Fortinet FortiGate FortiGate-500 Installation Manual

Installation Guide

FortiGate 500
Version 2.80 MR4
30 August 2004
01-28004-0023-20040830


Summary of Contents for Fortinet FortiGate FortiGate-500

  • Page 1: Installation Guide

    Installation Guide FortiGate 500 Version 2.80 MR4 30 August 2004 01-28004-0023-20040830...
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    Command line interface ... 7 Setup wizard ... 7 Document conventions ... 7 Fortinet documentation ... 9 Comments on Fortinet technical documentation... 9 Customer service and technical support... 10 Getting started ... 11 Package contents ... 12 Mounting ... 12 Turning the FortiGate unit power on and off ...
  • Page 4 High availability configuration settings ... 51 Configuring FortiGate units for HA using the web-based manager ... 53 Configuring FortiGate units for HA using the CLI... 54 Connecting the cluster to your networks... 56 Installing and configuring the cluster... 57 Index ... 59 01-28004-0023-20040830 Fortinet Inc.
  • Page 5: Introduction

    The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks.
  • Page 6: Secure Installation, Configuration, And Management

    The saved configuration can be restored at any time. Figure 1: FortiGate web-based manager and setup wizard the web-based manager, the front panel control buttons and LCD, the command line interface (CLI), or the setup wizard.
  • Page 7: Command Line Interface

    Introduction Command line interface You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.
  • Page 8 In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
  • Page 9: Fortinet Documentation

    FortiGate unit. For a complete list of FortiGate documentation visit Fortinet Technical Support at http://support.fortinet.com. Comments on Fortinet technical documentation You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. FortiGate-500 Installation Guide...
  • Page 10: Customer Service And Technical Support

    Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
  • Page 11: Getting Started

    Getting started This section describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. This section includes: Package contents; Mounting; Turning the FortiGate unit power on and off; Connecting to the web-based manager; Connecting to the command line interface (CLI); Factory default FortiGate configuration settings...
  • Page 12: Package Contents

    Dimensions • Weight • FortiGate-500 Antivirus Firewall one orange crossover ethernet cable (Fortinet part number CC300248) one blue regular ethernet cable (Fortinet part number CC300249) one null modem cable (Fortinet part number CC300247) FortiGate-500 QuickStart Guide one power cable CD containing the FortiGate user documentation...
  • Page 13: Turning The Fortigate Unit Power On And Off

    Getting started Power requirements; Environmental specifications; Air flow; Mechanical loading. Turning the FortiGate unit power on and off To power on the FortiGate unit Make sure that the power switch on the back of the FortiGate unit is turned off. Connect the power cable to the power connection on the back of the FortiGate unit.
  • Page 14: Connecting To The Web-Based Manager

    The interface is connected at 100 Mbps. No link established. execute shutdown a computer with an ethernet connection, Internet Explorer version 4.0 or higher, a crossover cable or an ethernet hub and two ethernet cables.
  • Page 15: Connecting To The Command Line Interface (Cli)

    Getting started Figure 3: FortiGate login Type admin in the Name field and select Login. Connecting to the command line interface (CLI) As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.
  • Page 16 Type admin and press Enter twice. The following prompt is displayed: Welcome ! Type ? to list available commands. For information about how to use the CLI, see the FortiGate CLI Reference Guide.
  • Page 17: Factory Default Fortigate Configuration Settings

    Getting started Factory default FortiGate configuration settings The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. To configure the FortiGate unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure basic routing, if required.
  • Page 18 Primary DNS Server Secondary DNS Server 01-28004-0023-20040830 Getting started 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 192.168.100.1 external 207.192.200.1 207.192.200.129 Fortinet Inc.
  • Page 19: Factory Default Transparent Mode Network Configuration

    Getting started Factory default Transparent mode network configuration In Transparent mode, the FortiGate unit has the default network configuration listed in Table Table 3: Factory default Transparent mode network configuration Administrator account Management IP Administrative access Factory default firewall configuration FortiGate firewall policies control how all traffic is processed by the FortiGate unit.
  • Page 20: Factory Default Protection Profiles

    Select from any of the 50 pre-defined services to control traffic through the FortiGate unit that uses that service. The recurring schedule is valid at any time. Control how the FortiGate unit applies virus scanning, web content filtering, spam filtering, and IPS.
  • Page 21: Planning The Fortigate Configuration

    NAT/Route mode (the default) or Transparent mode. NAT/Route mode In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode: •...
  • Page 22: Nat/Route Mode With Multiple External Network Connections

    DMZ is the interface to the DMZ network. 01-28004-0023-20040830 Internal network FortiGate-500 Unit Internal in NAT/Route mode 192.168.1.99 INTERNAL EXTERNAL Enter 10.10.10.1 traffic between internal and external networks. Getting started 192.168.1.3 Route mode policies controlling traffic between internal networks. DMZ network 10.10.10.2 Fortinet Inc.
  • Page 23: Transparent Mode

    The management IP address is also used for antivirus and attack definition updates. You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewall functions, IPSec VPN, virus scanning, IPS, web content filtering, and Spam filtering.
  • Page 24: Front Control Buttons And Lcd

    DNS server IP addresses add the DHCP server settings and IP addresses add various internal server IP addresses including web, IMAP, POP3, SMTP, and FTP servers set the antivirus protection to high, medium, or none
  • Page 25: Next Steps

    Getting started Next steps Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation”...
  • Page 26 Next steps Getting started 01-28004-0023-20040830 Fortinet Inc.
  • Page 27: Nat/Route Mode Installation

    NAT/Route mode installation This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see mode installation” on page units in HA mode, see about installing the FortiGate unit in NAT/Route mode, see configuration”...
  • Page 28 Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____
  • Page 29: Dhcp Or Pppoe Configuration

    NAT/Route mode installation DHCP or PPPoE configuration You can configure any FortiGate interface to acquire its IP address from a DHCP or PPPoE server. Your ISP may provide IP addresses using one of these protocols. To use the FortiGate DHCP server, you need to configure an IP address range and default route for the server.
  • Page 30 The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE. Go to System > Router > Static. If the Static Route table contains a default route (IP and Mask set to 0.0.0.0), select the Delete icon to delete this route.
  • Page 31: Using The Front Control Buttons And Lcd

    NAT/Route mode installation Using the front control buttons and LCD Basic settings, including interface IP addresses, netmasks, default gateways, and the FortiGate operating mode can be configured using the LCD and front control buttons on the FortiGate unit. Use the information that you recorded in page 28 the LCD.
  • Page 32: Using The Command Line Interface

    <address_ip> <netmask> config system interface edit internal set mode static set ip <192.168.120.99> <255.255.255.0> 01-28004-0023-20040830 NAT/Route mode installation “Connecting to the command line Table 5 on page 28 to complete the following 28. Enter: Fortinet Inc.
  • Page 33 NAT/Route mode installation Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Example To set the external interface to use DHCP, enter: To set the external interface to use PPPoE, enter: Use the same syntax to set the IP address of each FortiGate interface as required.
  • Page 34: Using The Setup Wizard

    IP addresses including web, IMAP, POP3, SMTP, and FTP servers set the antivirus protection to high, medium, or none lists the additional settings that you can configure with the setup wizard. See Table 6 on page 29 for other settings.
  • Page 35: Starting The Setup Wizard

    NAT/Route mode installation Table 7: Setup wizard settings Password Internal Interface External Interface DHCP server Internal servers Antivirus Starting the setup wizard In the web-based manager, select Easy Setup Wizard. Figure 8: Select the Easy Setup Wizard Follow the instructions on the wizard pages and use the information that you gathered Select the Next button to step through the wizard pages.
  • Page 36: Reconnecting To The Web-Based Manager

    Internal for connecting to the internal network, External for connecting to your public switch or router and the Internet, DMZ for connecting to a DMZ network, HA for connecting to another FortiGate-500 for high availability (see availability installation”...
  • Page 37: User-Defined Interface Connections

    FortiGate-500 Installation Guide Internal Network Hub or Switch Internal INTERNAL EXTERNAL Enter External FortiGate-500 Public Switch or Router Internet Figure 10 shows an internal network connected to user-defined 01-28004-0023-20040830 Connecting the FortiGate unit to the network(s) DMZ Network Web Server Mail Server...
  • Page 38: Configuring The Networks

    Refer to the FortiGate Administration Guide for complete information on configuring, monitoring, and maintaining the FortiGate unit. Internal Network Hub or Switch User-defined Interface 1 INTERNAL EXTERNAL Enter User-defined FortiGate-500 Interface 4 Public Switch or Router Internet
  • Page 39 After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
  • Page 40 Select Apply. You can also select Update Now to receive the latest virus and attack definition updates. For more information about FortiGate settings please see the FortiGate Online Help or the FortiGate Administration Guide.
  • Page 41: Transparent Mode Installation

    Transparent mode installation This chapter describes how to install a FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see page availability installation” on page FortiGate unit in Transparent mode, see page This chapter describes: •...
  • Page 42: Using The Web-Based Manager

    The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer. Primary DNS Server: Secondary DNS Server: _____._____._____._____...
  • Page 43: Reconnecting To The Web-Based Manager

    Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
  • Page 44: Using The Command Line Interface

    “Connecting to the command line interface (CLI)” on page Table 8 on page 42 config system global set opmode transparent Welcome ! get system status Operation mode: Transparent 01-28004-0023-20040830 Transparent mode installation 15. Use the to complete the following Fortinet Inc.
  • Page 45 <address_ip> set secondary <address_ip> config system dns set primary 293.44.75.21 set secondary 293.44.75.22 config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway <address_gateway> set device <interface> 01-28004-0023-20040830 Using the command line interface...
  • Page 46: Using The Setup Wizard

    Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
  • Page 47: Connecting The Fortigate Unit To Your Network

    Internal for connecting to your internal network, External for connecting to an external firewall or router, DMZ for connecting to another network segment, HA and interfaces 1 to 8 for connecting up to nine additional network segments to your FortiGate-500.
  • Page 48: Next Steps

    After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
  • Page 49 Transparent mode installation To configure virus, attack, and spam definition updates You can configure the FortiGate unit to automatically receive new versions of the virus, attack, and spam definitions on a schedule through the web-based manager. You can also receive updates whenever a threat occurs by using Push Updates. Go to System >...
  • Page 50 Next steps Transparent mode installation 01-28004-0023-20040830 Fortinet Inc.
  • Page 51: High Availability Installation

    High availability installation This chapter describes how to install two or more FortiGate units in an HA cluster. HA installation involves three basic steps: • • • For information about HA, see the FortiGate Administration Guide and the FortiOS High Availability technical note. Priorities of heartbeat device and monitor priorities The procedures in this chapter do not include steps for changing the priorities of heartbeat devices or for configuring monitor priorities settings.
  • Page 52 FortiGate unit with the highest serial number becomes the primary cluster unit. You can configure a FortiGate unit to always become the primary unit in the cluster by giving it a high priority and by selecting Override master.
  • Page 53: Configuring Fortigate Units For Ha Using The Web-Based Manager

    High availability installation Table 9: High availability settings (Continued) Schedule Configuring FortiGate units for HA using the web-based manager Use the following procedure to configure each FortiGate unit for HA operation. To change the FortiGate unit host name Changing the host name is optional, but you can use host names to identify individual cluster units.
  • Page 54: Configuring Fortigate Units For Ha Using The Cli

    Connect to the CLI. Change the host name. “Connecting the cluster to your networks” on page “Connecting to the command line interface (CLI)” on page config system global set hostname <name_str> 01-28004-0023-20040830 High availability installation “Connecting the cluster to your networks” Fortinet Inc.
  • Page 55 High availability installation To configure the FortiGate unit for HA operation Configure HA settings. Use the following command to: • • • • • • The FortiGate unit negotiates to establish an HA cluster. If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster.
  • Page 56: Connecting The Cluster To Your Networks

    Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster.
  • Page 57: Installing And Configuring The Cluster

    [Figure labels: Hub or Switch, INTERNAL, STATUS, WAN1, WAN2, Internal, WAN1, Internet, Router] to install the cluster on your network. “NAT/Route...
  • Page 58 The only configuration settings that are not synchronized are the HA configuration (except for the interface heartbeat device and monitoring configuration) and the FortiGate host name. For more information about configuring a cluster, see the FortiGate Administration Guide.
  • Page 59: Index

    (Transparent mode) 45 environmental specifications 13 firewall setup wizard 6, 29, 34, 42, 46 starting 29, 35, 42, 46 Fortinet customer service 10 front keypad and LCD configuring IP address 43 configuring FortiGate units for HA operation 51 connecting an HA cluster 56, 57...
  • Page 60 Index web-based manager 6 connecting to 14 introduction 6 wizard setting up firewall 29, 34, 42, 46 starting 29, 35, 42, 46 01-28004-0023-20040830 Fortinet Inc.
