Fortinet Fortigate-5000 series Administration Manual


ADMINISTRATION GUIDE
FortiGate™
Version 3.0 MR4
www.fortinet.com


Summary of Contents for Fortinet Fortigate-5000 series

  • Page 1 ADMINISTRATION GUIDE FortiGate™ Version 3.0 MR4 www.fortinet.com...
  • Page 2 Version 3.0 MR4 2 January 2007 01-30004-0203-20070102 © Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    Contents Contents Introduction ..................17 Introducing the FortiGate units ..............18 FortiGate-5000 series chassis ..............18 About the FortiGate-5000 series modules ..........19 FortiGate-3600A..................19 FortiGate-3600 .................... 20 FortiGate-3000 .................... 20 FortiGate-1000A..................20 FortiGate-1000AFA2 ................... 21 FortiGate-1000 .................... 21 FortiGate-800 ....................21 FortiGate-800F ....................
  • Page 4 Contents Web-based manager................ 33 Button bar features ..................34 Contact Customer Support ................. 34 Using the Online Help ................. 34 Logout ......................36 Web-based manager pages ................37 Web-based manager menu ................ 37 Lists......................38 Icons ......................38 System Status .................. 41 Status page ......................
  • Page 5 Contents System Network ................69 Interface......................69 Switch Mode....................71 Interface settings..................72 Configuring an ADSL interface..............74 Creating an 802.3ad aggregate interface............ 75 Creating a redundant interface..............76 Creating a wireless interface ............... 77 Configuring DHCP on an interface .............. 78 Configuring an interface for PPPoE or PPPoA ...........
  • Page 6 Configuring SNMP ..................127 Configuring an SNMP community............. 128 Fortinet MIBs..................... 130 FortiGate traps ..................131 Fortinet MIB fields ..................133 Replacement messages................136 Replacement messages list ..............137 Changing replacement messages ............138 Changing the authentication login page............ 139 Changing the FortiGuard web filtering block override page ......
  • Page 7 Troubleshooting FDN connectivity ............166 Updating antivirus and attack definitions........... 166 Enabling push updates................168 License ......................172 System Chassis (FortiGate-5000 series)........173 SMC (shelf manager card) ................173 Blades (FortiGate-5000 chassis slots)............174 Chassis monitoring event log messages ............ 176 Router Static ..................
  • Page 8 Contents OSPF....................... 194 OSPF autonomous systems ..............194 Defining an OSPF AS ................195 Viewing and editing basic OSPF settings ..........196 Selecting advanced OSPF options ............198 Defining OSPF areas ................199 Specifying OSPF networks ............... 200 Selecting operating parameters for an OSPF interface ......201 BGP.........................
  • Page 9 Contents Firewall Service ................239 Viewing the predefined service list.............. 239 Viewing the custom service list ..............243 Configuring custom services ............... 243 Viewing the service group list ..............245 Configuring service groups................245 Firewall Schedule................247 Viewing the one-time schedule list .............. 247 Configuring one-time schedules..............
  • Page 10 Contents Configuring a protection profile..............272 Antivirus options..................273 Web filtering options ................. 275 FortiGuard-Web filtering options ............... 276 Spam filtering options ................277 IPS options....................279 Content archive options ................279 IM and P2P options................... 280 Logging options..................281 VoIP options....................
  • Page 11 Contents CA Certificates ....................315 Importing CA certificates ................316 CRL ......................... 317 Importing a certificate revocation list ............317 User ....................319 Configuring user authentication ..............319 Setting authentication timeout ..............320 Setting user authentication protocol support..........320 Local user accounts ..................321 Configuring a user account ...............
  • Page 12 Contents Config ......................345 Viewing the virus list ................. 345 Viewing the grayware list ................346 Antivirus CLI configuration ................347 system global optimize................347 config antivirus heuristic................348 config antivirus quarantine ................ 348 config antivirus service <service_name> ..........348 Intrusion Protection...............
  • Page 13 Contents Content block....................364 Viewing the web content block list catalog ..........364 Creating a new web content block list ............365 Viewing the web content block list ............365 Configuring the web content block list............366 Viewing the web content exempt list catalog ..........367 Creating a new web content exempt list ...........
  • Page 14 Contents Advanced antispam configuration............... 392 config spamfilter mheader................. 392 config spamfilter rbl................... 393 Using Perl regular expressions..............393 Regular expression vs. wildcard match pattern ........393 Word boundary ..................394 Case sensitivity ..................394 Perl regular expression formats ..............394 Example regular expressions..............
  • Page 15 Contents Log types......................415 Traffic log ....................415 Event log ....................416 Antivirus log....................417 Web filter log ..................... 417 Attack log ....................418 Spam filter log ................... 418 IM and P2P log..................418 VoIP log..................... 419 Log Access..................... 419 Accessing log messages stored in memory ..........
  • Page 17: Introduction

    Introduction Introduction Welcome and thank you for selecting Fortinet products for your real-time network protection. FortiGate™ ASIC-accelerated multi-threat security systems improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
  • Page 18: Introducing The Fortigate Units

    FortiGate-5140 chassis You can install up to 14 FortiGate-5000 series modules in the 14 slots of the FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to -48 VDC Data Center DC power.
  • Page 19: About The Fortigate-5000 Series Modules

    Introducing the FortiGate units FortiGate-5020 chassis You can install one or two FortiGate-5000 series modules in the two slots of the FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The FortiGate-5020 chassis also includes an internal cooling fan tray.
  • Page 20: Fortigate-3600

    The FortiGate-1000A automatically keeps its FortiGuard Subscription Services information up to date through the FortiGuard Distribution Network, ensuring around-the-clock protection against the latest viruses, worms, trojans and other threats. The FortiGate-1000A has a flexible architecture that quickly adapts to emerging technologies such as IM, P2P or VoIP, including identity theft methods such as spyware, phishing and pharming attacks.
  • Page 21: Fortigate-1000Afa2

    The FortiGate-1000AFA2 features two extra optical fiber ports with Fortinet’s FortiAccel™ technology, enhancing small packet performance. The FortiGate-1000AFA2 also delivers critical security functions in a hardened security platform, tuned for reliability, usability, rapid deployment, low operational costs and most importantly a superior detection rate against known and unknown anomalies.
  • Page 22: Fortigate-500A

    Introducing the FortiGate units Introduction FortiGate-500A The FortiGate-500A unit provides the carrier-class levels of performance and reliability demanded by large enterprises and service providers. With a total of 10 network connections (including a 4-port LAN switch) and high-availability features with automatic failover with no session loss, the FortiGate-500A is the choice for mission critical applications.
  • Page 23: Fortigate-300

    Introduction Introducing the FortiGate units FortiGate-300 The FortiGate-300 unit is designed for larger enterprises. The FortiGate-300 unit features high availability (HA), which includes automatic failover with no session loss. This feature makes the FortiGate-300 an excellent choice for mission-critical applications. FortiGate-200A The FortiGate-200A unit is an easy-to-deploy and...
  • Page 24: Fortigate-60/60M/Adsl

    Introducing the FortiGate units Introduction FortiGate-60/60M/ADSL The FortiGate-60 unit is designed for telecommuters, remote offices, and retail stores. The FortiGate-60 unit includes an external modem port that can be used as a backup or stand alone connection to the...
  • Page 25: Fortinet Family Of Products

    Fortinet family of products Fortinet family of products Fortinet offers a family of products that includes both software and hardware appliances for a complete network security solution including mail, logging, reporting, network management, and security along with FortiGate Unified Threat Manager Systems.
  • Page 26: Fortimanager

    FortiGuard Antispam/Antivirus support, heuristic scanning, greylisting, and Bayesian scanning. Built on Fortinet’s award winning FortiOS and FortiASIC technology, FortiMail antivirus technology extends full content inspection capabilities to detect the most advanced email threats.
  • Page 27: About This Document

    The most recent version of this document is available from the FortiGate page of Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help. You can find more information about FortiOS v3.0 from the...
  • Page 28 About this document Introduction • System Chassis (FortiGate-5000 series) describes information displayed on the system chassis web-based manager pages about all of the hardware components in your FortiGate-5140 or FortiGate-5050 chassis. • Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
  • Page 29: Document Conventions

    HTML example: <BODY><H4>You must authenticate to use this service.</H4> Program output: Welcome! Variables: <address_ipv4> FortiGate documentation The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following FortiGate product documentation is available: •...
  • Page 30 FortiGate CLI commands. • FortiGate Log Message Reference Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
  • Page 31: Fortinet Tools And Documentation Cd

    Fortinet Tools and Documentation CD All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.
  • Page 32 Customer service and technical support Introduction
  • Page 33: Web-Based Manager

    Web-based manager Web-based manager This section describes the features of the user-friendly web-based manager administrative interface of your FortiGate unit. Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages.
  • Page 34: Button Bar Features

    Center. • Log into Customer Support (Support Login). • Register your FortiGate unit (Product Registration). • Find out about Fortinet Training and Certification. • Visit the FortiGuard Center. To register your FortiGate unit, go to Product Registration and follow the instructions.
  • Page 35 Display the next page in the online help. Email Send an email to Fortinet Technical Documentation at techdoc@fortinet.com. You can use this email address to let us know if you have a comment about or correction for the online help or any other Fortinet technical documentation product.
  • Page 36: Logout

    Go to the next page. Alt+7 Send an email to Fortinet Technical Documentation at techdoc@fortinet.com. You can use this email address to let us know if you have a comment about or correction for the online help or any other Fortinet technical documentation product.
  • Page 37: Web-Based Manager Pages

    Web-based manager Web-based manager pages Web-based manager pages The web-based manager interface consists of a menu and pages, many of which have multiple tabs. When you select a menu item, such as System, it expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab.
  • Page 38: Lists

    Web-based manager pages Web-based manager AntiSpam Configure email spam filtering. IM, P2P & VoIP Configure monitoring and control of internet messaging, peer-to-peer messaging, and voice over IP (VoIP) traffic. Log & Report Configure logging, alert email, and FortiGuard Log and Analysis. View log messages and reports.
  • Page 39 Web-based manager Web-based manager pages Table 2: web-based manager icons (Continued) Icon Name Description Description The tooltip for this icon displays the Description field for this table entry. Download Download a log file or back up a configuration file. or Backup Download Download a Certificate Signing Request.
  • Page 40 Web-based manager pages Web-based manager
  • Page 41: System Status

    System Status Status page System Status This section describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics.
  • Page 42 Status page System Status The System Status page is completely customizable. You can select which displays to show, where they are located on the page, and if they are minimized or maximized. Each display has an icon associated with it for easy recognition when minimized.
  • Page 43: System Information

    System Status Status page System information Figure 9: Example FortiGate-5001 System Information Serial Number The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades. Uptime The time in days, hours, and minutes since the FortiGate unit was last started.
  • Page 44: License Information

    Status page System Status Virtual Domain The status of virtual domains on your FortiGate unit. Select enable or disable to change the status of virtual domains. If you change the state of virtual domains, your session will be terminated and you will need to log in again. For more information see “Using virtual domains”...
  • Page 45 The number of virtual domains the unit supports. For FortiGate models 3000 or higher, you can select the Purchase More link to purchase a license key through Fortinet Support to increase the maximum number of VDOMs. See “License” on page 172.
  • Page 46 Status page System Status Figure 12: Customize CLI Console window Preview See how your changes will appear on the CLI console. Text Select this control, then choose a color from the color matrix to the right to change the color of the text in the CLI console. Background Select this control, then choose a color from the color matrix to the right to change the color of the background in the CLI console.
  • Page 47 System Status Status page History icon View a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information “Viewing operational history” on page CPU Usage The current CPU status displayed as a dial gauge and as a percentage.
  • Page 48 Status page System Status Reboot Select to shutdown and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs. Shutdown Select to shutdown the FortiGate unit. You will be prompted for confirmation.
  • Page 49: Changing System Information

    System Status Changing system information The information displayed in the statistics section is saved in log files that can be saved to a FortiAnalyzer unit, saved locally or backed up to an external source. You can use this data to see trends in network activity or attacks over time and deal with it accordingly.
  • Page 50: Changing The Fortigate Unit Host Name

    Changing system information System Status Figure 17: Time Settings System Time The current FortiGate system date and time. Refresh Update the display of the current FortiGate system date and time. Time Zone Select the current FortiGate system time zone. Automatically adjust Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard clock for daylight...
  • Page 51: Changing The Fortigate Firmware

    System Status Changing the FortiGate firmware Changing the FortiGate firmware FortiGate administrators whose access profiles permit maintenance read and write access can change the FortiGate firmware. Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure for the firmware change you want to perform: •...
  • Page 52: Viewing Operational History

    Viewing operational history System Status Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 167 to make sure that antivirus and attack definitions are up to date.
  • Page 53: Manually Updating Fortiguard Definitions

    161. Updating the FortiGuard AV Definitions manually Download the latest AV definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status.
  • Page 54: Viewing Statistics

    Viewing Statistics System Status In the License Information section, in the IPS Definitions field of the FortiGuard Subscriptions, select Update. The Intrusion Prevention System Definitions Update dialog box appears. In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
  • Page 55: Viewing The Content Archive Information

    System Status Viewing Statistics Source Port The source port of the connection. Destination The destination IP address of the connection. Address Destination Port The destination port of the connection. Policy ID The number of the firewall policy allowing this session or blank if the session involves only one FortiGate interface (admin session, for example).
  • Page 56: Viewing The Attack Log

    Viewing Statistics System Status Viewing archived FTP content information Go to System > Status. In the Content Archive section, select Details for FTP. Date and Time The time of access. Destination The IP address of the FTP server that was accessed. User The User ID that logged into the FTP server.
  • Page 57 System Status Viewing Statistics The intended recipient’s email address or IP address. Service The service type, such as POP or HTTP. Virus The name of the virus that was detected. Viewing attacks blocked Go to System > Status. In the Attack Log section, select Details for IPS. Date and Time The time that the attack was detected.
  • Page 58: Topology Viewer

    Topology viewer System Status Topology viewer The Topology viewer provides a way to diagram and document the networks connected to your FortiGate unit. It is available on all FortiGate units except models numbered 50 and 60. The Topology Viewer window The Topology window consists of a large “canvas”...
  • Page 59 System Status Topology viewer View and edit controls The toolbar at the top left of the Topology page shows controls for viewing and editing topology diagrams. Table 3: View/Edit controls for Topology Viewer Refresh the displayed diagram. Zoom in. Select to show a smaller portion of the drawing area in the main viewport, making objects appear larger.
  • Page 60: Customizing The Topology Diagram

    System Status Customizing the topology diagram Select the Customize button to open the Topology Customization window. Modify the settings as needed and select OK when you are finished. Figure 21: Topology Customization window Preview A simulated topology diagram showing the effect of the selected appearance options.
  • Page 61: Using Virtual Domains

    Using virtual domains Virtual domains Using virtual domains This section describes how to use virtual domains to operate your FortiGate unit as multiple virtual units, providing separate firewall and routing services to multiple networks. The following topics are included in this section: •...
  • Page 62: Vdom Configuration Settings

    Virtual domains Using virtual domains By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250.
  • Page 63: Global Configuration Settings

    Using virtual domains Virtual domains • User settings • Users • User groups • RADIUS and LDAP servers • Microsoft Windows Active Directory servers • P2P Statistics (view/reset) • Logging configuration, log access and log reports Global configuration settings The following configuration settings affect all virtual domains. When virtual domains are enabled, only the default super admin can access global settings.
  • Page 64: Enabling Vdoms

    Enabling VDOMs Using virtual domains Enabling VDOMs Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit. To enable virtual domains Log in to the web-based manager as admin. Go to System > Status. In System Information, next to Virtual Domain select Enable.
  • Page 65: Working With Vdoms And Global Settings

    Using virtual domains Configuring VDOMs and global settings Working with VDOMs and global settings When you log in as admin and virtual domains are enabled, you are automatically in global configuration, as indicated by the VDOM option under System. Select System > VDOM to work with virtual domains. Figure 22: VDOM list Create New Select to add a new VDOM.
  • Page 66: Assigning An Administrator To A Vdom

    Configuring VDOMs and global settings Using virtual domains VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super admin must first create the VDOM, then create the VLAN subinterface, and assign it to the required VDOM. System >...
  • Page 67: Changing The Management Vdom

    Using virtual domains Configuring VDOMs and global settings A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super admin can connect to the web-based manager or CLI through any interface on the FortiGate unit that permits management access.
  • Page 68 Configuring VDOMs and global settings Using virtual domains
  • Page 69: System Network

    System Network Interface System Network This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration. The following topics are included in this section: •...
  • Page 70 Interface System Network Figure 23: Interface list - regular administrator view Figure 24: Interface list - admin view with virtual domains enabled Create New Select Create New to create a VLAN subinterface. On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface.
  • Page 71: Switch Mode

    System Network Interface Name The names of the physical interfaces on your FortiGate unit. The name and number of a physical interface depends on the model. Some names indicate the default function of the interface such as Internal, External and DMZ. Other names are generic such as port1. FortiGate models numbered 50 and 60 provide a modem interface.
  • Page 72: Interface Settings

    Interface System Network Figure 25: Switch Mode Management Switch Mode Select Switch Mode. Only one internal interface is displayed. This is the default mode. Interface Mode Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces. Select to save your changes and return to the Interface screen.
  • Page 73 System Network Interface Name Enter a name for the interface. You cannot change the name of an existing interface. Type On models 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces. On models WiFi-60A and WiFi-60AM, you can create wireless interfaces and VLAN subinterfaces.
  • Page 74: Configuring An Adsl Interface

    Interface System Network PING Interface responds to pings. Use this setting to verify your installation and for testing. HTTP Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
  • Page 75: Creating An 802.3Ad Aggregate Interface

    System Network Interface Figure 28: Settings for an ADSL interface Address mode Select the addressing mode that your ISP specifies. IPOA IP over ATM. Enter the IP address and netmask that your ISP provides. Ethernet over ATM, also known as Bridged mode. Enter the IP address and netmask that your ISP provides.
  • Page 76: Creating A Redundant Interface

    Interface System Network Figure 29: Settings for an 802.3ad aggregate interface To create an 802.3ad Aggregate interface Go to System > Network > Interface. Select Create New. In the Name field, enter a name for the aggregated interface. The interface name must not be the same as any other interface, zone or VDOM. From the Type list, select 802.3ad Aggregate.
  • Page 77: Creating A Wireless Interface

    System Network Interface • it is not referenced in any firewall policy, VIP, IP Pool or multicast policy • it is not monitored by HA When an interface is included in a redundant interface, it is not listed on the System >...
  • Page 78: Configuring Dhcp On An Interface

    Interface System Network In the Wireless Settings section, enter the following information: Figure 31: Wireless interface settings SSID Enter the wireless network name that the FortiWiFi-60 unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
  • Page 79 System Network Interface Figure 32: Interface DHCP settings Figure 33: ADSL interface DHCP settings Status Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. This is only displayed if you selected Edit.
  • Page 80: Configuring An Interface For Pppoe Or Pppoa

    Interface System Network Override internal DNS Enable Override internal DNS to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On models numbered 100 and lower, you should also enable Obtain DNS server address automatically in System >...
  • Page 81: Configuring Dynamic Dns Service For An Interface

    System Network Interface Status Displays PPPoE or PPPoA status messages as the FortiGate unit connects to the PPPoE or PPPoA server and gets addressing information. Select Status to refresh the addressing mode status message. This is only displayed if you selected Edit. Status can be one of the following four messages.
  • Page 82: Configuring A Virtual Ipsec Interface

    Interface System Network If at any time your FortiGate unit cannot contact the DDNS server, it retries three times at one-minute intervals and then changes to retrying at three-minute intervals. This prevents flooding the DDNS server. Figure 36: DDNS service configuration Server Select a DDNS server to use.
  • Page 83: Additional Configuration For Interfaces

    System Network Interface Name The name of the IPSec interface. Virtual Domain Select the VDOM of the IPSec interface. If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote Remote IP ends of the tunnel.
  • Page 84 Interface System Network Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 153). For more information on configuring administrative access in Transparent mode, “Operation mode and VDOM management access” on page 141.
  • Page 85 System Network Interface Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface. Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
  • Page 86 Interface System Network IP/Netmask Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.
  • Page 87: Zone

    System Network Zone Zone You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, but not between interfaces in the zone. You can add zones, rename and edit zones, and delete zones from the zone list.
  • Page 88: Network Options

    Network Options Network options include DNS server and dead gateway detection settings. These options are set on the Configuring Network Options screen. Go to System > Network > Options to configure DNS servers and Dead Gateway Detection settings. Figure 41: Networking Options - FortiGate models 200 and higher Figure 42: Networking Options - models numbered 100 and lower Obtain DNS server address...
  • Page 89: Dns Servers

    Enable DNS forwarding from This option applies only to FortiGate models 100 and lower operating in NAT/Route mode. Select the interfaces that forward DNS requests they receive to the DNS servers that you configured. Dead Gateway Detection Dead gateway detection confirms connectivity using a ping server added to an interface configuration.
  • Page 90: Routing Table (Transparent Mode)

    Routing table (Transparent Mode) In Transparent mode, go to System > Network > Routing Table to add static routes from the FortiGate unit to local routers. Figure 43: Routing table Create New Add a new route. # Route number.
  • Page 91: Configuring The Modem Interface

    Configuring the modem interface On FortiGate models with modem support, you can use the modem as either a backup interface or a standalone interface in NAT/Route mode. • In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
  • Page 92 Figure 46: Modem settings (Redundant) Enable Modem Select to enable the FortiGate modem. Modem status The modem status shows one of: “not active”, “connecting”, “connected”, “disconnecting” or “hung up” (Standalone mode only). Dial Now/Hang Up (Standalone mode only) Select Dial Now to manually connect to a dialup account.
  • Page 93: Redundant Mode Configuration

    Phone Number The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
  • Page 94: Standalone Mode Configuration

    Configure firewall policies for connections to the modem interface. See “Adding firewall policies for modem connections” on page Standalone mode configuration In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets.
  • Page 95: Connecting And Disconnecting The Modem

    Connecting and disconnecting the modem The modem must be in Standalone mode. To connect to a dialup account Go to System > Network > Modem. Select Enable USB Modem. Make sure there is correct information in one or more Dialup Accounts. Select Apply if you make any configuration changes.
  • Page 96: Vlan Overview

    VLAN overview A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, independent of where they are located. For example, the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments, but still belong to the same VLAN.
  • Page 97: Vlans In Nat/Route Mode

    VLANs in NAT/Route mode Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains.
  • Page 98: Adding Vlan Subinterfaces

    Figure 37 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200).
  • Page 99: Vlans In Transparent Mode

    Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. If you are the super admin, select the virtual domain to add this VLAN subinterface to.
  • Page 100 VLANs in Transparent mode If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration.
  • Page 101: Rules For Vlan Ids

    Figure 50: FortiGate unit in Transparent mode (diagram: Internet, router, untagged packets, VLAN switches, VLAN trunks carrying VLAN 1, VLAN 2 and VLAN 3 through the FortiGate unit)
  • Page 102 To add a VLAN subinterface in Transparent mode The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096.
  • Page 103 Figure 51: FortiGate unit with two virtual domains in Transparent mode (diagram: root virtual domain and new virtual domain, external and internal interfaces, VLAN trunks carrying VLAN1, VLAN2 and VLAN3 between VLAN switches and the Internet)
  • Page 104: Troubleshooting Arp Issues

    Troubleshooting ARP Issues Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.
  • Page 105: System Wireless

    System Wireless This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The following topics are included in this section: • The FortiWiFi wireless LAN interface • Channel assignments • System wireless settings (FortiWiFi-60) •...
  • Page 106: Channel Assignments

    Channel assignments The following tables list the channel assignments for wireless LANs. Table 5: IEEE 802.11a (5-GHz Band) channel numbers. Columns: Channel number, Frequency (MHz), Regulatory Areas (Americas, Europe, Taiwan, Singapore, Japan). Rows begin: 5170 – – – 5180 –...
  • Page 107: System Wireless Settings (Fortiwifi-60)

    System wireless settings (FortiWiFi-60) Table 7: IEEE 802.11g (2.4-GHz Band) channel numbers. Columns: Channel number, Frequency (MHz), Regulatory Areas (Americas, EMEA, Israel, Japan), each with OFDM and CCK sub-columns. Rows begin: 2412 – – 2417 – – 2422 – – 2427 –...
  • Page 108 Geography Select your country or region. This determines which channels are available. You can select Americas, EMEA, Israel, or Japan. If you are in any other region, select World. Channel Select a channel for your FortiWiFi-60 wireless network. Users of the wireless network must configure their computers to use this channel.
  • Page 109: System Wireless Settings (Fortiwifi-60A And 60Am)

    System wireless settings (FortiWiFi-60A and 60AM) Go to System > Wireless > Settings to configure wireless LAN settings. Figure 54: Wireless parameters - FortiWiFi-60A and FortiWiFi-60AM Operation Mode The current operating mode. Access Point mode makes the FortiWiFi unit act as a wireless access point to which multiple clients can connect.
  • Page 110: Wireless Mac Filter

    Wireless MAC Filter Go to System > Wireless > MAC Filter to allow or deny wireless access to users based on their MAC address. Figure 55: Wireless MAC Filter MAC Filter Enable Enable the MAC Filter. Access for PCs not listed Select whether to allow or deny access to unlisted MAC addresses.
  • Page 111: Wireless Monitor

    Wireless Monitor Go to System > Wireless > Monitor to see who is connected to your wireless LAN. This feature is available only if you are operating the wireless interface in WPA security mode. Figure 56: Wireless Monitor (FortiWiFi-60) Figure 57: Wireless Monitor (FortiWiFi-60A and 60AM) Statistics Statistical information about wireless performance for each...
  • Page 112 Wireless Monitor System Wireless FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102...
  • Page 113: System Dhcp

    System DHCP This section describes how to use DHCP to provide convenient automatic network configuration for your clients. The following topics are included in this section: • FortiGate DHCP servers and relays • Configuring DHCP services •...
  • Page 114: Configuring Dhcp Services

    Configuring DHCP services Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay and add DHCP servers as needed. On FortiGate models 50 and 60, a DHCP server is configured, by default, on the Internal interface, as follows: IP Range 192.168.1.110 to 192.168.1.210...
  • Page 115: Configuring An Interface As A Dhcp Relay Agent

    Configuring an interface as a DHCP relay agent Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay configuration for an interface. Figure 59: Edit DHCP relay settings for an interface Interface Name The name of the interface.
  • Page 116: Viewing Address Leases

    Name Enter a name for the DHCP server. Enable Enable the DHCP server. Type Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address. IP Range Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients.
  • Page 117: Reserving Ip Addresses For Specific Clients

    MAC The MAC address of the device to which the IP address is assigned. Expire Expiry date and time of the DHCP lease. Reserving IP addresses for specific clients You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec.
  • Page 119: System Config

    FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center. Note: For FortiOS v3.0 MR2 and previous versions, this HA section included extensive detail about HA. Starting with FortiOS v3.0 MR3 you should refer to the...
  • Page 120 If HA is already enabled, go to System > Config > HA to display the cluster members list. Select edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other cluster units.
  • Page 121 Figure 63: FortiGate-5001SX HA virtual cluster configuration Mode Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. When configuring a cluster, you must set all members of the HA cluster to the same HA mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active.
  • Page 122: Cluster Members List

    Group Name Add a name to identify the cluster. The maximum group name length is 7 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating you can change the group name.
  • Page 123 Figure 64: Example FortiGate-5001SX cluster members list (callouts: Download Debug Log, Edit, Up and Down Arrows, Disconnect from Cluster) If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster.
  • Page 124 126. Download debug log Download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units.
  • Page 125: Viewing Ha Statistics

    Viewing HA statistics From the cluster members list you can select View HA statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics. Figure 66: Example HA statistics (active-passive cluster) Refresh every Select to control how often the web-based manager updates the HA...
  • Page 126: Changing Subordinate Unit Host Name And Device Priority

    Changing subordinate unit host name and device priority To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.
  • Page 127: Snmp

    SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager.
  • Page 128: Configuring An Snmp Community

    Queries The status of SNMP queries for each SNMP community. The query status can be enabled or disabled. Traps The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled. Enable Select Enable to activate an SNMP community.
  • Page 129 Figure 71: SNMP community options (part 2) Community Name Enter a name to identify the SNMP community. Hosts Enter the IP addresses of the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit. IP Address The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit.
  • Page 130: Fortinet Mibs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 131: Fortigate Traps

    FortiGate traps The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. To receive traps, you must load and compile the Fortinet 3.0 MIB into the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number and hostname.
  • Page 132 Table 12: FortiGate IPS traps. Trap message / Description: IPS Anomaly (fnTrapIpsAnomaly) IPS anomaly detected. IPS Signature (fnTrapIpsSignature) IPS signature detected. Table 13: FortiGate antivirus traps. Trap message / Description: Virus detected (fnTrapAvEvent) The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message.
  • Page 133: Fortinet Mib Fields

    The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.
  • Page 134 Table 19: Administrator accounts. MIB field / Description: fnAdminNumber The number of administrators on the FortiGate unit. fnAdminTable Table of administrators. fnAdminIndex Administrator account index number. fnAdminName The user name of the administrator account. fnAdminAddr An address of a trusted host or subnet from which this administrator account can be used.
  • Page 135 Table 24: Virtual domains. MIB field / Description: fnVdNumber The number of virtual domains on the FortiGate unit. fnVdTable Table of virtual domains. fnVdIndex Internal virtual domain index number on the FortiGate unit. fnVdName The name of the virtual domain. Table 25: Active IP sessions. MIB field / Description...
  • Page 136: Replacement Messages

    For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering. Note: Disclaimer replacement messages provided by Fortinet are examples only.
  • Page 137: Replacement Messages List

    Replacement messages list Figure 72: Replacement messages list Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the Authentication Disclaimer page.
  • Page 138: Changing Replacement Messages

    %%FILE%% This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages. %%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo. %%FORTINET%% The Fortinet logo. %%HTTP_ERR_CODE%% The HTTP error code, “404” for example. The HTTP error description.
  • Page 139: Changing The Authentication Login Page

    Table 28: Replacement message tags (Continued). Tag / Description: %%KEEPALIVEURL%% The auth-keepalive-page automatically connects to this URL every %%TIMEOUT%% seconds to renew the connection policy. %%NIDSEVENT%% The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages. %%OVERRIDE%% The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
  • Page 140: Changing The Fortiguard Web Filtering Block Override Page

    • The form must contain the following visible controls: • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25> • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25> Example The following is an example of a simple authentication page that meets the requirements listed above. <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>...
  • Page 141: Operation Mode And Vdom Management Access

    Operation mode and VDOM management access You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.
  • Page 142: Management Access

    Interface IP/Netmask Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit. Device Select the interface to which the Interface IP/Netmask settings apply. Default Gateway Enter the default gateway required to reach other networks from the FortiGate unit.
  • Page 143: System Admin

    System Admin This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. In its factory default configuration, the unit has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration.
  • Page 144: Configuring Radius Authentication For Administrators

    You can authenticate an administrator using a password stored on the FortiGate unit or on a RADIUS server. Optionally, you can store all administrator accounts on a RADIUS server, except for the default ‘admin’ account. RADIUS-based accounts on the same RADIUS server share the same access profile. Configuring RADIUS authentication for administrators If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator...
  • Page 145 Figure 74: Administrators list Create New Add an administrator account. Name The login name for an administrator account. Trusted hosts The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see “Using trusted hosts”...
  • Page 146: Configuring An Administrator Account

    Configuring an administrator account Use the default ‘admin’ account, an account with the super_admin access profile, or an administrator with Access Control Read Write to create a new administrator. Go to System > Admin > Administrators and select Create New. Figure 75: Administrator account configuration - local authentication Figure 76: Administrator account configuration - RADIUS authentication Figure 77: Administrator account configuration - PKI authentication...
  • Page 147 Administrator Enter the login name for the administrator account. RADIUS Select to authenticate the administrator using a RADIUS server. RADIUS authentication for administrators must be configured first. See “Configuring RADIUS authentication for administrators” on page 144. User Group If you are using RADIUS authentication, select the administrator user group that has the appropriate RADIUS server as a member.
  • Page 148: Access Profiles

    Select the type of authentication: If you are using RADIUS authentication for this administrator: • Select RADIUS. • Select Wildcard if you want all accounts on the RADIUS server to be administrators of this FortiGate unit. •...
  • Page 149 Table 29: Access profile control of access to Web-based manager pages. Access control / Affected web-based manager pages: Admin Users — System > Admin, System > Admin > FortiManager, System > Admin > Settings. Antivirus Configuration — AntiVirus. Auth Users — User. Firewall Configuration — Firewall...
  • Page 150 Table 30: Access profile control of access to CLI commands. Access control / Available CLI commands: Admin Users (admingrp) — system admin, system accprofile. Antivirus Configuration (avgrp) — antivirus. Auth Users (authgrp) — user. Firewall Configuration (fwgrp) — firewall. Use the set fwgrp custom and config fwgrp-permission commands to set some firewall permissions individually.
  • Page 151: Viewing The Access Profiles List

    Table 30: Access profile control of access to CLI commands (continued). Spamfilter Configuration (spamgrp) — spamfilter. System Configuration (sysgrp) — system except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface, and zone; execute date; execute ha; execute ping; execute ping-options; execute ping6; execute time; execute traceroute...
  • Page 152: Configuring An Access Profile

    Configuring an access profile Use the admin account or an account with Admin Users read and write access to edit an access profile. Go to System > Admin > Access Profile and select Create New. Figure 79: Access profile option Profile Name Enter the name of the access profile.
  • Page 153: Fortimanager

    FortiManager Go to System > Admin > FortiManager to configure the FortiGate unit to be managed through a FortiManager server. Communication between the FortiGate unit and the FortiManager server is via an IPSec VPN that is invisibly pre-configured on the FortiGate unit.
  • Page 154: Monitoring Administrators

    Web Administration Ports HTTP Enter the TCP port to be used for administrative HTTP access. The default is 80. HTTPS Enter the TCP port to be used for administrative HTTPS access. The default is 443. Telnet Port Enter the telnet port to be used for administrative access.
  • Page 155 Figure 83: Administrators logged in monitor window Disconnect Select to disconnect the selected administrators. This is available only if your access profile gives you System Configuration write permission. Refresh Select to update the list. Close Select to close the window. check box Select and then select Disconnect to log off this administrator.
  • Page 157: System Maintenance

    System Maintenance This section describes how to back up and restore your system configuration and how to configure automatic updates from the FortiGuard Distribution Network. This section includes the following topics: • Backup and restore •...
  • Page 158 Figure 84: Backup and restore options Figure 85: Backup and Restore Last Backup The date and time of the last backup to local PC. Backing up to USB does not save the time of backup. Backup Back up the current configuration.
  • Page 159 Encrypt Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the configuration file. To back up VPN certificates, encryption must be enabled on the backup file.
  • Page 160 CLI commands. Download Debug Log Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
  • Page 161: Fortiguard Center

    Update status including version numbers, expiry dates, and update dates and times, • Push updates through a NAT device. You must register the FortiGate unit on the Fortinet support web page. To register your FortiGate unit, go to Product Registration and follow the instructions.
  • Page 162: Configuring The Fortigate Unit For Fdn And Fortiguard Services

    FortiGuard-Antispam Service FortiGuard-Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam.
  • Page 163 Figure 89: Support Contract and FortiGuard Subscription Services section Support Contract The availability or status of your FortiGate unit support contract. The status displayed can be one of: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS version, expiry date of contract, and Support Level are also displayed.
  • Page 164 Select the blue arrow to display or hide this section. Select to send attack details to FSN to improve IPS signature quality. Fortinet recommends that you enable this feature. AntiVirus and IPS Downloads Select the blue arrow next to AntiVirus and IPS Downloads to access this section.
  • Page 165 Enter a new IP address to connect to the FDN push server. Available only if Allow Push Update and Use override push are enabled. port Select a new port to use to connect to the FDN push server. Available only if Use override push and IP address are set.
  • Page 166: Troubleshooting Fdn Connectivity

    Use Alternate Port (8888) Select to use port 8888 to communicate with FortiGuard-Antispam servers. Test Availability Select to test the connection to the FortiGuard-Antispam server. Results are shown below the button and on the Status indicators. please click here Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.
  • Page 167 Make sure that the time zone is set correctly for the region in which your FortiGate unit is located. Go to System > Maintenance > FortiGuard Center. Select Refresh. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
  • Page 168: Enabling Push Updates

    Type the fully qualified domain name or IP address of a FortiGuard server. Select Apply. The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from grey, the FortiGate unit has successfully connected to the override server.
  • Page 169 Push updates when FortiGate IP addresses change The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface to which the FDN connects. The interface used for push updates is the interface configured in the default route of the static routing table.
  • Page 170 Figure 93: Example network: Push updates through a NAT device (diagram: FDN server, Internet, NAT device, internal network receiving push updates) General procedure Use the following steps to configure the FortiGate unit on the internal network and the NAT device so that the FortiGate unit on the internal network can receive push updates: Register and license the FortiGate unit on the internal network so that it can receive push updates.
  • Page 171 Select Use override push IP and enter the IP address of the external interface of the NAT device. Do not change the push update port unless UDP port 9443 is blocked or used by other services on your network. Select Apply.
  • Page 172: License

    If your FortiGate unit is model 3000 or higher, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs.
  • Page 173: System Chassis (Fortigate-5000 Series)

    Go to System > Chassis > SMC to view the status of the shelf manager cards (SMCs) installed in the FortiGate-5000 series chassis. The SMC list is the same for the FortiGate-5140 chassis and the FortiGate-5050 chassis. The SMC list shows basic status information about the shelf manager cards in the chassis.
  • Page 174: Blades (Fortigate-5000 Chassis Slots)

    FortiSwitch-5003 module. The slot containing the FortiGate-5000 module that you are connecting to is highlighted in yellow. If the FortiGate-5000 series module that you are connecting to is installed in a FortiGate-5050 chassis, the blades list contains 5 rows. For a FortiGate-5140 chassis the blades list contains 14 rows.
  • Page 175 (for example 3.3V) and the actual measured voltage (for example, 3.288V). The acceptable voltage range depends on the sensor. The voltages that are displayed are different for different FortiGate-5000 series modules. For example: For FortiGate-5005FA2 modules: • CPU1 Voltage: 1.1956V •...
  • Page 176: Chassis Monitoring Event Log Messages

    Chassis monitoring event log messages System Chassis (FortiGate-5000 series) Chassis monitoring event log messages FortiGate-5000 series modules can send the log messages shown in Table 31 when chassis monitoring detects temperatures, voltages, or fan speeds that are outside of normal operating parameters. The messages in...
  • Page 177: Router Static

    Router Static Routing concepts Router Static This section explains some general routing concepts, how to define static routes and route policies. A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
  • Page 178: How The Routing Table Is Built

    Routing concepts Router Static How the routing table is built In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination—the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary.
  • Page 179: How Route Sequence Affects Route Priority

    Router Static Routing concepts All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table.
  • Page 180: Equal Cost Multipath (Ecmp) Routes

    Static Route Router Static Note: You can display the sequence numbers of static routes in the routing table through the CLI: type config router static, and then type get. The sequence number of a route is equivalent to the edit <ID_integer> value that one enters when defining a static route through the CLI.
  • Page 181: Default Route And Default Gateway

    Router Static Static Route When you add a static route to the Static Route list, the FortiGate unit evaluates the information to determine if it represents a different route compared to any other route already present in the FortiGate routing table. If no route having the same destination exists in the routing table, the FortiGate unit adds the route to the routing table.
  • Page 182 Static Route Router Static Figure 99: Making a router the default gateway (Router 192.168.10.1 on the Internet side of the FortiGate_1 external interface; internal network 192.168.20.0/24). To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings: •...
  • Page 183 Router Static Static Route Figure 100: Destinations on networks behind internal routers (FortiGate_1 internal interface; Router_1 192.168.10.1 in front of Network_1 192.168.20.0/24; Router_2 192.168.11.1 in front of Network_2 192.168.30.0/24). To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24 Gateway: 192.168.11.1...
  • Page 184: Adding A Static Route To The Routing Table

    Static Route Router Static If the FortiGate unit reaches the next-hop router through a different interface (compared to the interface that is currently selected in the Device field), select the name of the interface from the Device field. In the Distance field, optionally adjust the administrative distance value. Select OK.
  • Page 185: Policy Route

    Router Static Policy Route Policy Route Whenever a packet arrives at a FortiGate unit interface, the FortiGate unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet.
  • Page 186: Adding A Route Policy

    Policy Route Router Static Source: The IP source addresses and network masks that cause policy routing to occur. Destination: The IP destination addresses and network masks that cause policy routing to occur. Delete icon: Select to delete a policy route. Edit icon: Select to edit a policy route.
  • Page 187: Moving A Route Policy

    Router Static Policy Route Outgoing Interface: Select the name of the interface through which packets affected by the policy will be routed. Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.
  • Page 189: Router Dynamic

    Router Dynamic Router Dynamic This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by neighboring routers. The FortiGate unit supports these dynamic routing protocols: •...
  • Page 190: How Rip Works

    Router Dynamic How RIP works When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table.
  • Page 191 Router Dynamic Figure 105: Basic RIP settings. RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks: • Select 1 to send and receive RIP version 1 packets. •...
  • Page 192: Selecting Advanced Rip Options

    Figure 106: Advanced Options (RIP). Default Metric: Enter the default hop count that the FortiGate unit should assign to routes that are added to the Fortinet routing table. The range is from 1 to 16. This value also applies to Redistribute unless otherwise specified.
  • Page 193: Overriding The Rip Operating Parameters On An Interface

    RIP interface options enable you to override the global RIP settings that apply to all Fortinet interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can enable the interface to operate passively.
  • Page 194: Ospf

    OSPF Router Dynamic Figure 107 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different. Interface Select the name of the FortiGate interface to which these settings apply.
  • Page 195: Defining An Ospf As

    Router Dynamic OSPF OSPF-enabled routers generate link-state advertisements and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, link-state advertisements between OSPF neighbors do not occur. A Link-State Advertisement (LSA) identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination.
  • Page 196: Viewing And Editing Basic Ospf Settings

    OSPF Router Dynamic If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces. Select the OSPF operating parameters for the interface. See “Selecting operating parameters for an OSPF interface” on page 201. Repeat Steps 6 and 7 if required for additional OSPF-enabled interfaces. Optionally select advanced OSPF options for the OSPF AS.
  • Page 197 Router Dynamic OSPF Area The unique 32-bit identifiers of areas in the AS, in dotted decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted. Type The types of areas in the AS: •...
  • Page 198: Selecting Advanced Ospf Options

    OSPF Router Dynamic Selecting advanced OSPF options Advanced OSPF options let you specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the FortiGate unit to advertise those routes on OSPF-enabled interfaces.
  • Page 199: Defining Ospf Areas

    Router Dynamic OSPF Defining OSPF areas An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in decimal dot notation. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS in one of three ways: •...
  • Page 200: Specifying Ospf Networks

    OSPF Router Dynamic Area Type a 32-bit identifier for the area. The value must resemble an IP address in decimal-dot notation. Once the OSPF area has been created, the area IP value cannot be changed. Type Select an area type to classify the characteristics of the network that will be assigned to the area: •...
  • Page 201: Selecting Operating Parameters For An Ospf Interface

    Router Dynamic OSPF Selecting operating parameters for an OSPF interface An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, external or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets.
  • Page 202: Bgp

    Router Dynamic Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.
  • Page 203: Viewing And Editing Bgp Settings

    Router Dynamic BGP updates advertise the best path to a destination network. When the FortiGate unit receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate routing table. BGP has the capability to gracefully restart.
  • Page 204: Multicast

    Multicast Router Dynamic Networks: The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks. IP/Netmask: Enter the IP address and netmask of the network to be advertised.
  • Page 205 Router Dynamic Multicast To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based manager offers a simplified user interface to configure basic PIM options. Advanced PIM options can be configured through the CLI. For more information, see the “router”...
  • Page 206: Overriding The Multicast Settings On An Interface

    Multicast Router Dynamic Overriding the multicast settings on an interface Multicast (PIM) interface options enable you to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface.
  • Page 209: Router Monitor

    Router Monitor Displaying routing information Router Monitor This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table. The following topics are included in this section: • Displaying routing information • Searching the FortiGate routing table Displaying routing information By default, all routes are displayed in the Routing Monitor list.
  • Page 210 Displaying routing information Router Monitor Type Select one of these route types to search the routing table and display routes of the selected type only: • All displays all routes recorded in the routing table. • Connected displays all routes associated with direct connections to FortiGate interfaces.
  • Page 211: Searching The Fortigate Routing Table

    Router Monitor Searching the FortiGate routing table Metric The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table: • Hop count is used for routes learned through RIP. •...
  • Page 213: Firewall Policy

    Firewall Policy About firewall policies Firewall Policy Firewall policies control all traffic passing through the FortiGate unit. Add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces. The following topics are included in this section: •...
  • Page 214: How Policy Matching Works

    Viewing the firewall policy list Firewall Policy How policy matching works When the FortiGate unit receives a connection attempt at an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.
  • Page 215: Adding A Firewall Policy

    Firewall Policy Viewing the firewall policy list Figure 117: Sample policy list. The policy list displays the following information by default: Create New: Select to add a firewall policy. See “Adding a firewall policy” on page 215.
  • Page 216: Moving A Policy To A Different Position In The Policy List

    Configuring firewall policies Firewall Policy Configure the policy. For information about configuring policies, see “Configuring firewall policies” on page 216. Select OK. Arrange policies in the policy list so they have the expected results. For information about arranging policies in a policy list, see “How policy matching works”...
  • Page 217 Firewall Policy Configuring firewall policies You can also add IPSec encryption policies to enable IPSec tunnel mode VPN traffic and SSL VPN encryption policies to enable SSL VPN traffic. Firewall encryption policies determine which types of IP traffic will be permitted during an IPSec or SSL VPN session.
  • Page 218 Configuring firewall policies Firewall Policy Figure 121: Policy options - DENY policy. Figure 122: Policy options - FortiClient check. The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled.
  • Page 219: Firewall Policy Options

    Firewall Policy Configuring firewall policies You can use the remaining firewall policy options (NAT, Protection Profile, Log Allowed Traffic, Log Violation Traffic, Authentication, and Traffic shaping) to set additional features. Log Violation Traffic can be applied to policies that deny traffic.
  • Page 220 Configuring firewall policies Firewall Policy Schedule Select a one-time or recurring schedule that controls when the policy is available to be matched with communication sessions. Schedules can be created in advance by going to Firewall > Schedule. See “Firewall Schedule” on page 247.
  • Page 221 Firewall Policy Configuring firewall policies Dynamic IP Pool Select to translate the source address to an address randomly selected from an IP Pool. An IP Pool can be a single IP address or an IP address range. An IP pool list appears if IP Pool addresses have been added to the destination interface.
  • Page 222: Adding Authentication To Firewall Policies

    Configuring firewall policies Firewall Policy Traffic Shaping Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. Note: • Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
  • Page 223: Adding Traffic Shaping To Firewall Policies

    Note: To allow the FortiGate unit to authenticate with an Active Directory server, the Fortinet Server Authentication Extensions (FSAE) must be installed on the Active Directory Domain Controller. FSAE is available from Fortinet Technical Support. For users to authenticate using other services (for example POP3 or IMAP), create a service group that includes the services for which to require authentication, as well as HTTP, Telnet, and FTP.
  • Page 224 Configuring firewall policies Firewall Policy The bandwidth available for traffic controlled by a policy is used for both the control and data sessions and is used for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal to external FTP policy, and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy.
  • Page 225 Firewall Policy Configuring firewall policies Traffic shaping that is applied to a firewall policy is enforced for traffic flowing in either direction. Therefore a session that is set up by an internal host to an external one, via an Internal -> External policy, will have traffic shaping applied even if the data stream then comes from external to internal.
  • Page 226: Ipsec Firewall Policy Options

    Configuring firewall policies Firewall Policy Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic. IPSec firewall policy options When Action is set to IPSEC, the following options are available: Figure 124: IPSEC encryption policy. VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration.
  • Page 227: Options To Check Forticlient On Hosts

    Firewall Policy Configuring firewall policies SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
  • Page 228: Firewall Policy Examples

    Firewall policy examples Firewall Policy Check FortiClient Installed and Running: Select to check that the source host is running FortiClient Host Security software. Enable the following reasons to deny access as needed: • FortiClient is Not Installed • FortiClient is Not Licensed •...
  • Page 229 Firewall Policy Firewall policy examples Figure 127: Example SOHO network before FortiGate installation. Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam.
  • Page 230 Firewall policy examples Firewall Policy Select OK Select Create New and enter or select the following settings for Home_User_2: Interface / Zone Source: internal Destination: wan1 Address Name Source: Destination: All CompanyA_network Schedule Always Service Action IPSEC VPN Tunnel Home2_Tunnel Allow Inbound Allow outbound Inbound NAT...
  • Page 231: Scenario Two: Enterprise Sized Business

    Firewall Policy Firewall policy examples Scenario two: enterprise sized business Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet but none are linked with each other by dedicated connections.
  • Page 232 Firewall policy examples Firewall Policy A few users may need special web and catalog server access to update information on those servers, depending on how they’re configured. Special access can be allowed based on IP address or user. The proposed topology has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ.
  • Page 233 Firewall Policy Firewall policy examples Main office ‘staff to DMZ’ policy: Source Interface Internal Source Address Destination Interface Destination Address Servers Schedule Always Action Accept Branches ‘staff to Internet’ policy: Source Interface Branches Source Address Branch Staff Destination Interface External Destination Address Schedule Always...
  • Page 235: Firewall Address

    Firewall Address About firewall addresses Firewall Address Add, edit, and delete firewall addresses as required. Firewall addresses are added to the source and destination address fields of firewall policies. Firewall addresses are added to firewall policies to match the source or destination IP addresses of packets that are received by the FortiGate unit.
  • Page 236: Viewing The Firewall Address List

    <host_name>.<second_level_domain_name>.<top_level_domain_name> • <host_name>.<top_level_domain_name> An FQDN can be: • www.fortinet.com • example.com Viewing the firewall address list If virtual domains are enabled on the FortiGate unit, addresses are configured separately for each virtual domain. To access addresses, select a virtual domain from the list in the main menu.
  • Page 237: Configuring Addresses

    Firewall Address Configuring addresses Configuring addresses Addresses can also be created or edited during firewall policy configuration from the firewall policy window. One FQDN may be mapped to multiple machines for load balancing and HA. A single FQDN firewall policy can be created in which the FortiGate unit automatically resolves and maintains a record of all addresses to which the FQDN resolves.
  • Page 238: Configuring Address Groups

    Configuring address groups Firewall Address Figure 133: Sample address group list. The address group list has the following icons and features: Create New: Select to add an address group. Group Name: The name of the address group. Members: The addresses in the address group. Delete icon: Select to remove the group from the list.
  • Page 239: Firewall Service

    Firewall Service Viewing the predefined service list Firewall Service Use services to determine the types of communication accepted or denied by the firewall. Add any of the predefined services to a policy. Create custom services for each virtual domain and add services to service groups. The following topics are included in this section: •...
  • Page 240 Viewing the predefined service list Firewall Service Table 32 lists the FortiGate predefined firewall services. Add these services to any policy. Table 32: FortiGate predefined services Service name Description Protocol Port Authentication Header. AH provides source host authentication and data integrity, but not secrecy.
  • Page 241 Firewall Service Viewing the predefined service list Table 32: FortiGate predefined services (Continued) Service name Description Protocol Port ICMP_ANY Internet Control Message Protocol is a ICMP message control and error-reporting protocol between a host and gateway (Internet). IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC.
  • Page 242 Viewing the predefined service list Firewall Service Table 32: FortiGate predefined services (Continued) Service name Description Protocol Port RLOGIN Rlogin service for remotely logging into a server. SAMBA Samba allows Microsoft Windows clients to utilize file and print services from TCP/IP-enabled hosts.
  • Page 243: Viewing The Custom Service List

    Firewall Service Viewing the custom service list Viewing the custom service list If virtual domains are enabled on the FortiGate unit, custom services are configured separately for each virtual domain. To access custom services, select a virtual domain from the list in the main menu. Add a custom service to create a policy for a service that is not in the predefined service list.
  • Page 244 Configuring custom services Firewall Service Name Enter a name for the custom service. Protocol Type Select the protocol type of the custom service: TCP/UDP. Protocol Select TCP or UDP as the protocol of the port range being added. Source Port Specify the Source Port number range for the service by entering the low and high port numbers.
  • Page 245: Viewing The Service Group List

    Firewall Service Viewing the service group list Viewing the service group list If virtual domains are enabled on the FortiGate unit, service groups are created separately for each virtual domain. To access service groups, select a virtual domain from the list in the main menu. To make it easier to add policies, create groups of services and then add one policy to allow or block access for all the services in the group.
  • Page 247: Firewall Schedule

    Firewall Schedule Viewing the one-time schedule list Firewall Schedule This section describes how to use schedules to control when policies are active or inactive. You can create one-time schedules or recurring schedules. One-time schedules are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly.
  • Page 248: Configuring One-Time Schedules

    Configuring one-time schedules Firewall Schedule Configuring one-time schedules One-time schedules can be created during firewall policy configuration by selecting Create New from the Schedule dropdown list. To add a one-time schedule, go to Firewall > Schedule > One-time. Figure 143: New One-time Schedule. Name: Enter the name to identify the one-time schedule.
  • Page 249: Configuring Recurring Schedules

    Firewall Schedule Configuring recurring schedules Stop: The stop time of the recurring schedule. Delete icon: Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy. Edit icon: Select to edit the schedule.
  • Page 251: Firewall Virtual Ip

    Firewall Virtual IP Virtual IPs Firewall Virtual IP This section describes FortiGate Virtual IPs and IP Pools and how to configure and use them in firewall policies. The following topics are included in this section: • Virtual IPs • Viewing the virtual IP list •...
  • Page 252 Virtual IPs Firewall Virtual IP The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to 10.10.10.42 so the packets’...
  • Page 253 Firewall Virtual IP Virtual IPs If the NAT check box is not selected when building the firewall policy, the resulting policy will perform destination network address translation (DNAT). DNAT accepts packets from an external network that are intended for a specific destination IP address, translates the destination address of the packets to a mapped IP address on another hidden network, and then forwards the packets through the FortiGate unit to the hidden destination network.
  • Page 254 Virtual IPs Firewall Virtual IP Static NAT Static NAT virtual IPs map an external IP address or IP address range on a source network to a mapped IP address or IP address range on a destination network. Static NAT virtual IPs use one-to-one mapping. A single external IP address is mapped to a single mapped IP address.
  • Page 255: Viewing The Virtual Ip List

    Firewall Virtual IP Viewing the virtual IP list Viewing the virtual IP list To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP. Figure 149: Virtual IP list. The virtual IP list has the following icons and features: Create New: Select to add a virtual IP.
  • Page 256: Adding A Static Nat Virtual Ip For A Single Ip Address

    Configuring virtual IPs Firewall Virtual IP Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.
  • Page 257 Firewall Virtual IP Configuring virtual IPs Figure 150: Static NAT virtual IP for a single IP address example. To add a static NAT virtual IP for a single IP address: Go to Firewall > Virtual IP > Virtual IP. Select Create New. Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network.
  • Page 258: Adding A Static Nat Virtual Ip For An Ip Address Range

    Configuring virtual IPs Firewall Virtual IP To add a static NAT virtual IP for a single IP address to a firewall policy: Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the external interface to the dmz1 interface.
  • Page 259 Firewall Virtual IP Configuring virtual IPs Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
  • Page 260: Adding Static Nat Port Forwarding For A Single Ip Address And A Single Port

    Configuring virtual IPs Firewall Virtual IP Adding static NAT port forwarding for a single IP address and a single port The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit.
  • Page 261: Adding Static Nat Port Forwarding For An Ip Address Range And A Port Range

    Firewall Virtual IP Configuring virtual IPs Figure 155: Virtual IP options; Static NAT port forwarding virtual IP for a single IP address and a single port. Select OK. To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy: Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass...
  • Page 262 Configuring virtual IPs Firewall Virtual IP Figure 156: Static NAT virtual IP port forwarding for an IP address range and a port range example. To add static NAT virtual IP port forwarding for an IP address range and a port range: Go to Firewall >...
  • Page 263: Adding A Load Balance Virtual IP For An IP Address Range Or Real Servers

    Firewall Virtual IP Configuring virtual IPs To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy: Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface.
  • Page 264 Configuring virtual IPs Firewall Virtual IP Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
  • Page 265: Adding A Load Balance Port Forwarding Virtual Ip

    Firewall Virtual IP Configuring virtual IPs Service: HTTP. Action: ACCEPT. Select NAT. Select OK. Adding a load balance port forwarding virtual IP: Connections to 192.168.37.4 on the Internet are mapped to 10.10.10.42 through 10.10.10.44 on a private network. The IP address mapping is determined by the FortiGate unit’s load balancing algorithm.
  • Page 266: Adding Dynamic Virtual IPs

    Configuring virtual IPs Firewall Virtual IP Real Servers: If you select Server Load Balancing for the VIP type, enter the real server IP addresses. For details about real server settings, see “Configuring virtual IPs” on page 255. Port Forwarding selected: Protocol; External Service Port: The ports that traffic from the Internet will use.
  • Page 267: Virtual IP Groups

    Firewall Virtual IP Virtual IP Groups Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded.
  • Page 268: Configuring VIP Groups

    Configuring VIP groups Firewall Virtual IP Configuring VIP groups To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create new. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit.
  • Page 269: IP Pools

    Firewall Virtual IP IP pools IP pools Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added.
  • Page 270: Viewing The IP Pool List

    Viewing the IP pool list Firewall Virtual IP Viewing the IP pool list If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. IP pools are not available in Transparent mode. To view the IP pool list go to Firewall >...
  • Page 271: Firewall Protection Profile

    Firewall Protection Profile What is a protection profile Firewall Protection Profile This section describes how to add protection profiles to NAT/Route mode and Transparent mode policies. The following topics are included in this section: • What is a protection profile •...
  • Page 272: Default Protection Profiles

    Viewing the protection profile list Firewall Protection Profile Default protection profiles The FortiGate unit is preconfigured with four protection profiles. Strict: Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances but it is available when maximum protection is required.
  • Page 273: Antivirus Options

    Firewall Protection Profile Configuring a protection profile Figure 165: New Protection Profile. Profile Name: Enter a name for the protection profile. Comments: If required, enter a description of the profile. AntiVirus: “Antivirus options” on page 273. Web Filtering: “Web filtering options” on page 275.
  • Page 274 Quarantine (log disk required): Enable or disable quarantine for each protocol. Quarantine suspect files to view them or submit files to Fortinet for analysis. The quarantine option is not displayed in the protection profile if the FortiGate does not have a hard drive or a configured FortiAnalyzer unit.
  • Page 275: Web Filtering Options

    Firewall Protection Profile Configuring a protection profile Web filtering options Figure 167: Protection profile web filtering options. The following options are available for web filtering through the protection profile. Web Content Block: Enable or disable web page blocking for HTTP traffic based on the content block patterns in the content block list.
  • Page 276: FortiGuard-Web Filtering Options

    Configuring a protection profile Firewall Protection Profile FortiGuard-Web filtering options Figure 168: Protection profile FortiGuard-Web web filtering options. The following options are available for web category filtering through the protection profile. Enable FortiGuard-Web Filtering: Enable FortiGuard-Web™ category blocking. Enable FortiGuard-Web: Enable category overrides. When selected, a list of groups is displayed.
  • Page 277: Spam Filtering Options

    Firewall Protection Profile Configuring a protection profile Rate URLs by domain and IP address: When enabled, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
  • Page 278 Configuring a protection profile Firewall Protection Profile The following options are available for spam filtering through the protection profile. FortiGuard-Antispam IP address: Enable or disable the FortiGuard-Antispam™ filtering IP address blacklist. FortiGuard-Antispam check extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam server to see if this IP address matches the list of known spammers.
  • Page 279: IPS Options

    Firewall Protection Profile Configuring a protection profile Spam Action: Action the spam filter will take. Tagged allows you to append a custom tag to the subject or header of email identified as spam. For SMTP, if you have virus scan or streaming mode (also known as splice) enabled, you will only be able to discard spam email.
  • Page 280: IM And P2P Options

    Configuring a protection profile Firewall Protection Profile Note: NNTP and file archiving options cannot be selected. Support will be added in the future. The following options are available for content archive through the protection profile. Display content meta-information: Enable to have meta-information for each type of traffic display in the Statistics section of the FortiGate status page.
  • Page 281: Logging Options

    Firewall Protection Profile Configuring a protection profile Block Login: Enable to prevent instant message users from logging in to AIM, ICQ, MSN, Yahoo, and SIMPLE services. Block File Transfers: Enable to block file transfers for AIM, ICQ, MSN, and Yahoo protocols.
  • Page 282: VoIP Options

    Adding a protection profile to a policy Firewall Protection Profile Web Filtering: Content Block: Enable logging of content blocking. URL Block: Enable logging of blocked and exempted URLs. ActiveX Filter: Enable logging of blocked ActiveX. Cookie Filter: Enable logging of blocked cookies. Java Applet Filter: Enable logging of blocked Java Applets.
  • Page 283: Protection Profile CLI Configuration

    Firewall Protection Profile Protection profile CLI configuration Select protection profile. Select a protection profile from the list. Configure the remaining policy settings, if required. Select OK. Repeat this procedure for any policies for which to enable network protection. Protection profile CLI configuration Use the config firewall profile CLI command to add, edit or delete protection profiles.
  • Page 284 Protection profile CLI configuration Firewall Protection Profile FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102...
  • Page 285: VPN IPSec

    VPN IPSEC Overview of IPSec interface mode VPN IPSEC This section provides information about policy-based (tunnel-mode) and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager. FortiGate units implement the Encapsulated Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network.
  • Page 286 Overview of IPSec interface mode VPN IPSEC You can create the equivalent of a tunnel-mode concentrator in any of the following ways: • Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. For dialup, the same interface can be both source and destination.
  • Page 287: Auto Key

    VPN IPSEC Auto Key Auto Key Two VPN peers (or a FortiGate dialup server and a VPN client) can be configured to generate unique Internet Key Exchange (IKE) keys automatically during the IPSec phase 1 and phase 2 exchanges. To configure the FortiGate unit to generate unique keys automatically in phase 1 and phase 2, go to VPN >...
  • Page 288 Auto Key VPN IPSEC • whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1.
  • Page 289 VPN IPSEC Auto Key Mode Select Main or Aggressive: • In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information. • In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
  • Page 290: Defining Phase 1 Advanced Settings

    Auto Key VPN IPSEC Accept this peer certificate: Authenticate remote peers or dialup clients using a security certificate. Select the certificate from the list adjacent to the option. You must add peer certificates to the FortiGate configuration through the User > PKI page before you can select them here. For more information, see PKI Certificates.
  • Page 291 VPN IPSEC Auto Key Enable IPSec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. This is not available in Transparent mode. Local Gateway IP: If you selected Enable IPSec Interface Mode, you need to specify an IP address for the local end of the VPN tunnel.
  • Page 292: Creating A New Phase 2 Configuration

    Auto Key VPN IPSEC Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange. If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for...
  • Page 293: Defining Phase 2 Advanced Settings

    VPN IPSEC Auto Key Figure 178: New Phase 2. Name: Type a name to identify the phase 2 configuration. Phase 1: Select the phase 1 tunnel configuration. See “Creating a new phase 1 configuration” on page 287. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
  • Page 294 Auto Key VPN IPSEC P2 Proposal: Select the encryption and authentication algorithms that will be used to change data into encrypted code. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
  • Page 295: Internet Browsing Configuration

    VPN IPSEC Auto Key Quick Mode Selector: Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, the default value 0.0.0.0/0 should be kept unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN.
  • Page 296: Manual Key

    Manual Key VPN IPSEC VPN Tunnel: Select the tunnel that provides access to the private network behind the FortiGate unit. Inbound NAT: Enable. Configure other settings as required. Route-based VPN Internet browsing configuration: Configure an additional firewall policy as follows: Source Interface/Zone: Select the IPSec interface.
  • Page 297: Creating A New Manual Key Configuration

    VPN IPSEC Manual Key Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations. Delete and Edit icons: Delete or edit a manual key configuration. Creating a new manual key configuration: If one of the VPN devices uses specific authentication and/or encryption keys to establish a tunnel, both VPN devices must be configured to use identical authentication and/or encryption keys.
  • Page 298 Manual Key VPN IPSEC Remote Gateway: Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams. Local Interface: This option is available in NAT/Route mode only. Select the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound.
  • Page 299: Concentrator

    VPN IPSEC Concentrator Concentrator In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, VPN tunnels between any two of the remote peers can be established through the FortiGate unit “hub”.
  • Page 300: Monitor

    Monitor VPN IPSEC Concentrator Name: Type a name for the concentrator. Available Tunnels: A list of defined IPSec VPN tunnels. Select a tunnel from the list and then select the right-pointing arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.
  • Page 301 VPN IPSEC Monitor Proxy ID Source: The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
  • Page 303: VPN PPTP

    VPN PPTP PPTP Range VPN PPTP FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
  • Page 305: VPN SSL

    VPN SSL Config VPN SSL This section provides information about the features of the VPN > SSL page in the web-based manager. The SSL VPN feature is supported on FortiGate units that run in NAT/Route mode only. Note: For detailed instructions about how to configure web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide.
  • Page 306 Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect. Require Client Certificate: If you want to enable the use of group certificates for authenticating remote clients, select the option.
  • Page 307: Monitor

    VPN SSL Monitor Monitor You can display a list of all active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time that the connection was made. The list also identifies which services are being provided. To view the list of active SSL VPN sessions, go to VPN >...
  • Page 309: VPN Certificates

    VPN Certificates Local Certificates VPN Certificates This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Refer to this module to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. For additional background information, see the FortiGate Certificate Management User...
  • Page 310: Generating A Certificate Request

    Local Certificates VPN Certificates View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates. See Figure 189. Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate can be deleted.
  • Page 311 VPN Certificates Local Certificates Figure 190: Generate Certificate Signing Request. Certification Name: Type a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
  • Page 312: Downloading And Submitting A Certificate Request

    Local Certificates VPN Certificates Key Type: Only RSA is supported. Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security. Enrollment Method: File Based: Select File Based to generate the certificate request. Online SCEP: Select Online SCEP to obtain a signed SCEP-based certificate automatically over the network.
  • Page 313: Importing A Signed Server Certificate

    VPN Certificates Local Certificates Importing a signed server certificate Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. To install the signed server certificate, go to VPN >...
  • Page 314: Importing Separate Server Certificate And Private Key Files

    Remote Certificates VPN Certificates Importing separate server certificate and private key files Use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.
  • Page 315: Importing Remote (OCSP) Certificates

    VPN Certificates CA Certificates Import: Import a public OCSP certificate. See “Importing CA certificates” on page 316. Name: The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.
  • Page 316: Importing CA Certificates

    CA Certificates VPN Certificates Figure 196: CA Certificates list (View Certificate Detail, Download, Import). Import: Import a CA root certificate. See “Importing CA certificates” on page 316. Name: The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
  • Page 317: CRL

    VPN Certificates A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. Installed CRLs are displayed in the CRL list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid.
  • Page 318 VPN Certificates Figure 200: Import CRL. HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server. LDAP: Select to use an LDAP server to retrieve the CRL. Select the LDAP server from the drop-down list. SCEP: Select to use a SCEP server to retrieve the CRL.
  • Page 319: User

    “Configuring a Windows AD server” on page 327. Users authenticated by an Active Directory server do not need local user accounts on the FortiGate unit. You must install the Fortinet Server Authentication Extensions (FSAE) on your Windows network. To use certificate-based authentication for administrative access (HTTPS GUI), IPSec, SSL-VPN, and web-based authentication, configure using User >...
  • Page 320: Setting Authentication Timeout

    Configuring user authentication User Setting authentication timeout Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. To set authentication timeout Go to User > Authentication > Authentication. In Authentication Timeout, type a number, in minutes. The default authentication timeout is 30 minutes.
  • Page 321: Local User Accounts

    User Local user accounts Local user accounts Go to User > Local to add local user accounts and configure authentication. Figure 203: Local user list. Create New: Add a new local user account. User Name: The local user name. Type: The authentication type to use for this user. Delete icon: Delete the user.
  • Page 322: RADIUS Servers

    RADIUS servers User RADIUS servers If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit.
  • Page 323: LDAP Servers

    User LDAP servers LDAP servers If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password.
  • Page 324: Configuring An LDAP Server

    X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the...
  • Page 325: PKI Authentication

    User PKI authentication Figure 209: LDAP server Distinguished Name Query tree. PKI authentication Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library that takes a list of ‘peers’, ‘peer’ groups, and/or user groups and returns authentication ‘successful’ or ‘denied’ notifications. Users only need a valid certificate for successful authentication; no username or password is necessary.
  • Page 326: Configuring PKI Users

    On networks that use Windows Active Directory (AD) servers for authentication, FortiGate units can transparently authenticate users without asking them for their user name and password. You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Windows AD server.
  • Page 327: Configuring A Windows AD Server

    User User group Configuring a Windows AD server Go to User > Windows AD and select Create New or the Edit icon of an existing Windows AD server. Figure 213: Windows AD server configuration. Name: Type or edit the name of the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
  • Page 328: User Group Types

    User group User You can configure user groups to provide authenticated access to: • Firewall policies that require authentication “Adding authentication to firewall policies” on page 222. • SSL VPNs on the FortiGate unit “SSL-VPN firewall policy options” on page 226.
  • Page 329: User Group List

    On a Microsoft Windows network, the FortiGate unit can allow access to members of Active Directory server user groups who have been authenticated on the Windows network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
  • Page 330: Configuring A User Group

    User group User Protection Profile: The protection profile associated with this user group. Delete icon: Delete the user group. Note: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
  • Page 331: Configuring FortiGuard Override Options For A User Group

    User User group FortiGuard Web Filtering Override: Available only if Type is Firewall. Configure Web Filtering override capabilities for this group. See “Configuring FortiGuard override options for a user group” on page 331. SSL-VPN User Group Options: Available only if Type is SSL-VPN. For detailed instructions about how to configure web-only mode or tunnel mode operation, see the...
  • Page 332: Configuring SSL VPN User Group Options

    User group User Off-site URLs: Select from the drop-down list whether the user can follow links to sites off of the blocked site: Allow: User can follow links to other sites. Deny: User can follow links only to destinations as defined by Override Type.
  • Page 333 Installed and Running: Select to allow the client to connect only if it is running FortiClient Host Security AV software. For information about this software, see the Fortinet Technical Documentation web site. Check FortiClient FW: Select to allow the client to connect only if it is running FortiClient Host Security FW software.
  • Page 334: Configuring Peers And Peer Groups

    Configuring peers and peer groups User Table 33: AV/Firewall supported product detection (columns: Product, Firewall). Products listed: Norton Internet Security 2006; Trend Micro PC-cillin; McAfee; Sophos Anti-Virus; Panda Platinum 2006 Internet Security; F-Secure; Secure Resolutions; Cat Computer Services; AhnLab; Kaspersky; ZoneAlarm. Configuring peers and peer groups You can define peers and peer groups used for authentication in some VPN configurations and for PKI certificate authentication.
  • Page 335: Antivirus

    AntiVirus Order of operations AntiVirus This section describes how to configure the antivirus options associated with firewall protection profiles. The following topics are included in this section: • Order of operations • Antivirus elements • Antivirus settings and controls • File pattern •...
  • Page 336: Fortiguard Antivirus

    If the file is passed by the file pattern it will have a virus scan applied to it. The virus definitions are kept up to date through the Fortinet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade.
  • Page 337: Antivirus Settings And Controls

    View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. ...protocol. Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit.
  • Page 338: File Pattern

    File pattern AntiVirus File pattern Configure file patterns to block all files that are a potential threat and to prevent active computer virus attacks. Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content.
  • Page 339: Creating A New File Pattern List

    AntiVirus File pattern Creating a new file pattern list To add a file pattern list to the file pattern list catalog, go to AntiVirus > File Pattern and select Create New. Figure 219: New File Pattern List dialog box. Name: Enter the name of the new list. Comment: Enter a comment to describe the list, if required.
  • Page 340: Configuring The File Pattern List

    File pattern AntiVirus Using the allow action, this behavior can be reversed with all files being blocked unless explicitly passed. Simply enter all the file patterns to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
  • Page 341: Quarantine

    Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. FortiGate units without a local disk can quarantine blocked and infected files to a FortiAnalyzer unit.
  • Page 342: Viewing The AutoSubmit List

    The TTL information is not available if the files are quarantined on a FortiAnalyzer unit. Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. Delete icon: Select to remove the file from the list.
  • Page 343: Configuring The AutoSubmit List

    Figure 224: New File Pattern dialog box. File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet. Enable: Select to enable the file pattern. Note: To enable automatic uploading of the configured file patterns, go to AntiVirus >...
  • Page 344 Quarantine AntiVirus Figure 226: Quarantine Configuration (FortiAnalyzer from FortiGate with local disk). Figure 227: Quarantine Configuration (FortiAnalyzer from FortiGate with no local disk). Note: NNTP options cannot be selected. Support will be added in the future. Quarantine configuration has the following options: Options: Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
  • Page 345: Config

    AntiVirus Config Enable AutoSubmit: enables the AutoSubmit feature. Select one or both of the options below. Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list. Use file status: Enables the automatic upload of quarantined files based on their status.
  • Page 346: Viewing The Grayware List

    Config AntiVirus Viewing the grayware list Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends. The FortiGate unit scans for known grayware executable programs in each enabled category.
  • Page 347: Antivirus CLI Configuration

    CPUs, making scanning faster. This feature is available on models numbered 1000 and higher. For more information, see the Antivirus failopen and optimization Fortinet Knowledge Center article.
  • Page 348: Config Antivirus Heuristic

    Antivirus CLI configuration AntiVirus config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
  • Page 349: Intrusion Protection

    The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures. FortiGuard services are a valuable customer resource and include automatic updates of virus and IPS (attack) engines and definitions through the FortiGuard Distribution Network (FDN).
  • Page 350: IPS Settings And Controls

    About intrusion protection Intrusion Protection Create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures. Whenever the IPS detects or prevents an attack, it generates an attack message. Configure the FortiGate unit to add the message to the attack log and send an alert email to administrators.
  • Page 351: Predefined Signatures

    Intrusion Protection Predefined signatures administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings. In addition, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.
  • Page 352 Drop: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The firewall session is not touched. Fortinet recommends using an action other than Drop for TCP connection based attacks: because the session stays open, the peer simply retransmits the dropped segment, whereas the Reset actions tear the connection down. Reset: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet.
  • Page 353: Configuring Predefined Signatures

    Intrusion Protection Predefined signatures Table 36: Actions to select for each predefined signature (Continued) Reset Server When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the server and drops the firewall session from the firewall session table.
  • Page 354: Custom Signatures

    Custom signatures Intrusion Protection For example, if you have a FortiGate unit that is controlling computers that only have access to an internal database and do not have access to the Internet or email, there is no point in having the FortiGate unit scan for certain types of signatures, such as email, IM, and P2P.
  • Page 355: Creating Custom Signatures

    Intrusion Protection Custom signatures. View custom signatures with severity: Select filters then select Go to view only those custom signatures that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical. Create New: Select to create a new custom signature.
  • Page 356: Protocol Decoders

    Protocol Decoders Intrusion Protection Name Enter a name for the custom signature. Signature Enter the custom signature. For more information about custom signature syntax, see “Custom signature syntax” in the FortiGate Intrusion Protection System (IPS) Guide. Action Select an action from the list. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session.
  • Page 357: Upgrading Ips Protocol Decoder List

    Intrusion Protection Anomalies Upgrading IPS protocol decoder list IPS protocol decoders are included in the IPS upgrade package available through the FortiGuard Distribution Network (FDN). There is no need to wait for firmware upgrades. The IPS upgrade package will keep the IPS decoder list up to date with new threats such as the latest versions of existing IM/P2P as well as new applications.
  • Page 358: Viewing The Traffic Anomaly List

    Anomalies Intrusion Protection Viewing the traffic anomaly list To view the anomaly list, go to Intrusion Protection > Anomaly. Figure 235: A portion of the traffic anomaly list. View traffic anomalies: Select filters then select Go to view only those anomalies that match the filter criteria.
  • Page 359: Ips Cli Configuration

    Intrusion Protection IPS CLI configuration Action Select an action from the dropdown list: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session. See Table 36 descriptions of the actions. Severity Select a severity level from the dropdown list: Information, Low, Medium, High, or Critical.
  • Page 361: Web Filter

    Web Filter Order of web filtering Web Filter The three main sections of the web filtering function, the Web Filter Content Block, the URL Filter, and the FortiGuard Web filter, interact with each other in such a way as to provide maximum control and protection for the Internet users. This section contains the following topics: •...
  • Page 362: Web Filter Controls

    276. Rating corrections as well as suggesting ratings for new pages can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The following tables compare web filtering options in protection profiles and the web filter menu.
  • Page 363 Web Filter Web filter controls. Table 38: Web filter and Protection Profile web URL filtering configuration. Protection Profile web filtering option: Web URL Filter, which enables or disables web page filtering for HTTP traffic based on the URL filter list. Corresponding Web Filter setting: Web Filter > URL Filter, where you add URLs and URL patterns to exempt ...
  • Page 364: Content Block

    Content block Web Filter To access protection profile web filter options Go to Firewall > Protection Profile. Select edit or Create New. Select Web Filtering or Web Category Filtering. Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally.
  • Page 365: Creating A New Web Content Block List

    Web Filter Content block Creating a new web content block list To add a web content block list to the web content block list catalog Go to Web Filter > Content Block. Select Create New. Figure 238:New Web Content Block list dialog box Name Enter the name of the new list.
  • Page 366: Configuring The Web Content Block List

    Content block Web Filter. Page down icon: Select to view the next page. Remove All Entries icon: Select to clear the table. Banned word: The current list of patterns. Select the check box to enable all the patterns in the list. Pattern type: The pattern type used in the pattern list entry.
  • Page 367: Viewing The Web Content Exempt List Catalog

    Web Filter Content block Viewing the web content exempt list catalog You can add multiple web content exempt lists and then select the best web content exempt list for each protection profile. To view the web content block list catalog •...
  • Page 368: Viewing The Web Content Exempt List

    Content block Web Filter Viewing the web content exempt list Web content exempt allows overriding of the web content block feature. If any patterns defined in the web content exempt list appear on a web page, the page will not be blocked even if the web content block feature would otherwise block it. To view the web content exempt list Go to Web Filter >...
  • Page 369: Configuring The Web Content Exempt List

    Web Filter URL filter Configuring the web content exempt list Web content patterns can be one word or a text string up to 80 characters long. The maximum number of banned words in the list is 5000. To add or edit a content block pattern Go to Web Filter >...
  • Page 370: Creating A New Url Filter List

    URL filter Web Filter To view any individual URL filter list Go to Web Filter > URL Filter. Select the edit icon for the list you want to see. Figure 245:Sample URL filter list catalog The URL filter list catalogue has the following icons and features: To add a new list to the catalog, enter a name and select Add.
  • Page 371: Configuring The Url Filter List

    Web Filter URL filter To view the URL filter list Go to Web Filter > URL Filter. Select the edit icon of the URL filter list you want to view. Figure 247:URL filter list The URL filter list has the following icons and features: Name URL filter list name.
  • Page 372 URL filter Web Filter Type in a URL or IP address. Select the type of expression. Select the action to be taken. Select the Enable check box. Select OK. Figure 248: New URL Filter. Enter the URL; do not include http://. Type: Select a type from the dropdown list: Simple or Regex (regular expression).
  • Page 373: Moving Urls In The Url Filter List

    FortiGuard - Web Filter FortiGuard-Web is a managed web filtering solution provided by Fortinet. FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard-Web Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface.
  • Page 374: Configuring Fortiguard-Web Filtering

    FortiGuard - Web Filter Web Filter Configuring FortiGuard-Web filtering To configure the FortiGuard-Web service • Go to System > Maintenance > FortiGuard Center. For additional information, see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 162. Viewing the override list Users may require access to web sites that are blocked by a policy.
  • Page 375: Configuring Override Rules

    Web Filter FortiGuard - Web Filter Configuring override rules Override rules can be configured to allow access to blocked web sites based on directory, domain name, or category. To create an override rule for a directory or domain Go to Web Filter > FortiGuard-Web Filter > Override. Select Create New.
  • Page 376 FortiGuard - Web Filter Web Filter Figure 252:New Override Rule - Categories Type Select Categories. Categories Select the categories to which the override applies. A category group or a subcategory can be selected. Local categories are also displayed. Classifications Select the classifications to which the override applies. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
  • Page 377: Creating Local Categories

    Web Filter FortiGuard - Web Filter Creating local categories User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a protection profile. Users can rate URLs based on the local categories.
  • Page 378: Configuring Local Ratings

    FortiGuard - Web Filter Web Filter Figure 255:Category Filter Clear Filter Select to remove all filters. Category Name Select the blue arrow to expand the category. Enable Filter Select to enable the filter for the category or the individual sub- category.
  • Page 379: Category Block Cli Configuration

    Web Filter FortiGuard - Web Filter Figure 256:New Local Rating Enter the URL to be rated. Category Name Select the blue arrow to expand the category. Enable Filter Select to enable the filter for the category or the individual sub- category.
  • Page 380 FortiGuard - Web Filter Web Filter Figure 257:Sample FortiGuard Web Filtering report The following table describes the options for generating reports: Profile Select the protection profile for which to generate a report. Report Type Select the time frame for the report. Choose from hour, day, or all historical statistics.
  • Page 381: Antispam

    FortiGuard-Antispam is one of the features designed to manage spam. FortiGuard is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The FortiGuard Center accepts submission of spam email messages as well as reports of false positives.
  • Page 382: Anti-Spam Filter Controls

    Protection Profile spam filtering option: IP address FortiGuard-Antispam check. Enable or disable Fortinet’s antispam service, called FortiGuard-Antispam. FortiGuard-Antispam is Fortinet’s own DNSBL server... Corresponding AntiSpam setting: System > Maintenance > FortiGuard Center. Enable FortiGuard-Antispam, check the status of the FortiGuard-Antispam server, ...
  • Page 383 Antispam Antispam Table 41: AntiSpam and Protection Profile spam filtering configuration (Continued) Protection Profile spam filtering options AntiSpam setting Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address the email is marked as spam and the action selected in the protection profile is taken.
  • Page 384: Banned Word

    Banned word Antispam To access protection profile Antispam options go to Firewall > Protection Profile, edit or Create New, Spam Filtering. Note: If virtual domains are enabled on the FortiGate unit, spam filtering features are configured globally. To access these features, select Global Configuration on the main menu.
  • Page 385: Creating A New Antispam Banned Word List

    Antispam Banned word Creating a new antispam banned word list To add an antispam banned word list to the antispam banned word list catalog, go to AntiSpam > Banned Word and select Create New. Figure 259:New AntiSpam Banned Word list dialog box Name Enter the name of the new list.
  • Page 386: Configuring The Antispam Banned Word List

    Banned word Antispam Pattern Type The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see “Using Perl regular expressions” on page 393. Language The character set to which the banned word belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
  • Page 387: Black/White List

    Antispam Black/White List Black/White List The FortiGate unit uses both an IP address list and an email address list to filter incoming email, if enabled in the protection profile. When doing an IP address list check, the FortiGate unit compares the IP address of the message’s sender to the IP address list in sequence.
  • Page 388: Creating A New Antispam Ip Address List

    Black/White List Antispam Creating a new antispam IP address list To add an antispam IP address list to the antispam IP address list catalog, go to AntiSpam > Black/White List and select Create New. Figure 263:New AntiSpam IP Address list dialog box Name Enter the name of the new list.
  • Page 389: Configuring The Antispam Ip Address List

    Antispam Black/White List Action The action to take on email from the configured IP address. Actions are: Mark as Spam to apply the configured spam action, Mark as Clear to bypass this and remaining spam filters, or Mark as Reject (SMTP only) to drop the session.
  • Page 390: Creating A New Antispam Email Address List

    Black/White List Antispam The antispam email address list catalogue has the following icons and features: To add a new list to the catalog, enter a name and select Add. New lists are empty by default. Name The available antispam email address lists. # Entries The number of entries in each antispam email address list.
  • Page 391: Configuring The Antispam Email Address List

    Antispam Black/White List Figure 268:Sample email address list The antispam email address list has the following icons and features: Name Antispam email address list name. To change the name, edit text in the name field and select OK. Comment Optional comment. To add or edit comment, enter text in comment field and select OK.
  • Page 392: Advanced Antispam Configuration

    Advanced antispam configuration Antispam E-Mail Address Enter the email address. Pattern Type Select a pattern type: Wildcard or Regular Expression. For more information, see “Using Perl regular expressions” on page 393. Insert Select the location in the list to insert the email address. Action Select an action: •...
  • Page 393: Config Spamfilter Rbl

    In a regular expression, ‘.’ matches any single character, similar to the ‘?’ character in a wildcard match pattern. As a result: • fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on. To match a special character such as '.' and ‘*’ use the escape character ‘\’. For example: •...
  • Page 394: Word Boundary

    Using Perl regular expressions Antispam • forti*.com matches fortiiii.com but does not match fortinet.com (in a regular expression, ‘*’ applies only to the preceding ‘i’). To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be written as the regular expression forti.*\.com.
  • Page 395: Example Regular Expressions

    Antispam Using Perl regular expressions Table 42: Perl regular expression formats (Continued). 100\s*mk: the strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines). abc\b: “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”). perl\B: “perl”...
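The wildcard and regular expression rules on the antispam pages above (pages 393 to 395), and the email address and IP address lists on pages 387 to 391 that use them, are easier to trust once you have seen them run. The following Python script is an added example written for this edit, not code from the manual or from Fortinet: it converts a wildcard pattern to an anchored regular expression, shows why an unescaped ‘.’ in a regular expression over-matches, and evaluates constructed email address and IP address lists in sequence so that the first matching entry decides the action. The list contents, the assumption that a wildcard pattern must match the whole address while a regular expression is searched anywhere in it, and the case-insensitive matching are assumptions of the example, not documented FortiGate behaviour.

```python
"""Pattern and list matching in the style of the FortiGate antispam lists.

Added example, not Fortinet code. It models the two pattern types the
manual describes (wildcard and Perl regular expression), the email address
list and the IP address list, each evaluated in sequence with the first
matching entry deciding the action. Assumptions: wildcard patterns must
match the whole address; regular expressions are searched anywhere in the
address; matching is case-insensitive; action names follow the manual's
Mark as Spam / Mark as Clear / Mark as Reject.
"""
import ipaddress
import re


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern to an anchored regular expression.

    '*' becomes '.*' (any run of characters), '?' becomes '.' (any single
    character), and everything else, including '.', is escaped so that it
    matches literally (re.escape() renders '.' as backslash-dot).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def pattern_matches(pattern, pattern_type, text):
    """True if text matches pattern of the given type ('wildcard' or 'regex')."""
    if pattern_type == "wildcard":
        return re.search(wildcard_to_regex(pattern), text, re.IGNORECASE) is not None
    if pattern_type == "regex":
        return re.search(pattern, text, re.IGNORECASE) is not None
    raise ValueError("unknown pattern type: %s" % pattern_type)


# Constructed sample lists (assumptions for this example). Entries are
# (pattern, pattern type, action) for the email address list and
# (network, action) for the IP address list. Order matters: the first entry
# that matches wins, so a narrow "clear" entry must sit above a broader
# "spam" or "reject" entry to have any effect.
EMAIL_LIST = [
    ("postmaster@example.com", "wildcard", "clear"),
    ("*@example.com", "wildcard", "spam"),
    (r"^[a-z0-9]{12,}@.*\.example\.net$", "regex", "spam"),
]

IP_LIST = [
    ("192.0.2.25/32", "clear"),
    ("192.0.2.0/24", "reject"),
    ("198.51.100.0/24", "spam"),
]


def check_email_list(sender, entries=EMAIL_LIST):
    """Return the action of the first matching entry, or None if none matches."""
    for pattern, pattern_type, action in entries:
        if pattern_matches(pattern, pattern_type, sender):
            return action
    return None


def check_ip_list(sender_ip, entries=IP_LIST):
    """Return the action of the first entry whose network contains sender_ip."""
    addr = ipaddress.ip_address(sender_ip)
    for cidr, action in entries:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action
    return None


if __name__ == "__main__":
    # The '.' pitfall from the manual, then the two lists evaluated in sequence.
    print(pattern_matches("fortinet.com", "regex", "fortinetacom"))    # True
    print(pattern_matches(r"fortinet\.com", "regex", "fortinetacom"))  # False
    print(wildcard_to_regex("forti*.com"))                             # ^forti.*\.com$
    print(check_email_list("postmaster@example.com"))                  # clear
    print(check_email_list("alice@example.com"))                       # spam
    print(check_ip_list("192.0.2.25"), check_ip_list("192.0.2.26"))    # clear reject
```

Run it directly to print the results. The ordering lesson carries over to the real lists: a narrow Mark as Clear entry placed after a broad Mark as Spam or Mark as Reject entry never fires, because evaluation stops at the first match. The same wildcard and regular expression rules apply to the banned word, web content block and URL filter lists.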
  • Page 397: Im, P2P & Voip

    FortiGuard Distribution Network (FDN). There is no need to wait for a firmware upgrade to stay ahead of the latest protocols. FortiOS 3.0 also provides ways for you to deal with unknown protocols even before upgrades are available.
  • Page 398 Overview IM, P2P & VoIP. Table 43: IM/P2P applications covered by IPS in FortiOS 3.0. AIM (Firewall > Protection Profile > IM/P2P): AIM, AIM Triton. ICQ (Firewall > Protection Profile > IM/P2P). MSN (Firewall > Protection Profile > IM/P2P): MSN Messenger. qq (Intrusion Protection >...
  • Page 399: Configuring Im/P2P Protocols

    IM, P2P & VoIP Configuring IM/P2P protocols Configuring IM/P2P protocols Different organizations require different policies regarding IM/P2P. The FortiGate unit allows you to configure your unit in the way that best serves your needs. How to enable and disable IM/P2P options This section will tell you the four main locations to enable or disable the IM/P2P options.
  • Page 400: How To Configure Im/P2P Decoder Log Settings

    Configuring IM/P2P protocols IM, P2P & VoIP To control log settings, select the blue arrow for Logging. To control content archive settings, select the blue arrow for Content Archive. To control FortiGuard web filtering, select the blue arrow for FortiGuard Web Filtering.
  • Page 401: Statistics

    Note: To detect new IM/P2P applications or new versions of the existing applications, you only need to update the IPS package, available through the FortiGuard Distribution Network (FDN). No firmware upgrade is needed. Statistics You can view the IM, P2P and VoIP statistics to gain insight into how the protocols are being used within the network.
  • Page 402: Viewing Statistics By Protocol

    Statistics IM, P2P & VoIP Chat For each IM protocol, the following chat information is listed: • Total Chat Sessions • Total Messages. File Transfers For each IM protocol, the following file transfer information is listed: (File transfers) Since Last Reset and (File transfers) Blocked. Voice Chat For each IM protocol, the following voice chat information is listed: •...
  • Page 403: User

    IM, P2P & VoIP User Users For the selected protocol, the following user information is displayed: Current Users, (Users) Since Last Reset, and (Users) Blocked. Chat For the selected protocol, the following chat information is displayed: Total Chat Sessions, Server-based Chat, Group Chat, and Direct/Private Chat.
  • Page 404: Viewing The User List

    User IM, P2P & VoIP Viewing the User List The User List displays information about users who have been allowed access to (white list) or have been blocked from (black list) instant messaging services. Users can be added using Create New or from the temporary users list. To view the User List, go to IM/P2P >...
  • Page 405: Configuring A Policy For Unknown Im Users

    IM, P2P & VoIP User Configuring a policy for unknown IM users The User Policy determines the action to be taken with unknown users. Unknown users can be either allowed to use some or all of the IM protocols and added to a white list, or blocked from using some or all of the IM protocols and added to a black list.
  • Page 407: Log&Report

    Log&Report FortiGate Logging Log&Report This section provides information on how to enable logging, viewing of log files and the viewing of reports available through the web-based manager. FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.
  • Page 408: Log Severity Levels

    Log severity levels Log&Report For better log storage and retrieval, the FortiGate unit can send log messages to a FortiAnalyzer™ unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity, to help identify security issues and reduce network misuse.
  • Page 409: Storing Logs

    Log&Report Storing Logs Storing Logs The type and frequency of log messages you intend to save dictates the type of log storage to use. For example, you can store a limited number of log messages in memory and older log messages are overwritten. Storing log messages to one or more locations, such as a FortiAnalyzer unit, may be better suited for your specific logging purposes.
  • Page 410: Connecting To Fortianalyzer Using Automatic Discovery

    FortiAnalyzer unit requires FortiAnalyzer 3.0 firmware to use the feature. Note: If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. Use the Fortinet Knowledge center article, Fortinet Discovery Protocol in Transparent mode, to enable the interface to also carry traffic when using the automatic discovery feature.
  • Page 411: Testing The Fortianalyzer Configuration

    Log&Report Storing Logs Testing the FortiAnalyzer configuration After configuring FortiAnalyzer settings, you can test the connection between the FortiGate unit and the FortiAnalyzer unit to ensure the connection is working correctly. This enables you to see the connection between the FortiGate unit and the FortiAnalyzer unit including the settings specified for transmitting and receiving logs, reports, content archive, and quarantine files between the FortiGate unit and the FortiAnalyzer unit.
  • Page 412: Logging To Memory

    Storing Logs Log&Report. Allocated Disk Space: The amount of space designated for logs. Used Space: The amount of used space. Total Free Space: The amount of unused space. Privileges: Displays the permissions of the device for sending and viewing logs and reports.
  • Page 413: Logging To A Syslog Server

    Log&Report Storing Logs Logging to a Syslog server A syslog server is a remote computer running syslog server software. Syslog is an industry standard used to capture log information provided by network devices. Note that standard syslog is sent unencrypted and without authentication, so keep the path between the FortiGate unit and the syslog server on a trusted management network. Figure 278: Logging to a Syslog server. To configure the FortiGate unit to send logs to a syslog server Go to Log&Report >...
  • Page 414: Logging To Fortiguard Log And Analysis Server

    Storing Logs Log&Report. Keywords and variables, with description and default: server <address_ipv4>: Enter the IP address of the WebTrends server that stores the logs. No default. status {disable | enable}: Enter enable to enable logging to a WebTrends server. Default: disable. Example: This example shows how to enable logging to a WebTrends server and to set an IP address for the server.
  • Page 415: High Availability Cluster Logging

    Log&Report High Availability cluster logging High Availability cluster logging When configuring logging with a High Availability (HA) cluster, configure the primary unit to send logs to a FortiAnalyzer unit or a Syslog server. The settings will apply to the subordinate units. The subordinate units send the log messages to the primary unit, and the primary unit sends all logs to the FortiAnalyzer unit or Syslog server.
  • Page 416: Event Log

    Log types Log&Report To enable traffic logging for an interface or VLAN subinterface Go to System > Network > Interface. Select the Edit icon for an interface. Select Log. Select OK. Enabling firewall policy traffic logging Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile.
  • Page 417: Antivirus Log

    Log&Report Log types SSL VPN The FortiGate unit logs all administrator events related to SSL VPN, such as SSL configuration and CA certificate loading and administrator event removal. SSL VPN session The FortiGate unit logs all session activity such as application launches and blocks, timeouts, verifications and so on.
  • Page 418: Attack Log

    Log types Log&Report Attack log The Attack Log records attacks detected and prevented by the FortiGate unit. The FortiGate unit logs the following: Attack Signature The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit. Attack Anomaly The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the...
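Attack log messages like those described above are what a syslog server (page 413) or a FortiAnalyzer unit receives, one key=value line per event, and the severity levels (page 408) decide which of them deserve an alert. The following Python script is an added example written for this edit, not code from the manual or from Fortinet: it parses constructed FortiGate-style log lines, keeps those at or above a chosen severity, and summarizes attack log events by signature name and action taken. The field names (type, subtype, pri, status, msg, attack_id), the seven severity names, and every value in the sample lines are assumptions modelled on the FortiOS key=value log format; check them against the log message reference for your firmware before running anything like this on real logs.

```python
"""Parsing and triaging FortiGate-style log messages.

Added example, not Fortinet code. FortiGate log messages are lines of
key=value fields, which is what a syslog server or FortiAnalyzer unit
receives. The sample lines below are constructed for this example; their
field names and the seven severity names are assumptions modelled on the
FortiOS 3.0 log format and the manual's severity levels.
"""
import re
from collections import Counter

# Lower number = more severe, as in syslog. Names are assumed.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6,
}

# Constructed sample log lines (placeholder device, attack and address values).
SAMPLE_LOGS = [
    'date=2007-01-02 time=10:15:01 device_id=FG-EXAMPLE log_id=0420070000 '
    'type=ips subtype=signature pri=alert vd=root attack_id=999001 '
    'src=203.0.113.5 dst=192.0.2.10 src_port=44321 dst_port=80 proto=6 '
    'status=dropped msg="EXAMPLE.Signature.A"',
    'date=2007-01-02 time=10:15:03 device_id=FG-EXAMPLE log_id=0420070000 '
    'type=ips subtype=signature pri=alert vd=root attack_id=999001 '
    'src=203.0.113.5 dst=192.0.2.10 src_port=44322 dst_port=80 proto=6 '
    'status=reset msg="EXAMPLE.Signature.A"',
    'date=2007-01-02 time=10:16:00 device_id=FG-EXAMPLE log_id=0421070000 '
    'type=ips subtype=anomaly pri=critical vd=root attack_id=999002 '
    'src=203.0.113.9 dst=192.0.2.10 proto=6 status=dropped '
    'msg="EXAMPLE.Anomaly.SynFlood"',
    'date=2007-01-02 time=10:17:00 device_id=FG-EXAMPLE log_id=0100032001 '
    'type=event subtype=admin pri=information vd=root user=admin '
    'msg="User admin login successful from 192.0.2.50"',
    'date=2007-01-02 time=10:18:00 device_id=FG-EXAMPLE log_id=0021000002 '
    'type=traffic subtype=allowed pri=notice vd=root src=192.0.2.50 '
    'dst=198.51.100.7 dst_port=443 proto=6 status=accept',
]

# A field is key=value where the value is either double-quoted (and may
# contain spaces) or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def select_events(lines, min_severity="warning", log_type=None):
    """Parse lines and keep events at or above min_severity, optionally of one type.

    A missing or unknown pri is treated as 'information', so a malformed
    line is never silently promoted above the threshold.
    """
    threshold = SEVERITY[min_severity]
    selected = []
    for line in lines:
        event = parse_log_line(line)
        level = SEVERITY.get(event.get("pri", "").lower(), SEVERITY["information"])
        if level > threshold:
            continue
        if log_type is not None and event.get("type") != log_type:
            continue
        selected.append(event)
    return selected


def attack_summary(lines):
    """Count attack log events by (attack name, action taken)."""
    counts = Counter()
    for event in select_events(lines, "information", log_type="ips"):
        counts[(event.get("msg", "?"), event.get("status", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in select_events(SAMPLE_LOGS, "warning"):
        print(event["time"], event["type"], event["pri"], event.get("msg", ""))
    print(attack_summary(SAMPLE_LOGS))
```

Feeding real syslog output through parse_log_line is the first step toward the kind of alert email or FortiAnalyzer report the later pages describe; the severity threshold and type filter are the same two knobs the web-based manager exposes for alert email and log filters.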
  • Page 419: Voip Log

    Log&Report Log Access VoIP log You can now log Voice over Internet Protocol (VoIP) calls. You can also configure VoIP rate limiting for Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP), also called Skinny. SIP and SCCP are two types of VoIP protocols.
  • Page 420: Accessing Log Messages Stored In Memory

    Log Access Log&Report Accessing log messages stored in memory From the Log Access page, you can access logs stored in the FortiGate system memory. Traffic logs are not stored in memory because of the amount of space required to log them. To view log messages in the FortiGate memory buffer Go to Log&Report >...
  • Page 421: Accessing Logs Stored On The Fortianalyzer Unit

    Log&Report Log Access View icon: Display the log file through the web-based manager. Delete icon: Select to delete rolled logs. It is recommended to download the rolled log file before deleting it because the rolled log file cannot be retrieved after deleting it.
  • Page 422: Accessing Logs On The Fortiguard Log & Analysis Server

    Log Access Log&Report Accessing logs on the FortiGuard Log & Analysis server You can access logs on the FortiGuard Log & Analysis server from the Log Access page. The Log Access page contains a FortiGuard tab, enabling you to view all logs that are on the FortiGuard Log & Analysis server. To access logs on the FortiGuard Log &...
  • Page 423: Column Settings

    Log&Report Log Access Column settings Customize and filter the log messages display using the Column Settings icon. The column settings apply when viewing the formatted (not raw) log messages. Figure 282:Column settings for viewing log messages To customize the columns Go to Log&Report >...
  • Page 424: Deleting Logs Stored On The Fortiguard Log & Analysis Server

    Log Access Log&Report The filter settings you apply remain for the duration of the time you are logged in to the web-based manager. The log filters are reset when you log out of the web-based manager. Note: The filters can only be used when viewing log contents in the formatted view. To filter log messages Go to Log&Report >...
  • Page 425: Content Archive

    Log&Report Content Archive Content Archive The Content Archive menu enables you to view archived logs stored on the FortiAnalyzer unit from the FortiGate web-based manager. The Content Archive menu has four tabs, HTTP, FTP, Email, and IM where you can view each of these archived log types.
  • Page 426: Alert Email

    Alert Email Log&Report Alert Email The Alert Email feature enables the FortiGate unit to monitor logs for log messages, notifying by email of a specific activity or event logged. For example, if you require notification when administrators log in and out, you can configure an alert email that is sent whenever an administrator logs in or out.
  • Page 427 Log&Report Alert Email SMTP user Enter the user name for logging on to the SMTP server to send alert email messages. You only need to do this if you have enabled the SMTP authentication. Password Enter the password for logging on to the SMTP server to send alert email.
  • Page 428: Reports

    Reports Log&Report Reports The FortiAnalyzer reporting features are now more integrated with the FortiGate unit. From the Log&Report menu, you can configure a simple FortiAnalyzer report, view the report, and print the report. You can even view content archive logs stored on the FortiAnalyzer unit.
  • Page 429: Fortianalyzer Reports

    Log&Report Reports Services By default all services are selected. When you refresh your browser or go to a different menu, all services revert to default settings. Deselect the services you do not want to include in the graphical analysis. • Browsing •...
  • Page 430: Configuring A Fortianalyzer Report

    Reports Log&Report Configuring a FortiAnalyzer report You can configure a FortiAnalyzer report from the Report Config menu. The Report Config menu also includes the CLI command, multi-report, enabling you to configure multiple FortiAnalyzer reports. The multi-report command is disabled by default. By default, only the default FortiAnalyzer report is available in the Report Config menu.
  • Page 431 Log&Report Reports Configuring the report properties Enter your company’s name, a header comment or a footer for the report. These are optional. Figure 286:Report properties options Configuring the report scope Select the time period and/or log filters for the report. You can select different time periods, for example, if you want the report to include log files from July 31, 2005 to September 9, 2005.
  • Page 432 Reports Log&Report Filter logs Select None to not apply a filter to the logs in the report. Select Custom to apply filters to the log report. Include logs that Select the matching criteria for the filter. match Select all to include logs in the report that match all filter settings. If information within a log does not match all the criteria, the FortiAnalyzer unit will not include the log in the report.
  • Page 433 Log&Report Reports Configuring the report types Select the type of information you want to include in the report: • Select Basic to include the most common report types. • Select All to include all report types. If data does not exist for a report type, that report will appear with the message “No matching log data for this report.”...
  • Page 434 Reports Log&Report Configuring the report output Select a destination and format(s) for the report. You can select from several different formats, including Text format. You can also select a different format for file output and email output. When configuring the FortiAnalyzer unit to email a report, you must configure the mail server on the FortiAnalyzer unit.
  • Page 435 Log&Report Reports. Password: Enter the password to log onto the FTP server. Upload report(s) in gzipped format: Select to compress the report files as gzip files before uploading to the FTP server. Delete file(s) after uploading: Select to delete the report files from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload to the FTP server.
  • Page 436 Reports Log&Report Figure 292:Report summary layout Customize Select the number of columns, charts to add to the layout, and edit or remove the charts. Chart Columns Select a number from the drop-down list to specify how many columns to include in the chart. You can choose only one column or up to four columns.
  • Page 437: Editing Fortianalyzer Reports

    Log&Report Reports Editing FortiAnalyzer reports After a scheduled FortiAnalyzer report is configured and generated, you can then edit the report from the Report Config menu. The FortiAnalyzer tab enables you to edit the report, and view information about other scheduled FortiAnalyzer reports. You can view and edit scheduled reports from the FortiAnalyzer tab.
  • Page 438: Viewing Fortianalyzer Reports From A Fortigate Unit

    Viewing FortiAnalyzer reports from a FortiGate unit Log&Report Viewing FortiAnalyzer reports from a FortiGate unit The FortiAnalyzer unit can generate a number of specific reports for a FortiGate unit, and run these reports at scheduled times, or on demand. If you are using a FortiGate unit with FortiOS 3.0 MR2 or higher, you can view any report generated from the FortiAnalyzer unit for that FortiGate unit on the Report Access page.
  • Page 439: Index

    Index Index Numerics options 426 alert mail messages 137 802.3ad aggregate interface Alert Message Console creating 75 clearing messages 48 allow inbound firewall policy 226 ipsec policy 226 accept action allow outbound firewall policy 220 firewall policy 226 accessing log messages allow web sites when a rating error occurs hard disk 420 protection profile 276...
  • Page 440 Index view virus list 345 adding words to the Spam filter banned word list virus list 345 catalog 384 antivirus options web content block 366, 368 protection profile 273 banned word (Spam filter) antivirus updates 167 action 386 through a proxy server 168 language 386 list 385 service 240...
  • Page 441 IPSec interface mode 296 service 240 IPSec tunnel mode 299 documentation custom service commenting on 31 adding 243 Fortinet 29 adding a TCP or UDP custom service 243 download list 243 grayware category 347 custom signature quarantine files list 342...
  • Page 442 Index quarantine files list 342 Dynamic DNS fail open 359 IPSec interface mode 288 monitor 300 disruption in traffic 167 on network interface 81 FortiGuard Distribution Network 161 VPN IPSec monitor 300 HTTPS 166 dynamic IP pool NAT option override server 164 firewall policy 221 port 443 166 dynamic routing 189...
  • Page 443 Index accept action 220 L2TP 241 action 215 LDAP 241 adding 216 NetMeeting 241 adding a protection profile 282 NFS 241 Address Name 219 NNTP 241 allow inbound 226 NTP 241 allow outbound 226 OSPF 241 authentication 221, 222 PC-Anywhere 241 changing the position in the policy list 216 PING 241 comments 222...
  • Page 444 414 HA 119, 124 FortiMail 25 changing cluster unit host names 124 FortiManager 25 cluster member 124 Fortinet customer service 31 cluster members list 122 Fortinet documentation 29 configuration 119 Fortinet Family Products 25 connect a cluster unit 126...
  • Page 445 36 protection profile 274 searching the online help 35 inter-VDOM 65 heuristics introduction antivirus 348 Fortinet documentation 29 quarantine 348 intrusion detected high availability See HA 119 HA statistics 125 hijacker intrusion prevention system, see IPS...
  • Page 446 Index firewall policy 220 attack anomaly 418 attack signature 418 ipsec policy column settings 423 allow inbound 226 filter 423 inbound NAT 226 formatted 422 outbound NAT 226 instant message log 418 IPSec VPN messages 422 authentication for user group 328 P2P log 418 Auto Key 287 raw 422...
  • Page 447 Index Members IPSec tunnel mode 299 grayware category 347 memory usage NNTP HA statistics 125 service 241 messages, log 422 Not Registered 163 mheader 392 Not-so-stubby Area (NSSA) 199 MIB 130, 133 FortiGate 130 service 241 RFC 1213 130 RFC 2665 130 misc one-time schedule grayware category 347...
  • Page 448 Index allow outbound 226 authentication 221, 222 P1 Proposal changing the position in the policy list 216 Phase 1 IPSec interface mode 291 comments 222 P2 Proposal configuring 216 Phase 2 IPSec interface mode 294 create new 215 deleting 216 grayware category 347 deny action 220 log 418...
  • Page 449 Index previous logging, viruses 281 online help icon 35 options 272 oversized file/email 274 print pass fragmented email 274 online help icon 35 provide details for blocked HTTP errors 276 priority quarantine 274 cluster members 124 rate images by URL 276 product registration 34, 161 rate URLs by domain and IP address 277 products, family 25...
  • Page 450 Index autosubmit list 342 Remote Gateway autosubmit list file pattern 342 IPSec manual key setting 298 configuration 343 IPSec phase 1 setting 288 configuring the autosubmit list 343 VPN IPSec monitor field 300 enable AutoSubmit 345 Remote gateway enabling uploading autosubmit file patterns 343 VPN IPSec monitor field 301 heuristics 348 remote peer...
  • Page 451 Index HA 210 IMAP 241 INFO_ADDRESS 241 router monitor INFO_REQUEST 241 HA 210 Internet-Locator-Service 241 routing IRC 241 configuring 90 L2TP 241 ECMP 180 LDAP 241 monitor 209 NetMeeting 241 static 180 NFS 241 routing table 209 NNTP 241 RTF document 434 NTP 241 RTS threshold organizing services into groups 245...
  • Page 452 Index custom IPS signatures 354 checking client certificates 306 IPS 351 configuration settings 305 monitoring sessions 307 setting the cipher suite 306 service 242 specifying server certificate 306 SIP-MSNmessenger specifying timeout values 306 service 242 terminating sessions 307 tunnel IP range 306 chassis monitoring 173 SSL VPN login message 140 SMTP...
  • Page 453 Index service 242 trusted host administrator account 148 system Administrators options 147 chassis monitoring 173 security issues 148 system configuration 119 system global av_failopen quarantine files list 342 antivirus 347 Tunnel Name system global optimize IPSec interface mode 296 antivirus 347 Tx Power system idle timeout 142 wireless setting 108...
  • Page 454 Index VDOM partitioning banned word 366, 368 HA 122 language 366, 368 pattern type 366, 368 viewing log messages on hard disk 420 protection profile 275 viewing logs on FortiGuard Log & Analysis server 422 web filter 366 Virtual Circuit Identification (VCI) 75 web content block list Virtual Domain Configuration 64 web filter 365...
  • Page 455 Index wireless, security 108 Wireless, SSID 108 XAuth WLAN IPSec interface mode 292 interface 105 X-WINDOWS interface, creating on WiFi-60 107 service 242 interface, creating on WiFi-60A 77 WPA 108 FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102...