FortinetメーカーFortiGate 400の使用説明書/サービス説明書
ページ先へ移動 of 308
FortiGate 400 Installation and Configuration Guide 4 / HA 3 CONSOLE 1 2 Esc Enter FortiGate User Manual V olume 1 Ve r s i o n 2 . 5 0 M R 2 18 August 2003.
© Copyright 2003 Fortine t Inc. All rights reserved . No part of this publication incl uding text, examples , diagrams or illustrations may be reproduced, transmitted, or translated in any form or by an y means, electro nic, mechanical, manual, optical or otherwise, for any purpose, without prio r written permiss ion of Fort inet Inc.
Contents FortiGate-400 Installation and Configuration Guide 3 Table of Contents Introduction ............. ................................ .................................................. ........... 15 Antivirus protection ........................
Contents 4 Fortinet Inc. Planning your FortiGate configurat ion ............... ................ ............. ................ ................ .. 39 NAT/Route mode ........... ................ ............. ................ ............. ...........
Contents FortiGate-400 Installation and Configuration Guide 5 Completing the configuration ................... ....... ...... ................ ............. ............. ............. ..... 64 Setting the date and time .................. ............
Contents 6 Fortinet Inc. System status .......... ................................ .................................................. ........... 93 Changing the FortiGate host name .......... ................ ................. ............ ..........
Contents FortiGate-400 Installation and Configuration Guide 7 Updating registration information ................ .... ......... ................. ............ ............. ............. 128 Recovering a lost Fortinet s upport password .............. .
Contents 8 Fortinet Inc. Adding RIP filters ............... ............. ................ ............. ................ ............. ................ ...... 154 Adding a single RIP filter ......... ............. ................ ............. .....
Contents FortiGate-400 Installation and Configuration Guide 9 Services ............ ............. ............. ................ ............. ................. ............ ............. .......... ... 182 Predefined services .................... ...
Contents 10 Fortinet Inc. IPSec VPN .................... ................................................. .............. ............... ......... 209 Key management ........... ............. ................ ............. ................. .........
Contents FortiGate-400 Installation and Configuration Guide 11 Network Intrusion Detection System (NIDS) .... ............................ ............ ....... 249 Detecting attacks ............... ............. ................ ............. ........
Contents 12 Fortinet Inc. URL blocking............... ............. ................ ............. ................ ............. ................ ............. 269 Using the FortiGate web filter ........... ............. ................ ............
Contents FortiGate-400 Installation and Configuration Guide 13 Glossary ............... ................................. ................................................. ............ 295 Index .............. ................................. .......
Contents 14 Fortinet Inc..
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 15 Introduction The FortiGate Antivirus Firewall suppor ts network-based dep loyment of application-leve l services—in cluding antiviru s protection and full-scan con tent filtering.
16 Fortinet Inc. Web content filtering Introduction For extra prot ection, you also con figure antivi rus protection to block files of specified file types from passing thr ough the FortiGate unit. Y ou can use the feature to stop files that may cont ain new viruses.
Introduction Firewall FortiGate-400 Installation and Configuration Guide 17 Y ou can configure Email blocking to tag email from all or so me senders within organizations that are known to send sp am email.
18 Fortinet Inc. VLAN Introduction Transparent mode T ransparent mode provides the same basic fire wall protection as NA T mode. Packets received by the FortiGate unit are intellig ently forwarded or blocked according to firewall policies.
Introduction VPN FortiGate-400 Installation and Configuration Guide 19 VPN Using FortiGate virtual private network ing (VPN), you can provide a secure connection between wid ely separated office netw orks or secu rely link telec ommuters or travellers to an of fice network.
20 Fortinet Inc. Secure installation, configurat ion, and management Introduction Secure inst allation, configuration, and management Installation is quick and simp le. Th e first time you turn on the FortiGate unit, it is already configured with de fault IP addres ses and security po licies.
Introduction Secure installation, configura tion, and management FortiGate-400 Installation and Configuration Guide 21 Command line interface Y ou can access the FortiGate command line interface (CLI) by connecting a management compute r serial port to the Fo rtiGate RS-232 serial Console connector .
22 Fortinet Inc. What’s new in Version 2.50 Introduction What’ s new in V ersion 2.50 This section present s a brief summary of so me of the new features in FortiOS v2.
Introduction What’s new in Version 2.50 FortiGate-400 Installation and Configuration Guide 23 HA • Active-active HA using switches and with the ability to s elect the schedule • T ransparent mode HA • A/V update for HA clusters • Configuration synchronizing fo r HA See “High av ailability” on page 75 .
24 Fortinet Inc. What’s new in Version 2.50 Introduction NIDS See the FortiGate NIDS Guide for a complete description of F ortiGate NIDS functionality .
Introduction About this document FortiGate-400 Installation and Configuration Guide 25 About this document This inst allation and con figuration guide descr ibes how to inst all and configure the FortiGate-400. This documen t contains the following infor mation: • Getting started describes unp acking, mounting, and powering on the FortiGate.
26 Fortinet Inc. Document co nventions Introduction Document conventions This guide uses the fo llowing conven tions to de scribe CLI co mmand syntax. • angle brac kets < > to indicate variable keywords For example: execute restore config <filename_str> Y ou enter restore config myfile.
Introduction Fortinet documentati on FortiGate-400 Installation and Configuration Guide 27 Fortinet document ation Information about FortiGate product s is av ailable from the follo wing FortiGate Use.
28 Fortinet Inc. Customer service and technical support Introduction Customer service and technical support For antiviru s and attack d efinition u p dates, firmware updates, updated product documentation , technical support informatio n , and other resources, please visit the Fortinet technical support we b site at http://support.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 29 Getting st arted This chapter describes unpacking, sett ing up, and powering on your FortiGate Antivirus Firewall.
30 Fortinet Inc. Package contents Getting started Package content s The FortiGate-400 p ackage contains the following items: • FortiGate -400 Antivirus Fir ewall • one orange crossover ethern et c.
Getting started Powering on FortiGate-400 Installation and Configuration Guide 31 Power requirements • Power dissipatio n: 180 W (max) • AC input volt age: 100 to 2 40 V AC • AC input current: 4.
32 Fortinet Inc. Connecting to the web-based manager Getting started Connecting to the web-based manager Use the followin g proced ure to con nect to the web-based manager for the first time. Configuration changes ma de with the web- based manager ar e effective imm ediately without the need to reset the firewall or inte rrupt serv ice.
Getting started Connecting to the command line in terface (CLI) FortiGate-400 Installation and Configuration Guide 33 Connecting to the command line interface (CLI) As an alternative to the web-based ma nager , you can install and configure the FortiGate unit using the CLI.
34 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started If you are planning on operating the FortiGa te unit in T ransparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in T ransparent mode.
Getting started Factory default FortiGate configurati on settings FortiGate-400 Installation and Configuration Guide 35 Factory default Transparent mode network configuration If you switch the FortiGate unit to T ranspar ent mode, it has the default network configuration listed in Ta b l e 3 .
36 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Factory default content profiles Y ou ca n use cont ent profiles to apply d ifferent protection settings for conten t traffic controlled by firewall policies.
Getting started Factory default FortiGate configurati on settings FortiGate-400 Installation and Configuration Guide 37 Strict content profile Use the strict content prof ile to apply maximum content protection to HTTP , FTP , IMAP , PO P3, and SMTP content traffic.
38 Fortinet Inc. Factory default FortiGate confi guration setting s Getting started Web content profile Use the web content profile to apply antivir us scanning and Web content blo cking to HTTP content traffic. Y ou can add this cont ent profile to firewall policies that control HTTP traffic.
Getting started Planning your Fort iGate configurati on FortiGate-400 Installation and Configuration Guide 39 Planning your FortiGate configuration Before beginning to configure th e FortiGate unit, you need to plan how to integrate the unit into your net work.
40 Fortinet Inc. Planning your FortiGa te configuration Getting started Figure 4: Example NA T/Route mode networ k configura tion NAT/Route mode with multiple external network connections In NA T/Route mode, yo u can configure th e Fort iGate unit with multiple redundant connections to the external net work (usually the Int ernet).
Getting started Planning your Fort iGate configurati on FortiGate-400 Installation and Configuration Guide 41 Transparent mode In T ransparent mode, the Fo rtiGate unit is invisible to the network. Similar to a network bridge, all of FortiGate interfaces must be on the same subnet.
42 Fortinet Inc. FortiGate model maximum valu es matrix Getting started CLI If you are configuring the FortiGate unit to operate in NA T/Route mode, you can add the administration p a ssword and all interface addresses. Using the CLI, you can also add DNS server IP add resses and a default route for the exter nal interfac e.
Getting started Next steps FortiGate-400 Installation and Configuration Guide 43 Next step s Now that your FortiGate unit is operating , y ou can proceed to configure it to connect to networks: • If you are goin g to operate the F ort iGate unit in NA T/Route mode, go to “NA T/Route mo de installation” on page 45 .
44 Fortinet Inc. Next steps Getting started.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 45 NA T/Route mode inst allation This chapter de scribes how to inst all your Fo rtiGate unit in NA T/Route mode. T o install your FortiGa te unit in T ransparent mode, see “T ransparent mode inst allation” on pag e 61 .
46 Fortinet Inc. Using the setu p wizard NAT/Route mode installati on Using the setup wizard From the web-based manager, you can use the setup wizar d to create the initial configuration of your FortiGate unit. T o connect to the web-based manager, see “Connecting to th e web-based manage r” on page 3 2 .
NAT/Route mode installati on Using the front control buttons an d LCD FortiGate-400 Installation and Configuration Guide 47 Using the front control buttons and LCD As an alternative to the setup wizard, use the information that you recorded in T able 10 on page 45 to complete the following pr ocedure.
48 Fortinet Inc. Using the command line interface NAT/Route mode installa tion 3 Set the IP address and netmask of interf ace 2 to the external IP address and netmask that you recorded in T able 10 on p age 45 . set system interface port2 mode static ip <IP_address> <netmask> Example set system interface por t2 mode static ip 204.
NAT/Route mode installati on Connecting the FortiGa te unit to your networks FortiGate-400 Installation and Configuration Guide 49 Connecting the FortiGate unit to your networks When you have com pleted the init ial configuratio n, you can conne ct the FortiGat e unit between yo ur internal network a nd the Inte rnet.
50 Fortinet Inc. Configuring your network NAT/Route mode installati on Figure 7: FortiGate-400 NA T/Route mode connection s Configuring your network If you are running the FortiGate unit in NA T/Route mode , your networks must be configured to route all Internet traf fic to t he IP address of the FortiGate interface to which they are connected.
NAT/Route mode installation Completing the configura tion FortiGate-400 Installation and Configuration Guide 51 Configuring interface 4/HA Use the followin g proced ure to con figure interf ace 4/HA t o connect to a network : 1 Log into the web-base d manager.
52 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Configuring virus and attack definition updates Y ou can go to System > Update to configur e the FortiGate unit to automatically check to see if new versions of the virus definitions an d attack definitions are available.
NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 53 Figure 8: Example multiple Internet connection configuration Configuring Ping servers Use the following procedure to make Gateway 1 the ping server for po rt2 and Gateway 2 the ping server for port3.
54 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Using the CLI 1 Add a ping ser ver to port2. set system interface port2 config detectserver 1.1.1.1 gwdetect enable 2 Add a ping ser ver to port3.
NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 55 Load sharing Y ou can also configure destination routing to direct traf fic through both gateways at the same time.
56 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation 3 Select New to add a route for connections to the network of ISP1. • Destination IP: 100.100.100.0 • Mask: 255.255.255.0 • Gateway #1: 1.1.
NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 57 Policy routing examples Policy routing can be added to increase the control you have over how packet s are routed.
58 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation Firewall policy example Firewall policies control how traf fic flows th rough the FortiGa te unit.
NAT/Route mode installation Configuration exam pl e: Multiple connections to the Internet FortiGate-400 Installation and Configuration Guide 59 Adding more firewall policies In most cas es your fire wall configura tion includes more than just the de fault policy .
60 Fortinet Inc. Configuration example: Multiple connections to the In ternet NAT/Route mode installation.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 61 T ransp arent mode inst allation This chapter describes how to install your FortiGate unit in Transp arent mo de.
62 Fortinet Inc. Using the setu p wizard Transparen t mode instal lation Using the setup wizard From the web-based manager, you can use the setup wizar d to create the initial configuration of your FortiGate unit. T o connect to the web-based manager, see “Connecting to th e web-based manage r” on page 3 2 .
Transparent mode installatio n Usin g the front control buttons an d LCD FortiGate-400 Installation and Configuration Guide 63 Using the front control buttons and LCD This procedure descr ibes how to use t he control buttons and LCD to configur e T ransparent mode IP addresses.
64 Fortinet Inc. Completing the configuration T ransparent mod e installation Configuring the Transparent mode management IP address 1 Log into the CLI if you are not alr eady logged in . 2 Set the management IP addr ess and netmask to the IP addr ess and netmask that you recorde d in T able 14 on p age 61 .
Transparent mode installatio n Connecting the FortiGate un it to your networks FortiGate-400 Installation and Configuration Guide 65 Registering your FortiGate After pur chasing and inst alling a new For tiGat e unit, you can register the u nit by goin g to System > Update > Support, or using a web browser to connect to http://support.
66 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 9: FortiGate-400 T ransparent mode connections T ransparent mode configuration examples A FortiGate unit operating in T ransparent mode still requir es a basic configuration to operate as a node on the IP networ k.
Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 67 This section describes: • Default routes and st atic routes • Example.
68 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 10: Default rout e to an external network General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit.
Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 69 Web-based manager exampl e configuration steps T o configure basic T ransparent mode settings and a default route using the web-based manager : 1 Go to System > St atus .
70 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Figure 1 1: Static route to an external destination General configuration steps 1 Set the FortiGate unit to operate in T ransparent mode . 2 Configure the Manag ement IP address and Netmask o f the FortiGate unit.
Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 71 Web-based manager exampl e configuration steps T o configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > St atus .
72 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation Example static route to an internal destination Figure 12 shows a FortiGa te unit where the FDN is located on an external subnet and the management computer is located on a r emote, internal subnet.
Transparent mode installatio n Trans parent mo de configuration examples FortiGate-400 Installation and Configuration Guide 73 Web-based manager exampl e configuration steps T o configure the FortiGate basic settings, a static route, and a d efault route using the web-based manager : 1 Go to System > St atus .
74 Fortinet Inc. Transparent mode con figuration exam ples Transpar ent mode instal lation.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 75 High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP).
76 Fortinet Inc. Active-active HA High availabili ty During star tup the members of an HA clus ter negotiate to select the primar y unit. The primary unit allows other FortiGate unit s to join the HA cluster as subordinate units and assigns each subordin ate unit a priority .
High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 77 During star tup the members of the HA cluster ne gotiate to select the primary unit. The primary unit allows other FortiGate unit s to join the HA cluster as subordinate units and assigns each subordin ate unit a priority .
78 Fortinet Inc. HA in NAT/Route mode High availabili ty The 4/HA interface of each Fo rtiGate-400 unit must be co nf igured with a different IP address. The addre sses of the 4/HA interf aces must be on the same subnet and they must be configur ed for managemen t access.
High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 79 4 Select the HA mode. Select Active-Passive mode to create an Active-Passive HA cluster , in which one Fort.
80 Fortinet Inc. HA in NAT/Route mode High availabili ty 8 Under Monitor on Interface, select the na mes of the interfaces to be monitored. Monitor FortiGate interfaces to mak e sure th ey are functioning properly and that they are connected to their networks.
High availability HA in NAT/Route mode FortiGate-400 Installation and Configuration Guide 81 The network eq uipment to use an d the proced ure to follow are the sa me, whether you are configuring the FortiGa te units for ac tive-active HA or active-passive HA.
82 Fortinet Inc. HA in Transparent mode High availabili ty Starting the HA cluster After all of the FortiGate unit s in the cluster are configur ed for HA and once the cluster is connected, use the following procedure to st art the HA cluster . 1 Power on all of the HA units in the cluster .
High availability HA in Transparent mo de FortiGate-400 Installation and Configuration Guide 83 5 Change the HA IP address and Netmask as required. 6 Optionally configure management access for other interfaces. 7 Select Apply . Now that you have configured the HA interfaces, procee d to “Configuring the HA cluster” .
84 Fortinet Inc. HA in Transparent mode High availabili ty 7 If you are config uring Active-Act ive HA, select a sche dule. The schedule controls load balancing am ong the FortiGate units in the active-active HA cluster . The schedule must be the same for all FortiGate unit s in the HA cluster .
High availability HA in Transparent mo de FortiGate-400 Installation and Configuration Guide 85 Figure 15: Sample a ctive-passive HA configuration 10 Repeat this procedure to add each FortiGate unit in the HA cluster . When you ha ve configured all o f the FortiGate unit s, proceed to “Connecting the HA cluster to your network” .
86 Fortinet Inc. Managing the HA cluster High availabili ty Starting the HA cluster After all of the FortiGate unit s in the cluster are configur ed for HA and once the cluster is connected, use the following procedure to st art the HA cluster . 1 Power on all of the HA units in the cluster .
High availability Managing the HA cluster FortiGate-400 Installation and Configuration Guide 87 Figure 16: Example cluster members lis t Monitoring cluster members T o monitor health information for each cluster member . 1 Connect to the cluster and lo g into the web-based manager.
88 Fortinet Inc. Managing the HA cluster High availabili ty 4 Select Virus & Intrusions. Virus and intr usions status is displayed fo r each clust er member . The primar y unit is identified as Local and the other unit s in the cluster are listed by serial number .
High availability Managing the HA cluster FortiGate-400 Installation and Configuration Guide 89 Managing individual cluster units Y ou can manage individual cluster units by connecting to each unit’s HA interface using either the web-base d manager or the CLI.
90 Fortinet Inc. Managing the HA cluster High availabili ty Use the following proc edure to make co nfiguration chan ges to the primar y FortiGate unit and then synchronize the co nfiguration of th e subordinate unit s. 1 Connect to the cluster and lo g into the web-based manager or CLI.
High availability Advanced HA opti ons FortiGate-400 Installation and Configuration Guide 91 Advanced HA options The following advanced HA options are available fro m the FortiGate CLI: • Selecting .
92 Fortinet Inc. Advanced HA options High availabili ty Configuring weighted-round-robin weights By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the clus ter .
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 93 System st atus Y ou can connect to the web-based manager and go to System > S tatus to view the current status of your FortiGate unit.
94 Fortinet Inc. Changing the FortiGat e host name System status Changing the FortiGate host name The FortiGate host name ap pears on the System > S tatus p age and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see “Configuring SNMP” on p a ge 162 ).
System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 95 Upgrade to a new firmware version Use the following procedure s to upgrade your FortiGate to a newer firm ware version. Upgrading the firmware usi ng the web-based manager 1 Copy the firmware image file to your manage ment computer .
96 Fortinet Inc. Changing the FortiGate fi rmware System status 5 Enter the following command to copy the fir mware image from the TFTP server to the FortiGate: execute restore image <name_str> .
System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 97 1 Copy the firmware image file to your manage ment computer . 2 Login to the FortiGate web- based manage r as the admin administra tive user . 3 Go to System > St atus .
98 Fortinet Inc. Changing the FortiGate fi rmware System status T o use the followin g procedure you must have a TFTP server that you can connect to from the FortiGate unit. 1 Make sure that the TFTP server is running. 2 Copy the new firmware image file to the root directory of the TFT P server .
System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 99 12 T o confirm that the antivirus and att ack definitions have been updated, enter the following command to display the an tivirus engi ne, virus and attack definitions version, contract ex piry , and last update attempt information.
100 Fortinet Inc. Changing the FortiGate fi rmware System status 6 Enter the following co mmand to restart the FortiGate unit: execute reboot As the FortiGate units st arts, a series of system st artup messages are displayed. When one of the following messages appears: • FortiGate unit running v2.
System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 101 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following appear .
102 Fortinet Inc. Changing the FortiGate fi rmware System status T o test a new firmware image: 1 Connect to the CLI using a null modem cable and FortiGate con sole port. 2 Make sure the TFTP se rver is running. 3 Copy the new firmware image file to the root directory of the TFT P server .
System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 103 The following m essage appears: Enter File Name [image.out]: 11 Enter the firmware image file name an d press Enter . The TFTP server up loads the firmware imag e file to the FortiGate unit and messages similar to the following appear .
104 Fortinet Inc. Changing the FortiGate fi rmware System status 4 T o confirm that the FortiGate unit can co nnect to the TFTP se rver , use the following command to ping the computer running the TFTP serve r . For example, if the TFTP server ’s IP addr ess is 192.
System status Changing the Forti Gate firmware FortiGate-400 Installation and Configuration Guide 105 Switching to the ba ckup firmware image Use this procedure to switch yo ur FortiG ate unit to operatin g with a backup firmware image that you have p revious installed.
106 Fortinet Inc. Manual virus definition updates System status Switching back to the default firmware image Use this proced ure to switch your F ortiGate unit to o perating with the b ackup firmwar e image that had been running as the default fi rmware image.
System status Manual attack definition updates FortiGate-400 Installation and Configuration Guide 107 5 Select OK to copy the antivirus defini tions update file to the FortiGate unit. The FortiGate u nit updates the antiviru s definitions. This t akes about 1 mi nute.
108 Fortinet Inc. Backing up system settings System status Backing up system settings Y ou can back up system settings by down loading them to a text file on the management compu ter: 1 Go to System > St atus . 2 Select System Settings Backup. 3 Select Backup Sy stem Setting s.
System status Changing to T ransparent mode FortiGate-400 Installation and Configuration Guide 109 Changing to T ransp arent mode Use the followin g proced ure to switch the FortiG ate unit fro m NA T/Route mode to T ransparent mode.
11 0 Fortinet Inc. Shutting down the FortiGate unit System status Shutting down the FortiGate unit 1 Go to System > S tatus . 2 Select Shutdown. The FortiGate unit shut s down and all traf fic flow stops. The FortiGate unit can only be rest arted af te r shutdown by turning t he power off, then on.
System status System status FortiGate-400 Installation and Configuration Guide 111 Figure 1: CPU and memo ry st atus monitor CPU and memory inte nsive processes such a s encrypting and de crypting IPSec VPN traffic, virus scanning, and processing hig h levels of network traffic cont aining small packet s will increase CPU and memory usage.
11 2 Fortinet Inc. System status System status Network utilization displays the total netwo rk bandwidth being used through all FortiGate interf aces. N etwork utilization also di splays netw ork utilization as a percentag e of the maximum network band wid th that can be proce ssed by the FortiGate u nit.
System status Session list FortiGate-400 Installation and Configuration Guide 11 3 Figure 3: Sessions and ne twork st atus monitor 3 Set the automatic refresh interva l and select Go to control how of ten the web-based manager updates the display . More frequent updates use system resources and increase network traf fic.
11 4 Fortinet Inc. Session list System status Figure 4: Example session list To I P The destination IP a ddress of the connection . To P o r t The destination port of the connection. Expire The time, in seconds, before the connection expires. Clear S top an active communication session.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 11 5 V irus and att ack definitions up dates and registration Y ou can configur.
11 6 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration The System > Update p age web-based manage r displa ys the following antivirus a.
Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 11 7 T o make sure the FortiGate unit ca n connect to the FDN: 1 Go to System > Config > Time and make su re the time zone is set to the correct time zone for your area.
11 8 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration 4 Select Apply . The FortiGate unit star ts the next sche dule d update according to the new update schedule. Whenever a scheduled u pdate is run, the ev ent is record ed in the FortiGate event log.
Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 11 9 Adding an override server If you cannot connec.
120 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration To enable push updates 1 Go to System > Up date . 2 Select Allow Push Update. 3 Select Apply . About push updates When you config ure a FortiGat e unit to a llow push updates, the FortiGate unit sends a SETUP message to the F DN.
Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 121 Figure 2: Example network topology: Push update.
122 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration Adding a port forwarding virtual IP to the FortiGate NA T device Use the follo wing .
Virus and attack definitions upda tes and regist ration Updating antivirus and attack definitions FortiGate-400 Installation and Configuration Guide 123 Figure 3: Push update port forwarding virtual I.
124 Fortinet Inc. Updating antivirus and atta ck definitions Virus and atta ck definitions updates and registration 5 Set Port to the External Servic e Port added to the virtual IP . For the example top ology , enter 45001. 6 Select Apply . The FortiGate unit sends the override push IP address and Port to the FDN.
Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-400 Installation and Configuration Guide 125 There are no special tun neling requirement s if you have configured an override server address to connect to the FDN.
126 Fortinet Inc. Registering Forti Gate units Virus and attack defi nitions updates and registra tion T o activate the For tiCare Support Contract, you must regi ster the FortiGate unit and add the FortiCare Support Contr act number to the registration information.
Virus and attack definitions upda tes and registration Regist ering FortiGate units FortiGate-400 Installation and Configuration Guide 127 Figure 5: Registering a FortiGate unit (c ontact information and security question) 3 Provide a security question and an answe r to the security question.
128 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on Up dating registration information Y ou can use your Fortinet support user nam e and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support infor mation.
Virus and attack definitions updates and registration Updating registration informati on FortiGate-400 Installation and Configuration Guide 129 Figure 7: Sample list of registered FortiGa te unit s Registering a new FortiGate unit 1 Go to System > Up date > Support and select Suppor t Login.
130 Fortinet Inc. Updating registration information Virus and attack defi nitions updates and registrati on 7 Select Finish. The list of FortiGate product s that you have registered is displayed. Th e list now includes the new suppor t contract information.
Virus and attack definitions upda tes and registra tion Registering a Fort iGate unit after an RMA FortiGate-400 Installation and Configuration Guide 131 Figure 8: Downloading virus and attack definit.
132 Fortinet Inc. Registering a FortiGate unit after an RMA Vi rus and attack defi nitions updates and registra tion.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 133 Network configuration Go to System > Network to make any of the followin.
134 Fortinet Inc. Configuring zones Network configuration 3 T ype a Name for the zone. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _. Other sp ecial characters and sp aces are not allowed.
Network configuration Configuring interfaces FortiGate-400 Installation and Configuration Guide 135 Deleting zones Y ou must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. Y ou can only dele te zones that have the Delete icon beside them in the zone list.
136 Fortinet Inc. Configuring interfac es Network configuration Changing an interface static IP address Use the follo wing proced ure to cha nge the static IP address o f any FortiG ate interface: 1 Go to System > Network > Interface . 2 Select Modify for t h e interface to change .
Network configuration Configuring interfaces FortiGate-400 Installation and Configuration Guide 137 Controlling management access to an interface 1 Go to System > Network > Interface . 2 Select Modify for the interface for which to co nfigure management access.
138 Fortinet Inc. Configuring interfac es Network configuration 4 Set the MTU size. Set the maximum p acket size in the range of 68 to 1500 bytes. Th e default MTU size is 1500. Experiment by lo wering the MTU to find an MTU size for best network performance.
Network configuration Configuring VLANs FortiGate-400 Installation and Configuration Guide 139 3 Add a default gateway IP a ddress if th e Fo rtiGate unit must connect to a default gateway to reac h the managem ent compute r . 4 Select the management Access methods for each interf ace.
140 Fortinet Inc. Configuring VLAN s Network configuration Figure 9: T ypical VLAN n etwork configuration In a typical VLAN config uration, a number of ph ysical networks could be connected to a single IEEE 802.
Network configuration Configuring VLANs FortiGate-400 Installation and Configuration Guide 141 Adding VLAN subinterfaces The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router . The VLAN ID can be any number between 1 and 409 6.
142 Fortinet Inc. Configuring VLAN s Network configuration 6 Enter the IP address and Netmask for the VLAN su binterface. 7 Optionally select a zone to add the VLAN subinterface to a zone.
Network configuration Configuring routi ng FortiGate-400 Installation and Configuration Guide 143 Configuring routing This section describes ho w to configure Fo rtiGate routing. Y ou can configure routing to add stat ic routes from the FortiGate unit to local routers.
144 Fortinet Inc. Configuring routing Network configuration T o support routing failo ver , the IP address of each gateway must be added to the ping server of t he interfa ce connec ted to the same netw ork as th e gateway . See “Adding a ping server to an interface” on page 136 .
Network configuration Configuring routi ng FortiGate-400 Installation and Configuration Guide 145 Adding routes in Transparent mode Use the follo wing proced ure to add routes when operating the FortiGate unit in T ransparent mode. 1 Go to System > Network > Routing .
146 Fortinet Inc. Configuring routing Network configuration Figure 1 1: Routing t able Policy routing Policy routing extend s the functions of de stination rout ing.
Network configuration Providing DHCP services to your internal network FortiGate-400 Installation and Configuration Guide 147 Providing DHCP services to your internal network If the FortiGate unit is .
148 Fortinet Inc. Providing DHCP services to your inte rnal network Network configuration.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 149 RIP configuration The FortiGate implement ation of the Routing Information Protocol (RIP) support s both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453).
150 Fortinet Inc. RIP settings RIP configuration This chapter describes how to configur e FortiGate RIP: • RIP settings • Configuring RIP for FortiGate interfaces • Adding RIP neighbors • Adding RIP filters RIP settings Configure RIP settings to enable basic RIP functio nality and metrics and to configure RIP timers.
RIP configuration RIP settings FortiGate-400 Installation and Configuration Guide 151 7 Select Apply to sa ve your changes. Figure 1: Configuring RIP settings Up date The time interval in seconds between sendi ng routing table updates. The default is 30 seconds.
152 Fortinet Inc. Configuring RIP for Forti Gate interfaces RIP configuration Configuring RIP for FortiGate interfaces Y ou can create a unique RIP configuratio n for each FortiGate interface and VLA N subinterface. T his allows you to customize RIP for the network to which each interface or each VLA N subint erface is con nected.
RIP configuration Adding RIP neighbors FortiGate-400 Installation and Configuration Guide 153 4 Select OK to save the R IP config uration for the selected interface. Figure 2: Example RIP configuration for an internal interface Adding RIP neighbors Add RIP neighbors to de fine a neighbori ng router with which to exchange routing information.
154 Fortinet Inc. Adding RIP filters RIP configuration 3 Add the IP address of a neighbor router that you want the F ortiGate unit to exch ange routing information with. 4 Select Enable Se nd RIP1 to se nd RIP1 messa ges to the neighbor . 5 Select Enable Se nd RIP2 to se nd RIP2 messa ges to the neighbor .
RIP configuration Adding RIP filters FortiGate-400 Installation and Configuration Guide 155 4 Select OK to save the RIP f ilter . Adding a RIP filter list Add a RIP filter list to filter multiple routes. A RIP filter list consist s of a RIP filter name and a series of route prefixes.
156 Fortinet Inc. Adding RIP filters RIP configuration Adding a neighbors filter Y ou can select a single RIP filter or a RI P filter list to be the neighbors filter . 1 Go to System > RIP > Filter . 2 Add RIP filters and RIP f ilter list s as required.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 157 System configuration Go to System > Config to make any of the following .
158 Fortinet Inc. Changing web-based manager options System configuration 8 S pecify how often the FortiGate unit should synchronize its time with the NTP server . A typical Syn Interval would be 1440 minute s for the FortiGate unit to synchronize it s time once a day .
System configuration Chang ing web-base d manager options FortiGate-400 Installation and Configuration Guide 159 T o set the Auth timeou t 1 For Auth T imeout, type a number in minutes. 2 Select Apply . Auth T imeout controls the amount of inacti ve time that the fi rewall waits before requiring users to authen ticate again.
160 Fortinet Inc. Adding and editing administrato r accounts System configuration Adding and editing administrator account s When the FortiGate unit is initia lly installed, it is configur ed with a single administr ator account with the user name admin.
System configuration Adding and editing administrator accounts FortiGate-400 Installation and Configuration Guide 161 Editing administrator accounts The admin account user can change indi vidual admin.
162 Fortinet Inc. Configuring SNMP System configuration Configuring SNMP Configure the FortiGate SNMP agent to report system information and se nd traps to SNMP managers. The FortiGate SNMP agent supp orts SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665.
System configuration Configuring SNMP FortiGate-400 Installation and Configuration Guide 163 4 Select Apply . Figure 2: Sample SNMP configuration FortiGate MIBs The FortiGate SNMP agent suppo rts FortiGat e propriet ary MIBs as well as standa rd RFC 1213 and RFC 2665 MIBs.
164 Fortinet Inc. Customizing replacement messages System configuration FortiGate traps The FortiGa te agent ca n send t raps to up to thre e SNMP tr ap receiver s on your network that are configur ed to receive tr ap s from the FortiGate unit.
System configuration Custom izing replacement messages FortiGate-400 Installation and Configuration Guide 165 This section describes: • Customizing replacement messages • Customizing alert emails .
166 Fortinet Inc. Customizing replacement messages System configuration Customizing alert emails Customize alert emails to control the content disp layed in alert email messages sent to system administrators. 1 Go to System > Config > Replacement Mes sages .
System configuration Custom izing replacement messages FortiGate-400 Installation and Configuration Guide 167 %%EMAIL_FROM%% The email address of the sender of the message in which the virus was found. %%EMAIL_TO%% The email address of the intended receiver of the message in which the virus was found.
168 Fortinet Inc. Customizing replacement messages System configuration.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 169 Firewall configuration Firewall policies control all traf fic passing th rough the FortiGate unit. Firewall policies are instructions used by the Fort iGate un it to decide what to do with a connection request.
170 Fortinet Inc. Default firewall configuration Firewall configuration Default firewall configuration By default, t he users on the netw ork connec ted to por t1 can co nnect throu gh the FortiGate unit to the network connected to po rt2. The firewall blocks all other connections.
Firewall confi guration Default firewall configurati on FortiGate-400 Installation and Configuration Guide 171 Zones Y ou can add zones to the FortiGate configuration to group together related interfaces and VLAN subinterfaces to simplify firewa ll policy creation.
172 Fortinet Inc. Adding firewall policies Firewall configuration Services Policies can also control connections based o n the service or destination port num ber of packet s. The defaul t policy accepts co nnec tions to using an y service or destination port number .
Firewall confi guration Adding firewall policies FortiGate-400 Installation and Configuration Guide 173 Figure 5: Adding a NA T/Route po licy Firewall policy options This section describes the o ptions th at you can add to fir ewall policies. Source Select an address o r address group that matches the source address of the p acket.
174 Fortinet Inc. Adding firewall policies Firewall configuration For NA T/Route mode po licies where the addre ss on the destination network is hidden from the source network using NA T , the destina tion can also be a virtual IP that maps the destinatio n address of the packet to a hidde n destination ad dress.
Firewall confi guration Adding firewall policies FortiGate-400 Installation and Configuration Guide 175 Traffic Shaping T raffic Shaping controls the bandwidth ava ilabl e to and sets the priority of the traf fic processed by the po licy .
176 Fortinet Inc. Adding firewall policies Firewall configuration In most cases you should make su re that users can use DNS through th e firewall without auth entication. If DNS is not availa bl e users cannot connect to a web, FTP , or T elnet server u sing a domain name.
Firewall confi guration Configuring poli cy lists FortiGate-400 Installation and Configuration Guide 177 Log Traffic Select Log Traf fic to write me ssages to the t raffic log whenever th e policy proces ses a connection. For more informatio n about logging, see “Logging and reporting” on page 281 .
178 Fortinet Inc. Configuring policy lists Firewall co nfiguration A policy that is an exception to the defa ul t policy , for example, a policy to block FTP connections, must be placed above the default policy in the port1 -> port2 policy list.
Firewall confi guration Addresses FortiGate-400 Installation and Configuration Guide 179 Addresses All policies require source and de stination addresses. T o add addresses to a policy , you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces o f the policy .
180 Fortinet Inc. Addresses Firewall configurati on 6 Enter the NetMask. The netmask should cor respond to the type of address that you are addin g. For example: • The netmask for the IP address of a si ngle computer should be 255.255.255.255 . • The netmask for a class A subnet shou ld be 255.
Firewall confi guration Addresses FortiGate-400 Installation and Configuration Guide 181 3 Choose an address to delete and select Delete . 4 Select OK to delete the addre ss. Organizing addresses in to address groups Y ou can organize related addresses into address gr oups to make it easier to add policies.
182 Fortinet Inc. Services Firewall configuration Services Use services to control the types of communication accep ted or denied by the fire wall. Y ou can add any of the predefined se rvices to a policy . Y ou can also create your own custom services and add services to service group s.
Firewall confi guration Services FortiGate-400 Installation and Configuration Guide 183 H323 H.32 3 multimedia protocol. H.323 is a standard approved by the Internatio nal T elecommunicati on Union (ITU) that defines how audiovisual conferenci ng data is transmitted across networks.
184 Fortinet Inc. Services Firewall configuration Providing access to custom services Add a custom service if you need to create a policy fo r a service that is not in the predefined service list. 1 Go to Firewall > Service > Custo m . 2 Select New .
Firewall confi guration Services FortiGate-400 Installation and Configuration Guide 185 5 S pecify a Source and Destination Port number r ange for the service by enteri ng the low and high port numbers. If th e service uses one port number , enter this number in both the low and high fields.
186 Fortinet Inc. Schedules Firewall configura tion Schedules Use scheduling to control when policies ar e active or inactive. Y ou can create one-time schedu les and recurring schedules. Y ou can use one-time sched ules to create policies that are ef fect ive once fo r the perio d of time sp ecified in th e schedule.
Firewall confi guration Schedules FortiGate-400 Installation and Configuration Guide 187 Creating recurring schedules Y ou can create a recurring schedule tha t acti vates or deactivates policies at specified times of the day or on specified days of t he week.
188 Fortinet Inc. Virtual IPs Firewall configuration Adding a schedule to a policy After you have created schedules, you can add them to policies to schedule when the policies are active . Y ou can add th e new schedules to policie s when you create the policy , or you can ed it existing policies and add a new schedule to them.
Firewall confi guration Vi rtual IPs FortiGate-400 Installation and Configuration Guide 189 This section describes: • Adding static NA T virtual IPs • Adding port fo rwarding vir tual IPs • Adding policies with virtual IPs Adding static NAT virtual IPs 1 Go to Firewall > Virtual IP .
190 Fortinet Inc. Virtual IPs Firewall configuration 8 Select OK to save the v irtual IP . Y ou can now add the virtual IP to firewall policies. Adding port forwar ding virtual IPs 1 Go to Firewall > Virtual IP . 2 Select New to add a virtual IP . 3 Enter a Name for the virtual IP .
Firewall confi guration Vi rtual IPs FortiGate-400 Installation and Configuration Guide 191 Figure 13: Adding a port forwarding virtu al IP Adding policies wi th virtual IPs Use the followin g proced ure to add a policy that uses a virt ual IP to fo rward packets.
192 Fortinet Inc. IP pools Firewall configura tion 4 Select OK to save the policy . IP pools An IP pool (also called a dynamic IP pool) is a range of IP ad dresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destinati on set to this interface.
Firewall confi guration IP/MAC binding FortiGate-400 Installation and Configuration Guide 193 Figure 14: Adding an IP Pool IP Pools for firewall pol icies that use fixed ports Some network configurations will not operate correctly if a NA T policy translates the source port of packet s used by the connec tion.
194 Fortinet Inc. IP/MAC binding Firewall configuration Y ou can enter the static IP addresses an d corresponding MAC addresses of trusted computers in the S tatic IP/MAC table. IP/MAC binding can be enab led for packet s connecting to the fir ewall or passing through the firewall.
Firewall confi guration IP/MAC binding FortiGate-400 Installation and Configuration Guide 195 Configuring IP/MAC binding for packets going to the firewall Use the followin g procedur e to use IP/ MAC .
196 Fortinet Inc. IP/MAC binding Firewall configuration Viewing the dyna mic IP/MAC list 1 Go to Firewall > IP/M AC Binding > Dynami c IP/MAC . Enabling IP/MAC binding 1 Go to Firewall > IP/M AC Binding > Setting .
Firewall confi guration Content profiles FortiGate-400 Installation and Configuration Guide 197 Content profiles Use content profiles to app ly diff erent prot ection settings for content traf fic controlled by firewall policies.
198 Fortinet Inc. Content profiles Firewall configuration 3 T ype a Profile Name. 4 Enable antivirus protection options. 5 Enable Web filtering options. 6 Enable Email filter protection options. 7 Enable fragmented email and oversized file and email options.
Firewall confi guration Content profiles FortiGate-400 Installation and Configuration Guide 199 Figure 16: Example con tent profile Adding a content pr ofile to a policy Y ou can add content profiles .
200 Fortinet Inc. Content profiles Firewall configuration.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 201 Users and authentication FortiGate unit s support user authenticati on to the FortiG ate user database, to a RADIUS serve r , and to an LDAP ser ver .
202 Fortinet Inc. Setting authentication timeout Users and authenticati on This chapter describes : • Setting authentication timeout • Adding user names and co nfiguring authentication • Configu.
Users and authentication Adding user names and con figuring authentica tion FortiGate-400 Installation and Configuration Guide 203 5 Select T ry other servers if conn ect to selected server fa ils if you have selected Radius and you want the FortiGate unit to try to conn ect to other RADIUS servers added to the FortiGate RADI US configura tion.
204 Fortinet Inc. Configuring RADIUS supp ort Users and authentication Configuring RADIUS support If you have configur ed RADIUS support and a user is required to authenticate using a RADIUS server , the FortiGate unit cont ac ts the RADIUS server for authentication.
Users and authentication Configuring LDAP suppo rt FortiGate-400 Installation and Configuration Guide 205 Configuring LDAP support If you have configured LDAP support and a user is required to authenticate using an LDAP server , the FortiGate unit contact s the LDAP server for authentication.
206 Fortinet Inc. Configuri ng LDAP support Users and authentication 7 Enter the distinguished name used to look up entries on the LDAP server . Enter the base distinguishe d name for the server using the correct X.500 or LDAP format. The FortiGate u nit passes this distinguished name unchanged to the server .
Users and authentication Configuring user groups FortiGate-400 Installation and Configuration Guide 207 Configuring user group s T o enable authentication, yo u mu st add user names, RADIUS servers and LDAP servers to one or more user gr oups. Y ou can then select a user group wh en you require authenticati on.
208 Fortinet Inc. Configuring user g roups Users and authentication Figure 20: Adding a user group 3 Enter a Group Name to identify th e user group. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 209 IPSec VPN A Virtua l Private Network (VPN) is an extension of a private network that encompasses links across sh ared or public networks such as the Intern et.
210 Fortinet Inc. Key management IPSec VPN Key management There are three basic elem ents in any en cryption system: • an algorithm which changes informa tion into code, • a cryptographic key which serves as a secret starting point for the algor ithm, • a management system to control the ke y .
IPSec VPN Manual key IPSec VPNs FortiGate-400 Installation and Configuration Guide 21 1 Manual key IPSec VPNs When manu al keys are employed , compleme ntary security parameter s must be entered at both ends of the tunnel. In ad dition to encryption and authen tication algorithms and keys, the security parameter index (SPI) is required.
212 Fortinet Inc. Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexade cimal number of up to eight digit s (digits can be 0 to 9, a to f) in the rang e bb8 to FFFFFFF . This number must be added to the Local SPI at the opposite end of the tunnel.
IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 213 AutoIKE IPSec VPNs Fortunate support s two methods of Automa tic Internet Key Exch ange (AutoIKE) fo r the purpose of establish ing IPSec VPN tu nnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
214 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 3 Enter a Gateway Name for the remote VPN peer . The remote VPN pee r can be either a gatewa y to another netw ork or an individual client on the In ternet. The name can cont ain numbers (0-9), u ppercase and lowercase letters ( A-Z, a-z), and the special characters - and _.
IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 215 10 Optionally , enter th e Local ID of th e FortiGat e unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer .
216 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Optionally , configure NA T T raversal. 5 Optionally , configur e Dead Peer Detection . Use these settings to monitor the st atus of the connec tion between VPN peer s. DPD allows dead connections to be cleane d up and new VPN tunnels est ablished.
IPSec VPN AutoIKE IPSec VPNs FortiGate-400 Installation and Configuration Guide 217 Figure 21: Adding a phase 1 config uration Adding a phase 2 configurat ion for an AutoIKE VPN Add a phas e 2 configu.
218 Fortinet Inc. AutoIKE IPSec VPNs IPSec VPN 4 Select a Remote Gateway to as sociate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individu al client on the Internet. Remote gateways are added as pa rt of the phase 1 configuration.
IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 219 Figure 22: Adding a phase 2 config uration Managing digit al certificates Digital certifica tes are used.
220 Fortinet Inc. Managing digital certificates IPSec VPN Generating the certificate request With this procedure, you gen erate a privat e and public key p air . The public key is the base component of the certificate request. T o generate the certificate requ est: 1 Go to VPN > Local Certificates .
IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 221 Figure 23: Adding a Local Certific ate Downloading the certificate request With this procedure, you down load the cert ificate request f rom the Fo rtiGate u nit to the management computer .
222 Fortinet Inc. Managing digital certificates IPSec VPN 4 Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encod ed PKCS#10 certif icate requ est to the CA web server , • paste the certificate re quest to the CA web server , • submit the certificate request to the CA web server .
IPSec VPN Managing d igital certificates FortiGate-400 Installation and Configuration Guide 223 3 Enter the path or browse to locate the signed local certificate on the management computer . 4 Select OK. The signed local certificate will be displayed on the Local Cert ificates list with a status of OK.
224 Fortinet Inc. Configuring encrypt policies IPSec VPN Configuring encrypt policies A VPN connects the local, intern al network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on th ese networks can use the VPN.
IPSec VPN Co nfiguring encrypt policies FortiGate-400 Installation and Configuration Guide 225 Adding a source address The source address is located with in the inte rnal ne twork of the local VPN peer . It can be a single computer addre ss or the address of a network.
226 Fortinet Inc. Configuring encrypt policies IPSec VPN Refer to the FortiGate Inst allation and Configuration Guide to configur e the remaining policy settings.
IPSec VPN IPSec VPN concen trators FortiGate-400 Installation and Configuration Guide 227 IPSec VPN concentrators In a hub-and-spoke ne twork, all VPN tunnels termin ate at a single VPN peer known as a hub. The peer s that connect to th e hub are known as sp okes.
228 Fortinet Inc. IPSec VPN concentrators IPSec VPN T o create a VPN concentrator configuratio n: 1 Configure a tunnel fo r each spoke. Choose betwe en a manual key tunnel or an AutoIKE tunnel.
IPSec VPN IPSec VPN concen trators FortiGate-400 Installation and Configuration Guide 229 Adding a VPN concentrator T o add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator . 2 Select New to ad d a VPN conc entrator . 3 Enter the name of the new conce ntrator in the Concentrator Name field.
230 Fortinet Inc. IPSec VPN concentrators IPSec VPN VPN spoke general co nfiguration steps A remote VPN pee r that is functio ning as a spok e requires the f ollowing configur ation: • A tunnel (Auto IKE phase 1 an d phase 2 conf iguration or manu al key configura tion) for the hub.
IPSec VPN Redundant IPSec VPNs FortiGate-400 Installation and Configuration Guide 231 See “Adding an encrypt policy” on p age 225 . 6 Arrange the policie s in the following order: • outbound enc.
232 Fortinet Inc. Redundant IPSec VPNs IPSec VPN Configure the two FortiGate un its with symmetric al settings for their connections to the Internet. For example, if the remote FortiG ate unit has tw o external int erfaces grou ped within one zon e, then the local FortiG ate unit sho uld have two externa l interfac es grouped within one zone.
IPSec VPN Monitoring and Troublesh ooting VPNs FortiGate-400 Installation and Configuration Guide 233 Monitoring and T roubleshooting VPNs This section provid es a number of ge ne ral maintenance and monitoring procedures for VPNs.
234 Fortinet Inc. Monitoring and Troubleshooti ng VPNs IPSec VPN T o view dialup connection st atus: 1 Go to VPN > IPSec > Dialup . The Lifetime column displays how long the connection has been up. The T imeout column displays the time before the next key exchange.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 235 PPTP and L2TP VPN Y ou can use PPTP and L2TP to crea te a virtual private network (VPN) between a remote client PC running the Windows op er ating system an d your inte rnal netw ork.
236 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN Figure 29: PPTP VPN between a Windows client and the FortiGate unit Configuring the FortiGat e unit as a PPTP gateway Use the followin g proced ures to con figure the FortiGate u nit as a PPTP gate way: Adding users and user groups T o add a user for each PP TP client: 1 Go to User > Local .
PPTP and L2TP VPN Configuring PPTP FortiGate-400 Installation and Configuration Guide 237 Figure 30: Example PPTP Range configu ration Adding a source address Add a sour ce address for ever y address in the PPT P address range. 1 Go to Firewall > Address .
238 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 T o remove addresses from the addr ess group, select an address from the Member s list and select the left arrow to remove it from the group. Select OK to add the address group . Adding a destination address Add an address to which PP TP users can connect.
PPTP and L2TP VPN Configuring PPTP FortiGate-400 Installation and Configuration Guide 239 4 Select Add. 5 Select Microsof t as the manufacturer . 6 Select Microsoft V irtual Private Networking Adapter . 7 Select OK twice. 8 Insert diskettes or CDs as required.
240 Fortinet Inc. Configuring PPTP PPTP and L2TP VPN 5 Set Connection Availability to On ly for myself and select Next. 6 Select Finish. 7 In the Connect window , select Properties. 8 Select the Security tab. 9 Uncheck Requir e da ta encryption. 10 Select OK.
PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 241 5 Select Advanced to configure ad vanced settings. 6 Select Settings. 7 Select Challenge Handshake Authen tication Protocol (CHAP). 8 Make sure that none of the other settings are selected.
242 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Figure 31: L2TP VPN between a Windows client and the FortiGate unit Configuring the FortiGat e unit as a L2TP gateway Use the follo wing proced ures to c onfigure th e FortiGa te unit as a n L2TP g ateway: Adding users and user groups T o add a user for each L2TP client: 1 Go to User > Local .
PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 243 Figure 32: Sample L2TP addres s range configura tion 6 Add the addresses from the L2TP ad dress range to the External zo ne address list. The addresses can be grouped into an Exter nal address group.
244 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 2 Add a new address group to the interface to which L2TP clients co nnect. This can be an interface, VLAN subinterfa ce, or zone.
PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 245 Configuring a Windows 2000 client for L2TP Use the following p rocedure to co nfigure a clie nt computer running Wi ndows 2000 s o that it can connect to a FortiGate L2TP VPN.
246 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN 8 Add the following registry value to this key: Value Name: ProhibitIpSec Data Type: REG_DWORD Value: 1 9 Save your changes and rest art the computer for the changes to t ake ef fect.
PPTP and L2TP VPN Configuring L2TP FortiGate-400 Installation and Configuration Guide 247 5 Select Advanced to configure ad vanced settings. 6 Select Settings. 7 Select Challenge Handshake Authen tication Protocol (CHAP). 8 Make sure that none of the other settings are selected.
248 Fortinet Inc. Configuring L2TP PPTP and L2TP VPN Connecting to the L2TP VPN 1 Connect to your ISP . 2 S tart the VPN connection that yo u co nfigured in the previous pr ocedure.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 249 Network Intrusion Detection System (NIDS) The FortiGat e NIDS is a re al-ti.
250 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Selecting the interfaces to monitor 1 Go to NIDS > Detection > General . 2 Select the interfaces to monitor for ne twork attacks. Y ou can select up to 4 interfaces and VLAN subinterfaces.
Network Intrusion Detection S ystem (NIDS) Detecting attacks FortiGate-400 Installation and Configuration Guide 251 Viewing the signature list T o display the current list of NIDS signature group s and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List .
252 Fortinet Inc. Detecting attacks Netw ork Intrusion Detection System ( NIDS) Enabling and disabling NI DS attack signatures By default, all NIDS attack signatures ar e enabled . Y ou can use the NIDS signature list to disable detection of some atta cks.
Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-400 Installation and Configuration Guide 253 Figure 35: Example user -defined si gnature list Downloading the user-defined signature list Y ou can back up the user-defined signature lis t by downloading it to a text file on the management compu ter .
254 Fortinet Inc. Preventing attacks Network Intrusion Detection System (NIDS) Enabling NIDS attack prevention signatures The NIDS Prevention mo dule contain s signat ures that are designed to protect you r network against attacks. Some signatures are enabled by defa ult; others must be enabled.
Network Intrusion Detection S ystem (NIDS) Preventing attacks FortiGate-400 Installation and Configuration Guide 255 For example, setting the icmpflood signat ure threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies.
256 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS) Configuring synflood signature values For synflood signatures, yo u can set the thre shold, queu e size, and keep alive values. 1 Go to NIDS > Prevention . 2 Select Modify for the synflood signature.
Network Intrusion Detection System (NIDS) Logging attacks FortiGate-400 Installation and Configuration Guide 257 Reducing the number of NIDS attack log and email messages Intrusion attempt s may generate an excessive number of attack messages.
258 Fortinet Inc. Logging attacks Network Intrusion Detection System (NIDS).
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 259 Antivirus protection Antivirus protection is enabled in fire wall policies. When you enable antivirus protection for a firewall polic y , you select a content profile that controls how the antivirus protection behaves.
260 Fortinet Inc. Antivirus scanning Antivirus protection 6 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file.
Antivirus protection File blocking FortiGate-400 Installation and Configuration Guide 261 Figure 37: Example content profile for virus scan ning File blocking Enable file blocking to remove all files that pose a potential threat and to provide the best protection fr om active computer virus attacks.
262 Fortinet Inc. File blocking Antivirus protection By default, w hen blocki ng is enabled, the FortiG ate unit bl ocks the follo wing file patterns: • executable files (*.bat, *.com, and *.exe) • compressed or archive files (*.gz, *.rar , *.tar , *.
Antivirus protection Quarantine FortiGate-400 Installation and Configuration Guide 263 Quarantine FortiGate w ith hard dis ks can be co nfigur ed to quarantine blocked or infected files. The quarantined file s are removed from the content str eam and stored on the FortiGate hard disk.
264 Fortinet Inc. Quarantine Antivirus protection Viewing the qua rantine list 1 Go to Anti-Virus > Quaran tine . The quarantine list provides the following information.
Antivirus protection Quarantine FortiGate-400 Installation and Configuration Guide 265 Filtering the quarantine list Y ou can filter the quarantine list to: • Display only blocked files • Display .
266 Fortinet Inc. Blocking oversized files and emails Antivirus protection Blocking oversized files and emails Y ou can configure the FortiGate unit to buff er 1 to 15 percent of available memory to store oversized files and email.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 267 W eb filtering Web filtering is enabled in firewall policies. When you enable Anti-V irus & Web filter in a firewall policy , you select a content profile that controls how we b filtering behaves for HTTP traffic.
268 Fortinet Inc. Content blocking Web filtering 4 Configure the messages that users rec eive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 164 . 5 Configure the FortiGate unit to send an alert email when it blocks or delet es an infected file.
Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 269 Figure 38: Exam ple banned w ord list URL blocking Y ou can block the unwanted web URLs usin g both the F ortiGate we b filter and the Cerberian web filter .
270 Fortinet Inc. URL blocking Web filtering 3 T ype the URL/Pattern to block. T ype a top-level URL or IP address to block access to all pages on a website.
Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 271 Downloading the URL block list Y ou can back up the URL block list by downloading it to a text file on the management computer . 1 Go to Web Filter > URL Block . 2 Select Download URL Block List .
272 Fortinet Inc. URL blocking Web filtering Using the Cer berian web fi lter The FortiGate unit support s Cerberian web filtering. For information about Cer berian web filter , see www .
Web filtering URL blocking FortiGate-400 Installation and Configuration Guide 273 2 Select Cerberian URL Filtering. 3 Select New . 4 Enter the IP address and netmask of the user comp uters. Y ou can enter the IP address of a single user . For example, 192.
274 Fortinet Inc. Script filtering Web filtering 3 Select the Cerberian URL Filtering option. 4 Go to Firewall > Content Profile. 5 Create a new or select an existing c o ntent profile and enable W eb URL Block. 6 Go to Firewall > Polic y . 7 Create a new or select an existing policy that will use the content profile.
Web filtering Exempt URL list FortiGate-400 Installation and Configuration Guide 275 Figure 41: Example script filter setting s to block Java applets and ActiveX Exempt URL list Add URLs to the exempt URL list to allow legitimate traf fic that might otherwise be blocked by content or URL blocking.
276 Fortinet Inc. Exempt URL list Web filtering 5 Select OK to add the URL to the exempt URL list. Y ou can enter multiple URLs and then select Check All to activa te all items in the exempt UR L list. Each page of the exempt URL list displays 100 URLs.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 277 Email filter Email filtering is enabled in firewall policies.
278 Fortinet Inc. Email banned word list Email filter Email banned word list When the FortiGate unit detect s email that contai ns a word or phrase in the banne d word list, the FortiGate unit adds a t ag to the subject line of the email and writes a message to the event log.
Email filter Email block list FortiGate-400 Installation and Configuration Guide 279 Email block list Y ou can configure the FortiGate unit to ta g all IMAP and POP3 protocol tra ffic sent from unwanted email addresse s.
280 Fortinet Inc. Adding a subject tag Email filter Adding address patterns to the email exempt list 1 Go to Email Filter > Exempt List . 2 Select New to add an address pattern to the em ail exempt list. 3 T ype the address pattern to ex empt. • T o exempt email sent from a specific email add ress, type the email address.
FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 FortiGate-400 Installation and Configuration Guide 281 Logging and reporting Y ou can configure the FortiGate unit to log network activity from routine configuration changes and traf fic sessions to emergency event s.
282 Fortinet Inc. Recording logs Logging and reporting This section describes: • Recording logs on a remote computer • Recording logs on a NetIQ W ebT rends server • Recording logs on the FortiG.
Logging and repo rting Recording logs FortiGate-400 Installation and Configuration Guide 283 4 Select the severity leve l for which you want to record log messages. The FortiGate will log all levels of severity down to but not lower than the level you choose.
284 Fortinet Inc. Filtering log me ssages Logging and reporting Recording logs in system memory If your Fo rtiGate unit does not contain a hard disk , you can use the fo llowing procedure to configure the FortiGate unit to rese rve some system memory for storing current event, at tack, antivirus , web filter and email filter log messages.
Logging and repo rting Filtering log me ssages FortiGate-400 Installation and Configuration Guide 285 4 Select the message categories that you wa nt the FortiGa te unit to record if you selected Event Log, V irus Log, Web Filter ing Log, Att ack Log, Email Filter Log, or Update in step 3 .
286 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Configuring traffic logging Y ou can configure the FortiGate unit to reco rd traffic log messages for connections to: • Any interface • Any VLAN subinterface • Any firewall policy The FortiGate unit can filter traf fic logs for any source and destination address and service.
Logging and repo rting Configuring traffic loggi ng FortiGate-400 Installation and Configuration Guide 287 5 Repeat this procedure for each VLAN subinterface fo r which you want to enable logging.
288 Fortinet Inc. Configuring traffic loggi ng Logging and reporting Adding traffic filter entries Add entries to the traffic filter list to filter the messages that are recorded in the traf fic log. If you do not add any entries to the tr affic filte r list, the FortiGate records all traf fic log messages.
Logging and repo rting Viewing logs saved to memory FortiGate-400 Installation and Configuration Guide 289 V iewing logs saved to memory If the FortiGate is configured to save log messages in system memory , you can use the web-based manager to view , search, and clear the log message s.
290 Fortinet Inc. Viewing and managing logs saved to the hard disk Logging and reporting V iewing and managing logs saved to the hard disk If your FortiGate unit cont ains a hard disk for recording lo.
Logging and reporting Viewing and managing logs saved to the hard disk FortiGate-400 Installation and Configuration Guide 291 8 Select OK to run the sear ch. The web-based man ager displays the messa ges that match th e search criteria. Y ou can scroll throug h the message s or run another se arch.
292 Fortinet Inc. Configu ring aler t email Logging and reporting Deleting a saved log file Use the follo wing proced ure to delete a saved log file: 1 Go to Log&Report > Logging . 2 Select Traf fic Log, Event Log, Attack log, Ant ivirus Log, Web Filter Log, or Email Filter Log.
Logging and repo rting Configu ring aler t email FortiGate-400 Installation and Configuration Guide 293 6 T ype up to three destination email ad dresses in the Email T o fields. These are the actual email addresse s to wh ich the FortiGate unit sends alert email.
294 Fortinet Inc. Configu ring aler t email Logging and reporting.
FortiGate-400 Installation and Configuration Guide 295 FortiGate-400 Inst allation and Configuration Guide V ersion 2.50 MR2 Glossary Connection : A link between machines, applications, processes, and so on t hat can be logical, phys ical, or both.
296 Fortinet Inc. Glossary LAN, Local Area Network : A computer n etwork that spans a relatively small area. Most LANs connect worksta tions and personal computers. Each computer on a LAN is able to ac cess data and devices a nywhere on the LAN. This means that many users can share data as well as physical re sources such as printers.
Glossary FortiGate-400 Installation and Configuration Guide 297 SSH , Secure shell : A secure T elnet replacement that you can use to log into another computer over a network and run commands. SSH provides str ong secure authentication and secure communications over insecure channels.
298 Fortinet Inc. Glossary.
FortiGate-400 Installation and Configuration Guide 299 FortiGate-400 Inst allation and Co nfiguration Guide V ersion 2.50 MR2 Index Numerics 4/HA configuring for HA 77, 82 A accept policy 174 action p.
300 Fortinet Inc. Index AutoIKE 210 certificates 21 0 introduction 210 pre-shared keys 210 automatic antivirus and attack definition updates configuring 118 B backing up system settings 108 bandwidth .
Index FortiGate-400 Installation and Configuration Guide 301 E email alert testing 293 email filter log 285 enabling policy 178 encrypt policy 174 encrypt policy allow inbound 175 allow outbound 175 I.
302 Fortinet Inc. Index HTTPS 20, 139, 183, 295 I ICMP 183, 295 configuring checksum verification 250 idle timeout web-based manager 158 IDS log viewing 289 IKE 295 IMAP 183, 295 Inbound NAT encrypt p.
Index FortiGate-400 Installation and Configuration Guide 303 loggin g 21, 281 attack log 284 configuring traffic settings 286, 287 deleting all messages 291 deleting log files 292 downloading log file.
304 Fortinet Inc. Index ping management access 139 policy accept 174 Anti-Virus & Web filter 176 arranging in policy list 177 Comments 177 deny 174 disabling 178 enabling 178 enabling authenticati.
Index FortiGate-400 Installation and Configuration Guide 305 RMA registering a FortiGate unit 131 route adding default 143 adding to routing table 143 adding to routing table (Transparent mode) 145 de.
306 Fortinet Inc. Index system settings backing up 108 restoring 108 restoring to factory default 108 system status 93, 149 system status monitor 110, 111, 112, 113 T TCP configuring checksum verifica.
Index FortiGate-400 Installation and Configuration Guide 307 virus definitions updating 115, 119 virus incidents enabling alert email 293 virus list displaying 266 viewing 266 virus log 284 virus prot.
308 Fortinet Inc. Index.
デバイスFortinet FortiGate 400の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
Fortinet FortiGate 400をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはFortinet FortiGate 400の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。Fortinet FortiGate 400の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。Fortinet FortiGate 400で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
Fortinet FortiGate 400を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はFortinet FortiGate 400の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、Fortinet FortiGate 400に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちFortinet FortiGate 400デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。