Page 1 Administration Guide FortiGate 500A CONSOLE 10/100 10/100/1000 Enter FortiGate-500A Administration Guide Version 2.80 MR6 5 November 2004 01-28006-0100-20041105...
Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Page 3: Table Of Contents
High availability ... 18 Secure installation, configuration, and management ... 18 Document conventions ... 20 FortiGate documentation ... 21 Comments on Fortinet technical documentation... 21 Related documentation ... 22 FortiManager documentation ... 22 FortiClient documentation ... 22 FortiMail documentation... 22 FortiLog documentation ...
Page 4 Managing an HA cluster... 95 SNMP... 98 Configuring SNMP ... 99 SNMP community ... 100 FortiGate MIBs... 102 FortiGate traps ... 103 Fortinet MIB fields ... 105 Replacement messages ... 107 Replacement messages list ... 107 Changing replacement messages ... 108 01-28006-0100-20041105 Fortinet Inc.
Page 5 Configuring routing for a virtual domain ... 142 Configuring firewall policies for a virtual domain ... 142 Configuring IPSec VPN for a virtual domain ... 144 Router ... 145 Static ... 145 Static route list ... 147 Static route options ... 148 Policy ...
Page 6 ... 168 config router static6... 191 Firewall... 193 Policy ... 194 How policy matching works... 194 Policy list ... 194 Policy options... 196 Advanced policy options ... 198 Configuring firewall policies ... 200 Policy CLI configuration ... 201 01-28006-0100-20041105 Fortinet Inc.
Page 7 Address... 202 Address list ... 203 Address options ... 203 Configuring addresses ... 204 Address group list ... 205 Address group options ... 205 Configuring address groups... 206 Service ... 206 Predefined service list... 207 Custom service list... 210 Custom service options... 210 Configuring custom services...
Page 8 Setting up a PPTP-based VPN ... 263 Enabling PPTP and specifying a PPTP range ... 264 Configuring a Windows 2000 client for PPTP ... 265 Configuring a Windows XP client for PPTP ... 265 PPTP passthrough... 266 01-28006-0100-20041105 Fortinet Inc.
Page 9 L2TP ... 267 Setting up a L2TP-based VPN... 268 Enabling L2TP and specifying an L2TP range... 268 Configuring a Windows 2000 client for L2TP... 269 Configuring a Windows XP client for L2TP ... 270 Certificates ... 272 Viewing the certificate list... 273 Generating a certificate request...
Page 10 Configuring the web URL block list ... 329 Web pattern block list... 330 Web pattern block options ... 331 Configuring web pattern block ... 331 URL exempt ... 331 URL exempt list... 332 URL exempt list options ... 332 Configuring URL exempt... 332 01-28006-0100-20041105 Fortinet Inc.
Page 11 Category block ... 333 FortiGuard managed web filtering service ... 333 Category block configuration options... 334 Configuring web category block... 335 Category block reports... 335 Category block reports options ... 336 Generating a category block report... 336 Category block CLI configuration... 336 Script filter ...
Page 12 Disk log file access ... 364 Viewing log messages ... 365 Searching log messages... 368 CLI configuration... 369 fortilog setting... 369 syslogd setting ... 370 FortiGuard categories ... 373 FortiGate maximum values ... 379 Glossary ... 383 Index ... 387 01-28006-0100-20041105 Fortinet Inc.
Page 13: Introduction
• • The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
Page 14: Antivirus Protection
PKZip format, detect viruses in email that has been encoded using uuencode format, detect viruses in email that has been encoded using MIME encoding, log all actions taken while scanning. 01-28006-0100-20041105 Introduction CONSOLE 10/100 10/100/1000 Enter Fortinet Inc.
Page 15: Web Content Filtering
Introduction Web content filtering FortiGate web content filtering can scan all HTTP content protocol streams for URLs, URL patterns, and web page content. If there is a match between a URL on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiGate unit blocks the web page.
Page 16: Transparent Mode
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
Page 17: Vlans And Virtual Domains
Introduction VLANs and virtual domains Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiGate unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain.
Page 18: High Availability
• High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
Page 19: Command Line Interface
Introduction You can also create a basic configuration using the FortiGate front panel control buttons and LCD. Web-based manager Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages.
Page 20: Document Conventions
A space to separate options that can be entered in any combination and must be separated by spaces. For example: set allowaccess {ping https ssh snmp http telnet} You can enter any of the following: set allowaccess ping set allowaccess ping https ssh 01-28006-0100-20041105 Introduction Fortinet Inc.
Page 21: Fortigate Documentation
• • • • • • Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. FortiGate-500A Administration Guide set allowaccess https ping ssh set allowaccess snmp...
Page 22: Related Documentation
Related documentation Related documentation Additional information about Fortinet products is available from the following related documentation. FortiManager documentation • • • FortiClient documentation • • FortiMail documentation • • • FortiManager QuickStart Guide Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
Page 23: Fortilog Documentation
Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
Page 24 Customer service and technical support Introduction 01-28006-0100-20041105 Fortinet Inc.
Page 25: System Status
System status You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: • •...
Page 26: Status
Viewing system status Changing unit information Select to control how often the web-based manager updates the system status display. Select to set the selected automatic refresh interval. Select to manually update the system status display. 01-28006-0100-20041105 114. System status Fortinet Inc.
Page 27: Unit Information
System status System status UP Time System Time Log Disk Notification Unit Information Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see Host Name Firmware Version Antivirus Definitions The current installed version of the FortiGate Antivirus Definitions.
Page 28: System Resources
CPU usage for the previous minute. Session history for the previous minute. Network utilization for the previous minute. The virus detection history over the last 20 hours. The intrusion detection history over the last 20 hours. 01-28006-0100-20041105 System status Fortinet Inc.
Page 29: Changing Unit Information
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. FortiGate-500A Administration Guide The time at which the recent intrusion was detected.
Page 30 Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
Page 31: Session List
System status Note: If the web-based manager IP address was on a different subnet in NAT/Route mode, you may have to change the IP address of your computer to the same subnet as the management IP address. To change to NAT/Route mode After you change the FortiGate unit from the NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except for HA settings (see...
Page 32: Changing The Fortigate Firmware
FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Total number of sessions currently being conducted through the FortiGate unit.
Page 33: Upgrading To A New Firmware Version
System status Table 1: Firmware upgrade procedures Procedure Upgrading to a new firmware version Reverting to a previous firmware version Installing firmware images from a system reboot using the CLI Testing a new firmware image before installing it Installing and using a backup firmware image Upgrading to a new firmware version...
Page 34: Upgrading The Firmware Using The Cli
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
Page 35: Reverting To A Previous Firmware Version
System status The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes. Reconnect to the CLI. To confirm that the new firmware image is successfully installed, enter: get system status Use the procedure antivirus and attack definitions, or from the CLI, enter: execute update_now...
Page 36: Reverting To A Previous Firmware Version Using The Cli
“Backing up and Restoring” on page “To update antivirus and attack definitions” on page 123 to update the antivirus and attack definitions. 01-28006-0100-20041105 System status “Backup and restore” on “To update antivirus and 118. to make sure that antivirus execute Fortinet Inc.
Page 37: Installing Firmware Images From A System Reboot Using The Cli
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
Page 38 Back up web content and email filtering lists. For information, see “Web filter” on page 325 “To update antivirus and attack definitions” on page 123 01-28006-0100-20041105 System status 118. “Spam filter” on page 339. to make sure that antivirus Fortinet Inc.
Page 39 System status Type y. As the FortiGate units starts, a series of system startup messages is displayed. When one of the following messages appears: • • Immediately press any key to interrupt the system startup. Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the If you successfully interrupt the startup process, one of the following messages appears:...
Page 40: Testing A New Firmware Image Before Installing It
“Updating antivirus and attack definitions” on page “Upgrading to a new firmware version” on page 01-28006-0100-20041105 “Backup and restore” on page “Backing up and restoring custom signature “Backup and restore” on page “Backup and restore” on page 117. 122. System status 117. 117. Fortinet Inc.
Page 41 System status For this procedure you: • • To test a new firmware image Connect to the CLI using a null-modem cable and FortiGate console port. Make sure the TFTP server is running. Copy the new firmware image file to the root directory of the TFTP server. Make sure that port1 is connected to the same network as the TFTP server.
Page 42: Installing And Using A Backup Firmware Image
FortiGate unit running v3.x BIOS Save as Default firmware/Run image without saving:[D/R] Save as Default firmware/Backup firmware/Run image without saving:[D/B/R] Installing a backup firmware image Switching to the backup firmware image Switching back to the default firmware image 01-28006-0100-20041105 System status Fortinet Inc.
Page 43: Installing A Backup Firmware Image
System status Installing a backup firmware image To run this procedure you: • • To install a backup firmware image Connect to the CLI using the null-modem cable and FortiGate console port. Make sure that the TFTP server is running. Copy the new firmware image file to the root directory of your TFTP server.
Page 44: Switching To The Backup Firmware Image
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the 01-28006-0100-20041105 System status to switch to a backup command. execute reboot Fortinet Inc.
Page 45: Switching Back To The Default Firmware Image
System status If you successfully interrupt the startup process, the following message appears: [G]: [F]: [B]: [Q]: [H]: Enter G,F,B,Q,or H: Type B to load the backup firmware image. The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts, it is running the backup firmware version and the configuration is set to factory default.
Page 46 Changing the FortiGate firmware System status 01-28006-0100-20041105 Fortinet Inc.
Page 47: System Network
System network System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
Page 48: Interface Settings
Bring Down or Bring Up. For more information, “To bring down an interface that is administratively up” on page 54 “To start up an interface that is administratively down” on page Delete, edit, and view icons. 01-28006-0100-20041105 System network “VLAN Fortinet Inc.
Page 49 System network Figure 6: Interface settings See the following procedures for configuring interfaces: • • • • • • • • • • • • Name The name of the Interface. Interface Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface.
Page 50 Interface The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see Virtual Domain Select a virtual domain to add the interface or VLAN subinterface to this virtual domain.
Page 51 System network PPPoE If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
Page 52 Ping server Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address.
Page 53: Configuring Interfaces
System network SNMP TELNET To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
Page 54 58. You cannot add an interface to a zone if you have added firewall policies for “To add a virtual domain” on page 01-28006-0100-20041105 “To add a zone” on 139. You cannot add an interface to a virtual System network Fortinet Inc.
Page 55 System network Set Addressing Mode to Manual. Change the IP address and Netmask as required. Select OK to save your changes. If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.
Page 56 To add a ping server to an interface Go to System > Network > Interface. Choose an interface and select Edit. Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select the Enable check box.
Page 57: Zone
System network Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration.
Page 58: Zone Settings
Edit/View icons. Select to edit or view a zone. Delete icon. Select to remove a zone. Enter the name to identify the zone. Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone. 01-28006-0100-20041105 System network Fortinet Inc.
Page 59: Management
System network Select the Block intra-zone traffic check box if you want to block traffic between interfaces or VLAN subinterfaces in the same zone. Select the names of the interfaces or VLAN subinterfaces to add to the zone. Select OK. To delete a zone You can only delete zones that have the Delete icon beside them in the zone list.
Page 60 FortiGate unit from. Enter the default gateway address. Select the virtual domain from which you want to perform system management. 01-28006-0100-20041105 83). This must be a valid IP System network “To Fortinet Inc.
Page 61: Dns
The destination IP address for this route. The netmask for this route. The IP address of the next hop router to which this route directs traffic. The the relative preferability of this route. 1 is most preferred. Delete icon. Select to remove a route.
Page 62: Transparent Mode Route Settings
Enter the destination IP address and netmask for this route. Enter the IP address of the next hop router to which this route directs traffic The the relative preferability of this route. 1 is most preferred.
Page 63: Fortigate Units And Vlans
VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as router, firewall, or layer 3 switch.
Page 64: Vlans In Nat/Route Mode
Internet. In NAT/Route mode, the FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged.
Page 65: Adding Vlan Subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
Page 66: Vlans In Transparent Mode
FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
Page 67 Figure 17 three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN. FortiGate-500A Administration Guide VLAN Switch or router VLAN1 Internal VLAN1 VLAN2...
Page 68: Rules For Vlan Ids
Enter VLAN POWER switch Internet “System virtual domain” on page 135 01-28006-0100-20041105 VLAN 3 VLAN ID = 300 VLAN 1 VLAN 2 VLAN 3 External VLAN 1 VLAN VLAN 2 Trunk VLAN 3 Untagged packets Router System network Fortinet Inc.
Page 69: Transparent Mode Vlan List
System network Transparent mode VLAN list In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces. Figure 18: Sample Transparent mode VLAN list Create New Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual Name Access Status...
Page 70 The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN- tagged packets.
Page 71: Fortigate Ipv6 Support
The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI...
Page 72 FortiGate IPv6 support System network 01-28006-0100-20041105 Fortinet Inc.
Page 73: System Dhcp
System DHCP You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time. Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.
Page 74: Dhcp Service Settings
Select DHCP Server if you want the FortiGate unit to be the DHCP server. “To configure an interface to be a DHCP server” on page 01-28006-0100-20041105 System DHCP “To configure an interface as a Fortinet Inc.
Page 75: Server
System DHCP To configure an interface to be a DHCP server You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also configure a DHCP server for more than one FortiGate interface.
Page 76: Dhcp Server Settings
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. 75), you must configure a DHCP server for 01-28006-0100-20041105 System DHCP “To configure Fortinet Inc.
Page 77: Exclude Range
DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.
Page 78: Dhcp Exclude Range Settings
The IP address for the IP and MAC address pair. The IP address must be within the configured IP range. Delete icon. Delete an IP/MAC binding pair. Edit/View icon. View or modify an IP/MAC binding pair. 01-28006-0100-20041105 System DHCP Fortinet Inc.
Page 79: Dhcp Ip/Mac Binding Settings
System DHCP DHCP IP/MAC binding settings Figure 27: IP/MAC binding options Name IP Address MAC Address To add a DHCP IP/MAC binding pair Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
Page 80 Dynamic IP System DHCP 01-28006-0100-20041105 Fortinet Inc.
Page 81: System Config
System config Use the System Config page to make any of the following changes to the FortiGate system configuration: • • • • • • System time Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate.
Page 82: Options
NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. Timeout settings including the idle timeout and authentication timeout The language displayed by the web-based manager Dead gateway detection interval and failover detection 01-28006-0100-20041105 System config Fortinet Inc.
Page 83 System config Figure 29: System config options Idle Timeout Auth Timeout Language LCD Panel Detection Interval Fail-over Detection Set the ping server dead gateway detection failover number. Enter the To set the system idle timeout Go to System > Config > Options. For Idle Timeout, type a number in minutes.
Page 84 FortiGate unit assumes that the gateway is no longer functioning. Select Apply. Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
Page 85 System config Link failover Device failover If one of the FortiGate units in an HA cluster fails, all functions, all established HA heartbeat failover a.HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services. FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode.
Page 86: Ha Configuration
When the cluster is operating, you can select Cluster Members to view the status of all FortiGate units in the cluster. Status information includes the cluster ID, status, up time, weight, and monitor information. For more information, see each cluster member” on page 01-28006-0100-20041105 System config “To view the status of Fortinet Inc.
Page 87 System config Mode All members of the HA cluster must be set to the same HA mode. Active-Active Active-Passive Failover HA. The primary FortiGate unit in the cluster processes all Group ID The group ID range is from 0 to 63. All members of the HA cluster must have the same group ID.
Page 88 If you have more than one FortiGate HA cluster on the same network, each cluster should have a different password. Schedule If you are configuring an active-active cluster, select a load balancing schedule. Unit priority 01-28006-0100-20041105 System config Fortinet Inc.
Page 89 System config None Least- Connection Round-Robin Weighted Round-Robin Random IP Port Priorities of Heartbeat Device Enable or disable HA heartbeat communication and set the heartbeat priority for each interface in the cluster. By default HA heartbeat communication is set for two interfaces. You can disable HA heartbeat communication for either of these interfaces or enable HA heartbeat for other interfaces.
Page 90 IP address. This IP address does not affect the heartbeat traffic. In Transparent mode, you can connect the interface to your network. Default heartbeat device Port 3 Port 4 01-28006-0100-20041105 System config Default priority Fortinet Inc.
Page 91: Configuring An Ha Cluster
System config Monitor priorities Monitor priorities and link failover is not supported for the lan interface. Enable or disable monitoring a FortiGate interface to verify that the interface is functioning properly and connected to its network. If a monitored interface fails or is disconnected from its network the interface leaves the cluster.
Page 92 “To connect a FortiGate HA cluster” on page “To change FortiGate host name” on page “Unit Priority” on page “Override Master” on page “Schedule” on page “To connect a FortiGate HA cluster” on page 01-28006-0100-20041105 System config 29. Use host names to identify Fortinet Inc.
Page 93 Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. The FortiGate units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status.
Page 94 Port 1 CONSOLE Enter Hub or Switch CONSOLE Enter Port 1 01-28006-0100-20041105 Port 2 10/100 10/100/1000 Port 4 Hub or Switch Port 4 10/100 10/100/1000 Port 2 Internet System config Router Fortinet Inc.
Page 95: Managing An Ha Cluster
System config To configure weighted-round-robin weights By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster. If you configure a cluster to use the weighted round-robin schedule, from the CLI you can use config system ha weight to configure a weight value for each cluster unit.
Page 96 Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit. 01-28006-0100-20041105 System config for more information. Fortinet Inc.
Page 97 System config Up Time Monitor CPU Usage Memory Usage Active Sessions Total Packets Virus Detected Network Utilization The total network bandwidth being used by all of the cluster unit Total Bytes Intrusion Detected The number of intrusions or attacks detected by the cluster unit. To view and manage logs for individual cluster units Connect to the cluster and log into the web-based manager.
Page 98: Snmp
FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. The cluster contains fewer FortiGate units. The failed unit no longer appears on the Cluster Members list.
Page 99: Configuring Snmp
Configuring SNMP SNMP community FortiGate MIBs FortiGate traps Fortinet MIB fields Enable the FortiGate SNMP agent. Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long. Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Page 100: Snmp Community
Figure 35: SNMP community options (part 2) Community Name Hosts Enter a name to identify the SNMP community. Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit. 01-28006-0100-20041105 System config Fortinet Inc.
Page 101 SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community.
Page 102: Fortigate Mibs
Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
Page 103: Fortigate Traps
The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number.
Page 104 On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log to memory usage has exceeds 90%. Description The different unit in the HA cluster became the primary unit. 01-28006-0100-20041105 System config Fortinet Inc.
Page 105: Fortinet Mib Fields
The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Page 106 The source port of the active IP session. The destination IP address of the active IP session. The destination port of the active IP session. The expiry time or time-to-live in seconds for the session. 01-28006-0100-20041105 System config Fortinet Inc.
Page 107: Replacement Messages
System config Replacement messages Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit adds replacement messages to a variety of content streams.
Page 108: Changing Replacement Messages
For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of web page that sent the virus. 01-28006-0100-20041105 System config Table 20 lists the Fortinet Inc.
Page 109: Fortimanager
The name of the web filtering service. The name of the content category of the web site. The Fortinet logo. and a FortiManager Server. The remote ID of the FortiManager IPSec tunnel. The IP Address of the FortiManager Server.
Page 110 FortiManager System config 01-28006-0100-20041105 Fortinet Inc.
Page 111: System Administration
System administration When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiGate unit.
Page 112: Administrators
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see profiles, see “Access profile list” on page 01-28006-0100-20041105 System administration “Using trusted hosts” on page 113. 114. Fortinet Inc.
Page 113 System administration To configure an administrator account Go to System > Admin > Administrators. Select Create New to add an administrator account or select the Edit icon to make changes to an existing administrator account. Type a login name for the administrator account. Type and confirm a password for the administrator account.
Page 114: Access Profiles
Allow or deny access to the system status, interface, virtual domain, HA, routing, option, SNMP, time, and replacement message features. Allow or deny access to the log setting, log access, and alert email features. Allow or deny access to the authorized users feature. 01-28006-0100-20041105 System administration Fortinet Inc.
Page 115 System administration Admin Users FortiProtect Update System Shutdown To configure an access profile Go to System > Admin > Access Profile. Select Create New to add an access profile, or select the edit icon to edit an existing access profile. Enter a name for the access profile.
Page 116 Access profiles System administration 01-28006-0100-20041105 Fortinet Inc.
Page 117: System Maintenance
System maintenance Use the web-based manager to maintain the FortiGate unit. Backup and restore You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files. Figure 44: Backup and restore list Category Latest Backup...
Page 118: Backing Up And Restoring
IPS User-Defined Upload or download IPS signatures. Signatures All Certificates Restore or back up all VPN certificates in a single password- protected file. See VPN certificates” on page 01-28006-0100-20041105 System maintenance “To restore VPN certificates” “To back up 119. Fortinet Inc.
Page 119 System maintenance Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect. To back up individual categories Go to System >...
Page 120: Update Center
• • • To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. “To enable scheduled updates” on page 125. User-initiated updates from the FDN, Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
Page 121 System maintenance Figure 45: Update center FortiProtect Distribution Network Push Update Refresh Use override server address FortiGate-500A Administration Guide The status of the connection to the FortiProtect Distribution Network (FDN). Available means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates.
Page 122: Updating Antivirus And Attack Definitions
The update attempt occurs at a randomly determined time within the selected hour. Select Update Now to manually initiate an update. Select Apply to save update settings. 01-28006-0100-20041105 System maintenance Fortinet Inc.
Page 123 System maintenance To update antivirus and attack definitions Go to System > Maintenance > Update center. Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent.
Page 124 <proxy-address_ip> set port <proxy-port> set username <username_str> set password <password_str> set status enable config system autoupdate tunneling set address 67.35.50.34 set port 8080 set username proxy_user set password proxy_pwd set status enable 01-28006-0100-20041105 System maintenance Fortinet Inc.
Page 125: Enabling Push Updates
System maintenance There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Enabling push updates The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
Page 126: Enabling Push Updates Through A Nat Device
In the External Interface section, select the external interface that the FDN connects In the Type section, select Port Forwarding. In the External IP Address section, type the external IP address that the FDN connects to. Type the External Service Port that the FDN connects to. 01-28006-0100-20041105 System maintenance Fortinet Inc.
Page 127 System maintenance In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address.
Page 128: Support
Support Support You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS). Figure 46: Support Report Bug FDS Registration Select FDS Registration to register the FortiGate unit with FortiNet.
Page 129: Registering A Fortigate Unit
After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased.
Page 130 For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
Page 131 A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.
Page 132: Shutdown
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses. Go to System > Maintenance > Shutdown. Select Reset to factory default. 01-28006-0100-20041105 System maintenance Fortinet Inc.
Page 133 System maintenance Select Apply. The FortiGate unit restarts with the configuration that it had when it was first powered Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings. FortiGate-500A Administration Guide 01-28006-0100-20041105 Shutdown...
Page 134 Shutdown System maintenance 01-28006-0100-20041105 Fortinet Inc.
Page 135: System Virtual Domain
System virtual domain FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
Page 136: Virtual Domain Properties
System virtual domain 141) “To select a management virtual 140) “To configure routing for a virtual 142) “To configure the routing 142) 142) “To add IP pools to a virtual “To add Virtual IPs to a virtual 144) Fortinet Inc. 143)
Page 137: Shared Configuration Settings
System virtual domain Shared configuration settings The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings. • • • • • •...
Page 138: Administration And Management
A check mark icon in this column indicates that this is the domain used for system management. Delete icon. Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management. 01-28006-0100-20041105 System virtual domain Fortinet Inc.
Page 139: Adding A Virtual Domain
Selecting a management virtual domain In NAT/Router mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See “To control administrative access to an interface”...
Page 140: Configuring Virtual Domains
Go to System > Network > Interface. Adding interfaces, VLAN subinterfaces, and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtual domain 01-28006-0100-20041105 System virtual domain Fortinet Inc.
Page 141 System virtual domain Set Virtual domain to All or to the name of the virtual domain that currently contains the interface. Select Edit for the physical interface you want to move. Choose the Virtual Domain to which to move the interface. Select OK.
Page 142: Configuring Routing For A Virtual Domain
57. Any zones that you add are added to the current virtual “Router” on page 145. Network traffic entering this virtual domain is routed only “Routing table (Transparent Mode)” on page 01-28006-0100-20041105 System virtual domain 61. Network traffic entering this Fortinet Inc.
Page 143 System virtual domain Select Create new to add firewall policies to the current virtual domain. interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
Page 144: Configuring Ipsec Vpn For A Virtual Domain
Select Change following the current virtual domain name above the table. Choose the virtual domain for which to configure VPN. Select OK. Go to VPN. Configure IPSec VPN, PPTP, L2TP, and certificates as required. See page 249. 01-28006-0100-20041105 System virtual domain “VPN” on Fortinet Inc.
Page 145: Router
You configure routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next hop router to which traffic will be routed.
Page 146 • • • The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network.
Page 147: Static Route List
Router Figure 51: Destinations on networks behind internal routers To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24...
Page 148: Static Route Options
The destination IP address for this route. The netmask for this route. The IP address of the first next hop router to which this route directs traffic. The name of the FortiGate interface through which to route traffic. The administrative distance for the route.
Page 149: Policy
Router Figure 54: Move a static route For Move to, select either Before or After and type the number that you want to place this route before or after. Select OK. The route is displayed in the new location on the static route list.
Page 150: Policy Route Options
Match packets that have this destination IP address and netmask. Match packets that have this destination port range. To match a single port, enter the same port number for both From and To. Send packets that match this policy route to this next hop router. 01-28006-0100-20041105 Router...
Page 151: General
Router RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 57: RIP General settings...
Page 152: Networks List
Static Metric Route-map To configure RIP general settings Go to Router > RIP > General. Select the default RIP Version. Change the Default Metric if required. Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
Page 153: Networks Options
Figure 59: RIP Networks configuration To configure a RIP network Go to Router > RIP > Networks. Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network.
Page 154: Interface Options
In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. 01-28006-0100-20041105 Router...
Page 155: Distribute List
Password Key-chain To configure a RIP interface Go to Router > RIP > Interface. Select the edit icon beside an Interface to configure that interface. Select a Send Version if you want to override the default send version for this interface.
Page 156: Distribute List Options
Interface Enable To configure a distribute list Go to Router > RIP > Distribute List. Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list. Set Direction to In or Out.
Page 157: Offset List
Interface Enable To configure an offset list Go to Router > RIP > Offset List. Select Create New to add a new offset list or select the edit icon beside an existing offset list to edit that offset list. FortiGate-500A Administration Guide Add a new offset list.
Page 158: Router Objects
Check or clear the Enable check box to enable or disable this offset list. Select OK. Router objects Router objects are a set of tools used by routing protocols and features. Access list Access lists are filters used by FortiGate routing features.
Page 159: New Access List Entry
Router To add an access list name Go to Router > Router Objects > Access List. Select Create New. Enter a name for the access list. Select OK. New access list entry Figure 68: Access list entry configuration list Entry...
Page 160: New Prefix List
Prefix New Prefix list Figure 70: Prefix list name configuration To add a prefix list name Go to Router > Router Objects > Prefix List. Select Create New. Enter a name for the prefix list. Select OK. Add a new prefix list name. An access list and a prefix list cannot have the same name.
Page 161: New Prefix List Entry
Less or equal to To configure a prefix list entry Go to Router > Router Objects > Prefix List. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry.
Page 162: Route-Map List
Route-map rules New Route-map Figure 73: Route map name configuration To add a route map name Go to Router > Router Objects > Route-map. Select Create New. Enter a name for the route map. Select OK. Add a new route map name.
Page 163: Route-Map List Entry
Match a route if the destination address is included in the selected access list or prefix list. Match a route that has a next hop router address included in the selected access list or prefix list. Match a route with the specified metric. The metric can be a number from 1 to 16.
Page 164: Key Chain List
New key chain Figure 76: Key chain name configuration To add a key chain name Go to Router > Router Objects > Key-chain. Select Create New. for information on setting the FortiGate system date and Add a new key chain.
Page 165: Key Chain List Entry
Start To configure a key chain entry Go to Router > Router Objects > Key-chain. Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
Page 166: Monitor
Up Time To filter the routing monitor display Go to Router > Monitor > Routing Monitor. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
Page 167: Cli Configuration
Show the current state of active routing protocols. Command syntax FortiGate-500A Administration Guide get router info ospf {border-routers | database | interface | neighbor | route | virtual-links} Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
Page 168: Get Router Info Rip
An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).
Page 169 Router Note: In the following table, only the router-id keyword is required. All other keywords are optional. ospf command keywords and variables Keywords and variables abr-type {cisco | ibm | shortcut | standard} database-overflow {disable | enable} database-overflow- max-lsas <lsas_integer>...
Page 170 <address_ipv4> spf-timers <delay_integer> <hold_integer> Example This example shows how to set the OSPF router ID to 1.1.1.1: This example shows how to display the OSPF settings. Description Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
Page 171 This example shows how to display the OSPF configuration. config area Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
Page 172 Enable or disable redistributing routes into a NSSA area. 01-28006-0100-20041105 Router Default Availability All models. none All models. All models. disable All models. All models. All models. enable Fortinet Inc.
Page 173 This example shows how to display the settings for area 15.1.1.1. FortiGate-500A Administration Guide Description A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain.
Page 174 Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Enter the name of the access list or prefix list to use for this filter list. 01-28006-0100-20041105 Router 159. Default Availability All models. All models. default. Fortinet Inc.
Page 175 The range id_integer can be 0 to 4294967295. FortiGate-500A Administration Guide config router ospf config area edit 15.1.1.1 config filter-list config router ospf config area edit 15.1.1.1...
Page 176 Enable or disable using a substitute prefix. disable All models. config router ospf config area edit 15.1.1.1 config range config router ospf config area edit 15.1.1.1 01-28006-0100-20041105 Default enable default default. edit 1 set prefix 1.1.0.0 255.255.0.0 Router Availability All models. All models. All models. Fortinet Inc.
Page 177 Virtual links can only be set up between two area border routers (ABRs). config virtual link command syntax pattern Note: Only the peer keyword is required. All other keywords are optional. FortiGate-500A Administration Guide config router ospf config area edit 15.1.1.1 show config virtual-link edit <name_str>...
Page 178 15 characters. The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead- interval should be four times the value of the hello-interval. Both ends of the virtual link must use the same value for dead- interval.
Page 179 This example shows how to configure a virtual link. This example shows how to display the settings for area 15.1.1.1. This example shows how to display the configuration for area 15.1.1.1. config distribute-list Access the config distribute-list subcommand using the config router ospf command. FortiGate-500A Administration Guide Description The time, in seconds, to wait before sending a LSA retransmission.
Page 180 Enter the name of the access list to use for this distribute list. Advertise only the routes discovered by the specified protocol and that are permitted by the named access list. 01-28006-0100-20041105 Router Default Availability No default. All models. All models. connected Fortinet Inc.
Page 181 This example shows how to display the settings for distribute list 2. This example shows how to display the configuration for distribute list 2. config neighbor Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
Page 182 1 set ip 192.168.21.63 config router ospf config neighbor edit 1 config router ospf config neighbor edit 1 show 01-28006-0100-20041105 Router Default Availability All models. 0.0.0.0 All models. All models. All models. Fortinet Inc.
Page 183: Config Network
Router config network Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces. config network command syntax pattern...
Page 184 This example shows how to display the settings for network 2. This example shows how to display the configuration for network 2. config ospf-interface Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface related OSPF settings.
Page 185 Enable or disable flooding LSAs out of this interface. The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. All routers on the network must use the same value for dead- interval.
Page 186 MTUs so that they match. 01-28006-0100-20041105 Router Default Availability All models. No default. All models. No default. All models. No default. All models. authentication must be set to md5. 1500 All models. All models. disable Fortinet Inc.
Page 187 “config neighbor” on page 181. Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 can not be elected DR or BDR.
Page 188: Config Redistribute
This example shows how to display the configuration for the OSPF interface configuration named test. config redistribute Access the config redistribute subcommand using the config router ospf command. Use the config redistribute command to advertise routes learned from RIP, static routes, or a direct connection to the destination network.
Page 189 This example shows how to display the OSPF settings. This example shows how to display the OSPF configuration. config summary-address Access the config summary-address subcommand using the config router ospf command. FortiGate-500A Administration Guide config redistribute {connected | static | rip} set <keyword>...
Page 190 Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page route, you reduce the size of the OSPF link-state database.
Page 191: Config Router Static6
Enter ::/0 for the destination IPV6 address and netmask to add a default route. The IPV6 address of the first next hop router to which this route directs traffic. 01-28006-0100-20041105 CLI configuration Default Availability All models.
Page 192 This example shows how to display the configuration for IPV6 static route 2. config router static6 edit 2 set dev internal set dst 12AB:0:0:CD30::/60 set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF get router static6 get router static6 2 show router static6 show router static6 2 01-28006-0100-20041105 Router Fortinet Inc.
Page 193: Firewall
Firewall Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
Page 194: Policy
Policy list You can add, delete, edit, re-order, enable, and disable policies in the policy list. Figure 79: Sample policy list How policy matching works Policy list Policy options Advanced policy options Configuring firewall policies 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 195 Firewall The policy list has the following icons and features. Create new Source Dest Schedule Service Action Enable source -> destination (n) Policy list headings indicating the traffic to which the policy Figure 80: Move to options FortiGate-500A Administration Guide Select Create New to add a firewall policy.
Page 196: Policy Options
Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See 01-28006-0100-20041105 Firewall “Addresses” on page “Virtual IP” on page 202. “Schedule” on page 214. “Service” on page 206. Fortinet Inc. 218.
Page 197 Firewall Action VPN Tunnel Protection Profile Log Traffic Advanced FortiGate-500A Administration Guide Select how you want the firewall to respond when the policy matches a connection attempt. • ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy. •...
Page 198: Advanced Policy Options
HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service. 243. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 199: Traffic Shaping
Firewall In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or Telnet server using a domain name. Traffic Shaping Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the policy.
Page 200: Configuring Firewall Policies
Set the DSCP value for reply packets. For example, for an Internal External policy the value is applied to incoming reply packets -> before they exit the internal interface and returned to the originator. 194. 01-28006-0100-20041105 Firewall “Policy options” on page 196. “How policy matching Fortinet Inc.
Page 201: Policy Cli Configuration
Firewall To change the position of a policy in the list Go to Firewall > Policy. Select the Move To icon beside the policy you want to move. Select the position for the policy. Select OK. To disable a policy Disable a policy to temporarily prevent the firewall from selecting the policy.
Page 202: Address
192.168.110.* to represent all addresses on the subnet Address list Address options Configuring addresses Address group list Address group options Configuring address groups 01-28006-0100-20041105 Firewall Default Availability All models. 0.0.0.0 Encrypt 0.0.0.0 policy, with outbound enabled. Fortinet Inc.
Page 203: Address List
Firewall Address list You can add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address which represents any IP address on the network. Figure 84: Sample address list The address list has the following icons and features. Create New Name Address...
Page 204: Configuring Addresses
The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0 A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10) 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 205: Address Group List
Firewall Address group list You can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses. Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
Page 206: Configuring Address Groups
This section describes: • • • • • • • Predefined service list Custom service list Custom service options Configuring custom services Service group list Service group options Configuring service groups 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 207: Predefined Service List
Firewall Predefined service list Figure 88: Predefined service list The predefined services list has the following icons and features. Name Detail Table 21 to any policy. Table 21: FortiGate predefined services Service name DHCP FortiGate-500A Administration Guide The name of the predefined services. The protocol for each predefined service.
Page 208 Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol. PC-Anywhere is a remote control and file transfer protocol. 01-28006-0100-20041105 Firewall Protocol Port 1720, 1503 6660-6669 1701 1720 111, 2049 5632 Fortinet Inc.
Page 209 Firewall Table 21: FortiGate predefined services (Continued) Service name ICMP_ANY PING TIMESTAMP INFO_REQUEST ICMP information request messages. INFO_ADDRESS ICMP address mask request messages. POP3 PPTP QUAKE RAUDIO RLOGIN SIP- MSNmessenger SMTP SNMP SYSLOG TALK TELNET TFTP UUCP VDOLIVE FortiGate-500A Administration Guide Description Internet Control Message Protocol is a message control and error-reporting protocol...
Page 210: Custom Service List
The Delete and Edit/View icons. The name of the TCP or UDP custom service. Select the protocol type of the service you are adding: TCP or UDP. TCP and UDP options are the same. 01-28006-0100-20041105 Firewall Protocol Port 1494 6000-6063 Fortinet Inc.
Page 211: Configuring Custom Services
Firewall Source Port Destination Port Specify the Destination Port number range for the service by entering the ICMP custom service options Figure 91: ICMP custom service options Name Protocol Type Type Code IP custom service options Figure 92: IP custom service options Name Protocol Type Protocol Number The IP protocol number for the service.
Page 212 Select the Edit icon beside the service you want to edit. Modify the custom service as required. Note: To change the custom service name you must delete the service and add it with a new name. Select OK. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 213: Service Group List
Firewall Service group list To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
Page 214: Configuring Service Groups
This section describes: • • • • • • One-time schedule list One-time schedule options Configuring one-time schedules Recurring schedule list Recurring schedule options Configuring recurring schedules 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 215: One-Time Schedule List
Firewall One-time schedule list You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
Page 216: Recurring Schedule List
Start Select Create New to add a recurring schedule. The name of the recurring schedule. The initials of the days of the week on which the schedule is active. The start time of the recurring schedule. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 217: Recurring Schedule Options
Firewall Stop Recurring schedule options Figure 98: Recurring schedule options Recurring schedule has the following options. Name Select Start Stop Configuring recurring schedules To add a recurring schedule Go to Firewall > Schedule > Recurring. Select Create New. Enter a name for the schedule. Select the days of the week that you want the schedule to be active.
Page 218: Virtual Ip
Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally a different port number on a destination network. Virtual IP list Virtual IP options Configuring virtual IPs 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 219: Virtual Ip List
Firewall Virtual IP list Figure 99: Sample virtual IP list The virtual IP list has the following icons and features. Create New Name Service Port Map to IP Map to Port Virtual IP options Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding.
Page 220: Configuring Virtual Ips
Enter the port number to be added to packets when they are forwarded. (Port forwarding only.) Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.) Table 22 on page 221 contains example virtual IP external interface settings 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 221 Firewall You can now add the virtual IP to firewall policies. Table 22: Virtual IP external interface examples External Interface Description port1 port2 To add port forwarding virtual IPs Go to Firewall > Virtual IP. Select Create New. Enter a name for the port forwarding virtual IP. Select the virtual IP External Interface from the list.
Page 222 Select the Delete icon beside the virtual IP you want to delete. Select OK. To edit a virtual IP Go to Firewall > Virtual IP. Select the Edit icon beside the virtual IP you want to modify. Select OK. “PPTP passthrough” on page 266 01-28006-0100-20041105 for more information. Fortinet Inc. Firewall...
Page 223: Ip Pool
Firewall IP pool An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface.
Page 224: Ip Pool Options
For the IP pool that you want to edit, select Edit beside it. Modify the IP pool as required. Select OK to save the changes. Select the interface to which to add an IP pool. Enter a name for the IP pool. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 225: Ip Pools For Firewall Policies That Use Fixed Ports
Firewall IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.
Page 226: Protection Profile List
You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 227: Protection Profile Options
Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis. 01-28006-0100-20041105 Protection profile 227.
Page 228: Configuring Web Filtering Options
Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause download interruptions. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 229: Configuring Web Category Filtering Options
Firewall Configuring web category filtering options Figure 108:Protection profile web category filtering options (FortiGuard) The following options are available for web category filtering through the protection profile. See options. Enable category block (HTTP only) Block unrated websites (HTTP only) Provide details for blocked HTTP 4xx and 5xx errors (HTTP only) Allow websites when a rating...
Page 230: Configuring Spam Filtering Options
Enable or disable checking traffic against configured Real-time Blackhole List and Open Relay Database List servers. Enable or disable the Fortinet spam filtering IP address blacklist: FortiShield. See on page 341 Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server.
Page 231: Configuring Protection Profiles
Firewall Note: Some popular email clients cannot filter messages based on the MIME header. Check your email client features before deciding how to tag spam. Configuring IPS options Figure 110:Protection profile IPS options The following options are available for IPS through the protection profile. See page 295 IPS Signature IPS Anomaly...
Page 232: Cli Configuration
Note: This guide only describes Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 233 Firewall profile Use this command to add, edit or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies. Command syntax pattern FortiGate-500A Administration Guide config firewall profile edit <profilename_str> set <keyword> <variable> config firewall profile edit <profilename_str>...
Page 234 If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. 01-28006-0100-20041105 Firewall Default Availability No default. All models. Fortinet Inc.
Page 235 Firewall firewall profile command keywords and variables (Continued) Keywords and variables http {bannedword block catblock chunkedbypass content_log oversize quarantine scan scriptfilter urlblock urlexempt} smtp {bannedword block content_log fragmail oversize quarantine scan spamemailbwl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice} FortiGate-500A Administration Guide Description Select the actions that this profile will use for filtering HTTP traffic for a...
Page 236 This example shows how to display the configuration for the firewall profile command. This example shows how to display the configuration for the spammail profile. get firewall profile get firewall profile spammail show firewall profile show firewall profile spammail 01-28006-0100-20041105 Firewall Fortinet Inc.
Page 237: Users And Authentication
Users and authentication You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
Page 238: Setting Authentication Timeout
Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long. 01-28006-0100-20041105 Users and authentication Fortinet Inc.
Page 239: Radius
Users and authentication LDAP Radius To add a user name and configure authentication Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user.
Page 240: Radius Server Options
Select the Delete icon beside the RADIUS server name that you want to delete. Select OK. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret. 01-28006-0100-20041105 Users and authentication Fortinet Inc.
Page 241: Ldap
Users and authentication LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
Page 242 For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com 01-28006-0100-20041105 Users and authentication Fortinet Inc.
Page 243: User Group
Users and authentication User group To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: •...
Page 244: User Group Options
The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group. 01-28006-0100-20041105 Users and authentication Fortinet Inc.
Page 245: Cli Configuration
Users and authentication Select Delete beside the user group that you want to delete. Select OK. CLI configuration This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.
Page 246: Peergrp
EU_branches set member Sophia_branch Valencia_branch Cardiff_branch get user peergrp 01-28006-0100-20041105 Users and authentication Default Availability No default. All models. Fortinet Inc.
Page 247 Users and authentication This example shows how to display the settings for the peergrp EU_branches. This example shows how to display the configuration for all the peers groups. This example shows how to display the configuration for the peergrp EU_branches. FortiGate-500A Administration Guide get user peergrp EU_branches show user peergrp...
Page 248 CLI configuration Users and authentication 01-28006-0100-20041105 Fortinet Inc.
Page 249: Vpn
FortiGate units support the following protocols to authenticate and encrypt traffic: • • • This chapter contains information about the following VPN topics: • • • • • • • • • • • • • • • • • •...
Page 250: Phase 1
1, Dialup if this is a dialup Phase 1 configuration, and the domain name if this is a dynamic DNS phase 1. Main mode or Aggressive mode. The names of the encryption and authentication algorithms used by each phase 1 configuration. Edit, view, or delete phase 1 configurations. 01-28006-0100-20041105 Fortinet Inc.
Page 251: Phase 1 Basic Settings
Phase 1 basic settings Figure 121:Phase 1 basic settings Gateway Name Type a name for the remote VPN peer. The remote peer can be either a Remote Gateway IP Address Dynamic DNS Mode Authentication Method FortiGate-500A Administration Guide gateway to another network or an individual client on the Internet. Select a Remote Gateway address type.
Page 252: Phase 1 Advanced Options
The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected here. For more information, see the “config user” chapter of the CLI Reference Guide. 01-28006-0100-20041105 “Enabling VPN access for 276. Fortinet Inc.
Page 253: Configuring Xauth
Encryption Authentication The FortiGate unit supports the following authentication methods: DH Group Keylife Local ID XAuth Nat-traversal Keepalive Frequency Dead Peer Detection Configuring XAuth XAuth authenticates users in a separate exchange held between Phases 1 and 2. XAuth: Enable as Client Username Password FortiGate-500A Administration Guide...
Page 254: Phase 2
Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.). Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
Page 255: Phase 2 Basic Settings
Status Timeout Phase 2 basic settings Figure 124:Phase 2 basic settings Tunnel Name Remote Gateway Concentrator FortiGate-500A Administration Guide The current status of the tunnel. Down, tunnel is not processing traffic. Up, the tunnel is currently processing traffic. Unknown, status of Dialup tunnels.
Page 256: Phase 2 Advanced Options
You can configure the FortiGate unit to send an alert email when it detects a replay packet. For more information, see Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires. 01-28006-0100-20041105 “Alert E-mail options” on page 358. Fortinet Inc.
Page 257: Manual Key
DH Group Keylife Autokey Keep Alive DHCP-IPSec Internet browsing Quick Mode Identities Manual key Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote VPN peer that uses a manual key. The FortiGate unit must be configured to use the same encryption and authentication algorithms used by the remote peer.
Page 258: Manual Key List
Enter the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel. 01-28006-0100-20041105 Fortinet Inc.
Page 259: Concentrator
Encryption Key Enter the Encryption Key. Authentication Algorithm Authentication Concentrator Concentrator Configure IPSec VPN concentrators to create hub and spoke configurations. IPSec VPN concentrators are only available in NAT/Route mode. To configure a concentrator Go to VPN > IPSEC > Concentrator and add a concentrator. Add the required Phase 2 configurations to the concentrator.
Page 260: Concentrator Options
A concentrator can have more than one tunnel in its list of members. Provides a list of tunnels that are members of the concentrator. To remove a tunnel from the list, select the tunnel in the Members list and select the left arrow. 01-28006-0100-20041105 Fortinet Inc.
Page 261: Ping Generator Options
Ping generator options Figure 130:Ping generator Enable Source IP 1 Destination IP 1 Source IP 2 Destination IP 2 To configure the ping generator Go to VPN > IPSEC > Ping Generator. Select Enable. In the Source IP 1 box, type the private IP address from which traffic may originate locally.
Page 262: Dialup Monitor
The IP address range from which the dialup user can connect. This is usually the current IP address of the dialup user’s computer. Stop the current dialup tunnel. The dialup user may have to reconnect to establish a new VPN session. 01-28006-0100-20041105 Fortinet Inc.
Page 263: Pptp
Name Remote gateway The IP address and UDP port of the remote gateway. For dynamic DNS Timeout Proxy ID Source The IP address range that VPN users of this tunnel can connect to. Proxy ID Destination Bring down tunnel icon Bring up tunnel icon PPTP...
Page 264: Enabling Pptp And Specifying A Pptp Range
The start of the IP range. For example, 192.168.1.10. The end of the IP range. For example, 192.168.1.20. Select the user group that contains the remote PPTP VPN clients. Select this option to disable the PPTP support. 01-28006-0100-20041105 204. 200. PPTP. PPTP. Fortinet Inc.
Page 265: Configuring A Windows 2000 Client For Pptp
Configuring a Windows 2000 client for PPTP To configure a PPTP dialup connection Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next. For Network Connection Type, select Connect to a private network through the Internet and select Next.
Page 266: Pptp Passthrough
Go to Firewall > Virtual IP. Select Create New. Enter a name for the virtual IP, for example PPTP_pass. Set the External Interface to external. TCP/IP QoS Packet Scheduler File and Printer Sharing for Microsoft Networks Client for Microsoft Networks 01-28006-0100-20041105 Fortinet Inc.
Page 267: L2Tp
Select Port Forwarding. Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. Alternatively, if PPTP users always connect to the same IP address, you can specify that IP address. Set the External Service Port to 1723. Set the Map to IP address to 192.168.23.1.
Page 268: Setting Up A L2Tp-Based Vpn
“To add an address” on page “To add a firewall policy” on page Configuring a Windows 2000 client for Configuring a Windows XP client for 01-28006-0100-20041105 “To add an address” on page 204. 200. L2TP. L2TP. “Users and 268. 204. Fortinet Inc.
Page 269: Configuring A Windows 2000 Client For L2Tp
Figure 134:L2TP range Enable L2TP Starting IP Ending IP User Group Disable L2TP To enable L2TP on the FortiGate unit Go to VPN > L2TP > L2TP Range. Select Enable L2TP. Complete the fields as required. Select Apply. Configuring a Windows 2000 client for L2TP To configure an L2TP dialup connection Go to Start >...
Page 270: Configuring A Windows Xp Client For L2Tp
Select Create a connection to the network of your workplace and select Next. Select Virtual Private Network Connection and select Next. Name the connection and select Next. If the Public Network dialog box appears, choose the appropriate initial connection and select Next. 01-28006-0100-20041105 Fortinet Inc.
Page 271 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish. To configure the VPN connection Right-click the icon that you have created. Select Properties > Security. Select Typical to configure typical settings.
Page 272: Certificates
FortiGate unit for decrypting messages sent by the remote peer. Conversely, the remote peer provides its public key to the FortiGate unit, which uses the key to encrypt messages destined for the remote peer. 01-28006-0100-20041105 Fortinet Inc.
Page 273: Viewing The Certificate List
Details are provided in the following sections: • • • • Viewing the certificate list Initially, no certificates are installed. To view the certificate list Go to VPN > Certificates > Local Certificates. Figure 135:Certificate list Generate Import Name Subject Status Generating a certificate request To obtain a personal or site certificate, you must send the request to a CA that...
Page 274 Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload the certificate request. Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. 01-28006-0100-20041105 further identify the object being certified. Fortinet Inc.
Page 275: Installing A Signed Certificate
Figure 136:Generating a certificate signing request Certificate Name Type a certificate name. Subject Information Optional Information Key Type Key Size Installing a signed certificate Your CA provides you with a digital certificate to install on the FortiGate unit. You must also obtain and install the CA’s root certificate on the FortiGate unit.
Page 276: Enabling Vpn Access For Specific Certificate Holders
To enable access for a specific certificate holder or a group of certificate holders Use this procedure to enhance access security if you are using digital certificates to authenticate peers. Go to VPN > IPSEC > Phase 1. “Backing up and Restoring” on page 01-28006-0100-20041105 118. Fortinet Inc.
Page 277: Cli Configuration
Under Peer Options, select one of these options: • • If you want to define the DN of the FortiGate unit, select Advanced, and from the Local ID list, select the DN of the FortiGate unit. Select OK. CLI configuration This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager.
Page 278 01-28006-0100-20041105 Default Availability All models. seconds dpd must be set to enable. All models. seconds dpd must be set to enable. All models. dpd must be set to enable. All models. seconds dpd must be set to enable. Fortinet Inc.
Page 279: Ipsec Phase2
Example Use the following command to edit an IPSec VPN phase 1 configuration with the following characteristics: • • • • • • • • • • • ipsec phase2 In addition to the advanced IPSec Phase 2 settings, the config vpn ipsec phase2 CLI command provides a way to bind the VPN tunnel selected in a Phase 2 configuration to a specific network interface.
Page 280: Ipsec Vip
Type the name of the local FortiGate interface. config vpn ipsec phase2 edit Tunnel_1 set bindtoif internal “Configuring IPSec virtual IP addresses” on page config vpn ipsec vip edit <vip_integer> set <keyword> <variable> 01-28006-0100-20041105 Default Availability All models. default. 292. Fortinet Inc.
Page 281 ipsec vip command keywords and variables Keywords and variables ip <address_ipv4> out-interface <interface-name_str> Example The following commands add IPSec VIP entries for two remote hosts that can be accessed by a FortiGate unit through an IPSec VPN tunnel on the external interface of the FortiGate unit.
Page 282: Authenticating Peers With Preshared Keys
“Phase 1” on page 250. “Adding firewall policies for IPSec VPN tunnels” on page “Phase 1” on page 250. “Phase 2” on page 254. “Adding firewall policies for IPSec VPN tunnels” on page 01-28006-0100-20041105 “Phase 2” on page 254. 284. 284. Fortinet Inc.
Page 283: Dialup Vpn
Dialup VPN Dialup VPN allows remote users with dynamic IP addresses to use VPN to connect to a private network. Dialup VPNs use AutoIKE and can be preshared key or certificate VPNs. To configure dialup VPN Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
Page 284: Manual Key Ipsec Vpn
To add a source address, see page “Manual key” on page 257. “Manual key” on page 257. “Adding firewall policies for IPSec VPN tunnels” on page “Policy” on page 194 204. 01-28006-0100-20041105 284. for information about firewall policies. “To add an address” on Fortinet Inc.
Page 285: Setting The Destination Address For Encrypted Traffic
Setting the destination address for encrypted traffic The destination address determines which remote peers and clients will be allowed to access the specified source address. In general: • • • To add a destination address, see Adding an IPSec firewall encryption policy Use the following procedure to add an IPSec firewall encryption policy.
Page 286: Configuring Internet Browsing Through A Vpn Tunnel
If required, add additional firewall policies to support internet browsing. Configure the remote VPN clients to deny split tunneling. “Phase 1” on page 250. “Phase 2” on page 284. 01-28006-0100-20041105 254. “System DHCP” on page “Adding firewall policies for IPSec Fortinet Inc.
Page 287: Ipsec Vpn In Transparent Mode
The unit must have sufficient routing information to reach the management station. For any traffic to reach external destinations, a static (default) route to the router must be present in the FortiGate routing table. The router forwards packets to the Internet.
Page 288: Hub And Spoke Vpns
The source address must be Internal_All. Use the following configuration for the encrypt policies: add the VPN tunnels. add a VPN concentrator. add a firewall policy. “To add an address” on page “To add an address” on page 01-28006-0100-20041105 204. 204. Fortinet Inc.
Page 289: Adding A Vpn Concentrator
Source Destination Action VPN Tunnel Allow inbound Allow outbound Select allow outbound. Inbound NAT Outbound NAT Select outbound NAT if required. Arrange the policies in the following order: • • Adding a VPN concentrator The VPN concentrator collects the hub-and-spoke tunnels into a group. This allows VPN traffic to pass from one tunnel to the other through the FortiGate unit.
Page 290: Configuring Spokes
The remote VPN spoke address. ENCRYPT The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.) Do not enable. Select inbound NAT if required. “To add a firewall policy” on page 01-28006-0100-20041105 204. 204. 200. Fortinet Inc.
Page 291: Redundant Ipsec Vpns
Source Destination Action VPN Tunnel Allow inbound Allow outbound Do not enable. Inbound NAT Outbound NAT Select outbound NAT if required. Arrange the policies in the following order: • • • Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
Page 292: Configuring Ipsec Virtual Ip Addresses
The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. “To add a firewall policy” on page 01-28006-0100-20041105 250. “To add an address” on page 200. 204. Fortinet Inc.
Page 293 Consider the following example, which shows two physically separate networks. The IP addresses of the computers on both networks are in the 192.168.12.0/24 range, but no two IP addresses are the same. An IPSec VPN has been configured between FortiGate_1 and FortiGate_2. The FortiGate configuration permits Host_1 on the Finance network to transmit data to Host_2 on the HR network through the IPSec VPN tunnel.
Page 294: Troubleshooting
Make sure you select the correct DH group on both ends. Enable PFS. Change the policy to internal-to-external. Re-enter the source and destination address. The encryption policy must be placed above other non-encryption policies. “ipsec Fortinet Inc.
Page 295: Ips
IPS (attack) engines and definitions through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see FortiGate-500A Administration Guide FortiGate-500A Administration Guide Version 2.80 MR6...
Page 296: Signature
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
Page 297: Predefined Signature List
If logging is disabled and action is set to Pass, the signature is effectively disabled. The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Page 298: Configuring Predefined Signatures
The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall. 01-28006-0100-20041105 Fortinet Inc.
Page 299: Configuring Parameters For Dissector Signatures
Select the Enable box to enable the signature or clear the Enable box to disable the signature. Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. Select the Action for the FortiGate unit to take when traffic matches this signature. (See Select OK.
Page 300: Custom
(the default) no change is made to the codepoint in the IP header. Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group. Select Create New to create a new custom signature. 01-28006-0100-20041105 Fortinet Inc.
Page 301: Adding Custom Signatures
Clear all custom signatures Reset to recommended settings? Name Revision Enable Logging Action Modify Adding custom signatures To add a custom signature Go to IPS > Signature > Custom. Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.
Page 302: Anomaly
The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly. 01-28006-0100-20041105 “Anomaly CLI configuration” on Fortinet Inc.
Page 303: Configuring An Anomaly
If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Page 304 FortiGate session table, and does not send a reset. Session Pass The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Session Traffic over the specified threshold triggers the anomaly. 01-28006-0100-20041105 Fortinet Inc.
Page 305: Anomaly Cli Configuration
Anomaly CLI configuration Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. (config ips anomaly) config limit Note: This command has more keywords than are listed in this Guide.
Page 306: Configuring Ips Logging And Alert Email
You can change the default fail open setting using the CLI: Enable ips_open to cause the IPS to fail open and disable ips_open to cause the IPS to fail closed. “Log & Report” on page config sys global set ips-open [enable | disable] 01-28006-0100-20041105 353. Fortinet Inc.
Page 307: Antivirus
Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
Page 308: File Block
IPS (attack) engines and definitions, as well as the local spam RBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see This chapter describes: •...
Page 309: File Block List
Antivirus This section describes: • • File block list The file block list is preconfigured with a default list of file patterns: • • • • • • • • • Figure 151:Default file block list File block list has the following icons and features: Create New Apply Pattern...
Page 310: Configuring The File Block List
You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to FortiNet for analysis. This section describes: •...
Page 311: Quarantined Files List Options
EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
Page 312: Autosubmit List
(* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
Page 313: Config
Antivirus Config Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 155:Quarantine configuration Quarantine configuration has the following options: Options Age limit...
Page 314: Config
1 to 25 MB. The range for each FortiGate unit is displayed in the web-based manager as shown in Virus list Config Grayware Grayware options 29. To find out how to use the Fortinet Update Center, see 120. Figure 01-28006-0100-20041105 “Changing unit 157.
Page 315: Grayware
Antivirus You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Grayware Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge.
Page 316: Cli Configuration
Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software. 01-28006-0100-20041105 Antivirus Fortinet Inc.
Page 317 Antivirus Use the heuristic command to change the heuristic scanning mode. Command syntax pattern Table 26: antivirus heuristic command keywords and variables Keywords and variables mode {pass | block | disable} Example This example shows how to disable heuristic scanning. This example shows how to display the settings for the antivirus heuristic command.
Page 318: Quarantine
Quarantine files found by heuristic scanning in traffic for the specified protocols. 01-28006-0100-20041105 Antivirus Default Availability FortiGate imap models smtp numbered pop3 200 and http higher. FortiGate default. models numbered 200 and higher. Fortinet Inc.
Page 319: Service Http
Antivirus service http Use this command to configure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for HTTP traffic. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
Page 320: Service Ftp
You can use ports from the range 1-65535. You can add up to 20 ports. config antivirus service ftp set port 22 set port 23 get antivirus service ftp show antivirus service ftp 01-28006-0100-20041105 Antivirus Default Availability All models. Fortinet Inc.
Page 321: Service Pop3
Antivirus service pop3 Use this command to configure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for POP3 traffic. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
Page 322: Service Imap
You can use ports from the range 1-65535. You can add up to 20 ports. config antivirus service imap set port 10585 set port 10686 set port 10787 get antivirus service imap show antivirus service imap 01-28006-0100-20041105 Antivirus Default Availability All models. Fortinet Inc.
Page 323: Service Smtp
Antivirus service smtp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic and what ports the FortiGate unit scans for SMTP. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
Page 324 CLI configuration Antivirus 01-28006-0100-20041105 Fortinet Inc.
Page 325: Web Filter
Web filter Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering. See “Protection profile options”...
Page 326 URL exempt Category block Script filter 01-28006-0100-20041105 Web Filter setting Web Filter > Category Block > Configuration Enable or disable FortiGuard and enable and set the size limit for the cache. “Protection profile” on 232. Web filter “To Fortinet Inc.
Page 327: Content Block
Web filter Content block Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
Page 328: Configuring The Web Content Block List
“Using Perl regular expressions” on page Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list. 01-28006-0100-20041105 Web filter 350. Fortinet Inc.
Page 329: Web Url Block List
Web filter Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. This section describes: •...
Page 330: Web Pattern Block List
FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings. 01-28006-0100-20041105 Web filter Fortinet Inc.
Page 331: Web Pattern Block Options
Web filter Figure 163:Sample web pattern block list Web pattern block options Web pattern block has the following icons and features: Create New Pattern Configuring web pattern block To add a pattern to the web pattern block list Go to Web Filter > URL Block. Select Web Pattern Block.
Page 332: Url Exempt List
Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons. 01-28006-0100-20041105 Web filter Fortinet Inc.
Page 333: Category Block
• FortiGuard managed web filtering service FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
Page 334: Category Block Configuration Options
FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking.
Page 335: Configuring Web Category Block
Web filter To have a URL’s... Apply Configuring web category block To enable FortiGuard web filtering Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available.
Page 336: Category Block Reports Options
The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame. 01-28006-0100-20041105 Web filter Fortinet Inc.
Page 337 Use this command only if you need to change the host name. config webfilter catblock set ftgd_hostname guard.example.net get webfilter catblock show webfilter catblock 01-28006-0100-20041105 Category block Default Availability guard.fortinet.com All models. service fortiguar d only.
Page 338: Script Filter
You can configure the following options for script filtering: Javascript Cookies ActiveX Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications. 01-28006-0100-20041105 Web filter Fortinet Inc.
Page 339: Spam Filter
Real-time Blackhole List and Open Relay Database List servers. IP address FortiShield check Enable or disable Fortinet’s antispam IP address black list: FortiShield. This service works like an RBL server and is continuously updated to block spam sources. See “FortiShield IP address black list and spam...
Page 340 You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. “Protection profile” on 232. Spam filter “To Fortinet Inc.
Page 341: Order Of Spam Filter Operations
Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile. See spam filtering options” on page This chapter describes: •...
Page 342: Ip Address
Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons. 01-28006-0100-20041105 Spam filter Fortinet Inc.
Page 343: Configuring The Ip Address List
Spam filter Configuring the IP address list To add an IP address to the IP address list Go to Spam Filter > IP Address. Select Create New. Figure 171:Adding an IP address Enter the IP address/mask you want to add. If required, select before or after another IP address in the list to place the new IP address in the correct position.
Page 344: Rbl & Ordbl List
The action to take on email matched by the RBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to drop the session. The Delete and Edit/View icons. 01-28006-0100-20041105 Spam filter Fortinet Inc.
Page 345: Email Address
Spam filter Select Enable. Select OK. Email address The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
Page 346: Configuring The Email Address List
If no match is found, the email is passed on to the next spam filter. You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See X-mailer: outgluck X-Distribution: bulk Content_Type: text/html Content_Type: image/jpg “Using Perl regular expressions” on page 01-28006-0100-20041105 Spam filter 350. Fortinet Inc.
Page 347: Mime Headers List
Spam filter Note: MIME header entries are case sensitive. This section describes: • • • MIME headers list You can configure the FortiGate unit to filter email with specific MIME header key-value pairs. You can mark each MIME header as clear or spam. Figure 176:Sample MIME headers list MIME headers options MIME headers list has the following icons and features:...
Page 348: Banned Word
Perl regular expressions. See expressions” on page “Using Perl regular expressions” on page Banned word list Banned word options Configuring the banned word list 350. 01-28006-0100-20041105 Spam filter 350. “Using Perl regular Fortinet Inc.
Page 349: Banned Word Options
Spam filter Figure 178:Sample banned word List Banned word options Banned word has the following icons and features: Create new Total Pattern Pattern Type Language Where Action When you select Create New or Edit you can configure the following settings for the banned word.
Page 350: Configuring The Banned Word List
Mark as Clear to allow the email (since Banned Word is the last filter). Select to enable scanning for the banned word. fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To mach fortinet.com, the regular expression should be: fortinet\.com forti*\.com matches fortiiii.com but does not match fortinet.com...
Page 351 Spam filter Word boundary In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also matches any word that contains the “test” such as “atest”, “mytest”, “testimony”, “atestb”.
Page 352 ‘/’ will be parsed as a list of regexp options ('i', 'x', etc). An error occurs If the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression. 01-28006-0100-20041105 Spam filter Fortinet Inc.
Page 353: Log & Report
FortiGate-500A Administration Guide Version 2.80 MR6 Log & Report FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages, except traffic and content, can be saved in internal memory.
Page 354: Log Config
A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units and other firewall units. To enable content archiving with a firewall to select the FortiLog option and define its IP address. 01-28006-0100-20041105 Log & Report Protection profile, you need Fortinet Inc.
Page 355 Log & Report Memory Syslog WebTrends Figure 181:Log setting options for all log locations To configure Log Setting Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
Page 356 Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Antivirus Log file, Web Filter Log file, Attack Log file, Spam Filter Log file, and Content Archive file. 01-28006-0100-20041105 Log & Report Table 36, “Logging Fortinet Inc.
Page 357: Syslog Settings
Log & Report To configure log file uploading Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server.
Page 358: Alert E-Mail Options
The interval to wait before sending an alert e-mail for error level log messages. The interval to wait before sending an alert e-mail for warning level log messages. The interval to wait before sending an alert e-mail for notification level log messages. 01-28006-0100-20041105 Log & Report Fortinet Inc.
Page 359: Log Filter Options
Log & Report Information Apply Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in filter options”...
Page 360: Traffic Log
You can apply the following filters: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings. The FortiGate unit logs all traffic that violates the firewall policy settings. for more information. 01-28006-0100-20041105 Log & Report “Enabling Fortinet Inc.
Page 361 Log & Report System Activity event IPSec negotiation event DHCP service event L2TP/PPTP/PPPoE service event Admin event HA activity event Firewall authentication event Pattern update event Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
Page 362: Configuring Log Filters
The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic. 01-28006-0100-20041105 Log & Report Fortinet Inc.
Page 363 Log & Report To enable traffic logging for a firewall policy You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log. Go to Firewall > Policy. Select the Edit icon for a policy. Select Log Traffic.
Page 364: Log Access
Clear log icon. Delete the log entries from the log file (but not the file). Download icon. Download the log as a text or CSV file. View icon. Display the log file through the web-based manager. 01-28006-0100-20041105 Log & Report Fortinet Inc.
Page 365: Viewing Log Messages
Log & Report You can clear or delete, download, or view the log files by selecting the corresponding icon. To download log files from the FortiGate disk When downloading a log file, you can save the log in plain text or CSV format. Go to Log&Report >...
Page 366 Type a search word and select Go. Column settings button. Select to choose columns for log display. Select Raw to switch to an unformatted log message display. Select Formatted to switch to a log message display organized into columns. 01-28006-0100-20041105 Log & Report Fortinet Inc.
Page 367 Log & Report Choosing columns You can customize your log messages display using the Column Settings window. The column settings apply only when the formatted (not raw) display is selected. Figure 186:Column settings for viewing log messages Available fields The fields that you can add to the log message display. Show these fields in this order...
Page 368: Searching Log Messages
The log message list shows only the logs that meet your log search criteria. 365. 365. The message must contain all of the keywords The message must contain at least one of the keywords The message must contain none of the keywords 01-28006-0100-20041105 Log & Report “Viewing log “Viewing log Fortinet Inc.
Page 369: Cli Configuration
Log & Report CLI configuration This guide only covers Command Line Interface (CLI) commands and command keywords that are not represented in the web-based manager. For complete descriptions of working with CLI commands see the FortiGate CLI Reference Guide. fortilog setting Note: The command keywords for fortilog setting that are not represented in the web- based manager are localid and psksecret.
Page 370: Syslogd Setting
Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files. 01-28006-0100-20041105 Log & Report Default Availability All models. disable Fortinet Inc.
Page 371 Log & Report log syslogd setting command keywords and variables Keywords and variables facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news...
Page 372 If the show command returns you to the prompt, the settings are at default. config log syslogd setting set status enable set server 220.210.200.190 set port 601 set facility user get log syslogd setting show log syslogd setting 01-28006-0100-20041105 Log & Report Fortinet Inc.
Page 373: Fortiguard Categories
FortiGuard categories FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
Page 374 Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior. 01-28006-0100-20041105 FortiGuard categories Fortinet Inc.
Page 375 FortiGuard categories Table 38: FortiGuard categories Category name 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25.
Page 376 Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation. 01-28006-0100-20041105 FortiGuard categories Fortinet Inc.
Page 377 FortiGuard categories Table 38: FortiGuard categories Category name 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles FortiGate-500A Administration Guide Description Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
Page 378 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities. 01-28006-0100-20041105 FortiGuard categories Fortinet Inc.
Page 379: Fortigate Maximum Values
FortiGate maximum values The following table contains the maximum number of table, field, and list entries for FortiGate features. Feature system vdom (NAT/Route) system vdom (Transparent) system zone** system interface system interface secondaryip system interface ip6 prefix list system ipv6_tunnel system accprofile system admin system snmp...
Page 380 1000 1000 6000 6000 10000 10000 10000 10000 10000 1024 1024 2000 2000 5000 5000 5000 8000 20000 30000 50000 50000 50000 50000 3000 3000 5000 5000 5000 4000 5000 1000 1000 1024 1024 5000 5000 5000 5000 Fortinet Inc.
Page 381 key**...
Page 382 2, 25, 50, 100, or 250 VDOMs, determined by firmware. FortiGate model 100A 200A 300A 400A 10, 25, 50, 100, or 250 VDOMs, determined by firmware. 01-28006-0100-20041105 FortiGate maximum values 1000 3000 3600 500A 1000 1000 1000 4000 5000 1000 1000 Fortinet Inc.
Page 383: Glossary
Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
Page 384 ISP system. Router: A device that connects LANs into an internal network and routes traffic between them. Routing: The process of determining a path to use to send data to its destination.
Page 385 SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address component.
Page 386 Glossary 01-28006-0100-20041105 Fortinet Inc.
Page 387: Index
Index abr-type 169 access-list 180 active sessions HA monitor 97 address 202 virtual IP 218 administrator account netmask 112, 113 trusted host 113 advertise 176, 190 alert email enabling 359 options 358 anomaly 302 list 302 antivirus 307 antivirus updates 123 through a proxy server 124 area 183 attack updates...
Page 388 33 upgrading using the CLI 34, 36 upgrading using the web-base manager 33, 35 Fortilog logging settings 355 fortilog setting 369 Fortinet customer service 23 FortiProtect Distribution Network 120 FortiProtect Distribution Server 120 from IP system status 32...
Page 389 HA monitor 96 GRE protocol 266 group ID HA 87 grouping services 213 groups user 243 guaranteed bandwidth 199, 200 HA 84, 86 add a new unit to a functioning cluster 94 cluster ID 96 cluster members 86 configuration 86 configure a FortiGate unit for HA operation 91 configure weighted-round-robin weights 95 connect a FortiGate HA cluster 93...
Page 390 81 one-time schedule creating 215, 217 Optional Information 275 options changing system options 82 OSPF 168 out-interface 281 override master HA 88 P2 Proposal 256 passive-interface 170 passthrough PPTP 266 Password 253 01-28006-0100-20041105 Fortinet Inc.
Page 391 37 rfc1583-compatible 170 Round-Robin HA schedule 89 routemap 189 router next hop 56 router-id 170 routing 384 configuring 61 policy 149 routing table 384 schedule 214 automatic antivirus and attack definition updates 123 creating one-time 215, 217...
Page 392 33 upgrading firmware using the CLI 34, 36 firmware using the web-based manager 33, 35 Uploading a local certificate 275 URL block 328 URL exempt 331 URL options 329 User Group 254 user groups configuring 243 01-28006-0100-20041105 Fortinet Inc.
Page 393 User-defined signatures 300 user-defined TCP services 210, 211 user-defined UDP services 210, 211 Username 253, 262 virtual domain properties 136 virtual IP 218 dynamic port forwarding 222 port forwarding 218 static NAT 218 virus detected HA monitor 97 virus protection worm protection 14 VLAN overview 62...
Page 394 Index 01-28006-0100-20041105 Fortinet Inc.

Fortinet FortiGate FortiGate-500A Administration Manual

Introduction

System Status

System Network

System DHCP

System Config

System Administration

System Maintenance

System Virtual Domain

Router

Firewall

Users and Authentication

Vpn

Ips

Quick Links

Related Manuals for Fortinet FortiGate FortiGate-500A

Summary of Contents for Fortinet FortiGate FortiGate-500A