Contents

Introduction 17
Introducing the FortiGate units 18
FortiGate-5000 series chassis 18
About the FortiGate-5000 series modules 19
FortiGate-3600A 19
FortiGate-3600 20
FortiGate-3000 20
FortiGate-1000A 20
FortiGate-1000AFA2 21
FortiGate-1000 21
FortiGate-800 21
FortiGate-800F ...
Web-based manager 33
Button bar features 34
Contact Customer Support 34
Using the Online Help 34
Logout 36
Web-based manager pages 37
Web-based manager menu 37
Lists 38
Icons 38
System Status 41
Status page ...
System Network 69
Interface 69
Switch Mode 71
Interface settings 72
Configuring an ADSL interface 74
Creating an 802.3ad aggregate interface 75
Creating a redundant interface 76
Creating a wireless interface 77
Configuring DHCP on an interface 78
Configuring an interface for PPPoE or PPPoA ...
Configuring SNMP 127
Configuring an SNMP community 128
Fortinet MIBs 130
FortiGate traps 131
Fortinet MIB fields 133
Replacement messages 136
Replacement messages list 137
Changing replacement messages 138
Changing the authentication login page 139
Changing the FortiGuard web filtering block override page ...
OSPF 194
OSPF autonomous systems 194
Defining an OSPF AS 195
Viewing and editing basic OSPF settings 196
Selecting advanced OSPF options 198
Defining OSPF areas 199
Specifying OSPF networks 200
Selecting operating parameters for an OSPF interface 201
BGP ...
Firewall Service 239
Viewing the predefined service list 239
Viewing the custom service list 243
Configuring custom services 243
Viewing the service group list 245
Configuring service groups 245
Firewall Schedule 247
Viewing the one-time schedule list 247
Configuring one-time schedules ...
Configuring a protection profile 272
Antivirus options 273
Web filtering options 275
FortiGuard-Web filtering options 276
Spam filtering options 277
IPS options 279
Content archive options 279
IM and P2P options 280
Logging options 281
VoIP options ...
CA Certificates 315
Importing CA certificates 316
CRL 317
Importing a certificate revocation list 317
User 319
Configuring user authentication 319
Setting authentication timeout 320
Setting user authentication protocol support 320
Local user accounts 321
Configuring a user account ...
Config 345
Viewing the virus list 345
Viewing the grayware list 346
Antivirus CLI configuration 347
system global optimize 347
config antivirus heuristic 348
config antivirus quarantine 348
config antivirus service <service_name> 348
Intrusion Protection ...
Content block 364
Viewing the web content block list catalog 364
Creating a new web content block list 365
Viewing the web content block list 365
Configuring the web content block list 366
Viewing the web content exempt list catalog 367
Creating a new web content exempt list ...
Advanced antispam configuration 392
config spamfilter mheader 392
config spamfilter rbl 393
Using Perl regular expressions 393
Regular expression vs. wildcard match pattern 393
Word boundary 394
Case sensitivity 394
Perl regular expression formats 394
Example regular expressions ...
Log types 415
Traffic log 415
Event log 416
Antivirus log 417
Web filter log 417
Attack log 418
Spam filter log 418
IM and P2P log 418
VoIP log 419
Log Access 419
Accessing log messages stored in memory ...
FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102
Introduction

Welcome and thank you for selecting Fortinet products for your real-time network protection. FortiGate™ ASIC-accelerated multi-threat security systems improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
FortiGate-5140 chassis

You can install up to 14 FortiGate-5000 series modules in the 14 slots of the FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to -48 VDC Data Center DC power.
FortiGate-5020 chassis

You can install one or two FortiGate-5000 series modules in the two slots of the FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The FortiGate-5020 chassis also includes an internal cooling fan tray.
The FortiGate-1000A automatically keeps its FortiGuard Subscription Services information up to date through the FortiGuard Distribution Network, ensuring around-the-clock protection against the latest viruses, worms, trojans and other threats. The FortiGate-1000A has a flexible architecture that adapts quickly to emerging technologies such as IM, P2P and VoIP, and to identity theft methods such as spyware, phishing and pharming attacks.
The FortiGate-1000AFA2 features two extra optical fiber ports with Fortinet’s FortiAccel™ technology, enhancing small packet performance. The FortiGate-1000AFA2 also delivers critical security functions in a hardened security platform, tuned for reliability, usability, rapid deployment, low operational costs and most importantly a superior detection rate against known and unknown anomalies.
FortiGate-500A

The FortiGate-500A unit provides the carrier-class levels of performance and reliability demanded by large enterprises and service providers. With a total of 10 network connections (including a 4-port LAN switch) and high-availability features including automatic failover with no session loss, the FortiGate-500A is the choice for mission critical applications.
FortiGate-300

The FortiGate-300 unit is designed for larger enterprises. The FortiGate-300 unit features high availability (HA), which includes automatic failover with no session loss. This feature makes the FortiGate-300 an excellent choice for mission-critical applications.

FortiGate-200A

The FortiGate-200A unit is an easy-to-deploy and...
FortiGate-60/60M/ADSL

The FortiGate-60 unit is designed for telecommuters, remote offices, and retail stores. The FortiGate-60 unit includes an external modem port that can be used as a backup or stand alone connection to the...
Fortinet family of products

Fortinet offers a family of products that includes both software and hardware appliances for a complete network security solution including mail, logging, reporting, network management, and security along with FortiGate Unified Threat Manager Systems.
FortiGuard Antispam/Antivirus support, heuristic scanning, greylisting, and Bayesian scanning. Built on Fortinet’s award winning FortiOS and FortiASIC technology, FortiMail antivirus technology extends full content inspection capabilities to detect the most advanced email threats.
The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help. You can find more information about FortiOS v3.0 from the...
• System Chassis (FortiGate-5000 series) describes information displayed on the system chassis web-based manager pages about all of the hardware components in your FortiGate-5140 or FortiGate-5050 chassis.
• Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
Examples: <BODY><H4>You must authenticate to use this service.</H4>; Program output: Welcome!; Variables: <address_ipv4>

FortiGate documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following FortiGate product documentation is available: •...
FortiGate CLI commands.
• FortiGate Log Message Reference: Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Web-based manager

This section describes the features of the user-friendly web-based manager administrative interface of your FortiGate unit. Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages.
Center.
• Log into Customer Support (Support Login).
• Register your FortiGate unit (Product Registration).
• Find out about Fortinet Training and Certification.
• Visit the FortiGuard Center.

To register your FortiGate unit, go to Product Registration and follow the instructions.
Display the next page in the online help. Email Send an email to Fortinet Technical Documentation at techdoc@fortinet.com. You can use this email address to let us know if you have a comment about or correction for the online help or any other Fortinet technical documentation product.
Go to the next page. Alt+7 Send an email to Fortinet Technical Documentation at techdoc@fortinet.com. You can use this email address to let us know if you have a comment about or correction for the online help or any other Fortinet technical documentation product.
Web-based manager pages

The web-based manager interface consists of a menu and pages, many of which have multiple tabs. When you select a menu item, such as System, it expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab.
AntiSpam: Configure email spam filtering.
IM, P2P & VoIP: Configure monitoring and control of internet messaging, peer-to-peer messaging, and voice over IP (VoIP) traffic.
Log & Report: Configure logging, alert email, and FortiGuard Log and Analysis. View log messages and reports.
Table 2: web-based manager icons (Continued)

Icon / Name: Description
Description: The tooltip for this icon displays the Description field for this table entry.
Download or Backup: Download a log file or back up a configuration file.
Download: Download a Certificate Signing Request.
System Status

This section describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics.
Status page

The System Status page is completely customizable. You can select which displays to show, where they are located on the page, and if they are minimized or maximized. Each display has an icon associated with it for easy recognition when minimized.
System information

Figure 9: Example FortiGate-5001 System Information

Serial Number: The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Uptime: The time in days, hours, and minutes since the FortiGate unit was last started.
Virtual Domain: The status of virtual domains on your FortiGate unit. Select enable or disable to change the status of virtual domains. If you change the state of virtual domains, your session will be terminated and you will need to log in again. For more information see “Using virtual domains”...
The number of virtual domains the unit supports. For FortiGate models 3000 or higher, you can select the Purchase More link to purchase a license key through Fortinet Support to increase the maximum number of VDOMs. See “License” on page 172.
Figure 12: Customize CLI Console window

Preview: See how your changes will appear on the CLI console.
Text: Select this control, then choose a color from the color matrix to the right to change the color of the text in the CLI console.
Background: Select this control, then choose a color from the color matrix to the right to change the color of the background in the CLI console.
History icon: View a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information, see “Viewing operational history” on page .
CPU Usage: The current CPU status displayed as a dial gauge and as a percentage.
Reboot: Select to shut down and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.
Shutdown: Select to shut down the FortiGate unit. You will be prompted for confirmation.
The information displayed in the statistics section is saved in log files that can be saved to a FortiAnalyzer unit, saved locally or backed up to an external source. You can use this data to see trends in network activity or attacks over time and deal with them accordingly.
Figure 17: Time Settings

System Time: The current FortiGate system date and time.
Refresh: Update the display of the current FortiGate system date and time.
Time Zone: Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving: Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time...
Changing the FortiGate firmware

FortiGate administrators whose access profiles permit maintenance read and write access can change the FortiGate firmware. Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure for the firmware change you want to perform: •...
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 167 to make sure that antivirus and attack definitions are up to date.
Updating the FortiGuard AV Definitions manually

Download the latest AV definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status.
In the License Information section, in the IPS Definitions field of the FortiGuard Subscriptions, select Update. The Intrusion Prevention System Definitions Update dialog box appears. In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
Source Port: The source port of the connection.
Destination Address: The destination IP address of the connection.
Destination Port: The destination port of the connection.
Policy ID: The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (an admin session, for example).
Viewing archived FTP content information

Go to System > Status. In the Content Archive section, select Details for FTP.

Date and Time: The time of access.
Destination: The IP address of the FTP server that was accessed.
User: The User ID that logged into the FTP server.
The intended recipient’s email address or IP address.
Service: The service type, such as POP or HTTP.
Virus: The name of the virus that was detected.

Viewing attacks blocked

Go to System > Status. In the Attack Log section, select Details for IPS.

Date and Time: The time that the attack was detected.
Topology viewer

The Topology viewer provides a way to diagram and document the networks connected to your FortiGate unit. It is available on all FortiGate units except models numbered 50 and 60.

The Topology Viewer window

The Topology window consists of a large “canvas”...
View and edit controls

The toolbar at the top left of the Topology page shows controls for viewing and editing topology diagrams.

Table 3: View/Edit controls for Topology Viewer

Refresh: Refresh the displayed diagram.
Zoom in: Select to show a smaller portion of the drawing area in the main viewport, making objects appear larger.
Customizing the topology diagram

Select the Customize button to open the Topology Customization window. Modify the settings as needed and select OK when you are finished.

Figure 21: Topology Customization window

Preview: A simulated topology diagram showing the effect of the selected appearance options.
Using virtual domains

This section describes how to use virtual domains to operate your FortiGate unit as multiple virtual units, providing separate firewall and routing services to multiple networks. The following topics are included in this section: •...
By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250.
• User settings
• Users
• User groups
• RADIUS and LDAP servers
• Microsoft Windows Active Directory servers
• P2P Statistics (view/reset)
• Logging configuration, log access and log reports

Global configuration settings

The following configuration settings affect all virtual domains. When virtual domains are enabled, only the default super admin can access global settings.
Enabling VDOMs

Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit.

To enable virtual domains
1. Log in to the web-based manager as admin.
2. Go to System > Status.
3. In System Information, next to Virtual Domain select Enable.
Working with VDOMs and global settings

When you log in as admin and virtual domains are enabled you are automatically in global configuration, as demonstrated by the VDOM option under System. Select System > VDOM to work with virtual domains.

Figure 22: VDOM list

Create New: Select to add a new VDOM.
VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super admin must first create the VDOM, then create the VLAN subinterface, and assign it to the required VDOM. System >...
A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super admin can connect to the web-based manager or CLI through any interface on the FortiGate unit that permits management access.
System Network

This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration. The following topics are included in this section: •...
Figure 23: Interface list - regular administrator view
Figure 24: Interface list - admin view with virtual domains enabled

Create New: Select Create New to create a VLAN subinterface. On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface.
Name: The names of the physical interfaces on your FortiGate unit. The name and number of a physical interface depends on the model. Some names indicate the default function of the interface such as Internal, External and DMZ. Other names are generic such as port1. FortiGate models numbered 50 and 60 provide a modem interface.
Figure 25: Switch Mode Management

Switch Mode: Select Switch Mode. Only one internal interface is displayed. This is the default mode.
Interface Mode: Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces.
Select to save your changes and return to the Interface screen.
Name: Enter a name for the interface. You cannot change the name of an existing interface.
Type: On models 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces. On models WiFi-60A and WiFi-60AM, you can create wireless interfaces and VLAN subinterfaces.
PING: Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
Figure 28: Settings for an ADSL interface

Address mode: Select the addressing mode that your ISP specifies.
IPOA: IP over ATM. Enter the IP address and netmask that your ISP provides.
Ethernet over ATM, also known as Bridged mode: Enter the IP address and netmask that your ISP provides.
Figure 29: Settings for an 802.3ad aggregate interface

To create an 802.3ad Aggregate interface
1. Go to System > Network > Interface.
2. Select Create New.
3. In the Name field, enter a name for the aggregated interface. The interface name must not be the same as any other interface, zone or VDOM.
4. From the Type list, select 802.3ad Aggregate.
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not monitored by HA

When an interface is included in a redundant interface, it is not listed on the System >...
In the Wireless Settings section, enter the following information:

Figure 31: Wireless interface settings

SSID: Enter the wireless network name that the FortiWiFi-60 unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
Figure 32: Interface DHCP settings
Figure 33: ADSL interface DHCP settings

Status: Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. This is only displayed if you selected Edit.
Override internal DNS: Enable Override internal DNS to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On models numbered 100 and lower, you should also enable Obtain DNS server address automatically in System >...
Status: Displays PPPoE or PPPoA status messages as the FortiGate unit connects to the PPPoE or PPPoA server and gets addressing information. Select Status to refresh the addressing mode status message. This is only displayed if you selected Edit. Status can be one of the following 4 messages.
If at any time your FortiGate unit cannot contact the DDNS server, it retries three times at one-minute intervals and then changes to retrying at three-minute intervals. This prevents flooding the DDNS server.

Figure 36: DDNS service configuration

Server: Select a DDNS server to use.
Name: The name of the IPSec interface.
Virtual Domain: Select the VDOM of the IPSec interface.
Remote IP: If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel.
Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 153). For more information on configuring administrative access in Transparent mode, see “Operation mode and VDOM management access” on page 141.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
IP/Netmask: Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.
Zone

You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, but not between interfaces in the zone. You can add zones, rename and edit zones, and delete zones from the zone list.
Network Options

Network options include DNS server and dead gateway detection settings. These options are set on the Configuring Network Options screen. Go to System > Network > Options to configure DNS servers and Dead Gateway Detection settings.

Figure 41: Networking Options - FortiGate models 200 and higher
Figure 42: Networking Options - models numbered 100 and lower

Obtain DNS server address...
Enable DNS forwarding from: This option applies only to FortiGate models 100 and lower operating in NAT/Route mode. Select the interfaces that forward DNS requests they receive to the DNS servers that you configured.

Dead Gateway Detection

Dead gateway detection confirms connectivity using a ping server added to an interface configuration.
Routing table (Transparent Mode)

In Transparent mode, go to System > Network > Routing Table to add static routes from the FortiGate unit to local routers.

Figure 43: Routing table

Create New: Add a new route.
#: Route number.
Configuring the modem interface

On FortiGate models with modem support, you can use the modem as either a backup interface or a standalone interface in NAT/Route mode.
• In redundant (backup) mode, the modem interface automatically takes over from a selected Ethernet interface when that Ethernet interface is unavailable.
Figure 46: Modem settings (Redundant)

Enable Modem: Select to enable the FortiGate modem.
Modem status: The modem status shows one of: “not active”, “connecting”, “connected”, “disconnecting” or “hung up” (Standalone mode only).
Dial Now/Hang Up (Standalone mode only): Select Dial Now to manually connect to a dialup account.
Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
Configure firewall policies for connections to the modem interface. See “Adding firewall policies for modem connections” on page .

Standalone mode configuration

In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets.
Connecting and disconnecting the modem

The modem must be in Standalone mode.

To connect to a dialup account
1. Go to System > Network > Modem.
2. Select Enable USB Modem.
3. Make sure there is correct information in one or more Dialup Accounts.
4. Select Apply if you make any configuration changes.
VLAN overview

A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, independent of where they are located. For example, the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments, but still belong to the same VLAN.
Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains.
Figure 37 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200).
System Network VLANs in Transparent mode Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. If you are the super admin, select the virtual domain to add this VLAN subinterface to.
Page 100
VLANs in Transparent mode System Network If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration.
System Network VLANs in Transparent mode Figure 50: FortiGate unit in Transparent mode Internet Router Untagged packets VLAN Switch VL AN 1 VLAN Trunk VL AN 2 VL AN 3 FortiGate unit in Transparent mode VL AN 1 VLAN Trunk VL AN 2 VL AN 3 VLAN Switch...
Page 102
VLANs in Transparent mode System Network To add a VLAN subinterface in Transparent mode The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096.
Page 103
System Network VLANs in Transparent mode Figure 51: FortiGate unit with two virtual domains in Transparent mode FortiGate unit VLAN1 External root virtual domain Internal VLAN1 VLAN1 VLAN2 VLAN1 VLAN2 VLAN1 VLAN3 Internet VLAN3 VLAN2 VLAN VLAN New virtual domain VLAN Switch trunk trunk...
FortiGate IPv6 support System Network Troubleshooting ARP Issues Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The following topics are included in this section:
• The FortiWiFi wireless LAN interface
• Channel assignments
• System wireless settings (FortiWiFi-60)
• ...
Channel assignments
The following tables list the channel assignments for wireless LANs.
Table 5: IEEE 802.11a (5-GHz Band) channel numbers (table columns: Channel number, Frequency (MHz), and availability in the Regulatory Areas Americas, Europe, Taiwan, Singapore and Japan; rows begin at 5170 MHz and 5180 MHz)
Table 7: IEEE 802.11g (2.4-GHz Band) channel numbers (table columns: Channel number, Frequency (MHz), and OFDM and CCK availability for each of the Regulatory Areas Americas, EMEA, Israel and Japan; rows begin at 2412, 2417, 2422 and 2427 MHz)
System wireless settings (FortiWiFi-60)
Geography: Select your country or region. This determines which channels are available. You can select Americas, EMEA, Israel, or Japan. If you are in any other region, select World.
Channel: Select a channel for your FortiWiFi-60 wireless network. Users of the wireless network must configure their computers to use this channel.
System wireless settings (FortiWiFi-60A and 60AM)
Go to System > Wireless > Settings to configure wireless LAN settings.
Figure 54: Wireless parameters - FortiWiFi-60A and FortiWiFi-60AM
Operation Mode: The current operating mode. Access Point mode makes the FortiWiFi unit act as a wireless access point to which multiple clients can connect.
Wireless MAC Filter
Go to System > Wireless > MAC Filter to allow or deny wireless access to users based on their MAC address.
Figure 55: Wireless MAC Filter
MAC Filter Enable: Enable the MAC Filter.
Access for PCs not ...: Select whether to allow or deny access to unlisted MAC addresses.
Wireless Monitor
Go to System > Wireless > Monitor to see who is connected to your wireless LAN. This feature is available only if you are operating the wireless interface in WPA security mode.
Figure 56: Wireless Monitor (FortiWiFi-60)
Figure 57: Wireless Monitor (FortiWiFi-60A and 60AM)
Statistics: Statistical information about wireless performance for each...
FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102
System DHCP
This section describes how to use DHCP to provide convenient automatic network configuration for your clients. The following topics are included in this section:
• FortiGate DHCP servers and relays
• Configuring DHCP services
• ...
Configuring DHCP services
Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay and add DHCP servers as needed. On FortiGate models 50 and 60, a DHCP server is configured, by default, on the Internal interface, as follows: IP Range 192.168.1.110 to 192.168.1.210...
Configuring an interface as a DHCP relay agent
Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay configuration for an interface.
Figure 59: Edit DHCP relay settings for an interface
Interface Name: The name of the interface.
Name: Enter a name for the DHCP server.
Enable: Enable the DHCP server.
Type: Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.
IP Range: Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients.
The MAC address of the device to which the IP address is assigned.
Expire: Expiry date and time of the DHCP lease.
Reserving IP addresses for specific clients
You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec.
Note: For FortiOS v3.0 MR2 and previous versions, this HA section included extensive detail about HA. Starting with FortiOS v3.0 MR3 you should refer to the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.
If HA is already enabled, go to System > Config > HA to display the cluster members list. Select edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other cluster units.
Figure 63: FortiGate-5001SX HA virtual cluster configuration
Mode: Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. When configuring a cluster, you must set all members of the HA cluster to the same HA mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active.
Group Name: Add a name to identify the cluster. The maximum group name length is 7 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating you can change the group name.
Figure 64: Example FortiGate-5001SX cluster members list (figure callouts: Download Debug Log, Edit, Up and Down Arrows, Disconnect from Cluster)
If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster.
Download debug log: Download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list you can select View HA statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.
Figure 66: Example HA statistics (active-passive cluster)
Refresh every: Select to control how often the web-based manager updates the HA...
Changing subordinate unit host name and device priority
To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.
SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager.
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable: Select Enable to activate an SNMP community.
Figure 71: SNMP community options (part 2)
Community Name: Enter a name to identify the SNMP community.
Hosts: Enter the IP address and identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
IP Address: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit.
Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
FortiGate traps
The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. To receive traps, you must load and compile the Fortinet 3.0 MIB into the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number and hostname.
Table 12: FortiGate IPS traps
Trap message: Description
IPS Anomaly (fnTrapIpsAnomaly): IPS anomaly detected.
IPS Signature (fnTrapIpsSignature): IPS signature detected.
Table 13: FortiGate antivirus traps
Trap message: Description
Virus detected (fnTrapAvEvent): The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message.
The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.3.00.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Table 19: Administrator accounts
MIB field: Description
fnAdminNumber: The number of administrators on the FortiGate unit.
fnAdminTable: Table of administrators.
fnAdminIndex: Administrator account index number.
fnAdminName: The user name of the administrator account.
fnAdminAddr: An address of a trusted host or subnet from which this administrator account can be used.
Table 24: Virtual domains
MIB field: Description
fnVdNumber: The number of virtual domains on the FortiGate unit.
fnVdTable: Table of virtual domains.
fnVdIndex: Internal virtual domain index number on the FortiGate unit.
fnVdName: The name of the virtual domain.
Table 25: Active IP sessions
MIB field: Description...
For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering. Note: Disclaimer replacement messages provided by Fortinet are examples only.
Replacement messages list
Figure 72: Replacement messages list
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the Authentication Disclaimer page.
This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%: The FortiGuard - Web Filtering logo.
%%FORTINET%%: The Fortinet logo.
%%HTTP_ERR_CODE%%: The HTTP error code, “404” for example.
The HTTP error description.
Table 28: Replacement message tags (Continued)
Tag: Description
%%KEEPALIVEURL%%: auth-keepalive-page automatically connects to this URL every %%TIMEOUT%% seconds to renew the connection policy.
%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%OVERRIDE%%: The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
• The form must contain the following visible controls:
  • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
  • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
Example
The following is an example of a simple authentication page that meets the requirements listed above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>...
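An added example, not from the guide or from FortiOS: a small Python checker and renderer for replacement message templates. It verifies that an authentication page carries the two required visible controls and expands the %%TAG%% placeholders from Table 28; which tags expand to markup (the logos and the override link), the HTML-escaping of text tags such as %%FILE%%, and the sample pages are all assumptions constructed for this example.

```python
import html
import re

# Tags listed in the guide's replacement message tag table.
KNOWN_TAGS = {
    "%%FILE%%", "%%FORTIGUARD_WF%%", "%%FORTINET%%", "%%HTTP_ERR_CODE%%",
    "%%KEEPALIVEURL%%", "%%TIMEOUT%%", "%%NIDSEVENT%%", "%%OVERRIDE%%",
    "%%USERNAMEID%%", "%%PASSWORDID%%",
}
# Assumption of this example: these tags expand to markup (logo images, the
# override link); every other tag expands to plain text.
MARKUP_TAGS = {"%%FORTIGUARD_WF%%", "%%FORTINET%%", "%%OVERRIDE%%"}

# The two visible controls the guide requires on an authentication page.
REQUIRED_INPUTS = [("text", "%%USERNAMEID%%"), ("password", "%%PASSWORDID%%")]

TAG_RE = re.compile(r"%%[A-Z_]+%%")
INPUT_RE = re.compile(r"<INPUT\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)"?')


def _attrs(tag):
    """Attributes of one <INPUT ...> tag, keys lower-cased (HTML is case-insensitive)."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag)}


def check_auth_page(template):
    """Return the problems found in an authentication page template (empty if acceptable)."""
    problems = []
    inputs = [_attrs(t) for t in INPUT_RE.findall(template)]
    for typ, name in REQUIRED_INPUTS:
        if not any(i.get("type", "").lower() == typ and i.get("name") == name
                   for i in inputs):
            problems.append(f'missing <INPUT TYPE="{typ}" NAME="{name}">')
    for tag in sorted(set(TAG_RE.findall(template)) - KNOWN_TAGS):
        problems.append(f"unknown tag {tag}")
    return problems


def render(template, values):
    """Expand %%TAG%% placeholders. Text tags such as %%FILE%% or %%NIDSEVENT%%
    carry content taken from the blocked traffic (a file name, an attack
    message), so they are HTML-escaped before being placed in the page.
    Tags with no value supplied are left untouched."""
    def expand(match):
        tag = match.group(0)
        if tag not in values:
            return tag
        if tag in MARKUP_TAGS:
            return values[tag]
        return html.escape(values[tag], quote=True)
    return TAG_RE.sub(expand, template)


# Constructed sample pages for the checks below.
AUTH_PAGE = (
    '<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY>'
    '<FORM ACTION="" METHOD="post">'
    '<INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>'
    '<INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>'
    '<INPUT TYPE="submit" VALUE="Continue"></FORM></BODY></HTML>'
)
VIRUS_PAGE = ("<HTML><BODY>%%FORTINET%% The file %%FILE%% was blocked "
              "(HTTP %%HTTP_ERR_CODE%%).</BODY></HTML>")

if __name__ == "__main__":
    print(check_auth_page(AUTH_PAGE))
    print(render(VIRUS_PAGE, {"%%FORTINET%%": '<IMG SRC="logo.gif">',
                              "%%FILE%%": "<b>report</b>.exe",
                              "%%HTTP_ERR_CODE%%": "403"}))
```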
Operation mode and VDOM management access
You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.
Interface IP/Netmask: Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
Device: Select the interface to which the Interface IP/Netmask settings apply.
Default Gateway: Enter the default gateway required to reach other networks from the FortiGate unit.
System Admin
This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. In its factory default configuration, the unit has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration.
You can authenticate an administrator using a password stored on the FortiGate unit or on a RADIUS server. Optionally, you can store all administrator accounts on a RADIUS server, except for the default ‘admin’ account. RADIUS-based accounts on the same RADIUS server share the same access profile.
Configuring RADIUS authentication for administrators
If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator...
Figure 74: Administrators list
Create New: Add an administrator account.
Name: The login name for an administrator account.
Trusted hosts: The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see “Using trusted hosts”...
Configuring an administrator account
Use the default ‘admin’ account, an account with the super_admin access profile, or an administrator with Access Control Read Write to create a new administrator. Go to System > Admin > Administrators and select Create New.
Figure 75: Administrator account configuration - local authentication
Figure 76: Administrator account configuration - RADIUS authentication
Figure 77: Administrator account configuration - PKI authentication...
Administrator: Enter the login name for the administrator account.
RADIUS: Select to authenticate the administrator using a RADIUS server. RADIUS authentication for administrators must be configured first. See “Configuring RADIUS authentication for administrators” on page 144.
User Group: If you are using RADIUS authentication, select the administrator user group that has the appropriate RADIUS server as a member.
Select the type of authentication: If you are using RADIUS authentication for this administrator:
• Select RADIUS.
• Select Wildcard if you want all accounts on the RADIUS server to be administrators of this FortiGate unit.
• ...
Table 29: Access profile control of access to Web-based manager pages
Access control: Affected web-based manager pages
Admin Users: System > Admin, System > Admin > FortiManager, System > Admin > Settings
Antivirus Configuration: AntiVirus
Auth Users: User
Firewall Configuration: Firewall...
Table 30: Access profile control of access to CLI commands
Access control: Available CLI commands
Admin Users (admingrp): system admin, system accprofile
Antivirus Configuration (avgrp): antivirus
Auth Users (authgrp): user
Firewall Configuration (fwgrp): firewall. Use the set fwgrp custom, config fwgrp-permission commands to set some firewall permissions individually.
Table 30: Access profile control of access to CLI commands (Continued)
Spamfilter Configuration (spamgrp): spamfilter
System Configuration (sysgrp): system except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface, and zone; execute date, execute ha, execute ping, execute ping-options, execute ping6, execute time, execute traceroute...
Configuring an access profile
Use the admin account or an account with Admin Users read and write access to edit an access profile. Go to System > Admin > Access Profile and select Create New.
Figure 79: Access profile option
Profile Name: Enter the name of the access profile.
FortiManager
Go to System > Admin > FortiManager to configure the FortiGate unit to be managed through a FortiManager server. Communication between the FortiGate unit and the FortiManager server is via an IPSec VPN that is invisibly pre-configured on the FortiGate unit.
Web Administration Ports
HTTP: Enter the TCP port to be used for administrative HTTP access. The default is 80.
HTTPS: Enter the TCP port to be used for administrative HTTPS access. The default is 443.
Telnet Port: Enter the telnet port to be used for administrative access.
Figure 83: Administrators logged in monitor window
Disconnect: Select to disconnect the selected administrators. This is available only if your access profile gives you System Configuration write permission.
Refresh: Select to update the list.
Close: Select to close the window.
check box: Select and then select Disconnect to log off this administrator.
System Maintenance
This section describes how to back up and restore your system configuration and how to configure automatic updates from the FortiGuard Distribution Network. This section includes the following topics:
• Backup and restore
• ...
Figure 84: Backup and restore options
Figure 85: Backup and Restore
Last Backup: The date and time of the last backup to local PC. Backing up to USB does not save the time of backup.
Backup: Back up the current configuration.
Encrypt: Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the configuration file. To back up VPN certificates, encryption must be enabled on the backup file.
CLI commands.
Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
Update status including version numbers, expiry dates, and update dates and times, • Push updates through a NAT device. You must register the FortiGate unit on the Fortinet support web page. To register your FortiGate unit, go to Product Registration and follow the instructions.
FortiGuard-Antispam Service
FortiGuard-Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam.
Figure 89: Support Contract and FortiGuard Subscription Services section
Support Contract: The availability or status of your FortiGate unit support contract. The status displayed can be one of: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS version, expiry date of contract, and Support Level are also displayed.
Select the blue arrow to display or hide this section. Select to send attack details to FSN to improve IPS signature quality. Fortinet recommends that you enable this feature.
AntiVirus and IPS Downloads: Select the blue arrow next to AntiVirus and IPS Downloads to access this section.
Enter a new IP address to connect to the FDN push server. Available only if Allow Push Update and Use override push are enabled.
port: Select a new port to use to connect to the FDN push server. Available only if Use override push and IP address are set.
Use Alternate Port (8888): Select to use port 8888 to communicate with FortiGuard-Antispam servers.
Test Availability: Select to test the connection to the FortiGuard-Antispam server. Results are shown below the button and on the Status indicators.
please click here: Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.
Make sure that the time zone is set correctly for the region in which your FortiGate unit is located. Go to System > Maintenance > FortiGuard Center. Select Refresh. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Type the fully qualified domain name or IP address of a FortiGuard server. Select Apply. The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from grey, the FortiGate unit has successfully connected to the override server.
Push updates when FortiGate IP addresses change
The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface to which the FDN connects. The interface used for push updates is the interface configured in the default route of the static routing table.
Figure 93: Example network: Push updates through a NAT device (figure labels: Server, Internet, NAT Device, Push Updates, Internal Network)
General procedure
Use the following steps to configure the FortiGate unit on the internal network and the NAT device so that the FortiGate unit on the internal network can receive push updates: Register and license the FortiGate unit on the internal network so that it can receive push updates.
Select Use override push IP and enter the IP address of the external interface of the NAT device. Do not change the push update port unless UDP port 9443 is blocked or used by other services on your network. Select Apply.
If your FortiGate unit is model 3000 or higher, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs.
Go to System > Chassis > SMC to view the status of the shelf manager cards (SMCs) installed in the FortiGate-5000 series chassis. The SMC list is the same for the FortiGate-5140 chassis and the FortiGate-5050 chassis. The SMC list shows basic status information about the shelf manager cards in the chassis.
FortiSwitch-5003 module. The slot containing the FortiGate-5000 module that you are connecting to is highlighted in yellow. If the FortiGate-5000 series module that you are connecting to is installed in a FortiGate-5050 chassis, the blades list contains 5 rows. For a FortiGate-5140 chassis the blades list contains 14 rows.
(for example 3.3V) and the actual measured voltage (for example, 3.288V). The acceptable voltage range depends on the sensor. The voltages that are displayed are different for different FortiGate-5000 series modules. For example: For FortiGate-5005FA2 modules: • CPU1 Voltage: 1.1956V •...
Chassis monitoring event log messages
FortiGate-5000 series modules can send the log messages shown in Table 31 when chassis monitoring detects temperatures, voltages, or fan speeds that are outside of normal operating parameters. The messages in...
Router Static
This section explains some general routing concepts, how to define static routes and route policies. A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
How the routing table is built
In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination—the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary.
All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table.
Note: You can display the sequence numbers of static routes in the routing table through the CLI: type config router static, and then type get. The sequence number of a route is equivalent to the edit <ID_integer> value that one enters when defining a static route through the CLI.
When you add a static route to the Static Route list, the FortiGate unit evaluates the information to determine if it represents a different route compared to any other route already present in the FortiGate routing table. If no route having the same destination exists in the routing table, the FortiGate unit adds the route to the routing table.
Figure 99: Making a router the default gateway (figure: Internet, Router 192.168.10.1, FortiGate_1 external interface, Internal network 192.168.20.0/24)
To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
• ...
Figure 100: Destinations on networks behind internal routers (figure: Internet, FortiGate_1 internal interface, Router_1 192.168.10.1 and Router_2 192.168.11.1, Network_1 192.168.20.0/24 and Network_2 192.168.30.0/24)
To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.11.1...
If the FortiGate unit reaches the next-hop router through a different interface (compared to the interface that is currently selected in the Device field), select the name of the interface from the Device field. In the Distance field, optionally adjust the administrative distance value. Select OK.
Policy Route
Whenever a packet arrives at a FortiGate unit interface, the FortiGate unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet.
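The two mechanisms described above, route selection by administrative distance (“How the routing table is built”) and the reverse lookup on the source address (the paragraph just above), as an added Python model that is not from the guide or from FortiOS. The routes use the addresses from Figures 99 and 100 plus one constructed competing route; the interface names, the distance values and the tie-handling for equal distances are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network   # destination prefix
    gateway: str                  # next-hop router; "0.0.0.0" for a directly connected network
    device: str                   # FortiGate interface the route leaves through
    distance: int = 10            # administrative distance; lower is preferred


def route(prefix, gateway, device, distance=10):
    return Route(ipaddress.ip_network(prefix), gateway, device, distance)


# Constructed sample routing table using the addresses of Figures 99 and 100.
# The distance-20 route to Network_2 is an extra competing entry, added here so
# the selection step has something to choose between.
SAMPLE_ROUTES = [
    route("0.0.0.0/0", "192.168.10.1", "external", 10),       # default route via the Internet router
    route("192.168.20.0/24", "0.0.0.0", "internal", 0),        # Figure 99 internal network, directly connected
    route("192.168.30.0/24", "192.168.11.1", "internal", 10),  # Network_2 via Router_2
    route("192.168.30.0/24", "192.168.10.1", "external", 20),  # competing route; loses on distance
]


def build_forwarding_table(routes):
    """Per destination prefix, keep only the routes with the lowest
    administrative distance; routes with equal lowest distance are all kept."""
    best = {}
    for r in routes:
        group = best.get(r.dest)
        if group is None or r.distance < group[0].distance:
            best[r.dest] = [r]
        elif r.distance == group[0].distance:
            group.append(r)
    return [r for group in best.values() for r in group]


def lookup(fwd, ip):
    """Longest-prefix match: the most specific installed route covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in fwd if addr in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen, default=None)


def reverse_path_ok(fwd, src_ip, ingress):
    """The reverse lookup described under Policy Route: the packet is accepted
    only if the route back to its source address leaves through the interface
    the packet arrived on; otherwise it is dropped."""
    r = lookup(fwd, src_ip)
    return r is not None and r.device == ingress


if __name__ == "__main__":
    fwd = build_forwarding_table(SAMPLE_ROUTES)
    for r in fwd:
        print(f"{r.dest!s:18} via {r.gateway:14} dev {r.device:9} distance {r.distance}")
    # A packet claiming to come from Network_2 but arriving on external fails the check.
    print(reverse_path_ok(fwd, "192.168.30.7", "internal"), reverse_path_ok(fwd, "192.168.30.7", "external"))
```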
Source: The IP source addresses and network masks that cause policy routing to occur.
Destination: The IP destination addresses and network masks that cause policy routing to occur.
Delete icon: Select to delete a policy route.
Edit icon: Select to edit a policy route.
Outgoing Interface: Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by neighboring routers. The FortiGate unit supports these dynamic routing protocols:
• ...
How RIP works
When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table.
Figure 105: Basic RIP settings (figure callouts: Delete, Edit)
RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks:
• Select 1 to send and receive RIP version 1 packets.
• ...
Figure 106: Advanced Options (RIP)
Default Metric: Enter the default hop count that the FortiGate unit should assign to routes that are added to the Fortinet routing table. The range is from 1 to 16. This value also applies to Redistribute unless otherwise specified.
RIP interface options enable you to override the global RIP settings that apply to all Fortinet interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can enable the interface to operate passively.
OSPF Router Dynamic Figure 107 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different. Interface Select the name of the FortiGate interface to which these settings apply.
OSPF

OSPF-enabled routers generate link-state advertisements and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, link-state advertisements between OSPF neighbors do not occur. A Link-State Advertisement (LSA) identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination.

If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces. Select the OSPF operating parameters for the interface. See “Selecting operating parameters for an OSPF interface” on page 201. Repeat Steps 6 and 7 if required for additional OSPF-enabled interfaces. Optionally select advanced OSPF options for the OSPF AS.
Area: The unique 32-bit identifiers of areas in the AS, in dotted decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.
Type: The types of areas in the AS:
•...

Selecting advanced OSPF options

Advanced OSPF options let you specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the FortiGate unit to advertise those routes on OSPF-enabled interfaces.

Defining OSPF areas

An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in dotted decimal notation. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS in one of three ways:
•...

Area: Type a 32-bit identifier for the area. The value must resemble an IP address in dotted decimal notation. Once the OSPF area has been created, the area ID value cannot be changed.
Type: Select an area type to classify the characteristics of the network that will be assigned to the area:
•...

Selecting operating parameters for an OSPF interface

An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, external or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets.
Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.

BGP updates advertise the best path to a destination network. When the FortiGate unit receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate routing table. BGP has the capability to gracefully restart.

Networks: The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.
IP/Netmask: Enter the IP address and netmask of the network to be advertised.
Multicast

To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based manager offers a simplified user interface to configure basic PIM options. Advanced PIM options can be configured through the CLI. For more information, see the “router”...

Overriding the multicast settings on an interface

Multicast (PIM) interface options enable you to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface.

Router Monitor

This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table. The following topics are included in this section:
• Displaying routing information
• Searching the FortiGate routing table

Displaying routing information

By default, all routes are displayed in the Routing Monitor list.
Type: Select one of these route types to search the routing table and display routes of the selected type only:
• All displays all routes recorded in the routing table.
• Connected displays all routes associated with direct connections to FortiGate interfaces.

Metric: The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table:
• Hop count is used for routes learned through RIP.
•...
FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102
Firewall Policy

Firewall policies control all traffic passing through the FortiGate unit. Add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces. The following topics are included in this section:
•...

How policy matching works

When the FortiGate unit receives a connection attempt at an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt.

Viewing the firewall policy list

Figure 117: Sample policy list

The policy list displays the following information by default:
Create New: Select to add a firewall policy. See “Adding a firewall policy” on page 215.

Configure the policy. For information about configuring policies, see “Configuring firewall policies” on page 216. Select OK. Arrange policies in the policy list so they have the expected results. For information about arranging policies in a policy list, see “How policy matching works”...
You can also add IPSec encryption policies to enable IPSec tunnel mode VPN traffic and SSL VPN encryption policies to enable SSL VPN traffic. Firewall encryption policies determine which types of IP traffic will be permitted during an IPSec or SSL VPN session.
Figure 121: Policy options - DENY policy

Figure 122: Policy options - FortiClient check

The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled.

You can use the remaining firewall policy options (NAT, Protection Profile, Log Allowed Traffic, Log Violation Traffic, Authentication, and Traffic shaping) to set additional features. Log Violation Traffic can be applied to policies that deny traffic.
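An added example (not Fortinet code) of the first-match search described under “How policy matching works”: the interface pair selects the policy list, and that list is walked top-down checking address, schedule and service. All policies, addresses, schedules and sessions are constructed sample data.

```python
"""Added example (not Fortinet code): first-match search over a firewall policy
list. All policies, addresses, schedules and sessions are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Schedule:
    """Recurring schedule: weekdays (0 = Monday) and a start/stop time in minutes."""
    days: frozenset = frozenset(range(7))
    start: int = 0             # minutes after midnight, inclusive
    stop: int = 24 * 60        # exclusive

    def active(self, when):
        minute = when.hour * 60 + when.minute
        return when.weekday() in self.days and self.start <= minute < self.stop


ALWAYS = Schedule()
BUSINESS_HOURS = Schedule(frozenset(range(5)), 8 * 60, 18 * 60)


@dataclass(frozen=True)
class Service:
    proto: str                 # "tcp", "udp" or "any"
    low: int = 1               # inclusive destination port range
    high: int = 65535

    def matches(self, proto, dport):
        return self.proto in ("any", proto) and self.low <= dport <= self.high


HTTP, HTTPS, FTP = Service("tcp", 80, 80), Service("tcp", 443, 443), Service("tcp", 21, 21)


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str              # CIDR; 0.0.0.0/0 plays the role of the "all" address
    dst_addr: str
    schedule: Schedule
    services: tuple
    action: str                # "ACCEPT" or "DENY"


def _in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def lookup(policies, src_intf, dst_intf, src_ip, dst_ip, proto, dport, when_iso):
    """Return the first policy matching the session, or None if no policy matches."""
    when = datetime.fromisoformat(when_iso)
    # The source and destination interfaces select the policy list to search.
    candidates = [p for p in policies if (p.src_intf, p.dst_intf) == (src_intf, dst_intf)]
    # That list is searched top-down; address, schedule and service must all match.
    for p in candidates:
        if not (_in_net(src_ip, p.src_addr) and _in_net(dst_ip, p.dst_addr)):
            continue
        if not p.schedule.active(when):
            continue
        if not any(s.matches(proto, dport) for s in p.services):
            continue
        return p
    return None


# Constructed internal -> wan1 policy list; the specific DENY sits above the general ACCEPT.
POLICIES = [
    Policy("block_guest_ftp", "internal", "wan1", "192.168.1.128/25", "0.0.0.0/0", ALWAYS, (FTP,), "DENY"),
    Policy("office_web", "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0", BUSINESS_HOURS, (HTTP, HTTPS), "ACCEPT"),
    Policy("office_ftp", "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0", ALWAYS, (FTP,), "ACCEPT"),
]

if __name__ == "__main__":
    hit = lookup(POLICIES, "internal", "wan1", "192.168.1.200", "203.0.113.10", "tcp", 21, "2007-01-02T10:00:00")
    print(hit.name, hit.action)                       # block_guest_ftp DENY
    # Moving the general ACCEPT above the DENY changes the result for the same
    # session, which is why the order of policies in the list matters.
    hit = lookup(list(reversed(POLICIES)), "internal", "wan1", "192.168.1.200", "203.0.113.10", "tcp", 21, "2007-01-02T10:00:00")
    print(hit.name, hit.action)                       # office_ftp ACCEPT
```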
Schedule: Select a one-time or recurring schedule that controls when the policy is available to be matched with communication sessions. Schedules can be created in advance by going to Firewall > Schedule. See “Firewall Schedule” on page 247.
Dynamic IP Pool: Select to translate the source address to an address randomly selected from an IP Pool. An IP Pool can be a single IP address or an IP address range. An IP pool list appears if IP Pool addresses have been added to the destination interface.

Traffic Shaping: Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy.
Note:
• Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
Note: To allow the FortiGate unit to authenticate with an Active Directory server, the Fortinet Server Authentication Extensions (FSAE) must be installed on the Active Directory Domain Controller. FSAE is available from Fortinet Technical Support. For users to authenticate using other services (for example POP3 or IMAP), create a service group that includes the services for which to require authentication, as well as HTTP, Telnet, and FTP.
The bandwidth available for traffic controlled by a policy is used for both the control and data sessions and is used for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal to external FTP policy, and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy.
Traffic shaping applied to a firewall policy is enforced for traffic flowing in either direction. Therefore a session set up by an internal host to an external one, via an Internal -> External policy, has traffic shaping applied even if the data stream then flows from external to internal.

Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.

IPSec firewall policy options

When Action is set to IPSEC, the following options are available:

Figure 124: IPSEC encryption policy

VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration.

SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Check FortiClient Installed and Running: Select to check that the source host is running FortiClient Host Security software. Enable the following reasons to deny access as needed:
• FortiClient is Not Installed
• FortiClient is Not Licensed
•...
Firewall policy examples

Figure 127: Example SOHO network before FortiGate installation

Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam.
Select OK.

Select Create New and enter or select the following settings for Home_User_2:
Interface / Zone: Source: internal; Destination: wan1
Address Name: Source: Destination: All CompanyA_network
Schedule: Always
Service:
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound
Allow outbound
Inbound NAT...

Scenario two: enterprise sized business

Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet but none are linked with each other by dedicated connections.
A few users may need special web and catalog server access to update information on those servers, depending on how they’re configured. Special access can be allowed based on IP address or user. The proposed topology has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ.
Firewall Address

Add, edit, and delete firewall addresses as required. Firewall addresses are added to the source and destination address fields of firewall policies. Firewall addresses are added to firewall policies to match the source or destination IP addresses of packets that are received by the FortiGate unit.

• <host_name>.<second_level_domain_name>.<top_level_domain_name>
• <host_name>.<top_level_domain_name>

An FQDN can be:
• www.fortinet.com
• example.com

Viewing the firewall address list

If virtual domains are enabled on the FortiGate unit, addresses are configured separately for each virtual domain. To access addresses, select a virtual domain from the list in the main menu.

Configuring addresses

Addresses can also be created or edited during firewall policy configuration from the firewall policy window. One FQDN may be mapped to multiple machines for load balancing and HA. A single FQDN firewall policy can be created in which the FortiGate unit automatically resolves and maintains a record of all addresses to which the FQDN resolves.

Figure 133: Sample address group list

The address group list has the following icons and features:
Create New: Select to add an address group.
Group Name: The name of the address group.
Members: The addresses in the address group.
Delete icon: Select to remove the group from the list.
Firewall Service

Use services to determine the types of communication accepted or denied by the firewall. Add any of the predefined services to a policy. Create custom services for each virtual domain and add services to service groups. The following topics are included in this section:
•...
Viewing the predefined service list

Table 32 lists the FortiGate predefined firewall services. Add these services to any policy.

Table 32: FortiGate predefined services (columns: Service name, Description, Protocol, Port)
AH: Authentication Header. AH provides source host authentication and data integrity, but not secrecy.
Table 32: FortiGate predefined services (continued)
ICMP_ANY: Internet Control Message Protocol is a message control and error-reporting protocol between a host and gateway (Internet). Protocol: ICMP.
IKE: IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC.
Table 32: FortiGate predefined services (continued)
RLOGIN: Rlogin service for remotely logging into a server.
SAMBA: Samba allows Microsoft Windows clients to utilize file and print services from TCP/IP-enabled hosts.

Viewing the custom service list

If virtual domains are enabled on the FortiGate unit, custom services are configured separately for each virtual domain. To access custom services, select a virtual domain from the list in the main menu. Add a custom service to create a policy for a service that is not in the predefined service list.
Configuring custom services

Name: Enter a name for the custom service.
Protocol Type: Select the protocol type of the custom service: TCP/UDP.
Protocol: Select TCP or UDP as the protocol of the port range being added.
Source Port: Specify the Source Port number range for the service by entering the low and high port numbers.

Viewing the service group list

If virtual domains are enabled on the FortiGate unit, service groups are created separately for each virtual domain. To access service groups, select a virtual domain from the list in the main menu. To make it easier to add policies, create groups of services and then add one policy to allow or block access for all the services in the group.
Firewall Schedule

This section describes how to use schedules to control when policies are active or inactive. You can create one-time schedules or recurring schedules. One-time schedules are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly.

Configuring one-time schedules

One-time schedules can be created during firewall policy configuration by selecting Create New from the Schedule dropdown list. To add a one-time schedule, go to Firewall > Schedule > One-time.

Figure 143: New One-time Schedule

Name: Enter the name to identify the one-time schedule.

Stop: The stop time of the recurring schedule.
Delete icon: Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy.
Edit icon: Select to edit the schedule.

Firewall Virtual IP

This section describes FortiGate Virtual IPs and IP Pools and how to configure and use them in firewall policies. The following topics are included in this section:
• Virtual IPs
• Viewing the virtual IP list
•...
The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to 10.10.10.42 so the packets’...
If the NAT check box is not selected when building the firewall policy, the resulting policy will perform destination network address translation (DNAT). DNAT accepts packets from an external network that are intended for a specific destination IP address, translates the destination address of the packets to a mapped IP address on another hidden network, and then forwards the packets through the FortiGate unit to the hidden destination network.
Static NAT

Static NAT virtual IPs map an external IP address or IP address range on a source network to a mapped IP address or IP address range on a destination network. Static NAT virtual IPs use one-to-one mapping. A single external IP address is mapped to a single mapped IP address.

Viewing the virtual IP list

To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.

Figure 149: Virtual IP list

The virtual IP list has the following icons and features:
Create New: Select to add a virtual IP.

Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network.

Figure 150: Static NAT virtual IP for a single IP address example

To add a static NAT virtual IP for a single IP address
Go to Firewall > Virtual IP > Virtual IP.
Select Create New.

To add a static NAT virtual IP for a single IP address to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the external interface to the dmz1 interface.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.

Adding static NAT port forwarding for a single IP address and a single port

The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit.

Figure 155: Virtual IP options; Static NAT port forwarding virtual IP for a single IP address and a single port

Select OK.

To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass...
Figure 156: Static NAT virtual IP port forwarding for an IP address range and a port range example

To add static NAT virtual IP port forwarding for an IP address range and a port range
Go to Firewall >...

To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface.
Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.

Service: HTTP
Action: ACCEPT
Select NAT.
Select OK.

Adding a load balance port forwarding virtual IP

Connections to 192.168.37.4 on the Internet are mapped to 10.10.10.42 through 10.10.10.44 on a private network. The IP address mapping is determined by the FortiGate unit’s load balancing algorithm.

Real Servers: If you select Server Load Balancing for the VIP type, enter the real server IP addresses. For details about real server settings, see “Configuring virtual IPs” on page 255.
Port Forwarding: Selected
Protocol
External Service Port: The ports that traffic from the Internet will use.
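The three virtual IP forms described in this section (plain static NAT, static NAT port forwarding for a single port and for an address and port range, and load balance port forwarding) as one added example of the destination translation they perform. This is not Fortinet code: only the 192.168.37.4:80 to 10.10.10.42:8000 mapping comes from the page, the other entries are constructed, and the round-robin choice of real server is an assumption because the page does not state the unit's algorithm.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class VirtualIP:
    """One virtual IP entry. external_ip is the first (or only) external address;
    mapped_ips holds the mapped address(es) on the hidden network."""
    name: str
    external_ip: str
    mapped_ips: tuple
    external_ports: tuple = None   # (low, high) inclusive, or None for no port forwarding
    mapped_port: int = None        # low end of the mapped port range
    load_balance: bool = False     # True: one external IP spread over all mapped_ips
    _rr: object = field(default=None, repr=False, compare=False)

    def __post_init__(self):
        # Assumption: plain round-robin over the real servers; the page does not
        # say which algorithm the FortiGate unit uses.
        self._rr = cycle(self.mapped_ips)

    def external_range(self):
        """Static NAT is one-to-one, so the external range has the same size as the
        mapped range and starts at external_ip (the unit calculates it the same way)."""
        first = ipaddress.ip_address(self.external_ip)
        return [first + i for i in range(len(self.mapped_ips))]


def translate(vips, dst_ip, dst_port):
    """Apply the first VIP matching a packet's destination and return the
    (mapped_ip, mapped_port) it is forwarded to, or None if no VIP applies."""
    dst = ipaddress.ip_address(dst_ip)
    for vip in vips:
        if vip.load_balance:
            if dst != ipaddress.ip_address(vip.external_ip):
                continue
            target = next(vip._rr)
        else:
            ext = vip.external_range()
            if dst not in ext:
                continue
            target = vip.mapped_ips[ext.index(dst)]   # one-to-one by position
        if vip.external_ports is None:
            return str(target), dst_port               # plain static NAT keeps the port
        low, high = vip.external_ports
        if not low <= dst_port <= high:
            continue                                   # IP matches but the port is not forwarded
        return str(target), vip.mapped_port + (dst_port - low)
    return None


# Constructed VIP table (only the second entry's values are taken from the page).
VIPS = [
    VirtualIP("web_static", "192.168.37.3", ("10.10.10.41",)),
    VirtualIP("web_pf", "192.168.37.4", ("10.10.10.42",), (80, 80), 8000),
    VirtualIP("web_range_pf", "192.168.37.10", ("10.10.10.50", "10.10.10.51", "10.10.10.52"),
              (8080, 8082), 8000),
    VirtualIP("web_lb", "192.168.37.5", ("10.10.10.42", "10.10.10.43", "10.10.10.44"),
              (80, 80), 80, load_balance=True),
]

if __name__ == "__main__":
    print(translate(VIPS, "192.168.37.4", 80))      # ('10.10.10.42', 8000)
    print(translate(VIPS, "192.168.37.11", 8081))   # ('10.10.10.51', 8001)
    print([str(ip) for ip in VIPS[2].external_range()])
```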
Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded.

Configuring VIP groups

To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create new. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit.

IP pools

Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added.

Viewing the IP pool list

If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. IP pools are not available in Transparent mode. To view the IP pool list go to Firewall >...

Firewall Protection Profile

This section describes how to add protection profiles to NAT/Route mode and Transparent mode policies. The following topics are included in this section:
• What is a protection profile
•...

Default protection profiles

The FortiGate unit is preconfigured with four protection profiles.
Strict: Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances but it is available when maximum protection is required.
Configuring a protection profile

Figure 165: New Protection Profile

Profile Name: Enter a name for the protection profile.
Comments: If required, enter a description of the profile.
AntiVirus: “Antivirus options” on page 273.
Web Filtering: “Web filtering options” on page 275.
Quarantine (log disk required): Enable or disable quarantine for each protocol. Quarantine suspect files to view them or submit files to Fortinet for analysis. The quarantine option is not displayed in the protection profile if the FortiGate does not have a hard drive or a configured FortiAnalyzer unit.

Web filtering options

Figure 167: Protection profile web filtering options

The following options are available for web filtering through the protection profile.
Web Content Block: Enable or disable web page blocking for HTTP traffic based on the content block patterns in the content block list.

FortiGuard-Web filtering options

Figure 168: Protection profile FortiGuard-Web web filtering options

The following options are available for web category filtering through the protection profile.
Enable FortiGuard-Web Filtering: Enable FortiGuard-Web™ category blocking.
Enable FortiGuard-Web: Enable category overrides. When selected, a list of groups is displayed.

Rate URLs by domain and IP address: When enabled, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
The following options are available for spam filtering through the protection profile.
FortiGuard-Antispam IP address check: Enable or disable the FortiGuard-Antispam™ IP address blacklist filtering. FortiGuard-Antispam extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam server to see if this IP address matches the list of known spammers.

Spam Action: Action the spam filter will take. Tagged allows you to append a custom tag to the subject or header of email identified as spam. For SMTP, if you have virus scan or streaming mode (also known as splice) enabled, you will only be able to discard spam email.

Note: NNTP and file archiving options cannot be selected. Support will be added in the future.

The following options are available for content archive through the protection profile.
Display content meta-information: Enable to have meta-information for each type of traffic displayed in the Statistics section of the FortiGate status page.

Block Login: Enable to prevent instant message users from logging in to AIM, ICQ, MSN, Yahoo, and SIMPLE services.
Block File Transfers: Enable to block file transfers for AIM, ICQ, MSN, and Yahoo protocols.

Web Filtering:
Content Block: Enable logging of content blocking.
URL Block: Enable logging of blocked and exempted URLs.
ActiveX Filter: Enable logging of blocked ActiveX.
Cookie Filter: Enable logging of blocked cookies.
Java Applet Filter: Enable logging of blocked Java Applets.

Select protection profile. Select a protection profile from the list. Configure the remaining policy settings, if required. Select OK. Repeat this procedure for any policies for which to enable network protection.

Protection profile CLI configuration

Use the config firewall profile CLI command to add, edit or delete protection profiles.
VPN IPSEC

This section provides information about policy-based (tunnel-mode) and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager. FortiGate units implement the Encapsulated Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network.
You can create the equivalent of a tunnel-mode concentrator in any of the following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. For dialup, the same interface can be both source and destination.

Auto Key

Two VPN peers (or a FortiGate dialup server and a VPN client) can be configured to generate unique Internet Key Exchange (IKE) keys automatically during the IPSec phase 1 and phase 2 exchanges. To configure the FortiGate unit to generate unique keys automatically in phase 1 and phase 2, go to VPN >...
• whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made

To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1.
Mode: Select Main or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

Accept this peer certificate only: Authenticate remote peers or dialup clients using a security certificate. Select the certificate from the list adjacent to the option. You must add peer certificates to the FortiGate configuration through the User > PKI page before you can select them here. For more information, see PKI Certificates.
Enable IPSec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. This is not available in Transparent mode.
Local Gateway IP: If you selected Enable IPSec Interface Mode, you need to specify an IP address for the local end of the VPN tunnel.

Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange. If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for...

Figure 178: New Phase 2

Name: Type a name to identify the phase 2 configuration.
Phase 1: Select the phase 1 tunnel configuration. See “Creating a new phase 1 configuration” on page 287. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
P2 Proposal: Select the encryption and authentication algorithms that will be used to change data into encrypted code. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.

Quick Mode Selector: Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, the default value 0.0.0.0/0 should be kept unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN.

VPN Tunnel: Select the tunnel that provides access to the private network behind the FortiGate unit.
Inbound NAT: Enable
Configure other settings as required.

Route-based VPN Internet browsing configuration

Configure an additional firewall policy as follows:
Source Interface/Zone: Select the IPSec interface.

Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons: Delete or edit a manual key configuration.

Creating a new manual key configuration

If one of the VPN devices uses specific authentication and/or encryption keys to establish a tunnel, both VPN devices must be configured to use identical authentication and/or encryption keys.
Remote Gateway: Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.
Local Interface: This option is available in NAT/Route mode only. Select the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound.
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, VPN tunnels between any two of the remote peers can be established through the FortiGate unit “hub”.
Concentrator Name: Type a name for the concentrator.
Available Tunnels: A list of defined IPSec VPN tunnels. Select a tunnel from the list and then select the right-pointing arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.
Proxy ID Source: The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
VPN PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102...
VPN SSL
This section provides information about the features of the VPN > SSL page in the web-based manager. The SSL VPN feature is supported on FortiGate units that run in NAT/Route mode only.
Note: For detailed instructions about how to configure web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide.
Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect.
Require Client Certificate: If you want to enable the use of group certificates for authenticating remote clients, select the option.
Monitor
You can display a list of all active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time that the connection was made. The list also identifies which services are being provided. To view the list of active SSL VPN sessions, go to VPN >...
VPN Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Refer to this module to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. For additional background information, see the FortiGate Certificate Management User...
View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates. See Figure 189.
Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate can be deleted.
Figure 190: Generate Certificate Signing Request
Certification Name: Type a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Key Type: Only RSA is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.
Enrollment Method:
File Based: Select File Based to generate the certificate request.
Online SCEP: Select Online SCEP to obtain a signed SCEP-based certificate automatically over the network.
Importing a signed server certificate
Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. To install the signed server certificate, go to VPN >...
Importing separate server certificate and private key files
Use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.
Import: Import a public OCSP certificate. See “Importing CA certificates” on page 316.
Name: The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.
Figure 196: CA Certificates list
Icons: View Certificate Detail, Download
Import: Import a CA root certificate. See “Importing CA certificates” on page 316.
Name: The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. Installed CRLs are displayed in the CRL list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid.
Figure 200: Import CRL
HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP: Select to use an LDAP server to retrieve the CRL. Select the LDAP server from the drop-down list.
SCEP: Select to use an SCEP server to retrieve the CRL.
“Configuring a Windows AD server” on page 327. Users authenticated by an Active Directory server do not need local user accounts on the FortiGate unit. You must install the Fortinet Server Authentication Extensions (FSAE) on your Windows network. To use certificate-based authentication for administrative access (HTTPS GUI), IPSec, SSL-VPN, and web-based authentication, configure using User >...
Setting authentication timeout
Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again.
To set authentication timeout
Go to User > Authentication > Authentication. In Authentication Timeout, type a number, in minutes. The default authentication timeout is 30 minutes.
Local user accounts
Go to User > Local to add local user accounts and configure authentication.
Figure 203: Local user list
Create New: Add a new local user account.
User Name: The local user name.
Type: The authentication type to use for this user.
Delete icon: Delete the user.
RADIUS servers
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit.
LDAP servers
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password.
X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organizational unit and dc is domain component. You can also specify multiple instances of the same field in the...
Figure 209: LDAP server Distinguished Name Query tree
PKI authentication
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library that takes a list of ‘peers’, ‘peer’ groups, and/or user groups and returns authentication ‘successful’ or ‘denied’ notifications. Users only need a valid certificate for successful authentication; no user name or password is necessary.
On networks that use Windows Active Directory (AD) servers for authentication, FortiGate units can transparently authenticate users without asking them for their user name and password. You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Windows AD server.
Configuring a Windows AD server
Go to User > Windows AD and select Create New or the Edit icon of an existing Windows AD server.
Figure 213: Windows AD server configuration
Name: Type or edit the name of the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication. See “Adding authentication to firewall policies” on page 222.
• SSL VPNs on the FortiGate unit. See “SSL-VPN firewall policy options” on page 226.
On a Microsoft Windows network, the FortiGate unit can allow access to members of Active Directory server user groups who have been authenticated on the Windows network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
Protection Profile: The protection profile associated with this user group.
Delete icon: Delete the user group.
Note: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
FortiGuard Web Filtering Override: Available only if Type is Firewall. Configure Web Filtering override capabilities for this group. See “Configuring FortiGuard override options for a user group” on page 331.
SSL-VPN User Group Options: Available only if Type is SSL-VPN. For detailed instructions about how to configure web-only mode or tunnel mode operation, see the...
Off-site URLs: Select from the drop-down list whether the user can follow links to sites off of the blocked site:
Allow: User can follow links to other sites.
Deny: User can follow links only to destinations as defined by Override Type.
Check FortiClient AV Installed and Running: Select to allow the client to connect only if it is running FortiClient Host Security AV software. For information about this software, see the Fortinet Technical Documentation web site.
Check FortiClient FW Installed and Running: Select to allow the client to connect only if it is running FortiClient Host Security FW software.
Table 33: AV/Firewall supported product detection
Products listed (Product / Firewall columns): Norton Internet Security 2006, Trend Micro PC-cillin, McAfee, Sophos Anti-Virus, Panda Platinum 2006 Internet Security, F-Secure, Secure Resolutions, Cat Computer Services, AhnLab, Kaspersky, ZoneAlarm.
Configuring peers and peer groups
You can define peers and peer groups used for authentication in some VPN configurations and for PKI certificate authentication.
AntiVirus
This section describes how to configure the antivirus options associated with firewall protection profiles. The following topics are included in this section:
• Order of operations
• Antivirus elements
• Antivirus settings and controls
• File pattern
•...
If the file is passed by the file pattern it will have a virus scan applied to it. The virus definitions are kept up to date through the Fortinet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade.
protocol.
Quarantine: View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit.
File pattern
Configure file patterns to block all files that are a potential threat and to prevent active computer virus attacks. Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content.
Creating a new file pattern list
To add a file pattern list to the file pattern list catalog, go to AntiVirus > File Pattern and select Create New.
Figure 219: New File Pattern List dialog box
Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.
Using the allow action, this behavior can be reversed with all files being blocked unless explicitly passed. Simply enter all the file patterns to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. FortiGate units without a local disk can quarantine blocked and infected files to a FortiAnalyzer unit.
The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
Delete icon: Select to remove the file from the list.
Figure 224: New File Pattern dialog box
File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable: Select to enable the file pattern.
Note: To enable automatic uploading of the configured file patterns, go to AntiVirus >...
Figure 226: Quarantine Configuration (FortiAnalyzer from FortiGate with local disk)
Figure 227: Quarantine Configuration (FortiAnalyzer from FortiGate with no local disk)
Note: NNTP options cannot be selected. Support will be added in the future.
Quarantine configuration has the following options:
Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Enable AutoSubmit: Enables the AutoSubmit feature. Select one or both of the options below.
Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
Use file status: Enables the automatic upload of quarantined files based on their status.
Viewing the grayware list
Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends. The FortiGate unit scans for known grayware executable programs in each enabled category.
CPUs, making scanning faster. This feature is available on models numbered 1000 and higher. For more information, see the Antivirus failopen and optimization Fortinet Knowledge Center article.
Antivirus CLI configuration
config antivirus heuristic
The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures. FortiGuard services are a valuable customer resource and include automatic updates of virus and IPS (attack) engines and definitions through the FortiGuard Distribution Network (FDN).
Create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures. Whenever the IPS detects or prevents an attack, it generates an attack message. Configure the FortiGate unit to add the message to the attack log and send an alert email to administrators.
administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings. In addition, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.
Drop: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The firewall session is not touched. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Reset: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet.
Table 36: Actions to select for each predefined signature (Continued)
Reset Server: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the server and drops the firewall session from the firewall session table.
For example, if you have a FortiGate unit that is controlling computers that only have access to an internal database and do not have access to the internet or email, there is no point having the FortiGate unit scanning for certain types of signatures such as email, IM, and P2P.
View custom signatures with severity: Select filters then select Go to view only those custom signatures that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical.
Create New: Select to create a new custom signature.
Name: Enter a name for the custom signature.
Signature: Enter the custom signature. For more information about custom signature syntax, see “Custom signature syntax” in the FortiGate Intrusion Protection System (IPS) Guide.
Action: Select an action from the list. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session.
Upgrading IPS protocol decoder list
IPS protocol decoders are included in the IPS upgrade package available through the FortiGuard Distribution Network (FDN). There is no need to wait for firmware upgrades. The IPS upgrade package will keep the IPS decoder list up to date with new threats such as the latest versions of existing IM/P2P applications as well as new applications.
Viewing the traffic anomaly list
To view the anomaly list, go to Intrusion Protection > Anomaly.
Figure 235: A portion of the traffic anomaly list
View traffic: Select filters then select Go to view only those anomalies that match the filter criteria.
Action: Select an action from the dropdown list: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session. See Table 36 for descriptions of the actions.
Severity: Select a severity level from the dropdown list: Information, Low, Medium, High, or Critical.
Web Filter
The three main sections of the web filtering function, the Web Filter Content Block, the URL Filter, and the FortiGuard Web filter, interact with each other in such a way as to provide maximum control and protection for the Internet users. This section contains the following topics:
•...
276. Rating corrections as well as suggesting ratings for new pages can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The following tables compare web filtering options in protection profiles and the web filter menu.
Table 38: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering options: Web URL Filter. Enable or disable web page filtering for HTTP traffic based on the URL filter list.
Web Filter setting: Web Filter > URL Filter. Add URLs and URL patterns to exempt...
To access protection profile web filter options
Go to Firewall > Protection Profile. Select edit or Create New. Select Web Filtering or Web Category Filtering.
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally.
Creating a new web content block list
To add a web content block list to the web content block list catalog
Go to Web Filter > Content Block. Select Create New.
Figure 238: New Web Content Block list dialog box
Name: Enter the name of the new list.
Page down icon: Select to view the next page.
Remove All Entries icon: Select to clear the table.
Banned word: The current list of patterns. Select the check box to enable all the patterns in the list.
Pattern type: The pattern type used in the pattern list entry.
Viewing the web content exempt list catalog
You can add multiple web content exempt lists and then select the best web content exempt list for each protection profile.
To view the web content block list catalog
•...
Viewing the web content exempt list
Web content exempt allows overriding of the web content block feature. If any patterns defined in the web content exempt list appear on a web page, the page will not be blocked even if the web content block feature would otherwise block it.
To view the web content exempt list
Go to Web Filter >...
Configuring the web content exempt list
Web content patterns can be one word or a text string up to 80 characters long. The maximum number of banned words in the list is 5000.
To add or edit a content block pattern
Go to Web Filter >...
To view any individual URL filter list
Go to Web Filter > URL Filter. Select the edit icon for the list you want to see.
Figure 245: Sample URL filter list catalog
The URL filter list catalog has the following icons and features:
To add a new list to the catalog, enter a name and select Add.
To view the URL filter list
Go to Web Filter > URL Filter. Select the edit icon of the URL filter list you want to view.
Figure 247: URL filter list
The URL filter list has the following icons and features:
Name: URL filter list name.
Type in a URL or IP address. Select the type of expression. Select the action to be taken. Select the Enable check box. Select OK.
Figure 248: New URL Filter
Enter the URL. Do not include http://
Type: Select a type from the dropdown list: Simple or Regex (regular expression).
FortiGuard - Web Filter FortiGuard-Web is a managed web filtering solution provided by Fortinet. FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard-Web Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface.
Configuring FortiGuard-Web filtering
To configure the FortiGuard-Web service
• Go to System > Maintenance > FortiGuard Center. For additional information, see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 162.
Viewing the override list
Users may require access to web sites that are blocked by a policy.
Configuring override rules
Override rules can be configured to allow access to blocked web sites based on directory, domain name, or category.
To create an override rule for a directory or domain
Go to Web Filter > FortiGuard-Web Filter > Override. Select Create New.
Figure 252: New Override Rule - Categories
Type: Select Categories.
Categories: Select the categories to which the override applies. A category group or a subcategory can be selected. Local categories are also displayed.
Classifications: Select the classifications to which the override applies. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
Creating local categories
User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a protection profile. Users can rate URLs based on the local categories.
Figure 255: Category Filter
Clear Filter: Select to remove all filters.
Category Name: Select the blue arrow to expand the category.
Enable Filter: Select to enable the filter for the category or the individual sub-category.
Figure 256: New Local Rating
Enter the URL to be rated.
Category Name: Select the blue arrow to expand the category.
Enable Filter: Select to enable the filter for the category or the individual sub-category.
Figure 257: Sample FortiGuard Web Filtering report
The following table describes the options for generating reports:
Profile: Select the protection profile for which to generate a report.
Report Type: Select the time frame for the report. Choose from hour, day, or all historical statistics.
FortiGuard-Antispam is one of the features designed to manage spam. FortiGuard is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The FortiGuard Center accepts submission of spam email messages as well as reports of false positives.
Protection Profile spam filtering options: IP address FortiGuard-Antispam check. Enable or disable Fortinet’s antispam service called FortiGuard-Antispam. FortiGuard-Antispam is Fortinet’s own DNSBL server...
AntiSpam setting: System > Maintenance > FortiGuard Centre. Enable FortiGuard-Antispam, check the status of the FortiGuard-Antispam server, ...
Table 41: AntiSpam and Protection Profile spam filtering configuration (Continued)
Protection Profile spam filtering options / AntiSpam setting
Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address the email is marked as spam and the action selected in the protection profile is taken.
To access protection profile Antispam options go to Firewall > Protection Profile, edit or Create New, Spam Filtering.
Note: If virtual domains are enabled on the FortiGate unit, spam filtering features are configured globally. To access these features, select Global Configuration on the main menu.
Creating a new antispam banned word list
To add an antispam banned word list to the antispam banned word list catalog, go to AntiSpam > Banned Word and select Create New.
Figure 259: New AntiSpam Banned Word list dialog box
Name: Enter the name of the new list.
Pattern Type: The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see “Using Perl regular expressions” on page 393.
Language: The character set to which the banned word belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Black/White List
The FortiGate unit uses both an IP address list and an email address list to filter incoming email, if enabled in the protection profile. When doing an IP address list check, the FortiGate unit compares the IP address of the message’s sender to the IP address list in sequence.
Creating a new antispam IP address list
To add an antispam IP address list to the antispam IP address list catalog, go to AntiSpam > Black/White List and select Create New.
Figure 263: New AntiSpam IP Address list dialog box
Name: Enter the name of the new list.
Action: The action to take on email from the configured IP address. Actions are:
• Mark as Spam to apply the configured spam action,
• Mark as Clear to bypass this and remaining spam filters, or
• Mark as Reject (SMTP only) to drop the session.
The antispam email address list catalog has the following icons and features:
To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name: The available antispam email address lists.
# Entries: The number of entries in each antispam email address list.
Figure 268: Sample email address list
The antispam email address list has the following icons and features:
Name: Antispam email address list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit comment, enter text in comment field and select OK.
E-Mail Address: Enter the email address.
Pattern Type: Select a pattern type: Wildcard or Regular Expression. For more information, see “Using Perl regular expressions” on page 393.
Insert: Select the location in the list to insert the email address.
Action: Select an action:
•...
‘?’ character in wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.
To match a special character such as '.' and ‘*’ use the escape character ‘\’. For example:
•...
• forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be fort.*\.com.
Table 42: Perl regular expression formats (Continued)
100\s*mk: The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b: “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B: “perl”...
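The wildcard-to-regular-expression pitfall described above, as an added example that is not part of the original guide. It assumes Python's re module stands in for the FortiGate unit's Perl-style matcher, that patterns are matched anywhere in the address (search semantics), and uses constructed sample addresses.

```python
import re

# Constructed sample addresses (not from the original guide).
SAMPLE_ADDRESSES = ["fortinet.com", "fortinetacom", "fortiiii.com", "fort.com"]


def wildcard_to_regex(wildcard: str) -> str:
    """Translate a wildcard address pattern into a Perl-style regular expression.

    Wildcard semantics as the guide describes them: '*' is any run of
    characters and '?' is any single character. Every other character,
    including '.', is escaped so that it matches only itself.
    """
    out = []
    for ch in wildcard:
        if ch == "*":
            out.append(".*")           # any character, 0 or more times
        elif ch == "?":
            out.append(".")            # exactly one arbitrary character
        else:
            out.append(re.escape(ch))  # '.', '+', etc. lose their regex meaning
    return "".join(out)


def regex_matches(pattern: str, text: str) -> bool:
    """True if the regular expression matches anywhere in text (assumed search semantics)."""
    return re.search(pattern, text) is not None


def compare(wildcard: str, addresses=SAMPLE_ADDRESSES) -> dict:
    """For each address, report whether the pattern matches when it is
    (a) mistakenly entered unchanged as a regular expression, and
    (b) converted with wildcard_to_regex first."""
    converted = wildcard_to_regex(wildcard)
    return {
        addr: {
            "as_regex": regex_matches(wildcard, addr),
            "converted": regex_matches(converted, addr),
        }
        for addr in addresses
    }


if __name__ == "__main__":
    for wc in ("fortinet.com", "forti*.com"):
        print(f"{wc} -> {wildcard_to_regex(wc)}")
        for addr, result in compare(wc).items():
            print(f"  {addr:14} as_regex={result['as_regex']!s:5} "
                  f"converted={result['converted']}")
```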
FortiGate Version 3.0 MR4 Administration Guide 01-30004-0203-20070102
Fortinet Distribution Network. There is no need to wait for a firmware upgrade to stay ahead of the latest protocols. FortiOS 3.0 also provides ways for you to deal with unknown protocols even before upgrades are available.
Configuring IM/P2P protocols
Different organizations require different policies regarding IM/P2P. The FortiGate unit allows you to configure your unit in the way that best serves your needs.
How to enable and disable IM/P2P options
This section describes the four main locations where you can enable or disable the IM/P2P options.
To control Log settings, select the blue arrow for Logging.
To control content archive settings, select the blue arrow for Content Archive.
To control FortiGuard web filtering, select the blue arrow for FortiGuard Web Filtering.
Note: To detect new IM/P2P applications or new versions of existing applications, you only need to update the IPS package, available through the Fortinet Distribution Network (FDN). No firmware upgrade is needed.
Statistics
You can view the IM, P2P and VoIP statistics to gain insight into how the protocols are being used within the network.
Chat: For each IM protocol, the following chat information is listed:
• Total Chat Sessions
• Total Messages.
File Transfers: For each IM protocol, the following file transfer information is listed: (File transfers) Since Last Reset and (File transfers) Blocked.
Voice Chat: For each IM protocol, the following voice chat information is listed: •...
Users: For the selected protocol, the following user information is displayed: Current Users, (Users) Since Last Reset, and (Users) Blocked.
Chat: For the selected protocol, the following chat information is displayed: Total Chat Sessions, Server-based Chat, Group Chat, and Direct/Private Chat.
Viewing the User List
The User List displays information about users who have been allowed access to (white list) or have been blocked from (black list) instant messaging services. Users can be added using Create New or from the temporary users list.
To view the User List, go to IM/P2P >...
Configuring a policy for unknown IM users
The User Policy determines the action to be taken with unknown users. Unknown users can either be allowed to use some or all of the IM protocols and added to a white list, or blocked from using some or all of the IM protocols and added to a black list.
Log&Report
This section describes how to enable logging, view log files and view the reports available through the web-based manager. FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.
For better log storage and retrieval, the FortiGate unit can send log messages to a FortiAnalyzer™ unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity, to help identify security issues and reduce network misuse.
Storing Logs
The type and frequency of log messages you intend to save dictate the type of log storage to use. For example, you can store a limited number of log messages in memory, where older log messages are overwritten as new ones arrive. Storing log messages in one or more locations, such as a FortiAnalyzer unit, may be better suited to your specific logging purposes.
FortiAnalyzer unit requires FortiAnalyzer 3.0 firmware to use the feature.
Note: If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. Use the Fortinet Knowledge Center article, Fortinet Discovery Protocol in Transparent mode, to enable the interface to also carry traffic when using the automatic discovery feature.
Testing the FortiAnalyzer configuration
After configuring FortiAnalyzer settings, you can test the connection between the FortiGate unit and the FortiAnalyzer unit to ensure it is working correctly. The test shows the connection between the two units, including the settings specified for transmitting and receiving logs, reports, content archives, and quarantine files between the FortiGate unit and the FortiAnalyzer unit.
Disk Space Allocated: The amount of space designated for logs.
Used Space: The amount of used space.
Total Free Space: The amount of unused space.
Privileges: Displays the permissions of the device for sending and viewing logs and reports.
Logging to a Syslog server
A syslog server is a remote computer running syslog server software. Syslog is an industry standard used to capture log information provided by network devices.
Figure 278: Logging to a Syslog server
To configure the FortiGate unit to send logs to a syslog server
Go to Log&Report >...
Keywords and variables, with description and default:
server <address_ipv4>: Enter the IP address of the WebTrends server that stores the logs. Default: no default.
status {disable | enable}: Enter enable to enable logging to a WebTrends server. Default: disable.
Example
This example shows how to enable logging to a WebTrends server and to set an IP address for the server.
High Availability cluster logging
When configuring logging with a High Availability (HA) cluster, configure the primary unit to send logs to a FortiAnalyzer unit or a Syslog server. The settings also apply to the subordinate units. The subordinate units send their log messages to the primary unit, and the primary unit sends all logs to the FortiAnalyzer unit or Syslog server.
To enable traffic logging for an interface or VLAN subinterface
1. Go to System > Network > Interface.
2. Select the Edit icon for an interface.
3. Select Log.
4. Select OK.
Enabling firewall policy traffic logging
Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile.
SSL VPN: The FortiGate unit logs all administrator events related to SSL VPN, such as SSL configuration, CA certificate loading and administrator event removal.
SSL VPN session: The FortiGate unit logs all session activity, such as application launches and blocks, timeouts, verifications and so on.
Attack log
The Attack Log records attacks detected and prevented by the FortiGate unit. The FortiGate unit logs the following:
Attack Signature: The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly: The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the...
VoIP log
You can now log Voice over Internet Protocol (VoIP) calls. You can also configure VoIP rate limiting for Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP, also called Skinny). SIP and SCCP are two types of VoIP protocols.
Accessing log messages stored in memory
From the Log Access page, you can access logs stored in the FortiGate system memory. Traffic logs are not stored in memory because of the amount of space required to log them.
To view log messages in the FortiGate memory buffer
Go to Log&Report >...
View icon: Display the log file through the web-based manager.
Delete icon: Select to delete rolled logs. It is recommended to download the rolled log file before deleting it, because the rolled log file cannot be retrieved after it is deleted.
Accessing logs on the FortiGuard Log & Analysis server
You can access logs on the FortiGuard Log & Analysis server from the Log Access page. The Log Access page contains a FortiGuard tab, enabling you to view all logs that are on the FortiGuard Log & Analysis server.
To access logs on the FortiGuard Log &...
Column settings
Customize and filter the log messages display using the Column Settings icon. The column settings apply when viewing the formatted (not raw) log messages.
Figure 282: Column settings for viewing log messages
To customize the columns
Go to Log&Report >...
The filter settings you apply remain for the duration of the time you are logged in to the web-based manager. The log filters are reset when you log out of the web-based manager.
Note: The filters can only be used when viewing log contents in the formatted view.
To filter log messages
Go to Log&Report >...
Content Archive
The Content Archive menu enables you to view archived logs stored on the FortiAnalyzer unit from the FortiGate web-based manager. The Content Archive menu has four tabs (HTTP, FTP, Email, and IM), one for each of the archived log types you can view.
Alert Email
The Alert Email feature enables the FortiGate unit to monitor logs for log messages and notify you by email of a specific logged activity or event. For example, if you require notification about administrators logging in and out, you can configure an alert email that is sent whenever an administrator logs in or out.
SMTP user: Enter the user name for logging on to the SMTP server to send alert email messages. You only need to do this if you have enabled SMTP authentication.
Password: Enter the password for logging on to the SMTP server to send alert email.
Reports
The FortiAnalyzer reporting features are now more integrated with the FortiGate unit. From the Log&Report menu, you can configure a simple FortiAnalyzer report, view the report, and print the report. You can even view content archive logs stored on the FortiAnalyzer unit.
Services: By default all services are selected. When you refresh your browser or go to a different menu, all services revert to the default settings. Deselect the services you do not want to include in the graphical analysis.
• Browsing
•...
Configuring a FortiAnalyzer report
You can configure a FortiAnalyzer report from the Report Config menu. The Report Config menu also includes the CLI command, multi-report, enabling you to configure multiple FortiAnalyzer reports. The multi-report command is disabled by default. By default, only the default FortiAnalyzer report is available in the Report Config menu.
Configuring the report properties
Enter your company’s name, a header comment or a footer for the report. These are optional.
Figure 286: Report properties options
Configuring the report scope
Select the time period and/or log filters for the report. You can select different time periods, for example, if you want the report to include log files from July 31, 2005 to September 9, 2005.
Filter logs: Select None to not apply a filter to the logs in the report. Select Custom to apply filters to the log report.
Include logs that match: Select the matching criteria for the filter. Select all to include logs in the report that match all filter settings. If information within a log does not match all the criteria, the FortiAnalyzer unit will not include the log in the report.
Configuring the report types
Select the type of information you want to include in the report:
• Select Basic to include the most common report types.
• Select All to include all report types. If data does not exist for a report type, that report will appear with the message “No matching log data for this report.”...
Configuring the report output
Select a destination and format(s) for the report. You can select from several different formats, including Text format. You can also select a different format for file output and email output. When configuring the FortiAnalyzer unit to email a report, you must configure the mail server on the FortiAnalyzer unit.
Password: Enter the password to log onto the FTP server.
Upload report(s) in gzipped format: Select to compress the report files as gzip files before uploading to the FTP server.
Delete file(s) after uploading: Select to delete the report files from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload to the FTP server.
Figure 292: Report summary layout
Customize: Select the number of columns, charts to add to the layout, and edit or remove the charts.
Chart Columns: Select a number from the drop-down list to specify how many columns to include in the chart. You can choose from one to four columns.
Editing FortiAnalyzer reports
After a scheduled FortiAnalyzer report is configured and generated, you can edit the report from the Report Config menu. The FortiAnalyzer tab enables you to edit the report and to view information about other scheduled FortiAnalyzer reports; scheduled reports can be viewed and edited from this tab.
Viewing FortiAnalyzer reports from a FortiGate unit
The FortiAnalyzer unit can generate a number of specific reports for a FortiGate unit, and run these reports at scheduled times, or on demand. If you are using a FortiGate unit with FortiOS 3.0MR2 or higher, you can view any report generated from the FortiAnalyzer unit for that FortiGate unit on the Report Access page.