Installation Instruction

Table of Contents

Introduction
About the FortiGate units
FortiGate-3000
FortiGate-3600
Register your FortiGate unit
Fortinet Family Products
FortiGuard Subscription Services
FortiClient
FortiMail
FortiAnalyzer
FortiReporter
FortiBridge
FortiManager
About this document
Document conventions
Typographic conventions
FortiGate documentation
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Comments on Fortinet technical documentation
Customer service and technical support
Installing the FortiGate unit
Package Contents
FortiGate-3000
Mounting
FortiGate-3600
Mounting
Air Flow
Mechanical loading
Powering on the FortiGate unit
Powering off the FortiGate unit
Connecting the FortiGate unit
Web-based manager
Front control buttons and LCD
Command line interface
Connecting to the web-based manager
Connecting to the web-based manager using port 1
Connecting to the web-based manager using the internal interface
System Dashboard
Connecting to the CLI
LCD front control buttons
Using the front control buttons and LCD
Factory defaults
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default protection profiles
Restoring the default settings
Restoring the default settings using the web-based manager
Restoring the default settings using the CLI
Configuring the FortiGate unit
Planning the FortiGate configuration
NAT/Route mode
NAT/Route mode with multiple external network connections
Transparent mode
Preventing the public FortiGate interface from responding to ping requests
NAT/Route mode installation
Preparing to configure the FortiGate unit in NAT/Route mode
DHCP or PPPoE configuration
Using the web-based manager
Configuring basic settings
Adding a default route
Verifying the web-based manager configuration
Verify the connection
Using the front control buttons and LCD
Adding a default gateway using the LCD
Verifying the front control buttons and LCD configuration
Verify the connection
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Adding a default route
Verifying the CLI configuration
Verify the connection
Connecting the FortiGate unit to the network(s)
Configuring the networks
Transparent mode installation
Preparing to configure Transparent mode
Using the web-based manager
Using the front control buttons and LCD
Adding a default gateway using the LCD
Verifying the front control buttons and LCD configuration
Verify connection
Using the command line interface
Reconnecting to the web-based manager
Connecting the FortiGate unit to your network
Verify the connection
Next steps
Set the date and time
Updating antivirus and IPS signatures
Updating antivirus and IPS signatures from the web-based manager
Updating the IPS signatures from the CLI
Scheduling antivirus and IPS updates
Adding an override server
FortiGate Firmware
Upgrading to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Reverting to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Installing firmware images from a system reboot using the CLI
Restoring the previous configuration
Testing a new firmware image before installing it
Index: A, C, D, F, L, M, N, P, R, S, T, U, V, W

Size: 1.33 MB, Pages: 66, Language: English

User Guide

Table of Contents

Introduction
About FortiGate Antivirus Firewalls
Antivirus protection
Web content filtering
Spam filtering
Firewall
NAT/Route mode
Transparent mode
VLANs and virtual domains
Intrusion Prevention System (IPS)
VPN
High availability
Secure installation, configuration, and management
Web-based manager
Command line interface
Logging and reporting
Document conventions
FortiGate documentation
Comments on Fortinet technical documentation
Related documentation
FortiManager documentation
FortiClient documentation
FortiMail documentation
FortiLog documentation
Customer service and technical support
System status
Console access
Status
Viewing system status
System status
Unit Information
Recent Virus Detections
Interface Status
System Resources
History
Recent Intrusion Detections
Changing unit information
Session list
Changing the FortiGate firmware
Upgrading to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Reverting to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Installing firmware images from a system reboot using the CLI
Restoring the previous configuration
Testing a new firmware image before installing it
Installing and using a backup firmware image
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
System network
Interface
Interface settings
Name
Interface
VLAN ID
Virtual Domain
Addressing mode
Manual
DHCP
PPPoE
DDNS
Ping server
Administrative access
MTU
Log
Configuring interfaces
Zone
Zone settings
Management
DNS
Routing table (Transparent Mode)
Routing table list
Transparent mode route settings
VLAN overview
FortiGate units and VLANs
VLANs in NAT/Route mode
Rules for VLAN IDs
Rules for VLAN IP addresses
Adding VLAN subinterfaces
VLANs in Transparent mode
Rules for VLAN IDs
Transparent mode virtual domains and VLANs
Transparent mode VLAN list
Transparent mode VLAN settings
FortiGate IPv6 support
System DHCP
Service
DHCP service settings
Server
DHCP server settings
Exclude range
DHCP exclude range settings
IP/MAC binding
DHCP IP/MAC binding settings
Dynamic IP
System config
System time
Options
HA
HA configuration
Standalone Mode
High Availability
Cluster Members
Mode
Group ID
Unit Priority
Override Master
Password
Schedule
Priorities of Heartbeat Device
Heartbeat device IP addresses
Monitor priorities
Configuring an HA cluster
Managing an HA cluster
SNMP
Configuring SNMP
SNMP community
FortiGate MIBs
FortiGate traps
Fortinet MIB fields
Replacement messages
Replacement messages list
Changing replacement messages
FortiManager
System administration
Administrators
Administrators list
Administrators options
Using trusted hosts
Access profiles
Access profile list
Access profile options
System maintenance
Backup and restore
Backing up and Restoring
Update center
Updating antivirus and attack definitions
Enabling push updates
Push updates when FortiGate IP addresses change
Enabling push updates through a NAT device
Support
Sending a bug report
Registering a FortiGate unit
Shutdown
System virtual domain
Virtual domain properties
Exclusive virtual domain properties
Shared configuration settings
Administration and management
Virtual domains
Adding a virtual domain
Selecting a virtual domain
Selecting a management virtual domain
Configuring virtual domains
Adding interfaces, VLAN subinterfaces, and zones to a virtual domain
Configuring routing for a virtual domain
Configuring firewall policies for a virtual domain
Configuring IPSec VPN for a virtual domain
Router
Static
Static route list
Static route options
Policy
Policy route list
Policy route options
RIP
General
Networks list
Networks options
Interface list
Interface options
Distribute list
Distribute list options
Offset list
Offset list options
Router objects
Access list
New access list
New access list entry
Prefix list
New Prefix list
New prefix list entry
Route-map list
New Route-map
Route-map list entry
Key chain list
New key chain
Key chain list entry
Monitor
Routing monitor list
CLI configuration
get router info ospf
Command syntax
Examples
get router info protocols
Command syntax
get router info rip
Command syntax
Examples
config router ospf
Command syntax pattern
Example
config area
config area command syntax pattern
Example
config filter-list
config filter-list command syntax pattern
Example
config range
config range command syntax pattern
Example
config virtual-link
config virtual link command syntax pattern
Example
config distribute-list
config distribute-list command syntax pattern
Example
config neighbor
config neighbor command syntax pattern
Example
config network
config network command syntax pattern
Example
config ospf-interface
config ospf-interface command syntax pattern
Example
config redistribute
config redistribute command syntax pattern
Example
config summary-address
config summary-address command syntax pattern
Example
config router static6
Command syntax pattern
Example
Firewall
Policy
How policy matching works
Policy list
Policy options
Advanced policy options
Authentication
Traffic Shaping
Differentiated Services
Comments
Configuring firewall policies
Policy CLI configuration
Command syntax pattern
Address
Address list
Address options
Configuring addresses
Address group list
Address group options
Configuring address groups
Service
Predefined service list
Custom service list
Custom service options
TCP and UDP custom service options
ICMP custom service options
IP custom service options
Configuring custom services
Service group list
Service group options
Configuring service groups
Schedule
One-time schedule list
One-time schedule options
Configuring one-time schedules
Recurring schedule list
Recurring schedule options
Configuring recurring schedules
Virtual IP
Virtual IP list
Virtual IP options
Configuring virtual IPs
IP pool
IP pool list
IP pool options
Configuring IP pools
IP Pools for firewall policies that use fixed ports
IP pools and dynamic NAT
Protection profile
Protection profile list
Default protection profiles
Protection profile options
Configuring antivirus options
Configuring web filtering options
Configuring web category filtering options
Configuring spam filtering options
Configuring IPS options
Configuring content archive options
Configuring protection profiles
CLI configuration
profile
Command syntax pattern
Users and authentication
Setting authentication timeout
Local
Local user list
Local user options
RADIUS
RADIUS server list
RADIUS server options
LDAP
LDAP server list
LDAP server options
User group
User group list
User group options
CLI configuration
peer
Command syntax pattern
Example
peergrp
Command syntax pattern
Example
VPN
Phase 1
Phase 1 list
Phase 1 basic settings
Phase 1 advanced options
Configuring XAuth
Phase 2
Phase 2 list
Phase 2 basic settings
Phase 2 advanced options
Manual key
Manual key list
Manual key options
Concentrator
Concentrator list
Concentrator options
Ping Generator
Ping generator options
Monitor
Dialup monitor
Static IP and dynamic DNS monitor
PPTP
Setting up a PPTP-based VPN
Enabling PPTP and specifying a PPTP range
Configuring a Windows 2000 client for PPTP
Configuring a Windows XP client for PPTP
PPTP passthrough
L2TP
Setting up a L2TP-based VPN
Enabling L2TP and specifying an L2TP range
Configuring a Windows 2000 client for L2TP
Configuring a Windows XP client for L2TP
Certificates
Viewing the certificate list
Generating a certificate request
Installing a signed certificate
Enabling VPN access for specific certificate holders
CLI configuration
ipsec phase1
Command syntax pattern
Example
ipsec phase2
Command syntax pattern
Example
ipsec vip
Command syntax pattern
Example
Authenticating peers with preshared keys
Gateway-to-gateway VPN
Dialup VPN
Dynamic DNS VPN
Manual key IPSec VPN
Adding firewall policies for IPSec VPN tunnels
Setting the encryption policy direction
Setting the source address for encrypted traffic
Setting the destination address for encrypted traffic
Adding an IPSec firewall encryption policy
Internet browsing through a VPN tunnel
Configuring Internet browsing through a VPN tunnel
IPSec VPN in Transparent mode
Special rules
Hub and spoke VPNs
Configuring the hub
Adding a VPN concentrator
Configuring spokes
Redundant IPSec VPNs
Configuring redundant IPSec VPNs
Configuring IPSec virtual IP addresses
Troubleshooting
IPS
Protection profile configuration
IPS updates and information
Signature
Predefined
Predefined signature list
Configuring predefined signatures
Configuring parameters for dissector signatures
Custom
Custom signature list
Adding custom signatures
Backing up and restoring custom signature files
Anomaly
Anomaly list
Configuring an anomaly
Anomaly CLI configuration
(config ips anomaly) config limit
Command syntax pattern
Example
Configuring IPS logging and alert email
Default fail open setting
Antivirus
Protection profile configuration
Order of antivirus operations
Virus list updates and information
File block
File block list
Configuring the file block list
Quarantine
Quarantined files list
Quarantined files list options
AutoSubmit list
AutoSubmit list options
Configuring the AutoSubmit list
Config
Config
Virus list
Config
Grayware
Grayware options
CLI configuration
system global av_failopen
Command syntax pattern
Example
system global optimize
Command syntax pattern
Example
heuristic
Command syntax pattern
Example
quarantine
Command syntax pattern
antivirus quarantine command keywords and variables
service http
Command syntax pattern
Example
service ftp
Command syntax pattern
Example
service pop3
Command syntax pattern
Example
service imap
Command syntax pattern
Example
service smtp
Command syntax pattern
Example
Web filter
Protection profile configuration
Order of web filter operations
Content block
Web content block list
Web content block options
Configuring the web content block list
URL block
Web URL block list
Web URL block options
Configuring the web URL block list
Web pattern block list
Web pattern block options
Configuring web pattern block
URL exempt
URL exempt list
URL exempt list options
Configuring URL exempt
Category block
FortiGuard managed web filtering service
FortiGuard categories and ratings
FortiGuard Service Points
FortiGuard licensing
FortiGuard configuration
Category block configuration options
Configuring web category block
Category block reports
Category block reports options
Generating a category block report
Category block CLI configuration
Command syntax pattern
Example
Script filter
Web script filter options
Spam filter
Protection profile configuration
Order of spam filter operations
FortiShield IP address black list and spam filter
IP address
IP address list
IP address options
Configuring the IP address list
RBL & ORDBL
RBL & ORDBL list
RBL & ORDBL options
Configuring the RBL & ORDBL list
Email address
Email address list
Email address options
Configuring the email address list
MIME headers
MIME headers list
MIME headers options
Configuring the MIME headers list
Banned word
Banned word list
Banned word options
Configuring the banned word list
Using Perl regular expressions
Regular expression vs. wildcard match pattern
Word boundary
Case sensitivity
Examples
Log & Report
Log config
Log Setting options
FortiLog settings
Disk settings
Memory settings
Syslog settings
WebTrends settings
Alert E-mail options
Log filter options
Traffic log
Event log
Anti-virus log
Web filter log
Attack log
Spam filter log
Configuring log filters
Enabling traffic logging
Log access
Disk log file access
Viewing log messages
Choosing columns
Searching log messages
CLI configuration
fortilog setting
Command syntax pattern
Example
syslogd setting
Command syntax pattern
Example
FortiGuard categories
FortiGate maximum values
Glossary
Index

Size: 4.87 MB, Pages: 394, Language: English