Installation and Configuration Guide, FortiGate-50R. FortiGate User Manual Volume 1, Version 2.50 MR2, 18 August 2003...
Products mentioned in this document are trademarks or registered trademarks of their respective holders. Regulatory Compliance FCC Class A Part 15 CSA/CUS For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
NAT/Route mode ... 11
Transparent mode ... 11
About this document ... 12
Document conventions ... 13
Fortinet documentation ... 14
Comments on Fortinet technical documentation ... 14
Customer service and technical support ... 15
Getting started ... 17
Package contents ... 18
Mounting ... 18
Powering on ...
Displaying the FortiGate up time ... 64
Backing up system settings ... 64
Restoring system settings ... 65
Restoring system settings to factory defaults ... 65
Changing to Transparent mode ... 65
Changing to NAT/Route mode ... 66
Restarting the FortiGate unit ... 66
Fortinet Inc.
FortiCare Service Contracts ... 81
Registering the FortiGate unit ... 82
Updating registration information ... 84
Recovering a lost Fortinet support password ... 84
Viewing the list of registered FortiGate units ... 84
Registering a new FortiGate unit ... 85
Adding or changing a FortiCare Support Contract number ... 85
Changing your Fortinet support password ...
Policy matching in detail ... 120
Changing the order of policies in a policy list ... 121
Enabling and disabling policies ... 121
Addresses ... 122
Adding addresses ... 122
Editing addresses ... 123
Deleting addresses ... 123
Organizing addresses into address groups ... 124
Configuring a Windows XP client for PPTP ... 184
Configuring L2TP ... 185
Configuring the FortiGate unit as a L2TP gateway ... 186
Configuring a Windows 2000 client for L2TP ... 189
Configuring a Windows XP client for L2TP ... 190
Network Intrusion Detection System (NIDS) ... 193
Detecting attacks ... 193
Selecting the interfaces to monitor ... 194
Disabling the NIDS ... 194
Configuring checksum verification ... 194
Viewing the signature list ... 195
Viewing attack descriptions ... 195
Enabling and disabling NIDS attack signatures ... 196
Adding user-defined signatures ...
Introduction
The FortiGate-50 Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. The FortiGate-50R is limited to a maximum of 10 users. Your FortiGate-50 is a dedicated, easily managed security device that delivers a full suite of capabilities that include: •...
Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate unit. Glossary defines many of the terms used in this document.
Document conventions
This guide uses the following conventions to describe CLI command syntax:
• angle brackets < > to indicate variable keywords. For example: execute restore config <filename_str>. You enter: restore config myfile.bak
• <xxx_str>...
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit. Comments on Fortinet technical documentation You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com. Volume 1: FortiGate Installation and Configuration Guide Describes installation and basic configuration for the FortiGate unit.
Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following: •...
Package contents (figure labels): Ethernet cables (orange: crossover; grey: straight-through), null-modem cable (RS-232), AC adapter, FortiGate-50 unit, QuickStart Guide, documentation.
Environmental specifications
Powering on
To power on the FortiGate-50 unit:
1. Connect the AC adapter to the power connection at the back of the FortiGate-50 unit.
2. Connect the AC adapter to a power outlet.
The FortiGate-50 unit starts up. The Power and Status lights light. The Status light flashes while the FortiGate-50 unit is starting up and remains lit when the system is up and running.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Figure 2: FortiGate login
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service. To connect to the FortiGate CLI, you need: •...
Factory Default DHCP configuration
When the FortiGate unit is first powered on, the external interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface. The FortiGate unit can also function as a DHCP server for your internal network.
NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
Factory default values recovered from the flattened table: administrator user name admin, password (none); internal interface IP 10.10.10.1, netmask 255.255.255.0; external interface 207.194.200.1 with default gateway 207.194.200.129; management access HTTPS and Ping on the internal interface, Ping on the external interface.
Table 5: Factory default firewall configuration (Continued)
Factory default content profiles
You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for: •...
Factory default content profile settings recovered from the flattened table (options: Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block, Pass Fragmented Emails; protocol columns: HTTP, IMAP, POP3, SMTP). One row reads block for HTTP, IMAP, POP3 and SMTP; another reads pass for all four.
Web content profile
Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 8: Web content profile Options Antivirus Scan File Block...
FortiGate unit can be configured in either of two modes: NAT/Route mode (the default) or Transparent mode. NAT/Route mode In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces are on different subnets. The following interfaces are available in NAT/Route mode: •...
Figure 4: Example Transparent mode network configuration
Configuration options
Once you have selected Transparent or NAT/Route mode operation, you can complete your configuration plan, and begin configuring the FortiGate unit. You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.
Next steps
Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation”...
NAT/Route mode installation
This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation”. This chapter describes: •...
FTP server installed on an internal network, add the IP addresses of the servers here.
“Connecting the FortiGate unit to your
(Planning worksheet: blank IP address fields, _____._____._____._____, for recording these settings.)
Advanced NAT/Route mode settings
Table 13: Advanced FortiGate NAT/Route mode settings (DHCP server)
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager”...
Optionally, set the secondary DNS server IP addresses. Enter:
set system dns secondary <IP address>
Example:
set system dns secondary 293.44.75.22
Connect the Internal interface to the hub or switch connected to your internal network. Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.
Registering your FortiGate
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
Completing the configuration
The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer. Primary DNS Server: Secondary DNS Server: _____._____._____._____...
Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
Changing to Transparent mode
1. Log into the CLI if you are not already logged in.
2. Switch to Transparent mode. Enter:
set system opmode transparent
After a few seconds, the login prompt appears.
3. Type admin and press Enter.
The following prompt appears:
Type ? for a list of commands.
Connect the Internal interface to the hub or switch connected to your internal network. Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. Figure 6: FortiGate-50 network connections In Transparent mode, the FortiGate unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge.
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.
A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
CLI configuration steps
To configure the Fortinet basic settings and a default route using the CLI:
1. Change the system to operate in Transparent mode.
2. Add the Management IP address and Netmask.
3. Add the default route to the external network.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 8: Static route to an external destination
General configuration steps
1. Set the FortiGate unit to operate in Transparent mode.
2. Configure the Management IP address and Netmask of the FortiGate unit.
CLI configuration steps
To configure the Fortinet basic settings and a static route using the CLI:
1. Set the system to operate in Transparent mode.
2. Add the Management IP address and Netmask.
3. Add the static route to the primary FortiResponse server.
To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway: 192.168.1.2
Select OK.
Using the CLI, enter:
set system opmode transparent
set system management ip 192.168.1.1 255.255.255.0
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
set system route number 2 gw1 192.168.1.2
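The two routes entered above, worked through as an added example (not from the FortiGate guide and not FortiGate code): a small Python model of the Transparent mode routing table that uses the example's own values, resolves a destination by longest-prefix match, and checks each gateway against the guide's rule that a gateway must be on the same subnet as a FortiGate interface (here the management IP). Treating 172.16.1.11 with mask 255.255.255.0 as the /24 network, the function names `validate_gateways`, `lookup` and `next_hop`, and the external test address 203.0.113.10 are this example's own choices.

```python
"""Transparent mode route lookup, modelled on the CLI example above.

Added example, not FortiGate code. Route 1 reaches the management computer
172.16.1.11 through gateway 192.168.1.3; route 2 is the default route through
the upstream router 192.168.1.2; the management IP is 192.168.1.1/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Management IP and netmask from "set system management ip".
MANAGEMENT_IFACE = ipaddress.ip_interface("192.168.1.1/255.255.255.0")


@dataclass(frozen=True)
class StaticRoute:
    number: int                  # the N in "set system route number N"
    dst: ipaddress.IPv4Network   # 0.0.0.0/0 when no dst/mask is given (default route)
    gw1: ipaddress.IPv4Address   # next hop

    @classmethod
    def from_cli(cls, number: int, gw1: str,
                 dst: str = "0.0.0.0", mask: str = "0.0.0.0") -> "StaticRoute":
        # strict=False: the guide pairs a host address (172.16.1.11) with a
        # 255.255.255.0 mask, so treat the destination as that host's /24.
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        return cls(number, net, ipaddress.ip_address(gw1))


# The two "set system route number ..." lines from the example.
ROUTES: List[StaticRoute] = [
    StaticRoute.from_cli(1, gw1="192.168.1.3", dst="172.16.1.11", mask="255.255.255.0"),
    StaticRoute.from_cli(2, gw1="192.168.1.2"),
]


def validate_gateways(routes: List[StaticRoute],
                      iface: ipaddress.IPv4Interface = MANAGEMENT_IFACE) -> List[str]:
    """Report gateways that are not on the management subnet.

    A next hop the unit cannot reach directly is silently useless: traffic
    for that route is dropped even though the route appears in the table.
    """
    return [f"route {r.number}: gateway {r.gw1} is not on {iface.network}"
            for r in routes if r.gw1 not in iface.network]


def lookup(destination: str, routes: List[StaticRoute] = ROUTES) -> Optional[StaticRoute]:
    """Longest-prefix match; the default route (prefix length 0) wins only
    when no more specific route contains the destination."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


def next_hop(destination: str, routes: List[StaticRoute] = ROUTES) -> Optional[str]:
    """Gateway the unit would forward to, or None if the table has no route."""
    route = lookup(destination, routes)
    return str(route.gw1) if route else None


if __name__ == "__main__":
    print("gateway problems:", validate_gateways(ROUTES) or "none")
    for target in ("172.16.1.11", "203.0.113.10"):  # 203.0.113.10: constructed external host
        print(f"{target} -> {next_hop(target)}")
```

Run stand-alone, the script reports no gateway problems, sends 172.16.1.11 to 192.168.1.3 and every other destination to the upstream router 192.168.1.2. Adding a route whose gateway lies outside 192.168.1.0/24 makes `validate_gateways` flag it, which is the check worth running before committing a route on a unit you manage remotely.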
System status
You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
The new host name appears on the System Status page and is added to the SNMP System Name. Changing the FortiGate firmware After you download a FortiGate firmware image from Fortinet, you can use the procedures in Table 1: Firmware upgrade procedures...
Upgrade to a new firmware version
Use the following procedures to upgrade your FortiGate to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure on page 75.
1. Go to System > Status.
2. Select Firmware Upgrade.
3. Enter the path and filename of the previous firmware image file, or select Browse and locate the file.
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
Install a firmware image from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or to re-install the current firmware.
Enter the following command:
execute reboot
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Enter the following command:
execute reboot
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
System > Update and selecting Update Now. Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
System > Update and selecting Update Now. Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
Restoring system settings
You can restore system settings by uploading a previously downloaded system settings text file:
1. Go to System > Status.
2. Select System Settings Restore.
3. Enter the path and filename of the system settings file, or select Browse and locate the file.
The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then
System status
You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. Select Refresh to manually update the information displayed.
• The source IP address of the connection.
• The source port of the connection.
• The destination IP address of the connection.
• The destination port of the connection.
• The time, in seconds, before the connection expires.
• Stop an active communication session.
Network (FDN) to update the antivirus and attack definitions and antivirus engine. You have the following update options: • • • To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page. This chapter describes: • • • •...
Configuring update logging
Adding an override server
Manually updating antivirus and attack definitions
Configuring push updates
Push updates through a NAT device
Scheduled updates through a proxy server
To make sure the FortiGate unit can connect to the FDN:
1. Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area.
2. Go to System >...
The FortiGate unit records a log message whenever an update attempt is successful. The FortiGate unit records a log message whenever it cannot connect to the FDN or whenever it receives an error message from the FDN.
Adding an override server
If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server. Go to System >...
FortiGate unit using either port 9443 or an override push port that you assign.
Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP.
If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99.
Set the Map to Port to 9443.
Set Protocol to UDP.
Select OK.
Figure 3: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device:
1. Add a new external to internal firewall policy.
2. Configure the policy with the following settings: Source Destination Schedule...
HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server may have to be configured to allow connections on this port. Virus and attack definitions updates and registration Fortinet Inc.
For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing.
Your contact information including: • First and last name • Company name • Email address (Your Fortinet support login user name and password will be sent to this email address.) • Address • Contact phone number A security question and an answer to the security question.
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password are sent to the email address provided with your contact information.
Updating registration information
You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes: •...
Figure 7: Sample list of registered FortiGate units Registering a new FortiGate unit Go to System > Update > Support and select Support Login. Enter your Fortinet support user name and password. Select Login. Select Add Registration. Select the model number of the Product Model to register.
Make the required changes to your contact information. Make the required changes to your security question and answer. Select Update Profile. Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed. Downloading virus and attack definitions updates Use the following procedure to manually download virus and attack definitions updates.
FortiGate unit is still protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.
Registering a FortiGate unit after an RMA
Network configuration
Go to System > Network to make any of the following changes to the FortiGate network settings: •...
Configuring interfaces
Use the following procedures to configure interfaces: •...
If the link status is a green arrow, the interface is up and can accept network traffic. If the link status is a red arrow, the interface is down and cannot accept traffic. To bring an interface up, see “Bringing up an interface”.
1. Go to System > Network > Interface.
2. Select Modify.
3. Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4. Select Enable.
The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address.
For the external interface, select Modify. Set Addressing mode to DHCP and select OK to change to DHCP mode. Both the IP address and Netmask change to 0.0.0.0.
Select Connect to DHCP server to automatically connect to a DHCP server. If you do not select Connect to DHCP server, the FortiGate unit will not connect to a DHCP server. You can deselect this option if you are configuring the FortiGate unit offline.
To allow a remote SNMP manager to request SNMP information by connecting to the management interface. See “Configuring SNMP” on page 106.
To allow Telnet connections to the CLI using the management interface. Telnet connections are not secure and can be intercepted by a third party.
Figure 2: Configuring the management interface
Adding DNS server IP addresses
Several FortiGate functions, including sending email alerts and URL blocking, use DNS. To set the DNS server addresses:
1. Go to System > Network > DNS.
2. Change the primary and secondary DNS server addresses as required.
3. Select Apply to save your changes.
Gateway #1 is the IP address of the primary destination for the route. Gateway #1 must be on the same subnet as a FortiGate interface. If you are adding a static route from the FortiGate unit to a single destination router, you only need to specify one gateway.
Set Device #1 to the FortiGate interface through which to route traffic to connect to Gateway #1. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules: •...
“Adding a ping server to an interface” on page 91,
to remove a route from the routing table, and to change its order in the routing
• Source address
• Protocol, service type, or port range
• Incoming or source interface
The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet using the matched destination route.
For more information about IP/MAC binding, see “IP/MAC binding” on page 137.
To view the dynamic IP list:
1. Go to System > Network > DHCP.
2. Select Dynamic IP List.
The dynamic IP list is displayed.
Figure 5: Example Dynamic IP list
System configuration
Go to System > Config to make any of the following changes to the FortiGate system configuration: •...
Setting system date and time
For effective scheduling and logging, the FortiGate system time should be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
The default idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours). Set the system idle timeout. Set the authentication timeout. Select the language for the web-based manager. Modify the dead gateway detection settings.
To set the Auth timeout
1. For Auth Timeout, type a number in minutes.
2. Select Apply.
Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see authentication” on page The default Auth Timeout is 15 minutes.
Administrator permission levels (flattened table residue):
• … the FortiGate unit, and shut down the FortiGate unit. There is only one admin user.
• … edit, or delete administrator accounts.
• Can change own administrator account password.
• Cannot make changes to system settings from the System > Status page.
• Can view the FortiGate configuration.
Editing administrator accounts
The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.
SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, you must compile the Fortinet proprietary MIBs and the standard MIBs into the SNMP manager.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you will not have to re-compile them.
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager. The FortiGate agent sends the traps listed in...
This section describes: •...
Figure 3: Sample replacement message
Customizing replacement messages
Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message list and add and edit the replacement message sections as required.
IP address of web page that sent the virus. The IP address of the computer that would have received the virus. For POP3 this is the IP address of the user’s computer that attempted to download the email containing the virus. Fortinet Inc.
Table 4: Alert email message sections (flattened; columns: Block alert: Section Start, Allowed Tags; Critical event: Section Start, Allowed Tags, Section End)
%%EMAIL_FROM%% The email address of the sender of the message in which the virus was found.
%%EMAIL_TO%% The email address of the intended receiver of the message in which the virus was found.
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
• Internal_All, added to the internal interface, matches all addresses on the internal network.
• External_All, added to the external interface, matches all addresses on the external network.
See also “Addresses”, “Virtual IPs”, and “Content profiles”.
Services
Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall.
Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface. To add an address, see “Addresses”.
For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs”.
Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
You must add user groups before you can select one in a policy. See “Configuring user groups”.
If you want users to authenticate to use other services (for example, POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet, and FTP. Users can then authenticate with the policy using HTTP, Telnet, or FTP before using the other services.
This section describes:
• Policy matching in detail
• Changing the order of policies in a policy list
• Enabling and disabling policies
See also “Logging and reporting”.
A policy that is an exception to the default policy, for example a policy to block FTP connections, must be placed above the default policy in the Int->Ext policy list. In this example, all FTP connection attempts from the internal network then match the FTP policy and are blocked. If the exception is placed below the default policy, the default policy matches first and the exception never takes effect.
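The first-match rule above, worked through in code. This is an added example and not FortiGate code: it models a policy list that is evaluated top to bottom against source address, destination address, service (or service group) and a recurring schedule, the address, service and schedule objects described in the sections that follow. The 0.0.0.0/0.0.0.0 "any" address and the Int->Ext ordering rule come from the text; the address, service group and policy names (Finance_Net, Admin_PC, AUTH_SERVICES, Block_FTP, Deny_Web_Weekend) are constructed for illustration.

```python
"""First-match evaluation of a FortiGate-style policy list.

Added example, not FortiGate code.  Names such as Finance_Net, Admin_PC,
AUTH_SERVICES, Block_FTP and Deny_Web_Weekend are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Predefined services as (protocol, port); ANY matches every service.
SERVICES = {
    "HTTP": [("tcp", 80)],
    "TELNET": [("tcp", 23)],
    "FTP": [("tcp", 21)],
    "POP3": [("tcp", 110)],
    "PING": [("icmp", None)],
    "ANY": [("any", None)],
}
# A service group is a named list of services.
SERVICE_GROUPS = {"AUTH_SERVICES": ["HTTP", "TELNET", "FTP", "POP3"]}

# Addresses are "IP/netmask"; 0.0.0.0/0.0.0.0 matches all addresses.
ADDRESSES = {
    "Internal_All": "0.0.0.0/0.0.0.0",
    "External_All": "0.0.0.0/0.0.0.0",
    "Finance_Net": "192.168.1.0/255.255.255.0",
    "Admin_PC": "192.168.1.10/255.255.255.255",
}

ALL_DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONDAY = datetime(2003, 8, 18, 10, 0)    # 18 August 2003 was a Monday
SUNDAY = datetime(2003, 8, 17, 10, 0)


def address_matches(name, ip):
    """True if ip falls inside the named address (network or single host)."""
    network = ipaddress.IPv4Network(ADDRESSES[name], strict=False)
    return ipaddress.IPv4Address(ip) in network


@dataclass
class Policy:
    name: str
    source: str
    destination: str
    service: str
    action: str                  # "ACCEPT" or "DENY"
    days: tuple = ALL_DAYS       # recurring schedule: active days ...
    start_hour: int = 0          # ... and 24-hour start/stop hours
    stop_hour: int = 24
    enabled: bool = True

    def service_matches(self, proto, port):
        names = SERVICE_GROUPS.get(self.service, [self.service])
        for n in names:
            for sproto, sport in SERVICES[n]:
                if sproto == "any" or (sproto == proto and sport in (None, port)):
                    return True
        return False

    def schedule_active(self, when):
        return (ALL_DAYS[when.weekday()] in self.days
                and self.start_hour <= when.hour < self.stop_hour)


def match_policy(policies, src, dst, proto, port, when):
    """Walk the list top to bottom; return the first enabled policy whose
    source, destination, service and schedule all match, or None."""
    for p in policies:
        if (p.enabled
                and address_matches(p.source, src)
                and address_matches(p.destination, dst)
                and p.service_matches(proto, port)
                and p.schedule_active(when)):
            return p
    return None


def decide(policies, src, dst, proto, port, when):
    """Action applied to the connection.  With no matching policy the packet
    is dropped, which is why the default policy sits last and matches all."""
    p = match_policy(policies, src, dst, proto, port, when)
    return p.action if p else "DROP"


# Int->Ext list: two exceptions placed above the default policy.
INT_TO_EXT = [
    Policy("Deny_Web_Weekend", "Finance_Net", "External_All", "HTTP", "DENY",
           days=("Sat", "Sun")),
    Policy("Block_FTP", "Internal_All", "External_All", "FTP", "DENY"),
    Policy("Default", "Internal_All", "External_All", "ANY", "ACCEPT"),
]
# The same policies with the default policy first: the exceptions are
# shadowed and never match.
MISORDERED = [INT_TO_EXT[2], INT_TO_EXT[0], INT_TO_EXT[1]]

if __name__ == "__main__":
    print(decide(INT_TO_EXT, "192.168.1.10", "203.0.113.5", "tcp", 21, MONDAY))
    print(decide(INT_TO_EXT, "192.168.1.10", "203.0.113.5", "tcp", 80, SUNDAY))
    print(decide(MISORDERED, "192.168.1.10", "203.0.113.5", "tcp", 21, MONDAY))
```

Run as a script, the three lines print DENY, DENY and ACCEPT: the misordered list accepts the FTP connection that the well-ordered list blocks, which is exactly the shadowing the text warns about.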
Enter the IP Address. This can be:
• The IP address of a single computer (for example, 192.45.46.45).
• The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet).
• 0.0.0.0 to represent all possible IP addresses.
Enter the NetMask. The netmask should correspond to the type of address that you are adding. For example:
• 255.255.255.255 for the address of a single computer.
• 255.255.255.0 for a class C subnetwork.
• 0.0.0.0 for all possible IP addresses.
Note: To add an address that represents any address on a network, set the IP Address to 0.0.0.0 and the NetMask to 0.0.0.0.
Select OK to add the address.
To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. Select OK to add the address group.
Figure 8: Adding an internal address group
Services
Use services to control the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create your own custom services and add services to service groups.
Table 5: FortiGate predefined services (partial; service names for this part of the table were not recovered). Protocol/Port column: 1720, 1503; 6660-6669; 1701; 1720; 111, 2049; 5632; icmp; 1723; QUAKE (for connections used by the popular Quake multi-player computer game): 26000, 27000, 27910, 27960.
Table 5: FortiGate predefined services (continued). Service names: RAUDIO, RLOGIN, SMTP, SNMP, SYSLOG, TALK, TELNET, TFTP, UUCP, VDOLIVE, WAIS, WINFRAME, X-WINDOWS.
Providing access to custom services
Add a custom service if you need to create a policy for a service that is not in the predefined service list.
To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group. Select OK to add the service group.
Figure 9: Adding a service group
Schedules
Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly.
Select the days of the week on which the schedule should be active. Set the Start and Stop hours between which the schedule should be active. Recurring schedules use the 24-hour clock. Select OK to save the recurring schedule.
Figure 11: Adding a recurring schedule
Adding a schedule to a policy
After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them. Go to Firewall >...
...IP address set for this external interface using PPPoE or DHCP.
This section describes:
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs
Figure 12: Adding a static NAT virtual IP
In the Map to IP field, enter the real IP address on the destination network, for example, the IP address of a web server on an internal network.
Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address.
Set Action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access. Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
Configure Authentication, Log Traffic, and Anti-Virus & Web filter as required. Select OK to save the policy.
IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface.
...IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to originate from all of the IP addresses in the IP pool.
IP/MAC binding
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. The IP address of a computer can easily be changed to a trusted address. MAC addresses are assigned to Ethernet cards at the factory and, although most operating systems let an attacker override them in software, a spoofed packet must then match both the IP and the MAC address in the binding table. Note that the FortiGate unit only sees the MAC address of hosts on its directly connected network segments; for traffic that arrives through a router, the MAC address belongs to the router, not to the original sender.
A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
• is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,
• is blocked if IP/MAC binding is set to Block traffic.
Enter the IP address and the MAC address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list.
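The binding rules above, as a lookup table you can exercise. This is an added example, not FortiGate code; the table entries and MAC addresses are constructed. The text gives the rule for packets whose IP and MAC are both absent from the table (Allow traffic or Block traffic), the one-MAC-many-IPs constraint, and the 0.0.0.0 wildcard. The rule that a packet whose IP or MAC is in the table but whose pair does not match is treated as spoofed and blocked is the usual anti-spoofing reading of IP/MAC binding and is an assumption here.

```python
"""IP/MAC binding table with the lookup rules described above.

Added example, not FortiGate code.  Entries are constructed.  The
"known but mismatched pair is blocked" rule is an assumption (see lead-in).
"""
from dataclasses import dataclass

ANY_IP = "0.0.0.0"     # wildcard: bind a MAC address to every IP address


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str


class IPMACBindingTable:
    def __init__(self, undefined_action="Block"):
        # Action for packets with neither IP nor MAC in the table:
        # "Allow" (Allow traffic) or "Block" (Block traffic).
        if undefined_action not in ("Allow", "Block"):
            raise ValueError("undefined_action must be 'Allow' or 'Block'")
        self.undefined_action = undefined_action
        self.entries = []

    def add(self, ip, mac):
        """Several IPs may share one MAC, but one IP may not be bound to
        several MACs.  0.0.0.0 is the wildcard and may repeat."""
        mac = mac.lower()
        if ip != ANY_IP:
            for e in self.entries:
                if e.ip == ip and e.mac != mac:
                    raise ValueError(f"{ip} is already bound to {e.mac}")
        entry = Binding(ip, mac)
        if entry not in self.entries:
            self.entries.append(entry)

    def allowed(self, ip, mac):
        """Decide whether a packet with this source IP/MAC pair may pass."""
        mac = mac.lower()
        ip_known = any(e.ip == ip for e in self.entries)
        mac_known = any(e.mac == mac for e in self.entries)
        if not ip_known and not mac_known:
            return self.undefined_action == "Allow"
        # Exact pair, or the MAC is bound to the 0.0.0.0 wildcard.  Any other
        # combination means one half of a known pair was spoofed: block.
        return any(e.mac == mac and e.ip in (ip, ANY_IP) for e in self.entries)


def build_sample_table(undefined_action="Block"):
    """Constructed table: two hosts on one card, one card allowed any IP."""
    t = IPMACBindingTable(undefined_action)
    t.add("192.168.1.10", "00:09:0F:AA:BB:CC")
    t.add("192.168.1.11", "00:09:0f:aa:bb:cc")   # second IP, same MAC: fine
    t.add(ANY_IP, "00:09:0f:dd:ee:ff")           # wildcard for a DHCP host
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print(table.allowed("192.168.1.10", "00:09:0f:aa:bb:cc"))   # True
    print(table.allowed("192.168.1.10", "00:09:0f:99:99:99"))   # False: spoof
    print(table.allowed("10.0.0.6", "00:09:0f:00:00:00"))       # False: undefined, Block
```

The `add` check enforces the constraint stated in the text (one IP, one MAC) at entry time rather than at lookup time, which is where a mis-typed binding would otherwise silently lock out a legitimate host.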
This section describes:
• Configuring oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP policies
• Passing fragmented email for POP3, SMTP, and IMAP policies
• Default content profiles
• Adding a content profile
• Adding a content profile to a policy
You should only enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See “File blocking”.
Block unwanted web pages and web sites. This option adds Fortinet URL blocking (see “URL blocking”) and Cerberian web filtering (see “Using the Cerberian web filter”)...
Block or pass files and email that exceed thresholds configured as a percent of system memory. See “Blocking oversized files and emails”. Allow email messages that have been fragmented to bypass antivirus scanning. See “Exempting fragmented email from blocking”.
Select New to add a new policy, or choose a policy and select Edit.
Select Anti-Virus & Web filter.
Select a content profile.
Configure the remaining policy settings if required.
Select OK.
Repeat this procedure for any policies for which you want to enable network protection.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database.
Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See “Configuring RADIUS support”.
Select Try other servers if connect to selected server fails if you have selected RADIUS and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. Select OK.
Figure 17: Adding a user name
Deleting user names from the internal database
You cannot delete user names that have been added to user groups.
Deleting RADIUS servers
You cannot delete RADIUS servers that have been added to user groups. Go to User > RADIUS. Select Delete beside the RADIUS server name that you want to delete. Select OK.
Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server, so the path between the FortiGate unit and the LDAP server should be a trusted network.
Figure 19: Example LDAP configuration
Deleting LDAP servers
You cannot delete LDAP servers that have been added to user groups. Go to User > LDAP. Select Delete beside the LDAP server name that you want to delete. Select OK.
Configuring user groups
To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
You cannot delete user groups that have been selected in a policy, a dialup user phase 1 configuration, or in a PPTP or L2TP configuration.
To delete a user group: Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
IPSec VPN
A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices.
IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.
AutoIKE with pre-shared keys
When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other. The pre-shared key is the only secret that authenticates the peers, so use a long, random value and distribute it out of band.
Manual key IPSec VPNs
When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to the encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that identifies the security association between the peers: the local SPI at one end must be entered as the remote SPI at the other end, and vice versa. Because manual keys do not change until an administrator changes them, they should be rotated periodically.
...16 characters. Enter a 40 character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments: the first of 16 characters, the second of 24 characters.
See “Adding a VPN concentrator”.
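A pre-entry check for the complementary parameters described above, as an added example that is not FortiGate code. It validates one peer's SPIs and key lengths and then checks that two peers' configurations mirror each other (each side's local SPI is the other side's remote SPI; algorithms and keys identical), which is the most common reason a manual-key tunnel never passes traffic. The 16-character and 40-character (split 16 + 24) hexadecimal key formats come from the text; the mapping of those lengths to algorithms (16 hex characters for a DES key, 40 for a SHA-1 HMAC key), the other table entries, the field names and the sample tunnels are assumptions for illustration. The SPI lower bound follows RFC 4303, which reserves SPI values 0 to 255.

```python
"""Complementarity and key-length check for manual-key IPSec tunnels.

Added example, not FortiGate code.  Algorithm-to-length table, field names
and the HQ/Branch sample values are assumptions (see lead-in).
"""
import re
from dataclasses import dataclass

HEX = re.compile(r"^[0-9A-Fa-f]+$")
# Hex characters required per key (assumed mapping).
ENCRYPTION_KEY_HEX = {"DES": 16, "3DES": 48}
AUTHENTICATION_KEY_HEX = {"MD5": 32, "SHA1": 40}


@dataclass
class ManualKeyTunnel:
    name: str
    local_spi: str            # SPI this peer expects on inbound packets
    remote_spi: str           # SPI this peer puts on outbound packets
    encryption: str
    encryption_key: str
    authentication: str
    authentication_key: str


def split_key(key):
    """Split a 40-character key into the 16 + 24 segments the form takes."""
    if len(key) != 40:
        raise ValueError("only 40-character keys are entered in two segments")
    return key[:16], key[16:]


def validate(t):
    """Problems with a single peer's configuration (empty list if none)."""
    problems = []
    for label, spi in (("local SPI", t.local_spi), ("remote SPI", t.remote_spi)):
        # SPIs 0..255 are reserved (RFC 4303); the field is hexadecimal.
        if not HEX.match(spi) or not 0x100 <= int(spi, 16) <= 0xFFFFFFFF:
            problems.append(f"{t.name}: {label} {spi!r} must be hex in 100..ffffffff")
    checks = (("encryption", t.encryption, t.encryption_key, ENCRYPTION_KEY_HEX),
              ("authentication", t.authentication, t.authentication_key,
               AUTHENTICATION_KEY_HEX))
    for label, alg, key, table in checks:
        if alg not in table:
            problems.append(f"{t.name}: unknown {label} algorithm {alg!r}")
        elif not HEX.match(key) or len(key) != table[alg]:
            problems.append(f"{t.name}: {alg} {label} key must be "
                            f"{table[alg]} hex characters, got {len(key)}")
    return problems


def complementary(a, b):
    """Problems that would stop peers a and b from talking: each side's
    local SPI must be the other's remote SPI, and algorithms and keys must
    be identical at both ends."""
    problems = validate(a) + validate(b)
    if a.local_spi.lower() != b.remote_spi.lower():
        problems.append(f"{a.name} local SPI != {b.name} remote SPI")
    if a.remote_spi.lower() != b.local_spi.lower():
        problems.append(f"{a.name} remote SPI != {b.name} local SPI")
    for field in ("encryption", "encryption_key",
                  "authentication", "authentication_key"):
        if getattr(a, field).lower() != getattr(b, field).lower():
            problems.append(f"{field} differs between {a.name} and {b.name}")
    return problems


# Constructed sample values (not real keys).
SHA1_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
HQ = ManualKeyTunnel("HQ", "1000", "2000", "DES", "0123456789ABCDEF",
                     "SHA1", SHA1_KEY)
BRANCH = ManualKeyTunnel("Branch", "2000", "1000", "DES", "0123456789ABCDEF",
                         "SHA1", SHA1_KEY)
# Same form copied verbatim at the branch without swapping the SPIs.
BRANCH_MISCOPIED = ManualKeyTunnel("Branch", "1000", "2000", "DES",
                                   "0123456789ABCDEF", "SHA1", SHA1_KEY)

if __name__ == "__main__":
    print(complementary(HQ, BRANCH))              # []
    for p in complementary(HQ, BRANCH_MISCOPIED):
        print(p)
    print(split_key(SHA1_KEY))
```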
AutoIKE IPSec VPNs
Fortinet supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
General configuration steps for an AutoIKE VPN
An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate”.
...CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.)
Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
...VPN peer proactively probes its state. After this period of time expires, the local peer sends a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
Figure 21: Adding a phase 1 configuration
Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Select OK to save the AutoIKE key VPN tunnel. See also “Adding a phase 1 configuration for an AutoIKE VPN”, “Adding a VPN concentrator”, and “Redundant IPSec...
...VPN tunnel being set up between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
FortiGate unit (such as Manufacturing or MF). Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet). Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
Figure 23: Adding a Local Certificate
Downloading the certificate request
With this procedure, you download the certificate request from the FortiGate unit to the management computer.
To download the certificate request: Go to VPN > Local Certificates. Select Download. Select Save.
On the CA web server, add a base64 encoded PKCS#10 certificate request: paste the certificate request into the CA web server and submit it.
To import the signed certificate: Go to VPN > Local Certificates. Select Import.
Enter the path or browse to locate the signed local certificate on the management computer. Select OK. The signed local certificate is displayed in the Local Certificates list with a status of OK.
Obtaining a CA certificate
For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority.
• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
• Logging so that the FortiGate unit logs all connections that use the VPN.
This section describes:
• Adding a source address
• Adding a destination address
• Adding an encrypt policy
Adding a source address
The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network. Go to Firewall > Address. Select an internal interface. (Methods differ slightly between FortiGate models.) Select New to add an address.
...Destination. (This will be a public IP address.) The tunnel, and the traffic within the tunnel, can only be initiated at the end which implements Outbound NAT.
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
Destination: The VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Inbound NAT: Select inbound NAT if required.
See “Adding an encrypt policy”. Policy order: the encrypt policies, then the default non-encrypt policy (Internal_All -> External_All).
Adding a VPN concentrator
To add a VPN concentrator configuration: Go to VPN > IPSec > Concentrator. Select New to add a VPN concentrator. Enter the name of the new concentrator in the Concentrator Name field. To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
• The local VPN spoke address
• External_All
See “Adding an encrypt policy”, “Manual key IPSec VPNs”, and “AutoIKE IPSec VPNs”.
Policy fields: Action, VPN Tunnel, Allow inbound (do not enable), Allow outbound, Inbound NAT, Outbound NAT (select outbound NAT if required).
Arrange the policies in the following order:
• the encrypt policies
• the default non-encrypt policy (Internal_All -> External_All)
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
...an Internal->External and an Internal->DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See “Adding an encrypt policy”.
Monitoring and troubleshooting VPNs
This section provides a number of general maintenance and monitoring procedures for VPNs.
Viewing VPN tunnel status
You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels.
The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
PPTP and L2TP VPN
You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are Windows standards, PPTP and L2TP do not require third-party software on the client computer.
Select the User Group that you added in “Configuring user groups”. Select Apply to enable PPTP through the FortiGate unit. See also “Adding user names and configuring authentication” and “Adding users and user groups”.
Figure 30: Example PPTP Range configuration
Adding a source address
Add a source address for every address in the PPTP address range. Go to Firewall > Address. Select the interface to which PPTP clients connect. Select New to add an address. Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
Go to Start > Settings > Control Panel > Network. Select Add. Select Adapter. Select Add. Select Microsoft as the manufacturer. Select Microsoft Virtual Private Networking Adapter. Select OK twice. Insert diskettes or CDs as required.
Restart the computer.
Configuring a PPTP dialup connection
Go to My Computer > Dial-Up Networking > Configuration. Double-click Make New Connection. Name the connection and select Next. Enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish.
...PPTP encryption is not supported for RADIUS server authentication. Without Require data encryption, the PPTP tunnel carries traffic in the clear across the Internet, so treat such a connection as unencrypted.
Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected. Select the Networking tab.
Make sure that the following options are selected: • • Make sure that the following options are not selected: • • Select OK.
Connecting to the PPTP VPN
Connect to your ISP. Start the VPN connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password.
Select the User Group that you added in “Configuring user groups”. Select Apply to enable L2TP through the FortiGate unit. See also “Adding user names and configuring authentication” and “Adding users and user groups”.
Figure 32: Sample L2TP address range configuration
Adding a source address
Add a source address for every address in the L2TP address range. Go to Firewall > Address. Select the interface to which L2TP clients connect. Select New to add an address.
Set Action to ACCEPT. Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for L2TP policies. Select OK to save the firewall policy.
Configuring a Windows 2000 client for L2TP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN.
Configuring an L2TP dialup connection
Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next.
...FortiGate unit to connect to and select Next. Select Finish.
Configuring the VPN connection
Right-click the icon that you have created. Select Properties > Security. Select Typical to configure typical settings. Select Require data encryption.
Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication. L2TP itself provides no encryption, so without this option the tunnel carries traffic in the clear and should be treated as unencrypted.
Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected.
In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
Network Intrusion Detection System (NIDS)
The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
For example, you might not need to run checksum verification if your FortiGate unit is installed behind a router that also does checksum verification. Go to NIDS > Detection > General.
Open a web browser and enter this URL: http://www.fortinet.com/ids/ID<attack-ID> Remember to include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL: http://www.fortinet.com/ids/ID101646338 Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack.
Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.
Figure 35: Example user-defined signature list
Downloading the user-defined signature list
You can back up the user-defined signature list by downloading it to a text file on the management computer. Go to NIDS > Detection > User Defined Signature List. Select Download.
You can enable only the default NIDS attack prevention signatures, or disable all signatures in the NIDS attack prevention list (see Table 6). The threshold depends on the type of attack. For flooding attacks, the threshold is the number of packets from one source address that the FortiGate unit accepts before it blocks that source.
For example, setting the icmpflood signature threshold to 500 allows 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate unit blocks the attacker to eliminate disruption of system operations.
This section describes:
• Logging attack messages to the attack log
• Reducing the number of NIDS attack log and email messages
Table residue (signature name not recovered): Minimum value 3000, Maximum value 10240, Default value 1024.
Reducing the number of NIDS attack log and email messages
Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, the FortiGate unit provides methods to reduce the number of unnecessary messages. Based on the frequency with which messages are generated, the FortiGate unit automatically deletes duplicates.
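The icmpflood threshold and the duplicate suppression just described, run over a constructed packet stream. This is an added example and not FortiGate code: a per-source counter replies to echo requests up to the threshold and blocks the source from the next packet on, and an attack log keeps the first message for each (signature, source, destination) and drops repeats that arrive soon after. The threshold of 500 comes from the text; the one-second counting window, the 60-second suppression interval, the log line format and the packet stream are assumptions.

```python
"""Per-source flood threshold with attack-log de-duplication.

Added example, not FortiGate code.  Window, suppression interval, log
format and the packet stream are assumptions (see lead-in).
"""
from collections import defaultdict, deque


class FloodDetector:
    def __init__(self, threshold=500, window=1.0):
        self.threshold = threshold
        self.window = window                  # seconds (assumed)
        self.recent = defaultdict(deque)      # src -> request times in window
        self.blocked = set()

    def echo_request(self, src, ts):
        """'reply' while the source is within threshold, 'block' after."""
        if src in self.blocked:
            return "block"
        q = self.recent[src]
        while q and ts - q[0] >= self.window:   # drop requests outside window
            q.popleft()
        q.append(ts)
        if len(q) > self.threshold:             # 501st request at threshold 500
            self.blocked.add(src)
            return "block"
        return "reply"


class AttackLog:
    """Keeps the first message for each (signature, src, dst) and drops
    repeats that arrive within suppress_seconds of it."""
    def __init__(self, suppress_seconds=60.0):
        self.suppress_seconds = suppress_seconds
        self.entries = []
        self.suppressed = 0
        self._last = {}

    def record(self, ts, signature, src, dst):
        key = (signature, src, dst)
        last = self._last.get(key)
        if last is not None and ts - last < self.suppress_seconds:
            self.suppressed += 1
            return None
        self._last[key] = ts
        line = f"time={ts:.3f} attack={signature} src={src} dst={dst} action=block"
        self.entries.append(line)
        return line


def simulate(n_packets, threshold=500, src="10.0.0.9", dst="192.168.1.1"):
    """Send n_packets echo requests 1 ms apart from one constructed source;
    return (replies sent, packets blocked, attack log lines written)."""
    detector = FloodDetector(threshold)
    log = AttackLog()
    replies = blocks = 0
    for i in range(n_packets):
        ts = i / 1000.0
        if detector.echo_request(src, ts) == "reply":
            replies += 1
        else:
            blocks += 1
            log.record(ts, "icmpflood", src, dst)
    return replies, blocks, log.entries


if __name__ == "__main__":
    replies, blocks, lines = simulate(600)
    print(replies, blocks, len(lines))   # 500 100 1
    for line in lines:
        print(line)
```

Six hundred requests produce 500 replies, 100 blocked packets and a single log line: the 99 repeat messages are counted in `AttackLog.suppressed` rather than written, which is the behaviour the text describes for duplicate attack messages.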
Antivirus protection
Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection, and the treatment of fragmented email and oversized files or email.
Figure 37: Example content profile for virus scanning
File types shown in the figure include cdimage, floppy image, .ace, .bzip2, and .Tar+Gzip+Bzip2. See “Adding a content profile” and “Adding a content profile to a policy”.
File blocking
Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus that is so new that antivirus scanning cannot detect it. You would not normally run the FortiGate unit with blocking enabled.
To display the virus list, go to Anti-Virus > Config > Virus List. Scroll through the virus and worm list to view the names of all viruses and worms in the list.
Web filtering
Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.
You can enter multiple banned words or phrases and then select Check All to activate all items in the banned word list.
Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked. See “Customizing replacement messages”.
Figure 38: Example banned word list
URL blocking
You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter.
Using the FortiGate web filter
You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address.
Go to Web Filter > URL Block. Select Clear URL Block List to remove all URLs and patterns from the URL block list. Use Page Up and Page Down to navigate through the URL block list. Select Check All to enable all items in the list.
Downloading the URL block list
You can back up the URL block list by downloading it to a text file on the management computer. Go to Web Filter > URL Block. Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Select Cerberian URL Filtering. Select New. See “Installing a Cerberian license key on the...”, “Using the Cerberian web filter”, and “Adding a Cerberian user to...”.
Enter the IP address and netmask of the user computers. You can enter the IP address of a single user, for example 192.168.100.19 255.255.255.255. You can also enter a subnet for a group of users, for example 192.168.100.0 255.255.255.0. Enter an alias for the user.
Enabling the script filter
Selecting script filter options
Select the script filter options that you want to enable. You can block Java applets, cookies, and ActiveX. Select Apply.
Figure 41: Example script filter settings to block Java applets and ActiveX
Exempt URL list
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked.
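The URL block list, patterns and exempt list above, as one request-checking routine. This is an added example and not FortiGate code. From the text: a top-level URL or IP address in the block list blocks every page on that site, the list may also hold patterns, and an exempt URL lets through pages that content or URL blocking would otherwise stop (so the exempt list is consulted first). The "*" wildcard syntax for patterns, the rule that a bare domain also covers its subdomains, and the sample lists and page texts are assumptions.

```python
"""HTTP request check against URL block list, patterns and exempt list.

Added example, not FortiGate code.  Wildcard syntax, subdomain rule and
the sample lists are assumptions (see lead-in).
"""
import fnmatch
from urllib.parse import urlsplit


def _entry_matches(entry, host, path):
    """Does one block/exempt list entry cover host+path?"""
    entry = entry.lower().rstrip("/")
    target = host + path
    if "*" in entry:                          # wildcard pattern (assumed syntax)
        return fnmatch.fnmatchcase(target, entry)
    if "/" in entry:                          # URL with a path: that page and below
        return target == entry or target.startswith(entry + "/")
    # Top-level URL or IP address: the whole site, subdomains included
    return host == entry or host.endswith("." + entry)


class WebFilter:
    def __init__(self, url_block=(), exempt=(), banned_words=()):
        self.url_block = list(url_block)
        self.exempt = list(exempt)
        self.banned_words = [w.lower() for w in banned_words]

    def check(self, url, page_text=""):
        """Return the filter decision for a request and the page it fetches."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/")
        # Exempt list wins over both content blocking and URL blocking.
        if any(_entry_matches(e, host, path) for e in self.exempt):
            return "allow (exempt)"
        if any(_entry_matches(e, host, path) for e in self.url_block):
            return "block (URL)"
        found = [w for w in self.banned_words if w in page_text.lower()]
        if found:
            return "block (content: " + ", ".join(found) + ")"
        return "allow"


# Constructed sample configuration.
FILTER = WebFilter(
    url_block=["example.com", "192.0.2.10", "*casino*", "example.org/games"],
    exempt=["news.example.org"],
    banned_words=["pornography"],
)

if __name__ == "__main__":
    print(FILTER.check("http://www.example.com/any/page.html"))
    print(FILTER.check("http://news.example.org/story", "a story about pornography"))
    print(FILTER.check("http://other.example.net/", "pornography site"))
```

The exempt check runs before the banned-word scan, so the reputable news story in the text's own example is allowed even though its text contains the banned word, while the same text on an unlisted site is still blocked.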
Email filter
Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email:
...the FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, “banned word”), the FortiGate unit tags all email in which the words are found together as a phrase.
Email block list
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log.
To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
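The banned-word, block-list and exempt-list behaviour described in this chapter can be modelled in a few dozen lines. The following is an added illustration written for this guide; it is not FortiOS code or Fortinet's implementation. The tag text "Spam", the constructed sample messages, the substring match for sender patterns and the rule that an exempt sender wins over every other check are assumptions; what the page does state is modelled directly: a quoted phrase is stored with plus signs in place of spaces and only matches when its words appear together, an unquoted word matches anywhere, a matching message gets a subject tag and a log entry, and typing a top-level domain such as net exempts every sender under it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not taken from the manual).
SAMPLE_MAIL = [
    {"from": "news@example.net", "subject": "Weekly digest",
     "body": "Your banned word of the day"},
    {"from": "offers@spammer.example", "subject": "Hot deal",
     "body": "A banned phrase appears here"},
    {"from": "friend@example.org", "subject": "Hello",
     "body": "The word banned appears, and the phrase is later"},
    {"from": "sales@bulk.example.com", "subject": "Sale",
     "body": "Nothing suspicious"},
]


@dataclass
class EmailFilter:
    banned: list            # patterns as typed in the UI: banned or "banned word"
    block_senders: list     # unwanted address patterns, e.g. spammer.example
    exempt: list            # domain suffixes, e.g. net or example.net
    tag: str = "Spam"       # assumed tag text; the manual does not state the default
    log: list = field(default_factory=list)

    def _stored_patterns(self):
        # A quoted phrase is stored with plus signs in place of spaces (banned+phrase).
        stored = []
        for p in self.banned:
            if len(p) >= 2 and p[0] == '"' and p[-1] == '"':
                stored.append(p[1:-1].replace(" ", "+"))
            else:
                stored.append(p)
        return stored

    @staticmethod
    def _pattern_regex(stored):
        # Words joined by + must appear together, in order; a lone word matches anywhere.
        words = [re.escape(w) for w in stored.split("+")]
        return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)

    def _is_exempt(self, sender):
        domain = sender.rsplit("@", 1)[-1].lower()
        labels = domain.split(".")
        # "net" exempts every sender under .net; "example.net" exempts only that domain.
        # An exempt entry as broad as a top-level domain therefore bypasses all other checks.
        for e in self.exempt:
            suffix = e.lower().split(".")
            if labels[-len(suffix):] == suffix:
                return True
        return False

    def _sender_blocked(self, sender):
        # Assumed matching rule: the pattern is a case-insensitive substring of the address.
        return any(p.lower() in sender.lower() for p in self.block_senders)

    def apply(self, msg):
        """Return a copy of msg, tagged if any rule fires; exempt senders are never tagged."""
        sender = msg["from"]
        if self._is_exempt(sender):
            return dict(msg)
        reasons = []
        if self._sender_blocked(sender):
            reasons.append("blocked sender")
        text = msg["subject"] + "\n" + msg["body"]
        for stored in self._stored_patterns():
            if self._pattern_regex(stored).search(text):
                reasons.append("banned pattern " + stored)
        if not reasons:
            return dict(msg)
        tagged = dict(msg)
        tagged["subject"] = f"{self.tag} {msg['subject']}"
        self.log.append(f"{sender}: {', '.join(reasons)}")
        return tagged


def run_filter(messages, **kwargs):
    """Apply one filter configuration to a list of messages; return (tagged messages, log)."""
    f = EmailFilter(**kwargs)
    return [f.apply(m) for m in messages], f.log


if __name__ == "__main__":
    tagged, log = run_filter(SAMPLE_MAIL, banned=['"banned phrase"', "deal"],
                             block_senders=["spammer.example"], exempt=["net"])
    for m in tagged:
        print(m["from"], "->", m["subject"])
    print("log:", log)
```

Running the block shows the distinction the chapter draws: with the quoted pattern "banned phrase", the message whose body reads "The word banned appears, and the phrase is later" is left alone because the two words are not together, while an unquoted banned would tag it. It also shows why a top-level-domain exemption is worth reviewing: the .net sender carries a banned word and is still delivered untagged.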
Logging and reporting
You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
For each Log type, select the activities for which you want the FortiGate unit to record log messages. Select OK.
Select the log types that you want the FortiGate unit to record.
Traffic Log
Event Log
Virus Log
Web Filtering Log: Record activity events, such as URL and content blocking, and exemption
Attack Log
Email Filter Log
Update
Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
IP addresses to host names, record session or packet information, display the port number or service.
Configuring traffic filter settings
Use the following procedure to configure the information recorded in all traffic log messages. Go to Log&Report > Log Setting > Traffic Filter. Select the settings that you want to apply to all Traffic Log messages.
Resolve IP
Type
Display...
Select the service group or individual service for which you want the FortiGate unit to log traffic messages.
To add alert email addresses
Go to Log&Report > Alert Mail > Configuration. Select Authentication if your email server requires an SMTP password. In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com.
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network.
ISP system.
Router: A device that connects LANs into an internal network and routes traffic between them.
Routing: The process of determining a path to use to send data to its destination.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component.
Index
accept policy 117
action policy option 117
ActiveX 214
removing from web pages 214
address 122
adding 122
editing 123
group 124
IP/MAC binding 138
virtual IP 131
address group 124
example 124
address name 122
admin access level...
DNS IP DHCP setting 99
domain DHCP 99
downloading attack definition updates 86, 87
virus definition updates 86, 87
dynamic IP list viewing 100
dynamic IP pool IP pool 117
dynamic IP/MAC list 137
viewing 139
IP address SNMP 107
fixed port 117
FortiCare service contracts 81
support contract number 85
Fortinet customer service 15
Fortinet support recovering a lost password 84
FortiResponse Distribution Network 72
connecting to 72
FortiResponse Distribution Server 72...
matching policy 120
maximum bandwidth 118
messages replacement 107
FortiGate 107
monitor system status 67, 68, 69
monitored interfaces 194
MTU size 93
changing 93
definition 230
improving network performance 93
policy option 117
push updates 76
oversized files and email blocking 206
password adding 146
changing administrator account 105
Fortinet support 86
recovering a lost Fortinet support 84
PAT 133
permission administrator account 105
policy accept 117
Anti-Virus & Web filter 119...
read only access level administrator account 104
recording logs 221
recording logs on NetIQ WebTrends server 222
recovering a lost Fortinet support password 84
recurring schedule 130
creating 130
registered FortiGate units viewing the list of 84
registering...
squidGuard 211
SSH 127, 231
SSL 229
service definition 126
starting IP DHCP 23, 99
PPTP 180, 186
static IP/MAC list 137
static NAT virtual IP 131
adding 132
static route adding 96
status IPSec VPN tunnel 177
viewing dialup connection status 177
viewing VPN tunnel status 177
subnet definition 231...
Windows XP configuring for L2TP 190
configuring for PPTP 184
connecting to L2TP VPN 192
connecting to PPTP VPN 185
WINS DHCP server 99
wizard firewall setup 35, 42
starting 35, 42
worm list displaying 206
worm protection 206