail for warning level log messages. The interval to wait before sending an alert e-mail for notification level log messages.
  • Page 361: Log Filter Options

    Log & Report Information Apply Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in filter options”...
  • Page 362: Traffic Log

    The FortiWiFi unit logs all system-related events, such as ping server failure and gateway status. The FortiWiFi unit logs all IPSec negotiation events, such as progress and error reports. The FortiWiFi unit logs all DHCP events, such as the request and response log.
  • Page 363 Log & Report L2TP/PPTP/PPPoE service event Admin event HA activity event Firewall authentication event Pattern update event Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiWiFi unit detects an infected file, blocks a file type, or blocks an oversized file or email.
  • Page 364: Configuring Log Filters

    The FortiWiFi unit logs all instances of blocked email in SMTP traffic. The FortiWiFi unit logs all instances of blocked email in POP3 traffic. The FortiWiFi unit logs all instances of blocked email in IMAP traffic.
  • Page 365: Log Access

    Log access: Log Access provides access to log messages saved to the memory buffer. You can view and search logs. Figure 188: Sample list of logs stored on the FortiWiFi disk. Viewing log messages: you can view log messages saved to the memory buffer.
  • Page 366 Move selected field up one position in the Show these fields list. Move selected field down one position in the Show these fields list.
  • Page 367: Searching Log Messages

    Log & Report To change the columns in the log message display While viewing log messages, select the Column Settings icon. The Column Settings window opens. To add fields, select them in the Available fields list and select the right arrow button. To remove fields, select them in the Show these fields list and select the left arrow button.
  • Page 368: CLI Configuration

    …a FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiWiFi unit are encrypted in transit. Table defaults: status disable; all keywords available on all models.
  • Page 369: Syslogd Setting

    Log & Report log fortilog setting command keywords and variables (Continued) Keywords and variables psksecret <str_psk> server <address_ipv4> status {disable | enable} Note: The IPSec VPN settings for the FortiWiFi unit must match the VPN settings on the FortiLog unit. Example This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.
  • Page 370 server <address_ipv4>: enter the IP address of the syslog server that stores the logs (no default). status {disable | enable}: enter enable to enable logging to a remote syslog server (default disable). The facility defaults to local7 (see Table 39). All keywords are available on all models.
  • Page 371 Table 39: Facility types: alert, audit, auth, authpriv, clock, cron, daemon, kernel, local0 – local7, mail, news, syslog, user. Example: This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. This example shows how to display the log setting for logging to a remote syslog server.
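    To show what the facility keyword actually changes, here is an added Python example (not code from the FortiWiFi guide) that encodes and decodes RFC 3164 syslog lines. The facility and severity are packed into the PRI field as facility * 8 + severity, so switching from the default local7 to user changes a warning's PRI from 188 to 12; that number is what the receiving syslog daemon keys on when it files the FortiWiFi's messages separately from other hosts. The numeric codes are the RFC 3164 standard values (the guide's alert, audit and clock names correspond to codes 14, 13 and 15); the host name fwf60, the addresses and the log lines are constructed, and the FortiWiFi's real message body format is not reproduced.

```python
"""What the FortiWiFi syslog 'facility' keyword changes on the wire.

Added example, not code from the FortiWiFi guide. Facility and severity
numbers are the standard RFC 3164 codes (the guide's alert, audit and
clock names correspond to codes 14, 13 and 15); the sample log lines are
constructed here and are not real FortiWiFi output."""
import re
from typing import List, NamedTuple

FACILITIES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})

SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "information": 6, "debug": 7}

_FACILITY_NAME = {code: name for name, code in FACILITIES.items()}
_SEVERITY_NAME = {code: name for name, code in SEVERITIES.items()}

# <PRI>TIMESTAMP HOSTNAME MSG, with the BSD timestamp's space-padded day.
_LINE_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}\s{1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


class SyslogMsg(NamedTuple):
    facility: str
    severity: str
    host: str
    msg: str


def pri(facility: str, severity: str) -> int:
    """PRI is facility * 8 + severity; it is all the receiver has to go on."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def encode(facility: str, severity: str, host: str, msg: str,
           timestamp: str = "Nov  5 10:15:00") -> str:
    """Build an RFC 3164 line as a device using this facility would send it."""
    return "<%d>%s %s %s" % (pri(facility, severity), timestamp, host, msg)


def decode(line: str) -> SyslogMsg:
    """Recover facility and severity from the PRI, rejecting values > 191."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    code = int(m.group(1))
    if code > 191:
        raise ValueError("PRI out of range: %d" % code)
    return SyslogMsg(_FACILITY_NAME[code // 8], _SEVERITY_NAME[code % 8],
                     m.group(3), m.group(4))


def select_facility(lines: List[str], facility: str) -> List[SyslogMsg]:
    """Receiver-side routing: keep only the lines sent with the chosen
    facility, which is how a syslog daemon separates the FortiWiFi's
    messages from other hosts that share the same server."""
    return [m for m in map(decode, lines) if m.facility == facility]


# Constructed sample: the same event with the default facility (local7)
# and after 'set facility user', plus an unrelated cron line from another host.
SAMPLE_LINES = [
    encode("local7", "warning", "fwf60", "attack detected from 10.0.0.5"),
    encode("user", "warning", "fwf60", "attack detected from 10.0.0.5"),
    encode("cron", "information", "nas01", "job finished"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", decode(line))
```

    The decoder deliberately refuses PRI values above 191 (the largest legal facility 23 with severity 7); a receiver that silently accepts larger values will misfile forged or corrupt lines, which matters when the syslog store is used as evidence.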
  • Page 372: CLI configuration (Log & Report, continued)
  • Page 373: Fortiguard Categories

    FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiWiFi unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
  • Page 374 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.
  • Page 375 FortiGuard categories Table 40: FortiGuard categories Category name 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25.
  • Page 376 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.
  • Page 377 FortiGuard categories Table 40: FortiGuard categories Category name 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles FortiWiFi-60 Administration Guide Description Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
  • Page 378 …IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, ‘Address Allocation for Private Internets’. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities.
  • Page 379: FortiGate Maximum Values

    FortiGate maximum values The following table contains the maximum number of table, field, and list entries for FortiGate features. Feature system vdom (NAT/Route) system vdom (Transparent) system zone** system interface system interface secondaryip system interface ip6 prefix list system ipv6_tunnel system accprofile system admin system snmp...
  • Page 381 FortiGate maximum values Feature vpn ipsec phase2** vpn ipsec manualkey** vpn ipsec concentrator** vpn ipsec concentrator member** vpn ipsec vip** antivirus filepattern antivirus heuristic rules antivirus quarfilepattern antispam bword antispam ipbwl antispam rbl antispam emailbwl antispam mheader ips anomaly limit ips custom log trafficfilter rule router access list**...
  • Page 382 The number of VDOMs (2, 10, 25, 50, 100, or 250) is determined by firmware and FortiGate model (100A, 200A, 300A, 400A, 500A).
  • Page 383: Glossary

    Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
  • Page 384 SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
  • Page 385 SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address component.
  • Page 387: Index

    Index abr-type 171 access-list 182 active sessions HA monitor 102 address 204 virtual IP 220 administrator account netmask 116, 117 trusted host 117 advanced wireless setting 74 advertise 178, 192 alert email enabling 361 options 360 anomaly 304 list 304 antivirus 309 antivirus updates 127 through a proxy server 128...
  • Page 388 32 upgrading using the CLI 33, 35 upgrading using the web-based manager 32, 34 Fortilog logging settings 357 fortilog setting 368 Fortinet customer service 24 FortiProtect Distribution Network 124 FortiProtect Distribution Server 124
  • Page 389 fragmentation threshold wireless setting 74 from IP system status 31 from port system status 31, 54 ftp 235 gateway 193 Gateway IP 252 Gateway Name 252, 253 geography wireless setting 74 HA monitor 101 GRE protocol 268 group ID HA 92 grouping services 215 groups user 245...
  • Page 390 384 mtu-ignore 188 introduction 16 push update 130 NAT/Route mode introduction 16 natip 204 Nat-traversal 255 netmask administrator account 116, 117 network address translation introduction 16 network intrusion detection 17 network utilization HA monitor 102 network-type 189
  • Page 391 next hop router 52 none HA schedule 94 nssa-default-information-originate 174 nssa-default-information-originate-metric 174 nssa-default-information-originate-metric-typ 174 nssa-redistribution 174 nssa-translator-role 175 NTP 210, 384 NTP server 88 setting system date and time 87 one-time schedule creating 217, 219 operation mode wireless setting 74 Optional Information 277 options changing system options 88...
  • Page 392 Syslog logging settings 359 system configuration 87 system date and time setting 87 system options changing 88 tag 191, 192 custom service 212, 213 technical support 24 threshold 307 time setting 87 time zone 88 Timeout 257, 264, 265
  • Page 393 timeout firewall authentication 89 idle 89 web-based manager 89 to IP system status 31 to port system status 31 total bytes HA monitor 102 total packets HA monitor 102 Traffic Priority 201 transmit-delay 181, 189 Transparent mode 16 traps SNMP 108 Troubleshooting 296 trusted host administrator account 117...
  • Page 394 74 RTS threshold 74 settings 73 SSID 74 SSID broadcast 74 to configure wireless settings 76 Tx power 74 wireless security mode 74 WLAN interface 73 XAuth 255 Enable as Client 255 Enable as Server 256