FortiGate-100 Installation and Configuration Guide. FortiGate User Manual, Volume 1, Version 2.50 MR2, 18 August 2003...
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance: FCC Class A Part 15, CSA/CUS.
For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Logging and Reporting ... 21
About this document ... 22
Document conventions ... 23
Fortinet documentation ... 24
Comments on Fortinet technical documentation ... 24
Customer service and technical support ... 25
Getting started ... 27
Package contents ... 28
Mounting ... 28
Powering on ...
Reconnecting to the web-based manager ... 58
Using the command line interface ... 59
Changing to Transparent mode ... 59
Configuring the Transparent mode management IP address ... 59
Configure the Transparent mode default gateway ... 59
Connecting the FortiGate unit to your networks ... 60
Completing the configuration ... 61
Setting the date and time ... 61
Enabling antivirus protection ... 61
Registering your FortiGate ... 61
Configuring virus and attack definition updates ... 61
Transparent mode configuration examples ... 62
Default routes and static routes ... 62
Example default route to an external network ...
FortiCare Service Contracts ... 101
Registering the FortiGate unit ... 102
Updating registration information ... 104
Recovering a lost Fortinet support password ... 104
Viewing the list of registered FortiGate units ... 104
Registering a new FortiGate unit ... 105
Adding or changing a FortiCare Support Contract number ... 105
Changing your Fortinet support password ...
Configuring routing ... 115
Adding a default route ... 116
Adding destination-based routes to the routing table ... 116
Adding routes in Transparent mode ... 117
Configuring the routing table ... 118
Policy routing ... 118
Providing DHCP services to your internal network ... 119
RIP configuration ...
Adding user names and configuring authentication ... 174
Deleting user names from the internal database ... 175
Configuring RADIUS support ... 176
Adding RADIUS servers ... 176
Deleting RADIUS servers ... 176
Configuring LDAP support ... 177
Adding LDAP servers ... 177
Deleting LDAP servers ... 178
Configuring user groups ... 179
Adding user groups ... 179
Deleting user groups ... 180
IPSec VPN ... 181
Key management ... 182
Manual Keys ... 182
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ... 182
Manual key IPSec VPNs ...
Adding words and phrases to the banned word list ... 236
URL blocking ... 237
Using the FortiGate web filter ... 237
Using the Cerberian web filter ... 240
Script filtering ... 242
Enabling the script filter ... 242
Selecting script filter options ... 242
Exempt URL list ... 243
Adding URLs to the exempt URL list ... 243
Email filter ... 245
General configuration steps ... 245
Email banned word list ... 246
Adding words and phrases to the banned word list ... 246
Email block list ... 247
Adding address patterns to the email block list ...
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks.
PKZip format,
• detect viruses in e-mail that has been encoded using uuencode format,
• detect viruses in e-mail that has been encoded using MIME encoding,
• log all actions taken while scanning.
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails. Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate to automatically check for and download attack definition updates.
Secure installation, configuration, and management
Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network.
This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.
System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions” on page Direct connection to the Fortinet tech support web page from the web-based manager. You can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units”...
• Phase 2 AES encryption
• Encryption policies select service
• Generate and import local certificates
• Import CA certificates
“RIP configuration” on page 121. 136. “Default firewall configuration”. “Virtual IPs” on page 160. “Content profiles” on page 177. 169.
NIDS
See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include: •...
Antivirus
See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality. New features include: •...
Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate. Glossary defines many of the terms used in this document.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords. For example: execute restore config <filename_str>. You enter restore config myfile.bak
• <xxx_str>...
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.
Volume 1: FortiGate Installation and Configuration Guide. Describes installation and basic configuration for the FortiGate unit.
Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following: •...
Package contents figure: FortiGate-100 unit; Ethernet cables (orange: crossover, grey: straight-through); null-modem cable (RS-232); QuickStart Guide; User Manual and documentation.
Environmental specifications
•...
Powering on
To power on the FortiGate-100 unit: Connect the AC adapter to the power connection at the back of the FortiGate-100 unit. Connect the AC adapter to the power cable. Connect the power cable to a power outlet. The FortiGate-100 unit starts up.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service. To connect to the FortiGate CLI, you need: •...
Factory default Transparent mode network configuration
If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3 (Factory default Transparent mode network configuration: administrator account, management IP, management access).
Factory default firewall configuration
The factory default firewall configuration is the same in NAT/Route and Transparent mode.
Log Traffic is not selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Table (continued): content profile settings for Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block, and Pass Fragmented Emails across the HTTP, IMAP, POP3, and SMTP protocols (set to pass).
Planning your FortiGate configuration
Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces.
Figure 6: Example Transparent mode network configuration
External is the default interface to the external network (usually the Internet). DMZ is the redundant interface to the external network. Internal is the interface to the internal network.
You can connect up to three network segments to the FortiGate unit to control traffic between these network segments. •...
Configuration options
Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit. You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Next steps
Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation”...
NAT/Route mode installation
This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see page . This chapter describes: •...
The FortiGate unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
Use Table 12 to record the IP address and netmask of the FortiGate DMZ interface if ... IP address: ___.___.___.___ Netmask: ___.___.___.___
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page .
Starting the setup wizard
Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). Enter:
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example:
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2
(See Table 10 on page and Table 12 on page 44.)
Connecting the FortiGate unit to your networks
When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. There are three 10/100Base-TX connectors on the FortiGate-100: •...
FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. To set the FortiGate system date and time, see “Setting system date and time” on page 129. Go to Firewall > Policy > Int->Ext.
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.
Figure 8: Example multiple Internet connection configuration
(see “Configuring routing” on page 115) and FortiGate firewall configuration (see “Firewall configuration” on page 141).
• Configuring Ping servers
• Destination based routing examples
• Policy routing examples
• Firewall policy example
Configuring Ping servers
Use the following procedure to make Gateway 1 the ping server for the external interface and Gateway 2 the ping server for the DMZ interface. Go to System > Network > Interface. For the external interface, select Modify •...
Device #1: external. Device #2: dmz. Select OK. (Figure 8 on page 50: Device #1 external, Gateway #2 2.2.2.1, 1.1.1.1; users on the Internal ...)
Select New to add a route for connections to the network of ISP1. •...
Select New to add a route for connections to the network of ISP2. •...
set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1
Routing traffic from internal subnets to different external networks
Routing a service to an external network
(Figure 8 on page 50; see “Policy routing” on page 118.)
Firewall policy example
Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple Internet connections has been configured, you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.
Because redundant policies have not been added, SMTP traffic from the Internet network is always connected to ISP1. If the connection to ISP1 fails, the SMTP connection is not available. (Figure 8 on page 50)
Transparent mode installation
This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page . This chapter describes: •...
If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field. Use Table 16 on page 57 to fill in the wizard fields.
Using the command line interface
As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page .
Changing to Transparent mode
Log into the CLI if you are not already logged in.
• Internal for connecting to your internal network
• External for connecting to the Internet
• DMZ for connecting to another network
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.
Example default route to an external network
Example static route to an external destination
Example static route to an internal destination
0.0.0.0 (IP address), 0.0.0.0 (Netmask); 172.100.100.0 (IP address), 255.255.255.0 (Netmask)
“Updating antivirus and attack
Note: When adding routes to the FortiGate unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.
Example default route to an external network
(Figure 10) ... computer, are located on the external network.
CLI configuration steps
To configure the Fortinet basic settings and a default route using the CLI:
• Change the system to operate in Transparent Mode.
• Add the Management IP address and Netmask.
• Add the default route to the external network.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 11: Static route to an external destination
General configuration steps
Set the FortiGate unit to operate in Transparent mode. Configure the Management IP address and Netmask of the FortiGate unit.
CLI configuration steps
To configure the Fortinet basic settings and a static route using the CLI:
• Set the system to operate in Transparent Mode.
• Add the Management IP address and Netmask.
• Add the static route to the primary FortiResponse server.
Example static route to an internal destination
In Figure 12, the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway: 192.168.1.2
Select OK.
set system opmode transparent
set system management ip 192.168.1.1 255.255.255.0
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
set system route number 2 gw1 192.168.1.2
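As an added example (not Fortinet's code), the following Python script parses the two route commands above and checks the ordering rule from the note on default routes: it assumes the route list is matched top to bottom, first match wins, and it uses a constructed reversed configuration for contrast.

```python
"""Ordered route lookup and ordering check for a FortiGate 2.50-style route list.
Added example, not Fortinet code. It parses 'set system route' commands as they
appear on this page and flags routes that a lower-numbered route makes unreachable,
which is what happens when the default route is added before a static route."""
import ipaddress


def parse_route_cmd(cmd):
    """Parse one 'set system route number N [dst IP MASK] gw1 GW [gw2 GW]' line.
    A route without 'dst' is the default route 0.0.0.0/0 (as in the page's
    'set system route number 2 gw1 192.168.1.2')."""
    tok = cmd.split()
    if tok[:4] != ["set", "system", "route", "number"]:
        raise ValueError(f"not a route command: {cmd!r}")
    number = int(tok[4])
    dst = ipaddress.ip_network("0.0.0.0/0")
    gateways = []
    i = 5
    while i < len(tok):
        if tok[i] == "dst":
            # strict=False accepts a host address with a mask
            # (172.16.1.11/255.255.255.0 becomes 172.16.1.0/24).
            dst = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
            i += 3
        elif tok[i] in ("gw1", "gw2"):
            gateways.append(str(ipaddress.ip_address(tok[i + 1])))
            i += 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r} in {cmd!r}")
    if not gateways:
        raise ValueError(f"route {number} has no gateway")
    return {"number": number, "dst": dst, "gateways": gateways}


def lookup(routes, addr):
    """Return (route number, gw1) of the first route, in route-number order,
    whose destination contains addr, or None. Assumption: the unit matches the
    list top to bottom and stops at the first hit, as the page's note implies."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(routes, key=lambda r: r["number"]):
        if ip in r["dst"]:
            return r["number"], r["gateways"][0]
    return None


def shadowed_routes(routes):
    """Return the numbers of routes that can never match because an earlier
    (lower-numbered) route already covers their whole destination, for example
    a default route placed above a static route."""
    ordered = sorted(routes, key=lambda r: r["number"])
    shadowed = []
    for idx, r in enumerate(ordered):
        if any(r["dst"].subnet_of(earlier["dst"]) for earlier in ordered[:idx]):
            shadowed.append(r["number"])
    return shadowed


# The two route commands from this page's Transparent mode example.
PAGE_CONFIG = [
    "set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3",
    "set system route number 2 gw1 192.168.1.2",
]
# Constructed counter-example: the same routes with the default route added first.
DEFAULT_FIRST = [
    "set system route number 1 gw1 192.168.1.2",
    "set system route number 2 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3",
]


def evaluate(cmds, probe="172.16.1.11"):
    """Parse a command list, look up the probe address, and report shadowed routes."""
    routes = [parse_route_cmd(c) for c in cmds]
    return {"match": lookup(routes, probe), "shadowed": shadowed_routes(routes)}


if __name__ == "__main__":
    print("page order   :", evaluate(PAGE_CONFIG))
    print("default first:", evaluate(DEFAULT_FIRST))
```

With the page's order the management subnet is reached through 192.168.1.3; with the default route first, the same traffic goes to 192.168.1.2 and route 2 is reported as shadowed.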
System status
You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
The new host name appears on the System Status page and is added to the SNMP System Name.
Changing the FortiGate firmware
After you download a FortiGate firmware image from Fortinet, you can use the procedures in Table 1: Firmware upgrade procedures...
Upgrade to a new firmware version
Use the following procedures to upgrade your FortiGate to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure on page 95. Copy the firmware image file to your management computer. Log in to the FortiGate web-based manager as the admin administrative user.
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
get system objver
Install a firmware image from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to default settings.
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
execute reboot
Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear. •...
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
execute reboot
Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface. The following message appears:
Enter File Name [image.out]:
Enter the firmware image file name and press Enter.
Get firmware image from TFTP server.
Format boot device.
Boot with backup firmware and set as default.
Quit menu and continue to boot with default firmware.
Display this list of options.
execute reboot
Switching to the backup firmware image
Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image.
System > Update and selecting Update Now. Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
System > Update and selecting Update Now. Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
The FortiGate unit restarts with the configuration that it had when it was first powered on. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. To restore your system settings, see “Restoring system settings” on page .
Changing to Transparent mode
Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode, its configuration resets to Transparent mode factory defaults. Go to System > Status. Select Change to Transparent Mode.
If CPU and memory use is high, the FortiGate unit is performing near its full capacity. Placing additional demands on the system could lead to traffic processing delays.
• Viewing CPU and memory status
• Viewing sessions and network status
• Viewing virus and intrusions status
Figure 1: CPU and memory status monitor
CPU and memory intensive processes such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets will increase CPU and memory usage. Go to System >...
Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours.
Figure 3: Sessions and network status monitor
Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
Figure 4: Example session list
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time, in seconds, before the connection expires.
Clear: Stop an active communication session.
Network (FDN) to update the antivirus and attack definitions and antivirus engine. You have the following update options: •... To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page. This chapter describes:
• Configuring update logging
• Adding an override server
• Manually updating antivirus and attack definitions
• Configuring push updates
• Push updates through a NAT device
• Scheduled updates through a proxy server
“Configuring push updates” on
To make sure the FortiGate unit can connect to the FDN: Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area. Go to System >...
The FortiGate unit records a log message whenever an update attempt is successful. The FortiGate unit records a log message whenever it cannot connect to the FDN or whenever it receives an error message from the FDN.
Adding an override server
If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server. Go to System >...
FortiGate unit using either port 9443 or an override push port that you assign.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP.
If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99. Set the Map to Port to 9443. Set Protocol to UDP. Select OK.
Figure 3: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device: Add a new external to internal firewall policy. Configure the policy with the following settings: Source, Destination, Schedule...
HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server may have to be configured to allow connections on this port.
For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing.
Your contact information including:
• First and last name
• Company name
• Email address (Your Fortinet support login user name and password will be sent to this email address.)
• Address
• Contact phone number
A security question and an answer to the security question.
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password are sent to the email address provided with your Contact information.
Recovering a lost Fortinet support password
Updating registration information
You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes: •...
Figure 7: Sample list of registered FortiGate units
Registering a new FortiGate unit
Go to System > Update > Support and select Support Login. Enter your Fortinet support user name and password. Select Login. Select Add Registration. Select the model number of the Product Model to register.
Make the required changes to your contact information. Make the required changes to your security question and answer. Select Update Profile. Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.
Downloading virus and attack definitions updates
Use the following procedure to manually download virus and attack definitions updates.
FortiGate unit is still protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 Network configuration Go to System > Network to make any of the following changes to the FortiGate network settings: • • • • Configuring interfaces Use the following procedures to configure interfaces: •...
If the link status is a green arrow, the interface is up and can accept network traffic. If the link status is a red arrow, the interface is down and cannot accept traffic. To bring an interface up, see “Bringing up an interface”.
You can also configure management access and add a ping server to the secondary IP address.
set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
set system interface <intf_str> config secgwdetect enable
Adding a ping server to an interface
Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface.
For the external interface, select Modify. Set Addressing mode to DHCP and select OK to change to DHCP mode. Both the IP address and Netmask change to 0.0.0.0.
Select Connect to DHCP server to automatically connect to a DHCP server. If you do not select Connect to DHCP server, the FortiGate unit will not connect to a DHCP server. You can deselect this option if you are configuring the FortiGate unit offline.
To allow a remote SNMP manager to request SNMP information by connecting to the management interface. See “Configuring SNMP” on page 134.
To allow Telnet connections to the CLI using the management interface. Telnet connections are not secure and can be intercepted by a third party.
Figure 2: Configuring the management interface
Adding DNS server IP addresses
Several FortiGate functions, including sending email alerts and URL blocking, use DNS. To set the DNS server addresses: Go to System > Network > DNS. Change the primary and secondary DNS server addresses as required. Select Apply to save your changes.
If you are adding a static route from the FortiGate unit to a single destination router, you only need to specify one gateway. Optionally, add the IP address of Gateway #2 if you want to route traffic to multiple gateways.
Set Device #1 to the FortiGate interface through which to route traffic to connect to Gateway #1. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules:
“Adding a ping server to an interface” on page 111.
to remove a route from the routing table, and to change its order in the routing
Source address
Protocol, service type, or port range
Incoming or source interface
The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet using the matched destination route.
For more information about IP/MAC binding, see “IP/MAC binding” on page 166. To view the dynamic IP list: Go to System > Network > DHCP. Select Dynamic IP List. The dynamic IP list is displayed.
Figure 5: Example Dynamic IP list
RIP configuration
The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP messages to carry more information and support simple authentication.
Add an output delay if you are configuring RIP on a FortiGate unit that could be sending packets to a router that cannot receive the packets at the rate the FortiGate unit is sending them. The default output delay is 0 milliseconds.
Update: The time interval in seconds between sending routing table updates. The default is 30 seconds.
Invalid: The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update.
Holddown
Flush
Select Apply to save your changes.
Figure 1: Configuring RIP settings
Note: MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit. Using MD5 authentication, the password is added to the routing message and MD5 is applied to create the MD5 digest of the routing message. The password is replaced in the routing message with this MD5 digest and this message is broadcast.
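The note above describes a keyed-digest scheme: the shared password is appended to the update, MD5 is computed over the result, and the digest takes the password's place in the transmitted message, so a receiver holding the same password can recompute and compare. The Python below is an added illustration written for this page, not Fortinet code; it models that scheme in simplified form (the real RIPv2 authentication trailer layout, sequence numbers and key IDs of RFC 2082 are omitted). The password, the sample route entries and the function names are assumptions.

```python
import hashlib
import hmac

# Added illustration, not Fortinet code. Models the keyed-MD5 scheme the note
# describes: digest = MD5(routing_message || padded_key); the key is replaced by
# the digest in the message that is sent. RIP MD5 keys are 16 bytes; shorter
# passwords are zero-padded (assumption for this model).
KEY_LEN = 16


def pad_key(password: bytes) -> bytes:
    """Zero-pad (or truncate) the password to the fixed 16-byte key length."""
    return password[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def sign_update(routing_message: bytes, password: bytes) -> bytes:
    """Return the message as sent: body followed by MD5(body || key)."""
    digest = hashlib.md5(routing_message + pad_key(password)).digest()
    return routing_message + digest


def verify_update(wire: bytes, password: bytes) -> bool:
    """Receiver recomputes MD5(body || key) and compares in constant time."""
    if len(wire) < KEY_LEN:
        return False
    body, received = wire[:-KEY_LEN], wire[-KEY_LEN:]
    expected = hashlib.md5(body + pad_key(password)).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample RIPv2 response with two route entries
# (AFI=2, route tag, prefix, mask, next hop, metric); values are made up.
SAMPLE_UPDATE = (
    b"\x02\x02\x00\x00"  # command=response, version=2, unused
    + b"\x00\x02\x00\x00" + bytes([10, 1, 0, 0]) + bytes([255, 255, 0, 0])
    + bytes([0, 0, 0, 0]) + (1).to_bytes(4, "big")
    + b"\x00\x02\x00\x00" + bytes([10, 2, 0, 0]) + bytes([255, 255, 0, 0])
    + bytes([0, 0, 0, 0]) + (2).to_bytes(4, "big")
)

PASSWORD = b"fortinet-rip"  # constructed shared secret


def demo():
    """Show that a genuine update verifies and a modified one does not."""
    wire = sign_update(SAMPLE_UPDATE, PASSWORD)
    genuine_ok = verify_update(wire, PASSWORD)

    # Change the second route's metric in transit: the digest no longer matches.
    tampered = bytearray(wire)
    tampered[-KEY_LEN - 1] ^= 0x01
    tampered_ok = verify_update(bytes(tampered), PASSWORD)

    # A receiver configured with a different password also rejects it.
    wrong_password_ok = verify_update(wire, b"other-password")
    return genuine_ok, tampered_ok, wrong_password_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The digest gives integrity and origin authentication against anyone who does not hold the password; it does not hide the routes, which are still sent in clear.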
Adding a single RIP filter
Adding a RIP filter list
Adding a neighbors filter
Adding a routes filter
“Adding a RIP filter list” on page 127.
Filter Name
Blank Filter
Mask
Action
Interface
Select OK to save the RIP filter.
Adding a RIP filter list
Add a RIP filter list to filter multiple routes. A RIP filter list consists of a RIP filter name and a series of route prefixes.
For Routes Filter, select the name of the RIP filter or RIP filter list to become the routes filter. Select Apply. Routes sent by the FortiGate unit are filtered using the selected RIP filter or RIP filter list.
Figure 3: Example RIP Filter configuration
System configuration
Go to System > Config to make any of the following changes to the FortiGate system configuration:
Setting system date and time
For effective scheduling and logging, the FortiGate system time should be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
The default idle time out is 5 minutes. The maximum idle time out is 480 minutes (8 hours).
Set the system idle timeout.
Set the authentication timeout.
Select the language for the web-based manager.
Modify the dead gateway detection settings.
To set the Auth timeout
For Auth Timeout, type a number in minutes. Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see authentication” on page The default Auth Timeout is 15 minutes.
FortiGate unit, and shut down the FortiGate unit. There is only one admin user.
edit, or delete administrator accounts.
Can change own administrator account password. Cannot make changes to system settings from the System > Status page.
Can view the FortiGate configuration.
Editing administrator accounts
The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.
SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile the Fortinet proprietary MIBs and the standard MIBs into the SNMP manager.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you will not have to re-compile them.
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager. The FortiGate agent sends the traps listed in...
This section describes:
Figure 3: Sample replacement message
Customizing replacement messages
Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message list and add and edit the replacement message sections as required.
IP address of web page that sent the virus.
The IP address of the computer that would have received the virus. For POP3 this is the IP address of the user’s computer that attempted to download the email containing the virus.
Table 4: Alert email message sections
Block alert
Section Start
Allowed Tags
Critical event
Section Start
Allowed Tags
Section End
%%EMAIL_FROM%%: The email address of the sender of the message in which the virus was found.
%%EMAIL_TO%%: The email address of the intended receiver of the message in which the virus was found.
Customizing alert emails
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
External_All, added to the external interface, this address matches all addresses on the external network.
DMZ_All, added to the DMZ interface, this address matches all addresses on the DMZ network.
“Virtual IPs” on page 160.
Services
Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall.
Arranging policies in a policy list is described in “Configuring policy lists” on page 149. See “Firewall policy options” on page 145 for information about policy options.
Figure 5: Adding a NAT/Route policy
Firewall policy options
This section describes the options that you can add to firewall policies.
Source
Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see
Destination
Select an address or address group that matches the destination address of the...
Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
Authentication
Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To add and configure user groups, see you can select Authentication.
Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 249.
Comments
Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts.
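The first-match rule above has a practical consequence: a specific policy placed below a general one that covers it can never be reached. The Python below is an added example written for this page, not FortiGate code; it models the top-down lookup with a small constructed policy list and adds a check that reports such shadowed policies. Address names, CIDR values, service names and the function names are assumptions; addresses stand in for the address/address-group objects the guide describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not FortiGate code. Models the first-match policy lookup and
# reports policies that an earlier, more general policy fully covers.


@dataclass(frozen=True)
class Policy:
    name: str
    source: str       # CIDR; "0.0.0.0/0" plays the role of an *_All address
    destination: str  # CIDR
    service: str      # "ANY" or one service name such as "HTTP"
    action: str       # "ACCEPT" or "DENY"


def _covers(policy_net: str, addr_or_net: str) -> bool:
    """True if the policy's address object contains the given host or network."""
    net = ipaddress.ip_network(policy_net, strict=False)
    other = ipaddress.ip_network(addr_or_net, strict=False)
    return other.subnet_of(net)


def _service_covers(policy_service: str, service: str) -> bool:
    return policy_service == "ANY" or policy_service == service


def match_policy(policies: List[Policy], src: str, dst: str,
                 service: str) -> Optional[Policy]:
    """Walk the list from the top and return the first policy that matches."""
    for p in policies:
        if (_covers(p.source, src) and _covers(p.destination, dst)
                and _service_covers(p.service, service)):
            return p
    return None  # no policy matched: the connection is not accepted


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Names of policies that some earlier policy fully covers (never reached)."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and _service_covers(earlier.service, later.service)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed policy list in the wrong order: the general ACCEPT sits above the
# specific DENY, so the DENY is shadowed and the host is never blocked.
SAMPLE_POLICIES = [
    Policy("Internal_All->External_All ANY", "192.168.20.0/24", "0.0.0.0/0", "ANY", "ACCEPT"),
    Policy("Block host 192.168.20.1 HTTP", "192.168.20.1/32", "0.0.0.0/0", "HTTP", "DENY"),
]


def demo():
    """Return the action taken for the blocked host before and after reordering."""
    before = match_policy(SAMPLE_POLICIES, "192.168.20.1", "203.0.113.10", "HTTP").action
    fixed = list(reversed(SAMPLE_POLICIES))  # specific first, general last
    after = match_policy(fixed, "192.168.20.1", "203.0.113.10", "HTTP").action
    return before, after, shadowed_policies(SAMPLE_POLICIES), shadowed_policies(fixed)


if __name__ == "__main__":
    print(demo())
```

Running the shadow check after every policy change is a cheap way to catch the ordering mistake the guide warns about before traffic does.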
The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0).
A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.255).
All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0).
“System status” on page
This section describes:
Adding addresses
Go to Firewall > Address. Select the interface to which to add the address. Select New to add a new address. Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Address groups cannot have the same names as individual addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy. Go to Firewall > Address > Group.
Select the interface to which to add the address group. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
ISAKMP for IPSEC.
Internet Message Access Protocol is a protocol used for retrieving email messages.
Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL.
Protocol Port
5190-5194
1720, 1503
Table 5: FortiGate predefined services (Continued)
Service name: L2TP, LDAP, NetMeeting, NNTP, OSPF, PC-Anywhere, PING, POP3, PPTP, QUAKE, RAUDIO, RLOGIN, SMTP, SNMP, SYSLOG, TALK
Description
Internet Relay Chat allows people connected to the Internet to join live discussions.
L2TP is a PPP-based tunnel protocol for remote access.
Wide Area Information Server. An Internet search protocol.
For WinFrame communications between computers running Windows NT.
For remote communications between an X-Window server and X-Window clients.
Protocol Port
0-65535
0-65535
7000-7010
1494
6000-6063
Select New. Enter a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time. Go to Firewall > Schedule > Recurring. Select New to create a new schedule.
Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Select the days of the week on which the schedule should be active. Set the Start and Stop hours in between which the schedule should be active.
This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.
Adding static NAT virtual IPs
Adding port forwarding virtual IPs
Adding policies with virtual IPs
In the External IP Address field, enter the external IP address to be mapped to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server.
Select the protocol to be used by the forwarded packets. Select OK to save the port forwarding virtual IP.
Figure 13: Adding a port forwarding virtual IP
Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets. Go to Firewall > Policy. Select the type of policy to add.
Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.
Adding an IP pool
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
Select OK to save the IP pool.
Figure 14: Adding an IP Pool
IP Pools for firewall policies that use fixed ports
Some network configurations will not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service.
The dynamic IP/MAC binding table is not available in
“Providing DHCP services to your
119.
Configuring IP/MAC binding for packets going through the firewall
Configuring IP/MAC binding for packets going to the firewall
Adding IP/MAC addresses
Viewing the dynamic IP/MAC list
Enabling IP/MAC binding
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
Configuring IP/MAC binding for packets going to the firewall
Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the FortiGate unit for management).
Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Select Apply to save your changes.
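To make the Allow traffic / Block traffic setting concrete, the Python below is an added example written for this page, not FortiGate code. It models a binding list of IP/MAC pairs and the two settings for pairs that are not listed, and runs a few constructed source pairs through the check. One rule is an assumption made here rather than taken from the guide: a packet whose IP or MAC is in the list but paired with the wrong partner is blocked regardless of the setting, since that half-match is the spoofing the binding exists to catch. The MAC address used with the guide's 1.1.1.1 example, the other sample pairs and all names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not FortiGate code. Models IP/MAC binding: a list of bound
# IP/MAC pairs plus one setting ("allow" or "block") for pairs not in the list.
# Assumption: a pair that matches only the IP or only the MAC of a binding is
# blocked regardless of the setting.


@dataclass
class IpMacBinding:
    bindings: Dict[str, str]        # IP -> bound MAC
    unlisted_action: str = "block"  # what to do with pairs not in the list

    def __post_init__(self):
        if self.unlisted_action not in ("allow", "block"):
            raise ValueError("unlisted_action must be 'allow' or 'block'")
        # Normalise MAC case and build the reverse index once.
        self.bindings = {ip: mac.lower() for ip, mac in self.bindings.items()}
        self._mac_to_ip = {mac: ip for ip, mac in self.bindings.items()}

    def check(self, ip: str, mac: str) -> str:
        """Return 'pass: ...' or 'block: ...' for one source IP/MAC pair."""
        mac = mac.lower()
        bound_mac = self.bindings.get(ip)
        bound_ip = self._mac_to_ip.get(mac)
        if bound_mac is not None and bound_mac == mac:
            return "pass: bound pair"
        if bound_mac is not None:
            return "block: IP is bound to a different MAC"
        if bound_ip is not None:
            return "block: MAC is bound to a different IP"
        if self.unlisted_action == "allow":
            return "pass: unlisted pair allowed"
        return "block: unlisted pair blocked"


# Constructed binding: the guide's example IP with a constructed MAC.
SAMPLE_BINDING = IpMacBinding({"1.1.1.1": "12:34:56:78:90:ab"}, unlisted_action="block")

# Constructed sample of (IP, MAC) pairs seen arriving at the firewall.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("1.1.1.1", "12:34:56:78:90:AB"),  # the bound pair, MAC in upper case
    ("1.1.1.1", "00:11:22:33:44:55"),  # another host using the bound IP
    ("1.1.1.2", "12:34:56:78:90:ab"),  # the bound MAC using another IP
    ("1.1.1.3", "66:77:88:99:aa:bb"),  # pair not in the list
]


def filter_packets(binding: IpMacBinding, packets) -> List[str]:
    """Apply the binding check to every pair and return the verdicts in order."""
    return [binding.check(ip, mac) for ip, mac in packets]


if __name__ == "__main__":
    for (ip, mac), verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_BINDING, SAMPLE_PACKETS)):
        print(f"{ip:10} {mac}  {verdict}")
```

With unlisted_action set to "allow", only the last sample pair changes outcome; the two half-matches stay blocked, which is what makes the setting safe to relax for unmanaged hosts while still protecting the bound ones.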
Figure 15: IP/MAC settings
Content profiles
Use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles to:
Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies.
You should only enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See blocking” on page 233. Block unwanted web pages and web sites. This option adds Fortinet URL blocking (see “URL blocking” on page filtering (see “Using the Cerberian web filter”...
Email Content Block
Add a subject tag to email that contains unwanted words or phrases.
Enable fragmented email and oversized file and email options.
Oversized File/Email: Block, Pass
Fragmented Email
Select OK.
Figure 16: Example content profile
Adding a content profile to a policy
You can add content profiles to policies with action set to allow or encrypt and with Service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
Select New to add a new policy, or choose a policy and select Edit. Select Anti-Virus & Web filter. Select a content profile. Configure the remaining policy settings if required. Select OK. Repeat this procedure for any policies for which to enable network protection.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database.
Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. “Configuring RADIUS support” on page 177. 176.
Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. Select OK.
Figure 17: Adding a user name
Deleting user names from the internal database
You cannot delete user names that have been added to user groups.
Adding RADIUS servers
Deleting RADIUS servers
You cannot delete RADIUS servers that have been added to user groups. Go to User > RADIUS. Select Delete beside the RADIUS server name that you want to delete. Select OK.
Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
Figure 19: Example LDAP configuration
Deleting LDAP servers
You cannot delete LDAP servers that have been added to user groups. Go to User > LDAP. Select Delete beside the LDAP server name that you want to delete. Select OK.
Configuring user groups
To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
You cannot delete user groups that have been selected in a policy, a dialup user phase1 configuration, or in a PPTP or L2TP configuration. To delete a user group: Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
IPSec VPN
A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices.
IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.
AutoIKE with pre-shared keys
When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other.
Manual key IPSec VPNs
When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers.
16 characters. Enter a 40 character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments—the first of 16 characters; the second of 24 characters. “Adding a VPN concentrator” on page 201.
AutoIKE IPSec VPNs
Fortinet supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
General configuration steps for an AutoIKE VPN
An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 191.
CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.) Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
VPN peer proactively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
Figure 21: Adding a phase 1 configuration
Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Select OK to save the AutoIKE key VPN tunnel.
“Adding a phase 1 configuration for an AutoIKE VPN” on page 203.
“Adding a VPN concentrator” on page 201
185. “Redundant IPSec
VPN tunnel being set up between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
FortiGate unit (such as Manufacturing or MF). Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet). Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
Figure 23: Adding a Local Certificate
Downloading the certificate request
With this procedure, you download the certificate request from the FortiGate unit to the management computer. To download the certificate request: Go to VPN > Local Certificates. Select Download. Select Save.
Go to VPN > Local Certificates. Select Import.
add a base64 encoded PKCS#10 certificate request to the CA web server,
paste the certificate request to the CA web server,
submit the certificate request to the CA web server.
Enter the path or browse to locate the signed local certificate on the management computer. Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK.
Obtaining a CA certificate
For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority.
Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
Logging so that the FortiGate unit logs all connections that use the VPN.
Adding a source address
Adding a destination address
Adding an encrypt policy
Adding a source address
The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network. Go to Firewall > Address. Select an internal interface. (Methods will differ slightly between FortiGate models.) Select New to add an address.
Destination. (This will be a public IP address.)
The tunnel, and the traffic within the tunnel, can only be initiated at the end which implements Outbound NAT.
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
The VPN spoke address.
ENCRYPT
The VPN spoke tunnel name.
Select allow inbound.
Select inbound NAT if required.
“Adding an encrypt policy” on page
encrypt policies
default non-encrypt policy (Internal_All -> External_All)
Adding a VPN concentrator
To add a VPN concentrator configuration: Go to VPN > IPSec > Concentrator. Select New to add a VPN concentrator. Enter the name of the new concentrator in the Concentrator Name field. To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
Do not enable.
Select inbound NAT if required.
“Adding an encrypt policy” on page
The local VPN spoke address.
External_All
“Manual key IPSec VPNs” on page
“AutoIKE IPSec VPNs” on page
Action
VPN Tunnel
Allow inbound
Allow outbound: Do not enable.
Inbound NAT
Outbound NAT: Select outbound NAT if required.
Arrange the policies in the following order:
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
Internal->External and an Internal->DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy.
“Adding an encrypt policy” on page
Monitoring and Troubleshooting VPNs
This section provides a number of general maintenance and monitoring procedures for VPNs. This section describes:
Viewing VPN tunnel status
You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels.
The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
PPTP and L2TP VPN
You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are Windows standards, PPTP and L2TP do not require third-party software on the client computer.
Select the User Group that you added in page
Select Apply to enable PPTP through the FortiGate unit.
“Adding user names and configuring authentication” on page
“Configuring user groups” on page 208.
174. 179. “Adding users and user groups” on
Figure 30: Example PPTP Range configuration
Adding a source address
Add a source address for every address in the PPTP address range. Go to Firewall > Address. Select the interface to which PPTP clients connect. Select New to add an address. Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
Installing PPTP support
Go to Start > Settings > Control Panel > Network. Select Add. Select Adapter. Select Add. Select Microsoft as the manufacturer. Select Microsoft Virtual Private Networking Adapter. Select OK twice.
Insert diskettes or CDs as required. Restart the computer.
Configuring a PPTP dialup connection
Go to My Computer > Dial-Up Networking > Configuration. Double-click Make New Connection. Name the connection and select Next. Enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish.
Note: If a RADIUS server is used for authentication, do not select Require data encryption. PPTP encryption is not supported for RADIUS server authentication.

Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected.
Select the Networking tab. Make sure that the following options are selected:

Make sure that the following options are not selected:

Select OK.

Connecting to the PPTP VPN

Connect to your ISP. Start the VPN connection that you configured in the previous procedure.
Select the User Group that you added in “Configuring user groups” on page 179. Select Apply to enable L2TP through the FortiGate unit. See also “Adding user names and configuring authentication” on page 174 and “Adding users and user groups”.
Figure 32: Sample L2TP address range configuration

Add the addresses from the L2TP address range to the external interface address list. The addresses can be grouped into an external address group. Add addresses to the destination interface address list to control the addresses to which L2TP clients can connect.
Set Action to ACCEPT. Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for L2TP policies. Select OK to save the firewall policy.
Configuring a Windows 2000 client for L2TP

Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN.

Configuring an L2TP dialup connection

Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next.
FortiGate unit to connect to and select Next. Select Finish.

Configuring the VPN connection

Right-click the icon that you have created. Select Properties > Security. Select Typical to configure typical settings. Select Require data encryption.
Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication.

Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected.
In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
Network Intrusion Detection System (NIDS)

The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
FortiGate unit is installed behind a router that also does checksum verification.

Go to NIDS > Detection > General. Check the type of traffic on which to run Checksum Verifications. Select Apply.

Figure 33: Example NIDS detection configuration
Open a web browser and enter this URL: http://www.fortinet.com/ids/ID<attack-ID> Remember to include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL: http://www.fortinet.com/ids/ID101646338 Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack.
Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.
Figure 35: Example user-defined signature list

Downloading the user-defined signature list

You can back up the user-defined signature list by downloading it to a text file on the management computer. Go to NIDS > Detection > User Defined Signature List. Select Download.
Use the controls above the signature list to disable all signatures in the NIDS attack prevention signature list, or to enable only the default NIDS attack prevention signatures. Table 6 lists the signature threshold values. The threshold depends on the type of attack. For flooding attacks, the
For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate unit will block the attacker to eliminate disruption of system operations.
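The icmpflood threshold behaviour just described, as an added Python model that is not FortiGate code: echo requests from one source are answered up to the threshold, and the request that exceeds it gets the source blocked. The one-second counting window, the sample addresses and the log line format are assumptions, since the excerpt does not state the interval over which requests are counted.

```python
from collections import defaultdict, deque

# Added example, not FortiGate code: models the icmpflood signature threshold
# described in the text. A source may send up to `threshold` echo requests,
# each answered with an echo reply; the request that exceeds the threshold
# gets the source blocked. Assumptions: requests are counted over a sliding
# one-second window (the excerpt does not state the interval), and the log
# message format is constructed for illustration.


class IcmpFloodGuard:
    """Per-source echo-request counter with a block decision at the threshold."""

    def __init__(self, threshold=500, window=1.0):
        self.threshold = threshold          # 500 is the text's example value
        self.window = window                # seconds (assumption)
        self.seen = defaultdict(deque)      # source IP -> request timestamps
        self.blocked = set()                # sources that exceeded the threshold
        self.log = []                       # attack log lines (constructed format)

    def handle_echo_request(self, src_ip, ts):
        """Return 'reply' when the request is answered, 'drop' when it is blocked."""
        if src_ip in self.blocked:
            return "drop"
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget requests outside the window
            q.popleft()
        if len(q) > self.threshold:            # e.g. the 501st request in the window
            self.blocked.add(src_ip)
            self.log.append(f"icmpflood: {src_ip} sent {len(q)} echo requests in "
                            f"{self.window}s, threshold {self.threshold}; source blocked")
            return "drop"
        return "reply"


def simulate(threshold=500, flood_count=600, flooder="203.0.113.7", other="198.51.100.9"):
    """Send flood_count requests from one source inside one window, then a single
    request from a second source; report what was answered and what was dropped."""
    guard = IcmpFloodGuard(threshold)
    results = [guard.handle_echo_request(flooder, i * 0.001) for i in range(flood_count)]
    other_result = guard.handle_echo_request(other, flood_count * 0.001)
    return {
        "replies": results.count("reply"),   # 500: answered up to the threshold
        "dropped": results.count("drop"),    # 100: the 501st onward
        "other": other_result,               # unrelated source is still answered
        "log": guard.log,
    }


if __name__ == "__main__":
    print(simulate())
```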
Logging attack messages to the attack log

(Table 6, continued: minimum value, maximum value and default value columns for each signature threshold.)
Reducing the number of NIDS attack log and email messages

Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, the FortiGate unit provides methods to reduce the number of unnecessary messages. Based on the frequency with which messages are generated, the FortiGate unit automatically deletes duplicates.
Antivirus protection

Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
Figure 37: Example content profile for virus scanning

See “Adding a content profile” on page 170 and “Adding a content profile to a policy” on page 171.
File blocking

Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus that is so new that antivirus scanning cannot detect it. You would not normally run the FortiGate unit with blocking enabled.
To display the virus list, go to Anti-Virus > Config > Virus List. Scroll through the virus and worm list to view the names of all viruses and worms in the list.
Web filtering

Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.
You can enter multiple banned words or phrases and then select Check All to activate all items in the banned word list.

Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked. See “Customizing replacement messages” on page 136.
Figure 38: Example banned word list

URL blocking

You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter.

Using the FortiGate web filter

You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address.
Go to Web Filter > URL Block. Select Clear URL Block List to remove all URLs and patterns from the URL block list. Select Check All to enable all URLs and patterns in the URL block list. Use Page Up and Page Down to navigate through the URL block list.
Downloading the URL block list

You can back up the URL block list by downloading it to a text file on the management computer. Go to Web Filter > URL Block. Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Select Cerberian URL Filtering. Select New. See “Using the Cerberian web filter” on page 240, and “Installing a Cerberian license key on the” and “Adding a Cerberian user to”, also on page 240.
Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0. Enter an alias for the user.
Enabling the script filter

Selecting script filter options

Select the script filter options that you want to enable. You can block Java applets, cookies, and ActiveX. Select Apply.

Figure 41: Example script filter settings to block Java applets and ActiveX
Exempt URL list

Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked.
Adding URLs to the exempt URL list
Email filter

Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email:
FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, “banned word”), the FortiGate unit tags all email in which the words are found together as a phrase.
Email block list

You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log.
To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain. Select Check All to activate all patterns in the list.
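The banned word, quoted phrase, email block list and exempt list behaviour described in this section, as an added Python example that is not FortiGate code: a quoted entry matches only when its words appear together as a phrase, list entries are displayed with plus signs in place of spaces, a matching sender pattern or banned pattern tags the subject line and writes a log message, and an exempt top-level domain such as net skips the block list check for that sender. The tag text [Spam], the wildcard syntax for sender patterns, the treatment of unquoted multi-word entries (each word may appear anywhere) and the sample messages are assumptions, constructed for this example.

```python
import fnmatch
import re

# Added example, not FortiGate code. Models the email filter behaviour described
# in the text. Assumptions: the tag text, fnmatch-style wildcard sender patterns,
# and "unquoted entry = every word may appear anywhere in the message".
SUBJECT_TAG = "[Spam]"  # assumed tag text


def display_form(entry):
    """List display form: spaces inside an entry are shown as plus signs."""
    return entry.strip('"').replace(" ", "+")


def matches_banned(text, entry):
    """Quoted entry: the words must appear together, in order, as a phrase.
    Unquoted entry: each word must appear somewhere in the text (assumption)."""
    words = entry.strip('"').split()
    if entry.startswith('"') and entry.endswith('"'):
        phrase = r"\b" + r"\s+".join(map(re.escape, words)) + r"\b"
        return re.search(phrase, text, re.IGNORECASE) is not None
    return all(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE) for w in words)


def sender_blocked(sender, block_patterns, exempt_tlds):
    """Block list check; an exempt top-level domain (for example 'net') wins."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain.rsplit(".", 1)[-1] in {t.lower().lstrip(".") for t in exempt_tlds}:
        return False
    return any(fnmatch.fnmatch(sender.lower(), p.lower()) for p in block_patterns)


def filter_email(msg, banned, block_patterns, exempt_tlds):
    """Apply both checks to one message; return (subject, log_lines)."""
    log = []
    if sender_blocked(msg["from"], block_patterns, exempt_tlds):
        log.append(f"email filter: sender {msg['from']} matched block list")
    for entry in banned:
        if matches_banned(msg["body"], entry):
            log.append(f"email filter: banned pattern {display_form(entry)} found")
    subject = msg["subject"]
    if log and not subject.startswith(SUBJECT_TAG):
        subject = f"{SUBJECT_TAG} {subject}"   # tag added to the subject line
    return subject, log


# Constructed sample data; addresses use documentation-reserved domains.
BANNED = ['"banned phrase"', "lottery"]
BLOCK_PATTERNS = ["*@example.*"]
EXEMPT_TLDS = ["net"]
SAMPLE_MESSAGES = [
    {"from": "promo@example.com", "subject": "Deal", "body": "Big banned phrase here"},
    {"from": "ann@example.net", "subject": "Notes", "body": "phrase banned, not together"},
    {"from": "x@mail.example.org", "subject": "Prize", "body": "You won the LOTTERY"},
    {"from": "bob@example.net", "subject": "Hi", "body": "hello"},   # blocked pattern, exempt TLD
]


def run_samples():
    """Return {original subject: (tagged subject, log lines)} for the samples."""
    return {m["subject"]: filter_email(m, BANNED, BLOCK_PATTERNS, EXEMPT_TLDS)
            for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, (tagged, log) in run_samples().items():
        print(f"{subject!r} -> {tagged!r}; {len(log)} log line(s)")
```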
Logging and reporting

You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
For each Log type, select the activities for which you want the FortiGate unit to record log messages. Select OK. See “Configuring traffic logging” and “Filtering log messages” on page 253.
Recording logs in system memory

If your FortiGate unit does not contain a hard disk, you can use the following procedure to configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter and email filter log messages. Logging to memory allows quick access to only the most recent log entries.
Figure 43: Example log filter configuration

Record activity events, such as detection of email that contains unwanted content and email from unwanted senders.

Record log messages when the FortiGate unit connects to the FDN to download antivirus and attack updates.
Configuring traffic logging

You can configure the FortiGate unit to record traffic log messages for connections to:

The FortiGate unit can filter traffic logs for any source and destination address and service. You can also enable the following global settings:
(A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed. Type the source IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Destination IP Address
Destination Netmask
Service

Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected.

Figure 45: Example new traffic address entry

Viewing logs saved to memory

If the FortiGate unit is configured to save log messages in system memory, you can use the web-based manager to view, search, and clear the log messages.
To search for any text in a log message. Keyword searching is case-sensitive.
To search log messages created during the selected year, month, day, and hour.

Adding alert email addresses

Testing alert email

Enabling alert email
In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit. In the SMTP User field, type a valid email address in the format user@domain.com.
Enabling alert email
Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.

DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network.
SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong authentication and secure communications over insecure channels.

Subnet: A portion of a network that shares a common address component.
Index

accept policy 145 action policy option 145 active log searching 256 ActiveX 242 removing from web pages 242 address 150 adding 151 editing 152 group 152 IP/MAC binding 167 virtual IP 160 address group 152 example 153 address name 151...
115 DNS IP DHCP setting 119 domain DHCP 119 downloading attack definition updates 106, 107 virus definition updates 106, 107 dynamic IP list viewing 120 dynamic IP pool IP pool 146 dynamic IP/MAC list 166 viewing 168
IP address SNMP 135 fixed port 146 FortiCare service contracts 101 support contract number 105 Fortinet customer service 25 Fortinet support recovering a lost password 104 FortiResponse Distribution Network 92 connecting to 92 FortiResponse Distribution Server 92...
NetIQ WebTrends server 250 MAC address 260 IP/MAC binding 166 malicious scripts removing from web pages 242, 248 management interface Transparent mode 114 management IP address transparent mode 59 manual keys introduction 182 matching policy 149
oversized files and email blocking 234 password adding 174 changing administrator account 133 Fortinet support 106 recovering a lost Fortinet support 104 PAT 161 permission administrator account 133 policy accept 145 Anti-Virus & Web filter 147...
132 recording logs 249 recording logs in system memory 251 recording logs on NetIQ WebTrends server 250 recovering a lost Fortinet support password 104 recurring schedule 159 creating 158 registered FortiGate units viewing the list of 104 registering...
session clearing 89 set time 129 setup wizard 45, 58 starting 45, 58 shutting down 86 signature threshold values 226 SMTP 155 configuring alert email 257 definition 260 SNMP configuring 134 contact information 134 definition 260 first trap receiver IP address 135 get community 134 MIBs 135 system location 134...
PPTP VPN 212 Windows 98 configuring for PPTP 210 connecting to PPTP VPN 211 Windows XP configuring for L2TP 218 configuring for PPTP 212 connecting to L2TP VPN 220 connecting to PPTP VPN 213 WINS DHCP server 119