Fortinet FortiGate FortiGate-5001 Administration Manual


[Cover image: FortiGate-5000 series chassis faceplate. Recoverable panel labels: FortiGate-5001 module slots (USB, CONSOLE, PWR, ACC, STA, IPM), ShMC (POWER ON, CRITICAL, MAJOR, MINOR, HOT SWAP, STATUS, ALARM, ALARMS, RESET), PSU A, PSU B; additional panel labels MANAGEMENT, SYSTEM, CONSOLE, ZRE, CLK OK, EXT, INT, FLT, HOT SWAP, RESET, LED MODE.]
FortiGate-5000 series Administration Guide
Version 2.80 MR8
01-28008-0013-20050204
4 February 2005


Summary of Contents for Fortinet FortiGate FortiGate-5001

  • Page 1 FortiGate 5000 series: FortiGate-5000 series Administration Guide (cover page; faceplate label residue omitted)
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    Secure installation, configuration, and management ... 19 Document conventions ... 20 FortiGate documentation ... 21 Fortinet Knowledge Center ... 22 Comments on Fortinet technical documentation... 22 Related documentation ... 22 FortiManager documentation ... 22 FortiClient documentation ... 23 FortiMail documentation... 23 FortiLog documentation ...
  • Page 4 Service ... 79 DHCP service settings ... 80 Server ... 81 DHCP server settings ... 82 Exclude range ... 83 DHCP exclude range settings... 84 IP/MAC binding ... 84 DHCP IP/MAC binding settings ... 85 Dynamic IP... 85
  • Page 5 SNMP... 105 Configuring SNMP ... 106 SNMP community ... 107 FortiGate MIBs... 109 FortiGate traps ... 110 Fortinet MIB fields ... 112 Replacement messages ... 114 Replacement messages list ... 115 Changing replacement messages ... 116 FortiManager... 117 System Admin ... 119 Administrators ...
  • Page 6 New prefix list entry... 167 Route-map list... 167 New Route-map ... 168 Route-map list entry... 169 Key chain list... 170 New key chain... 170 Key chain list entry... 171 Monitor ... 172 Routing monitor list ... 172
  • Page 7 CLI configuration... 173 get router info ospf ... 173 get router info protocols ... 173 get router info rip... 174 config router ospf ... 174 config router static6... 197 Firewall... 199 Policy ... 200 How policy matching works... 200 Policy list ... 200 Policy options...
  • Page 8 Phase 1 advanced settings... 259 Phase 2... 260 Phase 2 list ... 261 Phase 2 basic settings ... 261 Phase 2 advanced options... 262 Manual key... 263 Manual key list ... 264 Manual key options ... 264
  • Page 9 Concentrator ... 266 Concentrator list... 266 Concentrator options... 267 Ping Generator... 267 Ping generator options... 268 Monitor ... 268 Dialup monitor... 269 Static IP and dynamic DNS monitor... 269 PPTP... 270 PPTP range ... 270 L2TP ... 271 L2TP range ... 271 Certificates ...
  • Page 10 Configuring the web URL block list ... 324 Web pattern block list... 324 Web pattern block options ... 325 Configuring web pattern block ... 325 URL exempt ... 325 URL exempt list... 326 URL exempt list options ... 326 Configuring URL exempt... 326
  • Page 11 Category block ... 327 FortiGuard managed web filtering service ... 327 Category block configuration options... 328 Configuring web category block... 329 Category block reports... 329 Category block reports options ... 330 Generating a category block report... 330 Category block CLI configuration... 330 Script filter ...
  • Page 12 Log access... 361 Disk log file access ... 361 Viewing log messages ... 362 Searching log messages... 365 CLI configuration... 366 fortilog setting... 366 syslogd setting ... 367 FortiGuard categories ... 371 Glossary ... 377 Index ... 383
  • Page 13: Introduction

    The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
  • Page 14: Antivirus Protection

    The FortiGate-5020 system, the first in the FortiGate-5000 series, scales from 1 to 2 FortiGate-5001 modules enabling customers to add incremental performance and to operate the FortiGate-5020 in HA mode.
  • Page 15: Web Content Filtering

    Mail messages can be identified as spam or clear. FortiShield is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam.
  • Page 16: Firewall

    In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
  • Page 17: Vlans And Virtual Domains

    Transparent mode provides the same basic firewall protection as NAT mode. The FortiGate unit passes or blocks the packets it receives according to firewall policies. The FortiGate unit can be inserted in the network at any point without having to make changes to your network or its components.
  • Page 18: High Availability

    High availability: Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 19: Secure Installation, Configuration, And Management

    Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.
  • Page 20: Document Conventions

    <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask. <xxx_ipv6> indicates a dotted decimal IPv6 address. <xxx_v6mask> indicates a dotted decimal IPv6 netmask. <xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted decimal IPv6 netmask.
  • Page 21: Fortigate Documentation

    FortiGate documentation: Information about FortiGate products is available from the following guides: ... Vertical bar and curly brackets {|} separate alternative, mutually exclusive required keywords. For example: set opmode {nat | transparent}. You can enter set opmode nat or set opmode transparent.
  • Page 22: Fortinet Knowledge Center

    The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com. Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
  • Page 23: Forticlient Documentation

    FortiClient documentation ... FortiMail documentation ... FortiLog documentation ... FortiClient Host Security User Guide: Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
  • Page 24: Customer Service And Technical Support

    Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
  • Page 25: Web-Based Manager

    Web-based manager: Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.
  • Page 26: Button Bar Features

    The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features. Figure 2: Web-based manager button bar. Contact Customer Support: The Contact Customer Support button opens the Fortinet support web page in a new browser window. From this page you can ...
  • Page 27: Online Help

    Online Help: The Online Help button opens web-based help for the current web-based manager page. There are hyperlinks to related topics and procedures related to the controls on the current web-based manager page. Figure 3: Online Help window. You can view other parts of the help system as you like.
  • Page 28: Console Access

    If you simply close the browser or leave the web-based manager, you remain logged-in until the idle timeout (default 5 minutes) expires. Connect to the FortiGate unit using the CLI. Disconnect from the FortiGate unit. Clear the screen.
  • Page 29: Web-Based Manager Pages

    Page Configure system facilities, such as network interfaces, virtual domains, DHCP services, time and set system options. Configure the router. Configure firewall policies and protection profiles that apply the network protection features. Also configure virtual IP addresses and IP pools.
  • Page 30: Lists

    Clear a log file. Column Settings: Select log columns to display. Delete: Delete an item. This icon appears in lists where the item is deletable and you have write permission on the page. Edit.
  • Page 31: Status Bar

    Status bar: The status bar is at the bottom of the web-based manager screen. Figure 7: Status bar. The status bar shows ... Download or Backup: Download a log file or back up a configuration file. Edit: Edit a configuration.
  • Page 32: Organization Of This Manual

    System Status, System Network, System DHCP, System Config, System Admin, System Maintenance, System Virtual Domain, Router, Firewall, User, Antivirus, Web filter, Spam filter, Log & Report, FortiGuard categories
  • Page 33: System Status

    System Status: You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: ...
  • Page 34: Viewing System Status

    Contains reminders such as “Change Password” or “Product Registration”. Select the reminder to see the detailed reminder message. “Access profiles” on page 123.
  • Page 35: Interface Status

    Host Name. Firmware Version. Antivirus Definitions: The current installed version of the FortiGate Antivirus Definitions. Attack Definitions. Serial Number. Operation Mode. Recent Virus Detections: Time, Src / Dst, Service, Virus Detected. Content Summary: The Content Summary shows information about Content Archiving, configured in firewall protection profiles.
  • Page 36: System Resources

    CPU usage for the previous minute. Session history for the previous minute. Network utilization for the previous minute. The virus detection history over the last 20 hours. The intrusion detection history over the last 20 hours.
  • Page 37: Changing Unit Information

    Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 38 Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
  • Page 39: Session List

    To change to NAT/Route mode: After you change the FortiGate unit from the NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except for HA settings (see ... To change to NAT/Route mode: Go to System >...
  • Page 40: Changing The Fortigate Firmware

    FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in The service protocol of the connection, for example, udp, tcp, or icmp.
  • Page 41: Upgrading To A New Firmware Version

    Table 1: Firmware upgrade procedures. Procedure: Upgrading to a new firmware version; Reverting to a previous firmware version; Installing firmware images from a system reboot using the CLI; Testing a new firmware image before installing it; Installing and using a backup firmware image. Upgrading to a new firmware version...
  • Page 42: Upgrading The Firmware Using The Cli

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
  • Page 43: Reverting To A Previous Firmware Version

    Reconnect to the CLI. To confirm that the new firmware image is successfully installed, enter: get system status. Use the procedure ... antivirus and attack definitions, or from the CLI, enter: execute update_now. Reverting to a previous firmware version: Use the following procedures to revert your FortiGate unit to a previous firmware version.
  • Page 44: Reverting To A Previous Firmware Version Using The Cli

    “Backing up and Restoring” on page ... “To update antivirus and attack definitions” on page 131 to update the antivirus and attack definitions. “Backup and restore” on page 126 ... to make sure that antivirus ... execute ...
  • Page 45: Installing Firmware Images From A System Reboot Using The Cli

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
  • Page 46 Back up web content and email filtering lists. For information, see “Web filter” on page 319 and “Spam filter” on page 333. “To update antivirus and attack definitions” on page 131 ... 126 ... to make sure that antivirus ...
  • Page 47 Type y. As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears: ... Immediately press any key to interrupt the system startup. Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the ... If you successfully interrupt the startup process, one of the following messages appears:...
  • Page 48: Testing A New Firmware Image Before Installing It

    See “Upgrading to a new firmware version” on page ..., “Backup and restore” on page 125, “Backing up and restoring custom signature ...” and “Updating ...
  • Page 49 For this procedure you: ... Note: The default interface for TFTP server firmware downloads is port8. You can specify a different interface after you restart the FortiGate unit as described in the following procedure. To test a new firmware image: Connect to the CLI using a null-modem cable and FortiGate console port.
  • Page 50 FortiGate unit running v2.x BIOS: Do You Want To Save The Image? [Y/n] Type N. FortiGate unit running v3.x BIOS: Save as Default firmware/Run image without saving:[D/R] Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
  • Page 51: Installing And Using A Backup Firmware Image

    You can log into the CLI or the web-based manager using any administrative account. To confirm that the new firmware image has been loaded, from the CLI enter: get system status. You can test the new firmware image as required. Installing and using a backup firmware image: If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image.
  • Page 52: Switching To The Backup Firmware Image

    Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options. ... to switch to a backup ...
  • Page 53: Switching Back To The Default Firmware Image

    Enter the following command to restart the FortiGate unit: execute reboot. As the FortiGate unit starts, a series of system startup messages is displayed. When the following message appears: Press any key to enter configuration menu... Immediately press any key to interrupt the system startup. Note: You have only 3 seconds to press any key.
  • Page 54 Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options.
  • Page 55: System Network

    System Network: System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
  • Page 56: Interface Settings

    Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 62 and “To start up an interface that is administratively down” on page ... Delete, edit, and view icons. “VLAN ...
  • Page 57 Figure 12: Interface settings. See the following procedures for configuring interfaces: ... Name: The name of the Interface. Interface: Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
  • Page 58 Interface The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see Virtual Domain Select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
  • Page 59 PPPoE: If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
  • Page 60 Ping server Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See...
  • Page 61: Configuring Interfaces

    SNMP. TELNET. To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
  • Page 62 ... on page 67. You cannot add an interface to a zone if you have added firewall policies for ... “To add a zone” on page 67. “To add a virtual domain” on page 145. You cannot add an interface to a virtual ...
  • Page 63 To change the static IP address of an interface: You can change the static IP address of any FortiGate interface. Go to System > Network > Interface. Choose an interface and select Edit. Set Addressing Mode to Manual. Change the IP address and Netmask as required.
  • Page 64 DNS server. In the Password field, type the associated password. Select OK. To add a ping server to an interface: Go to System > Network > Interface. Choose an interface and select Edit.
  • Page 65 Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box. Select OK to save the changes. To control administrative access to an interface: For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
  • Page 66: Zone

    Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. Enter the name to identify the zone. Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
  • Page 67: Management

    To add a zone: If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone. Go to System > Network > Zone. Select Create New.
  • Page 68: Dns

    FortiGate unit from. Enter the default gateway address. This must be a valid IP ... Select the virtual domain from which you want to perform system management (... on page 89). “To ...
  • Page 69: Routing Table (Transparent Mode)

    The destination IP address for this route. The netmask for this route. The IP address of the next hop router to which this route directs traffic. The relative preferability of this route. 1 is most preferred. Delete icon. Select to remove a route.
  • Page 70: Transparent Mode Route Settings

    Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic. The relative preferability of this route. 1 is most preferred.
  • Page 71: Fortigate Units And Vlans

    VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
  • Page 72: Rules For Vlan Ids

    VLANs in NAT/Route mode In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged.
  • Page 73: Adding Vlan Subinterfaces

    The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
  • Page 74: Vlans In Transparent Mode

    FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
  • Page 75 VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN. Figure 23: FortiGate unit in Transparent mode (figure labels: VLAN switch or router, Internal, VLAN1, VLAN2...)
  • Page 76: Rules For Vlan Ids

    “To start up an interface that is administratively down” on page ... Delete icon. Select to delete a VLAN subinterface. View/Edit icon. Select to view or edit an interface or VLAN subinterface. “To control ... for information about ...
  • Page 77 The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
  • Page 78: Fortigate Ipv6 Support

    The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
  • Page 79: System Dhcp

    System DHCP: You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time.
  • Page 80: Dhcp Service Settings

    Select DHCP Server if you want the FortiGate unit to be the DHCP server. “To configure an interface to be a DHCP server” on page ... “To configure an interface as a ...
  • Page 81: Server

    Set type to Regular. Enter the DHCP Server IP address. Select OK. To configure an interface to be a DHCP server: You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface.
  • Page 82: Dhcp Server Settings

    Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
  • Page 83: Exclude Range

    DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
  • Page 84: Dhcp Exclude Range Settings

    Select Create New to add a DHCP IP/MAC binding pair. The name for the IP and MAC address pair. The IP address for the IP and MAC address pair. The IP address must be within the configured IP range.
  • Page 85: Dhcp Ip/Mac Binding Settings

    DHCP IP/MAC binding settings. Figure 33: IP/MAC binding options: Name, IP Address, MAC Address. To add a DHCP IP/MAC binding pair: Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
  • Page 86 Dynamic IP
  • Page 87: System Config

    System Config: Use the System Config page to make any of the following changes to the FortiGate system configuration: ... System time: Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate.
  • Page 88: Options

    NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. Timeout settings including the idle timeout and authentication timeout. The language displayed by the web-based manager. Dead gateway detection interval and failover detection.
  • Page 89 Figure 35: System config options: Idle Timeout, Auth Timeout, Language, Detection Interval, Fail-over Detection. Set the ping server dead gateway detection failover number. Enter the ... To set the system idle timeout: Go to System > Config > Options. For Idle Timeout, type a number in minutes.
  • Page 90: Ha Overview

    HA cluster. Other units in the cluster will take over if one of the units fails. “To add a ping server to an interface” on page ... HA overview; HA configuration; Configuring an HA cluster; Managing an HA cluster. “HA modes” ...
  • Page 91 The FortiGate Clustering Protocol (FGCP) Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 92: Ha Configuration

    “To switch between load balancing virus scanning sessions and all sessions” on page 102, and the Fortinet Knowledge ... “PPTP range” on page 270. Standalone Mode; High Availability; Cluster Members; Mode; Group ID; Unit Priority; Override Master...
  • Page 93: Standalone Mode

    Figure 36: HA configuration. Standalone Mode: Standalone mode is the default operation mode. If Standalone mode is selected the FortiGate unit is not operating in HA mode. Select Standalone Mode if you want to stop a cluster unit from operating in HA mode. High Availability: Select High Availability to operate the FortiGate unit in HA mode.
• Page 94 Table 3 lists the virtual MAC address set for each group ID. The addresses run from 00-09-0f-06-ff-00 (group ID 0), 00-09-0f-06-ff-01 (group ID 1), 00-09-0f-06-ff-02, 00-09-0f-06-ff-03, ... up to 00-09-0f-06-ff-3f (group ID 63); the last octet is the group ID in hexadecimal. Because the virtual MAC is derived from the group ID alone, two clusters attached to the same layer 2 segment must use different group IDs or their virtual MAC addresses collide. Unit priority: see Table 4. Cluster unit A will always ...
• Page 95 Override Master: Configure a cluster unit to always override the current primary unit and become the primary unit. Enable override master for the cluster unit that you have given the highest unit priority. Enabling override master means that this cluster unit always becomes the primary unit.
• Page 96 IP Port: distribute traffic to cluster units based on the source IP, source port, destination IP, and destination port of the packet. See “To switch between load balancing virus scanning sessions and all sessions” on page 102.
• Page 97 Table 5: Default heartbeat device configuration. FortiGate model FortiGate-5000: By default a FortiGate-5000 HA cluster uses Port 9 and Port 10 for heartbeat communication. Port 9 and Port 10 are not visible on the FortiGate-5000 faceplate or on the web-based manager, but they are visible on the CLI. You can use the CLI to view and change the heartbeat priority configuration for Port 9 and Port 10.
  • Page 98: Configuring An Ha Cluster

Procedures in this section: To connect a FortiGate HA cluster; To add a new unit to a functioning cluster; To configure weighted-round-robin weights; To switch between load balancing virus scanning sessions and all sessions. (See “Override Master” on page 95.) ... this FortiGate unit ...
• Page 99 Note: The following procedure does not include steps for configuring heartbeat devices and interface monitoring. Both of these HA settings should be configured after the cluster is up and running. Note: By default, port 9 and port 10 are configured as heartbeat devices. These interfaces are only used for HA cluster communication and are not physically accessible.
  • Page 100 Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance.
  • Page 101: Set Weight

Power on all of the cluster units. As the cluster units start, they negotiate to choose the primary unit and the subordinate units. This negotiation occurs with no user intervention and normally takes just a few seconds. You can now configure the cluster as if it is a single FortiGate unit. To add a new unit to a functioning cluster: Configure the new cluster unit for HA operation with the same HA configuration as the other units in the cluster.
  • Page 102: Managing An Ha Cluster

... The next three connections are processed by the second subordinate unit (priority 2, weight 3). To load balance all sessions instead of only virus scanning sessions, use the CLI:
config system ha
    set load-balance-all enable
end
See “FortiGate HA traps”, “HA MIB fields” on page 112, and “To view the status of each cluster member” on pages 103 and 104.
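The two HA mechanics described above, the group ID to virtual MAC mapping of Table 3 and the weighted-round-robin distribution of sessions across cluster units, modelled in Python. This is an added example and not code from the Fortinet guide; the unit ordering (index 0 is the primary unit, 1 the first subordinate, and so on), the cluster names and the weights are assumptions for the illustration.

```python
"""Added example: HA virtual MAC derivation and weighted-round-robin scheduling.
Not from the Fortinet guide; names, weights and the unit ordering are constructed."""
from typing import Dict, Iterable, List, Tuple

# Prefix of the FGCP virtual MAC in Table 3; the last octet is the HA group ID in hex.
VMAC_PREFIX = "00-09-0f-06-ff"


def virtual_mac(group_id: int) -> str:
    """Return the virtual MAC address a cluster with this HA group ID presents."""
    # Table 3 runs from ...-ff-00 to ...-ff-3f, so valid group IDs are 0 to 63.
    if not 0 <= group_id <= 63:
        raise ValueError("HA group ID must be between 0 and 63")
    return f"{VMAC_PREFIX}-{group_id:02x}"


def group_id_collisions(clusters: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """clusters maps a cluster name to its group ID. Returns (first, second, mac) for
    every pair of clusters that would claim the same virtual MAC on a shared segment."""
    seen: Dict[str, str] = {}
    collisions = []
    for name, gid in clusters.items():
        mac = virtual_mac(gid)
        if mac in seen:
            collisions.append((seen[mac], name, mac))
        seen.setdefault(mac, name)
    return collisions


def wrr_schedule(weights: List[int], n_connections: int, failed: Iterable[int] = ()) -> List[int]:
    """Assign n_connections to cluster units in priority order.
    weights[i] is the weighted-round-robin weight of unit i (0 = primary unit,
    1 = first subordinate, 2 = second subordinate, ...). Each unit receives `weight`
    consecutive connections before the next unit is used; failed units are skipped,
    which is how the remaining units 'take over' when a member dies."""
    dead = set(failed)
    live = [(i, w) for i, w in enumerate(weights) if i not in dead and w > 0]
    if not live:
        raise RuntimeError("no live cluster unit is available to receive sessions")
    out: List[int] = []
    while len(out) < n_connections:
        for unit, weight in live:
            out.extend([unit] * weight)
    return out[:n_connections]


if __name__ == "__main__":
    # Constructed cluster: primary weight 1, first subordinate weight 2, second subordinate weight 3
    print(wrr_schedule([1, 2, 3], 12))
    print(wrr_schedule([1, 2, 3], 12, failed={2}))
    print(virtual_mac(7), group_id_collisions({"dmz-ha": 7, "core-ha": 7}))
```

With weights [1, 2, 3] the first connection goes to the primary unit, the next two to the first subordinate and the next three to the second subordinate (priority 2, weight 3), matching the description above; with unit 2 marked failed its share is redistributed over the surviving units.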
• Page 103 You can manage individual cluster units by using SSH to connect to the CLI of the cluster. From the CLI you can use the execute ha manage command to connect to the CLI of each unit in the cluster. You can also manage individual cluster units by using a null-modem cable to connect to the console of the primary cluster unit.
• Page 104 ... Cluster Members list. The host name and serial number of the primary cluster unit change. The new primary unit logs the following messages to the event log: “HA slave became master” and “Detected HA member dead”. These two messages are worth alerting on, since an unplanned failover is either a hardware fault or a sign that the heartbeat path is failing.
  • Page 105: Snmp

... FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. (Fragment from the preceding cluster members table: The cluster contains fewer FortiGate units.)
  • Page 106: Configuring Snmp

This section covers: Configuring SNMP, SNMP community, FortiGate MIBs, FortiGate traps, Fortinet MIB fields. SNMP Agent: Enable the FortiGate SNMP agent. Description: Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long. Location: Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
  • Page 107: Snmp Community

SNMP community: An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. You can add up to three SNMP communities. The community name is the only credential protecting SNMP access and it travels in clear text, so treat it as a password and restrict each community to the IP addresses of your SNMP managers.
  • Page 108 SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
  • Page 109: Fortigate Mibs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 110: Fortigate Traps

Table 7: FortiGate MIBs (MIB file name or RFC, Description): fortinet.trap.2.80.mib, the Fortinet trap MIB, a proprietary MIB that is required for your ...; RFC-1213 (MIB II); RFC-2665 (Ethernet-like MIB). FortiGate traps: The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities.
• Page 111 Table 9: FortiGate system traps. Trap messages: CPU usage high (SysCpuHigh); Disk low (with <FortiGate_serial_no> and <interface_name> variables); HA state; HA switch; Memory low (SysMemLow); The <interface_name> Interface IP is changed to <new_IP> (Serial No.: <FortiGate_serial_no>) (IntfIpChange). Table 10: FortiGate VPN traps. Trap message: VPN tunnel is up (VpnTunnelUp).
  • Page 112: Fortinet Mib Fields

    The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
• Page 113 Table 16: HA MIB fields: groupId (HA group ID), priority, override, autoSync, schedule, stats. Table 17: Administrator accounts MIB fields: index, name, addr, mask, perm. Table 18: Local users MIB fields: index, name, auth, state.
  • Page 114: Replacement Messages

(Active IP session MIB fields, continued:) The source port of the active IP session. The destination IP address of the active IP session. The destination port of the active IP session. The expiry time or time-to-live in seconds for the session.
  • Page 115: Replacement Messages List

Replacement messages list. Figure 42: Replacement messages list (columns: Name, Description). To change a replacement message: Go to System > Config > Replacement Messages. Select the category of replacement message to edit by clicking on the blue triangle for that category.
  • Page 116: Changing Replacement Messages

... For HTTP this is the IP address of the web page that sent the virus. The email address of the sender of the message from which the file was removed. Table 21 lists the ...
  • Page 117: Fortimanager

(Replacement message tags, continued:) The name of the web filtering service. The name of the content category of the web site. The Fortinet logo. FortiManager: ... and a FortiManager Server. The remote ID of the FortiManager IPSec tunnel. The IP Address of the FortiManager Server.
• Page 118 FortiManager (continued)
  • Page 119: System Admin

Configuration areas listed in this chapter: System > DHCP, System > Config, System > Maintenance > Backup, System > Maintenance > Support, Log & Report > Log Config, Log & Report > Log Access, Router, Firewall, Anti-Virus, Web Filter, User, System > Admin, System > Maintenance > Update Center, System > ...
• Page 120
  • Page 121: Administrators

This chapter describes: Administrators; Access profiles. Administrators: Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Administrators list. Figure 45: Administrators list (Create New; columns: Name, Trusted hosts, Permission, ...)
• Page 122 Setting trusted hosts for all of your administrators enhances the security of your system. For more information, see “Using trusted hosts” on page 122. For access profiles, see “Access profile list” on page 123.
  • Page 123: Access Profiles

When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access. The restriction is only as good as its weakest account: audit every administrator, not just the ones you use day to day.
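The trusted-host rule stated above, worked through in Python: given an administrator table, which accounts would accept a login from a given source address, and does the unit answer at all. This is an added example, not code from the Fortinet guide; the administrator names and addresses are constructed, and an empty trusted-host list (or a 0.0.0.0/0 entry) is used to model an unrestricted administrator.

```python
"""Added example: evaluating administrator trusted hosts.
Not from the Fortinet guide; accounts and addresses are constructed."""
import ipaddress
from typing import Dict, List

# Constructed administrator table: name -> trusted host IP/netmask entries.
# An empty list models an administrator with no trusted hosts (unrestricted).
ADMINS: Dict[str, List[str]] = {
    "admin":   ["10.0.50.10/32", "10.0.50.11/32"],
    "netops":  ["10.0.50.0/24"],
    "auditor": ["192.168.1.0/24"],
}


def _is_unrestricted(hosts: List[str]) -> bool:
    # No entries, or a catch-all entry, means the account is reachable from anywhere.
    return not hosts or any(
        ipaddress.ip_network(h, strict=False).prefixlen == 0 for h in hosts
    )


def admins_reachable_from(admins: Dict[str, List[str]], src_ip: str) -> List[str]:
    """Administrators whose trusted hosts include src_ip.
    An unrestricted administrator is reachable from any source."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for name, hosts in admins.items():
        if _is_unrestricted(hosts):
            hits.append(name)
        elif any(ip in ipaddress.ip_network(h, strict=False) for h in hosts):
            hits.append(name)
    return hits


def unit_answers_admin_access(admins: Dict[str, List[str]], src_ip: str) -> bool:
    """True if the unit responds to an administrative access attempt from src_ip.
    When every administrator is restricted and none lists this source, the unit
    does not respond at all; one unrestricted account makes it answer from anywhere."""
    return bool(admins_reachable_from(admins, src_ip))


def unrestricted_admins(admins: Dict[str, List[str]]) -> List[str]:
    """The accounts that undo the protection for the whole unit; this list should be empty."""
    return [name for name, hosts in admins.items() if _is_unrestricted(hosts)]


if __name__ == "__main__":
    print(admins_reachable_from(ADMINS, "10.0.50.10"))          # ['admin', 'netops']
    print(unit_answers_admin_access(ADMINS, "203.0.113.9"))      # False
    leaky = dict(ADMINS, backup=[])                              # one forgotten, unrestricted account
    print(unit_answers_admin_access(leaky, "203.0.113.9"))       # True
    print(unrestricted_admins(leaky))                            # ['backup']
```

Run the audit function against an exported administrator list after every change: a single unrestricted account, such as a forgotten backup login, is enough to make the login prompt reachable from every interface with administrative access enabled.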
  • Page 124: Access Profile Options

... Network update feature. To allow an administrator to modify this feature, enable both Read and Write. Select both Read and Write to allow an administrator to access the system shutdown, reboot and reset to factory default functions.
  • Page 125: System Maintenance

System Maintenance: Use the web-based manager to maintain the FortiGate unit. Backup and restore: You can back up system configuration, VPN certificates, and web and spam filtering files to the management computer. You can also restore system configuration, VPN certificates, and web and spam filtering files from previously downloaded backup files. A configuration backup contains administrator and VPN credentials; store it with the same care as the unit itself.
  • Page 126: Backing Up And Restoring

IPS User-Defined Signatures: Upload or download IPS signatures. All Certificates: Restore or back up all VPN certificates in a single password-protected file. See “To back up VPN certificates” and “To restore VPN certificates” on page 127.
• Page 127 Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories: Go to System > ...
  • Page 128: Update Center

To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. See “To enable scheduled updates” on page 133. Update types: user-initiated updates from the FDN; hourly, daily, or weekly scheduled antivirus and attack definition and antivirus ...
• Page 129 Figure 51: Update center (FortiProtect Distribution Network, Push Update, Refresh, Use override server address, Update). FortiProtect Distribution Network: The status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates.
  • Page 130: Updating Antivirus And Attack Definitions

The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings. (See also page 134.)
• Page 131 To update antivirus and attack definitions: Go to System > Maintenance > Update center. Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent.
• Page 132 Proxy tunneling syntax (CLI):
config system autoupdate tunneling
    set address <proxy-address_ip>
    set port <proxy-port>
    set username <username_str>
    set password <password_str>
    set status enable
end
Example:
config system autoupdate tunneling
    set address 67.35.50.34
    set port 8080
    set username proxy_user
    set password proxy_pwd
    set status enable
end
  • Page 133: Enabling Push Updates

There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates: The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
  • Page 134: Enabling Push Updates Through A Nat Device

In the External Interface section, select the external interface that the FDN connects to. In the Type section, select Port Forwarding. In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to.
  • Page 135: Support

You can select Refresh to make sure that push updates work; Push Update changes to Available. Support: You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS).
  • Page 136: Sending A Bug Report

Select Report Bug to submit problems with the FortiGate unit to Fortinet Support. Enter the contact information so that Fortinet support can reply to your bug report. Items marked with an * are required. Send diagnostic information about the FortiGate unit, including its current configuration, to Fortinet for analysis. Review what the diagnostic bundle contains before sending it, since the current configuration includes addressing and account details.
  • Page 137: Registering A Fortigate Unit

    FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: •...
  • Page 138 For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
  • Page 139: Shutdown

    A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.
• Page 140 The FortiGate unit restarts with the configuration that it had when it was first powered on. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
  • Page 141: System Virtual Domain

System Virtual Domain: FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network. All virtual domains still run on the same hardware and software and share the settings listed under “Shared configuration settings”, so the separation is logical rather than physical.
  • Page 142: Virtual Domain Properties

Procedures referenced in this section (pages 146 to 150): “To select a management virtual domain”, “To configure routing for a virtual domain”, “To configure the routing ...”, “To add IP pools to a virtual domain”, “To add Virtual IPs to a virtual domain”.
  • Page 143: Shared Configuration Settings

Shared configuration settings: The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings: ...
  • Page 144: Administration And Management

A check mark icon in this column indicates that this is the domain used for system management. Delete icon: Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management.
  • Page 145: Adding A Virtual Domain

    Selecting a management virtual domain In NAT/Router mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”...
  • Page 146: Configuring Virtual Domains

Adding interfaces, VLAN subinterfaces, and zones to a virtual domain; Configuring routing for a virtual domain; Configuring firewall policies for a virtual domain; Configuring IPSec VPN for a virtual domain.
• Page 147 Go to System > Network > Interface. Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
  • Page 148: Configuring Routing For A Virtual Domain

... (page 66). Any zones that you add are added to the current virtual domain. See “Router” on page 151. Network traffic entering this virtual domain is routed only ... See “Routing table (Transparent Mode)” on page 69. Network traffic entering this ...
• Page 149 Select Create new to add firewall policies to the current virtual domain. ... interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
  • Page 150: Configuring Ipsec Vpn For A Virtual Domain

Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See “VPN” on page 255.
  • Page 151: Router

    You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
• Page 152 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
  • Page 153: Static Route List

Figure 57: Destinations on networks behind internal routers. To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24 ...
  • Page 154: Static Route Options

    The destination IP address for this route. The netmask for this route. The IP address of the first next hop router to which this route directs traffic. The name of the FortiGate interface through which to route traffic. The administrative distance for the route.
  • Page 155: Policy

To move static routes: Go to Router > Static > Static Route. Select the Move to icon beside the route you want to move. Current Order shows the existing number for this route. Figure 60: Move a static route. For Move to, select either Before or After and type the number that you want to place this route before or after.
  • Page 156: Policy Route Options

Destination address/mask: Match packets that have this destination IP address and netmask. Destination ports: Match packets that have this destination port range. To match a single port, enter the same port number for both From and To. Gateway address: Send packets that match this policy route to this next hop router.
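The route selection described across the static route and policy route pages, worked through in Python: a policy route matches on protocol, source, destination and destination port range and is consulted before the static table, which picks the longest matching prefix and, among equal prefixes, the lowest administrative distance. This is an added example and not code from the Fortinet guide. It reuses the page's default gateway 192.168.10.1 and destination 192.168.30.0/24; the Router_1 address 192.168.20.2, the backup route, the web-proxy policy route and the sample packets are constructed for the illustration.

```python
"""Added example: policy routes evaluated before the static routing table.
Not from the Fortinet guide; routes other than the page's two addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticRoute:
    dst: str            # destination network, e.g. "192.168.30.0/24"
    gateway: str        # IP address of the next hop router
    device: str         # FortiGate interface through which to route
    distance: int = 10  # administrative distance; lower is preferred


@dataclass
class PolicyRoute:
    protocol: Optional[int]  # IP protocol number, None = any
    src: str                 # source address/mask
    dst: str                 # destination address/mask
    dport: Tuple[int, int]   # destination port range From/To (inclusive); same value = single port
    gateway: str
    device: str


# Constructed routing table modelled on Figure 57: Router_1 (192.168.20.2) fronts
# Network_2, a second router is a backup with a worse distance, default via 192.168.10.1.
STATIC: List[StaticRoute] = [
    StaticRoute("0.0.0.0/0", "192.168.10.1", "external"),
    StaticRoute("192.168.30.0/24", "192.168.20.2", "internal", distance=10),
    StaticRoute("192.168.30.0/24", "192.168.20.3", "internal", distance=20),
]

# Constructed policy route: web traffic from Network_1 is steered to a proxy gateway.
POLICY: List[PolicyRoute] = [
    PolicyRoute(6, "192.168.20.0/24", "0.0.0.0/0", (80, 80), "192.168.10.254", "external"),
]


def select_static(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Longest prefix wins; among equal prefixes the lowest administrative distance wins."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.dst, strict=False)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.dst, strict=False).prefixlen, -r.distance))


def select_policy(policies: List[PolicyRoute], pkt: Dict) -> Optional[PolicyRoute]:
    """First policy route whose protocol, source, destination and port range all match."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for p in policies:
        if p.protocol is not None and p.protocol != pkt["proto"]:
            continue
        if src not in ipaddress.ip_network(p.src, strict=False):
            continue
        if dst not in ipaddress.ip_network(p.dst, strict=False):
            continue
        lo, hi = p.dport
        if not lo <= pkt["dport"] <= hi:
            continue
        return p
    return None


def route_packet(policies: List[PolicyRoute], routes: List[StaticRoute], pkt: Dict) -> Tuple:
    """Returns (kind, gateway, device): a matching policy route takes precedence over the
    static table; kind is 'policy', 'static', or 'none' when nothing matches."""
    p = select_policy(policies, pkt)
    if p is not None:
        return ("policy", p.gateway, p.device)
    r = select_static(routes, pkt["dst"])
    if r is not None:
        return ("static", r.gateway, r.device)
    return ("none", None, None)


if __name__ == "__main__":
    ssh = {"proto": 6, "src": "192.168.20.5", "dst": "192.168.30.9", "dport": 22}
    web = {"proto": 6, "src": "192.168.20.5", "dst": "192.168.30.9", "dport": 80}
    print(route_packet(POLICY, STATIC, ssh))   # static route via Router_1
    print(route_packet(POLICY, STATIC, web))   # policy route wins even for an internal destination
```

The second sample packet shows the caveat a practitioner should keep in mind: because policy routes are evaluated first, a broad policy route (destination 0.0.0.0/0) silently overrides the specific static route for 192.168.30.0/24 for port 80 traffic. Narrow the destination of a policy route, or order the list deliberately, rather than relying on the static table to catch internal destinations.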
  • Page 157: General

RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General: Figure 63: RIP General settings ...
  • Page 158: Networks List

    Static Metric Route-map To configure RIP general settings Go to Router > RIP > General. Select the default RIP Version. Change the Default Metric if required. Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
  • Page 159: Networks Options

    Figure 65: RIP Networks configuration To configure a RIP network definition Go to Router > RIP > Networks. Select Create New to add a new RIP network definition or select the Edit icon to edit an existing RIP network definition.
  • Page 160: Interface Options

In text mode the key is sent in clear text over the network, so anyone who can capture RIP traffic on the segment can read it and then inject routes. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network; use MD5 authentication where the threat is a deliberate attacker rather than a misconfiguration.
  • Page 161: Distribute List

    Password Key-chain To configure a RIP interface Go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
  • Page 162: Distribute List Options

    Interface Enable To configure a distribute list Go to Router > RIP > Distribute List. Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
  • Page 163: Offset List

Offset list: Use offset lists to add the specified offset to the metric of a route. Note: By default, all offset lists for the root virtual domain are displayed. If you create additional virtual domains, only the offset lists belonging to the current virtual domain are displayed. To view the settings associated with a different virtual domain, go to System > ...
  • Page 164: Router Objects

    Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects Router objects are a set of tools used by routing protocols and features. Access list Access lists are filters used by FortiGate routing features.
  • Page 165: New Access List

    Router New access list Figure 73: Access list name configuration To add an access list name Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry...
  • Page 166: Prefix List

    New Prefix list Figure 76: Prefix list name configuration To add a prefix list name Go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. Add a new prefix list name. An access list and a prefix list cannot have the same name.
  • Page 167: New Prefix List Entry

    Less or equal to To configure a prefix list entry Go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry.
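The prefix list entry semantics described above (a prefix plus optional Greater or equal to and Less or equal to bounds on the prefix length), implemented in Python. This is an added example and not code from the Fortinet guide; it follows the common prefix-list rules that an entry with neither bound matches only that exact prefix length, a ge-only entry matches lengths from ge up to the address size, and an le-only entry matches lengths from the entry's own length up to le. The filter entries and routes are constructed for the illustration.

```python
"""Added example: prefix list evaluation with ge/le bounds and the implicit deny.
Not from the Fortinet guide; entries and sample routes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixEntry:
    action: str                # "permit" or "deny"
    prefix: str                # "10.0.0.0/8" or "any"
    ge: Optional[int] = None   # Greater or equal to: minimum prefix length
    le: Optional[int] = None   # Less or equal to: maximum prefix length


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    """True when the route falls inside entry.prefix and its length is within the bounds."""
    net = ipaddress.ip_network(route, strict=False)
    if entry.prefix == "any":
        base_len = 0
    else:
        base = ipaddress.ip_network(entry.prefix, strict=False)
        if net.version != base.version or not net.subnet_of(base):
            return False
        base_len = base.prefixlen
    # Neither bound: exact length only. ge only: ge..max. le only: base..le. Both: ge..le.
    lo = entry.ge if entry.ge is not None else base_len
    if entry.le is not None:
        hi = entry.le
    else:
        hi = net.max_prefixlen if entry.ge is not None else base_len
    return lo <= net.prefixlen <= hi


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """Action of the first matching entry; every list ends in an implicit deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action
    return "deny"


# Constructed inbound filter: refuse private space, accept only specific sizes of one block,
# and accept exactly one /24 from another.
INBOUND: List[PrefixEntry] = [
    PrefixEntry("deny", "10.0.0.0/8", le=32),
    PrefixEntry("deny", "192.168.0.0/16", le=32),
    PrefixEntry("permit", "203.0.113.0/24", ge=25, le=28),
    PrefixEntry("permit", "198.51.100.0/24"),
]


if __name__ == "__main__":
    for r in ["10.1.2.0/24", "203.0.113.0/26", "203.0.113.0/24", "198.51.100.0/24", "0.0.0.0/0"]:
        print(r, "->", evaluate(INBOUND, r))
```

Note the two easy mistakes the bounds create: "permit 203.0.113.0/24 ge 25 le 28" does not admit 203.0.113.0/24 itself, and an entry without le (such as "deny 10.0.0.0/8") blocks only the exact /8, not the more specific routes inside it, which is usually not what a bogon filter intends.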
  • Page 168: New Route-Map

    New Route-map Figure 79: Route map name configuration To add a route map name Go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK. Add a new route map name.
  • Page 169: Route-Map List Entry

    Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric. The metric can be a number from 1 to 16.
  • Page 170: Key Chain List

New key chain. Figure 82: Key chain name configuration. To add a key chain name: Go to Router > Router Objects > Key-chain. Key lifetimes are compared against the FortiGate clock, so see the system time section for information on setting the FortiGate system date and time. Create New: Add a new key chain. Name: The key chain name.
  • Page 171: Key Chain List Entry

    Start To configure a key chain entry Go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
  • Page 172: Monitor

    Up Time To filter the routing monitor display Go to Router > Monitor > Routing Monitor. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
  • Page 173: Cli Configuration

... CLI commands, see the FortiGate CLI Reference Guide. get router info ospf: Use this command to display information about OSPF. Command syntax: get router info ospf <keyword>. Keywords: border-routers, database, interface, ...
  • Page 174: Get Router Info Rip

    An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
• Page 175 Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables: abr-type {cisco | ibm | shortcut | standard}; database-overflow {disable | enable}; database-overflow-max-lsas <lsas_integer>; ...
  • Page 176 <address_ipv4> spf-timers <delay_integer> <hold_integer> Example This example shows how to set the OSPF router ID to 1.1.1.1: Description Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214. Configure the administrative distance for all OSPF routes.
  • Page 177 This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
• Page 178 Enable or disable redistributing routes into an NSSA area. (Table columns Default and Availability: defaults shown are none, disable and enable; all keywords are available on all models.)
• Page 179 This example shows how to display the settings for area 15.1.1.1. Description: An NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain.
• Page 180 Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list (see “Access list” and “Prefix list” under Router objects, pages 164 to 166). Default: null. Availability: all models.
• Page 181 The range of id_integer is 0 to 4294967295. Example:
config router ospf
    config area
        edit 15.1.1.1
            config filter-list
Example:
config router ospf
    config area
        edit 15.1.1.1
            ...
• Page 182 Enable or disable using a substitute prefix (default disable; all models). Example:
config router ospf
    config area
        edit 15.1.1.1
            config range
                edit 1
                    set prefix 1.1.0.0 255.255.0.0
(Other defaults in this table: enable, 0.0.0.0; all keywords are available on all models.)
• Page 183 Virtual links can only be set up between two area border routers (ABRs). config virtual-link command syntax pattern. Note: Only the peer keyword is required. All other keywords are optional.
config router ospf
    config area
        edit 15.1.1.1
            show
config virtual-link
    edit <name_str>
        ...
• Page 184 ... 1 to 255. key_str is an alphanumeric string of up to 16 characters. (Table notes: the text key has no default and requires authentication to be set to text; the MD5 key has no default and requires authentication to be set to md5. All keywords are available on all models.)
• Page 185 This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. Description: The router id of the remote ABR; 0.0.0.0 is not allowed. The time, in seconds, to wait before sending an LSA retransmission. The ...
  • Page 186 CLI configuration config distribute-list Access the config distribute-list subcommand using the config router ospf command. Use this command to use an access list to filter the networks in routing updates. Routes not matched by any of the distribute lists will not be advertised.
  • Page 187 This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
• Page 188 The valid range for priority_integer is 0 to 255. Example:
config router ospf
    config neighbor
        edit 1
            set ip 192.168.21.63
Example:
config router ospf
    config neighbor
        edit 1
(Defaults in this table: 0.0.0.0; all keywords are available on all models.)
  • Page 189: Config Network

This example shows how to display the configuration for neighbor 1. config network: Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces.
  • Page 190 This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
  • Page 191 In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. If you configure authentication for the interface, authentication for areas is not used.
• Page 192 ... 576 to 65535 (the interface MTU; default 1500). (Other defaults in this table: disable, null, 0.0.0.0; the MD5 key has no default and requires authentication to be set to md5. All keywords are available on all models.)
  • Page 193 “config neighbor” on page 187. Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 can not be elected DR or BDR.
• Page 194 ... 192.168.20.3
            set authentication text
            set authentication-key a2b3c4d5e
Example:
config router ospf
    config ospf-interface
        edit test
Example:
config router ospf
    config ospf-interface
        edit test
            show
(Defaults in this table: enable; all keywords are available on all models.)
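The difference between text and md5 authentication described for RIP interfaces and, above, for OSPF interfaces, shown on the wire. This is an added example and not code from the Fortinet guide: it builds OSPFv2 Hello packets with simple-password and cryptographic (MD5) authentication following RFC 2328 Appendix D, shows what a passive listener recovers from each, and implements the receiver-side checks (key ID lookup, digest comparison, sequence number). The key a2b3c4d5e and area 15.1.1.1 come from the CLI examples on this page; the router ID, the Hello body contents and the key ID are constructed.

```python
"""Added example: OSPF text-mode vs MD5 authentication (RFC 2328 Appendix D).
Not from the Fortinet guide; packet contents are constructed."""
import hashlib
import hmac
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2
# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, authentication (8 octets)
HDR = struct.Struct("!BBH4s4sHH8s")
ROUTER_ID = bytes([192, 168, 20, 3])   # constructed; same address as the interface example above
AREA_ID = bytes([15, 1, 1, 1])         # area 15.1.1.1 from the CLI examples on this page


def _pad_key(key: bytes) -> bytes:
    # RFC 2328 D.4.3: the key is truncated or zero-padded to 16 octets before hashing
    return key[:16].ljust(16, b"\x00")


def build_text_auth(body: bytes, key: bytes) -> bytes:
    """Simple password (AuType 1): the key itself rides in the header, truncated to 8 octets."""
    auth = key[:8].ljust(8, b"\x00")
    return HDR.pack(2, 1, HDR.size + len(body), ROUTER_ID, AREA_ID, 0, AUTH_SIMPLE, auth) + body


def sniff_text_key(pkt: bytes) -> bytes:
    """What a passive listener on the segment recovers from a text-mode packet: the key."""
    fields = HDR.unpack_from(pkt)
    return fields[7].rstrip(b"\x00") if fields[6] == AUTH_SIMPLE else b""


def build_md5_auth(body: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """Cryptographic authentication (AuType 2): the header carries key ID, digest length and
    a sequence number; MD5(packet || padded key) is appended after the packet. The key never
    appears on the wire, and the checksum field stays zero in this mode."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # reserved, Key ID, Auth Data Len, Crypto seq
    pkt = HDR.pack(2, 1, HDR.size + len(body), ROUTER_ID, AREA_ID, 0, AUTH_MD5, auth) + body
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def verify_md5_auth(pkt: bytes, keys: dict, last_seq: dict) -> str:
    """Receiver side. keys: key ID -> secret; last_seq: router ID -> last accepted sequence
    number, updated on success. Returns 'ok' or the reason the packet was rejected."""
    if len(pkt) < HDR.size + 16:
        return "short"
    _ver, _typ, length, rid, _area, _cks, autype, auth = HDR.unpack_from(pkt)
    if autype != AUTH_MD5 or length + 16 != len(pkt):
        return "framing"
    _res, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys:
        return "unknown-key"
    expected = hashlib.md5(pkt[:length] + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[length:]):
        return "bad-digest"
    # RFC 2328 accepts seq >= last accepted; this example is stricter and also rejects a replay
    # of the identical packet.
    if seq <= last_seq.get(rid, -1):
        return "replay"
    last_seq[rid] = seq
    return "ok"


# Constructed Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
HELLO_BODY = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, ROUTER_ID, bytes(4))


if __name__ == "__main__":
    key = b"a2b3c4d5e"
    print("text mode leaks:", sniff_text_key(build_text_auth(HELLO_BODY, key)))
    pkt = build_md5_auth(HELLO_BODY, key, key_id=1, seq=100)
    state = {}
    print(verify_md5_auth(pkt, {1: key}, state), verify_md5_auth(pkt, {1: key}, state))
```

Two caveats the code makes visible: the simple password field is only 8 octets, so a longer text key is silently truncated (a2b3c4d5e becomes a2b3c4d5), and MD5 mode authenticates but does not encrypt, so routing information remains readable; it also depends on MD5 as a keyed hash rather than an HMAC, which is acceptable for this protocol but not a pattern to copy into new designs.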
  • Page 195: Config Redistribute

    config redistribute: Access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network. config redistribute command syntax pattern...
  • Page 196 Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range”. ...route, you reduce the size of the OSPF link-state database.
  • Page 197: Config Router Static6

    10.0.0.0 255.0.0.0
      get router ospf
      show router ospf
      config router static6
        edit <sequence_integer>
          set <keyword> <variable>
      config router static6
        edit <sequence_integer>
          unset <keyword>
      config router static6
        delete <sequence_integer>
      get router static6 [<sequence_integer>]
      show router static6 [<sequence_integer>]
    CLI configuration...
  • Page 198 Enter ::/0 for the destination IPv6 address and netmask to add a default route. The IPv6 address of the first next-hop router to which this route directs traffic. Example:
      config router static6
        edit 2
          set dev internal
          set dst 12AB:0:0:CD30::/60...
  • Page 199: Firewall

    Firewall. Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
  • Page 200: Policy

    Policy list: You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 85: Sample policy list. Subsections: How policy matching works; Policy list; Policy options; Advanced policy options; Configuring firewall policies.
  • Page 201 The policy list has the following icons and features: Create New, Source, Dest, Schedule, Service, Action, Enable. source -> destination (n): policy list headings indicating the traffic to which the policy... Figure 86: Move to options. Select Create New to add a firewall policy.
  • Page 202: Policy Options

    Select the name of a firewall address or address group that matches the destination address of the packets to be matched with this policy. See “Interface” on page 55 for information about zones, “Address” on page 209, and “Virtual IP” on page 225.
  • Page 203 Schedule: Select a schedule that controls when the policy is available to be matched with connections. Service: Select the name of a service or service group that matches the service or protocol of the packets to be matched with this policy. You can select from a wide range of predefined services or add custom services and service groups.
  • Page 204: Advanced Policy Options

    If you do not select Dynamic IP pool, a policy with Fixed Port selected can only allow one connection at a time. See “IP pool” on page 229, “Authentication” on page 351, “Protection profile”, and “Log & Report”.
  • Page 205 Figure 88: Advanced policy options. Authentication: You must add users and a firewall protection profile to a user group before you can select Authentication. For information about adding and configuring user groups, see “User group”. Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.
  • Page 206: Traffic Shaping

    Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
  • Page 207: Configuring Firewall Policies

    You can configure policies to apply DSCP values for both original (or forward) traffic and reverse (or reply) traffic. These values are optional and may be enabled independently from each other. When both are disabled, no changes to the DS field are made.
  • Page 208: Policy CLI Configuration

    Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords. Command syntax pattern:
      config firewall policy
        edit <id_integer>
          set <keyword> <variable>
  • Page 209: Address

    firewall policy command keywords and variables (table, continued): http_retry_count <retry_integer>; natip <address_ipv4mask>. Address: You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address range.
  • Page 210: Address List

    Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. Select the type of address. Each type reveals the corresponding fields to configure. IP Range: address range separated by a hyphen.
  • Page 211: Configuring Addresses

    An IP/Mask address can represent: ... An IP address can be: ... The netmask corresponds to the type of address that you are adding. For example: ... An IP Range address represents: ...
  • Page 212: Address Group List

    Address group options are configurable when creating or editing an address group. Figure 93: Address group options. Select Create New to add an address group. The name of the address group. The addresses in the address group. The Delete and Edit/View icons.
  • Page 213: Configuring Address Groups

    Address group has the following options: Group Name, Available Addresses, Members. Configuring address groups. To organize addresses into an address group: Go to Firewall > Address > Group. Select Create New. Enter a group name to identify the address group. Select an address from the Available Addresses list and select the right arrow to move the address into the group.
  • Page 214: Predefined Service List

    GRE packets. Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode. (Table columns: Service name, Description, Protocol, Port.)
  • Page 215 Table 24: FortiGate predefined services (continued). Service names on this page: DHCP, FINGER, GOPHER, H323, HTTP, HTTPS, IMAP, Internet-Locator-Service, L2TP, LDAP, NetMeeting. Description: Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE.
  • Page 216 Syslog service for remote logging. A protocol supporting conversations between two or more users. All TCP ports. Protocol/port column values on this page: 5632, icmp, 1723, 26000, 27000, 27910, 27960, 7070, 161-162, 517-518, 0-65535.
  • Page 217: Custom Service List

    Table 24: FortiGate predefined services (continued). Service names on this page: TELNET, TFTP, UUCP, VDOLIVE, WAIS, WINFRAME, X-WINDOWS. Custom service list: Add a custom service if you need to create a policy for a service that is not in the predefined service list. Figure 95: Sample custom service list. The custom services list has the following icons and features.
  • Page 218 The name of the ICMP custom service. Select the protocol type of the service you are adding (ICMP). Enter the ICMP type number for the service. Enter the ICMP code number for the service if required.
  • Page 219: Configuring Custom Services

    Name; Protocol Type; Protocol Number (the IP protocol number for the service). Configuring custom services. To add a custom TCP or UDP service: Go to Firewall > Service > Custom. Select Create New. Enter a name for the new custom TCP or UDP service. Select TCP or UDP as the Protocol Type.
  • Page 220: Service Group List

    Service group options are configurable when creating or editing a service group. Figure 100: Service group options. Select Create New to add a service group. The name to identify the service group. The services added to the service group. The Delete and Edit/View icons.
  • Page 221: Configuring Service Groups

    Service group has the following options: Group Name, Available Services, Members. Configuring service groups. To organize services into a service group: Go to Firewall > Service > Group. Select Create New. Enter a group name to identify the service group. Select a service from the Available Services list and select the right arrow to move the service into the group.
  • Page 222: One-Time Schedule List

    The stop date and time for the schedule. The Delete and Edit/View icons. Enter the name to identify the one-time schedule. Enter the start date and time for the schedule. Enter the stop date and time for the schedule.
  • Page 223: Configuring One-Time Schedules

    Configuring one-time schedules. To add a one-time schedule: Go to Firewall > Schedule > One-time. Select Create New. Type a name for the schedule. Select the start date and time for the schedule. Set start and stop time to 00 for the schedule to be active for the entire day. One-time schedules use a 24-hour clock.
  • Page 224: Recurring Schedule Options

    Enter the name to identify the recurring schedule. Select the days of the week that you want the schedule to be active. Select the start time for the recurring schedule. Select the stop time for the recurring schedule.
  • Page 225: Virtual IP

    To edit a recurring schedule: Go to Firewall > Schedule > Recurring. Select the Edit icon beside the recurring schedule you want to modify. Modify the schedule as required. Note: To change the one-time schedule name you must delete the schedule and add it with a new name.
  • Page 226: Virtual IP List

    The external IP address mapped to an address on the destination network. The external port number of the service from the IP. The real IP address on the destination network. The port number added to packets when they are forwarded (not required). The Delete and Edit/View icons.
  • Page 227: Configuring Virtual IPs

    Virtual IP has the following options: Name; External Interface (select the virtual IP external interface from the list); Type; External IP Address; External Service Port; Map to IP; Map to Port; Protocol. Configuring virtual IPs. To add a static NAT virtual IP: Go to Firewall >...
  • Page 228 If you select port2, the static NAT virtual IP can be added to policies for connections from the port2 interface or any zone containing the port1 interface, to any other interface, VLAN subinterface, or zone. ...or to any other address.
  • Page 229: IP Pool

    To add a dynamic port forwarding virtual IP: Go to Firewall > Virtual IP. Select Create New. Enter a name for the dynamic port forwarding virtual IP. Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
  • Page 230: IP Pool List

    IP pools and dynamic NAT. Select Create New to add an IP pool. The start IP defines the start of an address range. The end IP defines the end of an address range. The Delete and Edit/View icons.
  • Page 231: Configuring IP Pools

    Virtual IP has the following options: Interface Name; IP Range/Subnet (enter the IP address range for the IP pool). Configuring IP pools. To add an IP pool: Go to Firewall > IP Pool. Select the interface to which to add the IP pool. You can select a firewall interface or a VLAN subinterface.
  • Page 232: IP Pools and Dynamic NAT

    Configure spam filtering for IMAP, POP3, and SMTP policies. Enable IPS for all services. Configure content archiving for HTTP, FTP, IMAP, POP3, and SMTP policies. Subsections: Protection profile list; Default protection profiles; Protection profile options; Configuring protection profiles; Profile CLI configuration.
  • Page 233: Protection Profile List

    Protection profile list. Figure 110: Sample list showing the default protection profiles. The Protection Profile list has the following icons and features: Create New, Delete, Edit. Note: You cannot delete a protection profile (the Delete icon is not visible) if it is selected in a firewall policy or included in a user group.
  • Page 234: Protection Profile Options

    Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis.
  • Page 235: Configuring Web Filtering Options

    Pass fragmented emails: Enable or disable passing fragmented email for mail protocols. Oversized file/email. Add signature to outgoing emails. Configuring web filtering options. Figure 113: Protection profile web filtering options. The following options are available for web filtering through the protection profile. See “Web filter”...
  • Page 236: Configuring Web Category Filtering Options

    The FortiGuard web filtering service provides many categories by which to filter web traffic. You can set the action to take on web pages for each category. Choose from allow, block, or monitor. FortiGuard categories are described in “FortiGuard categories” on page 371.
  • Page 237: Configuring Spam Filtering Options

    Configuring spam filtering options. Figure 115: Protection profile spam filtering options. The following options are available for spam filtering through the protection profile: IP address FortiShield check; URL FortiShield check; IP address BWL check; RBL & ORDBL check; HELO DNS lookup; E-mail address BWL check; Return e-mail DNS check (enable or disable checking that the domain specified in the reply-to...).
  • Page 238 ...FortiLog unit for each protocol. Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiLog is enabled under Log&Report > Log Config > Log Settings. See “IPS”.
  • Page 239: Configuring Protection Profiles

    Configuring protection profiles. To add a protection profile: If the default protection profiles do not provide the settings you require, you can create custom protection profiles. Go to Firewall > Protection Profile. Select Create New. Enter a name for the profile. Configure the protection profile options.
  • Page 240: Profile CLI Configuration

    Command syntax pattern:
      config firewall profile
        edit <profilename_str>
          set <keyword> <variable>
      config firewall profile
        edit <profilename_str>
          unset <keyword>
      config firewall profile
        delete <profilename_str>
      get firewall profile [<profilename_str>]
      show firewall profile [<profilename_str>]
  • Page 241 firewall profile command keywords and variables: ftp {block content-archive no-content-summary oversize quarantine scan splice}; http {bannedword block catblock chunkedbypass content-archive no-content-summary oversize quarantine rangeblock scan scriptfilter urlblock urlexempt}. Description: Select the actions that this profile will use for filtering FTP traffic for a policy.
  • Page 242 (firewall profile keyword table, continued) Defaults: fragmail, splice; availability: all models.
  • Page 243: User

    User. You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
  • Page 244: Setting Authentication Timeout

    Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
  • Page 245: RADIUS

    LDAP; RADIUS. To add a user name and configure authentication: Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user. Select OK.
  • Page 246: RADIUS Server Options

    ...FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret.
  • Page 247: LDAP Server List

    The FortiGate unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers.
  • Page 248 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
  • Page 249: User Group

    User group. To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: ...
  • Page 250: User Group Options

    The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group.
  • Page 251: CLI Configuration

    To delete a user group: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
  • Page 252: Peergrp

    Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required. (No default; availability: all models.)
  • Page 253 Example: This example shows how to add peers to the peergrp EU_branches. This example shows how to display the list of configured peer groups. This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peer groups. This example shows how to display the configuration for the peergrp EU_branches.
  • Page 254 CLI configuration
  • Page 255: VPN

    VPN. FortiGate units support the following protocols to authenticate and encrypt traffic: ... This chapter contains information about the following VPN topics: ...
  • Page 256: Phase 1

    Select Create New to create a new phase 1 configuration. The names of existing phase 1 configurations. The IP address or domain name of a remote peer, or Dialup for a dialup client. Main or Aggressive. See the FortiGate VPN Guide and “Manual key”.
  • Page 257: Phase 1 Basic Settings

    Encryption Algorithm; Delete and Edit icons. Phase 1 basic settings. Figure 127: Phase 1 basic settings. Gateway Name: Type a name for the remote VPN peer or client. Enter a name that reflects the... Remote Gateway; IP Address; Dynamic DNS; Mode; Authentication Method.
  • Page 258 The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected. For more information, see the “config user” chapter of the FortiGate CLI Reference Guide.
  • Page 259: Phase 1 Advanced Settings

    Phase 1 advanced settings. Figure 128: Phase 1 advanced settings. P1 Proposal; DH Group. Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations.
  • Page 260: Phase 2

    Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. See “Phase 2 list” on page 261, “Phase 2 basic settings” on page 261, “Phase 2 advanced options” on page 262, “Manual key” on page 263, and the FortiGate VPN Guide.
  • Page 261: Phase 2 List

    Phase 2 list. Figure 129: IPSec VPN Phase 2 list. Create New; Tunnel Name; Remote Gateway; Lifetime (sec/kb); Status; Timeout; Delete and Edit icons. Phase 2 basic settings. Figure 130: Phase 2 basic settings. Tunnel Name; Remote Gateway; Concentrator. Select Create New to create a new phase 2 tunnel configuration.
  • Page 262: Phase 2 Advanced Options

    SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest. To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the add button beside the fields for the second combination.
  • Page 263: Manual Key

    Enable replay detection; Enable perfect forward secrecy (PFS); DH Group; Keylife; Autokey Keep Alive; DHCP-IPSec; Internet browsing; Quick Mode Identities. Manual key: If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where: ...
  • Page 264: Manual Key List

    Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0xbb8 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.
  • Page 265 Remote Gateway; Encryption Algorithm. Figure 133: Adding a manual key VPN tunnel. Encryption Key; Authentication Algorithm. Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams. Select one of the following symmetric-key encryption algorithms: ...
  • Page 266: Concentrator

    See “Concentrator list” on page 266 and “Concentrator options” on page 267. Select Create New to define a new concentrator for an IPSec hub-and-spoke configuration. The tunnels that are associated with the concentrator. Delete or edit a concentrator configuration.
  • Page 267: Concentrator Options

    Concentrator options. Figure 135: Creating a concentrator for a hub-and-spoke configuration. Concentrator Name; Available Tunnels; Members. Ping Generator: The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, the ping generator is useful in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically; traffic may be suspended while the IP address changes.
  • Page 268: Ping Generator Options

    If you want to generate traffic on a second VPN tunnel simultaneously, enter a second IP address from which traffic may originate locally. Enter the IP address of the second computer to ping. See “Dialup monitor” on page 269 and “Static IP and dynamic DNS monitor” on page 269.
  • Page 269: Dialup Monitor

    To establish or take down a VPN tunnel Go to VPN > IPSEC > Monitor. In the list of tunnels, select the Bring down tunnel or Bring up tunnel button in the row that corresponds to the tunnel that you want to bring down or up. If you take down an active tunnel while a dialup client such as FortiClient is still connected, FortiClient will continue to show the tunnel connected and idle.
  • Page 270: PPTP

    Start or stop the selected VPN tunnel. If you stop the tunnel, the remote VPN peer may have to reconnect to establish a new VPN session. Display the previous or next page of VPN-tunnel status listings. See “PPTP configuration procedures” on page 278.
  • Page 271: L2TP

    Figure 139: PPTP range. Enable PPTP; Starting IP; Ending IP; User Group; Disable PPTP. L2TP: A FortiGate unit can be configured to act as an L2TP network server. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly.
  • Page 272: Certificates

    The status of the local certificate. PENDING designates a certificate request that should be downloaded and signed. Select to display certificate details such as the certificate name, issuer, subject, and valid certificate dates. See “Certificate request”, “Importing signed certificates”, “Importing CA...”, Figure 142, and the FortiGate VPN Guide.
  • Page 273: Certificate Request

    Delete icon; Download icon. Figure 142: Certificate details. Certificate request: To obtain a personal or site certificate, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request. The generated request includes information such as the FortiGate unit’s public static IP address, domain name, or email address.
  • Page 274: Importing Signed Certificates

    Contact email address. The CA may choose to deliver the digital certificate to this address. Only RSA is supported. Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all IPSec VPN products support all three key sizes.
  • Page 275: CA Certificate List

    CA certificate list: Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. The installed CA certificates are displayed in the CA certificate list. Figure 145: CA certificate list. Import; Name; Subject; View Certificate Detail icon; Delete icon...
  • Page 276: VPN Configuration Procedures

    “Configuring L2TP VPNs” describes how to configure the FortiGate unit to operate as an L2TP network server. “Monitoring and Testing VPN Tunnels” outlines some general monitoring and testing procedures for VPNs. See “Phase 1” on page 256, “Phase 2” on page 260, “Manual key” on page 263, and the FortiGate VPN Guide.
  • Page 277 In the IP Range/Subnet field, type the corresponding IP address and subnet mask (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1/32 for a server or host) or IP address range (for example, 192.168.10.[80-100]). Select OK. To define an IP destination address Go to Firewall >...
  • Page 278: PPTP Configuration Procedures

    To perform Steps 3 and 4, see “User” on page 243, “PPTP range” on page 270, “L2TP range” on page 271, and the FortiGate VPN Guide.
  • Page 279: CLI Configuration

    CLI configuration: This section provides information about features that must be configured through CLI commands. CLI commands provide additional network options that cannot be configured through the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference Guide. ...
  • Page 280 Example (dpd must be set to enable; values in seconds; availability: all models):
      ...1000
      set dpd-idleworry 150
      set dpd-retrycount 5
      set dpd-retryinterval 30
  • Page 281: IPSec Phase2

    ipsec phase2: Use the config vpn ipsec phase2 CLI command to add or edit an IPSec VPN phase 2 configuration. Command syntax pattern. ipsec phase2 command keywords and variables: bindtoif <interface-name_str>; single-source {disable | enable}. ipsec vip: A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding the associated traffic to the intended destination host over an IPSec VPN tunnel.
  • Page 282 The name of the FortiGate interface to the destination network. Example (defaults 0.0.0.0 and null; availability: all models; see page 283):
      config vpn ipsec vip
        edit 1
          set ip 192.168.12.1
          set out-interface external
        next
        edit 2
          set ip 192.168.12.2
          set out-interface external
  • Page 283: Configuring IPSec Virtual IP Addresses

    Note: Typing next lets you define another VIP address without leaving the vip shell. This example shows how to display the settings for the vpn ipsec vip command. This example shows how to display the settings for the VIP entry named 1. This example shows how to display the current configuration of all existing VIP entries.
  • Page 284 For example, to enable access to Host_1 on the Finance network:
      config vpn ipsec vip
        edit 1
          set ip 192.168.12.1
          set out-interface external
    (See the “ipsec” commands on page 281, “Phase 2” on page 260, and “Adding firewall...” on page 276.)
  • Page 285: IPS

    ...IPS (attack) engines and definitions through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see ...
  • Page 286: Signature

    The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
  • Page 287: Predefined Signature List

    If logging is disabled and action is set to Pass, the signature is effectively disabled. The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection-based attacks.
  • Page 288: Configuring Predefined Signatures

    The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
  • Page 289: Configuring Parameters For Dissector Signatures

    Select the Enable box to enable the signature or clear the Enable box to disable the signature. Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. Select the Action for the FortiGate unit to take when traffic matches this signature. Select OK.
  • Page 290: Custom

    Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group. Select Create New to create a new custom signature. Remove all the custom signatures from the custom signature group.
  • Page 291: Adding Custom Signatures

    Reset to recommended settings? Name Revision Enable Logging Action Modify Adding custom signatures To add a custom signature Go to IPS > Signature > Custom. Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.
  • Page 292: Anomaly

    The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly.
  • Page 293: Configuring An Anomaly

    If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop: The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection-based attacks.
  • Page 294 FortiGate session table, and does not send a reset. Session Pass: The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Traffic over the specified threshold triggers the anomaly.
  • Page 295: Anomaly Cli Configuration

    Anomaly CLI configuration Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. (config ips anomaly) config limit Note: This command has more keywords than are listed in this Guide.
  • Page 296: Configuring Ips Logging And Alert Email

    You can change the default fail open setting using the CLI: config sys global set ips-open [enable | disable]. Enable ips_open to cause the IPS to fail open and disable ips_open to cause the IPS to fail closed. See “Log & Report” on page 351.
  • Page 297: Antivirus

    Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
  • Page 298: File Block

    IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see
  • Page 299: File Block List

    Antivirus File block list The file block list is preconfigured with a default list of file patterns (Figure 158: Default file block list). The file block list has the following icons and features: Create New, Apply, Pattern...
  • Page 300: Configuring The File Block List

    You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.
  • Page 301: Quarantined Files List Options

    EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
  • Page 302: Autosubmit List

    (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
  • Page 303: Config

    Antivirus Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 162:Quarantine configuration Quarantine configuration has the following options: Options Age limit...
  • Page 304: Config

    So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold. To find out how to use the Fortinet Update Center, see page 128.
  • Page 305: Grayware

    Antivirus Figure 164:Example threshold configuration You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Further file size limits for uncompressed files can be configured as an advanced feature via the CLI.
  • Page 306 Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
  • Page 307: Cli Configuration

    When the free memory once again reaches 30% or greater of the total memory, the system returns to nonconserve mode. For more information see the Antivirus failopen and optimization Fortinet Knowledge Center article. Command syntax pattern...
  • Page 308: System Global Optimize

    FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster. For more information see the Antivirus failopen and optimization Fortinet Knowledge Center article. Command syntax pattern...
  • Page 309: Config Antivirus Quarantine

    Antivirus Table 29: antivirus heuristic command keywords and variables Keywords and variables mode {pass | block | disable} Example This example shows how to disable heuristic scanning. This example shows how to display the settings for the antivirus heuristic command. This example shows how to display the configuration for the antivirus heuristic command.
  • Page 310: Config Antivirus Service Http

    Table columns Default and Availability for the antivirus service commands: imap, smtp, pop3 and http are available on FortiGate models numbered 200 and higher; the default is 10 (MB), all models.
  • Page 311: Config Antivirus Service Ftp

    Antivirus antivirus service http command keywords and variables Keywords and variables port <port_integer> uncompsizelimit <MB_integer> How file size limits work The memfilesizelimit is applied first to all incoming files, compressed or uncompressed. If the file is larger than the limit the file is passed or blocked according to the user configuration in the firewall profile.
  • Page 312 Enter a value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended). See “How file size limits work” on page 311. Default 10 (MB), all models.
  • Page 313: Config Antivirus Service Pop3

    Antivirus Example This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to memory at 100 MB, and how to enable antivirus scanning on ports 20 and 21 for FTP traffic.
  • Page 314 20 set uncompsizelimit 60 set port 110 set port 111 set port 992 get antivirus service pop3 show antivirus service pop3 (Default 10 (MB), all models; see page 311.)
  • Page 315: Config Antivirus Service Imap

    Antivirus config antivirus service imap Use this command to configure how the FortiGate unit handles antivirus scanning of large files in IMAP traffic and what ports the FortiGate unit scans for IMAP. Command syntax pattern antivirus service imap command keywords and variables Keywords and variables memfilesizelimit...
  • Page 316: Config Antivirus Service Smtp

    50 set port 143 set port 993 get antivirus service imap show antivirus service imap config antivirus service smtp set <keyword> <variable> config antivirus service smtp unset <keyword> get antivirus service [smtp] show antivirus service [smtp]
  • Page 317 Antivirus antivirus service smtp command keywords and variables Keywords and variables memfilesizelimit <MB_integer> port <port_integer> uncompsizelimit <MB_integer> How file size limits work Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 100 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 1 GB (1000 MB), and how to enable antivirus scanning on ports 25 and 465 for SMTP traffic.
  • Page 318 CLI configuration
  • Page 319: Web Filter

    FortiGate-5000 series Administration Guide Version 2.80 MR8 Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering.
  • Page 320 This chapter describes: Content block, URL block, URL exempt, Category block, Script filter. For information about adding protection profiles to firewall policies, see “Protection profile” on page 239.
  • Page 321: Content Block

    Web filter Content block Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
  • Page 322: Configuring The Web Content Block List

    See “Using Perl regular expressions” on page 347. Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list.
  • Page 323: Web Url Block List

    Web filter Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.
  • Page 324: Configuring The Web Url Block List

    FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings.
  • Page 325: Web Pattern Block Options

    Web filter Figure 170:Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Create New Pattern Configuring web pattern block To add a pattern to the web pattern block list Go to Web Filter > URL Block. Select Web Pattern Block.
  • Page 326: Url Exempt List

    Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons.
  • Page 327: Category Block

    FortiGuard managed web filtering service FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
  • Page 328: Category Block Configuration Options

    FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard Service Point when you enable FortiGuard category blocking.
  • Page 329: Configuring Web Category Block

    Web filter Configuring web category block To enable FortiGuard web filtering Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available. If the FortiGuard status is unavailable, wait and try again.
  • Page 330: Category Block Reports Options

    The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame.
  • Page 331: Script Filter

    The hostname of the FortiGuard Service Point. The FortiGate comes preconfigured with the host name. Use this command only if you need to change the host name. config webfilter catblock set ftgd_hostname guard.example.net get webfilter catblock show webfilter catblock Default: guard.fortinet.com...
  • Page 332: Web Script Filter Options

    You can configure the following options for script filtering: Javascript, Cookies, ActiveX. Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications.
  • Page 333: Spam Filter

    Table 31: Spam Filter and Protection Profile spam filtering configuration Protection Profile spam filtering options IP address FortiShield check Enable or disable Fortinet’s antispam service called FortiShield. FortiShield is Fortinet’s own DNSBL server that provides spam IP address and URL blacklists. Fortinet keeps the FortiShield IP addresses and URLs up-to-date as new spam sources are found.
  • Page 334 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. See “Protection profile” on page 239.
  • Page 335: Fortishield

    FortiShield Spam filtering FortiShield is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam. The URL black list contains URLs of websites found in spam email.
  • Page 336 FortiShield licensing Every FortiGate unit comes with a free 30-day FortiShield trial license. FortiShield license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit automatically contacts a FortiShield Service Point when you enable FortiShield.
  • Page 337: Fortishield Options

    Use the procedure FortiShield in a protection profile. FortiShield options If you have ordered FortiShield through Fortinet technical support or are using the free 30-day trial, you only need to enable the service to start configuring and using FortiShield. Figure 177:FortiShield configuration You can configure or view the following settings for the FortiShield service: Enable Service Select to enable the FortiShield service.
  • Page 338: Fortishield Cli Configuration

    Point. The FortiGate unit comes preconfigured with the host name. Use this command only if you need to change the host name. config spamfilter fortishield set hostname shield.example.net get spamfilter fortishield show spamfilter fortishield Default: antispam.fortigate.com
  • Page 339: Ip Address

    Spam filter IP address The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP address of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
  • Page 340: Dnsbl & Ordbl

    ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see “DNS”. This section describes: DNSBL & ORDBL list, DNSBL & ORDBL options, Configuring the DNSBL & ORDBL list.
  • Page 341: Dnsbl & Ordbl List

    Spam filter DNSBL & ORDBL list You can configure the FortiGate unit to filter email by accessing DNSBL or ORDBL servers. You can mark a match by each server as spam or reject. Figure 180:Sample DNSBL & ORDBL list DNSBL & ORDBL options DNSBL &...
  • Page 342: Email Address

    Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to let the email pass to the next filter. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 347.
  • Page 343: Mime Headers

    Spam filter Figure 183:Adding an email address Enter the email address or pattern you want to add. Select a pattern type for the list entry. If required, select before or after another email address in the list to place the new email address in the correct position.
  • Page 344: Mime Headers List

    Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 347.
  • Page 345: Configuring The Mime Headers List

    Spam filter Configuring the MIME headers list To add a MIME header to the list Go to Spam Filter > MIME headers. Select Create New. Figure 185:Adding a MIME header Enter the MIME header key. Enter the MIME header value. Select a pattern type for the list entry.
  • Page 346: Banned Word List

    Traditional Chinese, French, Japanese, Korean, Thai, or Western. The location which the FortiGate unit searches for the banned word: subject, body, or all. The selected action to take on email with banned words. The Delete and Edit/View icons. See “Using Perl regular expressions” on page 347.
  • Page 347: Configuring The Banned Word List

    Spam filter Figure 187:Adding a banned word Pattern Pattern Type Language Where Action Enable Configuring the banned word list To add or edit a banned word Go to Spam Filter > Banned Word. Select Create New to add a banned word or select Edit for the banned word you want to modify.
  • Page 348 [abc] fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To match fortinet.com, the regular expression should be: fortinet\.com forti*\.com matches fortiiii.com but does not match fortinet.com Matches abc (that exact character sequence, but anywhere in the string)
  • Page 349 Spam filter Table 32: Perl regular expression formats [Aa]bc [abc]+ [^abc]+ \d\d 100\s*mk abc\b perl\B Examples To block any word in a phrase /block|any|word/ To block purposely misspelled words Spammers often insert other characters between the letters of a word to fool spam blocking software.
  • Page 350 Using Perl regular expressions
  • Page 351: Log & Report

    FortiGate-5000 series Administration Guide Version 2.80 MR8 Log & Report FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages, except traffic and content, can be saved in internal memory.
  • Page 352: Log Config

    FortiGate units and other firewall units. To enable content archiving with a firewall Protection profile, you need to select the FortiLog option and define its IP address. The FortiGate disk (if the FortiGate unit has one).
  • Page 353 Log & Report Memory Syslog WebTrends Figure 189:Log setting options for all log locations To configure Log Setting Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
  • Page 354 Enter the port number used by the FTP server. The default port is 21, which is the standard FTP port. Enter the user name required to connect to the FTP server. Enter the password required to connect to the FTP server. See Table 33 on page 354.
  • Page 355: Syslog Settings

    Log & Report Remote Directory Log files to upload To configure log file uploading Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server.
  • Page 356: Alert E-Mail Options

    The interval to wait before sending an alert e-mail for critical level log messages. The interval to wait before sending an alert e-mail for error level log messages. The interval to wait before sending an alert e-mail for warning level log messages.
  • Page 357: Log Filter Options

    Log & Report Notification Information Apply Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in “Log filter options”.
  • Page 358: Traffic Log

    The FortiGate unit logs all traffic that violates the firewall policy settings. The FortiGate unit logs all system-related events, such as ping server failure and gateway status. The FortiGate unit logs all IPSec negotiation events, such as progress and error reports.
  • Page 359 Log & Report DHCP service event L2TP/PPTP/PPPoE service event Admin event HA activity event Firewall authentication event Pattern update event Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
  • Page 360: Configuring Log Filters

    The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic.
  • Page 361: Log Access

    Log & Report Log access Log Access provides access to log messages saved to the FortiGate disk or to the memory buffer. You can delete, view, search, and navigate logs. Note: FortiGate units do not save some types of logs to memory. You can view these log messages with Log Access only if your FortiGate unit contains a hard disk drive.
  • Page 362: Viewing Log Messages

    Select the log location for which you want to view logs: disk or memory. Go to previous page icon: view the previous page in the log file. See “Searching log messages” on page 365.
  • Page 363 Log & Report View per page Line: / Search Advanced Search Select to search log messages by date, time and keywords. Raw or Formatted To view log messages in the FortiGate memory buffer Go to Log&Report > Log Access. Select the log type you wish to view. Select Memory from the Type list.
  • Page 364 Move selected field up one position in the Show these fields list. Move selected field down one position in the Show these fields list.
  • Page 365: Searching Log Messages

    Log & Report Searching log messages There are two ways to search log messages: a simple keyword search or an advanced search that enables you to use multiple keywords and specify a time range. To perform a simple keyword search Display the log messages you want to search.
  • Page 366: Cli Configuration

    Enter the IP address of the FortiLog unit. Enter enable to enable logging to a FortiLog unit. (Default and Availability columns: disable or no default; all models.)
  • Page 367: Syslogd Setting

    Log & Report Example This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel. This example shows how to display the log setting for logging to a FortiLog unit. This example shows how to display the configuration for logging to a FortiLog unit.
  • Page 368 Network Time Protocol (NTP) daemon; messages generated internally by the syslog daemon. (Default and Availability columns: local7, no default, disable; all models.)
  • Page 369 Log & Report Example This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user. This example shows how to display the log setting for logging to a remote syslog server.
  • Page 370 CLI configuration
  • Page 371: Fortiguard Categories

    FortiGate-5000 series Administration Guide Version 2.80 MR8 FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
  • Page 372 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.
  • Page 373 FortiGuard categories Table 35: FortiGuard categories Category name 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25.
  • Page 374 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.
  • Page 375 FortiGuard categories Table 35: FortiGuard categories Category name 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles FortiGate-5000 series Administration Guide Description Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
  • Page 376 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, 'Address Allocation for Private Internets'. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities.
  • Page 377: Glossary

    VPN peer uses its identity as part of the authentication process. See also main mode. AH, Authentication Header: An IPSec security protocol. Fortinet IPSec uses ESP in tunnel mode, not AH. See ESP. ARP, Address Resolution Protocol: A protocol that resolves a logical IP address to a physical Ethernet address.
  • Page 378 The FortiGate interface that connects to an internal (private) network. Internet: The network that encompasses the world. As a generic term, it refers to any collection of interdependent networks. IP, Internet Protocol: The component of TCP/IP that handles routing.
  • Page 379 Any packets larger than the MTU are divided into smaller packets before they are sent. NAT, Network Address Translation: A way of routing IPv4 packets transparently. Using NAT, a router or FortiGate unit between a private and public network translates private IP addresses to public addresses and the other way around.
  • Page 380 A hardware device that connects computers on the Internet together and routes traffic between them. A router may connect a LAN and/or DMZ to the Internet. routing: The process of determining which path to use for sending packets to a destination.
  • Page 381 SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP agents store and return data about themselves to SNMP requesters. spam: Unsolicited email. SSH, Secure Shell: An application that enables users to log into a remote computer and run commands securely.
  • Page 382 Glossary
  • Page 383: Index

    FortiGate-5000 series Administration Guide Version 2.80 MR8 Index abr-type 175 accept action firewall policy 203 access-list 186 action firewall policy 201, 203 Spam filter banned word 346, 347 Spam filter DNSBL and ORDBL 341 Spam filter IP address 339 Spam filter MIME headers 344 action type Spam filter email address 342 Action, Policy 277...
  • Page 384 346, 347 where 346, 347 banned word check protection profile 237 banned word list Spam filter 346 banned word options Spam filter 346 service 215 grayware category 306 bindtoif 281 block unrated websites (HTTP only) protection profile 236
  • Page 385 blocked web category report 330 border-routers 173 browsing the Internet through a VPN tunnel 263 CA certificates 274 cache FortiGuard 328 FortiShield 337 categories FortiGuard 327, 371 category protection profile 236 web category report 330 category block 327 configuration options 328 reports 329, 330 category blocking 327 Certificate Name 258, 274...
  • Page 386 342 adding an email address or domain to the Spam filter email address list 342 pattern type 342 Spam filter 342 email address BWL check protection profile 237 email address list Spam filter 342
  • Page 387 email address options Spam filter 342 email scanning oversize threshold 304 enable firewall policy 201, 208 Spam filter banned word 347 enable AutoSubmit quarantine 303 enable cache FortiShield 337 enable category block (HTTP only) protection profile 236 Enable perfect forward secrecy (PFS) 263 Enable replay detection 263 enable service FortiShield 337...
  • Page 388 (reply) DSCP value 207 schedule 201, 203 service 201, 203 source 201 source address name 202 source interface/zone 202 traffic priority 206 traffic shaping 206 VPN tunnel 203 firewall protection profile default protection profiles 233 list 233 options 234
  • Page 389 330 reports 329 service points 327 TTL 328 Fortilog logging settings 353 fortilog setting 366 Fortinet customer service 24 FortiProtect Distribution Network 128 FortiProtect Distribution Server 128 FortiShield cache 337 changing the FortiShield hostname 338 CLI configuration 338...
  • Page 390 PPTP 92 primary cluster unit 90 primary unit 90 priorities of heartbeat device 96 random (schedule) 95 round-robin 95 schedule 95 standalone mode 93 unit priority 94 view the status of each cluster member 103 weighted-round-robin 95
  • Page 391 HA cluster members active sessions 104 back to HA configuration page 103 cluster ID 103 CPU usage 104 go 103 intrusion detected 104 memory usage 104 monitor 103 network utilization 104 refresh every 103 status 103 total bytes 104 total packets 104 up time 103 virus detected 104 header...
  • Page 392 Local SPI, Manual Key 264 Log & report 351 Log file upload settings 354 Log filter options 357 Log settings 352 log traffic firewall policy 204 Logging 361 logging 20 predefined signature 287 logs managing for individual cluster units 104
  • Page 393 NetMeeting service 215 network address translation introduction 16 network intrusion detection 17 network utilization HA cluster members 104 network-type 193 next hop router 65 service 215 grayware category 306 NNTP service 216 nonconserve mode antivirus 307 none HA schedule 95...
  • Page 394 Phase 1 basic settings 257 Phase 1 list 256 Phase 2 260 Phase 2 advanced options 262 Phase 2 basic settings 261 Phase 2 list 261 PING service 216 ping generator IPSec VPN 267 plugin grayware category 306
  • Page 395 policy accept action 203 action 201, 203 adding 207 address name 202 advanced 204 allow inbound 203 allow outbound 203 authentication 205 changing the position in the policy list 208 comments 207 configuring 207 create new 201 deleting 207 deny action 203 dest 201 destination address name 202 destination interface/zone 202...
  • Page 396 301 date 301 DC 301 download 301 duplicates 301 file name 301 filter 301 options 301 service 301 sort by 301 status 301 status description 301 submit 301 TTL 301 upload status 301 Quick Mode Identities 263
  • Page 397 216 RLOGIN service 216 Round-Robin HA schedule 95 route 173 routemap 195 router next hop 65 router-id 176 routing configuring 69 policy 155 scan anomaly type 292 default protection profile 233 schedule automatic antivirus and attack definition updates 131...
  • Page 398 218 source session limit anomaly type 292 spam action protection profile 238 Spam filter 333 adding a server to the DNSBL and ORDBL list 341 adding an email address or domain to the Spam filter email
  • Page 399 address list 342 adding MIME headers to the Spam filter MIME header list adding words to the Spam filter banned word list 347 banned word 345 banned word list 346 banned word options 346 DNSBL 340 DNSBL list 341 DNSBL options 341 email address 342 email address list 342 email address options 342...
  • Page 400 226 map to IP 226, 227 map to port 226, 227 options 226 port forwarding 225 protocol 227 service port 226 static NAT 225 type 227 virtual-links 173 virus virus list information 298 virus list updates 298
  • Page 401 virus detected HA cluster members 104 virus list 304 virus protection worm protection 14 virus protection See also antivirus 297 virus scan protection profile 234 VLAN overview 70 VLAN subinterface bringing down 62 bringing up 62 starting 62 introduction 17 VPN certificates restore 127 upload 127...