User Manual

Table of Contents

Introduction
  NAT/Route mode and Transparent mode
  NAT/Route mode
  Transparent mode
  Document conventions
  Fortinet documentation
  Comments on Fortinet technical documentation
  Customer service and technical support

Getting started
  Package contents
  Mounting
  Dimensions
  Weight
  Power requirements
  Environmental specifications
  Powering on
  Connecting to the web-based manager
  Connecting to the command line interface (CLI)
  Factory default FortiGate configuration settings
  Factory default DHCP configuration
  Factory default NAT/Route mode network configuration
  Factory default Transparent mode network configuration
  Factory default firewall configuration
  Factory default content profiles
  Strict content profile
  Scan content profile
  Web content profile
  Unfiltered content profile
  Planning the FortiGate configuration
  NAT/Route mode
  Transparent mode
  Configuration options
  Setup wizard
  CLI
  FortiGate model maximum values matrix
  Next steps

NAT/Route mode installation
  Installing the FortiGate unit using the default configuration
  Changing the default configuration
  Preparing to configure NAT/Route mode
  Advanced NAT/Route mode settings
  Using the setup wizard
  Starting the setup wizard
  Reconnecting to the web-based manager
  Using the command line interface
  Configuring the FortiGate unit to operate in NAT/Route mode
  Configuring NAT/Route mode IP addresses
  Connecting the FortiGate unit to your networks
  Configuring your networks
  Completing the configuration
  Setting the date and time
  Changing antivirus protection
  Registering your FortiGate unit
  Configuring virus and attack definition updates

Transparent mode installation
  Preparing to configure Transparent mode
  Using the setup wizard
  Changing to Transparent mode
  Starting the setup wizard
  Reconnecting to the web-based manager
  Using the command line interface
  Changing to Transparent mode
  Configuring the Transparent mode management IP address
  Configure the Transparent mode default gateway
  Connecting the FortiGate unit to your networks
  Completing the configuration
  Setting the date and time
  Enabling antivirus protection
  Registering your FortiGate
  Configuring virus and attack definition updates
  Transparent mode configuration examples
  Default routes and static routes
  Example default route to an external network
  General configuration steps
  Web-based manager example configuration steps
  CLI configuration steps
  Example static route to an external destination
  General configuration steps
  Web-based manager example configuration steps
  CLI configuration steps
  Example static route to an internal destination
  General configuration steps
  Web-based manager example configuration steps
  CLI configuration steps

System status
  Changing the FortiGate host name
  Changing the FortiGate firmware
  Upgrading to a new firmware version
  Upgrading the firmware using the web-based manager
  Upgrading the firmware using the CLI
  Reverting to a previous firmware version
  Reverting to a previous firmware version using the web-based manager
  Reverting to a previous firmware version using the CLI
  Installing firmware images from a system reboot using the CLI
  Restoring the previous configuration
  Testing a new firmware image before installing it
  Manual virus definition updates
  Manual attack definition updates
  Displaying the FortiGate serial number
  Displaying the FortiGate up time
  Backing up system settings
  Restoring system settings
  Restoring system settings to factory defaults
  Changing to Transparent mode
  Changing to NAT/Route mode
  Restarting the FortiGate unit
  Shutting down the FortiGate unit
  System status
  Viewing CPU and memory status
  Viewing sessions and network status
  Viewing virus and intrusions status
  Session list

Virus and attack definitions updates and registration
  Updating antivirus and attack definitions
  Connecting to the FortiResponse Distribution Network
  Manually initiating antivirus and attack definitions updates
  Configuring update logging
  Scheduling updates
  Enabling scheduled updates
  Adding an override server
  Enabling scheduled updates through a proxy server
  Enabling push updates
  Enabling push updates
  Push updates when FortiGate IP addresses change
  Enabling push updates through a NAT device
  Example: push updates through a NAT device
  Adding a port forwarding virtual IP to the FortiGate NAT device
  Adding a firewall policy for the port forwarding virtual IP
  Configuring the FortiGate unit with an override push IP and port
  Registering FortiGate units
  FortiCare Service Contracts
  Registering the FortiGate unit
  Updating registration information
  Recovering a lost Fortinet support password
  Viewing the list of registered FortiGate units
  Registering a new FortiGate unit
  Adding or changing a FortiCare Support Contract number
  Changing your Fortinet support password
  Changing your contact information or security question
  Downloading virus and attack definitions updates
  Registering a FortiGate unit after an RMA

Network configuration
  Configuring interfaces
  Viewing the interface list
  Changing the administrative status of an interface
  Configuring an interface with a manual IP address
  Configuring an interface for DHCP
  Configuring an interface for PPPoE
  Adding a secondary IP address to an interface
  Adding a ping server to an interface
  Controlling administrative access to an interface
  Changing the MTU size to improve network performance
  Configuring traffic logging for connections to an interface
  Configuring the management interface in Transparent mode
  Adding DNS server IP addresses
  Configuring routing
  Adding a default route
  Adding destination-based routes to the routing table
  Adding routes in Transparent mode
  Configuring the routing table
  Policy routing
  Policy routing command syntax
  Configuring DHCP services
  Configuring a DHCP relay agent
  Configuring a DHCP server
  Adding a DHCP server to an interface
  Adding scopes to a DHCP server
  Adding a reserve IP to a DHCP server
  Viewing a DHCP server dynamic IP list
  Configuring the modem interface
  Connecting a modem to the FortiGate unit
  Configuring modem settings
  Connecting to a dialup account
  Disconnecting the modem
  Viewing modem status
  Backup mode configuration
  Standalone mode configuration
  Adding firewall policies for modem connections

RIP configuration
  RIP settings
  Configuring RIP for FortiGate interfaces
  Adding RIP filters
  Adding a RIP filter list
  Assigning a RIP filter list to the neighbors filter
  Assigning a RIP filter list to the incoming filter
  Assigning a RIP filter list to the outgoing filter

System configuration
  Setting system date and time
  Changing system options
  Modifying the Dead Gateway Detection settings
  Adding and editing administrator accounts
  Adding new administrator accounts
  Editing administrator accounts
  Configuring SNMP
  Configuring the FortiGate unit for SNMP monitoring
  Configuring FortiGate SNMP support
  Configuring SNMP access to an interface
  Configuring SNMP community settings
  FortiGate MIBs
  FortiGate traps
  General FortiGate traps
  System traps
  VPN traps
  NIDS traps
  Antivirus traps
  Logging traps
  Fortinet MIB fields
  System configuration and status
  Firewall configuration
  Users and authentication configuration
  VPN configuration and status
  NIDS configuration
  Antivirus configuration
  Web filter configuration
  Logging and reporting configuration
  Replacement messages
  Customizing replacement messages
  Customizing alert emails

Firewall configuration
  Default firewall configuration
  Addresses
  Services
  Schedules
  Content profiles
  Adding firewall policies
  Firewall policy options
  Source
  Destination
  Schedule
  Service
  Action
  NAT
  VPN Tunnel
  Traffic Shaping
  Authentication
  Anti-Virus & Web filter
  Log Traffic
  Comments
  Configuring policy lists
  Policy matching in detail
  Changing the order of policies in a policy list
  Enabling and disabling policies
  Disabling policies
  Enabling policies
  Addresses
  Adding addresses
  Editing addresses
  Deleting addresses
  Organizing addresses into address groups
  Services
  Predefined services
  Adding custom TCP and UDP services
  Adding custom ICMP services
  Adding custom IP services
  Grouping services
  Schedules
  Creating one-time schedules
  Creating recurring schedules
  Adding schedules to policies
  Virtual IPs
  Adding static NAT virtual IPs
  Adding port forwarding virtual IPs
  Adding policies with virtual IPs
  IP pools
  Adding an IP pool
  IP Pools for firewall policies that use fixed ports
  IP pools and dynamic NAT
  IP/MAC binding
  Configuring IP/MAC binding for packets going through the firewall
  Configuring IP/MAC binding for packets going to the firewall
  Adding IP/MAC addresses
  Viewing the dynamic IP/MAC list
  Enabling IP/MAC binding
  Content profiles
  Default content profiles
  Adding content profiles
  Adding content profiles to policies

Users and authentication
  Setting authentication timeout
  Adding user names and configuring authentication
  Adding user names and configuring authentication
  Deleting user names from the internal database
  Configuring RADIUS support
  Adding RADIUS servers
  Deleting RADIUS servers
  Configuring LDAP support
  Adding LDAP servers
  Deleting LDAP servers
  Configuring user groups
  Adding user groups
  Deleting user groups

IPSec VPN
  Key management
  Manual Keys
  Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
  AutoIKE with pre-shared keys
  AutoIKE with certificates
  Manual key IPSec VPNs
  General configuration steps for a manual key VPN
  Adding a manual key VPN tunnel
  AutoIKE IPSec VPNs
  General configuration steps for an AutoIKE VPN
  Adding a phase 1 configuration for an AutoIKE VPN
  Configuring advanced options
  Adding a phase 2 configuration for an AutoIKE VPN
  Managing digital certificates
  Obtaining a signed local certificate
  Generating the certificate request
  Downloading the certificate request
  Importing the signed local certificate
  Backing up and restoring the local certificate and private key
  Obtaining CA certificates
  Importing CA certificates
  Configuring encrypt policies
  Adding a source address
  Adding a destination address
  Adding an encrypt policy
  IPSec VPN concentrators
  VPN concentrator (hub) general configuration steps
  Adding a VPN concentrator
  VPN spoke general configuration steps
  Monitoring and Troubleshooting VPNs
  Viewing VPN tunnel status
  Viewing dialup VPN connection status
  Testing a VPN

PPTP and L2TP VPN
  Configuring PPTP
  Configuring the FortiGate unit as a PPTP gateway
  Configuring a Windows 98 client for PPTP
  Configuring a Windows 2000 client for PPTP
  Configuring a Windows XP client for PPTP
  Configuring L2TP
  Configuring the FortiGate unit as an L2TP gateway
  Configuring a Windows 2000 client for L2TP
  Configuring a Windows XP client for L2TP

Network Intrusion Detection System (NIDS)
  Detecting attacks
  Selecting the interfaces to monitor
  Disabling monitoring interfaces
  Configuring checksum verification
  Viewing the signature list
  Viewing attack descriptions
  Disabling NIDS attack signatures
  Adding user-defined signatures
  Downloading the user-defined signature list
  Preventing attacks
  Enabling NIDS attack prevention
  Enabling NIDS attack prevention signatures
  Setting signature threshold values
  Logging attacks
  Logging attack messages to the attack log
  Reducing the number of NIDS attack log and email messages
  Automatic message reduction
  Manual message reduction

Antivirus protection
  General configuration steps
  Antivirus scanning
  File blocking
  Blocking files in firewall traffic
  Adding file patterns to block
  Blocking oversized files and emails
  Configuring limits for oversized files and email
  Exempting fragmented email from blocking
  Viewing the virus list

Web filtering
  General configuration steps
  Content blocking
  Adding words and phrases to the Banned Word list
  Clearing the Banned Word list
  Backing up the Banned Word list
  Restoring the Banned Word list
  URL blocking
  Configuring FortiGate Web URL blocking
  Adding URLs to the Web URL block list
  Clearing the Web URL block list
  Downloading the Web URL block list
  Uploading a URL block list
  Configuring FortiGate Web pattern blocking
  Configuring Cerberian URL filtering
  Installing a Cerberian license key
  Adding a Cerberian user
  Configuring Cerberian web filter
  About the default group and policy
  Enabling Cerberian URL filtering
  Script filtering
  Enabling script filtering
  Selecting script filter options
  Exempt URL list
  Adding URLs to the URL Exempt list
  Downloading the URL Exempt List
  Uploading a URL Exempt List

Email filter
  General configuration steps
  Email banned word list
  Adding words and phrases to the email banned word list
  Downloading the email banned word list
  Uploading the email banned word list
  Email block list
  Adding address patterns to the email block list
  Downloading the email block list
  Uploading an email block list
  Email exempt list
  Adding address patterns to the email exempt list
  Adding a subject tag

Logging and reporting
  Recording logs
  Recording logs on a remote computer
  Recording logs on a NetIQ WebTrends server
  Log message levels
  Filtering log messages
  Configuring traffic logging
  Enabling traffic logging
  Enabling traffic logging for an interface
  Enabling traffic logging for a firewall policy
  Configuring traffic filter settings
  Adding traffic filter entries
  Configuring alert email
  Adding alert email addresses
  Testing alert email
  Enabling alert email

Glossary

Index

Size: 3.34 MB
Pages: 272
Language: English