FortiGate-60R Installation and Configuration Guide
FortiGate User Manual Volume 1, Version 2.50 MR2, 18 August 2003
Products mentioned in this document are trademarks or registered trademarks of their respective holders. Regulatory Compliance FCC Class A Part 15 CSA/CUS For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Your FortiGate Antivirus Firewall employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks.
PKZip format; detect viruses in e-mail that has been encoded using uuencode format; detect viruses in e-mail that has been encoded using MIME encoding; and log all actions taken while scanning.
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails. Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate unit to automatically check for and download attack definition updates.
Secure installation, configuration, and management
Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network.
This Installation and Configuration Guide contains information about basic and advanced CLI commands. You can find a more complete description of connecting to and using the FortiGate CLI in the FortiGate CLI Reference Guide.
The System > Update page displays more information about the current update status. See “Updating antivirus and attack definitions”. Direct connection to the Fortinet tech support web page from the web-based manager: you can register your FortiGate unit and get access to other technical support resources. See “Registering FortiGate units”.
New features also include: Phase 2 AES encryption; encryption policies that select a service; generating and importing local certificates; importing CA certificates. See “RIP configuration”, “Default firewall configuration”, “Virtual IPs”, and “Content profiles”.
NIDS: See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. Antivirus: See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality.
Logging and reporting describes how to configure logging and alert email to track activity through the FortiGate unit. Glossary defines many of the terms used in this document.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > indicate variable keywords. For example: execute restore config <filename_str>. You enter: execute restore config myfile.bak
• <xxx_str>...
The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit. Comments on Fortinet technical documentation You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com. Volume 1: FortiGate Installation and Configuration Guide Describes installation and basic configuration for the FortiGate unit.
Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
Package contents figure: RS-232 cable, FortiGate-60 unit, QuickStart Guide, documentation.
Power requirements and environmental specifications
Powering on
To power on the FortiGate-60 unit:
1. Connect the AC adapter to the power connection at the back of the FortiGate-60 unit.
2. Connect the AC adapter to the power cable.
3. Connect the power cable to a power outlet.
The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service. To connect to the FortiGate CLI, you need:
Factory default NAT/Route mode network configuration
When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in the factory default table. Use this configuration to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network.
You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy. See “Scan content profile” for more information about the scan content profile.
Factory default content profiles
You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. Using content profiles you can build up protection configurations that can be easily applied to different types of firewall policies.
Table: factory default content profile settings (Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block, Pass Fragmented Emails) for the HTTP, SMTP, IMAP and POP3 columns; the values shown are pass.
FortiGate unit can be configured in either of two modes: NAT/Route mode (the default) or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
The management IP address is also used for antivirus and attack definition updates. You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewalling as well as antivirus and content scanning but not VPN.
PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the WAN1 interface. WAN1 can connect to the external firewall or router. Internal can connect to the internal network. DMZ and WAN2 can connect to other network segments.
Next steps
Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks. If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation”.
NAT/Route mode installation
This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation”. This chapter describes:
FTP server installed on an internal network, add the IP addresses of the servers here. See “Connecting the FortiGate unit to your networks”.
Advanced NAT/Route mode settings
Use Table 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Table 13: Advanced FortiGate NAT/Route mode settings (WAN1 interface, WAN2 interface, DHCP server, DMZ interface if you are configuring it during installation). If your Internet Service Provider (ISP) supplies you with...
Table 14: DMZ interface (Optional): DMZ IP
Set the IP address and netmask of the WAN1 interface to the IP address and netmask that you recorded earlier. To set the manual IP address and netmask, enter:
    set system interface wan1 mode static ip <IP address> <netmask>
Example:
    set system interface wan1 mode static ip 204.23.1.5 255.255.255.0
To set the WAN1 interface to use DHCP, enter:
• Four Internal ports for connecting to your internal network
• One WAN1 port for connecting to your public switch or router and the Internet
• One WAN2 port for connecting to a second public switch or router and the Internet for a redundant Internet connection
• One DMZ port for connecting to a DMZ network
Figure 6: FortiGate-60 NAT/Route mode connections
Configuring your networks
If you are operating the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected.
For Anti-Virus & Web Filter you can select a different Content Profile. See “Factory default content profiles” for descriptions of the default content profiles, and “Setting system date and time”.
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.
Use the following procedure to make Gateway 1 the ping server for the WAN1 interface and Gateway 2 the ping server for the WAN2 interface. Go to System > Network > Interface.
For the WAN1 interface, select Modify. For the WAN2 interface, select Modify.
Using the CLI
Add a ping server to the WAN1 interface:
    set system interface wan1 config detectserver 1.1.1.1 gwdetect enable
Add a ping server to the WAN2 interface.
The first route directs all traffic destined for the 100.100.100.0 network to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is redirected to gateway 2 with the IP address 2.2.2.1.
Select New to add a route for connections to the network of ISP1. Select New to add a route for connections to the network of ISP2.
    set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1
Routing traffic from internal subnets to different external networks
Routing a service to an external network
See Figure 7 and “Policy routing”.
Firewall policy example
Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple Internet connections has been configured, you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.
Because redundant policies have not been added, SMTP traffic from the Internet is always connected to ISP1. If the connection to ISP1 fails, the SMTP connection is not available. See Figure 7.
The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer. Record the Primary DNS Server and Secondary DNS Server addresses.
Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
Transparent mode installation
Using the command line interface
As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)”.
Changing to Transparent mode
Log into the CLI if you are not already logged in.
Connect the WAN1 interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.
A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route.
To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
CLI configuration steps
To configure the Fortinet basic settings and a default route using the CLI:
1. Change the system to operate in Transparent Mode.
2. Add the Management IP address and Netmask.
3. Add the default route to the external network.
To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network.
CLI configuration steps
To configure the Fortinet basic settings and a static route using the CLI:
1. Set the system to operate in Transparent Mode.
2. Add the Management IP address and Netmask.
3. Add the static route to the primary FortiResponse server.
To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it.
Destination IP: 0.0.0.0
Mask: 0.0.0.0
Gateway: 192.168.1.2
Select OK.
Using the CLI:
    set system opmode transparent
    set system management ip 192.168.1.1 255.255.255.0
    set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
    set system route number 2 gw1 192.168.1.2
System status
You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
The new host name appears on the System Status page and is added to the SNMP System Name. Changing the FortiGate firmware After you download a FortiGate firmware image from Fortinet, you can use the procedures in Table 1: Firmware upgrade procedures...
Upgrade to a new firmware version
Use the following procedures to upgrade your FortiGate to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image FGT_300-v250-build045-FORTINET.out...
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, update your antivirus and attack definitions.
1. Go to System > Status.
2. Select Firmware Upgrade.
3. Enter the path and filename of the previous firmware image file, or select Browse and locate the file.
Install a firmware image from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or to re-install the current firmware.
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
(To reboot from the CLI, enter the command: execute reboot)
Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
(To reboot from the CLI, enter the command: execute reboot)
System > Update and selecting Update Now. Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
System > Update and selecting Update Now. Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
Restoring system settings
You can restore system settings by uploading a previously downloaded system settings text file:
1. Go to System > Status.
2. Select System Settings Restore.
3. Enter the path and filename of the system settings file, or select Browse and locate the file.
The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then on again. See “Connecting to the web-based manager”.
System status
You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. Select Refresh to manually update the information displayed.
The session list shows, for each connection:
• The source IP address of the connection.
• The source port of the connection.
• The destination IP address of the connection.
• The destination port of the connection.
• The time, in seconds, before the connection expires.
Use the stop control to stop an active communication session, and Page Up or Page Down to move through the list.
Network (FDN) to update the antivirus and attack definitions and antivirus engine. To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page. This chapter describes:
• Configuring update logging
• Adding an override server
• Manually updating antivirus and attack definitions
• Configuring push updates
• Push updates through a NAT device
• Scheduled updates through a proxy server
To make sure the FortiGate unit can connect to the FDN: Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area.
The FortiGate unit records a log message whenever an update attempt is successful. The FortiGate unit records a log message whenever it cannot connect to the FDN or whenever it receives an error message from the FDN.
Adding an override server
If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
FortiGate unit using either port 9443 or an override push port that you assign. Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Example: push updates through a NAT device
This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP.
If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99.
Set the Map to Port to 9443.
Set Protocol to UDP.
Select OK.
Figure 3: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device: Add a new external to internal firewall policy. Configure the policy with the following settings: Source, Destination, Schedule...
HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server may have to be configured to allow connections on this port.
For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. FortiGate-60R Installation and Configuration Guide...
Your contact information including:
• First and last name
• Company name
• Email address (Your Fortinet support login user name and password will be sent to this email address.)
• Address
• Contact phone number
A security question and an answer to the security question.
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your Contact information.
Updating registration information
You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes:
Figure 7: Sample list of registered FortiGate units
Registering a new FortiGate unit
1. Go to System > Update > Support and select Support Login.
2. Enter your Fortinet support user name and password.
3. Select Login.
4. Select Add Registration.
5. Select the model number of the Product Model to register.
1. Make the required changes to your contact information.
2. Make the required changes to your security question and answer.
3. Select Update Profile. Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.
Downloading virus and attack definitions updates
Use the following procedure to manually download virus and attack definitions updates.
FortiGate unit is still protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.
Network configuration
Go to System > Network to make any of the following changes to the FortiGate network settings.
Configuring interfaces
Use the following procedures to configure interfaces:
If the link status is a green arrow, the interface is up and can accept network traffic. If the link status is a red arrow, the interface is down and cannot accept traffic. To bring an interface up, see “Bringing up an interface”.
Go to System > Network > Interface. Select Modify. Set Ping Server to the IP address of the next hop router on the network connected to the interface. Select Enable. The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address.
For the wan1 or wan2 interface, select Modify. Set Addressing mode to DHCP and select OK to change to DHCP mode. Both the IP address and Netmask change to 0.0.0.0.
Select Connect to DHCP server to automatically connect to a DHCP server. If you do not select Connect to DHCP server, the FortiGate unit will not connect to a DHCP server. You can deselect this option if you are configuring the FortiGate unit offline.
To allow a remote SNMP manager to request SNMP information by connecting to the management interface. See “Configuring SNMP”. To allow Telnet connections to the CLI using the management interface. Telnet connections are not secure and can be intercepted by a third party.
Figure 2: Configuring the management interface

Adding DNS server IP addresses

Several FortiGate functions, including sending email alerts and URL blocking, use DNS. To set the DNS server addresses: Go to System > Network > DNS. Change the primary and secondary DNS server addresses as required. Select Apply to save your changes.
Gateway #1 is the IP address of the primary destination for the route. Gateway #1 must be on the same subnet as a FortiGate interface. If you are adding a static route from the FortiGate unit to a single destination router, you only need to specify one gateway.
Set Device #1 to the FortiGate interface through which to route traffic to connect to Gateway #1. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules:
See “Adding a ping server to an interface” on page 109.
A route can also be removed from the routing table, and its order in the routing table can be changed.
• Source address
• Protocol, service type, or port range
• Incoming or source interface
The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet using the matched destination route.
For more information about IP/MAC binding, see “IP/MAC binding” on page 164. To view the dynamic IP list: Go to System > Network > DHCP. Select Dynamic IP List. The dynamic IP list is displayed.
Figure 5: Example Dynamic IP list
For example, Router 1 could tell Router 2 that it has a route for network A. Router 2 knows that it got this information from Router 1, so when Router 2 sends its updates to Router 1, Router 2 will not include the route to network A in its update.
Add an output delay if you are configuring RIP on a FortiGate unit that could be sending packets to a router that cannot receive the packets at the rate the FortiGate unit is sending them. The default output delay is 0 milliseconds.
RIP configuration

Update: The time interval in seconds between sending routing table updates. The default is 30 seconds.
Invalid: The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update.
Holddown
Flush
Select Apply to save your changes.
Figure 1: Configuring RIP settings
16 characters long. Defines how the FortiGate unit authenticates RIP2 packets. Select None, Clear, or MD5. None means do not send the password. Clear means send the password in plain text. MD5 means use MD5 authentication.
MD5 is applied to create the MD5 digest of the routing message. The password is replaced in the routing message with this MD5 digest and this message is broadcast. When a router receives the routing message, it replaces the MD5 digest with the password, computes the MD5 digest of this new message, and then compares the result with the MD5 digest sent with the original message.
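The process just described, carried through as an added illustration. This is example code written for this page, not Fortinet's implementation, and it does not reproduce the RIPv2 packet layout of RFC 2082: the sender hashes the routing message with the shared password in place and then replaces the password with the digest; the receiver puts the password back, recomputes, and compares. The 16-byte zero-padded password field, the sample routing entry and the password value are assumptions.

```python
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 digest length in bytes
KEY_LEN = 16     # RIP2 password field: up to 16 characters, zero-padded (assumption)


def pad_key(password: str) -> bytes:
    """Return the password as a fixed 16-byte field (assumed layout)."""
    key = password.encode()
    if len(key) > KEY_LEN:
        raise ValueError("RIP2 password is limited to 16 characters")
    return key.ljust(KEY_LEN, b"\x00")


def sign_message(routing_data: bytes, password: str) -> bytes:
    """Sender side: digest over (routing data + password field), then the
    password slot is replaced by the digest before the message is sent."""
    digest = hashlib.md5(routing_data + pad_key(password)).digest()
    return routing_data + digest


def verify_message(message: bytes, password: str) -> bool:
    """Receiver side: put the shared password back where the digest was,
    recompute the digest, and compare it with the digest that was sent."""
    if len(message) < DIGEST_LEN:
        return False
    routing_data, sent_digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    expected = hashlib.md5(routing_data + pad_key(password)).digest()
    # constant-time comparison so a forged digest cannot be guessed byte by byte
    return hmac.compare_digest(expected, sent_digest)


# Constructed sample routing entry (not a real RIP packet)
SAMPLE_UPDATE = b"10.0.0.0/255.0.0.0 via 192.168.1.1 metric 2"
SHARED_PASSWORD = "r1p-s3cret"  # constructed


def demo() -> dict:
    """Show the three outcomes a receiving router can see."""
    signed = sign_message(SAMPLE_UPDATE, SHARED_PASSWORD)
    # Alter the metric after signing (same length, so the digest slot is untouched)
    tampered = signed[:-DIGEST_LEN].replace(b"metric 2", b"metric 1") + signed[-DIGEST_LEN:]
    return {
        "valid": verify_message(signed, SHARED_PASSWORD),
        "wrong_password": verify_message(signed, "other-pw"),
        "tampered": verify_message(tampered, SHARED_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

The digest ties each update to the shared password, so a neighbor that does not know the password cannot inject or alter routes without the receiver noticing; the Clear option carries the same password in plain text, so on any segment an untrusted host can reach it offers no protection beyond None.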
Go to System > RIP > Neighbor. Select New to add a RIP neighbor. Add the IP address of a neighbor router that you want the FortiGate unit to exchange routing information with. Select Enable Send RIP1 to send RIP1 messages to the neighbor.
If you want to filter multiple routes, use a RIP filter list. See page
Go to System > RIP > Filter. Select New to add a RIP filter. Configure the RIP filter: Filter Name, Blank, Filter Mask, Action, Interface. Select OK to save the RIP filter.
For Routes Filter, select the name of the RIP filter or RIP filter list to become the routes filter. Select Apply. Routes sent by the FortiGate unit are filtered using the selected RIP filter or RIP filter list.
Figure 3: Example RIP Filter configuration
System configuration

Go to System > Config to make any of the following changes to the FortiGate system configuration:

Setting system date and time

For effective scheduling and logging, the FortiGate system time should be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
The default idle time out is 5 minutes. The maximum idle time out is 480 minutes (8 hours).
• Set the system idle timeout.
• Set the authentication timeout.
• Select the language for the web-based manager.
• Modify the dead gateway detection settings.
To set the Auth timeout: For Auth Timeout, type a number in minutes. Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see the section on authentication. The default Auth Timeout is 15 minutes.
FortiGate unit, and shut down the FortiGate unit. There is only one admin user.
edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System > Status page.
Can view the FortiGate configuration.
Editing administrator accounts

The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.
SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile the Fortinet proprietary MIBs and the standard MIBs into the SNMP manager.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you will not have to re-compile them.
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager. The FortiGate agent sends the traps listed in...
This section describes:
Figure 3: Sample replacement message

Customizing replacement messages

Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message list and add and edit the replacement message sections as required.
The IP address of the web page that sent the virus. The IP address of the computer that would have received the virus. For POP3 this is the IP address of the user’s computer that attempted to download the email containing the virus.
Table 4: Alert email message sections
Block alert: Section Start, Allowed Tags
Critical event: Section Start, Allowed Tags, Section End
%%EMAIL_FROM%%: The email address of the sender of the message in which the virus was found.
%%EMAIL_TO%%: The email address of the intended receiver of the message in which the virus was found.
Firewall configuration

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
WAN1_All, added to the WAN1 interface, this address matches all addresses on the external or WAN1 network.
DMZ_All, added to the DMZ interface, this address matches all addresses on the DMZ network.
See “Content profiles” on page 167.
You can add more addresses to each interface to improve the control you have over connections through the firewall. For more information about addresses, see “Addresses” on page You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs.
See “Firewall policy options” on page 143 for information about policy options. Arranging policies in a policy list is described in “Configuring policy lists” on page 147.
Figure 5: Adding a NAT/Route policy
Firewall policy options

This section describes the options that you can add to firewall policies.
Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see
Destination: Select an address or address group that matches the destination address of the...
Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To add and configure user groups, see the section on user groups; a user group must be added before you can select Authentication.
Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 247.
Comments: Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Configuring policy lists

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts.
• A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.255)
• All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0)
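To make the first-match rule and the two address forms above concrete, here is an added example (written for this page, not Fortinet code) that evaluates a policy list from the top down and flags any policy that an earlier, more general policy shadows. The policy names, the internal subnet 192.168.20.0/255.255.255.0, the outside address 203.0.113.10, the service labels and the implicit deny when nothing matches are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Address:
    """A firewall address as entered in the web-based manager: IP plus netmask."""
    ip: str
    netmask: str

    def network(self) -> ipaddress.IPv4Network:
        # strict=False lets 192.168.20.1/255.255.255.255 and 0.0.0.0/0.0.0.0 parse as ranges
        return ipaddress.IPv4Network(f"{self.ip}/{self.netmask}", strict=False)

    def contains(self, host: str) -> bool:
        return ipaddress.IPv4Address(host) in self.network()


ALL = Address("0.0.0.0", "0.0.0.0")                   # all possible addresses (from the page)
HOST = Address("192.168.20.1", "255.255.255.255")      # a single IP address (from the page)
INTERNAL = Address("192.168.20.0", "255.255.255.0")    # assumed internal subnet


@dataclass(frozen=True)
class Policy:
    name: str
    source: Address
    destination: Address
    service: str   # "ANY" or a port number as a string, e.g. "23"
    action: str    # "ACCEPT" or "DENY"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (self.source.contains(src) and self.destination.contains(dst)
                and self.service in ("ANY", service))


def first_match(policies: List[Policy], src: str, dst: str, service: str) -> Tuple[Optional[str], str]:
    """Search from the top of the list; the first matching policy decides."""
    for p in policies:
        if p.matches(src, dst, service):
            return p.name, p.action
    return None, "DENY"   # assumed: nothing matched, so the connection is dropped


def shadowed_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (shadowed, by) pairs. A policy whose whole match space is covered by an
    earlier policy can never be reached, which is exactly what the specific-before-
    general rule is meant to prevent; checking this before Apply catches the mistake."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (later.source.network().subnet_of(earlier.source.network())
                    and later.destination.network().subnet_of(earlier.destination.network())
                    and earlier.service in ("ANY", later.service)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policies: a specific deny for one host's Telnet, and a general accept
SPECIFIC = Policy("deny_host_telnet", HOST, ALL, "23", "DENY")
GENERAL = Policy("internal_to_external", INTERNAL, ALL, "ANY", "ACCEPT")


def evaluate(policies: List[Policy]) -> Tuple[Optional[str], str]:
    """Telnet from the single host to an outside address (constructed sample connection)."""
    return first_match(policies, "192.168.20.1", "203.0.113.10", "23")


if __name__ == "__main__":
    print("specific first:", evaluate([SPECIFIC, GENERAL]))
    print("general first: ", evaluate([GENERAL, SPECIFIC]))
    print("shadowed:", shadowed_policies([GENERAL, SPECIFIC]))
```

With the specific policy on top, the host's Telnet connection is denied; with the general policy on top, the deny is never consulted and the connection is accepted, which `shadowed_policies` reports before the list is applied.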
This section describes:

Adding addresses

Go to Firewall > Address. Select New to add a new address. Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Addresses list and select the right arrow to add it to the Members list. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. Select OK to add the address group.
Figure 8: Adding an internal address group

Services

Use services to control the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create your own custom services and add services to service groups.
LDAP: Lightweight Directory Access Protocol is a set of protocols used to access information directories.
NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium.
Port column values on this page (service names not recovered): 5190-5194; 1720, 1503; 6660-6669; 1701; 1720.
Table 5: FortiGate predefined services (Continued)
Service name: NNTP, OSPF, PC-Anywhere, PING, POP3, PPTP, QUAKE, RAUDIO, RLOGIN, SMTP, SNMP, SYSLOG, TALK, TELNET, TFTP
NFS: Network File System allows network users to access shared files stored on computers of different types.
VDO Live: For VDO Live streaming multimedia traffic. Port 7000-7010.
WAIS: Wide Area Information Server. An Internet search protocol.
WinFrame: For WinFrame communications between computers running Windows NT. Port 1494.
X-Window: For remote communications between an X-Window server and X-Window clients. Port 6000-6063.
To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list. To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group.
Select the days of the week on which the schedule should be active. Set the Start and Stop hours in between which the schedule should be active. Recurring schedules use the 24-hour clock. Select OK to save the recurring schedule.
Figure 11: Adding a recurring schedule

Adding a schedule to a policy

After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs
In the External IP Address field, enter the external IP address to be mapped to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server.
Select the protocol to be used by the forwarded packets. Select OK to save the port forwarding virtual IP.
Figure 13: Adding a port forwarding virtual IP

Adding policies with virtual IPs

Use the following procedure to add a policy that uses a virtual IP to forward packets. Go to Firewall > Policy. Select the type of policy to add.
Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.
• Adding an IP pool
• IP Pools for firewall policies that use fixed ports
• IP pools and dynamic NAT
Select OK to save the IP pool.
Figure 14: Adding an IP Pool

IP Pools for firewall policies that use fixed ports

Some network configurations will not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service.
See “Providing DHCP services to your …” on page 117. The dynamic IP/MAC binding table is not available in
• Configuring IP/MAC binding for packets going through the firewall
• Configuring IP/MAC binding for packets going to the firewall
• Adding IP/MAC addresses
• Viewing the dynamic IP/MAC list
• Enabling IP/MAC binding
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the FortiGate unit for management).
Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Select Apply to save your changes.
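As an added example (written for this page, not Fortinet code) of the IP/MAC binding decision described above: a packet whose IP/MAC pair is on the list passes, and a pair that is not on the list gets the Allow traffic or Block traffic action. Two behaviours are assumptions rather than text on this page: a listed IP arriving with a different MAC, and a listed MAC arriving with a different IP, are both blocked. The six-octet MAC 12:34:56:78:90:ab and the sample packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOW = "allow"
BLOCK = "block"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects anything that is not six octets."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 6-octet MAC address: {mac}")
    return ":".join(parts)


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


@dataclass
class IpMacBinding:
    """The IP/MAC binding list plus the action for pairs that are not listed
    (Allow traffic -> ALLOW, Block traffic -> BLOCK)."""
    bindings: Dict[str, str]                       # IP -> MAC
    unlisted_action: str = ALLOW
    mac_to_ip: Dict[str, str] = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        self.bindings = {ip: normalize_mac(m) for ip, m in self.bindings.items()}
        self.mac_to_ip = {m: ip for ip, m in self.bindings.items()}

    def decide(self, ip: str, mac: str) -> Tuple[str, str]:
        """Return (action, reason) for one packet's IP/MAC pair."""
        mac = normalize_mac(mac)
        if ip in self.bindings:
            if self.bindings[ip] == mac:
                return ALLOW, "pair is on the IP/MAC binding list"
            return BLOCK, "listed IP seen with a different MAC (assumed rule)"
        if mac in self.mac_to_ip:
            return BLOCK, "listed MAC seen with a different IP (assumed rule)"
        return self.unlisted_action, "pair not listed; default action applied"


# Constructed sample packets (ip, mac) as they might arrive at the firewall
SAMPLE_PACKETS = [
    ("1.1.1.1", "12:34:56:78:90:ab"),    # the bound pair
    ("1.1.1.1", "00:11:22:33:44:55"),    # bound IP, someone else's MAC
    ("1.1.1.2", "12:34:56:78:90:AB"),    # bound MAC (upper case) on another IP
    ("10.0.0.7", "66:77:88:99:aa:bb"),   # unknown pair
]


def filter_packets(table: IpMacBinding, packets=SAMPLE_PACKETS) -> List[str]:
    return [table.decide(ip, mac)[0] for ip, mac in packets]


def run_both_modes() -> Dict[str, List[str]]:
    """Same binding list, evaluated once per default-action setting."""
    bindings = {"1.1.1.1": "12:34:56:78:90:ab"}
    return {
        "allow_unlisted": filter_packets(IpMacBinding(bindings, ALLOW)),
        "block_unlisted": filter_packets(IpMacBinding(bindings, BLOCK)),
    }


if __name__ == "__main__":
    for mode, decisions in run_both_modes().items():
        print(mode, decisions)
```

Only the fourth sample packet, the unknown pair, changes between the two modes; the spoofed-IP and moved-MAC packets are blocked either way, which is the protection the binding list is for.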
Figure 15: IP/MAC settings

Content profiles

Use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles to:
Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies.
You should only enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See “…blocking” on page 231.
Block unwanted web pages and web sites. This option adds Fortinet URL blocking (see “URL blocking” on page ) and filtering (see “Using the Cerberian web filter”...
Email Content Block: Add a subject tag to email that contains unwanted words or phrases.
Enable fragmented email and oversized file and email options.
Oversized File/Email: Block, Pass
Fragmented Email
Select OK.
Figure 16: Example content profile

Adding a content profile to a policy

You can add content profiles to policies with action set to allow or encrypt and with Service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
Select New to add a new policy, or choose a policy and select Edit. Select Anti-Virus & Web filter. Select a content profile. Configure the remaining policy settings if required. Select OK. Repeat this procedure for any policies for which to enable network protection.
Users and authentication

FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database.
Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See “Configuring RADIUS support”.
Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. Select OK.
Figure 17: Adding a user name

Deleting user names from the internal database

You cannot delete user names that have been added to user groups.
• Adding RADIUS servers
• Deleting RADIUS servers
You cannot delete RADIUS servers that have been added to user groups. Go to User > RADIUS. Select Delete beside the RADIUS server name that you want to delete. Select OK.
Configuring LDAP support

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
Figure 19: Example LDAP configuration

Deleting LDAP servers

You cannot delete LDAP servers that have been added to user groups. Go to User > LDAP. Select Delete beside the LDAP server name that you want to delete. Select OK.
Configuring user groups

To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
You cannot delete user groups that have been selected in a policy, a dialup user phase1 configuration, or in a PPTP or L2TP configuration. To delete a user group: Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
IPSec VPN

A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices.
IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates. AutoIKE with pre-shared keys When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other.
Manual key IPSec VPNs

When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers.
16 characters. Enter a 40 character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments—the first of 16 characters; the second of 24 characters. See “Adding a VPN concentrator” on page 199.
AutoIKE IPSec VPNs

Fortinet supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.

General configuration steps for an AutoIKE VPN

An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
If you select RSA Signature, select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 189.
CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS.) Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.) Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
VPN peer proactively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
Figure 21: Adding a phase 1 configuration

Adding a phase 2 configuration for an AutoIKE VPN

Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Select OK to save the AutoIKE key VPN tunnel. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 183, “Adding a VPN concentrator” on page 199, and “Redundant IPSec …” on page 201.
VPN tunnel being set up between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
FortiGate unit (such as Manufacturing or MF). Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet). Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
Figure 23: Adding a Local Certificate

Downloading the certificate request

With this procedure, you download the certificate request from the FortiGate unit to the management computer. To download the certificate request: Go to VPN > Local Certificates. Select Download. Select Save.
• add a base64 encoded PKCS#10 certificate request to the CA web server,
• paste the certificate request to the CA web server,
• submit the certificate request to the CA web server.
Go to VPN > Local Certificates. Select Import.
Enter the path or browse to locate the signed local certificate on the management computer. Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK.

Obtaining a CA certificate

For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority.
• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
• Logging so that the FortiGate unit logs all connections that use the VPN.
• Adding a source address
• Adding a destination address
• Adding an encrypt policy
Adding a source address

The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network. Go to Firewall > Address. Select an internal interface. (Methods will differ slightly between FortiGate models.) Select New to add an address.
Destination. (This will be a public IP address.) — The tunnel, and the traffic within the tunnel, can only be initiated at the end which implements Outbound NAT.
IPSec VPN concentrators

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
Destination: The VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Inbound NAT: Select inbound NAT if required.
See “Adding an encrypt policy” on page 195.
• encrypt policies
• default non-encrypt policy (Internal_All -> External_All)
Adding a VPN concentrator

To add a VPN concentrator configuration: Go to VPN > IPSec > Concentrator. Select New to add a VPN concentrator. Enter the name of the new concentrator in the Concentrator Name field. To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
See “Adding an encrypt policy” on page 195.
Source: The local VPN spoke address.
Destination: External_All
See “Manual key IPSec VPNs” on page 181 and “AutoIKE IPSec VPNs” on page 183.
Action
VPN Tunnel
Allow inbound
Allow outbound: Do not enable.
Inbound NAT
Outbound NAT: Select outbound NAT if required.
Arrange the policies in the following order:
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
Internal->External and an Internal->DMZ policy. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See “Adding an encrypt policy” on page 195.
Monitoring and Troubleshooting VPNs

This section provides a number of general maintenance and monitoring procedures for VPNs. This section describes:

Viewing VPN tunnel status

You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels.
The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
PPTP and L2TP VPN

You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are Windows standards, PPTP and L2TP do not require third-party software on the client computer.
Select the User Group that you added in “Adding users and user groups” on page 206. Select Apply to enable PPTP through the FortiGate unit. See “Adding user names and configuring authentication” on page 172 and “Configuring user groups” on page 177.
Figure 30: Example PPTP Range configuration

Adding a source address

Add a source address for every address in the PPTP address range. Go to Firewall > Address. Select the interface to which PPTP clients connect. Select New to add an address. Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
Go to Start > Settings > Control Panel > Network. Select Add. Select Adapter. Select Add. Select Microsoft as the manufacturer. Select Microsoft Virtual Private Networking Adapter. Select OK twice. Insert diskettes or CDs as required.
Restart the computer.

Configuring a PPTP dialup connection

Go to My Computer > Dial-Up Networking > Configuration. Double-click Make New Connection. Name the connection and select Next. Enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish.
PPTP encryption is not supported for RADIUS server authentication. Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected. Select the Networking tab.
Make sure that the following options are selected:
Make sure that the following options are not selected:
Select OK.

Connecting to the PPTP VPN

Connect to your ISP. Start the VPN connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password.
Select the User Group that you added in “Adding users and user groups” on page 212. Select Apply to enable L2TP through the FortiGate unit. See “Adding user names and configuring authentication” on page 172 and “Configuring user groups” on page 177.
Figure 32: Sample L2TP address range configuration

Adding a source address

Add a source address for every address in the L2TP address range. Go to Firewall > Address. Select the interface to which L2TP clients connect. Select New to add an address.
Set Action to ACCEPT. Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for L2TP policies. Select OK to save the firewall policy.
Configuring a Windows 2000 client for L2TP

Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN.

Configuring an L2TP dialup connection

Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next.
FortiGate unit to connect to and select Next. Select Finish.

Configuring the VPN connection

Right-click the icon that you have created. Select Properties > Security. Select Typical to configure typical settings. Select Require data encryption.
Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication. Select Advanced to configure advanced settings. Select Settings. Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected.
In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
FortiGate-60R Installation and Configuration Guide Version 2.50 MR2

Network Intrusion Detection System (NIDS)

The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Whenever an attack occurs, the FortiGate NIDS can also record the event in a log and send an alert email to the system administrator.
For example, you might not need to run checksum verification if your FortiGate unit is installed behind a router that also does checksum verification. Go to NIDS > Detection > General.
Open a web browser and enter this URL:
http://www.fortinet.com/ids/ID<attack-ID>
Remember to include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL:
http://www.fortinet.com/ids/ID101646338
Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack.
Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.
Figure 35: Example user-defined signature list

Downloading the user-defined signature list

You can back up the user-defined signature list by downloading it to a text file on the management computer. Go to NIDS > Detection > User Defined Signature List. Select Download.
to disable all signatures in the NIDS attack prevention signature
to enable only the default NIDS attack prevention
Table 6. The threshold depends on the type of attack. For flooding attacks, the
For example, setting the icmpflood signature threshold to 500 allows 500 echo requests from a source address, and the system sends echo replies to them. If the number of requests is 501 or higher, the FortiGate unit blocks the attacker to prevent disruption of system operations.
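To make the threshold semantics concrete, the following is an added example (not FortiGate code) of a per-source echo-request counter with the behaviour described above: the 500th request is answered, the 501st blocks the source. The counting window, the addresses and the traffic are assumptions, since the manual gives the threshold but not the interval over which requests are counted.

```python
from collections import defaultdict, deque

# Assumed counting window in seconds: the manual gives the threshold (500) but not
# the interval over which requests are counted, so this value is illustrative.
WINDOW_SECONDS = 1.0

class IcmpFloodDetector:
    """Per-source echo-request counter modelled on the icmpflood signature:
    up to `threshold` requests from one source are answered; the request that
    takes the count to threshold + 1 gets the source blocked."""

    def __init__(self, threshold=500, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # source -> request timestamps in window
        self.blocked = set()
        self.log = []                      # attack log messages

    def echo_request(self, src, ts):
        """Return 'reply' if the unit answers this request, 'blocked' otherwise."""
        if src in self.blocked:
            return "blocked"
        q = self.recent[src]
        while q and ts - q[0] > self.window:   # forget requests outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.threshold:            # the 501st request at threshold 500
            self.blocked.add(src)
            self.log.append(f"icmpflood: {len(q)} echo requests from {src} "
                            f"within {self.window}s, source blocked")
            return "blocked"
        return "reply"

def replay(events, threshold=500):
    """Run constructed (src, ts) events through a detector; return counts and log."""
    det = IcmpFloodDetector(threshold)
    counts = defaultdict(lambda: {"reply": 0, "blocked": 0})
    for src, ts in events:
        counts[src][det.echo_request(src, ts)] += 1
    return dict(counts), det.log

# Constructed traffic (documentation addresses): one host sends exactly 500
# requests in one second, another sends 510 in the same second.
SAMPLE_EVENTS = ([("192.0.2.10", i / 1000) for i in range(500)]
                 + [("192.0.2.66", i / 1000) for i in range(510)])

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```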
Logging attack messages to the attack log
Reducing the number of NIDS attack log and email messages
Minimum value / Maximum value: 3000 10240
Default value: 1024
Reducing the number of NIDS attack log and email messages

Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, the FortiGate unit provides methods to reduce the number of unnecessary messages. Based on the frequency with which messages are generated, the FortiGate unit automatically deletes duplicates.
Logging attacks
Antivirus protection

Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
Figure 37: Example content profile for virus scanning (file types shown include cdimage, floppy image, .ace, .bzip2, .Tar+Gzip+Bzip2)
See “Adding a content profile” on page 168 and “Adding a content profile to a policy” on page 169.
File blocking

Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus that is so new that antivirus scanning cannot detect it. You would not normally run the FortiGate unit with blocking enabled.
To display the virus list, go to Anti-Virus > Config > Virus List. Scroll through the virus and worm list to view the names of all viruses and worms in the list.
Web filtering

Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.
You can enter multiple banned words or phrases and then select Check All to activate all items in the banned word list. Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked. See “Customizing replacement messages” on page 134.
Figure 38: Example banned word list

URL blocking

You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter. • •

Using the FortiGate web filter

You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address.
Go to Web Filter > URL Block. Select Clear URL Block List to remove all URLs and patterns from the URL block list. Use the Page Up and Page Down controls to navigate through the URL block list.
Downloading the URL block list

You can back up the URL block list by downloading it to a text file on the management computer. Go to Web Filter > URL Block. Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Select Cerberian URL Filtering. Select New. See “Using the Cerberian web filter” on page 238; see also “Installing a Cerberian license key on the” and “Adding a Cerberian user to” on page 238.
Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0. Enter an alias for the user.
Select the script filter options that you want to enable. You can block Java applets, cookies, and ActiveX. Select Apply.

Figure 41: Example script filter settings to block Java applets and ActiveX
Enabling the script filter
Selecting script filter options
Exempt URL list

Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked.
Email filter

Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email: •...
FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, “banned word”), the FortiGate unit tags all email in which the words are found together as a phrase.
Email block list

You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log.
To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
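The banned word conventions (spaces stored as plus signs, quoted phrases matched only when the words appear together), the email block list and the exempt list with bare top-level domains can be modelled together. This is an added example, not FortiGate code; the list contents, the tag text, and the rule that a bare domain in the block list matches every address at that domain are assumptions.

```python
import re

# Constructed sample lists (not taken from the manual's figures). Entries follow
# the conventions the manual describes: a single banned word, a phrase typed with
# spaces and stored as word+word, or a phrase typed in quotes.
BANNED_WORDS = ["lottery", "free+money", '"act now"']
# Email block list: unwanted sender addresses; a bare domain is assumed to match
# every address at that domain (assumption; the manual speaks of address patterns).
BLOCK_LIST = ["spammer@example.com", "bulkmail.example"]
# Exempt list: sender domains, or a bare top-level domain such as "net".
EXEMPT_LIST = ["partner.example.org", "net"]
TAG = "[Spam]"   # assumed tag text prepended to the subject line

def phrase_regex(entry):
    """Compile one banned-word entry so its words must appear together, in order."""
    words = re.split(r"[+\s]+", entry.strip('"').strip())
    return re.compile(r"\b" + r"\s+".join(map(re.escape, words)) + r"\b", re.I)

def sender_domain(sender):
    return sender.rsplit("@", 1)[-1].lower()

def is_exempt(sender):
    dom = sender_domain(sender)
    for entry in EXEMPT_LIST:
        entry = entry.lower()
        if "." not in entry:                          # bare TLD: exempt all .<tld>
            if dom.rsplit(".", 1)[-1] == entry:
                return True
        elif dom == entry or dom.endswith("." + entry):
            return True
    return False

def is_blocked_sender(sender):
    dom = sender_domain(sender)
    return any(sender.lower() == p.lower() or dom == p.lower()
               or dom.endswith("." + p.lower()) for p in BLOCK_LIST)

def filter_message(sender, subject, body):
    """Return (subject as delivered, list of reasons); exempt senders are never tagged."""
    if is_exempt(sender):
        return subject, []
    reasons = []
    if is_blocked_sender(sender):
        reasons.append("block list: " + sender)
    text = subject + "\n" + body
    reasons += ["banned word: " + e for e in BANNED_WORDS if phrase_regex(e).search(text)]
    return (TAG + " " + subject if reasons else subject), reasons
```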
Logging and reporting

You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
For each Log type, select the activities for which you want the FortiGate unit to record log messages. Select OK. See “Filtering log messages” on page 251 and “Configuring traffic logging”.
Recording logs in system memory

If your FortiGate unit does not contain a hard disk, you can use the following procedure to configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter and email filter log messages. Logging to memory allows quick access to only the most recent log entries.
Figure 43: Example log filter configuration
Record activity events, such as detection of email that contains unwanted content and email from unwanted senders.
Record log messages when the FortiGate connects to the FDN to download antivirus and attack updates.
Configuring traffic logging

You can configure the FortiGate unit to record traffic log messages for connections to: • • The FortiGate unit can filter traffic logs for any source and destination address and service. You can also enable the following global settings: •...
(A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed. Type the source IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Destination IP Address
Destination Netmask
Service
Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected.

Figure 45: Example new traffic address entry

Viewing logs saved to memory

If the FortiGate is configured to save log messages in system memory, you can use the web-based manager to view, search, and clear the log messages.
To search for any text in a log message. Keyword searching is case-sensitive.
To search log messages created during the selected year, month, day, and hour.
Adding alert email addresses
Testing alert email
Enabling alert email
In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit. In the SMTP User field, type a valid email address in the format user@domain.com.
Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network.
ISP system.
Router: A device that connects LANs into an internal network and routes traffic between them.
Routing: The process of determining a path to use to send data to its destination.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component.
Index

accept policy 143 action policy option 143 active log searching 254 ActiveX 240 removing from web pages 240 address 148 adding 149 editing 150 group 150 IP/MAC binding 165 virtual IP 158 address group 150 example 151 address name 149...
113 DNS IP DHCP setting 117 domain DHCP 117 downloading attack definition updates 104, 105 virus definition updates 104, 105 dynamic IP list viewing 118 dynamic IP pool IP pool 144 dynamic IP/MAC list 164 viewing 166
IP address SNMP 133 fixed port 144 FortiCare service contracts 99 support contract number 103 Fortinet customer service 25 Fortinet support recovering a lost password 102 FortiResponse Distribution Network 90 connecting to 90 FortiResponse Distribution Server 90...
MAC address 258 IP/MAC binding 164 malicious scripts removing from web pages 240, 246 management interface Transparent mode 112 management IP address transparent mode 61 manual keys introduction 180 matching policy 147 maximum bandwidth 144 messages replacement 133
password adding 172 changing administrator account 131 Fortinet support 104 recovering a lost Fortinet support 102 PAT 159 permission administrator account 131 policy accept 143 Anti-Virus & Web filter 145...
130 recording logs 247 recording logs in system memory 249 recording logs on NetIQ WebTrends server 248 recovering a lost Fortinet support password 102 recurring schedule 157 creating 156 registered FortiGate units viewing the list of 102 registering...
session clearing 88 set time 127 setup wizard 46, 60 starting 46, 60 shutting down 84 signature threshold values 224 SMTP 153 configuring alert email 255 definition 258 SNMP configuring 132 contact information 132 definition 258 first trap receiver IP address 133 get community 132 MIBs 133 system location 132...
PPTP VPN 210 Windows 98 configuring for PPTP 208 connecting to PPTP VPN 209 Windows XP configuring for L2TP 216 configuring for PPTP 210 connecting to L2TP VPN 218 connecting to PPTP VPN 211 WINS DHCP server 117