Fortinet FortiGate 100A Administration Manual


Administration Guide
FortiGate 100A
FortiGate-100A Administration Guide
Version 2.80 MR7
3 December 2004
01-28007-0068-20041203

Summary of Contents for Fortinet FortiGate 100A

  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    Secure installation, configuration, and management ... 18 Document conventions ... 19 FortiGate documentation ... 21 Fortinet Knowledge Center ... 21 Comments on Fortinet technical documentation... 21 Related documentation ... 22 FortiManager documentation ... 22 FortiClient documentation ... 22 FortiMail documentation... 22 FortiLog documentation ...
  • Page 4 HA configuration ... 85 Configuring an HA cluster ... 90 Managing an HA cluster... 94 SNMP... 97 Configuring SNMP ... 98 SNMP community ... 99 FortiGate MIBs... 101 FortiGate traps ... 102 Fortinet MIB fields ... 103
  • Page 5 Configuring routing for a virtual domain ... 138 Configuring firewall policies for a virtual domain ... 138 Configuring IPSec VPN for a virtual domain ... 140 Router ... 141 Static ... 141 Static route list ... 143 Static route options ... 144 ...
  • Page 6 ... 164 config router static6... 187 Firewall... 189 Policy ... 190 How policy matching works... 190 Policy list ... 190 Policy options... 191 Advanced policy options ... 194 Configuring firewall policies ... 196 Policy CLI configuration ... 197
  • Page 7 Protection profile options ... 223 Configuring protection profiles ... 228 Profile CLI configuration... 229 Users and authentication ... 233 Setting authentication timeout... 234 Local ... 234 Local user list ... 234 Local user options... 234 ...
  • Page 8 PPTP... 260 PPTP range ... 260 L2TP ... 261 L2TP range ... 261 Certificates ... 262 Local certificate list... 262 Certificate request... 263 Importing signed certificates ... 264 CA certificate list ... 265 Importing CA certificates... 265
  • Page 9 ... 299 config antivirus quarantine ... 300 config antivirus service http... 300 config antivirus service ftp... 302 config antivirus service pop3... 304 config antivirus service imap ... 305 config antivirus service smtp ... 307 ...
  • Page 10 RBL & ORDBL ... 328 RBL & ORDBL list... 329 RBL & ORDBL options... 329 Configuring the RBL & ORDBL list ... 329 Email address ... 330 Email address list... 330 Email address options... 330 Configuring the email address list... 331
  • Page 11 Enabling traffic logging... 348 Log access... 349 Viewing log messages ... 349 Searching log messages... 351 CLI configuration... 352 fortilog setting... 352 syslogd setting ... 354 FortiGuard categories ... 357 Glossary ... 363 Index ... 367 ...
  • Page 13: Introduction

    The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
  • Page 14: Antivirus Protection

    The FortiGate-100A also supports advanced features such as multiple WAN and DMZ interfaces, 802.1Q VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing protocols. Antivirus protection: FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit.
  • Page 15: Spam Filtering

    The FortiGate firewall can operate in NAT/Route mode or Transparent mode. It can control all incoming and outgoing network traffic, control encrypted VPN traffic, apply antivirus protection and web content filtering, block or allow access for all policy options,...
  • Page 16: Vlans And Virtual Domains

    In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
  • Page 17: Intrusion Prevention System (Ips)

    Industry standard and ICSA-certified IPSec VPN, including: • IPSec VPN in NAT/Route and Transparent mode, • IPSec, ESP security in tunnel mode, • DES, 3DES (triple-DES), and AES hardware accelerated encryption, •...
  • Page 18: High Availability

    High availability: Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 19: Document Conventions

    ...IPS to the system memory. Document conventions: This guide uses the following conventions to describe CLI command syntax. • ...report traffic that connects to the firewall, report network services used, report traffic that was permitted by firewall policies,...
  • Page 20 In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
  • Page 21: Fortigate Documentation

    The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com. Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
  • Page 22: Related Documentation

    Related documentation: Additional information about Fortinet products is available from the following related documentation: FortiManager documentation, FortiClient documentation, FortiMail documentation. FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
  • Page 23: Fortilog Documentation

    Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
  • Page 25: System Status

    The management computer must have Java version 1.3 or higher installed. For information on how to use the CLI, see the FortiGate CLI Reference Guide. Figure 1: Console access. Section contents: Console access, Status, Session list, Changing the FortiGate firmware...
  • Page 26: Status

    Select Connect to connect to the CLI. Select Disconnect to disconnect from the CLI. Select Clear screen to start a new page. See “Access profiles” on page and “HA configuration” on page 111. Viewing system status. Changing unit information.
  • Page 27: Unit Information

    The Details pages provide a link to either the FortiLog unit or to the Log & Report > Log Config > Log Setting page where you can configure logging to a FortiLog unit. Select to control how often the web-based manager updates the system status display.
  • Page 28: Interface Status

    ...FortiGate unit. Select History to view a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours.
  • Page 29: Changing Unit Information

    CPU usage for the previous minute. Session history for the previous minute. Network utilization for the previous minute. The virus detection history over the last 20 hours. The intrusion detection history over the last 20 hours.
  • Page 30 Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 31 Note: If the management IP address was on a different subnet in Transparent mode, you may have to change the IP address of your computer to the same subnet as the interface configured for management access. (See “HA” on page 84).
  • Page 32: Session List

    The source port of the connection. The destination IP address of the connection. The destination port of the connection. The time, in seconds, before the connection expires. Delete icon. Select to stop an active communication session.
  • Page 33: Changing The Fortigate Firmware

    FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1: Firmware upgrade procedures...
  • Page 34: Upgrading The Firmware Using The Cli

    Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit: execute restore image <name_str> <tftp_ipv4> See “Update center” on page 118 and “To update antivirus and attack definitions” on page 120 to update the antivirus and attack definitions.
  • Page 35: Reverting To A Previous Firmware Version

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
  • Page 36: Reverting To A Previous Firmware Version Using The Cli

    See “Backing up and Restoring” on page 116 and “To update antivirus and attack definitions” on page 120 to make sure that antivirus and attack definitions are updated.
  • Page 37 Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
  • Page 38: Installing Firmware Images From A System Reboot Using The Cli

    Back up web content and email filtering lists. For information, see “Web filter” on page 309 and “Spam filter” on page 323. See “To update antivirus and attack definitions” on page 120, or from 116, to make sure that antivirus...
  • Page 39 Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: FortiGate unit running v2.x BIOS: Press Any Key To Download Boot Image.
  • Page 40: Restoring The Previous Configuration

    To update the virus and attack definitions to the most recent version, see “Updating antivirus and attack definitions” on page 120. See also “Backup and restore” on page 115 and “Backing up and restoring custom signature...
  • Page 41: Testing A New Firmware Image Before Installing It

    Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the procedure. See “Upgrading to a new firmware version” on page...
  • Page 42 FortiGate unit running v2.x BIOS: Do You Want To Save The Image? [Y/n] Type N. FortiGate unit running v3.x BIOS: Save as Default firmware/Run image without saving:[D/R] Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
  • Page 43: Installing And Using A Backup Firmware Image

    [B]: [Q]: [H]: Enter G,F,B,Q,or H: Section contents: Installing a backup firmware image, Switching to the backup firmware image, Switching back to the default firmware image. ...access the CLI by connecting to the FortiGate console port using a null-modem...
  • Page 44: Switching To The Backup Firmware Image

    As the FortiGate unit starts, a series of system startup messages are displayed. When the following message appears: Press any key to enter configuration menu... Immediately press any key to interrupt the system startup. ...to switch to a backup...
  • Page 45: Switching Back To The Default Firmware Image

    Type B to load the backup firmware image. The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is running the backup firmware version with a restored configuration. Menu options: Get firmware image from TFTP server. Format boot device.
  • Page 47: System Network

    Note: Unless stated otherwise, in this section the term interface can refer to a physical FortiGate interface or to a FortiGate VLAN subinterface. Section contents: Interface, Zone, Management, Routing table (Transparent Mode).
  • Page 48: Interface Settings

    Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 54 and “To start up an interface that is administratively down” on page. Delete, edit, and view icons.
  • Page 49 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface. To bring down an interface that is administratively up. To start up an interface that is administratively down...
  • Page 50 The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see... Virtual Domain: Select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
  • Page 51 Distance. Retrieve default gateway from server. Override internal... DHCP status: initializing: No activity. connecting: The interface is attempting to connect to the DHCP server. connected: The interface retrieves an IP address, netmask, and other settings from the DHCP server.
  • Page 52 Ping server Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address.
  • Page 53: Configuring Interfaces

    To allow SSH connections to the CLI through this interface. To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page. To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
  • Page 54 You cannot add an interface to a zone if you have added firewall policies for... See “To add a zone” on page 59 and “To add a virtual domain” on page 135. You cannot add an interface to a virtual...
  • Page 55 ...IP address from the PPPoE server. Select the Override Internal DNS check box if you want the FortiGate unit to obtain a DNS server IP address from the PPPoE server. See “PPPoE”... for information on PPPoE settings.
  • Page 56 ...DNS server. In the Password field, type the associated password. Select OK. To add a ping server to an interface: Go to System > Network > Interface. Choose an interface and select Edit.
  • Page 57 Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box. Select OK to save the changes. To control administrative access to an interface: For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
  • Page 58: Zone

    Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. Enter the name to identify the zone. Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
  • Page 59: Management

    (see “Update center” on page). You can also configure interfaces to control how administrators connect to the FortiGate unit for administration. See “To control administrative access to an interface” on page. Zone settings...
  • Page 60 ...FortiGate unit from. Enter the default gateway address. This must be a valid IP... Select the virtual domain from which you want to perform system management. (“To... on page 83).
  • Page 61: Dns

    Go to System > Network > DNS. Change the primary and secondary DNS server IP addresses as required. Select Apply to save the changes. See “DHCP” on page 50. When DHCP is used on an interface, also obtain the DNS server IP address.
  • Page 62: Routing Table (Transparent Mode)

    Move To icon. Select to change the order of a route in the list. Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic. The relative preferability of this route; 1 is most preferred.
  • Page 63: Vlan Overview

    ...VLAN identifier as well as other information. VLANs allow highly flexible, efficient network segmentation, enabling users and resources to be grouped logically, regardless of physical locations. Figure 14: Basic VLAN topology (Internet, untagged packets).
  • Page 64: Fortigate Units And Vlans

    ...VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
  • Page 65: Adding Vlan Subinterfaces

    The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
  • Page 66: Vlans In Transparent Mode

    FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
  • Page 67 Figure 17 ...three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN. (Figure: VLAN switch or router, VLAN1, Internal VLAN1...)
  • Page 68: Rules For Vlan Ids

    See “System virtual domain” on page 131. (Figure: VLAN 1, VLAN 2, and VLAN 3 (VLAN ID = 300) carried on a VLAN trunk between an internal VLAN switch, the FortiGate unit, and an external router; untagged packets to the Internet.)
  • Page 69: Transparent Mode Vlan List

    ...VLAN subinterface. Use VLAN settings to configure a new VLAN subinterface or to change the configuration of a FortiGate interface or VLAN subinterface. Figure 19: VLAN settings. Select Create New to add a VLAN subinterface to a FortiGate interface.
  • Page 70 The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
  • Page 71: Fortigate Ipv6 Support

    The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
  • Page 73: System Dhcp

    ...FortiGate interface. You can configure each interface to be a DHCP relay or a DHCP server or you can turn off DHCP services. Figure 20: DHCP service list (columns: Interface, Service). Section contents: Service, Server, Exclude range, IP/MAC binding, Dynamic IP. Interface: List of FortiGate interfaces.
  • Page 74: Dhcp Service Settings

    Select DHCP Server if you want the FortiGate unit to be the DHCP server. See “To configure an interface to be a DHCP server” on page and “To configure an interface as a...
  • Page 75: Server

    Add a new DHCP server. Name: Name of the DHCP server. Interface: The interface for which the DHCP server is configured. Default Gateway: The DHCP server configuration default gateway. Delete: Delete a DHCP server configuration. Edit/View icon. See “To configure a DHCP server for an interface” on page.
  • Page 76: Dhcp Server Settings

    For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. (...75), you must configure a DHCP server for... “To configure...
  • Page 77: Exclude Range

    DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
  • Page 78: Dhcp Exclude Range Settings

    The IP address for the IP and MAC address pair. The IP address must be within the configured IP range. Delete icon. Delete an IP/MAC binding pair. Edit/View icon. View or modify an IP/MAC binding pair.
  • Page 79: Dhcp Ip/Mac Binding Settings

    Go to System > DHCP > Dynamic IP. Select the interface for which you want to view the list. Enter a name for the IP/MAC address pair. Enter the IP address for the IP and MAC address pair. The IP address must be within the configured IP range.
  • Page 81: System Config

    ...FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. Figure 28: System time. Section contents: System time, Options, SNMP, Replacement messages, FortiManager. System Time: The current FortiGate system date and time. Refresh. Time Zone.
  • Page 82: Options

    ...NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. Timeout settings, including the idle timeout and authentication timeout. The language displayed by the web-based manager. Dead gateway detection interval and failover detection.
  • Page 83 From the Languages list, select a language for the web-based manager to use. Select Apply. Set the idle timeout to control the amount of inactive time before the administrator must log in again. The maximum admintimeout is 480 minutes (8 hours).
  • Page 84 FortiGate unit assumes that the gateway is no longer functioning. Select Apply. Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 85: Ha Configuration

    Select Standalone Mode if you want to stop a cluster unit from operating in HA mode. High Availability: Select High Availability to operate the FortiGate unit in HA mode. After selecting High Availability, complete the remainder of the HA configuration.
  • Page 86: Cluster Members

    All other FortiGate units in the cluster passively monitor the cluster status and remain synchronized with the primary FortiGate unit. Table 3 lists the virtual MAC addresses: 00-09-0f-06-ff-00, 00-09-0f-06-ff-01, 00-09-0f-06-ff-02, 00-09-0f-06-ff-03, ... 00-09-0f-06-ff-3f. “To view the status of...
  • Page 87 ...HA cluster. The maximum password length is 15 characters. If you have more than one FortiGate HA cluster on the same network, each cluster should have a different password. Unit priority (Table 4).
  • Page 88 Load balancing according to IP address and port. If the cluster units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.
  • Page 89 ...IP address. This IP address does not affect the heartbeat traffic. In Transparent mode, you can connect the interface to your network. Default heartbeat device: External...
  • Page 90: Configuring An Ha Cluster

    Note: The following procedure does not include steps for configuring interface heartbeat devices and interface monitoring. Both of these HA settings should be configured after the cluster is up and running. (See “Override Master” on page 87), this FortiGate unit...
  • Page 91 Power off the FortiGate unit. Repeat this procedure for all of the FortiGate units in the cluster then continue with “...connect a FortiGate HA cluster” on page. See also “To change FortiGate host name” on page, “Unit Priority” on page, “Override Master”...
  • Page 92 Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. The FortiGate units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status.
  • Page 93 Power on the new FortiGate unit. When the unit starts it negotiates to join the cluster. After it joins the cluster, the cluster synchronizes the new unit configuration with the configuration of the primary unit. (Figure: Internet, WAN1...)
  • Page 94: Managing An Ha Cluster

    The next three connections are processed by the first subordinate unit (priority 1, weight 3). The next three connections are processed by the second subordinate unit (priority 2, weight 3). See “FortiGate HA traps” on page and “HA MIB fields” on page 103.
  • Page 95 Cluster ID, Status, Up Time, Monitor. See “To view the status of each cluster member” on page 95 and “To manage individual cluster units” on page 97. Select to control how often the web-based manager updates the system status display.
  • Page 96 ...Cluster Members list. The host name and serial number of the primary cluster unit changes. The new primary unit logs the following messages to the event log: HA slave became master. Detected HA member dead.
  • Page 97: Snmp

    ...FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. The cluster contains fewer FortiGate units.
  • Page 98: Configuring Snmp

    Section contents: Configuring SNMP, SNMP community, FortiGate MIBs, FortiGate traps, Fortinet MIB fields. Enable the FortiGate SNMP agent. Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long. Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
  • Page 99: Snmp Community

    Figure 34: SNMP community options (part 1). Figure 35: SNMP community options (part 2). Community Name: Enter a name to identify the SNMP community. Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
  • Page 100 SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
  • Page 101: FortiGate MIBs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 102: FortiGate Traps

    The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number.
  • Page 103: Fortinet MIB Fields

    The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
  • Page 104 Fortinet MIB fields. Table 14: System MIB fields (MIB fields: model, serial, version, versionAv, versionNids, haMode, opMode, cpuUsage, memUsage, sesCount). Table 15: HA MIB fields (MIB fields: groupId, priority, override, autoSync, schedule, stats). Description of model: FortiGate model number, for example, 400 for the FortiGate-400.
  • Page 105 The index number of the administrator account added to the FortiGate unit. The user name of an administrator account added to the FortiGate unit. Up to three trusted host IP addresses for the administrator account.
  • Page 106: Replacement Messages

    Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiGate unit. Edit/View icon. Select to change a replacement message.
  • Page 107: Changing Replacement Messages

    %%CRITICAL_EVENT%%: Added to alert email critical event email messages. %%PROTOCOL%%, %%SOURCE_IP%%, %%DEST_IP%%. The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking.
  • Page 108: FortiManager

    The name of the web filtering service. The name of the content category of the web site. The Fortinet logo. and a FortiManager Server. The remote ID of the FortiManager IPSec tunnel. The IP Address of the FortiManager Server.
  • Page 109: System Administration

    Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Can access the system status, interface, virtual domain, HA, routing, option, SNMP, time, and replacement message features.
  • Page 110: Administrators List

    Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 111. For more information on access profiles, see “Access profile list” on page 112.
  • Page 111: Access Profiles

    Go to System > Admin > Access Profile to add access profiles for FortiGate administrators. Each administrator account belongs to an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to FortiGate features.
  • Page 112: Access Profile List

    Allow or deny access to the authorized users feature. Allow or deny access to the administrative users feature. Allow or deny access to the FortiProtect Distribution Network update feature. Allow or deny access to the system shutdown and reboot functionality.
  • Page 113 Select Create New to add an access profile, or select the edit icon to edit an existing access profile. Enter a name for the access profile. Select or clear the Access Control check boxes as required. Select OK.
  • Page 114 Access profile options
  • Page 115: System Maintenance

    All Configuration Files, System settings. The list of files that can be backed up and restored. The date and time of the last backup. The Restore/Upload, Backup and Reset to factory default icons.
  • Page 116: Backing Up And Restoring

    IPS User-Defined Signatures: Upload or download IPS signatures. All Certificates: Restore or back up all VPN certificates in a single password-protected file. See “To back up VPN certificates” and “To restore VPN certificates” on page 117.
  • Page 117 For VPN Certificates, All Certificates, select the Restore icon. Enter the password used when creating the backup file. Enter the path and filename of the backup file, or select Browse and locate the file. Select OK.
  • Page 118: Update Center

    To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. See “To enable scheduled updates” on page 123. User-initiated updates from the FDN; hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
  • Page 119 Use override server address, Update. The status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See “To enable scheduled updates”...
  • Page 120: Updating Antivirus And Attack Definitions

    The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings.
  • Page 121 Select the Use override server address check box. Type the fully qualified domain name or IP address of a FortiProtect server. Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
  • Page 122 Command syntax for enabling scheduled updates through a proxy server, followed by an example:
      config system autoupdate tunneling
        set address <proxy-address_ip>
        set port <proxy-port>
        set username <username_str>
        set password <password_str>
        set status enable
      end
    Example:
      config system autoupdate tunneling
        set address 67.35.50.34
        set port 8080
        set username proxy_user
        set password proxy_pwd
        set status enable
      end
  • Page 123: Enabling Push Updates

    FortiGate unit sends this SETUP message and the FDN receives it, the FDN can maintain the most up-to-date interface 2 IP address for the FortiGate unit. See “To register a FortiGate unit”, and “To enable scheduled updates through a proxy server” on page 122.
  • Page 124: Enabling Push Updates Through A NAT Device

    In the External Interface section, select the external interface that the FDN connects to. In the Type section, select Port Forwarding. In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to.
  • Page 125: Support

    You can select Refresh to make sure that push updates work. Push Update changes to Available. You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS).
  • Page 126: Sending A Bug Report

    Select Report Bug to submit problems with the FortiGate unit to Fortinet Support. Enter the contact information so that Fortinet Support can reply to your bug report. Items marked with an * are required. Send diagnostic information about the FortiGate unit, including its current configuration, to Fortinet for analysis.
  • Page 127: Registering A FortiGate Unit

    FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: •...
  • Page 128 For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
  • Page 129: Shutdown

    A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password are sent to the email address provided with your contact information.
  • Page 130 The FortiGate unit restarts with the configuration that it had when it was first powered on. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
  • Page 131: System Virtual Domain

    The FortiGate unit supports 2 virtual domains: root and one additional virtual domain. This chapter describes: Virtual domain properties, Virtual domains, Configuring virtual domains, and “Shared configuration settings”.
  • Page 132: Virtual Domain Properties

    Procedures in this chapter: “To select a management virtual domain” (page 136), “To configure routing for a virtual domain” (page 138), “To configure the routing...” (page 138), “To add IP pools to a virtual domain”, “To add Virtual IPs to a virtual domain” (page 140).
  • Page 133: Shared Configuration Settings

    Unit configuration: Host Name, Firmware Version, Antivirus Definitions and engine, Attack Definitions and engine, Serial Number, Operation Mode. Network configuration: ...
  • Page 134: Administration And Management

    A check mark icon in this column indicates that this is the domain used for system management. Delete icon. Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management.
  • Page 135: Adding A Virtual Domain

    Selecting a management virtual domain In NAT/Router mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”...
  • Page 136: Configuring Virtual Domains

    Go to System > Network > Interface. This section describes: Adding interfaces, VLAN subinterfaces, and zones to a virtual domain; Configuring routing for a virtual domain; Configuring firewall policies for a virtual domain; Configuring IPSec VPN for a virtual domain.
  • Page 137 Select Change following the current virtual domain name above the table. Choose the virtual domain to add zones to. Adding interfaces, VLAN subinterfaces, and zones to a virtual domain. See “To add a VLAN subinterface in Transparent mode” and “To add a VLAN...
  • Page 138: Configuring Routing For A Virtual Domain

    Any zones that you add are added to the current virtual domain. See “Router” on page 141. Network traffic entering this virtual domain is routed only... See “Routing table (Transparent Mode)” on page 62.
  • Page 139 Select OK. Go to Firewall > Virtual IP. Add new virtual IPs as required for the current virtual domain. See “Policy” on page 190 and “Address” on page 198. You can only add firewall policies for the physical...
  • Page 140: Configuring IPSec VPN For A Virtual Domain

    Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See “VPN” on page 245.
  • Page 141: Router

    You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
  • Page 142 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
  • Page 143: Static Route List

    FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.20.0/24; Gateway: 192.168.10.1; Device: internal; Distance: 10. Static route list. Figure 52: Static routes (Internet, FortiGate_1 internal, Router_1 192.168.10.1, Network_1 192.168.20.0/24)...
  • Page 144: Static Route Options

    The destination IP address for this route. The netmask for this route. The IP address of the first next hop router to which this route directs traffic. The name of the FortiGate interface through which to route traffic. The administrative distance for the route.
  • Page 145: Policy

    Create New: Add a new policy route. The sequence number for this policy route. Incoming: Incoming or source interface. Outgoing. Source: Source address. Destination: The policy route matches packets that have this destination IP address and... Protocol, service type, or port range.
  • Page 146: Policy Route Options

    Match packets that have this destination IP address and netmask. Match packets that have this destination port range. To match a single port, enter the same port number for both From and To. Send packets that match this policy route to this next hop router.
  • Page 147: General

    Timeout, Redistribute: Connected, Metric. Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all RIP-enabled interfaces. You can override this setting on a per-interface basis. For non-default routes in the static routing table and directly connected networks, the default metric is the metric that the FortiGate unit advertises to adjacent routers.
  • Page 148: Networks List

    Static, Metric, Route-map. To configure RIP general settings: Go to Router > RIP > General. Select the default RIP Version. Change the Default Metric if required. Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
  • Page 149: Networks Options

    Create New: Add a new RIP interface. Interface: The FortiGate interface name. Send Version: The RIP send version for this interface. Receive Version: The RIP receive version for this interface. Split-Horizon: The split horizon type. Authentication: The authentication type.
  • Page 150: Interface Options

    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
  • Page 151: Distribute List

    Figure 62: RIP Distribute list. Enter a password (key) to use for authentication for RIP version 2 packets sent and received by this interface. Enter a password here when you only want to configure one key. For more information on configuring access lists and prefix lists, see...
  • Page 152: Distribute List Options

    Interface, Enable. To configure a distribute list: Go to Router > RIP > Distribute List. Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
  • Page 153: Offset List

    Go to Router > RIP > Offset List. Select Create New to add a new offset list or select the edit icon beside an existing offset list to edit that offset list. Add a new offset list. The direction for the offset list.
  • Page 154: Router Objects

    Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects Router objects are a set of tools used by routing protocols and features. Access list Access lists are filters used by FortiGate routing features.
  • Page 155: New Access List Entry

    To add an access list name: Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry. Figure 68: Access list entry configuration...
  • Page 156: New Prefix List

    New Prefix list. Figure 70: Prefix list name configuration. To add a prefix list name: Go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. Add a new prefix list name. An access list and a prefix list cannot have the same name.
  • Page 157: New Prefix List Entry

    Less or equal to. To configure a prefix list entry: Go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry.
  • Page 158: New Route-Map

    Route-map rules. New Route-map. Figure 73: Route map name configuration. To add a route map name: Go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK. Add a new route map name.
  • Page 159: Route-Map List Entry

    Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric. The metric can be a number from 1 to 16.
  • Page 160: Key Chain List

    New key chain. Figure 76: Key chain name configuration. To add a key chain name: Go to Router > Router Objects > Key-chain. Select Create New. Add a new key chain. ...for information on setting the FortiGate system date and...
  • Page 161: Key Chain List Entry

    Under Accept Lifetime, select the required hour, minute, second, year, month and day to start using this key for received routing updates. The key chain name and the ID number for this key chain entry. The key (password) can be up to 35 characters long.
  • Page 162: Monitor

    Up Time. To filter the routing monitor display: Go to Router > Monitor > Routing Monitor. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
  • Page 163: CLI Configuration

    Examples: get router info protocols. Show the current state of active routing protocols. Command syntax: get router info ospf <keyword>. Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
  • Page 164: Get Router Info RIP

    An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
  • Page 165 Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables: abr-type {cisco | ibm | shortcut | standard}; database-overflow {disable | enable}; database-overflow-max-lsas <lsas_integer>...
  • Page 166 <address_ipv4>; spf-timers <delay_integer> <hold_integer>. Example: This example shows how to set the OSPF router ID to 1.1.1.1. This example shows how to display the OSPF settings. Description: Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
  • Page 167 This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
  • Page 168 Enable or disable redistributing routes into an NSSA area.
  • Page 169 This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication. This example shows how to display the settings for area 15.1.1.1. An NSSA border router can translate the...
  • Page 170 Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list. See “Access list” on page 155.
  • Page 171 ABR advertises a summary route that includes all the networks within the area that are within the specified range. config range command syntax pattern. The range id_integer can be 0 to 4294967295.
      config router ospf
        config area
          edit 15.1.1.1
          ...
  • Page 172 Enable or disable using a substitute prefix (default: disable; all models). Example of adding a range to area 15.1.1.1:
      config router ospf
        config area
          edit 15.1.1.1
            config range
              edit 1
                set prefix 1.1.0.0 255.255.0.0
  • Page 173 Virtual links can only be set up between two area border routers (ABRs). config virtual link command syntax pattern. Note: Only the peer keyword is required. All other keywords are optional.
      config router ospf
        config area
          edit 15.1.1.1
          ...
  • Page 174 15 characters. The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. Both ends of the virtual link must use the same value for dead-interval.
  • Page 175 This example shows how to configure a virtual link. This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. config distribute-list: Access the config distribute-list subcommand using the config router ospf command. The time, in seconds, to wait before sending an LSA retransmission.
  • Page 176 Enter the name of the access list to use for this distribute list. Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.
  • Page 177 This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
  • Page 178 Example of configuring an OSPF neighbor and displaying its configuration:
      config router ospf
        config neighbor
          edit 1
            set ip 192.168.21.63
      config router ospf
        config neighbor
          edit 1
            show
  • Page 179: Config Network

    config network: Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern...
  • Page 180 This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
  • Page 181 authentication {md5 | none | text}; authentication-key <password_str>; cost <cost_integer>; database-filter-out {disable | enable}; dead-interval <seconds_integer>. Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface. If you select none, no authentication is used.
  • Page 182 MTUs so that they match. authentication must be set to md5.
  • Page 183 priority <priority_integer>; retransmit-interval <seconds_integer>; status {disable | enable}; transmit-delay <seconds_integer>. Specify the type of network to which the interface is connected. OSPF supports four different types of network. This command specifies the behavior of the OSPF interface according to the network type.
  • Page 184: Config Redistribute

    This example shows how to display the configuration for the OSPF interface configuration named test. config redistribute Access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network.
  • Page 185 This example shows how to display the OSPF settings. This example shows how to display the OSPF configuration. config summary-address: Access the config summary-address subcommand using the config router ospf command. config redistribute {connected | static | rip} / set <keyword>...
  • Page 186 Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range”. ...route, you reduce the size of the OSPF link-state database.
  • Page 187: Config Router Static6

    Keywords and variables: device <interface-name_str>; dst <destination-address_ipv6mask>; gateway <gateway-address_ipv6mask>. show router ospf. Command syntax pattern:
      config router static6
        edit <sequence_integer>
          set <keyword> <variable>
      config router static6
        edit <sequence_integer>
          unset <keyword>
      config router static6
        delete <sequence_integer>
      ...
  • Page 188 This example shows how to display the configuration for IPv6 static route 2.
      config router static6
        edit 2
          set dev internal
          set dst 12AB:0:0:CD30::/60
          set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
      get router static6
      get router static6 2
      show router static6
      show router static6 2
  • Page 189: Firewall

    This chapter describes: Configure antivirus protection for HTTP, FTP, IMAP, POP3, and SMTP policies; Configure web filtering for HTTP policies; Configure web category filtering for HTTP policies; Configure spam filtering for IMAP, POP3, and SMTP policies...
  • Page 190: Policy

    Policy list. You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 79: Sample policy list. This section describes: How policy matching works, Policy list, Policy options, Advanced policy options, Configuring firewall policies.
  • Page 191: Policy Options

    Figure 80: Move to options. Policy options: Policy options are configurable when creating or editing a firewall policy. Select Create New to add a firewall policy. The policy identifier. Policies are numbered in the order they are added to the policy list.
  • Page 192 Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See “Addresses” on page 198, “Virtual IP” on page 214, “Schedule” on page 211, and “Service” on page 203.
  • Page 193 Action, VPN Tunnel, Protection Profile, Log Traffic, Advanced. Select how you want the firewall to respond when the policy matches a connection attempt. ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy.
  • Page 194: Advanced Policy Options

    HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.
  • Page 195: Traffic Shaping

    These values are optional and may be enabled independently from each other. When both are disabled, no changes to the DS field are made. You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service.
  • Page 196: Configuring Firewall Policies

    Set the DSCP value for reply packets. For example, for an Internal -> External policy the value is applied to incoming reply packets before they exit the internal interface and are returned to the originator. See “How policy matching works” on page 190 and “Policy options” on page 191.
  • Page 197: Policy CLI Configuration

    Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords. Command syntax pattern: config firewall policy / edit <id_integer> / set <keyword> <variable>...
  • Page 198: Address

    64.195.45.0/24; x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120; x.x.x.[x-x], for example 192.168.110.[100-120]; x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet.
  • Page 199: Address List

    Address options: Add an address representing an IP address and subnet mask or an IP address range. Figure 85: Address options. Address has the following options: Address Name... This section describes: Address list, Address options, Configuring addresses, Address group list...
  • Page 200: Configuring Addresses

    The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0 A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10) 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 201: Address Group List

    Group Name Members Address group options Address group options are configurable when creating or editing an address group. FortiGate-100A Administration Guide Select Create New to add an address group. The name of the address group. The addresses in the address group.
  • Page 202: Configuring Address Groups

    IPs must all have unique names to avoid confusion in firewall policies. The list of configured and default firewall addresses. Use the arrows to move addresses between the lists. The list of addresses in the group. Use the arrows to move addresses between the lists. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 203: Service

    Figure 88: Predefined service list The predefined services list has the following icons and features. Name Detail Table 21 any policy. FortiGate-100A Administration Guide Predefined service list Custom service list Custom service options Configuring custom services Service group list Service group options Configuring service groups The name of the predefined services.
  • Page 204 ISAKMP for IPSEC. Internet Message Access Protocol is a protocol used for retrieving email messages. Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL. 01-28007-0068-20041203 Firewall Protocol Port 5190-5194 1720, 1503 Fortinet Inc.
  • Page 205 POP3 PPTP QUAKE RAUDIO RLOGIN SIP- MSNmessenger FortiGate-100A Administration Guide Description Internet Relay Chat allows people connected to the Internet to join live discussions. L2TP is a PPP-based tunnel protocol for remote access. Lightweight Directory Access Protocol is a set of protocols used to access information directories.
  • Page 206: Custom Service List

    Select a protocol and then Create New to add a custom service. The name of the custom service. The protocol and port numbers for each custom service. The Delete and Edit/View icons. 01-28007-0068-20041203 Firewall Protocol Port 161-162 161-162 517-518 0-65535 0-65535 7000-7010 1494 6000-6063 Fortinet Inc.
  • Page 207: Custom Service Options

    Name Protocol Type Type Code FortiGate-100A Administration Guide The name of the TCP or UDP custom service. Select the protocol type of the service you are adding: TCP or UDP. TCP and UDP options are the same. Specify the Source Port number range for the service by entering the low and high port numbers.
  • Page 208: Configuring Custom Services

    Enter a name for the new custom IP service. Select IP as the Protocol Type. Enter the IP protocol number for the service. The name of the IP custom service. Select the protocol type of the service you are adding: IP. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 209: Service Group List

    Members Service group options Service group options are configurable when creating or editing a service group. FortiGate-100A Administration Guide Select Create New to add a service group. The name to identify the service group. The services added to the service group.
  • Page 210: Configuring Service Groups

    Enter a name to identify the address group. The list of configured and predefined services. Use the arrows to move services between the lists. The list of services in the group. Use the arrows to move services between the lists. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 211: Schedule

    Figure 95: Sample one-time schedule list The one-time schedule list has the following icons and features. Create New Name Start Stop FortiGate-100A Administration Guide One-time schedule list One-time schedule options Configuring one-time schedules Recurring schedule list Recurring schedule options Configuring recurring schedules Select Create New to add a one-time schedule.
  • Page 212: One-Time Schedule Options

    Note: To change the one-time schedule name you must delete the schedule and add it with a new name. Select OK to save the changes. Enter the name to identify the one-time schedule. Enter the start date and time for the schedule. Enter the stop date and time for the schedule. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 213: Recurring Schedule List

    Name Select Start Stop FortiGate-100A Administration Guide Select Create New to add a recurring schedule. The name of the recurring schedule. The initials of the days of the week on which the schedule is active. The start time of the recurring schedule.
  • Page 214: Configuring Recurring Schedules

    DMZ network. To allow connections from the Internet to the web server, you must then add an external->DMZ firewall policy and set Destination to the virtual IP. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 215: Virtual Ip List

    Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding. FortiGate-100A Administration Guide Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.
  • Page 216: Configuring Virtual Ips

    Enter the real IP address on the destination network. Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.) 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 217 You can select any firewall interface or a VLAN subinterface. Select Port Forwarding. FortiGate-100A Administration Guide Table 22 on page 217 contains example virtual IP external interface settings To map an internal address to a wan1, wan2, DMZ1, or DMZ2 address. If you select internal, the static NAT virtual IP can be added to Internal->WAN1, Internal->WAN2, Internal->DMZ, and...
  • Page 218 Enter the Map to Port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port. or to any other address. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 219: Ip Pool

    • This section describes: • • • • • FortiGate-100A Administration Guide x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120 x.x.x.[x-x], for example 192.168.110.[100-120] IP pool list IP pool options Configuring IP pools IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT...
  • Page 220: Ip Pool List

    The start IP defines the start of an address range. The end IP defines the end of an address range. The Delete and Edit/View icons. Select the interface to which to add an IP pool. Enter a name for the IP pool. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 221: Ip Pools For Firewall Policies That Use Fixed Ports

    IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool. FortiGate-100A Administration Guide IP Pools for firewall policies that use fixed ports 01-28007-0068-20041203...
  • Page 222: Protection Profile

    Protection profile list Default protection profiles Protection profile options Configuring protection profiles Profile CLI configuration Select Create New to add an IP pool. The start IP defines the start of an address range. The Delete and Edit/View icons. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 223: Default Protection Profiles

    Web Category Filtering Spam Filtering Content Archive FortiGate-100A Administration Guide To apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. You may not wish to use the strict protection profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum screening.
  • Page 224 Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis. (IMAP, POP3, SMTP). Fragmented email cannot be scanned for viruses.
  • Page 225: Configuring Web Filtering Options

    Configuring web category filtering options Figure 108:Protection profile web category filtering options (FortiGuard) FortiGate-100A Administration Guide for more web filter configuration options. Enable or disable web page blocking for HTTP traffic based on the banned words and patterns in the content block list.
  • Page 226: Configuring Spam Filtering Options

    Choose from allow, block, or monitor. “Spam filter” on page 323 for more spam filter configuration options. Enable or disable the Fortinet spam filtering IP address blacklist: FortiShield. See service. Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list.
  • Page 227 IPS Signature IPS Anomaly Configuring content archive options Figure 111:Protection profile content archive options FortiGate-100A Administration Guide or from address has an A or MX record. Enable or disable checking source MIME headers against the configured spam filter MIME header list.
  • Page 228: Configuring Protection Profiles

    FortiLog unit for each protocol. Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiLog is enabled under Log&Report > Log Config > Log Settings. 01-28007-0068-20041203 Firewall Fortinet Inc.
  • Page 229: Profile Cli Configuration

    Guide. Use this command to add, edit or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies. Command syntax pattern FortiGate-100A Administration Guide config firewall profile edit <profilename_str> set <keyword> <variable> config firewall profile edit <profilename_str>...
  • Page 230 If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. 01-28007-0068-20041203 Firewall Default Availability All models. splice No default. All models. Fortinet Inc.
  • Page 231 This example shows how to display the configuration for the firewall profile command. This example shows how to display the configuration for the spammail profile. FortiGate-100A Administration Guide Description Select the actions that this profile will use for filtering SMTP traffic for a policy.
  • Page 232 Profile CLI configuration Firewall 01-28007-0068-20041203 Fortinet Inc.
  • Page 233: Users and Authentication

    This chapter describes: Setting authentication timeout... Authentication applies to any firewall policy with Action set to ACCEPT, and to IPSec, PPTP and L2TP VPN configurations. See “Local” on page 239.
  • Page 234: Setting Authentication Timeout

    Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
  • Page 235: RADIUS

    Figure 114: RADIUS server list (Create New, Name). Select LDAP to require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration.
  • Page 236: RADIUS Server Options

    FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret.
  • Page 237: LDAP Server List

    Add a new LDAP server. Server Name/IP: Enter the domain name or IP address of the LDAP server. Server Port: The port used to communicate with the LDAP server. The common name identifier for the LDAP server, 20 characters maximum.
  • Page 238 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
  • Page 239: User Group

    Create New; Group Name; Members; Protection Profile: The protection profile associated with this user group. Firewall policies that require authentication: You can choose the user groups that are allowed to authenticate with these policies. IPSec VPN Phase 1 configurations for dialup users: Only users in the selected user group can authenticate to use the VPN tunnel.
  • Page 240: User Group Options

    The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group.
  • Page 241: CLI Configuration

    Keywords and variables: cn-type {FDQN | email | ipv4 | string}; subject. Example: This example shows how to add the branch_office peer. Command syntax pattern: config user peer edit <name_str> set <keyword> <variable>; config user peer edit <name_str> unset <keyword>...
  • Page 242: Peergrp

    Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
  • Page 243 This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peer groups. This example shows how to display the configuration for the peergrp EU_branches. config user peergrp edit EU_branches...
  • Page 244 Users and authentication
  • Page 245: VPN

    Internet Protocol Security (IPSec); Point-to-Point Tunneling Protocol (PPTP); Layer Two Tunneling Protocol (L2TP); Phase 1; Phase 2; Manual key; Concentrator; Ping Generator; Monitor...
  • Page 246: Phase 1

    Select Create New to create a new phase 1 configuration. The names of existing phase 1 configurations. The IP address or domain name of a remote peer, or Dialup for a dialup client. Main or Aggressive.
  • Page 247: Phase 1 Basic Settings

    IP Address; Dynamic DNS; Mode; Authentication Method. The names of the encryption and authentication algorithms used by each phase 1 configuration. Edit, view, or delete phase 1 configurations. Select the nature of the remote connection: ...
  • Page 248 The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected. For more information, see the “config user” chapter of the FortiGate CLI Reference Guide.
  • Page 249: Phase 1 Advanced Settings

    Phase 1 advanced settings. Figure 122: Phase 1 advanced settings. P1 Proposal: Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
  • Page 250: Phase 2

    If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds. Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  • Page 251: Phase 2 List

    Remote Gateway; Lifetime (sec/kb); Status; Timeout. Phase 2 basic settings. Figure 124: Phase 2 basic settings. See “Phase 2 list” on page 251, “Phase 2 basic settings” on page 251, and “Phase 2 advanced options” on page 252.
  • Page 252: Phase 2 Advanced Options

    AES128: A 128-bit block algorithm that uses a 128-bit key. AES192: A 128-bit block algorithm that uses a 192-bit key. AES256: A 128-bit block algorithm that uses a 256-bit key. See “Concentrator” on page 256.
  • Page 253: Manual Key

    If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where: ... You can select either of the following message digests to check the authenticity of messages during an encrypted session: ...
  • Page 254: Manual Key List

    Select Create New to create a new manual key configuration. The IP address of the remote peer or client. The names of the encryption algorithms used in the configuration. The names of the authentication algorithms used in the configuration. Edit, view, or delete manual key configurations.
  • Page 255: Manual Key Options

    Encryption Algorithm; Encryption Key. Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0xbb8 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
  • Page 256: Concentrator

    If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the FortiGate configuration before it can be selected here. See “Concentrator” on page 256, “Concentrator list” on page 256, and “Concentrator options” on page 257.
  • Page 257: Concentrator Options

    To configure the ping generator, go to VPN > IPSEC > Ping Generator. Select Create New to define a new concentrator for an IPSec hub-and-spoke configuration. The tunnels that are associated with the concentrator.
  • Page 258: Ping Generator Options

    If you want to generate traffic on a second VPN tunnel simultaneously, enter a second IP address from which traffic may originate locally. Enter the IP address of the second computer to ping. See “Dialup monitor” on page 259 and “Static IP and dynamic DNS monitor” on page 259.
  • Page 259: Dialup Monitor

    You can also start and stop individual tunnels from the list. Figure 132: Static IP and dynamic DNS monitor. Stop all dialup tunnels and stop the traffic passing through all dialup tunnels. Dialup users may have to reconnect to establish new VPN sessions.
  • Page 260: PPTP

    IP addresses. The IP address of the remote peer. Take down the selected VPN tunnel. The remote VPN peer may have to reconnect to establish a new VPN session. Establish the selected VPN tunnel.
  • Page 261: L2TP

    Ending IP; User Group; Disable L2TP. You must add a user group before you can select the option. Type the starting address in the range of reserved IP addresses. Type the ending address in the range of reserved IP addresses.
  • Page 262: Certificates

    Select to save a copy of the certificate request to a local computer. Send the request to your CA to obtain a certificate for the FortiGate unit.
  • Page 263: Certificate Request

    FortiGate unit’s public static IP address, domain name, or email address. To generate a certificate request, go to VPN > Certificates > Local Certificates. Select Generate. Figure 137: Generating a certificate signing request.
  • Page 264: Importing Signed Certificates

    Contact email address. The CA may choose to deliver the digital certificate to this address. Only RSA is supported. Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all IPSec VPN products support all three key sizes.
  • Page 265: CA Certificate List

    Figure 140: Importing a CA certificate. Browse to the location on the management PC where the certificate has been saved, select the certificate, and then select OK. Select OK. Select to import a CA root certificate. See page 265.
  • Page 266: VPN Configuration Procedures

    “Configuring L2TP VPNs” describes how to configure the FortiGate unit to operate as an L2TP network server. “Monitoring and Testing VPN Tunnels” outlines some general monitoring and testing procedures for VPNs. See “Phase 1” on page 246 and “Phase 2” on page 253.
  • Page 267 Interface/Zone; Address Name; Schedule; Service; Action; VPN Tunnel. Source: Select the local interface to the internal (private) network. Destination: Select the local interface to the external (public) network. Source: Select the name that corresponds to the local network, server(s), or host(s) from which IP packets may originate.
  • Page 268: PPTP Configuration Procedures

    To perform Steps 3 and 4, see “Users and authentication” on page 233 and “PPTP range” on page 260. See also “L2TP range” on page 261.
  • Page 269: CLI Configuration

    Command syntax pattern: config vpn ipsec phase1 edit <name_str> set <keyword> <variable>; config vpn ipsec phase1 edit <name_str> unset <keyword>. ipsec phase1 command keywords and variables: dpd-idlecleanup <seconds_integer>; dpd-idleworry <seconds_integer>. Description: The DPD long idle setting when dpd is set to enable.
  • Page 270 1000 set dpd-idleworry 150 set dpd-retrycount 5 set dpd-retryinterval 30 (availability: all models; dpd must be set to enable).
  • Page 271: IPSec Phase2

    Keywords and variables: bindtoif <interface-name_str>; dstaddr <name_str>; dstport <port_integer>; protocol <protocol_integer>. Command syntax pattern: config vpn ipsec phase2 edit <name_str> set <keyword> <variable>; config vpn ipsec phase2 edit <name_str> unset <keyword>; config vpn ipsec phase2 delete <name_str>...
  • Page 272: IPSec VIP

    The srcport range is 1 to 65535. To specify all ports, type 0.
  • Page 273 FortiGate unit through an IPSec VPN tunnel on the external interface of the FortiGate unit. Similar commands must be entered on the FortiGate unit at the other end of the IPSec VPN tunnel. config vpn ipsec vip edit <vip_integer>...
  • Page 274: Configuring IPSec Virtual IP Addresses

    Figure 141: A typical site-to-site configuration using the IPSec VIP feature (FortiGate_1, external interface, Host_1 192.168.12.1 on the Finance Network 192.168.12.0/24; FortiGate_2, external interface, Host_2 192.168.12.2 on the HR Network 192.168.12.0/24; connected across the Internet). get vpn ipsec vip; get vpn ipsec vip 1; show vpn ipsec vip.
  • Page 275 IP addresses can be accessed at the local end of the VPN tunnel (see “ipsec vip” on page 272). ...from Host_2 on the HR network, enter the following CLI commands on FortiGate_2. See “Phase 1” on page 246. For example, to enable access to Host_2 on the HR network from...
  • Page 276
  • Page 277: IPS

    Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see... Table 23 describes the IPS settings.
  • Page 278: Signature

    The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
  • Page 279: Predefined Signature List

    If logging is disabled and action is set to Pass, the signature is effectively disabled. The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection based attacks.
  • Page 280: Configuring Predefined Signatures

    The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
  • Page 281: Configuring Parameters for Dissector Signatures

    Configuring parameters for dissector signatures. The following predefined dissector signatures have configurable parameters (including http_decoder, rpc_decoder, and tcp_reassembler). Figure 145: Example of dissector signature parameters: tcp_reassembler. Figure 146: Example of dissector signature parameters: p2p.
  • Page 282: Custom

    (the default) no change is made to the codepoint in the IP header. Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group. Select Create New to create a new custom signature.
  • Page 283: Adding Custom Signatures

    Backing up and restoring custom signature files: For information on backing up and restoring the custom signature list, see “Backing up and Restoring”. Remove all the custom signatures from the custom signature group. Reset all the custom signatures to the recommended settings.
  • Page 284: Anomaly

    The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly. See “Anomaly CLI configuration”.
  • Page 285: Configuring An Anomaly

    If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection based attacks.
  • Page 286 FortiGate session table, and does not send a reset. Session Pass: The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Traffic over the specified threshold triggers the anomaly.
  • Page 287: Anomaly CLI Configuration

    Keywords and variables: ipaddress <address_ipv4mask>; threshold <threshold_integer>. Example: Use the following command to configure the limit for the tcp_src_session anomaly. Command syntax pattern: config limit edit <name_str> set <keyword> <variable>; config limit edit <name_str> unset <keyword>; config limit delete <name_str>...
  • Page 288: Configuring IPS Logging and Alert Email

    You can change the default fail open setting using the CLI: config sys global, set ips-open [enable | disable]. Enable ips_open to cause the IPS to fail open and disable ips_open to cause the IPS to fail closed. See “Log & Report” on page 339.
  • Page 289: Antivirus

    Add signature to outgoing emails: Create and enable a signature to append to outgoing emails (SMTP only). ...describes the antivirus settings and where to configure and access them. See “Protection profile options”.
  • Page 290: File Block

    IPS (attack) engines and definitions, as well as the local spam RBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see... This chapter describes: ...
  • Page 291: File Block List

    File block list has the following icons and features: Create New; Apply; Pattern; Check All; HTTP. The file block list includes patterns for executable files (*.bat, *.com, and *.exe), compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip), dynamic link libraries (*.dll), and HTML applications (*.hta).
  • Page 292: Configuring the File Block List

    You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. This section describes: ...
  • Page 293: Quarantined Files List Options

    EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
  • Page 294: Autosubmit List

    (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
  • Page 295: Config

    Low disk space: Select the action to take when the local disk is full: overwrite the oldest file or ... Enable AutoSubmit. Apply. Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning. Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristics.
  • Page 296: Config

    So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold. Virus list. Config. Grayware. Grayware options. To find out how to use the Fortinet Update Center, see page 118.
  • Page 297: Grayware

    Grayware categories are populated with known executable files. Each time the FortiGate unit receives a virus and attack definitions update, the grayware categories and contents are updated. Figure 159: Sample grayware options. See “CLI configuration”. Grayware...
  • Page 298 Select Enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
  • Page 299: CLI Configuration

    Table 26: antivirus heuristic command keywords and variables. Keywords and variables: mode {pass | block | disable}. Example: This example shows how to disable heuristic scanning. Command syntax pattern: config antivirus heuristic set <keyword> <variable>; config antivirus heuristic unset <keyword>; get antivirus heuristic...
  • Page 300: Config Antivirus Quarantine

    Quarantine files found by heuristic scanning in traffic for the specified protocols. Default: imap, smtp, pop3, http. Availability: FortiGate models numbered 200 and higher. Command syntax pattern: config antivirus service http set <keyword> <variable>
  • Page 301 If any one of the uncompressed files is larger than the limit, the file is passed without scanning, but the total size of all uncompressed files within the original file can be greater than the uncompsizelimit. config antivirus service http unset <keyword>...
  • Page 302: Config Antivirus Service FTP

    70; set port 80; set port 443; get antivirus service http; show antivirus service http. Command syntax pattern: config antivirus service ftp set <keyword> <variable>; config antivirus service ftp unset <keyword>; get antivirus service [ftp]; show antivirus service [ftp].
  • Page 303 This example shows how to display the antivirus FTP traffic settings. This example shows how to display the configuration for antivirus FTP traffic. Description: Set the maximum file size that can be buffered to memory for virus scanning.
  • Page 304: Config Antivirus Service POP3

    Enter a value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended). See “How file size limits work” on page 301. Default: 10 (MB). Availability: All models.
  • Page 305: Config Antivirus Service IMAP

    Use this command to configure how the FortiGate unit handles antivirus scanning of large files in IMAP traffic and what ports the FortiGate unit scans for IMAP. Command syntax pattern. config antivirus service pop3; set memfilesizelimit 20...
  • Page 306 25; set uncompsizelimit 50; set port 143; set port 993; get antivirus service imap; show antivirus service imap. Default: 10 (MB). Availability: All models.
  • Page 307: Config Antivirus Service SMTP

    <MB_integer>; port <port_integer>; uncompsizelimit <MB_integer>. How file size limits work. Command syntax pattern: config antivirus service smtp set <keyword> <variable>; config antivirus service smtp unset <keyword>; get antivirus service [smtp]; show antivirus service [smtp]. Description: Set the maximum file size that can be buffered to memory for virus scanning.
  • Page 308 This example shows how to display the configuration for antivirus SMTP traffic. config antivirus service smtp; set memfilesizelimit 100; set uncompsizelimit 1000; set port 25; set port 465; get antivirus service smtp; show antivirus service smtp.
  • Page 309: Web Filter

    Enabling this option will prevent the unintentional download of virus files, but can cause download interruptions. Web Filter setting: Web Filter > Content Block. Add words and patterns to block web pages containing those words or patterns.
  • Page 310 URL exempt. Category block. Script filter. Web Filter setting: Web Filter > Category Block > Configuration. Enable or disable FortiGuard and enable and set the size limit for the cache. See “Protection profile” on page 229.
  • Page 311: Content Block

    Create New. Total. Banned word. Pattern type. Language. See “Using Perl regular expressions”. Web content block list. Web content block options. Configuring the web content block list. Select Create New to add a banned word to the web content block list.
  • Page 312: Configuring The Web Content Block List

    See “Using Perl regular expressions” on page 335. Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list.
  • Page 313: Web URL Block List

    Figure 162: Sample Web URL block list. Web URL block options. Web URL block has the following icons and features: Create New, Total. Web URL block list. Web URL block options. Configuring the web URL block list. Web pattern block list...
  • Page 314: Configuring The Web URL Block List

    FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings.
  • Page 315: Web Pattern Block Options

    This section describes: ... Select Create New to add a new pattern to the web pattern block list. The current list of blocked patterns. Select the check box to enable all the web patterns in the list.
  • Page 316: URL Exempt List

    Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons.
  • Page 317: Category Block

    FortiGuard managed web filtering service. FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
  • Page 318: Category Block Configuration Options

    FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking.
  • Page 319: Configuring Web Category Block

    You can view reports for a range of hours or days, or you can view a complete report of all activity. Figure 169: Sample report. Time to live: The number of seconds to store URL ratings in the cache before contacting the server again.
  • Page 320: Category Block Reports Options

    The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame.
  • Page 321: Script Filter

    If the show command returns you to the prompt, the settings are at default. Script filter. You can configure the FortiGate unit to filter certain web scripts. You can filter Java applets, cookies, and ActiveX controls from web pages. config webfilter catblock set <keyword> <variable>; config webfilter catblock unset <keyword>...
  • Page 322: Web Script Filter Options

    You can configure the following options for script filtering: Javascript, Cookies, ActiveX. Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications.
  • Page 323: Spam Filter

    This section describes the spam filter settings and where to configure and access them. See “Protection profile options”. Spam filter setting: Spam Filter >...
  • Page 324 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. See “Protection profile” on page 229.
  • Page 325: FortiShield

    FortiShield. FortiShield is an antispam system from Fortinet that uses an IP address black list and spam filtering tools. FortiShield compiles the IP address list from email captured by spam probes located around the world. Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address list.
  • Page 326: FortiShield Options

    You can enable or disable FortiShield in a firewall protection profile. See “Spam filtering options”. FortiShield options. If you have ordered FortiShield through Fortinet technical support or are using the free 30-day trial, you only need to enable the service to start configuring and using FortiShield.
  • Page 327: IP Address

    Figure 172: Sample IP address list. IP address options. IP address list has the following icons and features: Create New, Total, IP address/Mask (x.x.x.x/x.x.x.x, for example 62.128.69.100/255.255.255.0, or x.x.x.x/x, for example 62.128.69.100/24). IP address list. IP address options. Configuring the IP address list. Select Create New to add an IP address to the IP address list.
  • Page 328: Configuring The IP Address List

    Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons.
  • Page 329: RBL & ORDBL List

    Configuring the RBL & ORDBL list. To add a server to the RBL & ORDBL list: Go to Spam Filter > RBL & ORDBL. Select Create New. See “DNS”. RBL & ORDBL list. RBL & ORDBL options. Configuring the RBL &...
  • Page 330: Email Address

    Configuring the email address list. Select Create New to add an email address to the email address list. The number of items in the list. The Page up, Page down, and Remove all entries icons.
  • Page 331: Configuring The Email Address List

    Spammers will often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters. The current list of email addresses. The pattern type used in the email address entry. Choose from wildcard or regular expression.
  • Page 332: MIME Headers List

    Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 335.
  • Page 333: Configuring The MIME Headers List

    /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive. See “Using Perl regular expressions” on page 335. This section describes: Banned word list. Banned word options. Configuring the banned word list.
  • Page 334: Banned Word List

    Traditional Chinese, French, Japanese, Korean, Thai, or Western. The location in which the FortiGate unit searches for the banned word: subject, body, or all. The selected action to take on email with banned words. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 335.
  • Page 335: Configuring The Banned Word List

    Perl regular expressions. See http://www.perldoc.com/perl5.8.0/pod/perlre.html for detailed information about using Perl regular expressions. Enter the word or phrase you want to include in the banned word list. Select the pattern type for the banned word. Choose from wildcard or regular expression.
  • Page 336 [abc]. fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To match fortinet.com, the regular expression should be: fortinet\.com. forti*\.com matches fortiiii.com but does not match fortinet.com. Matches abc (that exact character sequence, but anywhere in the string).
  • Page 337 /student loans/i; /you’re already approved/i; /special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i. Either of Abc and abc. Any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa). Any (nonempty) string which does not contain any of a, b and c (such as defg). Any two decimal digits, such as 42;...
  • Page 338 Configuring the banned word list
  • Page 339: Log & Report

    Log & Report. FortiGate units provide extensive logging capabilities for traffic, system, and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged.
  • Page 340: Log Config

    A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units and other firewall units. To enable content archiving with a firewall Protection profile, you need to select the FortiLog option and define its IP address.
  • Page 341 Local ID: Pre-shared key. Table 31. The FortiGate system memory. The FortiGate system memory has a limited capacity and only displays the most recent log entries. Traffic and content logs cannot be stored in the memory buffer. When the memory is full, the FortiGate unit begins to overwrite the oldest messages.
  • Page 342 Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Antivirus Log file, Web Filter Log file, Attack Log file, Spam Filter Log file, and Content Archive file. See Table 31, “Logging...
  • Page 343: Syslog Settings

    Traffic log messages do not generally have a severity level higher than Notification. Also, ... The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert, and Emergency level messages.
  • Page 344: Alert E-Mail Options

    The interval to wait before sending an alert e-mail for notification level log messages. The interval to wait before sending an alert e-mail for information level log messages. Select Apply to activate any additions or changes to configuration.
  • Page 345: Log Filter Options

    For each logging location you enable, you can create a customized log filter based on the log types described in the following sections. Note: Log locations must be enabled in Log Setting to be available for selection in the Log Filter. Log filter options...
  • Page 346: Traffic Log

    You can apply the following filters: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings. The FortiGate unit logs all traffic that violates the firewall policy settings.
  • Page 347 Monitored category ratings. Category rating errors. The FortiGate unit logs all system-related events, such as ping server failure and gateway status. The FortiGate unit logs all IPSec negotiation events, such as progress and error reports. The FortiGate unit logs all DHCP events, such as the request and response log.
  • Page 348: Configuring Log Filters

    The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic.
  • Page 349: Log Access

    Figure 186: Sample list of logs stored on the FortiGate disk. Viewing log messages. You can view log messages saved to the memory buffer. Figure 187: Viewing log messages. Viewing log messages. Searching log messages...
  • Page 350 Select Raw to switch to an unformatted log message display. Select Formatted to switch to a log message display organized into columns. ->: Right arrow button. Select to move selected fields from the Available fields list to the Show these fields list.
  • Page 351: Searching Log Messages

    Display the log messages you want to search. For more information, see “Viewing log messages”. Select Advanced Search. The Log Search window is displayed. <-: Left arrow button. Select to move selected fields from the Show these fields list to the Available fields list.
  • Page 352: CLI Configuration

    The message must contain all of the keywords. The message must contain at least one of the keywords. The message must contain none of the keywords. config log fortilog setting set <keyword> <variable>; config log fortilog setting unset <keyword>.
  • Page 353 This example shows how to display the log setting for logging to a FortiLog unit. This example shows how to display the configuration for logging to a FortiLog unit. If the show command returns you to the prompt, the settings are at default. get log fortilog setting; show log fortilog setting...
  • Page 354: Syslogd Setting

    Enter the IP address of the syslog server that stores the logs. Enter enable to enable logging to a remote syslog server. Defaults: disable; local7; No default; disable. Availability: All models.
  • Page 355 This example shows how to display the configuration for logging to a remote syslog server. If the show command returns you to the prompt, the settings are at default. Description: security/authorization messages; security/authorization messages (private); clock daemon...
  • Page 356 Log & Report
  • Page 357: Fortiguard Categories

    FortiGuard categories. FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
  • Page 358 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.
  • Page 359 24. File Sharing and Storage; 25. Streaming Media. Potentially Security Violating: 26. Malicious Web Sites; 27. Spyware. Description: Sites that provide information about, promote, or support the sale of weapons and related items. Sport Hunting and Gun Clubs -- Sites that provide...
  • Page 360 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.
  • Page 361 44. Society and Lifestyles; 45. Special Events; 46. Sports; 47. Travel; 48. Vehicles. Description: Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies, white and yellow pages, and public statistical data. Traditional Religions -- Sites that provide information...
  • Page 362 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, 'Address Allocation for Private Internets'. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities.
  • Page 363: Glossary

    VPN peer uses its identity as part of the authentication process. See also main mode. AH, Authentication Header: An IPSec security protocol. Fortinet IPSec uses ESP in tunnel mode, not AH. See ESP. ARP, Address Resolution Protocol: A protocol that resolves a logical IP address to a physical Ethernet address.
  • Page 364 MB, Megabyte: A unit of storage (1 048 576 bytes). MIB, Management Information Base: A database of objects that can be monitored by an SNMP network manager. modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.
  • Page 365 A hardware device that connects computers on the Internet together and routes traffic between them. A router may connect a LAN and/or DMZ to the Internet. routing: The process of determining which path to use for sending packets to a destination.
  • Page 366 VPN devices cannot be intercepted. worm: A harmful program that replicates itself until it fills a computer or network, which can shut the system down.
  • Page 367: Index

    195, 196; maximum 195, 196; banned word spam 333; bindtoif 271; border-routers 163; browsing the Internet through a VPN tunnel 253; CA certificates 264; Certificate Name 248, 264; CLI 18...
  • Page 368 33; upgrading using the CLI 34, 36; upgrading using the web-based manager 33, 35; Fortilog logging settings 341; fortilog setting 352; Fortinet customer service 23; FortiProtect Distribution Network 118; FortiProtect Distribution Server 118; from IP system status 32...
  • Page 369 96; up time 95; virus detected 96; heartbeat failover 84; heartbeat device IP addresses HA 89; hello-interval 174, 182; High Availability 85; high availability introduction 18; http 230; HTTPS 18, 204; HA schedule 88; ICMP 205...
  • Page 370 211, 212, 213; options changing system options 82; OSPF 164; out-interface 273; override master HA 87; P1 Proposal, Phase 1 249; P2 Proposal, Phase 2 252; passive-interface 166; password HA 87; Pattern block options 315
  • Page 371 IP address changes 123; management IP address changes 124; through a NAT device 124; through a proxy server 122; Quarantine 292; Quarantine list 292; Quick Mode Identities 253; random HA schedule 88; RBL and ORDBL 328; read &...
  • Page 372 HA 86; up time HA monitor 95; update push 123; upgrade firmware 33; upgrading firmware using the CLI 34, 36; firmware using the web-based manager 33, 35; Uploading a local certificate 264; URL block 312; URL exempt 315
  • Page 373 14; VLAN overview 63; VLAN subinterface bringing down 54; bringing up 54; starting 54; introduction 17; VPN certificates restore 117; upload 117; VPN Tunnel, Policy 267; VPNs 245; web content filtering introduction 14; Web filter 309, 357...
  • Page 374 Index
