Installation instructions

Table of contents

Table of Contents
Introduction
  NAT/Route mode and Transparent mode
  NAT/Route mode
  Transparent mode
  About this document
  Document conventions
  Fortinet documentation
  Comments on Fortinet technical documentation
  Customer service and technical support
Getting started
  Package contents
  Mounting
  Dimensions
  Weight
  Power requirements
  Environmental specifications
  Powering on
  Connecting to the web-based manager
  Connecting to the command line interface (CLI)
  Factory default FortiGate configuration settings
  Factory Default DHCP configuration
  Factory default NAT/Route mode network configuration
  Factory default Transparent mode network configuration
  Factory default firewall configuration
  Factory default content profiles
  Strict content profile
  Scan content profile
  Web content profile
  Unfiltered content profile
  Planning your FortiGate configuration
  NAT/Route mode
  Transparent mode
  Configuration options
  Setup Wizard
  CLI
  FortiGate model maximum values matrix
  Next steps
NAT/Route mode installation
  Installing the FortiGate unit using the default configuration
  Changing the default configuration
  Preparing to configure NAT/Route mode
  Advanced NAT/Route mode settings
  Using the setup wizard
  Starting the setup wizard
  Reconnecting to the web-based manager
  Using the command line interface
  Configuring the FortiGate unit to operate in NAT/Route mode
  Configuring NAT/Route mode IP addresses
  Connecting the FortiGate unit to your networks
  Configuring your networks
  Completing the configuration
  Setting the date and time
  Changing antivirus protection
  Registering your FortiGate
  Configuring virus and attack definition updates
Transparent mode installation
  Preparing to configure Transparent mode
  Using the setup wizard
  Changing to Transparent mode
  Starting the setup wizard
  Reconnecting to the web-based manager
  Using the command line interface
  Changing to Transparent mode
  Configuring the Transparent mode management IP address
  Configure the Transparent mode default gateway
  Connecting the FortiGate unit to your networks
  Completing the configuration
  Setting the date and time
  Enabling antivirus protection
  Registering your FortiGate
  Configuring virus and attack definition updates
  Transparent mode configuration examples
  Default routes and static routes
  Example default route to an external network
  General configuration steps
  Web-based manager example configuration steps
  CLI configuration steps
  Example static route to an external destination
  General configuration steps
  Web-based manager example configuration steps
  CLI configuration steps
  Example static route to an internal destination
  General configuration steps
  Web-based manager example configuration steps
  CLI configuration steps
System status
  Changing the FortiGate host name
  Changing the FortiGate firmware
  Upgrade to a new firmware version
  Upgrading the firmware using the web-based manager
  Upgrading the firmware using the CLI
  Revert to a previous firmware version
  Reverting to a previous firmware version using the web-based manager
  Reverting to a previous firmware version using the CLI
  Install a firmware image from a system reboot using the CLI
  Test a new firmware image before installing it
  Manual virus definition updates
  Manual attack definition updates
  Displaying the FortiGate serial number
  Displaying the FortiGate up time
  Backing up system settings
  Restoring system settings
  Restoring system settings to factory defaults
  Changing to Transparent mode
  Changing to NAT/Route mode
  Restarting the FortiGate unit
  Shutting down the FortiGate unit
  System status
  Viewing CPU and memory status
  Viewing sessions and network status
  Viewing virus and intrusions status
  Session list
Virus and attack definitions updates and registration
  Updating antivirus and attack definitions
  Connecting to the FortiResponse Distribution Network
  Configuring scheduled updates
  Configuring update logging
  Adding an override server
  Manually updating antivirus and attack definitions
  Configuring push updates
  To enable push updates
  About push updates
  Push updates and external dynamic IP addresses
  Push updates through a NAT device
  Example: push updates through a NAT device
  Scheduled updates through a proxy server
  Registering FortiGate units
  FortiCare Service Contracts
  Registering the FortiGate unit
  Updating registration information
  Recovering a lost Fortinet support password
  Viewing the list of registered FortiGate units
  Registering a new FortiGate unit
  Adding or changing a FortiCare Support Contract number
  Changing your Fortinet support password
  Changing your contact information or security question
  Downloading virus and attack definitions updates
  Registering a FortiGate unit after an RMA
Network configuration
  Configuring interfaces
  Viewing the interface list
  Bringing up an interface
  Changing an interface static IP address
  Adding a secondary IP address to an interface
  Adding a ping server to an interface
  Controlling management access to an interface
  Configuring traffic logging for connections to an interface
  Configuring the external interface with a static IP address
  Configuring the external interface for DHCP
  Configuring the external interface for PPPoE
  Changing the external interface MTU size to improve network performance
  Configuring the management interface (Transparent mode)
  Adding DNS server IP addresses
  Configuring routing
  Adding a default route
  Adding destination-based routes to the routing table
  Adding routes in Transparent mode
  Configuring the routing table
  Policy routing
  Policy routing command syntax
  Providing DHCP services to your internal network
  Viewing the dynamic IP list
System configuration
  Setting system date and time
  Changing web-based manager options
  Adding and editing administrator accounts
  Adding new administrator accounts
  Editing administrator accounts
  Configuring SNMP
  Configuring the FortiGate unit for SNMP monitoring
  Configuring FortiGate SNMP support
  FortiGate MIBs
  FortiGate traps
  Customizing replacement messages
  Customizing replacement messages
  Customizing alert emails
Firewall configuration
  Default firewall configuration
  Addresses
  Services
  Schedules
  Content profiles
  Adding firewall policies
  Firewall policy options
  Source
  Destination
  Schedule
  Service
  Action
  NAT
  VPN Tunnel
  Traffic Shaping
  Authentication
  Anti-Virus & Web filter
  Log Traffic
  Comments
  Configuring policy lists
  Policy matching in detail
  Changing the order of policies in a policy list
  Enabling and disabling policies
  Disabling a policy
  Enabling a policy
  Addresses
  Adding addresses
  Editing addresses
  Deleting addresses
  Organizing addresses into address groups
  Services
  Predefined services
  Providing access to custom services
  Grouping services
  Schedules
  Creating one-time schedules
  Creating recurring schedules
  Adding a schedule to a policy
  Virtual IPs
  Adding static NAT virtual IPs
  Adding port forwarding virtual IPs
  Adding policies with virtual IPs
  IP pools
  Adding an IP pool
  IP Pools for firewall policies that use fixed ports
  IP pools and dynamic NAT
  IP/MAC binding
  Configuring IP/MAC binding for packets going through the firewall
  Configuring IP/MAC binding for packets going to the firewall
  Adding IP/MAC addresses
  Viewing the dynamic IP/MAC list
  Enabling IP/MAC binding
  Content profiles
  Default content profiles
  Adding a content profile
  Adding a content profile to a policy
Users and authentication
  Setting authentication timeout
  Adding user names and configuring authentication
  Adding user names and configuring authentication
  Deleting user names from the internal database
  Configuring RADIUS support
  Adding RADIUS servers
  Deleting RADIUS servers
  Configuring LDAP support
  Adding LDAP servers
  Deleting LDAP servers
  Configuring user groups
  Adding user groups
  Deleting user groups
IPSec VPN
  Key management
  Manual Keys
  Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
  AutoIKE with pre-shared keys
  AutoIKE with certificates
  Manual key IPSec VPNs
  General configuration steps for a manual key VPN
  Adding a manual key VPN tunnel
  AutoIKE IPSec VPNs
  General configuration steps for an AutoIKE VPN
  Adding a phase 1 configuration for an AutoIKE VPN
  Adding a phase 2 configuration for an AutoIKE VPN
  Managing digital certificates
  Obtaining a signed local certificate
  Generating the certificate request
  Downloading the certificate request
  Requesting the signed local certificate
  Retrieving the signed local certificate
  Importing the signed local certificate
  Obtaining a CA certificate
  Retrieving a CA certificate
  Importing a CA certificate
  Configuring encrypt policies
  Adding a source address
  Adding a destination address
  Adding an encrypt policy
  IPSec VPN concentrators
  VPN concentrator (hub) general configuration steps
  Adding a VPN concentrator
  VPN spoke general configuration steps
  Redundant IPSec VPNs
  Configuring redundant IPSec VPN
  Monitoring and Troubleshooting VPNs
  Viewing VPN tunnel status
  Viewing dialup VPN connection status
  Testing a VPN
PPTP and L2TP VPN
  Configuring PPTP
  Configuring the FortiGate unit as a PPTP gateway
  Adding users and user groups
  Enabling PPTP and specifying an address range
  Adding a source address
  Adding an address group
  Adding a destination address
  Adding a firewall policy
  Configuring a Windows 98 client for PPTP
  Installing PPTP support
  Configuring a PPTP dialup connection
  Connecting to the PPTP VPN
  Configuring a Windows 2000 client for PPTP
  Configuring a PPTP dialup connection
  Connecting to the PPTP VPN
  Configuring a Windows XP client for PPTP
  Configuring a PPTP dialup connection
  Configuring the VPN connection
  Connecting to the PPTP VPN
  Configuring L2TP
  Configuring the FortiGate unit as a L2TP gateway
  Adding users and user groups
  Enabling L2TP and specifying an address range
  Adding a source address
  Adding an address group
  Adding a destination address
  Adding a firewall policy
  Configuring a Windows 2000 client for L2TP
  Configuring an L2TP dialup connection
  Disabling IPSec
  Connecting to the L2TP VPN
  Configuring a Windows XP client for L2TP
  Configuring an L2TP VPN dialup connection
  Configuring the VPN connection
  Disabling IPSec
  Connecting to the L2TP VPN
Network Intrusion Detection System (NIDS)
  Detecting attacks
  Selecting the interfaces to monitor
  Disabling the NIDS
  Configuring checksum verification
  Viewing the signature list
  Viewing attack descriptions
  Enabling and disabling NIDS attack signatures
  Adding user-defined signatures
  Downloading the user-defined signature list
  Preventing attacks
  Enabling NIDS attack prevention
  Enabling NIDS attack prevention signatures
  Setting signature threshold values
  Configuring synflood signature values
  Logging attacks
  Logging attack messages to the attack log
  Reducing the number of NIDS attack log and email messages
  Automatic message reduction
  Manual message reduction
Antivirus protection
  General configuration steps
  Antivirus scanning
  File blocking
  Blocking files in firewall traffic
  Adding file patterns to block
  Blocking oversized files and emails
  Configuring limits for oversized files and email
  Exempting fragmented email from blocking
  Viewing the virus list
Web filtering
  General configuration steps
  Content blocking
  Adding words and phrases to the banned word list
  URL blocking
  Using the FortiGate web filter
  Adding URLs or URL patterns to the block list
  Clearing the URL block list
  Downloading the URL block list
  Uploading a URL block list
  Using the Cerberian web filter
  General configuration steps
  Installing a Cerberian license key on the FortiGate unit
  Adding a Cerberian user to the FortiGate unit
  Configuring Cerberian web filter
  Enabling Cerberian URL filtering
  Script filtering
  Enabling the script filter
  Selecting script filter options
  Exempt URL list
  Adding URLs to the exempt URL list
Email filter
  General configuration steps
  Email banned word list
  Adding words and phrases to the banned word list
  Email block list
  Adding address patterns to the email block list
  Email exempt list
  Adding address patterns to the email exempt list
  Adding a subject tag
Logging and reporting
  Recording logs
  Recording logs on a remote computer
  Recording logs on a NetIQ WebTrends server
  Filtering log messages
  Configuring traffic logging
  Enabling traffic logging
  Enabling traffic logging for an interface
  Enabling traffic logging for a firewall policy
  Configuring traffic filter settings
  Adding traffic filter entries
  Configuring alert email
  Adding alert email addresses
  Testing alert email
  Enabling alert email
Glossary
Index

Size: 3.74 MB
Pages: 240
Language: English