Instruction/maintenance manual of the product: FortiGate 100 (Fortinet)
FortiGate 100 Installation and Configuration Guide. FortiGate User Manual Volume 1, Version 2.50 MR2, 18 August 2003. (Cover image: front panel with INTERNAL, EXTERNAL, DMZ, POWER and STATUS labels.)
© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents (pages 3 to 12)
Introduction ... 13
  Antivirus protection ...
Planning your FortiGate configuration ... 37
  NAT/Route mode ...
Completing the configuration ... 61
  Setting the date and time ...
Virus and attack definitions updates and registration ... 91
  Updating antivirus and attack definitions ... 91
  Connecting to the FortiResponse Distribution Network ...
Configuring routing ... 115
  Adding a default route ...
Configuring policy lists ... 149
  Policy matching in detail ...
Configuring LDAP support ... 177
  Adding LDAP servers ...
Configuring L2TP ... 213
  Configuring the FortiGate unit as a L2TP gateway ...
Exempt URL list ... 243
  Adding URLs to the exempt URL list ...
Page 13: Introduction. The FortiGate Antivirus Firewall supports network-based deployment of application-level services, including antivirus protection and full-scan content filtering.
Page 14 (Introduction): For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use this feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined.
Page 15 (Introduction, NAT/Route mode): You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email.
Page 16 (Introduction): Transparent mode. Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies.
Page 17 (Introduction, Web-based manager): • PPTP for easy connectivity with the VPN standard supported by the most popular operating systems. • L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
Page 18 (Introduction): Figure 1: The FortiGate web-based manager and setup wizard. Command line interface. You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector.
Page 19 (Introduction): Logging and reporting. The FortiGate supports logging of various categories of traffic and of configuration changes.
Page 20 (Introduction, Firewall): DHCP server • Addition of a WINS server to DHCP configuration. • Reserve IP/MAC pair combinations for DHCP servers (CLI only). RIP • New RIP v1 and v2 functionality. See "RIP configuration" on page 121.
Page 21 (Introduction): NIDS. See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality.
Page 22 (Introduction, Logging and Reporting): About this document. This installation and configuration guide describes how to install and configure the FortiGate-100. This document contains the following information: • Getting started describes unpacking, mounting, and powering on the FortiGate.
Page 23 (Introduction, Logging and Reporting): Document conventions. This guide uses the following conventions to describe CLI command syntax. • angle brackets < > to indicate variable keywords. For example: execute restore config <filename_str>. You enter restore config myfile.
Page 24 (Introduction, Comments on Fortinet technical documentation): Fortinet documentation. Information about FortiGate products is available from the following FortiGate User Manual volumes: • Volume 1: FortiGate Installation and Configuration Guide. Describes installation and basic configuration for the FortiGate unit.
Page 25 (Introduction, Comments on Fortinet technical documentation): Customer service and technical support. For antivirus and attack definition updates,
Page 27: Getting started. This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall.
Page 28 (Getting started): Package contents. The FortiGate-100 package contains the following items: • FortiGate-100 Antivirus Firewall • one orange crossover ethernet cable • one gray
Page 29 (Getting started): Environmental specifications • Operating temperature: 32 to 104°F (0 to 40°C) • Storage temperature: -13 to 158°F (-25 to
Page 30 (Getting started): Connecting to the web-based manager. Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service.
Page 31 (Getting started): Connecting to the command line interface (CLI). As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI.
Page 32 (Getting started, Factory default NAT/Route mode network configuration): If you are planning on operating the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode.
Page 33 (Getting started): Factory default Transparent mode network configuration. If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3.
Page 34 (Getting started): Factory default content profiles. You can use content profiles to apply different protection settings for content traffic controlled by firewall policies.
Page 35 (Getting started, Factory default content profiles): Strict content profile. Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Page 36 (Getting started, Factory default content profiles): Web content profile. Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Page 37 (Getting started, NAT/Route mode): Planning your FortiGate configuration. Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network.
Page 38 (Getting started): NAT/Route mode with multiple external network connections. In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet).
Page 39 (Getting started, Configuration options): You can connect up to three network segments to the FortiGate unit to control traffic between these network segments. • External can connect to the external firewall or router.
Page 40 (Getting started, Configuration options): FortiGate model maximum values matrix. Table 9: FortiGate maximum values matrix. FortiGate model: 50, 60, 100, 200, 300, 400, 500, 1000, 2000, 3000, 3600. Po
Page 41 (Getting started, Configuration options): Next steps. Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to "NAT/Route mode installation" on page 43.
Page 43: NAT/Route mode installation. This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see "Transparent mode installation" on page 57.
Page 44 (NAT/Route mode installation): Advanced NAT/Route mode settings. Use Table 11 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Page 45 (NAT/Route mode installation, Starting the setup wizard): Using the setup wizard. From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see "Connecting to the web-based manager" on page 30.
Page 46 (NAT/Route mode installation, Configuring the FortiGate unit to operate in NAT/Route mode): 3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 10 on page 43.
Page 47 (NAT/Route mode installation, Configuring the FortiGate unit to operate in NAT/Route mode): Connecting the FortiGate unit to your networks. When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
Page 48 (NAT/Route mode installation, Configuring the DMZ interface): Configuring your networks. If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected.
Page 49 (NAT/Route mode installation): Enabling antivirus protection. To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet: 1 Go to Firewall > Policy > Int -> Ext.
Page 50 (NAT/Route mode installation, Configuring virus and attack definition updates): This section provides some examples of routing and firewall configurations to configure the FortiGate unit for multiple Internet connections.
Page 51 (NAT/Route mode installation): Configuring Ping servers. Use the following procedure to make Gateway 1 the ping server for the external interface and Gateway 2 the ping server for the DMZ interface.
Page 52 (NAT/Route mode installation, Destination based routing examples): Using the CLI. 1 Add the route to the routing table: set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz. Load sharing. You can also configure destination routing to direct traffic through both gateways at the same time.
Page 53 (NAT/Route mode installation, Destination based routing examples): 3 Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.
Page 54 (NAT/Route mode installation): Policy routing examples. Policy routing can be added to increase the control you have over how packets are routed.
Page 55 (NAT/Route mode installation): Firewall policy example. Firewall policies control how traffic flows through the FortiGate unit.
Page 56 (NAT/Route mode installation, Firewall policy example): Restricting access to a single Internet connection. In some cases you might want to limit some traffic to only being able to use one Internet connection.
Page 57: Transparent mode installation. This chapter describes how to install your FortiGate unit in Transparent mode.
Page 58 (Transparent mode installation, Changing to Transparent mode): Using the setup wizard. From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see "Connecting to the web-based manager" on page 30.
Page 59 (Transparent mode installation, Changing to Transparent mode): Using the command line interface. As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI).
Page 60 (Transparent mode installation, Configure the Transparent mode default gateway): Connecting the FortiGate unit to your networks. When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.
Page 61 (Transparent mode installation, Setting the date and time): A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic.
Page 62 (Transparent mode installation, Default routes and static routes): The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890.
Page 63 (Transparent mode installation): Example default route to an external network. Figure 10 shows a FortiGate unit where all destinations, including the management computer, are located on the external network.
Page 64 (Transparent mode installation, Example static route to an external destination): 3 Configure the default route to the external network. Web-based manager example configuration steps. To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status.
Page 65 (Transparent mode installation, Example static route to an external destination): Figure 11: Static route to an external destination. General configuration steps. 1 Set the FortiGate unit to operate in Transparent mode.
Page 66 (Transparent mode installation, Example static route to an external destination): Web-based manager example configuration steps. To configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > Status.
Page 67 (Transparent mode installation): Example static route to an internal destination. Figure 12 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet.
Page 68 (Transparent mode installation, Example static route to an internal destination): Web-based manager example configuration steps. To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status.
Page 69: System status. You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit.
Page 70 (System status): Changing the FortiGate host name. The FortiGate host name appears on the System > Status page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see "Configuring SNMP" on page 134).
Page 71 (System status): Upgrade to a new firmware version. Use the following procedures to upgrade your FortiGate to a newer firmware version. Upgrading the firmware using the web-based manager. 1 Copy the firmware image file to your management computer.
Page 72 (System status, Revert to a previous firmware version): 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate: execute restore image <name_str
Page 73 (System status, Revert to a previous firmware version): 1 Copy the firmware image file to your management computer. 2 Log in to the FortiGate web-based manager as the admin administrative user. 3 Go to System > Status.
Page 74 (System status, Revert to a previous firmware version): To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit. 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFTP server.
Page 75 (System status, Install a firmware image from a system reboot using the CLI): 12 To confirm that the antivirus and attack definitions have been upd
Page 76 (System status, Install a firmware image from a system reboot using the CLI): 6 Enter the following command to restart the FortiGate unit: execute reboot. As the FortiGate unit starts, a series of system startup messages are displayed.
Page 77 (System status, Test a new firmware image before installing it): 11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
Page 78 (System status, Test a new firmware image before installing it): To test a new firmware image: 1 Connect to the CLI using a null modem cable and the FortiGate console port. 2 Make sure the TFTP server is running. 3 Copy the new firmware image file to the root directory of the TFTP server.
Page 79 (System status, Installing and using a backup firmware image): The following message appears: Enter File Name [image.out]: 11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
Page 80 (System status, Installing and using a backup firmware image): 4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.
Page 81 (System status, Installing and using a backup firmware image): Switching to the backup firmware image. Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed.
Page 82 (System status, Installing and using a backup firmware image): Switching back to the default firmware image. Use this procedure to switch your FortiGate unit to operating with the backup firmware image that had been running as the default firmware image.
Page 83 (System status, Installing and using a backup firmware image): 5 Select OK to copy the antivirus definitions update file to the FortiGate unit. The FortiGate unit updates the antivirus definitions.
Page 84 (System status, Installing and using a backup firmware image): 2 Select System Settings Backup. 3 Select Backup System Settings. 4 Type a name and location for the file. The system settings file is backed up to the management computer.
Page 85 (System status, Installing and using a backup firmware image): Changing to Transparent mode. Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode.
Page 86 (System status, Viewing CPU and memory status): Shutting down the FortiGate unit. 1 Go to System > Status. 2 Select Shutdown. The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then on.
Page 87 (System status, Viewing sessions and network status): Figure 1: CPU and memory status monitor. CPU and memory intensive processes such as encryptin
Page 88 (System status, Viewing virus and intrusions status): 2 Select Sessions & Network. Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute.
Page 89 (System status, Viewing virus and intrusions status): Figure 3: Sessions and network status monitor. 3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display.
Page 90 (System status, Viewing virus and intrusions status): Figure 4: Example session list. To IP: the destination IP address of the connection. To Port: the destination port of the connection. Expire: the time, in seconds, before the connection expires.
Page 91: Virus and attack definitions updates and registration. You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine.
Page 92 (Virus and attack definitions updates and registration, Connecting to the FortiResponse Distribution Network): The System > Update page of the web-based manager displays the following ant
Page 93 (Virus and attack definitions updates and registration, Configuring scheduled updates): To make sure the FortiGate unit can connect to the FDN: 1 Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area.
Page 94 (Virus and attack definitions updates and registration, Configuring update logging): 4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever a scheduled update is run, the event is recorded in the FortiGate event log.
Page 95 (Virus and attack definitions updates and registration): Adding an override server. If you cannot connect to the FDN or if
Page 96 (Virus and attack definitions updates and registration, Push updates through a NAT device): To enable push updates: 1 Go to System > Update. 2 Select Allow Push Update. 3 Select Apply. About push updates. When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN.
Page 97 (Virus and attack definitions updates and registration, Push updates through a NAT device): Example: push updates through a NAT device. This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network.
Page 98 (Virus and attack definitions updates and registration, Push updates through a NAT device): General procedure. Use the following steps to configure the FortiGate NAT device and the For
Page 99 (Virus and attack definitions updates and registration, Push updates through a NAT device): Figure 3: Push update port forwarding virtual IP. Adding a firewall policy for the port forwarding virtual IP. To configure the FortiGate NAT device: 1 Add a new external to internal firewall policy.
Page 100 (Virus and attack definitions updates and registration, Scheduled updates through a proxy server): 5 Set Port to the External Service Port added to the virtual IP. For the example topology, enter 45001. 6 Select Apply. The FortiGate unit sends the override push IP address and Port to the FDN.
Page 101 (Virus and attack definitions updates and registration, FortiCare Service Contracts): There are no special tunneling requirements if you have configured an override server address to connect to the FDN.
Page 102 (Virus and attack definitions updates and registration, Registering the FortiGate unit): To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
Page 103 (Virus and attack definitions updates and registration, Registering the FortiGate unit): Figure 5: Registering a FortiGate unit (contact information and security question). 3 Provide a security question and an answer to the security question.
Page 104 (Virus and attack definitions updates and registration, Recovering a lost Fortinet support password): Updating registration information. You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information.
Page 105 (Virus and attack definitions updates and registration, Registering a new FortiGate unit): Figure 7: Sample list of registered FortiGate units. Registering a new FortiGate unit. 1 Go to System > Update > Support and select Support Login.
Page 106 (Virus and attack definitions updates and registration, Changing your Fortinet support password): 7 Select Finish. The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.
Page 107 (Virus and attack definitions updates and registration, Downloading virus and attack definitions updates): Figure 8: Downloading virus and attack
Page 109: Network configuration. Go to System > Network to make any of the followin
Page 110 (Network configuration): Viewing the interface list. Use the following procedure to view the interface list.
Page 111 (Network configuration, Adding a ping server to an interface): You can also configure management access and add a ping server to the secondary IP address.
Page 112 (Network configuration): Configuring traffic logging for connections to an interface. 1 Go to System > Network > Interface. 2 Select Modify for the interface for which to configure logging.
Page 113 (Network configuration, Configuring the external interface for PPPoE): 4 Select Connect to DHCP server to automatically connect to a DHCP server. If you do not select Connect to DHCP server, the FortiGate unit will not connect to a DHCP server.
Page 114 (Network configuration, Configuring the management interface (Transparent mode)): To change the MTU size of the packets leaving the external interface: 1 Go to System > Network > Interface. 2 For the external interface, select Modify.
Page 115 (Network configuration, Configuring the management interface (Transparent mode)): Figure 2: Configuring the management interface. Adding DNS server IP addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS.
Page 116 (Network configuration): Adding a default route. Use the following procedure to add a default route for network traffic leaving the external interface. 1 Go to System > Network > Routing Table. 2 Select New to add a new route.
Page 117 (Network configuration, Adding routes in Transparent mode): 6 Set Device #1 to the FortiGate interface through which to route traffic to connect to Gateway #1. You can select the name of an interface or Auto (the default).
Page 118 (Network configuration): Configuring the routing table. The routing table shows the destination IP address and mask of each route you add as well as the gateways and devices added to the route. The routing table also displays the gateway connection status.
Page 119 (Network configuration, Policy routing): The gateway added to a policy route must also be added to a destination route.
Page 120 (Network configuration, Policy routing): Figure 4: Sample DHCP settings. Viewing the dynamic IP list. If you have configured the FortiGate unit as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses.
RIP configuration
The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453).
This chapter describes how to configure FortiGate RIP: • RIP settings • Configuring RIP for FortiGate interfaces • Adding RIP neighbors • Adding RIP filters
RIP settings
Configure RIP settings to enable basic RIP functionality and metrics and to configure RIP timers.
7 Select Apply to save your changes.
Figure 1: Configuring RIP settings
Update: The time interval in seconds between sending routing table updates. The default is 30 seconds. Invalid: The time interval in seconds after which a route is declared invalid.
Configuring RIP for FortiGate interfaces
You can create a unique RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected.
4 Select OK to save the RIP configuration for the selected interface.
Figure 2: Example RIP configuration for an internal interface
Adding RIP neighbors
Add RIP neighbors to define a neighboring router with which to exchange routing information.
3 Add the IP address of a neighbor router that you want the FortiGate unit to exchange routing information with. 4 Select Enable Send RIP1 to send RIP1 messages to the neighbor. 5 Select Enable Send RIP2 to send RIP2 messages to the neighbor. RIP1 messages carry neither a subnet mask nor any authentication, so enable RIP1 only for neighbors that cannot speak RIP2, and use RIP filters to limit which routes you accept from any neighbor.
4 Select OK to save the RIP filter.
Adding a RIP filter list
Add a RIP filter list to filter multiple routes. A RIP filter list consists of a RIP filter name and a series of route prefixes.
Adding a neighbors filter
You can select a single RIP filter or a RIP filter list to be the neighbors filter. 1 Go to System > RIP > Filter. 2 Add RIP filters and RIP filter lists as required.
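The following is an added example, not code from the FortiGate guide or from Fortinet: it parses a RIPv2 Response message as a neighbor would send it and applies a filter list of permitted route prefixes to the routes it carries, which is the effect of selecting a RIP filter list as the neighbors filter. The filter semantics modelled here (a route is learned only if its prefix lies inside one of the listed prefixes), the sample routes, and the password are assumptions made for this example; the guide does not state how the unit evaluates its filter lists.

```python
# Added example (not from the FortiGate guide or Fortinet code): parse a RIPv2
# Response message and apply a filter list of permitted route prefixes to it,
# the way a "neighbors filter" narrows what a router will learn from a peer.
# The filter semantics (a route is learned only if it falls inside one of the
# listed prefixes) and all addresses below are assumptions for this example.
import ipaddress
import struct
from dataclasses import dataclass

RIP_RESPONSE = 2          # RIP command code for a Response message
RIP_VERSION_2 = 2
RIP_INFINITY = 16         # metric meaning "unreachable" (RFC 2453)
AFI_INET = 2              # address family identifier for IPv4
AFI_AUTH = 0xFFFF         # marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2  # cleartext password authentication type


@dataclass(frozen=True)
class RipRoute:
    network: ipaddress.IPv4Network
    next_hop: str
    metric: int
    tag: int


def build_ripv2_response(routes, password=None):
    """Construct a RIPv2 Response packet (constructed test input, not captured traffic).

    routes: iterable of (prefix, next_hop, metric). If a password is given, a
    simple-password authentication entry is prepended, as a RIP2 router would do.
    """
    body = b""
    if password is not None:
        body += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD,
                            password.encode().ljust(16, b"\x00"))
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        body += struct.pack("!HH4s4s4sI", AFI_INET, 0,
                            net.network_address.packed, net.netmask.packed,
                            ipaddress.ip_address(next_hop).packed, metric)
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0) + body


def parse_ripv2_response(packet):
    """Return (auth, routes) for a RIPv2 Response; raise ValueError on malformed input.

    auth is None or (auth_type, 16 raw bytes). Every entry after the 4-byte
    header is exactly 20 bytes, so the length check rejects truncated packets.
    """
    if len(packet) < 4 or (len(packet) - 4) % 20 != 0:
        raise ValueError("malformed RIP packet length")
    command, version, must_be_zero = struct.unpack("!BBH", packet[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION_2 or must_be_zero != 0:
        raise ValueError("not a RIPv2 Response")
    auth = None
    routes = []
    for off in range(4, len(packet), 20):
        afi, tag = struct.unpack("!HH", packet[off:off + 4])
        if afi == AFI_AUTH:
            auth = (tag, packet[off + 4:off + 20])   # auth type sits in the tag field
            continue
        if afi != AFI_INET:
            continue                                  # unknown family: ignore entry
        addr, mask, nh, metric = struct.unpack("!4s4s4sI", packet[off + 4:off + 20])
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("metric out of range")
        net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))
        routes.append(RipRoute(net, str(ipaddress.IPv4Address(nh)), metric, tag))
    return auth, routes


def apply_filter_list(routes, permitted_prefixes):
    """Keep only routes that fall inside one of the permitted prefixes (the filter list)."""
    permitted = [ipaddress.ip_network(p) for p in permitted_prefixes]
    return [r for r in routes if any(r.network.subnet_of(p) for p in permitted)]


def learn_from_neighbor(packet, permitted_prefixes):
    """Routes a router would install from this packet after the neighbors filter."""
    _auth, routes = parse_ripv2_response(packet)
    return apply_filter_list(routes, permitted_prefixes)
```

Note that the simple-password authentication entry travels in clear text inside the datagram (the test below finds the password bytes in the packet), so it stops accidental peering but not a neighbor that can sniff the segment; the filter list is what keeps a rogue advertisement such as 192.168.200.0/24 out of the routing table.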
System configuration
Go to System > Config to make any of the following.
8 Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day. 9 Select Apply.
To set the Auth timeout: 1 For Auth Timeout, type a number in minutes. 2 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again.
Adding and editing administrator accounts
When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. Set a password for the admin account before the unit is reachable from any untrusted network.
Editing administrator accounts
The admin account user can change individual administrator ac.
Configuring SNMP
Configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. The FortiGate SNMP agent supports SNMP v1 and v2c. Both versions identify the manager only by a community string sent in clear text, so restrict the managers that may query the agent and do not reuse the community string elsewhere.
4 Select Apply.
Figure 2: Sample SNMP configuration
FortiGate MIBs
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs.
FortiGate traps
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager.
Customizing replacement messages
This section describes: • Customizing replacement messages • Customizing alert emails
Customizing alert emails
Customize alert emails to control the content displayed in alert email messages sent to system administrators. 1 Go to System > Config > Replacement Messages.
%%EMAIL_FROM%%: The email address of the sender of the message in which the virus was found. %%EMAIL_TO%%: The email address of the intended receiver of the message in which the virus was found.
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request.
Default firewall configuration
By default, the users on your internal network can connect through the FortiGate unit to the Internet.
Services
Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number.
Adding firewall policies
Add firewall policies to control connections and traffic between FortiGate interfaces. 1 Go to Firewall > Policy. 2 Select the policy list to which you want to add the policy.
Firewall policy options
This section describes the options that you can add to firewall policies. Source: Select an address or address group that matches the source address of the packet.
VPN Tunnel: Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel.
Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection.
Figure 6: Adding a Transparent mode policy
Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 249.
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. Only that first matching policy is applied; policies below it are never consulted for the connection, so a more specific policy, and in particular any DENY policy, must sit above the general ACCEPT policy it is meant to override.
4 Type a number in the Move to field to specify where in the policy list to move the policy and select OK.
Enabling and disabling policies
You can enable and disable policies in the policy list to control whether the policy is active or not.
Adding addresses
This section describes: • Adding addresses • Editing addresses • Deleting addresses • Organizing addresses into address groups
Adding addresses: 1 Go to Firewall > Address.
Figure 7: Adding an internal address
Editing addresses
Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name.
2 Select the interface to which to add the address group. 3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Predefined services
Table 5: FortiGate predefined services (columns: Service name, Description, Protocol, Port)
ANY: Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall.
IRC: Internet Relay Chat allows people connected to the Internet to join live discussions. tcp 6660-6669. L2TP: L2TP is a PPP-based tunnel protocol for remote access.
Providing access to custom services
Add a custom service if you need to create a policy for a service that is not in the predefined service list. 1 Go to Firewall > Service > Custom.
Grouping services
2 Select New. 3 Enter a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name.
Creating one-time schedules
You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times.
3 Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then move the DENY policy above the policy it is meant to block: because the firewall uses the first match, a DENY policy placed below the matching ACCEPT policy never takes effect.
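The following is an added example, not code from the FortiGate guide or from Fortinet: a top-down, first-match policy list of the kind described above, with a one-time schedule attached to a DENY policy so that the general ACCEPT policy is overridden only during the scheduled window. The Packet record, the rule that a packet matching no policy is denied, and all addresses, ports and times are assumptions made for this example.

```python
# Added example (not from the FortiGate guide or Fortinet code): a top-down,
# first-match policy list in the style these pages describe, with a one-time
# schedule used to deny traffic that the general policy would otherwise accept.
# The Packet record, the "implicit deny when nothing matches" default and all
# addresses and times are assumptions made for this example.
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int
    when: datetime


@dataclass(frozen=True)
class Service:
    proto: str                 # "any" matches every protocol and port
    low: int = 0
    high: int = 65535

    def matches(self, pkt):
        if self.proto == "any":
            return True
        return pkt.proto == self.proto and self.low <= pkt.dst_port <= self.high


ANY = Service("any")
HTTP = Service("tcp", 80, 80)
IRC = Service("tcp", 6660, 6669)    # port range as listed in the predefined services


@dataclass(frozen=True)
class OneTimeSchedule:
    start: datetime
    stop: datetime

    def active(self, when):
        return self.start <= when < self.stop


@dataclass(frozen=True)
class Policy:
    name: str
    src: str          # address or network in CIDR notation
    dst: str
    service: Service
    action: str       # "ACCEPT" or "DENY"
    schedule: Optional[OneTimeSchedule] = None   # None means "Always"
    enabled: bool = True

    def matches(self, pkt):
        if not self.enabled:
            return False        # a disabled policy is skipped as if it were not there
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.schedule is not None and not self.schedule.active(pkt.when):
            return False
        return self.service.matches(pkt)


def match_policy(policies, pkt):
    """Return the first policy in list order that matches, or None."""
    for policy in policies:
        if policy.matches(pkt):
            return policy
    return None


def decide(policies, pkt):
    """ACCEPT or DENY for the packet; an unmatched packet is denied (assumed default)."""
    policy = match_policy(policies, pkt)
    return policy.action if policy is not None else "DENY"


def at(hour, minute=0):
    """A time on the constructed schedule's day (2003-08-18)."""
    return datetime(2003, 8, 18, hour, minute)


# Constructed example: the default "internal to external, any service" ACCEPT
# policy, plus a DENY policy for IRC that is active only during one work day.
WORK_DAY = OneTimeSchedule(at(9), at(17))
DENY_IRC = Policy("deny-irc-workday", "192.168.1.0/24", "0.0.0.0/0", IRC, "DENY", WORK_DAY)
ALLOW_ALL = Policy("internal-to-external", "192.168.1.0/24", "0.0.0.0/0", ANY, "ACCEPT")

CORRECT_ORDER = [DENY_IRC, ALLOW_ALL]   # specific DENY above the general ACCEPT
WRONG_ORDER = [ALLOW_ALL, DENY_IRC]     # the DENY is never reached
```

With WRONG_ORDER the IRC connection during the work day is accepted by the first policy and the scheduled DENY below it is never evaluated; that is exactly the ordering mistake the Move to field exists to correct.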
Adding static NAT virtual IPs
6 In the External IP Address field, enter the external IP address to be mapped to an address on the destination network.
Adding port forwarding virtual IPs
4 Select the virtual IP External Interface. The External Interface is the interface connected to the source network that receives the packets to be forwarded to the destination network.
Figure 13: Adding a port forwarding virtual IP
Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets.
4 Select OK to save the policy.
IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface.
IP pools for firewall policies that use fixed ports
5 Select OK to save the IP pool.
IP/MAC binding
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer.
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list: • A packet with IP address 1.
3 Enter the IP address and the MAC address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.
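The following is an added example, not code from the FortiGate guide or from Fortinet: an IP/MAC binding table that enforces the two rules stated above (several IP addresses may bind to one MAC address, one IP address may not bind to several MAC addresses), checked against the source MAC address and source IP address of Ethernet/IPv4 frames passing through the firewall. The frames are constructed in the code, and the handling of a source IP address that is not in the table at all is an assumption made for this example.

```python
# Added example (not from the FortiGate guide or Fortinet code): an IP/MAC
# binding table with the two rules stated above (several IPs may bind to one
# MAC; one IP may not bind to several MACs), checked against the source MAC
# and source IP of Ethernet/IPv4 frames. The frames are constructed here; the
# treatment of IPs that are not in the table at all is an assumption.
import ipaddress
import re
import struct

ETHERTYPE_IPV4 = 0x0800


def normalize_mac(mac):
    """Return a MAC as aa:bb:cc:dd:ee:ff; accept 12:34:56:78:90:ab or 12-34-56-78-90-ab."""
    digits = re.sub(r"[:\-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("invalid MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class IpMacBindingTable:
    def __init__(self):
        self._mac_for_ip = {}

    def add(self, ip, mac):
        ip = str(ipaddress.IPv4Address(ip))
        mac = normalize_mac(mac)
        bound = self._mac_for_ip.get(ip)
        if bound is not None and bound != mac:
            raise ValueError("%s is already bound to %s" % (ip, bound))
        self._mac_for_ip[ip] = mac   # several IPs may map to the same MAC

    def verdict(self, ip, mac):
        """'accept', 'drop' (binding mismatch) or 'unbound' (IP not in the table)."""
        bound = self._mac_for_ip.get(ip)
        if bound is None:
            return "unbound"
        return "accept" if bound == normalize_mac(mac) else "drop"


def mac_bytes(mac):
    return bytes.fromhex(normalize_mac(mac).replace(":", ""))


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Construct an Ethernet II + IPv4 frame (protocol UDP, header checksum left 0)."""
    ethernet = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                            ipaddress.IPv4Address(src_ip).packed,
                            ipaddress.IPv4Address(dst_ip).packed)
    return ethernet + ip_header + payload


def inspect_frame(table, frame, unbound_action="accept"):
    """Apply the binding table to one frame passing through the firewall."""
    if len(frame) < 34:
        return "drop"                       # too short for Ethernet + IPv4 headers
    src_mac = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return "accept"                     # binding applies to IP traffic only
    if frame[14] >> 4 != 4:
        return "drop"                       # not an IPv4 header
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))   # source address at IP offset 12
    verdict = table.verdict(src_ip, src_mac)
    return unbound_action if verdict == "unbound" else verdict
```

The spoofed frame below carries the trusted host's IP address from a different MAC address and is dropped, while a second IP address bound to the same MAC is accepted; whether an address that is in no binding at all should pass is a policy decision (the unbound_action parameter), not something the table can answer.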
Figure 15: IP/MAC settings
Content profiles
Use content profiles to apply different protection settings for content traffic controlled by firewall policies.
Default content profiles
The FortiGate unit has the following four default content profiles under Firewall > Content Profile.
7 Enable fragmented email and oversized file and email options.
Adding a content profile to a policy
3 Select New to add a new policy, or choose a policy and select Edit. 4 Select Anti-Virus & Web filter. 5 Select a content profile. 6 Configure the remaining policy settings if required.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server.
This chapter describes: • Setting authentication timeout • Adding user names and configuring authentication
5 Select Try other servers if connect to selected server fails if you have selected RADIUS and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration.
Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.
Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. A simple LDAP bind sends the user's password to the server in clear text, so keep the path between the FortiGate unit and the LDAP server on a trusted network segment.
7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
Configuring user groups
To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication.
Figure 20: Adding a user group
3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
IPSec VPN
A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet.
Key management
There are three basic elements in any encryption system: • an algorithm which changes information into code, • a cryptographic key which serves as a secret starting point for the algorithm, • a management system to control the key.
Manual key IPSec VPNs
When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel.
Adding a manual key VPN tunnel
5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel. Manual keys are never renegotiated: the same encryption and authentication keys stay in use until an administrator changes them at both ends, so prefer AutoIKE, which rekeys automatically, wherever both peers support it.
AutoIKE IPSec VPNs
FortiGate supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
Adding a phase 1 configuration for an AutoIKE VPN
3 Enter a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet.
10 Optionally, enter the Local ID of the FortiGate unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer.
4 Optionally, configure NAT Traversal. 5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established.
Figure 21: Adding a phase 1 configuration
Adding a phase 2 configuration for an AutoIKE VPN
4 Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration.
Figure 22: Adding a phase 2 configuration
Managing digital certificates
Digital certificates ar.
Generating the certificate request
With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request. To generate the certificate request: 1 Go to VPN > Local Certificates.
Figure 23: Adding a Local Certificate
Downloading the certificate request
With this procedure, you download the certificate request from the FortiGate unit to the management computer.
4 Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encoded PKCS#10 certificate request to the CA web server, • paste the certificate request to the CA web server, • submit the certificate request to the CA web server.
3 Enter the path or browse to locate the signed local certificate on the management computer. 4 Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK.
Configuring encrypt policies
A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN.
Adding a source address
The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.
Adding an encrypt policy
Refer to the FortiGate Installation and Configuration Guide to configure the remaining policy settings.
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes.
VPN concentrator (hub) general configuration steps
To create a VPN concentrator configuration: 1 Configure a tunnel for each spoke.
Adding a VPN concentrator
To add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator. 2 Select New to add a VPN concentrator. 3 Enter the name of the new concentrator in the Concentrator Name field.
VPN spoke general configuration steps
A remote VPN peer that is functioning as a spoke requires the following configuration: • A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
See “Adding an encrypt policy” on page 197. 6 Arrange the policies in the following order:
Configuring redundant IPSec VPN
Configure the two FortiGate units with symmetrical settings for their connections to the Internet.
Monitoring and troubleshooting VPNs
This section provides a number of general maintenance and monitoring procedures for VPNs.
Viewing dialup connection status
To view dialup connection status: 1 Go to VPN > IPSec > Dialup. The Lifetime column displays how long the connection has been up.
PPTP and L2TP VPN
You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network.
Figure 29: PPTP VPN between a Windows client and the FortiGate unit
Configuring the FortiGate unit as a PPTP gateway
Figure 30: Example PPTP Range configuration
Adding a source address
Add a source address for every address in the PPTP address range.
Adding a destination address
Add an address to which PPTP users can connect. 1 Go to Firewall > Address. 2 Select the internal interface or the DMZ interface. (Methods will differ slightly between FortiGate models.)
Configuring a Windows 98 client for PPTP
8 Insert diskettes or CDs as required. 9 Restart the computer.
Configuring a PPTP dialup connection
1 Go to My Computer > Dial-Up Networking > Configuration.
9 Uncheck Require data encryption. 10 Select OK. With Require data encryption cleared, the client will accept a PPTP connection that is not encrypted with MPPE, so do not rely on this tunnel to protect the confidentiality of the traffic it carries.
Connecting to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure. 2 Enter your PPTP VPN User Name and Password.
Configuring a Windows XP client for PPTP
9 Select the Networking tab. 10 Make sure that the following options are selected:
Figure 31: L2TP VPN between a Windows client and the FortiGate unit
Configuring the FortiGate unit as a L2TP gateway
Figure 32: Sample L2TP address range configuration
6 Add the addresses from the L2TP address range to the external interface address list.
3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Configuring a Windows 2000 client for L2TP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN.
8 Add the following registry value to this key: Value Name: ProhibitIpSec; Data Type: REG_DWORD; Value: 1. 9 Save your changes and restart the computer for the changes to take effect. Setting ProhibitIpSec to 1 makes Windows bring up L2TP without the IPSec protection it normally requires; L2TP itself encrypts nothing, so the tunnel then carries user traffic and CHAP exchanges in the clear.
Configuring a Windows XP client for L2TP
5 Select Advanced to configure advanced settings. 6 Select Settings. 7 Select Challenge Handshake Authentication Protocol (CHAP). 8 Make sure that none of the other settings are selected.
Connecting to the L2TP VPN
1 Connect to your ISP. 2 Start the VPN connection that you configured in the previous procedure. 3 Enter your L2TP VPN User Name and Password.
Network Intrusion Detection System (NIDS)
The FortiGate NIDS is a real-time
Selecting the interfaces to monitor
1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks. You can select one or more interfaces.
Viewing the signature list
To display the current list of NIDS signature groups and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List.
Enabling and disabling NIDS attack signatures
By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks.
Figure 35: Example user-defined signature list
Downloading the user-defined signature list
You can back up the user-defined signature list by downloading it to a text file on the management computer.
Enabling NIDS attack prevention signatures
The NIDS Prevention module contains signatures that are designed to protect your network against attacks.
Setting signature threshold values
For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies.
Configuring synflood signature values
For synflood signatures, you can set the threshold, queue size, and keep alive values. 1 Go to NIDS > Prevention.
Reducing the number of NIDS attack log and email messages
Intrusion attempts may generate an excessive number of attack messages.
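The following is an added example, not code from the FortiGate guide or from Fortinet: a per-source rate threshold of the kind the icmpflood and synflood prevention signatures apply, run over a constructed packet timeline, together with the suppression that keeps one flood from producing an attack message per dropped packet. The one-second measurement window and the "one log line per source per window" rule are assumptions made for this example; the guide states the 500-packet threshold but not the interval over which the unit counts.

```python
# Added example (not from the FortiGate guide or Fortinet code): a per-source
# rate threshold of the kind the icmpflood and synflood signatures apply, run
# over a constructed packet timeline. The measurement window (one second) and
# the "log one attack message per source per window" suppression are
# assumptions for this example; the guide does not state the unit's interval.
from collections import defaultdict, deque


class FloodDetector:
    def __init__(self, threshold, window_seconds=1.0):
        self.threshold = threshold
        self.window = window_seconds
        self._recent = defaultdict(deque)    # source -> timestamps inside the window
        self._last_alert = {}                # source -> timestamp of the last log line
        self.log = []                        # attack messages that would be written

    def observe(self, src, ts):
        """Record one packet (for example an ICMP echo request); return 'pass' or 'drop'."""
        q = self._recent[src]
        while q and ts - q[0] >= self.window:
            q.popleft()                      # expire timestamps outside the window
        q.append(ts)
        if len(q) <= self.threshold:
            return "pass"                    # up to `threshold` packets per window are answered
        last = self._last_alert.get(src)
        if last is None or ts - last >= self.window:
            self.log.append("attack: flood from %s, %d packets in %.0fs (threshold %d)"
                            % (src, len(q), self.window, self.threshold))
            self._last_alert[src] = ts       # further drops in this window stay quiet
        return "drop"


def run_timeline(detector, events):
    """Apply the detector to (src, ts) events; return pass/drop counts per source."""
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for src, ts in events:
        counts[src][detector.observe(src, ts)] += 1
    return dict(counts)


def constructed_events():
    """Constructed input: 600 echo requests from one host within 0.6 s, 5 from
    another host, then 3 more from the first host a full second later."""
    events = [("10.0.0.5", i * 0.001) for i in range(600)]
    events += [("10.0.0.6", 0.1 + i * 0.01) for i in range(5)]
    events += [("10.0.0.5", 2.0 + i * 0.001) for i in range(3)]
    return sorted(events, key=lambda e: e[1])
```

Of the 600 requests from 10.0.0.5 the first 500 pass and the remaining 100 are dropped, the quiet host is untouched, and the three requests a second later pass again once the window has emptied; the whole burst produces a single log line rather than one hundred.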
Antivirus protection
Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves.
Antivirus scanning
Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which antivirus protection has been enabled.
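The following is an added example, not code from the FortiGate guide or from Fortinet: recursive scanning of nested zip archives with a layer limit, which is the behaviour the "up to 12 layers of compression" statement implies for archives. A marker string stands in for a virus signature, the archives are built in memory, and the choice to block (rather than pass unscanned) anything nested deeper than the limit or larger than a size cap are all assumptions made for this example; the guide says nothing about what the unit does with a file that exceeds its nesting limit.

```python
# Added example (not from the FortiGate guide or Fortinet code): recursive
# scanning of nested zip archives with a layer limit, the behaviour described
# above for files compressed "with up to 12 layers". The marker string stands
# in for a virus signature and the archives are constructed in memory; both
# are assumptions for this example, as is the decision to block (rather than
# pass) content nested deeper than the limit or larger than the size cap.
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-A-REAL-SIGNATURE"
MAX_LAYERS = 12


def scan_bytes(data, max_layers=MAX_LAYERS, max_member_bytes=1 << 20, _layer=0):
    """Return 'infected', 'clean', or a 'blocked: ...' reason.

    _layer counts how many archives enclose `data`; members of the outermost
    archive are at layer 1, so content is inspected down to max_layers archives
    deep and anything deeper is blocked instead of being passed unscanned.
    """
    if _layer > max_layers:
        return "blocked: more than %d layers of compression" % max_layers
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.file_size > max_member_bytes:
                    return "blocked: oversized member %s" % member.filename
                result = scan_bytes(archive.read(member), max_layers,
                                    max_member_bytes, _layer + 1)
                if result != "clean":
                    return result          # first infected or blocked member decides
        return "clean"
    return "infected" if MARKER in data else "clean"


def nest(payload, layers):
    """Constructed input: wrap payload inside `layers` zip archives."""
    data = payload
    for depth in range(layers):
        buffer = io.BytesIO()
        with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
            archive.writestr("layer%d.bin" % depth, data)
        data = buffer.getvalue()
    return data
```

The size cap matters as much as the layer limit: the declared file_size of a member is checked before it is expanded, so a small archive that inflates to a very large member is refused before it consumes the scanner's memory, which is the same reason the unit caps the memory it will spend on oversized files.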
File blocking
Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks.
Blocking oversized files and emails
You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email.
Web filtering
Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.
4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 136. 5 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file.
Figure 38: Example banned word list
URL blocking
You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter.
3 Type the URL/Pattern to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website.
Downloading the URL block list
You can back up the URL block list by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Block.
Using the Cerberian web filter
The FortiGate unit supports Cerberian web filtering. For information about Cerberian web filter, see www.
4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255.
5 Create a new or select an existing content profile and enable Web URL Block. 6 Go to Firewall > Policy. 7 Create a new or select an existing policy that will use the content profile.
Exempt URL list
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking.
Email filter
Email filtering is enabled in firewall policies.
Email banned word list
When the FortiGate unit detects email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log.
Email block list
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses.
Adding address patterns to the email exempt list
1 Go to Email Filter > Exempt List. 2 Select New to add an address pattern to the email exempt list. 3 Type the address pattern to exempt.
Logging and reporting
You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events.
Recording logs on a remote computer
Use the following procedure to configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server.
Recording logs in system memory
If your FortiGate unit does not contain a hard disk, yo.
4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
Configuring traffic logging
You can configure the FortiGate unit to record traffic log message.
Configuring traffic filter settings
Use the following procedure to configure the information recorded in all traffic log messages. 1 Go to Log&Report > Log Setting > Traffic Filter.
4 Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected in "Enabling traffic logging" on page 253.
Searching logs
Use the following procedure to search log messages saved in system memory: 1 Go to Log&Report > Logging. 2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
3 In the SMTP Server field, type the name of the SMTP server to which the FortiGate unit should send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit.
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.