Instruction/maintenance manual of the product FortiGate 4000 Fortinet
FortiGate-4000 User Manual
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents
Introduction .......... 15
  Antivirus protection
Installing hardware .......... 37
  Choosing a suitable environment
Using the command line interface .......... 64
  Configuring the FortiGate unit to operate in NAT/Route mode
Managing an HA cluster .......... 87
  Configuring cluster interface monitoring
System status .......... 118
  Viewing CPU and memory status
Network configuration .......... 141
  Configuring zones
RIP configuration .......... 167
  RIP settings
Addresses .......... 202
  Adding addresses
Configuring LDAP support .......... 231
  Adding LDAP servers
Network Intrusion Detection System (NIDS) .......... 271
  Detecting attacks
Script filtering .......... 297
  Enabling script filtering
FortiGate-4000 Installation and Configuration Guide, Version 2.50
Introduction: FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering.
Antivirus protection: FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit.
Email filtering: FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content.
NAT/Route mode: In NAT/Route mode, you can create NAT mode policies and Route mode policies. • NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
VPN: Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
Secure installation, configuration, and management: The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies.
Command line interface: You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector.
Document conventions: execute restore config <filename_str>: you enter restore config myfile.bak. <xxx_str> indicates an ASCII string variable keyword. <xxx_integer> indicates an integer variable keyword.
Fortinet documentation: • Volume 4: FortiGate NIDS Guide. Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
Customer service and technical support.
Getting started: This chapter describes unpacking, setting up, and powering on a FortiGate-4000 Antivirus Firewall.
Warnings and cautions: You should be aware of the following cautions and warnings before operating the FortiGate-4000 antivirus firewall. Warning: Turning off all power switches may not turn off all power to the FortiGate-4000 unit.
Figure 2: FortiGate-4000 package contents. Physical description: The FortiGate-4000 chassis is a 4U 19-inch ra.
Front panel features: Figure 3 shows the location of the FortiGate-4000 chassis front panel components. The front panel contains and provides access to up to 10 FortiBlade-4010 modules and the KVM switch module.
FortiBlade-4010 module: Each FortiBlade-4010 module is an independent FortiGate-4000 antivirus firewall capable of operating at gigabit network speeds. You can install up to 10 FortiBlade-4010 modules in the FortiGate-4000 chassis.
KVM switch module: Use the KVM switch module to switch serial connections to the CLI of each FortiBlade-4010 module installed in the FortiGate-4000 chassis.
Rear panel features: The FortiGate-4000 chassis rear panel contains and provides access to 4 cooling fan trays, 7 power supply modules, 3 power supply connectors, the management module, and the 10/100 out of band management module.
Figure 7: FortiGate-4000S rear panel. Power supplies and power connections: The FortiGate-4000 chassis contains 7 power supply modules. Each power supply can provide a maximum of 350 watts for a total of 2100 watts, in 6+1 hot-swap redundant configuration that includes load balancing.
Cooling fan trays: The FortiGate-4000 chassis is cooled using four hot swappable cooling fan trays. Each tray includes one 10-cm ball bearing fan unit. Figure 9 illustrates a cooling fan tray.
10/100 out of band management module: The 10/100 out of band management module provides a dedicated ethernet connection to manage each FortiBlade-4010 module installed in the FortiGate-4000 chassis.
Pass-through interface module: Two pass-through interface modules are installed on the FortiGate-4000P. The internal pass-through interface module connects to each FortiBlade-4010 internal interface.
The internal switched interface module provides two gigabit connections to the internal interfaces of the FortiBlade-4010 modules installed in the FortiGate-4000 chassis.
Installing hardware: This section describes how to install FortiGate-4000 hardware.
Figure 14: Rail mounting locations. Installing FortiBlade-4010 modules: Install a FortiBlade-4010 module by removing a FortiGate-4000 unit slot cover and replacing it with a FortiBlade-4010 module.
FortiGate-4000P network connections: Use the following steps to connect your internal and external networks to the FortiGate-4000P pass-through interface modules that support 1000Base-T connections.
Out of band management connections: You can manage the FortiBlade-4010 modules by connecting to the 10/100 out of band management module.
2 Connect the three power cables to the power connection module on the FortiGate-4000 chassis back panel. 3 Connect the power cables to power outlets. 4 Turn on the power switch on each power supply module.
Hot swapping FortiBlade-4010 modules: Follow this procedure to hot swap the FortiBlade-4010 modules. For information about the FortiBlade-4010 module, see “FortiBlade-4010 module” on page 29.
7 Slide the power supply module into the slot until the lock clicks into place. 8 Turn on the power supply. 9 Replace the locking strip. 10 Quickly toggle the chassis power supply switch to turn on the power supply module.
2 Unscrew the two locking screws to remove the module’s locking strip. 3 Loosen its two mounting knobs. Do not remove the mounting knobs. 4 Pull out the management module. 5 Insert the new management module into the chassis.
Connecting to the FortiGate-4000 internal interface module: To connect to the web-based mana.
Figure 16: FortiGate login. Connecting to the FortiGate-4000 10/100 out of band management module: To connect to the web-based man.
To change the out of band management IP address: 1 After logging into the FortiGate-4000 unit, go to System > Network > OOB Management.
8 Press Enter to connect to the CLI of the FortiGate-4000 unit. The following prompt is displayed: FortiGate-4000 login: 9 Type admin and press Enter twice. The following prompt is displayed: Type ? for a list of commands.
Table 14: Factory default firewall configuration
Internal Address: Internal_All, IP: 0.0.0.0, Mask: 0.0.0.0. Represents all of the IP addresses on the internal network.
External Address: External_All, IP: 0.
Factory default content profiles: You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Web content profile: Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Unfiltered content profile: Use the unfiltered content profile if you do not want to apply content protection to traffic.
Planning the FortiGate configuration: For each FortiGate-4000 unit, the following interfaces are available for processing network traffic in NAT/Route mode: • External: the interface to the external network (usually the Internet).
You typically use a FortiGate-4000 unit in Transparent mode on a private network behind an existing firewall or behind a router.
Figure 19: HA network configuration in NAT/Route mode. Figure 20: HA network configuration in Transparent mode. FortiGate-4000P.
Figure 21: FortiGate-4000P HA configuration. FortiGate-4000S HA configuration: In the Fort.
Figure 22: FortiGate-4000P configuration with load balancers.
FortiGate model maximum values matrix: Table 19: FortiGate maximum values matrix FortiGa.
Next steps: Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 61.
NAT/Route mode installation: This chapter describes how to install the FortiGate unit in NAT/Route mode.
Advanced NAT/Route mode settings: Use Table 21 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings. External interface IP: _____.
Out of band management interface: Use Table 22 to record the IP address, netmask, and default gateway of the FortiGate-4000 out of band management interface if you are configuring this interface during installation.
Using the command line interface: As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI).
6 Optionally, set the secondary DNS server IP addresses. Enter set system dns secondary <IP address> Example set system dns secondary 293.
Configuring your networks: If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected.
Registering your FortiGate unit: After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.
Transparent mode installation: This chapter describes how to install your FortiGate unit in Transparent mode.
Out of band management interface: Use Table 24 to record the IP address, netmask, and default gateway of the FortiGate-4000 out of band management interface if you are configuring this interface during installation.
Reconnecting to the web-based manager: If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address.
Configure the Transparent mode default gateway: 1 Make sure that you are logged into the CLI. 2 Set the default route to the default gateway that you recorded in Table 23 on page 69.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy. 4 Select the Scan Content Profile.
Transparent mode configuration examples: A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network.
Example default route to an external network: Figure 23 shows a FortiGate unit where all destinations, including the management computer, are located on the external network.
Web-based manager example configuration steps: To configure basic Transparent mode settings and a default route using the web-based manager 1 Go to System > Status.
Figure 24: Static route to an external destination. General configuration steps: 1 Set the FortiGate unit to operate in Transparent mode.
2 Go to System > Network > Management. • Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0 • Select Apply. 3 Go to System > Network > Routing.
Figure 25: Static route to an internal destination. General configuration steps: 1 Set the unit to operate in Transparent mode.
Web-based manager example configuration steps: To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status.
High availability: Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP).
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units.
6 Select the HA mode. Select Active-Active mode to create an Active-Active HA cluster. Select Active-Passive mode to create an Active-Passive HA cluster.
Figure 26: Example Active-Active HA configuration. 11 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster.
To connect the cluster: 1 Connect the cluster units: For FortiGate-4000S: • Connect your internal network to the internal switched interface module.
Figure 28: FortiGate-4000P HA network configuration. Adding a new FortiGate unit to a functioning cluster: You can add a new FortiGate unit to a functioning cluster at any time.
Managing an HA cluster: The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster.
This section describes: • Configuring cluster interface monitoring • Viewing the status of cluster members • Monitoring cluster me.
Figure 29: Example cluster members list. Monitoring cluster members: To monitor health information for each cluster member 1 Connect to the cluster and log into the web-based manager.
4 Select Virus & Intrusions. The cluster displays virus and intrusions status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number.
3 Select the serial number of one of the units in the cluster to display the logs for this cluster unit. You can view logs saved to memory or logs saved to the hard disk, depending on the configuration of the cluster unit.
Managing individual cluster units: You can connect to the CLI of each unit in the cluster. This procedure describes how to log into the primary unit CLI and from there connect to the CLI of subordinate cluster units.
Synchronizing the cluster configuration: Cluster synchronization keeps all units in the cluster synchronized with the master unit.
Upgrading firmware: To upgrade the firmware of the FortiGate units in a cluster, you must upgrade the firmware of each unit separately. In most cases, if you are upgrading to a new firmware build within the same firmware version (for example, upgrading from 2.
Replacing a FortiGate unit after failover: A failover can occur because of a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power.
Configuring the priority of each FortiGate unit in the cluster: In addition to selecting a permanent primary FortiGate unit, you can set the priorities of each of the subordinate units in the cluster to control the failover path.
This command has the following results: • The first connection is processed by the primar.
In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP requests. Therefore, the client and the server only know the gateway MAC address (MAC_V), which is a virtual MAC address created by the HA cluster.
Transparent mode packet flow: In transparent mode, six MAC addresses are involved in active.
System status: You can connect to the web-based manager and view the current system status of the FortiGate unit.
Changing the FortiGate host name: The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 180.
Upgrading to a new firmware version: Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
11 Update antivirus and attack definitions. For information, see “Manually initiating antiviru.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.
11 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed: • FortiGate unit running v2.
To run this procedure you: • access the CLI by connecting to the FortiGate console port using a null-modem cable, • install a TFTP server that you can connect to from the FortiGate internal interface.
9 Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: 10 Type the address of the internal interface of the FortiGate unit and press Enter.
To install a backup firmware image: 1 Connect to the CLI using the null-modem cable and FortiGate console port. 2 Make sure that the TFTP server is running. 3 Copy the new firmware image file to the root directory of your TFTP server.
Switching to the backup firmware image: Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed.
To switch back to the default firmware image: 1 Connect to the CLI using the null-modem cable and FortiGate console port. 2 Enter the following command to restart the FortiGate unit: execute reboot. As the FortiGate unit starts, a series of system startup messages are displayed.
Manual attack definition updates: The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS).
To back up system settings: 1 Go to System > Status. 2 Select System Settings Backup. 3 Select Backup System Settings. 4 Type a name and location for the file. The system settings file is backed up to the management computer.
For information about restoring system settings, see “Restoring system settings” on page 116. Changing to Transparent mode: Use the following procedure to change the FortiGate unit from NAT/Route mode to Transparent mode.
4 Select OK. The FortiGate unit changes operation mode. 5 To reconnect to the web-based manager you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal interface.
Viewing CPU and memory status: Current CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only.
Viewing sessions and network status: Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth.
Viewing virus and intrusions status: Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
Session list: The session list displays information about the communications sessions currently being processed by the FortiGate unit.
Page 123 (FortiGate-4000 Installation and Configuration Guide, Version 2.50). Virus and attack definitions updates and registration: You can configure.
Page 124. Updating antivirus and attack definitions: The Update page on the web-based manager displays the following antivirus and attack definition update information.
Page 125. Manually initiating antivirus and attack definitions updates: You can use the following procedure to update the antivirus and attack definitions at any time.
Page 126. Configuring update logging: Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions.
Page 127. 4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
Page 128. Enabling scheduled updates through a proxy server: If your FortiGate unit must connect to the Internet t.
Page 129. When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates.
Page 130. Example: push updates through a NAT device: This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network.
Page 131. General procedure: Use the following steps to configure the FortiGa.
Page 132. Figure 38: Push update port forwarding virtual IP. Adding a firewall policy for the port forwarding virtual IP: To configure the FortiGate NAT device 12 18-6.
Page 133. 4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
Page 134. All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date.
Page 135. • The product model and serial number for each FortiGate unit that you want to register. The serial number is located on a label on the bottom of the FortiGate unit.
Page 136. 7 Select Finish. If you have not entered a FortiCare Support Contract number (SCN) you can return to the previous page to enter the number.
Page 137. 7 Select Support Login. 8 When you receive your new password, enter your user name and new password to log into the Fortinet support web site.
Page 138. 7 Enter the serial number of the FortiGate unit. 8 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Page 139. 3 Enter your Fortinet support user name and password. 4 Select Login. 5 Select My Profile. 6 Select Edit Profile.
Page 140. For information about how to install the downloaded files, see “Manual virus definition updates” on page 114 and “Manual attack definition updates” on page 115.
Page 141. Network configuration: You can use the System Network page to change any of.
Page 142. Adding zones: The new zone does not appear in the policy grid until you add an interface to it, see “To add an interface to a zone” below, and add a firewall address for it (see “Adding addresses” on page 202).
Page 143. Viewing the interface list: To view the interface list 1 Go to System > Network > Interface.
Page 144. To add an interface to a zone 1 Go to System > Network > Interface. 2 Choose the interface or VLAN subinterface to add to a zone and select Modify. 3 From the Belong to Zone list, select the zone that you want to add the interface to.
Page 145. 4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.
Page 146. 7 Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses. 8 Select Status: to refresh the addressing mode status message.
Page 147. Controlling administrative access to an interface: For a FortiGate unit running in NAT/Route mod.
Page 148. Changing the MTU size to improve network performance: To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface.
Page 149. • Enable secure administrative access to this interface using only HTTPS or SSH, • Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 176).
Page 150. 5 Select Log for the interface if you want to record log messages whenever an administrator connects to the out of band management interface.
Page 151. A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs.
Page 152. Rules for VLAN IP addresses: IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
Page 153. Virtual domains in Transparent mode: In Transparent mode, the FortiGate unit can apply firewall policies and services, such as virus scanning, to traffic on an IEEE 802.
Page 154. Figure 44: FortiGate unit with two virtual domains. Virtual domain properties: A virtual domain has the following exclusive properties: • VLAN name, • VLAN ID, • VLAN interface assignment, • VLAN zone assignment (optional), • Firewall policy.
Page 155. Adding a virtual domain: Use the following procedure to add a virtual domain to the FortiGate unit. You must add at least one virtual domain to support VLANs in Transparent mode.
Page 156. Adding zones to virtual domains: Add zones to a virtual domain to group together related VLAN subinterfaces. Use zones to simplify firewall policy creation if you have many VLAN subinterfaces in a virtual domain.
Page 157. 6 Select OK to save your changes. You can also use the procedure “Adding VLAN sub.
Page 158. Deleting virtual domains: You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain.
Page 159. Adding a default route: You can add a default route for network traffic leaving the external interface. To add a default route 1 Go to System > Network > Routing Table.
Page 160. 6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. You can select the name of an interface, VLAN subinterface, or Auto (the default).
Page 161. 5 Select OK to save the new route. 6.
Page 162. Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules.
Page 163. Configuring a DHCP relay agent: In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server.
Page 164. You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets.
Page 165. Adding a reserve IP to a DHCP server: If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device.
Page 166. Configuring DHCP services.
Page 167. RIP configuration: The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453.
Page 168. 5 Change the following RIP timer settings, as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems.
Page 169. Figure 47: Configuring RIP settings. Configuring RIP for FortiGate interfaces: You can customize a RIP configuration for each FortiGate interface.
Page 170. 4 Select OK to save the RIP configuration for the selected interface. Figure 48: Example RIP configuration for an internal interface. Password: Enter the password to be used for RIP version 2 authentication.
Page 171. Adding RIP filters: Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter.
Page 172. 3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
Page 173. Assigning a RIP filter list to the outgoing filter: The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter.
Page 174. Adding RIP filters.
Page 175. System configuration: Use the System Config page to make any of the following.
Page 176. 9 Select Apply. Figure 49: Example date and time setting. Changing system options: On the System Config Options page, you can: • Set the system idle timeout. • Set the authentication timeout.
Page 177. 3 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 227.
Page 178. Adding and editing administrator accounts: When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin.
Page 179. Editing administrator accounts: The admin account user can change individual admi.
Page 180. Configuring SNMP: You can configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access.
Page 181. To configure SNMP access to an interface in Transparent mode 1 Go to System > Network > Management. 2 Choose the interface that the SNMP manager connects to and select SNMP.
Page 182. Figure 50: Sample SNMP configuration. FortiGate MIBs: The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 28.
Page 183. FortiGate traps: The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit.
Page 184. VPN traps, NIDS traps, Antivirus traps, Logging traps. Table 31: FortiGate VPN traps. Trap message: VPN tunnel is up. Description: An IPSec VPN tunnel starts up and begins processing network traffic.
Page 185. Fortinet MIB fields: The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product.
Page 186. Users and authentication configuration, VPN configuration and status, NIDS configuration, Antivirus configuration, Web filter configuration. Table 37: User and authentication MIB fields. FnUserLocalTable: Local user list.
Page 187. Logging and reporting configuration. Replacement messages: Replacement messages are added to content p.
Page 188. Customizing replacement messages: Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages.
Page 189. Customizing alert emails: Customize alert emails to control the content displayed in alert email messages sent to system administrators. To customize alert emails 1 Go to System > Config > Replacement Messages.
Page 190. %%SOURCE_IP%%: The IP address from which the blocked file was received. For email this is the IP address of the email server that sent the email containing the blocked file. For HTTP this is the IP address of the web page that sent the blocked file.
Page 191. Firewall configuration: Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request.
Page 192. • IP/MAC binding • Content profiles. Default firewall configuration: By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections.
Page 193. VLAN subinterfaces: You can also add VLAN subinterfaces to the FortiGate configuration to control connections between VLANs.
Page 194. You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map addresses on one network to a translated address on another network.
Page 195. 3 Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.
Page 196. Firewall policy options: This section describes the options that you can add to firewall policies. Source: Select an address or address group that matches the source address of the packet.
Page 197. NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port.
Page 198. Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy.
Page 199. Figure 54: Adding a Transparent mode policy. Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection.
Page 200. Configuring policy lists: The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general.
Page 201. Changing the order of policies in a policy list: To change the order of a policy in a policy list 1 Go to Firewall > Policy. 2 Select the policy list that you want to change the order of.
Page 202. Addresses: All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy.
Page 203. 6 Enter the Netmask. The netmask corresponds to the type of address that you are adding. For example: • The netmask for the IP address of a single computer should be 255.
Page 204. Deleting addresses: Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy. To delete an address 1 Go to Firewall > Address.
Page 205. Figure 56: Adding an internal address group. Services: Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy.
Page 206. GRE: Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
Page 207. LDAP: Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389. NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium.
Page 208. Adding custom TCP and UDP services: Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list. To add a custom TCP or UDP service 1 Go to Firewall > Service > Custom.
Page 209. Adding custom ICMP services: Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list. To add a custom ICMP service 1 Go to Firewall > Service > Custom.
Page 210. 3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Page 211. Creating one-time schedules: You can create a one-time schedule that activates or deactivates a policy for a specified period of time.
Page 212. Creating recurring schedules: You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule.
Page 213. Adding schedules to policies: After you create schedules, you can add them to policies to schedule when the policies are active.
Page 214. This section describes: • Adding static NAT virtual IPs • Adding port forwarding virtual IPs • Adding policies with virtual IPs. Adding static NAT virtual IPs: To add a static NAT virtual IP 1 Go to Firewall > Virtual IP.
Page 215. 7 In Map to IP, type the real IP address on the destination network, for example, the IP address of a web server on an internal network. 8 Select OK to save the virtual IP.
Page 216. 6 Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address.
Page 217. Figure 61: Adding a port forwarding virtual IP. Adding policies with virtual IPs: Use the following procedure to add a policy that uses a virtual IP to forward packets.
Page 218. 4 Select OK to save the policy. IP pools: An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface.
Page 219. Figure 62: Adding an IP Pool. IP Pools for firewall policies that use fixed ports: Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection.
Page 220. IP/MAC binding: IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer.
Page 221. For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list: • A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
Page 222. 3 Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.
Page 223. Figure 63: IP/MAC settings. Content profiles: Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Page 224. Default content profiles: The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.
Page 225. 6 Enable the email filter protection options that you want. 7 Enable the fragmented email and oversized file and email options that you want. 8 Select OK.
Page 226. Adding content profiles to policies: You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
FortiGate-4000 Inst all ation and Configuration Guide V ersion 2.50 FortiGate-4000 Installation and Configuration Guide 227 Users and authentication FortiGate un its support user authe ntication to the FortiGate user database, a RADIUS server , a nd an LD AP server .
228 Fortinet Inc. Setting authentication timeout Users and authenticati on This chapter describes : • Setting authentication timeout • Adding user names and co nfiguring authentication • Configu.
Users and authentication Adding user names and con figuring authentica tion FortiGate-4000 Installation a nd Configuration Guid e 229 5 Select the T ry other servers if connect to selected server fail.
230 Fortinet Inc. Configuring RADIUS supp ort Users and authentication Configuring RADIUS support If you have configur ed RADIUS support and a user is required to authenticate using a RADIUS server , the FortiGate unit cont ac ts the RADIUS server for authentication.
Users and authentication Configuring LDAP suppo rt FortiGate-4000 Installation and Configuration Guide 231 Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server , the FortiGate unit contact s the LDAP server for authentication.
232 Fortinet Inc. Configuring user g roups Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server . Enter the base distinguishe d name for the server using the correct X.500 or LDAP format. The FortiGate u nit passes this distinguished name unchanged to the server .
Users and authentication Configuring user groups FortiGate-4000 Installation and Configuration Guide 233 • IPSec VPN Phase 1 configurations for dial up users. Only users in the selec ted user group can authenticate to use th e VPN tunnel. • XAuth for IPSec VPN Phase 1 configurations.
234 Fortinet Inc. Configuring user g roups Users and authentication 3 Enter a Group Name to identify th e user group. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed.
FortiGate-4000 Inst all ation and Configuration Guide V ersion 2.50 FortiGate-4000 Installation and Configuration Guide 235 IPSec VPN A Virtua l Private Network (VPN) is an extension of a private network that encompasses links across sh ared or public networks such as the Intern et.
236 Fortinet Inc. Key management IPSec VPN Key management There are three basic elem ents in any en cryption system: • an algorithm that change s info rmation into code, • a cryptographic key that serves as a secret starting point for the algorithm, • a management system to control the ke y .
IPSec VPN Manual key IPSec VPNs FortiGate-4000 Installation and Configuration Guide 237 In some respect s, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.
238 Fortinet Inc. Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexade cimal number of up to eight digit s (digits can be 0 to 9, a to f) in the rang e bb8 to FFFFFFF . This number must be added to the Local SPI at the opposite end of the tunnel.
IPSec VPN AutoIKE IPSec VPNs FortiGate-4000 Installation and Configuration Guide 239 AutoIKE IPSec VPNs FortiGate unit s support two methods of Au tomatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
240 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 3 T ype a Gateway Name for the remot e VPN peer . The remote VPN pee r can be either a gatewa y to another netw ork or an individual client on the In ternet. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _.
IPSec VPN AutoIKE IPSec VPNs FortiGate-4000 Installation and Configuration Guide 241 10 Configure the Local ID the that the FortiGate un it sends to the remote VPN peer . • Preshared key: If the FortiGate unit is fu nctioning as a client and uses its ID to authenticate it self to the remote VPN peer , enter an ID.
242 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Optionally , configure NA T Traver sal. 5 Optionally , configure Dead Peer Detection . Use these settings to monitor the st atus of the connec tion between VPN peer s. DPD allows dead connections to be cleane d up and new VPN tunnels est ablished.
IPSec VPN AutoIKE IPSec VPNs FortiGate-4000 Installation and Configuration Guide 243 Figure 69: Adding a ph ase 1 con figuration ( St andard options) Figure 70: Adding a ph ase 1 con figuration ( Adva.
244 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN Adding a phase 2 configurat ion for an AutoIKE VPN Add a phas e 2 configu ration to spec ify the paramete rs used to c reate and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration.
Managing digital certificates
Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants.
6 Configure the key.
7 Select OK to generate the private and public key pair and the certificate request. The private/public key pair is generated and the certificate request is displayed on the Local Certificates list with a status of Pending.
Downloading the certificate request
Use the following procedure to download a certificate request from the FortiGate unit to the management computer.
To download the certificate request
1 Go to VPN > Certificates > Local Certificates.
Obtaining CA certificates
For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority.
Configuring encrypt policies
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year).
Adding a destination address
The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
For information about configuring the remaining policy settings, see “Adding firewall policies” on page 194.
Figure 73: Adding an encrypt policy
IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes.
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.
See “Adding an encrypt policy” on page 251.
5 Arrange the policies in the following order:
• encrypt
VPN spoke general configuration steps
A remote VPN peer that functions as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
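The ordering instruction above (encrypt policies first) matters because firewall policies are evaluated top-down and the first match wins: a spoke's catch-all Internet policy accepts traffic to any destination, so if it sits above the encrypt policies, spoke-to-spoke traffic matches it and leaves in the clear instead of entering the tunnel. The Python below is an added example, not from this manual and not Fortinet code; it reduces policies to source/destination ranges and an action, evaluates a flow both ways, and lints a policy list for encrypt policies shadowed by an earlier non-encrypt policy. The addresses are constructed and the action names ENCRYPT/ACCEPT are assumptions of the example.

```python
import ipaddress


class Policy:
    """A firewall policy reduced to the parts that matter for ordering:
    source and destination address ranges and the action taken."""

    def __init__(self, name, src, dst, action):
        self.name = name
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.action = action  # "ENCRYPT" (into a VPN tunnel) or "ACCEPT" (in the clear)

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def first_match(policies, src_ip, dst_ip):
    """Policies are evaluated top-down; the first match decides the flow."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip):
            return policy
    return None


def route_flow(policies, src_ip, dst_ip):
    """Return (policy name, action) chosen for a flow, or None if nothing matches."""
    policy = first_match(policies, src_ip, dst_ip)
    return (policy.name, policy.action) if policy else None


def shadowed_encrypt_policies(policies):
    """Report ENCRYPT policies that sit below a non-encrypt policy whose address
    ranges overlap them: part of their traffic would never reach the tunnel."""
    problems = []
    for i, enc in enumerate(policies):
        if enc.action != "ENCRYPT":
            continue
        for earlier in policies[:i]:
            if (earlier.action != "ENCRYPT" and earlier.src.overlaps(enc.src)
                    and earlier.dst.overlaps(enc.dst)):
                problems.append(f"{enc.name} is shadowed by {earlier.name}")
    return problems


# Constructed addressing: this spoke's LAN, the hub's LAN and another spoke's
# LAN (reached through the hub), plus a catch-all policy for the Internet.
SPOKE_LAN = "10.1.0.0/24"
HUB_LAN = "10.0.0.0/24"
OTHER_SPOKE_LAN = "10.2.0.0/24"

ENCRYPT_POLICIES = [
    Policy("to-hub", SPOKE_LAN, HUB_LAN, "ENCRYPT"),
    Policy("to-other-spoke", SPOKE_LAN, OTHER_SPOKE_LAN, "ENCRYPT"),
]
INTERNET_POLICY = Policy("to-internet", SPOKE_LAN, "0.0.0.0/0", "ACCEPT")

CORRECT_ORDER = ENCRYPT_POLICIES + [INTERNET_POLICY]   # encrypt policies first
WRONG_ORDER = [INTERNET_POLICY] + ENCRYPT_POLICIES     # catch-all on top

if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, route_flow(order, "10.1.0.5", "10.2.0.7"),
              route_flow(order, "10.1.0.5", "203.0.113.10"),
              shadowed_encrypt_policies(order))
```

In the wrong order the flow from 10.1.0.5 to the other spoke is accepted by to-internet and forwarded unencrypted; the lint reports both encrypt policies as shadowed, which is the check to run whenever a policy list is re-ordered.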
See “Adding an encrypt policy” on page 251.
Monitoring and Troubleshooting VPNs
Viewing dialup VPN connection status
You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway.
PPTP and L2TP VPN
You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network.
Configuring PPTP
Configuring the FortiGate unit as a PPTP gateway
Use the following procedures to configure the FortiGate unit as a PPTP gateway:
To add users and user groups
Add a user for each PPTP client.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
5 Select OK to save the source address.
6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP.
7 Set Action to ACCEPT.
8 Select NAT if address translation is required.
To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.
5 Name the connection and select Next.
6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
Configuring L2TP
Some implementations of L2TP support elements of IPSec.
To add source addresses
Add a source address for every address in the L2TP address range.
1 Go to Firewall > Address.
2 Select the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone.
2 Select the policy list that you want to add the policy to (usually, External -> Internal).
3 Select New to add a policy.
4 Set Source to the group that matches the L2TP address range.
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSEC is selected.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8 Select Finish.
To configure the VPN connection
1 Right-click the icon that you created.
8 Add the following registry value to this key:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
9 Save the changes and restart the computer for the changes to take effect.
Note that with ProhibitIpSec set to 1 the Windows client brings up the L2TP tunnel without IPSec, so the tunnel is not protected by IPSec encryption or authentication; treat this as a plain L2TP connection when deciding what traffic may cross it.
Network Intrusion Detection System (NIDS)
The FortiGate NIDS is a real-time
Detecting attacks
Selecting the interfaces to monitor
To select the interfaces to monitor for attacks
1 Go to NIDS > Detection > General.
2 Select the interfaces to monitor for network attacks.
Viewing the signature list
You can display the current list of NIDS signature groups and the members of a signature group.
To view the signature list
1 Go to NIDS > Detection > Signature List.
Figure 80: Example signature group members list
Disabling NIDS attack signatures
By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks.
To add user-defined signatures
1 Go to NIDS > Detection > User Defined Signature List.
Preventing attacks
NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values.
Setting signature threshold values
You can change the default threshold values for the NIDS Prevention signatures listed in Table 48.
To set Prevention signature threshold values
1 Go to NIDS > Prevention.
2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
Logging attacks
The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue.
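Two mechanisms from the preceding passages fit together: a threshold-based prevention signature fires every time the packet rate for one flow exceeds its threshold inside a time window, which during a real flood means once per packet, and the alert email queue is what stops that from becoming hundreds of identical emails. The Python below is an added example for this page, not Fortinet code: a sliding-window threshold signature, a duplicate-suppressing alert queue implemented as the page describes, and constructed sample traffic. The threshold and window values are assumptions, not the figures from Table 48, and the signature and field names are invented for the example.

```python
from collections import defaultdict, deque


class ThresholdSignature:
    """A prevention signature with a threshold: it fires once `threshold`
    matching packets have been seen for one key within `window_ms`."""

    def __init__(self, name, predicate, key, threshold, window_ms):
        self.name = name
        self.predicate = predicate    # packet -> bool: does this packet count?
        self.key = key                # packet -> value the count is kept per
        self.threshold = threshold
        self.window_ms = window_ms
        self.windows = defaultdict(deque)

    def feed(self, pkt):
        """Account one packet; return an alert dict when the threshold is reached."""
        if not self.predicate(pkt):
            return None
        k = self.key(pkt)
        q = self.windows[k]
        q.append(pkt["t_ms"])
        while q and pkt["t_ms"] - q[0] > self.window_ms:
            q.popleft()               # drop timestamps that left the window
        if len(q) >= self.threshold:
            return {"signature": self.name, "key": k, "count": len(q), "t_ms": pkt["t_ms"]}
        return None


class AlertEmailQueue:
    """Follows the page's description: each new message is compared with the
    messages already in the queue; a non-duplicate is sent at once and a copy
    is kept in the queue so that later repeats are recognised."""

    def __init__(self):
        self.queue = []
        self.sent = []

    @staticmethod
    def fingerprint(alert):
        # Same signature against the same key counts as a duplicate.
        return (alert["signature"], alert["key"])

    def submit(self, alert):
        if any(self.fingerprint(q) == self.fingerprint(alert) for q in self.queue):
            return False              # duplicate, suppressed
        self.queue.append(alert)
        self.sent.append(alert)
        return True


def syn_flood_signature(threshold=100, window_ms=1000):
    # Threshold and window are assumed values, not the page's Table 48.
    return ThresholdSignature("tcp.syn.flood",
                              predicate=lambda p: p["proto"] == "tcp" and p["flags"] == "S",
                              key=lambda p: (p["src"], p["dst"]),
                              threshold=threshold, window_ms=window_ms)


def icmp_flood_signature(threshold=50, window_ms=1000):
    return ThresholdSignature("icmp.flood",
                              predicate=lambda p: p["proto"] == "icmp",
                              key=lambda p: (p["src"], p["dst"]),
                              threshold=threshold, window_ms=window_ms)


def constructed_packets():
    """Constructed sample traffic: 120 SYNs in 1.2 s from one source (a flood),
    five legitimate SYNs from another host and three pings."""
    pkts = [{"t_ms": i * 10, "proto": "tcp", "flags": "S",
             "src": "198.51.100.7", "dst": "192.0.2.10"} for i in range(120)]
    pkts += [{"t_ms": 100 + i * 200, "proto": "tcp", "flags": "S",
              "src": "203.0.113.9", "dst": "192.0.2.10"} for i in range(5)]
    pkts += [{"t_ms": 300 + i * 100, "proto": "icmp", "flags": "",
              "src": "203.0.113.9", "dst": "192.0.2.10"} for i in range(3)]
    return sorted(pkts, key=lambda p: p["t_ms"])


def run(packets):
    """Return (alerts raised by the signatures, alert emails actually sent)."""
    signatures = [syn_flood_signature(), icmp_flood_signature()]
    mailq = AlertEmailQueue()
    alerts = []
    for pkt in packets:
        for sig in signatures:
            alert = sig.feed(pkt)
            if alert is not None:
                alerts.append(alert)
                mailq.submit(alert)
    return alerts, mailq.sent


if __name__ == "__main__":
    raised, sent = run(constructed_packets())
    print(f"{len(raised)} alerts raised, {len(sent)} alert emails sent")
```

On the constructed flood the signature fires 21 times (once for packet 100 and once for every packet after it that keeps the window over threshold) and exactly one alert email goes out. The page does not say how long a copy stays in the queue, so this queue never expires entries; a real implementation needs an expiry or the same attacker is never reported twice.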
Antivirus protection
You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves.
Antivirus scanning
Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection.
Figure 82: Example content profile for virus scanning
File blocking
Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks.
By default, when blocking is enabled, the FortiGate unit blocks the following file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.
Blocking oversized files and emails
You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email.
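The practical consequence of the "up to 12 layers" limit above is that anything nested deeper is never seen by the scanner, so a content policy has to decide what happens to such a file rather than silently passing it; and file blocking by pattern sits in front of scanning, removing a matching file without opening it. The Python below is an added example written for this page, not Fortinet's engine: it recursively opens zip, gzip and tar containers up to a 12-layer limit, flags content it could not reach, applies the default block patterns as far as the page lists them, and uses a constructed marker string in place of a real virus signature. The sample archives are built inline.

```python
import fnmatch
import gzip
import io
import tarfile
import zipfile

MAX_LAYERS = 12      # the page: files compressed with up to 12 layers are opened
# Default block patterns as far as the page's list survives (it is cut off).
DEFAULT_BLOCK_PATTERNS = ["*.bat", "*.com", "*.exe", "*.gz", "*.rar", "*.tar"]
MARKER = b"SAMPLE-MALWARE-MARKER"   # constructed stand-in for a virus signature


def fake_engine(data):
    """Stand-in for the virus engine: returns a name if the marker is present."""
    return "Sample.Marker" if MARKER in data else None


def name_blocked(name, patterns):
    base = name.rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatch(base, p) for p in patterns)


def scan(name, data, file_block=False, patterns=DEFAULT_BLOCK_PATTERNS,
         depth=0, findings=None):
    """Open zip, gzip and tar containers recursively, at most MAX_LAYERS deep,
    and return findings as (kind, name[, detail]) tuples."""
    if findings is None:
        findings = []
    if file_block and name_blocked(name, patterns):
        findings.append(("blocked-pattern", name))      # removed, never opened
        return findings
    if depth > MAX_LAYERS:
        findings.append(("depth-exceeded", name))        # beyond what is scanned
        return findings
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    scan(f"{name}/{info.filename}", zf.read(info), file_block,
                         patterns, depth + 1, findings)
        return findings
    if data[:2] == b"\x1f\x8b":                          # gzip magic
        scan(f"{name}#gz", gzip.decompress(data), file_block, patterns,
             depth + 1, findings)
        return findings
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    scan(f"{name}/{member.name}", tf.extractfile(member).read(),
                         file_block, patterns, depth + 1, findings)
        return findings
    except tarfile.TarError:
        pass                                             # not a tar: a leaf file
    verdict = fake_engine(data)
    if verdict:
        findings.append(("virus", name, verdict))
    return findings


def gzip_layers(payload, layers):
    """Wrap payload in `layers` nested gzip streams (constructed test input)."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan("deep.gz", gzip_layers(MARKER, 12)))       # found at layer 12
    print(scan("too-deep.gz", gzip_layers(MARKER, 13)))   # not reachable
    nested = make_zip({"report.txt": b"quarterly numbers",
                       "inner.zip": make_zip({"payload.bin": MARKER})})
    print(scan("outer.zip", nested))
    tools = make_zip({"setup.exe": b"MZ program", "notes.txt": b"read me"})
    print(scan("tools.zip", tools, file_block=True))
```

A depth-exceeded finding is the case to decide on explicitly: blocking it is the safe default, because a 13-layer archive that reaches a workstation is unpacked there by software that has no such limit. Note also that with the default patterns enabled a .gz attachment is removed outright, so the 12-layer gzip case only arises when file blocking is off.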
Viewing the virus list
You can view the names of the viruses and worms in the current virus definition list.
To view the virus list
1 Go to Anti-Virus > Config > Virus List.
2 Scroll through the virus and worm list to view the names of all viruses and worms in the list.
Web filtering
When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.
Content blocking
3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies.
4 Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words.
Backing up the Banned Word list
You can back up the banned word list by downloading it to a text file on the management computer.
To back up the banned word list
1 Go to Web Filter > Content Block.
5 Select Return to display the updated Banned Word List.
6 You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary.
URL blocking
4 Ensure that the Enable checkbox has been selected and then select OK.
5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list.
Downloading the Web URL block list
You can back up the Web URL block list by downloading it to a text file on the management computer.
To download a Web URL block list
1 Go to Web Filter > Web URL Block.
8 You can continue to maintain the Web URL block list by making changes to the text file and uploading it again.
Configuring FortiGate Web pattern blocking
You can configure FortiGate web pattern blocking to block web pages that match a URL pattern.
Configuring Cerberian URL filtering
Installing a Cerberian license key
Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit.
You can add users to the default group and apply any policies to the group. Use the default group to add:
• All the users who are not assigned alias names on the FortiGate unit.
• All the users who are not assigned to other user groups.
Script filtering
You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages.
Exempt URL list
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking.
Figure 88: Example URL Exempt list
Downloading the URL Exempt List
You can back up the URL Exempt List by downloading it to a text file on the management computer.
3 Select Upload URL Exempt List.
4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5 Select OK to upload the file to the FortiGate unit.
6 Select Return to display the updated URL Exempt List.
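The web filtering sections above describe four lists that all travel as one-entry-per-line text files (banned words, URL block list, URL patterns, exempt URLs) and one precedence rule: the exempt list overrides content and URL blocking. The Python below is an added example for this page and not Fortinet's filter; it parses lists in that file format, implements the single-word versus phrase semantics exactly as the content blocking section states them, and makes one allow/block decision per request. How a URL block entry matches (the entry itself and anything below it), how patterns are expressed (shell wildcards over host plus path) and the word-boundary matching for banned words are assumptions of the example, as are the list contents.

```python
import fnmatch
import re
from urllib.parse import urlsplit


def parse_list(text):
    """One entry per line: the format of the text files the unit downloads and uploads."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def normalize(url):
    """Lower-cased host plus path with the scheme removed (assumed comparison form)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.netloc + parts.path).lower()


def url_in_list(url, entries):
    """An entry matches the URL itself or anything below it (assumed semantics:
    'www.example.com/support' covers '/support/faq' but not 'www.example.community')."""
    target = normalize(url)
    for entry in entries:
        e = normalize(entry).rstrip("/")
        if target == e or target.startswith(e + "/"):
            return True
    return False


def url_matches_pattern(url, patterns):
    """Web pattern blocking: shell-style wildcards over host plus path (assumed)."""
    target = normalize(url)
    return any(fnmatch.fnmatch(target, p.lower()) for p in patterns)


def banned_entry_hits(entry, page_text):
    """A single word blocks pages containing it; a phrase blocks pages that
    contain every word of the phrase, in any order and position."""
    return all(re.search(r"\b" + re.escape(w) + r"\b", page_text, re.IGNORECASE)
               for w in entry.split())


def filter_request(url, page_text, cfg):
    """Decide one HTTP request: exempt URLs pass before any blocking rule runs."""
    if url_in_list(url, cfg["exempt"]):
        return ("allow", "exempt list")
    if url_in_list(url, cfg["url_block"]):
        return ("block", "URL block list")
    if url_matches_pattern(url, cfg["url_patterns"]):
        return ("block", "URL pattern")
    for entry in cfg["banned_words"]:
        if banned_entry_hits(entry, page_text):
            return ("block", f"banned word/phrase: {entry}")
    return ("allow", "no rule matched")


# Constructed lists, written the way they appear in the upload files.
CONFIG = {
    "exempt": parse_list("www.example.com/support\n"),
    "url_block": parse_list("www.example.com\nbad.example.net/downloads\n"),
    "url_patterns": parse_list("*.casino.example/*\n"),
    "banned_words": parse_list("banned\nbanned phrase\n"),
}

if __name__ == "__main__":
    for url, text in (("http://www.example.com/support/faq", ""),
                      ("http://www.example.com/index.html", ""),
                      ("http://games.casino.example/play", ""),
                      ("http://news.example.org/", "the phrase was banned yesterday"),
                      ("http://news.example.org/", "nothing to see here")):
        print(url, filter_request(url, text, CONFIG))
```

Two things worth noticing when maintaining these lists by text file: an exempt entry below a blocked site punches a hole in the block (support pages on an otherwise blocked host pass), and a phrase entry is weaker than it looks, since "banned phrase" fires on any page that contains both words anywhere, not on the phrase as typed.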
Email filter
Email filtering is enabled in firewall policies.
Email banned word list
When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log.
Downloading the email banned word list
You can back up the banned word list by downloading it to a text file on the management computer:
To download the banned word list
1 Go to Email Filter > Content Block.
Email block list
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses.
Uploading an email block list
You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file.
Adding address patterns to the email exempt list
To add an address pattern to the email exempt list
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
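Putting the email filter sections together: the unit tags the subject line (and logs an event) when the sender matches the block list or the message contains a banned word or phrase, and an exempt address pattern bypasses both. The Python below is an added example written for this page, not Fortinet's implementation; it runs on a parsed message rather than inline on the IMAP or POP3 stream as the unit does. Treating address patterns as shell-style wildcards, the tag text, and the sample messages and lists are all constructed assumptions of the example.

```python
import email
import fnmatch
from email import policy
from email.utils import parseaddr


def parse_list(text):
    """One pattern per line, the upload file format the page describes."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def address_matches(addr, patterns):
    """Address patterns are taken to be shell-style wildcards such as
    *@spam.example (an assumption; the page only says 'address pattern')."""
    return any(fnmatch.fnmatch(addr.lower(), p.lower()) for p in patterns)


def banned_hit(entry, text):
    """Same rule as for web content: every word of the entry must occur."""
    return all(word in text for word in entry.lower().split())


def filter_message(raw, cfg):
    """Return (subject after filtering, event-log lines).

    Exempt senders bypass both checks. A sender on the block list, or a
    message containing a banned word or phrase, gets cfg['tag'] prepended
    to the subject and an event-log line written."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    subject = str(msg.get("Subject", ""))
    log = []
    if address_matches(sender, cfg["exempt"]):
        return subject, log
    reason = None
    if address_matches(sender, cfg["block"]):
        reason = f"sender {sender} is on the email block list"
    else:
        body = msg.get_body(preferencelist=("plain",))
        text = (subject + "\n" + (body.get_content() if body else "")).lower()
        for entry in cfg["banned_words"]:
            if banned_hit(entry, text):
                reason = f"message contains banned word/phrase {entry!r}"
                break
    if reason is not None:
        log.append(f"email-filter: {reason}; subject tagged")
        if not subject.startswith(cfg["tag"]):
            subject = f"{cfg['tag']} {subject}"
    return subject, log


CONFIG = {
    "tag": "[FILTERED]",     # the subject tag is configurable on the unit; value assumed
    "block": parse_list("*@spam.example\npromo-*@*\n"),
    "exempt": parse_list("newsletter@partner.example\n"),
    "banned_words": parse_list("free money\nlottery\n"),
}

# Constructed sample messages, not real mail.
BLOCKED_SENDER = (b"From: Promo Desk <offers@spam.example>\r\n"
                  b"To: alice@corp.example\r\nSubject: Great offer\r\n\r\nBuy now.\r\n")
EXEMPT_SENDER = (b"From: newsletter@partner.example\r\nTo: alice@corp.example\r\n"
                 b"Subject: Free money for lottery winners\r\n\r\nRead on.\r\n")
BANNED_BODY = (b"From: bob@corp.example\r\nTo: alice@corp.example\r\nSubject: Hello\r\n\r\n"
               b"You have money waiting, and it is free.\r\n")
CLEAN = b"From: bob@corp.example\r\nTo: alice@corp.example\r\nSubject: Lunch?\r\n\r\nNoon today?\r\n"

if __name__ == "__main__":
    for raw in (BLOCKED_SENDER, EXEMPT_SENDER, BANNED_BODY, CLEAN):
        print(filter_message(raw, CONFIG))
```

The exempt check runs first on purpose: an exempt partner address that happens to contain a banned word is delivered untagged, which is what the exempt list is for. The From header is attacker-controlled, so the block list is a nuisance filter, not an authentication control.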
Logging and reporting
You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events.
Recording logs
Recording logs on a remote computer
You can configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server.
To record logs on a remote computer
1 Go to Log&Report > Log Setting.
5 Select Config Policy.
To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in “Filtering log messages” on page 310 and “Configuring traffic logging” on page 311.
Filtering log messages
You can configure the logs that you want to record and the message categories that you want to record in each log.
To filter log entries
1 Go to Log&Report > Log Setting.
4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
Configuring traffic logging
This section describes:
• Enabling traffic logging
• Configuring traffic filter settings
• Adding traffic filter entries
Enabling traffic logging
You can enable logging on any interface, VLAN subinterface, and firewall policy.
Configuring traffic filter settings
You can configure the information recorded in all traffic log messages.
To configure traffic filter settings
1 Go to Log&Report > Log Setting > Traffic Filter.
4 Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected in “Enabling traffic logging” on page 312.
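The logging sections above amount to a small pipeline: a per-log filter decides which logs and which message categories within each log are recorded, the traffic filter settings decide which fields a traffic message carries, and the result is shipped to a syslog server on a remote computer. The Python below is an added example written for this page, not the unit's logging code: it builds RFC 3164 style lines, applies both filters, and can send the result over UDP. The log type names come from the page; the message categories, the key=value message body, the facility, the host name and the sample events are all assumptions of the example.

```python
import socket
from datetime import datetime

# Log types named on the page; the message categories under each are assumed
# examples, as is the key=value layout of the message body.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}
FACILITY = 23                     # local7 (assumed; the page names no facility)
TRAFFIC_FIELDS = ("src", "dst", "service", "policy")   # traffic filter: what to record


def format_syslog(host, when, log_type, category, severity, fields):
    """RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: body."""
    pri = FACILITY * 8 + SEVERITY[severity]
    body = " ".join(f"{k}={v}" for k, v in fields.items())
    stamp = when.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} {log_type}({category}): {body}"


class LogFilter:
    """Which logs are recorded and which categories within each (Log Setting);
    a value of None records every category of that log."""

    def __init__(self, enabled):
        self.enabled = enabled

    def should_record(self, log_type, category):
        if log_type not in self.enabled:
            return False
        categories = self.enabled[log_type]
        return categories is None or category in categories


def record(entries, log_filter, host="fgt-4000"):
    """Apply the filter and the traffic field selection; return the lines to send."""
    lines = []
    for entry in entries:
        if not log_filter.should_record(entry["log"], entry["category"]):
            continue
        fields = entry["fields"]
        if entry["log"] == "traffic":
            fields = {k: v for k, v in fields.items() if k in TRAFFIC_FIELDS}
        lines.append(format_syslog(host, entry["time"], entry["log"],
                                   entry["category"], entry["severity"], fields))
    return lines


def send_udp(lines, server, port=514):
    """Deliver lines to the remote syslog server over UDP; returns the count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (server, port))
    return len(lines)


T0 = datetime(2004, 6, 1, 12, 0, 0)
SAMPLE_ENTRIES = [        # constructed events, not real unit output
    {"time": T0, "log": "event", "category": "admin", "severity": "notice",
     "fields": {"action": "login", "user": "admin", "src": "10.0.0.5"}},
    {"time": T0, "log": "attack", "category": "prevention", "severity": "alert",
     "fields": {"signature": "tcp.syn.flood", "src": "198.51.100.7", "dst": "192.0.2.10"}},
    {"time": T0, "log": "attack", "category": "detection", "severity": "warning",
     "fields": {"signature": "icmp.sweep", "src": "198.51.100.8"}},
    {"time": T0, "log": "traffic", "category": "session", "severity": "information",
     "fields": {"src": "10.0.0.5", "dst": "203.0.113.10", "service": "HTTP",
                "policy": "3", "bytes": "5120", "duration": "12"}},
    {"time": T0, "log": "virus", "category": "infected", "severity": "critical",
     "fields": {"file": "setup.exe", "virus": "Sample.Marker"}},
]
SAMPLE_FILTER = LogFilter({"event": None, "attack": {"prevention"}, "traffic": None})

if __name__ == "__main__":
    for line in record(SAMPLE_ENTRIES, SAMPLE_FILTER):
        print(line)
    # send_udp(record(SAMPLE_ENTRIES, SAMPLE_FILTER), "192.0.2.50") ships them.
```

Syslog over UDP is unauthenticated and unacknowledged: the receiving computer should accept datagrams only from the unit's address, and a dropped datagram is a lost log line, so the filter should be set to record what you will actually investigate rather than everything.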
Viewing logs saved to memory
4 To view a specific line in the log, type a line number in the Go to line field and select the icon beside it.
5 To navigate through the log message pages, select Go to next page or Go to previous page.
Configuring alert email
Adding alert email addresses
Because the FortiGate unit uses the SMTP server name to connect to the mail server, the FortiGate unit must look up this name on your DNS server. Before you configure alert email, make sure that you configure at least one DNS server.
Enabling alert email
You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations.
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.