Fortinet FortiGate 50A Installation And Configuration Manual

FortiGate-50A Installation and Configuration Guide
FortiGate User Manual Volume 1
Version 2.50
29 February 2004

Summary of Contents for Fortinet FortiGate 50A

  • Page 1: Configuration Guide

    FortiGate-50A Installation and Configuration Guide. FortiGate User Manual Volume 1, Version 2.50, 29 February 2004.
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    NAT/Route mode and Transparent mode... 13 NAT/Route mode ... 13 Transparent mode... 13 Document conventions ... 14 Fortinet documentation ... 15 Comments on Fortinet technical documentation... 15 Customer service and technical support... 16 Getting started ... 17 Package contents ... 18 Mounting ... 18 Powering on ...
  • Page 4 Displaying the FortiGate up time... 64 Backing up system settings ... 64 Restoring system settings... 64 Restoring system settings to factory defaults ... 65 Changing to Transparent mode ... 65 Changing to NAT/Route mode... 66 Restarting the FortiGate unit... 66
  • Page 5 FortiCare Service Contracts... 84 Registering the FortiGate unit ... 85 Updating registration information ... 86 Recovering a lost Fortinet support password... 86 Viewing the list of registered FortiGate units ... 87 Registering a new FortiGate unit ... 88 Adding or changing a FortiCare Support Contract number... 88 Changing your Fortinet support password ...
  • Page 6 Assigning a RIP filter list to the neighbors filter... 118 Assigning a RIP filter list to the incoming filter ... 118 Assigning a RIP filter list to the outgoing filter... 119 System configuration ... 121 Setting system date and time... 121
  • Page 7 Configuring the FortiGate unit for SNMP monitoring ... 126 Configuring FortiGate SNMP support ... 126 FortiGate MIBs... 128 FortiGate traps ... 129 Fortinet MIB fields ... 130 Replacement messages ... 133 Customizing replacement messages ... 133 Customizing alert emails... 134 Firewall configuration...
  • Page 8 Manual Keys ... 180 Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ... 180 Manual key IPSec VPNs... 181 General configuration steps for a manual key VPN ... 181 Adding a manual key VPN tunnel ... 181
  • Page 9 AutoIKE IPSec VPNs ... 182 General configuration steps for an AutoIKE VPN ... 183 Adding a phase 1 configuration for an AutoIKE VPN... 183 Adding a phase 2 configuration for an AutoIKE VPN... 188 Managing digital certificates... 190 Obtaining a signed local certificate ... 190 Obtaining CA certificates ...
  • Page 10 Email filter... 245 General configuration steps ... 245 Email banned word list... 246 Adding words and phrases to the email banned word list... 246 Downloading the email banned word list ... 247 Uploading the email banned word list ... 247
  • Page 11 Email block list ... 248 Adding address patterns to the email block list... 248 Downloading the email block list ... 248 Uploading an email block list ... 249 Email exempt list... 249 Adding address patterns to the email exempt list ... 250 Adding a subject tag ...
  • Page 12 Contents (continued)
  • Page 13: Introduction

    FortiGate-50A Installation and Configuration Guide Version 2.50. Introduction. The FortiGate-50A Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your FortiGate-50A is a dedicated, easily managed security device that delivers a full suite of capabilities that include: •...
  • Page 14: Document Conventions

    You can enter set system opmode nat or set system opmode transparent. Square brackets [ ] indicate that a keyword is optional. For example: get firewall ipmacbinding [dhcpipmac]. You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac.
  • Page 15: Fortinet Documentation

    The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit. Comments on Fortinet technical documentation You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com. FortiGate-50A Installation and Configuration Guide Volume 1: FortiGate Installation and Configuration Guide Describes installation and basic configuration for the FortiGate unit.
  • Page 16: Customer Service And Technical Support

    Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
  • Page 17: Getting Started

    FortiGate-50A Installation and Configuration Guide Version 2.50 Getting started This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following: •...
  • Page 18: Package Contents

    Package contents: FortiGate-50A unit; Ethernet cables (orange: crossover); null-modem cable (RS-232); QuickStart Guide; documentation (user manual). Copyright 2004 Fortinet Incorporated. All rights reserved. Trademarks: products mentioned in this document are trademarks.
  • Page 19: Environmental Specifications

    Getting started. Environmental specifications. Powering on. To power on the FortiGate-50A unit: Connect the AC adapter to the power connection at the back of the FortiGate-50A unit. Connect the AC adapter to a power outlet. The FortiGate-50A starts up. The Power and Status lights light. The Status light flashes while the unit is starting up and turns off when the system is up and running.
  • Page 20: Connecting To The Command Line Interface (Cli)

    The Register Now window is displayed. Use the information in this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
  • Page 21 Getting started Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program. To connect to the CLI Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
  • Page 22: Factory Default Fortigate Configuration Settings

    This page covers the factory default DHCP configuration, NAT/Route mode network configuration, Transparent mode network configuration, firewall configuration, and content profiles. Factory default DHCP configuration (see “Configuring DHCP services” on page 104): starting IP 192.168.1.1; ending IP 192.168.1.254; netmask 255.255.255.0; lease duration 604800 seconds (7 days); default gateway 192.168.1.99; DNS server 192.168.1.99; exclusion range 192.168.1.99 - 192.168.1.99.
  • Page 23: Factory Default Nat/Route Mode Network Configuration

    Getting started. Factory default NAT/Route mode network configuration. When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in the factory default table. Use this configuration to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to the network.
  • Page 24 You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy. Getting started “Scan content profile” on for more information about the scan Fortinet Inc.
  • Page 25: Factory Default Content Profiles

    Getting started. Factory default content profiles. You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. Using content profiles, you can build protection configurations that can be applied to different types of firewall policies.
  • Page 26 Web Exempt List Email Block List Email Exempt List Email Content Block Oversized File/Email Block Pass Fragmented Emails Getting started HTTP IMAP POP3 pass pass pass pass HTTP IMAP POP3 pass pass pass pass SMTP pass SMTP pass Fortinet Inc.
  • Page 27: Planning The Fortigate Configuration

    Getting started Unfiltered content profile Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected. Table 9: Unfiltered content profile Options Antivirus Scan...
  • Page 28: Transparent Mode

    Figure: FortiGate-50A unit in Transparent mode. The unit sits between the internal network and the external network with an internal management IP of 10.10.10.1; Transparent mode policies control traffic between the internal and external networks (host addresses shown in the figure: 192.168.1.3 and 10.10.10.3).
  • Page 29 Getting started In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.
  • Page 30: Fortigate Model Maximum Values Matrix

    Table: FortiGate model maximum values matrix (per-model limits; values marked * vary with available system memory, see the note on page 31).
  • Page 31: Next Steps

    * Web filter and email filter lists: the limit varies depending on available system memory. Fortinet recommends limiting the total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering.
  • Page 32 Next steps (continued)
  • Page 33: Nat/Route Mode Installation

    FortiGate-50A Installation and Configuration Guide Version 2.50. NAT/Route mode installation. This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on page 41.
  • Page 34: Changing The Default Configuration

    ...FTP server installed on an internal network, add the IP addresses of the servers here. Table 12 (continued): blank fields of the form _____._____._____._____ for recording the IP addresses you will need when connecting the FortiGate unit to your networks.
  • Page 35: Advanced Nat/Route Mode Settings

    NAT/Route mode installation Advanced NAT/Route mode settings FortiGate NAT/Route mode settings. Table 13: Advanced FortiGate NAT/Route mode settings DHCP server Using the setup wizard From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager”...
  • Page 36: Using The Command Line Interface

    Set the primary DNS server IP address. Enter: set system dns primary <IP address> Example: set system dns primary 293.44.75.21 Note: 293.44.75.21 is not a valid IPv4 address (no octet can exceed 255); substitute the address of your DNS server. Use the values you recorded in Table 12 on page 34.
  • Page 37: Connecting The Fortigate Unit To Your Networks

    NAT/Route mode installation. Optionally, set the secondary DNS server IP address. Enter: set system dns secondary <IP address> Example: set system dns secondary 293.44.75.22 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE): set system route number <route_no>...
  • Page 38: Configuring Your Networks

    You can also add your own content profiles; see “Adding content profiles” on page 167. See “Factory default content profiles” on page 25 for descriptions of the default content profiles that you can select when you edit this policy, and “Setting system date and time” on page 121.
  • Page 39: Registering Your Fortigate Unit

    After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.
  • Page 40 Completing the configuration (continued)
  • Page 41: Transparent Mode Installation

    FortiGate-50A Installation and Configuration Guide Version 2.50 Transparent mode installation This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see installation” on page This chapter describes: •...
  • Page 42: Using The Setup Wizard

    Transparent mode installation. See “Connecting to the command line interface (CLI)” on page 20. Use the information that you gathered in Table 14 on page 41 to complete the following procedures and to fill in the wizard fields.
  • Page 43: Changing To Transparent Mode

    Transparent mode installation Changing to Transparent mode Log into the CLI if you are not already logged in. Switch to Transparent mode. Enter: set system opmode transparent After a few seconds, the login prompt appears. Type admin and press Enter. The following prompt appears: Type ? for a list of commands.
  • Page 44 ...3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic. Figure: Transparent mode installation. The internal network and the management computer connect through a hub, switch or router to the internal interface of the FortiGate-50A; the external interface connects to a public switch or router and from there to the Internet.
  • Page 45: Completing The Configuration

    After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.
  • Page 46: Transparent Mode Configuration Examples

    Default routes and static routes. This section gives an example default route to an external network, an example static route to an external destination, and an example static route to an internal destination. A default route uses 0.0.0.0 (IP address) and 0.0.0.0 (netmask); the static route example uses 172.100.100.0 (IP address) and 255.255.255.0 (netmask).
  • Page 47: Example Default Route To An External Network

    Transparent mode installation Example default route to an external network Figure 7 computer, are located on the external network. To reach these destinations, the FortiGate unit must connect to the “upstream” router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.
  • Page 48: Example Static Route To An External Destination

    CLI configuration steps. To configure the Fortinet basic settings and a default route using the CLI: Change the system to operate in Transparent Mode. Add the Management IP address and Netmask. Add the default route to the external network.
  • Page 49 Transparent mode installation Note: This is an example configuration only. To configure a static route, you require a destination IP address. Figure 8: Static route to an external destination Gateway IP 192.168.1.2 Management IP 192.168.1.1 FortiGate-50A General configuration steps Set the FortiGate unit to operate in Transparent mode. Configure the Management IP address and Netmask of the FortiGate unit.
  • Page 50 CLI configuration steps. To configure the Fortinet basic settings and a static route using the CLI: Set the system to operate in Transparent Mode. Add the Management IP address and Netmask. Add the static route to the primary FortiResponse server.
  • Page 51: Example Static Route To An Internal Destination

    Transparent mode installation Example static route to an internal destination Figure 9 the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway.
  • Page 52 Destination IP: 0.0.0.0. Mask: 0.0.0.0. Gateway: 192.168.1.2. Select OK.
    CLI configuration steps:
    set system opmode transparent
    set system management ip 192.168.1.1 255.255.255.0
    set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
    set system route number 2 gw1 192.168.1.2
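The CLI procedures above (the NAT/Route mode DNS and default-route commands on pages 36 and 37, and the Transparent mode management IP and static-route commands on page 52) fail silently when typed with a bad address: the manual's own DNS example, 293.44.75.21, is not a valid IPv4 address, and the static route destination 172.16.1.11 with mask 255.255.255.0 has host bits set. The Python script below is an added example, not code from the manual or from Fortinet. It builds the commands in the syntax the manual prints and rejects those mistakes before anything reaches the console. The command forms are taken from the manual; the validation rules (octet range, contiguous netmask, destination must be a network address, every Transparent mode gateway must lie on the management subnet) are this example's own and are not Fortinet rules.

```python
"""Build and sanity-check FortiOS 2.50 CLI commands for the DNS, default-route
and Transparent mode procedures shown in the manual.

Added example; not code from the manual or from Fortinet. Command syntax
follows the manual verbatim; the validation rules are this example's own.
"""
from typing import Dict, List, Optional


def parse_ipv4(text: str) -> int:
    """Return the address as a 32-bit int; reject anything that is not four
    decimal octets in 0-255 (this catches the manual's 293.44.75.21)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: an IPv4 address needs four octets")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r}: octet {part!r} out of range 0-255")
        value = (value << 8) | int(part)
    return value


def fmt_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_netmask(text: str) -> int:
    """A netmask must be a run of ones followed by a run of zeros."""
    mask = parse_ipv4(text)
    inverted = ~mask & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"{text!r} is not a contiguous netmask")
    return mask


def dns_commands(primary: str, secondary: Optional[str] = None) -> List[str]:
    """set system dns primary/secondary <IP address> (NAT/Route mode, pages 36-37)."""
    cmds = [f"set system dns primary {fmt_ipv4(parse_ipv4(primary))}"]
    if secondary is not None:
        cmds.append(f"set system dns secondary {fmt_ipv4(parse_ipv4(secondary))}")
    return cmds


def route_command(number: int, gateway: str, dst: Optional[str] = None,
                  mask: Optional[str] = None) -> str:
    """set system route number <n> [dst <ip> <mask>] gw1 <gateway>.
    Without dst this is the default route (destination 0.0.0.0 0.0.0.0)."""
    gw = fmt_ipv4(parse_ipv4(gateway))
    if dst is None:
        return f"set system route number {number} gw1 {gw}"
    if mask is None:
        raise ValueError("a static route needs both dst and mask")
    d, m = parse_ipv4(dst), parse_netmask(mask)
    if d & m != d:
        raise ValueError(f"dst {dst} {mask}: host bits set, network is {fmt_ipv4(d & m)}")
    return f"set system route number {number} dst {fmt_ipv4(d)} {fmt_ipv4(m)} gw1 {gw}"


def transparent_mode_commands(mgmt_ip: str, mgmt_mask: str,
                              routes: List[Dict[str, str]]) -> List[str]:
    """The page-52 sequence: switch mode, set the management IP, add routes.
    This example additionally requires every gateway to sit on the management
    subnet, since that is the only subnet the unit has an address on."""
    ip, mask = parse_ipv4(mgmt_ip), parse_netmask(mgmt_mask)
    cmds = ["set system opmode transparent",
            f"set system management ip {fmt_ipv4(ip)} {fmt_ipv4(mask)}"]
    for number, route in enumerate(routes, start=1):
        if parse_ipv4(route["gateway"]) & mask != ip & mask:
            raise ValueError(f"gateway {route['gateway']} is not on the management subnet")
        cmds.append(route_command(number, **route))
    return cmds


def error_for(func, *args, **kwargs) -> Optional[str]:
    """Run a builder and return its ValueError message, or None if it succeeded."""
    try:
        func(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(error_for(dns_commands, "293.44.75.21"))   # the manual's invalid example
    print(error_for(route_command, 1, "192.168.1.3", dst="172.16.1.11", mask="255.255.255.0"))
    for cmd in transparent_mode_commands("192.168.1.1", "255.255.255.0", [
            {"gateway": "192.168.1.3", "dst": "172.16.1.0", "mask": "255.255.255.0"},
            {"gateway": "192.168.1.2"}]):
        print(cmd)
```

Generate the command list, check it, and only then paste it into the HyperTerminal session; a rejected address is cheaper to fix here than after the unit has lost its default route.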
  • Page 53: System Status

    FortiGate-50A Installation and Configuration Guide Version 2.50 System status You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number. If you log into the web-based manager using the admin administrator account, you can make any of the following changes to the FortiGate system settings: •...
  • Page 54: Changing The Fortigate Host Name

    The new host name is displayed on the Status page, and in the CLI prompt, and is added to the SNMP System Name. Changing the FortiGate firmware After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1: Firmware upgrade procedures...
  • Page 55: Upgrading To A New Firmware Version

    System status Upgrading to a new firmware version Use the following procedures to upgrade the FortiGate unit to a newer firmware version. Upgrading the firmware using the web-based manager Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
  • Page 56: Reverting To A Previous Firmware Version

    Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
  • Page 57: Reverting To A Previous Firmware Version Using The Cli

    System status If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file. Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
  • Page 58 Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
  • Page 59: Installing Firmware Images From A System Reboot Using The Cli

    System status To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information. get system objver Installing firmware images from a system reboot using the CLI This procedure installs a specified firmware image and resets the FortiGate unit to default settings.
  • Page 60 Boot menu options: Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options. The FortiGate unit can be restarted with the execute reboot command.
  • Page 61: Restoring The Previous Configuration

    System status Restoring the previous configuration Change the internal interface addresses if required. You can do this from the CLI using the command: set system interface After changing the interface addresses, you can access the FortiGate unit from the web-based manager and restore the configuration. •...
  • Page 62 You can test the new firmware image as required. Boot menu options: Get firmware image from TFTP server. Format boot device. Quit menu and continue to boot with default firmware. Display this list of options. The FortiGate unit can be restarted with the execute reboot command.
  • Page 63: Manual Virus Definition Updates

    Update Now. To update the antivirus definitions manually Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status.
  • Page 64: Displaying The Fortigate Serial Number

    Select OK to restore the system settings file to the FortiGate unit. The FortiGate unit restarts, loading the new system settings. Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.
  • Page 65: Restoring System Settings To Factory Defaults

    System status Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions. Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
  • Page 66: Changing To Nat/Route Mode

    Go to System > Status. Select Shutdown. The FortiGate unit shuts down and all traffic flow stops. Changing to NAT/Route mode. The following settings are not set to NAT/Route mode factory defaults: the admin administrator account password (see “Adding and editing administrator accounts” on page 123); custom replacement messages (see “Replacement messages” on page 133).
  • Page 67: System Status

    System status System status You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
  • Page 68: Viewing Sessions And Network Status

    Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
  • Page 69: Viewing Virus And Intrusions Status

    System status Select Refresh to manually update the information displayed. Figure 2: Sessions and network status monitor Viewing virus and intrusions status Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
  • Page 70: Session List

    If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session. Select Refresh to update the session list, and use Page Up or Page Down to move through it.
  • Page 71 System status. Each line of the session list displays the following information. Protocol: the service protocol of the connection, for example udp, tcp, or icmp. From IP: the source IP address of the connection. The remaining columns are From Port, To IP, To Port, Expire, and a Clear control. (Figure 4: Example session list.)
  • Page 72 Session list (continued)
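The session list columns described above are also the raw material for a quick look at what is actually crossing the firewall. The Python script below is an added example, not code from the manual or from Fortinet. It parses a constructed session list in the column order shown (Protocol, From IP, From Port, To IP, To Port, Expire), counts sessions per protocol, lists connections to cleartext administration ports (telnet 23, http 80), and flags a source host that has opened many distinct TCP ports to a single destination. The sample lines, the port list and the threshold are this example's own.

```python
"""Parse and triage a FortiGate session list (Protocol, From IP, From Port,
To IP, To Port, Expire). Added example; the session lines below are
constructed for illustration, not captured from a unit."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional

SAMPLE_SESSIONS = """\
tcp  192.168.1.10  3411  64.230.123.149  443  3599
udp  192.168.1.10  1031  192.168.1.99    53   42
tcp  192.168.1.22  4460  203.0.113.9     23   120
tcp  192.168.1.22  4461  203.0.113.9     22   118
tcp  192.168.1.22  4462  203.0.113.9     25   117
tcp  192.168.1.22  4463  203.0.113.9     80   117
tcp  192.168.1.22  4464  203.0.113.9     110  116
icmp 192.168.1.10  0     192.168.1.99    0    9
"""

COLUMNS = ("protocol", "from_ip", "from_port", "to_ip", "to_port", "expire")
PROTOCOLS = {"tcp", "udp", "icmp"}
CLEARTEXT_ADMIN_PORTS = {23: "telnet", 80: "http"}   # credentials readable on the wire


def parse_sessions(text: str) -> List[dict]:
    """One dict per non-empty line. Malformed lines raise instead of being
    skipped, so a truncated copy-paste is noticed rather than under-counted."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(fields)}")
        session = dict(zip(COLUMNS, fields))
        if session["protocol"] not in PROTOCOLS:
            raise ValueError(f"line {lineno}: unknown protocol {session['protocol']!r}")
        for key in ("from_port", "to_port", "expire"):
            session[key] = int(session[key])
        if not (0 <= session["from_port"] <= 65535 and 0 <= session["to_port"] <= 65535):
            raise ValueError(f"line {lineno}: port out of range")
        sessions.append(session)
    return sessions


def parse_error(text: str) -> Optional[str]:
    """Return the parse error for `text`, or None if it parses cleanly."""
    try:
        parse_sessions(text)
    except ValueError as exc:
        return str(exc)
    return None


def protocol_counts(sessions: List[dict]) -> Dict[str, int]:
    return dict(Counter(s["protocol"] for s in sessions))


def cleartext_admin_sessions(sessions: List[dict]) -> List[str]:
    """TCP sessions to telnet or http, whatever the destination."""
    return [f"{s['from_ip']} -> {s['to_ip']}:{s['to_port']} ({CLEARTEXT_ADMIN_PORTS[s['to_port']]})"
            for s in sessions
            if s["protocol"] == "tcp" and s["to_port"] in CLEARTEXT_ADMIN_PORTS]


def port_scan_suspects(sessions: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Source hosts with at least `threshold` distinct TCP destination ports
    open to one destination: a crude but useful scan indicator."""
    ports = defaultdict(set)
    for s in sessions:
        if s["protocol"] == "tcp":
            ports[(s["from_ip"], s["to_ip"])].add(s["to_port"])
    return {f"{src} -> {dst}": len(p) for (src, dst), p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    print(protocol_counts(sessions))
    print(cleartext_admin_sessions(sessions))
    print(port_scan_suspects(sessions))
```

The session list only shows what is open at the moment you refresh it, so a scan that finishes between refreshes is missed; for anything more than a spot check, enable traffic logging on the policy (page 24) and run the same logic over the log.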
  • Page 73: Virus And Attack Definitions Updates And Registration

    Network (FDN) to update the antivirus and attack definitions and the antivirus engine. You have the following update options: • • • To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. This chapter describes: • • • •...
  • Page 74: Connecting To The Fortiresponse Distribution Network

    ...FortiGate was not able to connect to the FDN and other error conditions. This chapter describes: Connecting to the FortiResponse Distribution Network; Manually initiating antivirus and attack definitions updates; Configuring update logging; Scheduling updates; Enabling...
  • Page 75: Manually Initiating Antivirus And Attack Definitions Updates

    Virus and attack definitions updates and registration Table 1: Connections to the FDN Connections FortiResponse Distribution Network Push Update Manually initiating antivirus and attack definitions updates You can use the following procedure to update the antivirus and attack definitions at any time.
  • Page 76: Configuring Update Logging

    Once a day. You can specify the time of day to check for updates. Once a week. You can specify the day of the week and the time of day to check for updates. See “Recording logs” on page 251.
  • Page 77: Adding An Override Server

    Virus and attack definitions updates and registration Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log. Figure 1: Configuring automatic antivirus and attack definitions updates Adding an override server If you cannot connect to the FDN, or if your organization provides antivirus and attack...
  • Page 78: Enabling Scheduled Updates Through A Proxy Server

    Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see “Enabling scheduled updates through a proxy server” on page 78 and “Registering the FortiGate unit” on page 85.
  • Page 79: Enabling Push Updates

    Virus and attack definitions updates and registration When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates.
  • Page 80 Figure: Push updates through a FortiGate NAT device. The FortiResponse Distribution Network (FDN) on the Internet sends the push update to external IP 64.230.123.149, port 45001. On the FortiGate NAT device, a virtual IP maps 64.230.123.149:45001 to 192.168.1.99:9443, the management IP of the FortiGate unit on the internal network (the figure labels 192.168.1.99 as the External IP or Management IP to enter).
  • Page 81 Virus and attack definitions updates and registration General procedure Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates: Add a port forwarding virtual IP to the FortiGate NAT device.
  • Page 82 To configure the FortiGate unit on the internal network: Go to System > Update. Select the Allow Push Update check box. Select the Use override push check box. Firewall policy on the FortiGate NAT device: Source External_All; Destination the virtual IP added above; Schedule Always; Action Accept; NAT selected.
  • Page 83: Registering Fortigate Units

    FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: •...
  • Page 84: Forticare Service Contracts

    For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
  • Page 85: Registering The Fortigate Unit

    Your contact information including: • First and last name • Company name • Email address (Your Fortinet support login user name and password will be sent to this email address.) • Address • Contact phone number A security question and an answer to the security question.
  • Page 86: Updating Registration Information

    Updating registration information You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes: •...
  • Page 87: Viewing The List Of Registered Fortigate Units

    If you entered the correct answer to the security question, an email containing a new password is sent to your email address. You can use your current user name and this password to log into the Fortinet support web site. Select Support Login.
  • Page 88: Registering A New Fortigate Unit

    To register a new FortiGate unit Go to System > Update > Support. Select Support Login. Enter your Fortinet support user name and password. Select Login. Select Add Registration. Select the model number of the product model that you want to register.
  • Page 89: Changing Your Fortinet Support Password

    Make the required changes to your contact information. Make the required changes to your security question and answer. Select Update Profile. Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed. FortiGate-50A Installation and Configuration Guide...
  • Page 90: Downloading Virus And Attack Definitions Updates

    FortiGate unit. To download virus and attack definitions updates Go to System > Update > Support. Select Support Login. Enter your Fortinet support user name and password. Select Login. Select Download Virus/Attack Update. If required, select the FortiOS version.
  • Page 91: Registering A Fortigate Unit After An Rma

    FortiGate unit is protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.
  • Page 92 Registering a FortiGate unit after an RMA (continued)
  • Page 93: Network Configuration

    FortiGate-50A Installation and Configuration Guide Version 2.50 Network configuration You can use the System Network page to change any of the following FortiGate network settings: • • • • • Configuring interfaces Use the following procedures to configure FortiGate interfaces: •...
  • Page 94: Viewing The Interface List

    If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see “Changing the administrative status of an interface”.
  • Page 95: Configuring An Interface For Dhcp

    Change the IP address and Netmask as required. The IP address of the interface must be on the same subnet as the network the interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
  • Page 96: Configuring An Interface For Pppoe

    The FortiGate unit is attempting to connect to the DHCP server. The FortiGate unit retrieves an IP address, netmask, and other settings from the PPPoE server. The FortiGate unit was unable to retrieve an IP address and other information from the PPPoE server.
  • Page 97: Adding A Ping Server To An Interface

    You can also configure management access and add a ping server to the secondary IP address:
    set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
    set system interface <intf_str> config secgwdetect enable
    Adding a ping server to an interface: Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface.
  • Page 98: Changing The Mtu Size To Improve Network Performance

    To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 125. To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
  • Page 99: Configuring The Management Interface In Transparent Mode

    Configuring the management interface in Transparent mode: Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate unit also uses this IP address to connect to the FDN for virus and attack updates. You can also configure the management interface to control how administrators connect to the FortiGate unit for administration and the FortiGate interfaces to which...
  • Page 100: Adding Dns Server Ip Addresses

    Adding a default route; Adding destination-based routes to the routing table; Adding routes in Transparent mode; Configuring the routing table; Policy routing.
  • Page 101: Adding Destination-Based Routes To The Routing Table

    Adding destination-based routes to the routing table: You can add destination-based routes to the FortiGate routing table to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses.
  • Page 102: Adding Routes In Transparent Mode

    If the Gateway #2 IP address is not on the same subnet as a FortiGate interface, the system routes the traffic to the external interface, using the default route. See “Adding a ping server to an interface” and “Configuring the routing table”.
  • Page 103: Policy Routing

    To configure the routing table: Go to System > Network > Routing Table. Choose the route that you want to move and select Move to the routing table. Type a number in the Move to field to specify where in the routing table to move the route and select OK.
  • Page 104: Configuring Dhcp Services

    Go to System > Network > DHCP. Select Service. Select the interface to be the DHCP relay agent. Select DHCP Relay Agent. Enter the DHCP Server IP address. Select Apply. Configuring a DHCP relay agent; Configuring a DHCP server.
  • Page 105: Configuring A Dhcp Server

    Configuring a DHCP server: As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any FortiGate interface. You can also configure a DHCP server for more than one FortiGate interface.
  • Page 106 Enter the addresses of up to 3 DNS servers that the DHCP server assigns to the DHCP clients. Add the IP addresses of one or two WINS servers to be assigned to DHCP clients. ... that cannot be assigned to DHCP clients.
  • Page 107: Configuring The Modem Interface

    Note: The reserved IP cannot be assigned to any other device. You can only add a given IP address or MAC address once. Select OK. Viewing a DHCP server dynamic IP list: You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.
  • Page 108: Connecting A Modem To The Fortigate Unit

    To configure modem settings: Go to System > Network > Modem. Select Enable USB Modem. Change any of the following dialup connection settings: [Figure labels: USB connector, USB-to-serial converter, serial connector, V.92, Internet]
  • Page 109: Connecting To A Dialup Account

    Redial Limit; Holddown Timer; Redundant for. Enter the following Dialup Account 1 settings: Phone Number: The phone number required to connect to the dialup account. Do not add ... User Name; Password. If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.
  • Page 110: Viewing Modem Status

    The modem interface is attempting to connect to the ISP, or is connected to the ISP. See “Configuring modem settings” on page 108, “Adding a ping server to an interface”, and “Adding firewall policies for modem connections” on page 111.
  • Page 111: Adding Firewall Policies For Modem Connections

    If the connection to the dialup account fails, the FortiGate unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. In standalone mode the modem interface replaces the external ethernet interface. When configuring the modem, you must set Redundant for to the name of the ethernet interface that the modem interface replaces.
  • Page 112 Configuring the modem interface
  • Page 113: Rip Configuration

    RIP configuration: The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1, as defined by RFC 1058, and RIP version 2, as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information and to support simple authentication and subnet masks.
  • Page 114 The time in seconds that must elapse after the last update for a route before RIP removes the route from the routing table. Flush should be greater than the value of Invalid to allow the route to go into the holddown state. The default for Flush is 240 seconds.
  • Page 115: Configuring Rip For Fortigate Interfaces

    Figure 1: Configuring RIP settings. Configuring RIP for FortiGate interfaces: You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. To configure RIP for FortiGate interfaces: Go to System >...
  • Page 116 More traffic will use routes to the interface with the lower metric. Metric can be from 1 to 16, with 16 meaning unreachable.
  • Page 117: Adding Rip Filters

    Adding RIP filters: Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming filter accepts or rejects routes in an incoming RIP update packet.
  • Page 118: Assigning A Rip Filter List To The Neighbors Filter

    For Incoming Routes Filter, select the name of the RIP filter list to assign to the incoming filter. Select Apply. Add Prefix to add an entry to the filter list. ... to add entries to the RIP filter list.
  • Page 119: Assigning A Rip Filter List To The Outgoing Filter

    Assigning a RIP filter list to the outgoing filter: The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter. To assign a RIP filter list to the outgoing filter: Go to System >...
  • Page 120 Adding RIP filters
  • Page 121: System Configuration

    System configuration: Use the System Config page to make any of the following changes to the FortiGate system configuration. Setting system date and time: For effective scheduling and logging, the FortiGate system time must be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
  • Page 122: Changing System Options

    Go to System > Config > Options. For Auth Timeout, type a number in minutes. Set the system idle timeout. Set the authentication timeout. Select the language for the web-based manager. Modify the dead gateway detection settings.
  • Page 123: Adding And Editing Administrator Accounts

    Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication”. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
  • Page 124: Adding New Administrator Accounts

    FortiGate unit, and shut down the FortiGate unit. There is only one admin user. ... edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System Status page. Can view the FortiGate configuration.
  • Page 125: Configuring Snmp

    FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of...
  • Page 126: Configuring The Fortigate Unit For Snmp Monitoring

    FortiGate SNMP agent. Configuring the FortiGate unit for SNMP monitoring; Configuring FortiGate SNMP support; FortiGate MIBs; FortiGate traps; Fortinet MIB fields; Configuring SNMP access to an interface; Configuring SNMP community settings.
  • Page 127 To configure SNMP community settings: Go to System > Config > SNMP v1/v2c. Select the Enable SNMP check box. Configure the following SNMP settings: System Name; System Location; Contact Information (add the contact information for the person responsible for this FortiGate ...); Get Community; Trap Community; Trap Receiver IP...
  • Page 128: Fortigate Mibs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 129: Fortigate Traps

    The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager.
  • Page 130: Logging Traps

    MIB fields and describes the configuration and status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.
  • Page 131: System Configuration And Status

    System configuration and status: Table 8: System MIB fields: fnSysStatus, fnSysUpdate, fnSysNetwork, fnSysConfig, fnSysSnmp. Firewall configuration: Table 9: Firewall MIB fields: fnFirewallPolicy, fnFirewallAddress, fnFirewallService, fnFirewallSchedule, fnFirewallVirtualIP, fnFirewallIpPool, fnFirewallIPMACBinding, fnFirewallContProfiles. Users and authentication configuration: Table 10: User and authentication MIB fields: FnUserLocalTable, FnUserRadiusSrvTable, FnUserGrpTable...
  • Page 132: Antivirus Configuration

    Antivirus quarantine configuration. Antivirus configuration including the current virus definition virus list. Web filter URL block list. Web filter script blocking configuration. Web filter exempt URL list. Log setting configuration. Log setting traffic filter configuration. Alert email configuration.
  • Page 133: Replacement Messages

    Replacement messages: Replacement messages are added to content passing through the firewall to replace: ... You can edit the content of replacement messages. You can also edit the content added to alert email messages to control the information that appears in alert emails for virus incidents, NIDS events, critical system events, and disk full events.
  • Page 134: Customizing Alert Emails

    Used when quarantine is enabled (permitted for all scan services and block services for email only). Section start: <**QUARANTINE**>. Allowed tags: %%QUARFILENAME%% (the name of the file that was quarantined). Section end: <**/QUARANTINE**>. ... lists the replacement message sections that can be added to alert email
  • Page 135 Table 17: Alert email message sections (for each of NIDS event, Virus alert, and Block alert, the table gives the Section Start, Allowed Tags, and Section End). NIDS event: Used for NIDS event alert email messages. Section start: <**NIDS_EVENT**>...
  • Page 136 Critical event: Used for critical firewall event alert emails. Section start: <**CRITICAL_EVENT**>. Allowed tags: %%CRITICAL_EVENT%% (the firewall critical event message). Section end: <**/CRITICAL_EVENT**>.
  • Page 137: Firewall Configuration

    Firewall configuration: Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
  • Page 138: Default Firewall Configuration

    Internal_All, added to the internal interface, this address matches all addresses on the internal network. External_All, added to the external interface, this address matches all addresses on the external network. See “Content profiles” on page 166.
  • Page 139: Services

    The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default policy matches all connections from the internal network because it includes the Internal_All address. The default policy also matches all connections to the external network because it includes the External_All address.
  • Page 140: Adding Firewall Policies

    ... on a policy in the list to add the new ... See “Firewall policy options” on page 140, “Configuring policy lists”, “Addresses” on page 146, “Services” on page 149, “Schedules” on page 154, and “Virtual...
  • Page 141 Figure 5: Adding a NAT/Route policy. Action: Select how you want the firewall to respond when the policy matches a connection attempt (ACCEPT, DENY, or ENCRYPT). ACCEPT: Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.
  • Page 142: Traffic Shaping

    You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service. See “IP pools” on page 161.
  • Page 143 Maximum Bandwidth; Traffic Priority; Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. For information about adding and configuring user groups, see “Configuring user groups”. You must add user groups before you can select Authentication.
  • Page 144: Configuring Policy Lists

    The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. See “Logging and reporting” on page 251.
  • Page 145: Policy Matching In Detail

    For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.
  • Page 146: Enabling And Disabling Policies

    The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0). A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.255). All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0).
  • Page 147: Adding Addresses

    This section describes: ... Adding addresses: To add an address: Go to Firewall > Address. Select the interface that you want to add the address to. Select New to add a new address. Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
  • Page 148: Editing Addresses

    - and _. Other special characters and spaces are not allowed. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
  • Page 149: Services

    To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. Select OK to add the address group. Figure 8: Adding an internal address group. Services: Use services to determine the types of communication accepted or denied by the firewall.
  • Page 150 Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL. Internet Relay Chat allows people connected to the Internet to join live discussions. L2TP is a PPP-based tunnel protocol for remote access. Port column values from the table: 5190-5194; 1720, 1503; 6660-6669; 1701.
  • Page 151 Table 18: FortiGate predefined services (continued). Service names: LDAP, NetMeeting, NNTP, OSPF, PC-Anywhere, PING, TIMESTAMP, INFO_REQUEST (ICMP information request messages), INFO_ADDRESS (ICMP address mask request messages), POP3, PPTP, QUAKE, RAUDIO, RLOGIN, SMTP, SNMP, SYSLOG, TALK. Description: Lightweight Directory Access Protocol is a set of protocols used to access information...
  • Page 152: Adding Custom Tcp And Udp Services

    Wide Area Information Server. An Internet search protocol. For WinFrame communications between computers running Windows NT. For remote communications between an X-Window server and X-Window clients. Port column values from the table: 0-65535; 0-65535; 7000-7010; 1494; 6000-6063. ... to remove each extra row.
  • Page 153: Adding Custom Icmp Services

    Adding custom ICMP services: Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list. To add a custom ICMP service: Go to Firewall > Service > Custom. Select ICMP from the Protocol list.
  • Page 154: Schedules

    This section describes: Creating one-time schedules; Creating recurring schedules; Adding schedules to policies.
  • Page 155: Creating One-Time Schedules

    Creating one-time schedules: You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
  • Page 156: Adding Schedules To Policies

    After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
  • Page 157: Virtual Ips

    To add a schedule to a policy: Go to Firewall > Policy. Create a new policy or edit a policy to change its schedule. Configure the policy as required. Add a schedule by selecting it from the Schedule list. Select OK to save the policy.
  • Page 158: Adding Static Nat Virtual Ips

    NAT virtual IP can be added to Int->Ext policies. To map an external address to an internal address. If you select external, the static NAT virtual IP can be added to Ext->Int policies. Table 19 ... is set using PPPoE or ...
  • Page 159: Adding Port Forwarding Virtual Ips

    Figure 12: Adding a static NAT virtual IP. Adding port forwarding virtual IPs: To add port forwarding virtual IPs: Go to Firewall > Virtual IP. Select New to add a virtual IP. Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
  • Page 160 Select the protocol (TCP or UDP) that you want the forwarded packets to use. Select OK to save the port forwarding virtual IP. Figure 13: Adding a port forwarding virtual IP.
  • Page 161: Adding Policies With Virtual Ips

    Adding policies with virtual IPs: Use the following procedure to add a policy that uses a virtual IP to forward packets. To add a policy with a virtual IP: Go to Firewall > Policy. Select the type of policy that you want to add. •...
  • Page 162: Adding An Ip Pool

    You can assign one of your organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address.
  • Page 163: Ip/Mac Binding

    If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection.
  • Page 164: Configuring Ip/Mac Binding For Packets Going To The Firewall

    A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
    • is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,
    • is blocked if IP/MAC binding is set to Block traffic.
  • Page 165: Adding Ip/Mac Addresses

    Adding IP/MAC addresses: To add an IP/MAC address: Go to Firewall > IP/MAC Binding > Static IP/MAC. Select New to add an IP address/MAC address pair. Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address.
  • Page 166: Content Profiles

    Configure email filtering for IMAP and POP3 policies. Configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP policies. Pass fragmented email for POP3, SMTP, and IMAP policies. Default content profiles; Adding content profiles; Adding content profiles to policies.
  • Page 167: Default Content Profiles

    Default content profiles: The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own: Strict, Scan, Unfiltered... Adding content profiles: If the default content profiles do not provide the protection that you require, you can create custom content profiles.
  • Page 168 See “Blocking oversized files and emails” on page 228. Allow email messages that have been fragmented to bypass antivirus scanning. See “Exempting fragmented email from blocking” on page 228.
  • Page 169: Adding Content Profiles To Policies

    Adding content profiles to policies: You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. To add a content profile to a policy: Go to Firewall >...
  • Page 170 Content profiles
  • Page 171: Users And Authentication

    Users and authentication: FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.
  • Page 172: Setting Authentication Timeout

    Enter the password that this user must use to authenticate. The password should be at least six characters long. The password can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  • Page 173: Deleting User Names From The Internal Database

    LDAP; Radius. Select the “Try other servers if connect to selected server fails” check box if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. Select OK.
  • Page 174: Configuring Radius Support

    You cannot delete a RADIUS server that has been added to a user group. To delete a RADIUS server: Go to User > RADIUS. Select Delete beside the RADIUS server name that you want to delete. Select OK. Adding RADIUS servers; Deleting RADIUS servers.
  • Page 175: Configuring Ldap Support

    Configuring LDAP support: If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
  • Page 176: Deleting Ldap Servers

    You cannot delete an LDAP server that has been added to a user group. To delete an LDAP server: Go to User > LDAP. Select Delete beside the LDAP server name that you want to delete. Select OK.
  • Page 177: Configuring User Groups

    Configuring user groups: To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:...
  • Page 178: Deleting User Groups

    You cannot delete user groups that have been selected in a policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. To delete a user group: Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
  • Page 179: Ipsec Vpn

    IPSec VPN: A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices.
  • Page 180: Key Management

    IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates. AutoIKE with pre-shared keys If both peers in a session are configured with the same pre-shared key, they can use it to authenticate themselves to each other.
  • Page 181: Manual Key Ipsec Vpns

    Manual key IPSec VPNs: When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers.
  • Page 182: Autoike Ipsec Vpns

    16 characters; the second of 24 characters. See “Adding a VPN concentrator” on page 198. General configuration steps for an AutoIKE VPN; Adding a phase 1 configuration for an AutoIKE VPN; Adding a phase 2 configuration for an AutoIKE VPN.
  • Page 183: General Configuration Steps For An Autoike Vpn

    General configuration steps for an AutoIKE VPN: An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. To create an AutoIKE VPN configuration: Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA and local certificates to the FortiGate unit.
  • Page 184 16 randomly chosen alphanumeric characters. RSA Signature: Select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 190.
  • Page 185: Configuring Advanced Options

    Configure the Local ID that the FortiGate unit sends to the remote VPN peer. ... Configuring advanced options: To configure phase 1 advanced options: Select Advanced Options. Select a Peer Option if you want to authenticate remote VPN peers by the ID that they transmit during phase 1.
  • Page 186 Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not (use MIXED with the Fortinet Remote VPN Client). Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
  • Page 187 Figure 21: Adding a phase 1 configuration (Standard options). Figure 22: Adding a phase 1 configuration (Advanced options).
  • Page 188: Adding A Phase 2 Configuration For An Autoike Vpn

    When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 Kbytes. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 183.
  • Page 189 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed. Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the “Adding a VPN concentrator” procedure to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you added the tunnel.
  • Page 190: Managing Digital Certificates

    VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
  • Page 191 FortiGate unit (such as Manufacturing or MF). Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet). Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
  • Page 192: Obtaining Ca Certificates

    CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices. ... to download the local certificate to the management computer.
  • Page 193: Importing Ca Certificates

    The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiGate unit. Note: The CA certificate must adhere to the X.509 standard.
  • Page 194: Adding A Source Address

    Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN. Logging so that the FortiGate unit logs all connections that use the VPN. This section describes: Adding a source address; Adding a destination address; Adding an encrypt policy.
  • Page 195: Adding An Encrypt Policy

    Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer. Select OK to save the destination address. Adding an encrypt policy: To add an encrypt policy, go to Firewall >...
  • Page 196: Ipsec Vpn Concentrators

    VPNs. If this peer fails, encrypted communication in the network is impossible. A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role of the VPN peer.
  • Page 197: Vpn Concentrator (Hub) General Configuration Steps

    If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together.
  • Page 198: Adding A Vpn Concentrator

    Select OK to add the VPN concentrator. Encrypt policy settings for each spoke: Source Internal_All; Destination the VPN spoke address; Action ENCRYPT; VPN Tunnel the VPN spoke tunnel name. Select allow inbound. Select inbound NAT if required. See “Adding an encrypt policy” on page 195. In the policy list, the encrypt policies must be placed above the default non-encrypt policy (Internal_All -> External_All), since the first matching policy is applied.
  • Page 199: Vpn Spoke General Configuration Steps

    Figure 26: Adding a VPN concentrator. VPN spoke general configuration steps: A remote VPN peer that functions as a spoke requires the following configuration. To create a VPN spoke configuration: Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.
  • Page 200 VPN Tunnel: the VPN tunnel name added in step 1 (use the same tunnel for all encrypt policies). Select allow inbound. Select inbound NAT if required. See “Adding an encrypt policy” on page 195. In the policy list, the outbound encrypt policies and the inbound encrypt policy must be placed above the default non-encrypt policy (Internal_All -> External_All).
  • Page 201: Monitoring And Troubleshooting Vpns

    Monitoring and Troubleshooting VPNs. Viewing VPN tunnel status: You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status and the tunnel time out. To view VPN tunnel status, go to VPN >...
  • Page 202: Testing A Vpn

    You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network. The actual IP address or subnet address of the local peer.
  • Page 203: Pptp And L2Tp Vpn

    PPTP and L2TP VPN: You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you do not require third-party software on the client computer. Note that PPTP offers considerably weaker protection than IPSec; use it only where an IPSec client is not an option.
  • Page 204 Select OK to save the source address. Repeat for all addresses in the PPTP address range. See “To add users and user groups” on page 203, “Adding user names and ...” on page 172, and “Configuring user groups” on page 177.
  • Page 205 Note: If the PPTP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group. To add a source address group: Organize the source addresses into an address group. Go to Firewall >...
  • Page 206: Configuring A Windows 98 Client For Pptp

    Uncheck Use default gateway on remote network. Select OK twice. To connect to the PPTP VPN: Start the dialup connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password. Select Connect.
  • Page 207: Configuring A Windows 2000 Client For Pptp

    Configuring a Windows 2000 client for PPTP: Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN. To configure a PPTP dialup connection: Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next.
  • Page 208 This user name and password are not the same as your VPN user name and password. Network components shown in the connection properties: TCP/IP; QoS Packet Scheduler; File and Printer Sharing for Microsoft Networks; Client for Microsoft Networks.
  • Page 209: Configuring L2Tp

    Configuring L2TP: Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit. Note that L2TP itself does not encrypt the tunnelled traffic. Note: L2TP VPNs are only supported in NAT/Route mode. This section describes: ...
  • Page 210 Addresses list and select the right arrow to add it to the Members list. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. Select OK to add the address group.
  • Page 211: Configuring A Windows 2000 Client For L2Tp

    To add a destination address: Add an address to which L2TP users can connect. Go to Firewall > Address. Select the internal interface. Select New to add an address. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
  • Page 212 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
  • Page 213: Configuring A Windows Xp Client For L2Tp

    Configuring a Windows XP client for L2TP: Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN. To configure an L2TP VPN dialup connection: Go to Start >...
  • Page 214 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
  • Page 215: Network Intrusion Detection System (Nids)

    Network Intrusion Detection System (NIDS): The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
  • Page 216: Selecting The Interfaces To Monitor

    FortiGate unit is installed behind a router that also does checksum verification. To configure checksum verification: Go to NIDS > Detection > General. Select the type of traffic that you want to run Checksum Verifications on. Select Apply. Figure 31: Example NIDS detection configuration.
  • Page 217: Viewing The Signature List

    Open a web browser and enter the following URL: http://www.fortinet.com/ids/ID<attack-ID> Make sure that you include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL: http://www.fortinet.com/ids/ID101646338 Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack.
  • Page 218: Disabling Nids Attack Signatures

    Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.
  • Page 219 To add user-defined signatures: Go to NIDS > Detection > User Defined Signature List. Select Upload. Caution: Uploading the user-defined signature list overwrites the existing file. Type the path and filename of the text file for the user-defined signature list or select Browse and locate the file.
  • Page 220: Preventing Attacks

    This section describes: Enabling NIDS attack prevention signatures; Setting signature threshold values. The signature list has controls to enable all signatures in the NIDS attack prevention signature list, to disable all signatures in the list, or to enable only the default NIDS attack prevention signatures.
  • Page 221: Setting Signature Threshold Values

    Setting signature threshold values: You can change the default threshold values for the NIDS Prevention signatures. For some signatures the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.
  • Page 222: Logging Attacks

    NIDS Signature Group Members list. Select the icon beside the signature for which you want to set the Threshold value. This section describes: Logging attack messages to the attack log; Reducing the number of NIDS attack log and email messages.
  • Page 223 The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue.
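    The queue described above, as an added example (not FortiGate code and not taken from the manual). The page does not say what makes two alerts duplicates or how the counters are reported afterwards, so this example keys on (attack ID, source, destination) parsed from constructed attack log lines, and emits one summary per repeated alert when flush() is called; the log line layout, the key choice and the summary format are this example's own. The attack ID and name are the ones used on page 217.

```python
"""Duplicate suppression for NIDS alert email, modelled on the queue the text
describes: a new alert is sent at once and a copy kept in the queue; a
duplicate is dropped and that alert's counter is increased.

Added example, not FortiGate code. The log format below is constructed for
the example; only the fact that each message carries the attack ID and a
FortiResponse URL comes from the manual.
"""
import re
from collections import OrderedDict

LOG_RE = re.compile(
    r"attack_id=(?P<id>\d+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+msg=(?P<msg>.*)")


def parse_attack(line: str) -> dict:
    """Extract attack id, source, destination and message from a log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not an attack log line: {line!r}")
    return m.groupdict()


class AlertQueue:
    def __init__(self, send):
        self.send = send                  # delivery callback, e.g. an SMTP sender
        self.pending = OrderedDict()      # key -> [first alert, suppressed copies]

    @staticmethod
    def key(alert: dict) -> tuple:
        # Two alerts are duplicates if they report the same attack between the
        # same hosts; the timestamp is deliberately not part of the key.
        return (alert["id"], alert["src"], alert["dst"])

    def submit(self, line: str) -> bool:
        """Send a new alert immediately; count a duplicate instead. True if sent."""
        alert = parse_attack(line)
        k = self.key(alert)
        if k in self.pending:
            self.pending[k][1] += 1
            return False
        self.pending[k] = [alert, 0]
        self.send(f"NIDS attack {alert['id']} {alert['src']} -> {alert['dst']}: "
                  f"{alert['msg']} http://www.fortinet.com/ids/ID{alert['id']}")
        return True

    def flush(self) -> list:
        """Report how many copies of each alert were suppressed, then empty the queue."""
        summaries = []
        for alert, copies in self.pending.values():
            if copies:
                s = (f"attack {alert['id']} {alert['src']} -> {alert['dst']} "
                     f"repeated {copies} more time(s)")
                self.send(s)
                summaries.append(s)
        self.pending.clear()
        return summaries


# Constructed sample: three hits on one host, one on a second host.
SAMPLE_LOG = [
    "2004-02-29 10:15:01 attack_id=101646338 src=10.1.1.5 dst=192.168.1.20 msg=ssh CRC32 overflow /bin/sh",
    "2004-02-29 10:15:02 attack_id=101646338 src=10.1.1.5 dst=192.168.1.20 msg=ssh CRC32 overflow /bin/sh",
    "2004-02-29 10:15:03 attack_id=101646338 src=10.1.1.5 dst=192.168.1.21 msg=ssh CRC32 overflow /bin/sh",
    "2004-02-29 10:15:09 attack_id=101646338 src=10.1.1.5 dst=192.168.1.20 msg=ssh CRC32 overflow /bin/sh",
]


def run(lines, send=print):
    """Feed lines through a queue; return (alerts sent, summaries from flush)."""
    q = AlertQueue(send)
    sent = sum(q.submit(line) for line in lines)
    return sent, q.flush()


if __name__ == "__main__":
    run(SAMPLE_LOG)
```

    The point of keying on attack, source and destination rather than on the whole line is that a scan of one host produces a single email plus a count, while the same attack against a second host is still reported immediately.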
  • Page 224 Logging attacks
  • Page 225: Antivirus Protection

    Antivirus protection: You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
  • Page 226: Antivirus Scanning

    Add this content profile to firewall policies to apply virus scanning to the traffic controlled by the firewall policy. Figure 34: Example content profile for virus scanning (the figure also lists compressed-file types such as cdimage, floppy image, .ace, .bzip2, .Tar+Gzip+Bzip2). See “Adding content profiles” on page 167 and “Adding content profiles to policies” on page 169.
  • Page 227: File Blocking

    Antivirus protection File blocking Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot detect it. You would not normally operate the FortiGate unit with blocking enabled.
  • Page 228: Blocking Oversized Files And Emails

    Select a content profile that has Pass Fragmented Emails enabled for the traffic that you want the FortiGate unit to scan.
  • Page 229: Viewing The Virus List

    Viewing the virus list: You can view the names of the viruses and worms in the current virus definition list. To view the virus list: Go to Anti-Virus > Config > Virus List. Scroll through the virus and worm list to view the names of all viruses and worms in the list.
  • Page 230 Viewing the virus list
  • Page 231: Web Filtering

    Web filtering: When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering: ...
  • Page 232: Content Blocking

    See “Recording logs” on page 251 and “Configuring alert email” on page 257. This section describes: Adding words and phrases to the Banned Word list; Clearing the Banned Word list; Backing up the Banned Word list; Restoring the Banned Word list.
  • Page 233: Clearing The Banned Word List

    Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked. Figure 35: Example banned word list. Clearing the Banned Word list: Go to Web Filter > Content Block. Select Clear List.
  • Page 234 Each line of the banned word list file holds a word or phrase, a status flag (0 = disabled, 1 = enabled) and a language code (in the order ASCII, Simplified Chinese, Traditional Chinese, Japanese, Korean). Example lines:
    banned 1 0
    banned+phrase+1 1 3
    "banned+phrase+2" 1 1
  • Page 235: Url Blocking

    URL blocking: You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering. Configuring FortiGate Web URL blocking: You can configure FortiGate Web URL blocking to block all pages on a website by adding the top-level URL or IP address.
  • Page 236: Uploading A Url Block List

    1 or no number when you upload the text file. Use Page Up and Page Down to navigate through the Web URL block list. Further controls remove all URLs and patterns from the Web URL block list, or enable all items in the list.
  • Page 237: Configuring Fortigate Web Pattern Blocking

    Figure 38: Example URL block list text file. You can either create the URL block list or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blacklist/ as a starting point for creating a URL block list.
  • Page 238: Configuring Cerberian Url Filtering

    Cerberian web filter. To add a Cerberian user: Go to Web Filter > URL Block. Select Cerberian URL Filtering. Select New. This section describes: Installing a Cerberian license key; Adding a Cerberian user; Configuring Cerberian web filter; Enabling Cerberian URL filtering.
  • Page 239: Configuring Cerberian Web Filter

    Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0. Enter an alias for the user.
  • Page 240: Script Filtering

    Select the script filter options that you want to enable. You can block Java applets, cookies, and ActiveX. Select Apply. Figure 39: Example script filter settings to block Java applets and ActiveX. This section describes: Enabling script filtering; Selecting script filter options.
  • Page 241: Exempt Url List

    Exempt URL list: Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website are blocked.
  • Page 242: Downloading The Url Exempt List

    FortiGate unit. In a text editor, create the list of URLs to exempt. Using the web-based manager, go to Web Filter > URL Exempt. Each line holds a URL or IP address followed by a status flag (0 = disabled, 1 = enabled). Example lines:
    www.goodsite.com 1
    www.goodsite.com/index 1
    127.33.44.55 1
  • Page 243 Select Upload URL Exempt List. Type the path and filename of your URL Exempt List text file, or select Browse and locate the file. Select OK to upload the file to the FortiGate unit. Select Return to display the updated URL Exempt List. You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary.
  • Page 244 Exempt URL list
  • Page 245: Email Filter

    Email filter: Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email: ...
  • Page 246: Email Banned Word List

    FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, “banned word”), the FortiGate unit tags all email in which the words are found together as a phrase.
  • Page 247: Downloading The Email Banned Word List

    Downloading the email banned word list: You can back up the banned word list by downloading it to a text file on the management computer. To download the banned word list: Go to Email Filter > Content Block. Select Download.
  • Page 248: Email Block List

    To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com. To tag email from an entire organization category, type the top-level domain name. For example, type com to tag email sent from all organizations that use .com as the top-level domain.
  • Page 249: Uploading An Email Block List

    Uploading an email block list: You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0) to disable the pattern.
  • Page 250: Adding Address Patterns To The Email Exempt List

    To exempt email sent from a specific subdomain, type the subdomain name. For example, mail.abccompany.com. To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
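    The web URL block and exempt lists (pages 235 to 243) and the email block and exempt lists (pages 248 to 250) share one upload format, so the following added example (not code from the manual or from Fortinet) covers both. It parses list files in the format the text gives (one pattern per line, optionally followed by a space and 1 to enable or 0 to disable, no number meaning enabled) and applies the matching rules the text describes: a URL entry covers every page on that site, or everything under a path such as www.goodsite.com/index; an email entry such as mail.abccompany.com or com covers that domain and everything below it; and an exempt entry takes precedence over a block entry. Exact host comparison for URLs, prefix matching on paths, and full-address patterns (containing @) for email are this example's own reading, not documented FortiGate behaviour. The sample lists are constructed for the example.

```python
"""Block and exempt list handling for web URLs and email senders.

Added example, not FortiGate code. List format from the manual: one pattern
per line, optionally followed by 1 (enabled) or 0 (disabled). Matching rules
for hosts, paths and full addresses are this example's interpretation.
"""
from urllib.parse import urlsplit


def parse_list(text: str) -> list:
    """Return [(pattern, enabled)] from an uploaded list file."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        enabled = len(parts) == 1 or parts[1] == "1"   # no number means enabled
        entries.append((parts[0].lower(), enabled))
    return entries


def url_matches(pattern: str, host: str, path: str) -> bool:
    """Same host as the pattern and, if the pattern has a path, that path as prefix."""
    p_host, _, p_path = pattern.partition("/")
    return host == p_host and (not p_path or path.startswith("/" + p_path))


def check_url(url: str, block: list, exempt: list) -> str:
    """'exempt', 'blocked' or 'allowed'; exempt entries win over block entries."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname or "", parts.path or "/"

    def hit(entries):
        return any(en and url_matches(p, host, path) for p, en in entries)

    if hit(exempt):
        return "exempt"
    return "blocked" if hit(block) else "allowed"


def sender_matches(pattern: str, address: str) -> bool:
    """Full-address pattern matches exactly; a domain pattern covers its subdomains too."""
    address = address.lower()
    if "@" in pattern:
        return address == pattern
    domain = address.rsplit("@", 1)[-1]
    return domain == pattern or domain.endswith("." + pattern)


def check_sender(address: str, block: list, exempt: list) -> str:
    """'exempt', 'tagged' or 'clean'; exempt entries win over block entries."""
    def hit(entries):
        return any(en and sender_matches(p, address) for p, en in entries)

    if hit(exempt):
        return "exempt"
    return "tagged" if hit(block) else "clean"


# Constructed sample lists in the upload format.
URL_BLOCK = "www.badsite.com 1\n10.20.30.40\nwww.goodsite.com 1\nwww.oldsite.com 0\n"
URL_EXEMPT = "www.goodsite.com/index 1\n127.33.44.55 1\n"
MAIL_BLOCK = "mail.abccompany.com 1\ncom 1\nspam.example.net 0\n"
MAIL_EXEMPT = "partner.com 1\nceo@abccompany.com 1\n"

if __name__ == "__main__":
    ub, ue = parse_list(URL_BLOCK), parse_list(URL_EXEMPT)
    mb, me = parse_list(MAIL_BLOCK), parse_list(MAIL_EXEMPT)
    for u in ("http://www.badsite.com/any/page.html", "www.goodsite.com/index.html",
              "http://www.goodsite.com/news", "http://www.oldsite.com/"):
        print(u, "->", check_url(u, ub, ue))
    for a in ("user@mail.abccompany.com", "alice@partner.com", "bob@example.org"):
        print(a, "->", check_sender(a, mb, me))
```

    Note how broad a top-level pattern such as com is: it tags every sender under .com, so the exempt list carries the real policy and must be maintained with the same care as the block list.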
  • Page 251: Logging And Reporting

    Logging and reporting: You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
  • Page 252: Recording Logs On A Netiq Webtrends Server

    For each Log type, select the activities for which you want the FortiGate unit to record log messages. See “Log message levels” on page 253, “Filtering log messages” on page 253, and “Configuring traffic logging” on page 254.
  • Page 253: Log Message Levels

    Log message levels (Table 23: FortiGate log message levels): 0 - Emergency; 1 - Alert; 2 - Critical; 3 - Error; 4 - Warning; 5 - Notice; 6 - Information. Filtering log messages: You can configure the logs that you want to record and the message categories that you want to record in each log.
  • Page 254: Configuring Traffic Logging

    The traffic filter list displays the name, source address and destination address, and the protocol type of the traffic to be filtered. Traffic logging can be enabled for an interface or for a firewall policy. Display options resolve IP addresses to host names and display the port number or service.
  • Page 255: Enabling Traffic Logging

    Enabling traffic logging: You can enable logging on any interface and firewall policy. Enabling traffic logging for an interface: If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log.
  • Page 256: Adding Traffic Filter Entries

    FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network. Select the service group or individual service for which you want the FortiGate unit to log traffic messages. See “Enabling traffic logging” on page 255.
  • Page 257: Configuring Alert Email

    Figure 46: Example new traffic address entry. Configuring alert email: You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewall or VPN events or violations.
  • Page 258: Testing Alert Email

    AutoIKE Key VPN tunnels. Select Send alert email when disk is full to have the FortiGate unit send an alert email when the hard disk is almost full. Select Apply.
  • Page 259: Glossary

    Glossary. Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
  • Page 260 SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
  • Page 261 SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong authentication and encrypted communications over insecure channels. Subnet: A portion of a network that shares a common address component.
  • Page 262 Glossary
  • Page 263: Index

    Index: accept policy 141 action policy option 141 ActiveX 240 removing from web pages 240 address 146 adding 147 editing 148 group 148 IP/MAC binding 165 virtual IP 157 address group 148 example 149 address name 147 addressing mode DHCP 95...
  • Page 264 IP list 107 dialup account connecting the modem 109 dialup L2TP configuring Windows 2000 client 211 configuring Windows XP client 213 dialup PPTP configuring Windows 2000 client 207 configuring Windows 98 client 206 configuring Windows XP client 207
  • Page 265 IP address SNMP 127 fixed port 142 FortiCare service contracts 84 support contract number 88 Fortinet customer service 16 Fortinet support recovering a lost password 86 FortiResponse Distribution Network 74 connecting to 74 FortiResponse Distribution Server 74...
  • Page 266 LDAP example configuration 176 LDAP server adding server address 175 deleting 176 lease duration DHCP 22, 106 log message levels 253 log setting filtering log entries 76, 253 traffic filter 255 Log Traffic firewall policy 144 policy 144
  • Page 267 logging 251 attack log 253 configuring traffic settings 255 connections to an interface 98 email filter log 253 enabling alert email 258 event log 253 filtering log messages 253 log to remote host 251 log to WebTrends 252 message levels 253 recording 251 selecting what to log 253 traffic log 253...
  • Page 268 Index password adding 172 changing administrator account 125 Fortinet support 89 recovering a lost Fortinet support 86 PAT 159 pattern web pattern blocking 237 permission administrator account 125 ping server adding to an interface 97 policy accept 141 Anti-Virus & Web filter 143...
  • Page 269 restarting 66 restoring system settings 64 restoring system settings to factory default 65 reverting firmware to an older version 59 configuring 113 filters 117 interface configuration 115 settings 113 registering a FortiGate unit 91 route adding default 100 adding to routing table 101 adding to routing table (Transparent mode) 102 destination 101 device 101...
  • Page 270 URL list 241, 250 adding to URL block list 237, 248 blocking access 235, 248 URL block list adding URL 237, 248 clearing 236 downloading 233, 236, 242, 248 uploading 233, 236, 242, 249 URL block message 232
  • Page 271 URL blocking 235 exempt URL list 241, 249 web pattern blocking 237 URL exempt list see also exempt URL list 241, 249 use selectors from policy quick mode identifier 189 use wildcard selectors quick mode identifier 189 user authentication 171 user groups configuring 177 deleting 178...
  • Page 272 Index
