Fortinet FortiGate-800 Bedienungsanleitung

FortiGate 800Installation andConfiguration GuideEsc EnterCONSOLEINTERNAL EXTERNAL DMZ HA 1234 USB8PWRFortiGate User Manual Volume 1Version 2.50January

Contents10 Fortinet Inc.IPSec VPN... 231Key

100 Fortinet Inc.Changing the FortiGate firmware System status5 To confirm that the FortiGate unit can connect to the TFTP server, use the following c

System status Changing the FortiGate firmwareFortiGate-800 Installation and Configuration Guide 10111 Enter the firmware image filename and press En

102 Fortinet Inc.Changing the FortiGate firmware System statusTo run this procedure you:• access the CLI by connecting to the FortiGate console port u

System status Changing the FortiGate firmwareFortiGate-800 Installation and Configuration Guide 1039 Type the address of the TFTP server and press E

104 Fortinet Inc.Changing the FortiGate firmware System statusTo install a backup firmware image1 Connect to the CLI using the null-modem cable and Fo

System status Changing the FortiGate firmwareFortiGate-800 Installation and Configuration Guide 105Switching to the backup firmware imageUse this pr

106 Fortinet Inc.Manual virus definition updates System statusSwitching back to the default firmware imageUse this procedure to switch the FortiGate u

System status Manual attack definition updatesFortiGate-800 Installation and Configuration Guide 1074 Type the path and filename for the antivirus d

108 Fortinet Inc.Displaying the FortiGate up time System statusDisplaying the FortiGate up time1 Go to System > Status.The FortiGate up time displa

System status Restoring system settings to factory defaultsFortiGate-800 Installation and Configuration Guide 109Restoring system settings to factor

ContentsFortiGate-800 Installation and Configuration Guide 11Network Intrusion Detection System (NIDS) ...

110 Fortinet Inc.Changing to NAT/Route mode System statusChanging to NAT/Route modeUse the following procedure to change the FortiGate unit from Trans

System status System statusFortiGate-800 Installation and Configuration Guide 111System statusYou can use the system status monitor to display Forti

112 Fortinet Inc.System status System statusFigure 19: CPU and memory status monitorViewing sessions and network statusUse the session and network sta

System status System statusFortiGate-800 Installation and Configuration Guide 1134 Select Refresh to manually update the information displayed.Figur

114 Fortinet Inc.Session list System statusFigure 21: Sessions and network status monitorSession listThe session list displays information about the c

System status Session listFortiGate-800 Installation and Configuration Guide 115Each line of the session list displays the following information.Fig

116 Fortinet Inc.Session list System status

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 117Virus and attack definitions upd

118 Fortinet Inc.Updating antivirus and attack definitions Virus and attack definitions updates and registrationThe Update page on the web-based manag

Virus and attack definitions updates and registration Updating antivirus and attack definitionsFortiGate-800 Installation and Configuration Guide 11

Contents12 Fortinet Inc.URL blocking...

120 Fortinet Inc.Scheduling updates Virus and attack definitions updates and registrationConfiguring update loggingUse the following procedure to conf

Virus and attack definitions updates and registration Scheduling updatesFortiGate-800 Installation and Configuration Guide 1214 Select Apply.The For

122 Fortinet Inc.Enabling push updates Virus and attack definitions updates and registrationEnabling scheduled updates through a proxy serverIf your F

Virus and attack definitions updates and registration Enabling push updatesFortiGate-800 Installation and Configuration Guide 123When the network co

124 Fortinet Inc.Enabling push updates Virus and attack definitions updates and registrationEnabling push updates through a NAT deviceIf the FDN can c

Virus and attack definitions updates and registration Enabling push updatesFortiGate-800 Installation and Configuration Guide 125Figure 24: Example

126 Fortinet Inc.Enabling push updates Virus and attack definitions updates and registrationAdding a port forwarding virtual IP to the FortiGate NAT d

Virus and attack definitions updates and registration Enabling push updatesFortiGate-800 Installation and Configuration Guide 127Figure 25: Push upd

128 Fortinet Inc.Registering FortiGate units Virus and attack definitions updates and registration4 Set IP to the external IP address added to the vir

Virus and attack definitions updates and registration Registering FortiGate unitsFortiGate-800 Installation and Configuration Guide 129All registrati

ContentsFortiGate-800 Installation and Configuration Guide 13Viewing logs saved to memory ...

130 Fortinet Inc.Registering FortiGate units Virus and attack definitions updates and registrationRegistering the FortiGate unitBefore registering a F

Virus and attack definitions updates and registration Updating registration informationFortiGate-800 Installation and Configuration Guide 1314 Selec

132 Fortinet Inc.Updating registration information Virus and attack definitions updates and registrationRecovering a lost Fortinet support passwordIf

Virus and attack definitions updates and registration Updating registration informationFortiGate-800 Installation and Configuration Guide 133Figure

134 Fortinet Inc.Updating registration information Virus and attack definitions updates and registration6 Select the Serial Number of the FortiGate un

Virus and attack definitions updates and registration Updating registration informationFortiGate-800 Installation and Configuration Guide 135Downloa

136 Fortinet Inc.Registering a FortiGate unit after an RMA Virus and attack definitions updates and registrationRegistering a FortiGate unit after an

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 137Network configurationYou can use

138 Fortinet Inc.Configuring interfaces Network configurationAdding zonesThe new zone does not appear in the policy grid until you add an interface to

Network configuration Configuring interfacesFortiGate-800 Installation and Configuration Guide 139Viewing the interface listTo view the interface li

Contents14 Fortinet Inc.

140 Fortinet Inc.Configuring interfaces Network configurationTo add an interface to a zone1 Go to System > Network > Interface.2 Choose the inte

Network configuration Configuring interfacesFortiGate-800 Installation and Configuration Guide 1414 Clear the Retrieve default gateway and DNS from

142 Fortinet Inc.Configuring interfaces Network configuration7 Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interfac

Network configuration Configuring interfacesFortiGate-800 Installation and Configuration Guide 143Controlling administrative access to an interfaceF

144 Fortinet Inc.Configuring interfaces Network configurationChanging the MTU size to improve network performanceTo improve network performance, you c

Network configuration VLAN overviewFortiGate-800 Installation and Configuration Guide 145• Enable secure administrative access to this interface usi

146 Fortinet Inc.VLANs in NAT/Route mode Network configurationIn a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 route

Network configuration Virtual domains in Transparent modeFortiGate-800 Installation and Configuration Guide 147Adding VLAN subinterfacesThe VLAN ID

148 Fortinet Inc.Virtual domains in Transparent mode Network configurationTo support VLANs in Transparent mode, you add virtual domains to the FortiGa

Network configuration Virtual domains in Transparent modeFortiGate-800 Installation and Configuration Guide 149Virtual domain propertiesA virtual do

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 15IntroductionFortiGate Antivirus F

150 Fortinet Inc.Virtual domains in Transparent mode Network configurationAdding VLAN subinterfaces to a virtual domainUse the following procedure to

Network configuration Virtual domains in Transparent modeFortiGate-800 Installation and Configuration Guide 151Figure 32: FortiGate unit containing

152 Fortinet Inc.Virtual domains in Transparent mode Network configurationAdding firewall policies for virtual domainsOnce the network configuration f

Network configuration Adding DNS server IP addressesFortiGate-800 Installation and Configuration Guide 153Deleting virtual domains You must remove a

154 Fortinet Inc.Configuring routing Network configurationAdding a default routeYou can add a default route for network traffic leaving the external i

Network configuration Configuring routingFortiGate-800 Installation and Configuration Guide 1556 Set Device #1 to the FortiGate interface or VLAN su

156 Fortinet Inc.Configuring routing Network configuration5 Select OK to save the new route.6 Repeat steps 1 to 5 to add more routes as required.Confi

Network configuration Configuring DHCP servicesFortiGate-800 Installation and Configuration Guide 157Using policy routing you can build a routing po

158 Fortinet Inc.Configuring DHCP services Network configurationConfiguring a DHCP relay agentIn a DHCP relay configuration, the FortiGate unit forwar

Network configuration Configuring DHCP servicesFortiGate-800 Installation and Configuration Guide 159You can add multiple scopes to an interface so

16 Fortinet Inc.Antivirus protection IntroductionAntivirus protectionFortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FT

160 Fortinet Inc.Configuring DHCP services Network configurationAdding a reserve IP to a DHCP serverIf you have configured an interface as a DHCP serv

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 161RIP configurationThe FortiGate i

162 Fortinet Inc.RIP settings RIP configuration5 Change the following RIP timer settings, as required.RIP timer defaults are effective in most configu

RIP configuration Configuring RIP for FortiGate interfacesFortiGate-800 Installation and Configuration Guide 163Figure 34: Configuring RIP settingsC

164 Fortinet Inc.Configuring RIP for FortiGate interfaces RIP configuration4 Select OK to save the RIP configuration for the selected interface.Figure

RIP configuration Adding RIP filtersFortiGate-800 Installation and Configuration Guide 165Adding RIP filtersUse the Filter page to create RIP filter

166 Fortinet Inc.Adding RIP filters RIP configuration3 For Filter Name, type a name for the RIP filter list.The name can be 15 characters long and can

RIP configuration Adding RIP filtersFortiGate-800 Installation and Configuration Guide 167Assigning a RIP filter list to the outgoing filterThe outg

168 Fortinet Inc.Adding RIP filters RIP configuration

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 169System configurationUse the Syst

Introduction Email filteringFortiGate-800 Installation and Configuration Guide 17Email filteringFortiGate email filtering can scan all IMAP and POP3

170 Fortinet Inc.Changing system options System configuration9 Select Apply.Figure 36: Example date and time settingChanging system optionsOn the Syst

System configuration Changing system optionsFortiGate-800 Installation and Configuration Guide 1713 Select Apply.Auth Timeout controls the amount of

172 Fortinet Inc.Adding and editing administrator accounts System configurationAdding and editing administrator accountsWhen the FortiGate unit is ini

System configuration Configuring SNMPFortiGate-800 Installation and Configuration Guide 173Editing administrator accountsThe admin account user can

174 Fortinet Inc.Configuring SNMP System configurationRFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB

System configuration Configuring SNMPFortiGate-800 Installation and Configuration Guide 175To configure SNMP community settings1 Go to System > C

176 Fortinet Inc.Configuring SNMP System configurationFigure 37: Sample SNMP configurationFortiGate MIBsThe FortiGate SNMP agent supports FortiGate pr

System configuration Configuring SNMPFortiGate-800 Installation and Configuration Guide 177FortiGate trapsThe FortiGate agent can send traps to up t

178 Fortinet Inc.Configuring SNMP System configurationVPN trapsNIDS trapsAntivirus trapsLogging trapsTable 23: FortiGate VPN trapsTrap message Descrip

System configuration Configuring SNMPFortiGate-800 Installation and Configuration Guide 179Fortinet MIB fieldsThe Fortinet MIB contains fields for c

18 Fortinet Inc.VLANs and virtual domains IntroductionNAT/Route modeIn NAT/Route mode, you can create NAT mode policies and Route mode policies.• NAT

180 Fortinet Inc.Configuring SNMP System configurationUsers and authentication configurationVPN configuration and statusNIDS configurationAntivirus co

System configuration Replacement messagesFortiGate-800 Installation and Configuration Guide 181Logging and reporting configurationReplacement messag

182 Fortinet Inc.Replacement messages System configurationCustomizing replacement messagesEach of the replacement messages in the replacement message

System configuration Replacement messagesFortiGate-800 Installation and Configuration Guide 183Customizing alert emailsCustomize alert emails to con

184 Fortinet Inc.Replacement messages System configuration%%SOURCE_IP%% The IP address from which the block file was received. For email this is the I

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 185Firewall configurationFirewall p

186 Fortinet Inc.Default firewall configuration Firewall configurationThis chapter describes:• Default firewall configuration• Adding firewall policie

Firewall configuration Default firewall configurationFortiGate-800 Installation and Configuration Guide 187InterfacesAdd policies to control connect

188 Fortinet Inc.Default firewall configuration Firewall configurationAddressesTo add policies between interfaces, VLAN subinterfaces, and zones, the

Firewall configuration Adding firewall policiesFortiGate-800 Installation and Configuration Guide 189Content profilesAdd content profiles to policie

Introduction VPNFortiGate-800 Installation and Configuration Guide 19VPNUsing FortiGate virtual private networking (VPN), you can provide a secure c

190 Fortinet Inc.Adding firewall policies Firewall configurationFigure 40: Adding a NAT/Route policyFirewall policy optionsThis section describes the

Firewall configuration Adding firewall policiesFortiGate-800 Installation and Configuration Guide 191DestinationSelect an address or address group t

192 Fortinet Inc.Adding firewall policies Firewall configurationNATConfigure the policy for NAT. NAT translates the source address and the source port

Firewall configuration Adding firewall policiesFortiGate-800 Installation and Configuration Guide 193AuthenticationSelect Authentication and select

194 Fortinet Inc.Adding firewall policies Firewall configurationFigure 41: Adding a Transparent mode policyLog TrafficSelect Log Traffic to write mess

Firewall configuration Configuring policy listsFortiGate-800 Installation and Configuration Guide 195Configuring policy listsThe firewall matches po

196 Fortinet Inc.Configuring policy lists Firewall configurationChanging the order of policies in a policy listTo change the order of a policy in a po

Firewall configuration AddressesFortiGate-800 Installation and Configuration Guide 197AddressesAll policies require source and destination addresses

198 Fortinet Inc.Addresses Firewall configuration6 Enter the Netmask.The netmask corresponds to the type of address that you are adding. For example:•

Firewall configuration AddressesFortiGate-800 Installation and Configuration Guide 199Deleting addressesDeleting an address removes it from an addre

© Copyright 2004 Fortinet Inc. All rights reserved.No part of this publication including text, examples, diagrams or illustrations may be reproduced,t

20 Fortinet Inc.Secure installation, configuration, and management IntroductionSecure installation, configuration, and managementThe first time you po

200 Fortinet Inc.Services Firewall configurationFigure 43: Adding an internal address groupServicesUse services to determine the types of communicatio

Firewall configuration ServicesFortiGate-800 Installation and Configuration Guide 201GRE Generic Routing Encapsulation. A protocol that allows an ar

202 Fortinet Inc.Services Firewall configurationLDAP Lightweight Directory Access Protocol is a set of protocols used to access information directorie

Firewall configuration ServicesFortiGate-800 Installation and Configuration Guide 203Adding custom TCP and UDP servicesAdd a custom TCP or UDP servi

204 Fortinet Inc.Services Firewall configurationAdding custom ICMP servicesAdd a custom ICMP service if you need to create a policy for a service that

Firewall configuration SchedulesFortiGate-800 Installation and Configuration Guide 2053 Type a Group Name to identify the group. This name appears i

206 Fortinet Inc.Schedules Firewall configurationCreating one-time schedulesYou can create a one-time schedule that activates or deactivates a policy

Firewall configuration SchedulesFortiGate-800 Installation and Configuration Guide 207Creating recurring schedulesYou can create a recurring schedul

208 Fortinet Inc.Virtual IPs Firewall configurationAdding schedules to policiesAfter you create schedules, you can add them to policies to schedule wh

Firewall configuration Virtual IPsFortiGate-800 Installation and Configuration Guide 209This section describes:• Adding static NAT virtual IPs• Addi

Introduction Secure installation, configuration, and managementFortiGate-800 Installation and Configuration Guide 21Command line interfaceYou can acc

210 Fortinet Inc.Virtual IPs Firewall configuration7 In Map to IP, type the real IP address on the destination network, for example, the IP address of

Firewall configuration Virtual IPsFortiGate-800 Installation and Configuration Guide 2116 Enter the External IP Address that you want to map to an a

212 Fortinet Inc.Virtual IPs Firewall configurationFigure 48: Adding a port forwarding virtual IPAdding policies with virtual IPsUse the following pro

Firewall configuration IP poolsFortiGate-800 Installation and Configuration Guide 2134 Select OK to save the policy.IP poolsAn IP pool (also called

214 Fortinet Inc.IP/MAC binding Firewall configurationFigure 49: Adding an IP PoolIP Pools for firewall policies that use fixed portsSome network conf

Firewall configuration IP/MAC bindingFortiGate-800 Installation and Configuration Guide 215You can enter the static IP addresses and corresponding M

216 Fortinet Inc.IP/MAC binding Firewall configurationFor example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC bindi

Firewall configuration IP/MAC bindingFortiGate-800 Installation and Configuration Guide 2173 Enter the IP Address and the MAC Address.You can bind m

218 Fortinet Inc.Content profiles Firewall configurationFigure 50: IP/MAC settingsContent profilesUse content profiles to apply different protection s

Firewall configuration Content profilesFortiGate-800 Installation and Configuration Guide 219Default content profilesThe FortiGate unit has the foll

22 Fortinet Inc.Document conventions IntroductionDocument conventionsThis guide uses the following conventions to describe CLI command syntax.• angle

220 Fortinet Inc.Content profiles Firewall configuration6 Enable the email filter protection options that you want.7 Enable the fragmented email and o

Firewall configuration Content profilesFortiGate-800 Installation and Configuration Guide 221Adding content profiles to policiesYou can add content

222 Fortinet Inc.Content profiles Firewall configuration

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 223Users and authenticationFortiGat

224 Fortinet Inc.Setting authentication timeout Users and authenticationThis chapter describes:• Setting authentication timeout• Adding user names and

Users and authentication Adding user names and configuring authenticationFortiGate-800 Installation and Configuration Guide 2255 Select the Try othe

226 Fortinet Inc.Configuring RADIUS support Users and authenticationConfiguring RADIUS supportIf you have configured RADIUS support and a user is requ

Users and authentication Configuring LDAP supportFortiGate-800 Installation and Configuration Guide 227Configuring LDAP supportIf you have configure

228 Fortinet Inc.Configuring LDAP support Users and authentication7 Enter the distinguished name used to look up entries on the LDAP server.Enter the

Users and authentication Configuring user groupsFortiGate-800 Installation and Configuration Guide 229Configuring user groupsTo enable authenticatio

Introduction Customer service and technical supportFortiGate-800 Installation and Configuration Guide 23• Volume 4: FortiGate NIDS GuideDescribes ho

230 Fortinet Inc.Configuring user groups Users and authenticationFigure 55: Adding a user group3 Enter a Group Name to identify the user group.The nam

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 231IPSec VPNA Virtual Private Netwo

232 Fortinet Inc.Key management IPSec VPNKey managementThere are three basic elements in any encryption system:• an algorithm that changes information

IPSec VPN Manual key IPSec VPNsFortiGate-800 Installation and Configuration Guide 233In some respects, certificates are simpler to manage than manua

234 Fortinet Inc.Manual key IPSec VPNs IPSec VPN5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight dig

IPSec VPN AutoIKE IPSec VPNsFortiGate-800 Installation and Configuration Guide 235AutoIKE IPSec VPNsFortiGate units support two methods of Automatic

236 Fortinet Inc.AutoIKE IPSec VPNs IPSec VPN3 Type a Gateway Name for the remote VPN peer.The remote VPN peer can be either a gateway to another netw

IPSec VPN AutoIKE IPSec VPNsFortiGate-800 Installation and Configuration Guide 23710 Configure the Local ID the that the FortiGate unit sends to the

238 Fortinet Inc.AutoIKE IPSec VPNs IPSec VPN4 Optionally, configure NAT Traversal.5 Optionally, configure Dead Peer Detection.Use these settings to m

IPSec VPN AutoIKE IPSec VPNsFortiGate-800 Installation and Configuration Guide 239Figure 56: Adding a phase 1 configuration (Standard options)Figure

24 Fortinet Inc.Customer service and technical support Introduction

240 Fortinet Inc.AutoIKE IPSec VPNs IPSec VPNAdding a phase 2 configuration for an AutoIKE VPNAdd a phase 2 configuration to specify the parameters us

IPSec VPN AutoIKE IPSec VPNsFortiGate-800 Installation and Configuration Guide 24110 Enable Autokey Keep Alive if you want to keep the VPN tunnel ru

242 Fortinet Inc.Managing digital certificates IPSec VPNManaging digital certificatesUse digital certificates to make sure that both participants in a

IPSec VPN Managing digital certificatesFortiGate-800 Installation and Configuration Guide 2436 Configure the key.7 Select OK to generate the private

244 Fortinet Inc.Managing digital certificates IPSec VPNDownloading the certificate requestUse the following procedure to download a certificate reque

IPSec VPN Configuring encrypt policiesFortiGate-800 Installation and Configuration Guide 245Obtaining CA certificatesFor the VPN peers to authentica

246 Fortinet Inc.Configuring encrypt policies IPSec VPNIn addition to defining membership in the VPN by address, you can configure the encrypt policy

IPSec VPN Configuring encrypt policiesFortiGate-800 Installation and Configuration Guide 247Adding a destination addressThe destination address can

248 Fortinet Inc.Configuring encrypt policies IPSec VPNFor information about configuring the remaining policy settings, see “Adding firewall policies”

IPSec VPN IPSec VPN concentratorsFortiGate-800 Installation and Configuration Guide 249Figure 60: Adding an encrypt policyIPSec VPN concentrators In

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 25Getting startedThis chapter descr

250 Fortinet Inc.IPSec VPN concentrators IPSec VPNIf the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the

IPSec VPN IPSec VPN concentratorsFortiGate-800 Installation and Configuration Guide 251See “Adding an encrypt policy” on page 247.5 Arrange the poli

252 Fortinet Inc.IPSec VPN concentrators IPSec VPNVPN spoke general configuration stepsA remote VPN peer that functions as a spoke requires the follow

IPSec VPN Redundant IPSec VPNsFortiGate-800 Installation and Configuration Guide 253See “Adding an encrypt policy” on page 247.6 Arrange the policie

254 Fortinet Inc.Redundant IPSec VPNs IPSec VPNConfiguring redundant IPSec VPNsPrior to configuring the VPN, make sure that both FortiGate units have

IPSec VPN Monitoring and Troubleshooting VPNsFortiGate-800 Installation and Configuration Guide 255Monitoring and Troubleshooting VPNs• Viewing VPN

256 Fortinet Inc.Monitoring and Troubleshooting VPNs IPSec VPNFigure 63: Dialup MonitorTesting a VPNTo confirm that a VPN between two networks has bee

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 257PPTP and L2TP VPNYou can use PPT

258 Fortinet Inc.Configuring PPTP PPTP and L2TP VPNConfiguring the FortiGate unit as a PPTP gatewayUse the following procedures to configure the Forti

PPTP and L2TP VPN Configuring PPTPFortiGate-800 Installation and Configuration Guide 2593 Select New to add an address.4 Enter the Address Name, IP

26 Fortinet Inc.Package contents Getting startedPackage contentsThe FortiGate-800 package contains the following items:• FortiGate-800 Antivirus Firew

260 Fortinet Inc.Configuring PPTP PPTP and L2TP VPN6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can

PPTP and L2TP VPN Configuring PPTPFortiGate-800 Installation and Configuration Guide 261To connect to the PPTP VPN1 Start the dialup connection that

262 Fortinet Inc.Configuring PPTP PPTP and L2TP VPN5 Name the connection and select Next. 6 If the Public Network dialog box appears, choose the appro

PPTP and L2TP VPN Configuring L2TPFortiGate-800 Installation and Configuration Guide 263Configuring L2TPSome implementations of L2TP support element

264 Fortinet Inc.Configuring L2TP PPTP and L2TP VPNFigure 65: Sample L2TP address range configurationTo add source addressesAdd a source address for e

PPTP and L2TP VPN Configuring L2TPFortiGate-800 Installation and Configuration Guide 2656 Select OK to add the address group.To add a destination ad

266 Fortinet Inc.Configuring L2TP PPTP and L2TP VPN7 In the Connect window, select Properties.8 Select the Security tab.9 Make sure that Require data

PPTP and L2TP VPN Configuring L2TPFortiGate-800 Installation and Configuration Guide 2674 In the connect window, enter the User Name and Password th

268 Fortinet Inc.Configuring L2TP PPTP and L2TP VPNTo disable IPSec1 Select the Networking tab.2 Select Internet Protocol (TCP/IP) properties.3 Double

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 269Network Intrusion Detection Syst

Getting started Powering onFortiGate-800 Installation and Configuration Guide 27Power requirements• Power dissipation: 300 W (max)• AC input voltage

270 Fortinet Inc.Detecting attacks Network Intrusion Detection System (NIDS)Selecting the interfaces to monitorTo select the interfaces to monitor for

Network Intrusion Detection System (NIDS) Detecting attacksFortiGate-800 Installation and Configuration Guide 271Viewing the signature listYou can d

272 Fortinet Inc.Detecting attacks Network Intrusion Detection System (NIDS)Figure 67: Example signature group members listDisabling NIDS attack signa

Network Intrusion Detection System (NIDS) Detecting attacksFortiGate-800 Installation and Configuration Guide 273To add user-defined signatures1 Go

274 Fortinet Inc.Preventing attacks Network Intrusion Detection System (NIDS)Preventing attacksNIDS attack prevention protects the FortiGate unit and

Network Intrusion Detection System (NIDS) Preventing attacksFortiGate-800 Installation and Configuration Guide 275Setting signature threshold values

276 Fortinet Inc.Logging attacks Network Intrusion Detection System (NIDS)To set Prevention signature threshold values1 Go to NIDS > Prevention.2 S

Network Intrusion Detection System (NIDS) Logging attacksFortiGate-800 Installation and Configuration Guide 277The FortiGate unit uses an alert emai

278 Fortinet Inc.Logging attacks Network Intrusion Detection System (NIDS)

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 279Antivirus protectionYou can enab

28 Fortinet Inc.Connecting to the web-based manager Getting startedConnecting to the web-based managerUse the following procedure to connect to the we

280 Fortinet Inc.Antivirus scanning Antivirus protection6 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected fi

Antivirus protection File blockingFortiGate-800 Installation and Configuration Guide 281Figure 69: Example content profile for virus scanningFile bl

282 Fortinet Inc.File blocking Antivirus protectionBy default, when blocking is enabled, the FortiGate unit blocks the following file patterns:• execu

Antivirus protection QuarantineFortiGate-800 Installation and Configuration Guide 283QuarantineFortiGate units with a hard disk can quarantine block

284 Fortinet Inc.Quarantine Antivirus protection5 Add this content profile to firewall policies.See “Adding content profiles to policies” on page 221.

Antivirus protection QuarantineFortiGate-800 Installation and Configuration Guide 285Filtering the quarantine listYou can filter the quarantine list

286 Fortinet Inc.Blocking oversized files and emails Antivirus protection3 Type the Age Limit (TTL) in hours to specify how long files are left in qua

Antivirus protection Exempting fragmented email from blockingFortiGate-800 Installation and Configuration Guide 287Exempting fragmented email from b

288 Fortinet Inc.Viewing the virus list Antivirus protection

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 289Web filteringWhen you enable Ant

Getting started Connecting to the command line interface (CLI)FortiGate-800 Installation and Configuration Guide 29Connecting to the command line in

290 Fortinet Inc.Content blocking Web filtering3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP

Web filtering Content blockingFortiGate-800 Installation and Configuration Guide 2914 Type a banned word or phrase.If you type a single word (for ex

292 Fortinet Inc.Content blocking Web filteringBacking up the Banned Word listYou can back up the banned word list by downloading it to a text file on

Web filtering URL blockingFortiGate-800 Installation and Configuration Guide 2935 Select Return to display the updated Banned Word List.6 You can co

294 Fortinet Inc.URL blocking Web filtering4 Ensure that the Enable checkbox has been selected and then select OK.5 Select OK to add the URL to the We

Web filtering URL blockingFortiGate-800 Installation and Configuration Guide 295Downloading the Web URL block listYou can back up the Web URL block

296 Fortinet Inc.Configuring Cerberian URL filtering Web filtering8 You can continue to maintain the Web URL block list by making changes to the text

Web filtering Configuring Cerberian URL filteringFortiGate-800 Installation and Configuration Guide 297Installing a Cerberian license keyBefore you

298 Fortinet Inc.Configuring Cerberian URL filtering Web filteringYou can add users to the default group and apply any policies to the group.Use the d

Web filtering Script filteringFortiGate-800 Installation and Configuration Guide 299Script filteringYou can configure the FortiGate unit to remove J

ContentsFortiGate-800 Installation and Configuration Guide 3Table of ContentsIntroduction ...

30 Fortinet Inc.Factory default FortiGate configuration settings Getting startedFactory default FortiGate configuration settingsThe FortiGate unit is

300 Fortinet Inc.Exempt URL list Web filteringExempt URL listAdd URLs to the exempt URL list to allow legitimate traffic that might otherwise be block

Web filtering Exempt URL listFortiGate-800 Installation and Configuration Guide 301Figure 75: Example URL Exempt listDownloading the URL Exempt List

302 Fortinet Inc.Exempt URL list Web filtering3 Select Upload URL Exempt List .4 Type the path and filename of your URL Exempt List text file, or sel

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 303Email filterEmail filtering is e

304 Fortinet Inc.Email banned word list Email filterEmail banned word listWhen the FortiGate unit detects an email that contains a word or phrase in t

Email filter Email banned word listFortiGate-800 Installation and Configuration Guide 305Downloading the email banned word listYou can back up the b

306 Fortinet Inc.Email block list Email filterEmail block listYou can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from

Email filter Email exempt listFortiGate-800 Installation and Configuration Guide 307Uploading an email block listYou can create a email block list i

308 Fortinet Inc.Adding a subject tag Email filterAdding address patterns to the email exempt listTo add an address pattern to the email exempt list1

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 309Logging and reportingYou can con

Getting started Factory default FortiGate configuration settingsFortiGate-800 Installation and Configuration Guide 31Factory default Transparent mod

310 Fortinet Inc.Recording logs Logging and reportingRecording logs on a remote computerYou can configure the FortiGate unit to record log messages on

Logging and reporting Recording logsFortiGate-800 Installation and Configuration Guide 3115 Select Config Policy.To configure the FortiGate unit to

312 Fortinet Inc.Recording logs Logging and reportingRecording logs in system memoryIf your FortiGate unit does not contain a hard disk, you can confi

Logging and reporting Filtering log messagesFortiGate-800 Installation and Configuration Guide 313Filtering log messagesYou can configure the logs t

314 Fortinet Inc.Configuring traffic logging Logging and reportingFigure 79: Example log filter configurationConfiguring traffic loggingYou can config

Logging and reporting Configuring traffic loggingFortiGate-800 Installation and Configuration Guide 315Enabling traffic loggingYou can enable loggin

316 Fortinet Inc.Configuring traffic logging Logging and reportingConfiguring traffic filter settingsYou can configure the information recorded in all

Logging and reporting Viewing logs saved to memoryFortiGate-800 Installation and Configuration Guide 3174 Select OK.The traffic filter list displays

318 Fortinet Inc.Viewing and managing logs saved to the hard disk Logging and reporting4 To view a specific line in the log, type a line number in the

Logging and reporting Viewing and managing logs saved to the hard diskFortiGate-800 Installation and Configuration Guide 319Viewing logsLog messages

32 Fortinet Inc.Factory default FortiGate configuration settings Getting startedFactory default firewall configurationThe factory default firewall con

320 Fortinet Inc.Viewing and managing logs saved to the hard disk Logging and reportingDownloading a log file to the management computerYou can downlo

Logging and reporting Configuring alert emailFortiGate-800 Installation and Configuration Guide 321Configuring alert emailYou can configure the Fort

322 Fortinet Inc.Configuring alert email Logging and reportingEnabling alert emailYou can configure the FortiGate unit to send alert email in response

FortiGate-800 Installation and Configuration Guide 323FortiGate-800 Installation and Configuration Guide Version 2.50GlossaryConnection: A link betwe

324 Fortinet Inc.GlossaryLAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal c

GlossaryFortiGate-800 Installation and Configuration Guide 325SSH, Secure shell: A secure Telnet replacement that you can use to log into another c

326 Fortinet Inc.Glossary

FortiGate-800 Installation and Configuration Guide 327FortiGate-800 Installation and Configuration Guide Version 2.50IndexAacceptpolicy 191actionpoli

328 Fortinet Inc.Indexattack updatesconfiguring 121scheduling 120through a proxy server 122authentication 193, 223configuring 224enabling 229LDAP serv

IndexFortiGate-800 Installation and Configuration Guide 329DHCPadding a DHCP server to an interface 158adding a reserved IP to a DHCP server 160add

Getting started Factory default FortiGate configuration settingsFortiGate-800 Installation and Configuration Guide 33Factory default content profile

330 Fortinet Inc.IndexFortiResponse Distribution Network 118connecting to 118FortiResponse Distribution Server 118from IPsystem status 115from portsys

IndexFortiGate-800 Installation and Configuration Guide 331IPSec VPNauthentication for user group 229AutoIKE 232certificates 232disabling 266, 268m

332 Fortinet Inc.IndexmodeTransparent 18monitorsystem status 114monitored interfaces 270monitoringsystem status 111MTU size 144changing 144definition

IndexFortiGate-800 Installation and Configuration Guide 333PPTP dialup connectionconfiguring Windows 2000 client 261configuring Windows 98 client 2

334 Fortinet Inc.Indexschedule 205applying to policy 208automatic antivirus and attack definition updates 120creating one-time 206creating recurring 2

IndexFortiGate-800 Installation and Configuration Guide 335system settingsbacking up 108restoring 108restoring to factory default 109system status

336 Fortinet Inc.Indexviewingdialup connection status 255logs 318, 319logs saved to memory 317VPN tunnel status 255virtual domainadding 149adding a VL

34 Fortinet Inc.Factory default FortiGate configuration settings Getting startedScan content profileUse the scan content profile to apply antivirus sc

Getting started Factory default FortiGate configuration settingsFortiGate-800 Installation and Configuration Guide 35Web content profileUse the web

36 Fortinet Inc.Planning the FortiGate configuration Getting startedPlanning the FortiGate configurationBefore you configure the FortiGate unit, you n

Getting started Planning the FortiGate configurationFortiGate-800 Installation and Configuration Guide 37NAT/Route mode with multiple external netwo

38 Fortinet Inc.Planning the FortiGate configuration Getting startedFigure 6: Example Transparent mode network configurationYou can connect up to 8 ne

Getting started FortiGate model maximum values matrixFortiGate-800 Installation and Configuration Guide 39Front keypad and LCDIf you are configuring

Contents4 Fortinet Inc.NAT/Route mode installation... 41Preparing to conf

40 Fortinet Inc.Next steps Getting startedNext stepsNow that your FortiGate unit is operating, you can proceed to configure it to connect to networks:

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 41NAT/Route mode installationThis c

42 Fortinet Inc.Preparing to configure NAT/Route mode NAT/Route mode installationAdvanced NAT/Route mode settingsUse Tab le 11 to gather the informat

NAT/Route mode installation Using the setup wizardFortiGate-800 Installation and Configuration Guide 43DMZ and user-defined interfacesUse Tab le 12

44 Fortinet Inc.Using the front control buttons and LCD NAT/Route mode installationUsing the front control buttons and LCDAs an alternative to the set

NAT/Route mode installation Using the command line interfaceFortiGate-800 Installation and Configuration Guide 453 Set the IP address and netmask of

46 Fortinet Inc.Connecting the FortiGate unit to your networks NAT/Route mode installation9 Set the default route to the Default Gateway IP address (n

NAT/Route mode installation Connecting the FortiGate unit to your networksFortiGate-800 Installation and Configuration Guide 47Figure 7: FortiGate-8

48 Fortinet Inc.Configuring your networks NAT/Route mode installationFigure 8: Example FortiGate-800 user-defined interface connectionsConfiguring you

NAT/Route mode installation Completing the configurationFortiGate-800 Installation and Configuration Guide 49Completing the configurationUse the inf

ContentsFortiGate-800 Installation and Configuration Guide 5Transparent mode configuration examples...

50 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationRegistering your FortiGate unitAfter purchasing

NAT/Route mode installation Configuration example: Multiple connections to the InternetFortiGate-800 Installation and Configuration Guide 51Figure 9

52 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationUsing the CLI1 Add a ping server to the externa

NAT/Route mode installation Configuration example: Multiple connections to the InternetFortiGate-800 Installation and Configuration Guide 53Load sha

54 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installation3 Select New to add a route for connections to

NAT/Route mode installation Configuration example: Multiple connections to the InternetFortiGate-800 Installation and Configuration Guide 55Policy r

56 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationFirewall policy exampleFirewall policies contro

NAT/Route mode installation Configuration example: Multiple connections to the InternetFortiGate-800 Installation and Configuration Guide 57Restrict

58 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installation

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 59Transparent mode installationThis

Contents6 Fortinet Inc.Displaying the FortiGate up time... 108Disp

60 Fortinet Inc.Using the setup wizard Transparent mode installationUsing the setup wizardFrom the web-based manager, you can use the setup wizard to

Transparent mode installation Using the front control buttons and LCDFortiGate-800 Installation and Configuration Guide 61Using the front control bu

62 Fortinet Inc.Completing the configuration Transparent mode installationConfiguring the Transparent mode management IP address1 Make sure that you a

Transparent mode installation Connecting the FortiGate unit to your networksFortiGate-800 Installation and Configuration Guide 63Registering your Fo

64 Fortinet Inc.Transparent mode configuration examples Transparent mode installationFigure 10: FortiGate-800 Transparent mode connectionsTransparent

Transparent mode installation Transparent mode configuration examplesFortiGate-800 Installation and Configuration Guide 65This section describes:• D

66 Fortinet Inc.Transparent mode configuration examples Transparent mode installationFigure 11: Default route to an external networkGeneral configura

Transparent mode installation Transparent mode configuration examplesFortiGate-800 Installation and Configuration Guide 67Web-based manager example

68 Fortinet Inc.Transparent mode configuration examples Transparent mode installationFigure 12: Static route to an external destinationGeneral configu

Transparent mode installation Transparent mode configuration examplesFortiGate-800 Installation and Configuration Guide 692 Go to System > Networ

ContentsFortiGate-800 Installation and Configuration Guide 7Network configuration...

70 Fortinet Inc.Transparent mode configuration examples Transparent mode installationFigure 13: Static route to an internal destinationGeneral configu

Transparent mode installation Transparent mode configuration examplesFortiGate-800 Installation and Configuration Guide 71Web-based manager example

72 Fortinet Inc.Transparent mode configuration examples Transparent mode installation

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 73High availabilityFortinet achieve

74 Fortinet Inc.Configuring an HA cluster High availabilityAn active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a prima

High availability Configuring an HA clusterFortiGate-800 Installation and Configuration Guide 756 Select the HA mode.Select Active-Active mode to cr

76 Fortinet Inc.Configuring an HA cluster High availabilityFigure 14: Example Active-Active HA configuration11 If you are configuring a NAT/Route mode

High availability Configuring an HA clusterFortiGate-800 Installation and Configuration Guide 77Inserting an HA cluster into your network temporaril

78 Fortinet Inc.Managing an HA cluster High availability2 Power on all the FortiGate units in the cluster.As the units power on they negotiate to choo

High availability Managing an HA clusterFortiGate-800 Installation and Configuration Guide 79You can also use SNMP to manage the cluster by configur

Contents8 Fortinet Inc.Adding RIP filters ...

80 Fortinet Inc.Managing an HA cluster High availabilityTo monitor cluster interfaces1 Connect to the cluster and log into the web-based manager.2 Go

High availability Managing an HA clusterFortiGate-800 Installation and Configuration Guide 813 Select Sessions & Network.The cluster displays se

82 Fortinet Inc.Managing an HA cluster High availabilityViewing cluster sessionsTo view the cluster communication sessions1 Connect to the cluster and

High availability Managing an HA clusterFortiGate-800 Installation and Configuration Guide 83Monitoring cluster units for failoverIf the primary uni

84 Fortinet Inc.Managing an HA cluster High availabilityTo manage a cluster unit1 Use SSH to connect to the cluster and log into the CLI.Connect to an

High availability Managing an HA clusterFortiGate-800 Installation and Configuration Guide 85Synchronizing the cluster configurationCluster synchron

86 Fortinet Inc.Managing an HA cluster High availability4 Repeat steps 2 and 3 for all the subordinate units in the HA cluster.Upgrading firmwareTo up

High availability Advanced HA optionsFortiGate-800 Installation and Configuration Guide 87Replacing a FortiGate unit after failoverA failover can oc

88 Fortinet Inc.Advanced HA options High availabilityset system ha override enableEnable override so that the permanent primary unit overrides any oth

High availability Active-Active cluster packet flowFortiGate-800 Installation and Configuration Guide 89Weight values are entered in order according

ContentsFortiGate-800 Installation and Configuration Guide 9Services ...

90 Fortinet Inc.Active-Active cluster packet flow High availabilityNAT/Route mode packet flowIn NAT/Route mode, five MAC addresses are involved in act

High availability Active-Active cluster packet flowFortiGate-800 Installation and Configuration Guide 91The following are examples of switches that

92 Fortinet Inc.Active-Active cluster packet flow High availability

FortiGate-800 Installation and Configuration Guide Version 2.50FortiGate-800 Installation and Configuration Guide 93System statusYou can connect to t

94 Fortinet Inc.Changing the FortiGate host name System statusChanging the FortiGate host nameThe FortiGate host name appears on the Status page and i

System status Changing the FortiGate firmwareFortiGate-800 Installation and Configuration Guide 95Upgrading to a new firmware versionUse the followi

96 Fortinet Inc.Changing the FortiGate firmware System status4 Make sure the FortiGate unit can connect to the TFTP server.You can use the following c

System status Changing the FortiGate firmwareFortiGate-800 Installation and Configuration Guide 97If you are reverting to a previous FortiOS version

98 Fortinet Inc.Changing the FortiGate firmware System statusIf you are reverting to a previous FortiOS version (for example, reverting from FortiOS v

System status Changing the FortiGate firmwareFortiGate-800 Installation and Configuration Guide 9911 Update antivirus and attack definitions. For in