Installation Instruction
Table of Contents
Table of Contents 3
Introduction 13
Antivirus protection 13
Web content filtering 14
Email filtering 14
Firewall 15
NAT/Route mode 15
Transparent mode 16
Network intrusion detection 16
VPN 16
Secure installation, configuration, and management 17
Web-based manager 17
Command line interface 18
Logging and reporting 19
What’s new in Version 2.50 19
System administration 19
Network configuration 19
Routing 19
DHCP server 20
RIP 20
SNMP 20
Replacement messages 20
Firewall 20
Users and authentication 20
VPN 20
NIDS 21
Antivirus 21
Web Filter 21
Email filter 21
Logging and Reporting 21
About this document 22
Document conventions 23
Fortinet documentation 24
Comments on Fortinet technical documentation 24
Customer service and technical support 25
Getting started 27
Package contents 28
Mounting 28
Dimensions 28
Weight 28
Power requirements 29
Environmental specifications 29
Powering on 29
Connecting to the web-based manager 30
Connecting to the command line interface (CLI) 31
Factory default FortiGate configuration settings 31
Factory Default DHCP configuration 32
Factory default NAT/Route mode network configuration 33
Factory default Transparent mode network configuration 33
Factory default firewall configuration 34
Factory default content profiles 35
Strict content profile 35
Scan content profile 36
Web content profile 36
Unfiltered content profile 37
Planning your FortiGate configuration 37
NAT/Route mode 37
Transparent mode 38
Configuration options 39
Setup Wizard 39
CLI 39
FortiGate model maximum values matrix 40
Next steps 41
NAT/Route mode installation 43
Installing the FortiGate unit using the default configuration 43
Changing the default configuration 44
Preparing to configure NAT/Route mode 44
Advanced NAT/Route mode settings 45
DMZ interface 45
Using the setup wizard 46
Starting the setup wizard 46
Reconnecting to the web-based manager 46
Using the command line interface 46
Configuring the FortiGate unit to operate in NAT/Route mode 46
Configuring NAT/Route mode IP addresses 46
Connecting the FortiGate unit to your networks 48
Configuring your networks 49
Completing the configuration 50
Configuring the DMZ interface 50
Configuring the WAN2 interface 50
Setting the date and time 50
Changing antivirus protection 50
Registering your FortiGate 51
Configuring virus and attack definition updates 51
Configuration example: Multiple connections to the Internet 51
Configuring Ping servers 52
Destination based routing examples 53
Primary and backup links to the Internet 53
Load sharing 54
Load sharing and primary and secondary connections 54
Policy routing examples 56
Routing traffic from internal subnets to different external networks 56
Routing a service to an external network 56
Firewall policy example 57
Adding a redundant default policy 57
Adding more firewall policies 57
Restricting access to a single Internet connection 58
Transparent mode installation 59
Preparing to configure Transparent mode 59
Using the setup wizard 60
Changing to Transparent mode 60
Starting the setup wizard 60
Reconnecting to the web-based manager 60
Using the command line interface 61
Changing to Transparent mode 61
Configuring the Transparent mode management IP address 61
Configure the Transparent mode default gateway 61
Connecting the FortiGate unit to your networks 62
Completing the configuration 63
Setting the date and time 63
Enabling antivirus protection 63
Registering your FortiGate 63
Configuring virus and attack definition updates 64
Transparent mode configuration examples 64
Default routes and static routes 64
Example default route to an external network 65
General configuration steps 66
Web-based manager example configuration steps 66
CLI configuration steps 66
Example static route to an external destination 66
General configuration steps 67
Web-based manager example configuration steps 68
CLI configuration steps 68
Example static route to an internal destination 69
General configuration steps 69
Web-based manager example configuration steps 70
CLI configuration steps 70
System status 71
Changing the FortiGate host name 72
Changing the FortiGate firmware 72
Upgrade to a new firmware version 73
Upgrading the firmware using the web-based manager 73
Upgrading the firmware using the CLI 73
Revert to a previous firmware version 74
Reverting to a previous firmware version using the web-based manager 74
Reverting to a previous firmware version using the CLI 75
Install a firmware image from a system reboot using the CLI 77
Test a new firmware image before installing it 79
Manual virus definition updates 81
Manual attack definition updates 82
Displaying the FortiGate serial number 82
Displaying the FortiGate up time 82
Backing up system settings 82
Restoring system settings 83
Restoring system settings to factory defaults 83
Changing to Transparent mode 83
Changing to NAT/Route mode 84
Restarting the FortiGate unit 84
Shutting down the FortiGate unit 84
System status 85
Viewing CPU and memory status 85
Viewing sessions and network status 86
Viewing virus and intrusions status 87
Session list 88
Virus and attack definitions updates and registration 89
Updating antivirus and attack definitions 89
Connecting to the FortiResponse Distribution Network 90
Configuring scheduled updates 91
Configuring update logging 92
Adding an override server 93
Manually updating antivirus and attack definitions 93
Configuring push updates 93
To enable push updates 94
About push updates 94
Push updates and WAN1 dynamic IP addresses 94
Push updates through a NAT device 94
Example: push updates through a NAT device 95
Scheduled updates through a proxy server 98
Registering FortiGate units 99
FortiCare Service Contracts 99
Registering the FortiGate unit 100
Updating registration information 102
Recovering a lost Fortinet support password 102
Viewing the list of registered FortiGate units 102
Registering a new FortiGate unit 103
Adding or changing a FortiCare Support Contract number 103
Changing your Fortinet support password 104
Changing your contact information or security question 104
Downloading virus and attack definitions updates 104
Registering a FortiGate unit after an RMA 105
Network configuration 107
Configuring interfaces 107
Viewing the interface list 108
Bringing up an interface 108
Changing an interface static IP address 108
Adding a secondary IP address to an interface 108
Adding a ping server to an interface 109
Controlling management access to an interface 109
Configuring traffic logging for connections to an interface 110
Configuring the wan1 and wan2 interfaces with a static IP address 110
Configuring the wan1 or wan2 interfaces for DHCP 110
Configuring the wan1 and wan2 interfaces for PPPoE 111
Changing the wan1 and wan2 interface MTU size to improve network performance 111
Configuring the management interface (Transparent mode) 112
Adding DNS server IP addresses 113
Configuring routing 113
Adding a default route 114
Adding destination-based routes to the routing table 114
Adding routes in Transparent mode 115
Configuring the routing table 116
Policy routing 116
Policy routing command syntax 117
Providing DHCP services to your internal network 117
Viewing the dynamic IP list 118
RIP configuration 119
RIP settings 120
Configuring RIP for FortiGate interfaces 122
Adding RIP neighbors 123
Adding RIP filters 124
Adding a single RIP filter 124
Adding a RIP filter list 125
Adding a neighbors filter 126
Adding a routes filter 126
System configuration 127
Setting system date and time 127
Changing web-based manager options 128
Adding and editing administrator accounts 130
Adding new administrator accounts 130
Editing administrator accounts 131
Configuring SNMP 132
Configuring the FortiGate unit for SNMP monitoring 132
Configuring FortiGate SNMP support 132
FortiGate MIBs 133
FortiGate traps 134
Customizing replacement messages 134
Customizing replacement messages 135
Customizing alert emails 136
Firewall configuration 139
Default firewall configuration 140
Interfaces 140
Addresses 140
Services 141
Schedules 141
Content profiles 141
Adding firewall policies 142
Firewall policy options 143
Source 143
Destination 143
Schedule 143
Service 143
Action 143
NAT 143
VPN Tunnel 144
Traffic Shaping 144
Authentication 145
Anti-Virus & Web filter 145
Log Traffic 146
Comments 146
Configuring policy lists 147
Policy matching in detail 147
Changing the order of policies in a policy list 147
Enabling and disabling policies 148
Disabling a policy 148
Enabling a policy 148
Addresses 148
Adding addresses 149
Editing addresses 150
Deleting addresses 150
Organizing addresses into address groups 150
Services 151
Predefined services 151
Providing access to custom services 154
Grouping services 154
Schedules 155
Creating one-time schedules 155
Creating recurring schedules 156
Adding a schedule to a policy 157
Virtual IPs 158
Adding static NAT virtual IPs 158
Adding port forwarding virtual IPs 159
Adding policies with virtual IPs 161
IP pools 162
Adding an IP pool 162
IP Pools for firewall policies that use fixed ports 163
IP pools and dynamic NAT 163
IP/MAC binding 164
Configuring IP/MAC binding for packets going through the firewall 164
Configuring IP/MAC binding for packets going to the firewall 165
Adding IP/MAC addresses 165
Viewing the dynamic IP/MAC list 166
Enabling IP/MAC binding 166
Content profiles 167
Default content profiles 168
Adding a content profile 168
Adding a content profile to a policy 169
Users and authentication 171
Setting authentication timeout 172
Adding user names and configuring authentication 172
Adding user names and configuring authentication 172
Deleting user names from the internal database 173
Configuring RADIUS support 174
Adding RADIUS servers 174
Deleting RADIUS servers 174
Configuring LDAP support 175
Adding LDAP servers 175
Deleting LDAP servers 176
Configuring user groups 177
Adding user groups 177
Deleting user groups 178
IPSec VPN 179
Key management 180
Manual Keys 180
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates 180
AutoIKE with pre-shared keys 180
AutoIKE with certificates 180
Manual key IPSec VPNs 181
General configuration steps for a manual key VPN 181
Adding a manual key VPN tunnel 181
AutoIKE IPSec VPNs 183
General configuration steps for an AutoIKE VPN 183
Adding a phase 1 configuration for an AutoIKE VPN 183
Adding a phase 2 configuration for an AutoIKE VPN 187
Managing digital certificates 189
Obtaining a signed local certificate 189
Generating the certificate request 190
Downloading the certificate request 191
Requesting the signed local certificate 191
Retrieving the signed local certificate 192
Importing the signed local certificate 192
Obtaining a CA certificate 193
Retrieving a CA certificate 193
Importing a CA certificate 193
Configuring encrypt policies 194
Adding a source address 195
Adding a destination address 195
Adding an encrypt policy 195
IPSec VPN concentrators 197
VPN concentrator (hub) general configuration steps 197
Adding a VPN concentrator 199
VPN spoke general configuration steps 200
Redundant IPSec VPNs 201
Configuring redundant IPSec VPN 201
Monitoring and Troubleshooting VPNs 203
Viewing VPN tunnel status 203
Viewing dialup VPN connection status 203
Testing a VPN 204
PPTP and L2TP VPN 205
Configuring PPTP 205
Configuring the FortiGate unit as a PPTP gateway 206
Adding users and user groups 206
Enabling PPTP and specifying an address range 206
Adding a source address 207
Adding an address group 207
Adding a destination address 208
Adding a firewall policy 208
Configuring a Windows 98 client for PPTP 208
Installing PPTP support 208
Configuring a PPTP dialup connection 209
Connecting to the PPTP VPN 209
Configuring a Windows 2000 client for PPTP 209
Configuring a PPTP dialup connection 209
Connecting to the PPTP VPN 210
Configuring a Windows XP client for PPTP 210
Configuring a PPTP dialup connection 210
Configuring the VPN connection 210
Connecting to the PPTP VPN 211
Configuring L2TP 211
Configuring the FortiGate unit as a L2TP gateway 212
Adding users and user groups 212
Enabling L2TP and specifying an address range 212
Adding a source address 213
Adding an address group 213
Adding a destination address 214
Adding a firewall policy 214
Configuring a Windows 2000 client for L2TP 215
Configuring an L2TP dialup connection 215
Disabling IPSec 215
Connecting to the L2TP VPN 216
Configuring a Windows XP client for L2TP 216
Configuring an L2TP VPN dialup connection 216
Configuring the VPN connection 216
Disabling IPSec 217
Connecting to the L2TP VPN 218
Network Intrusion Detection System (NIDS) 219
Detecting attacks 219
Selecting the interfaces to monitor 220
Disabling the NIDS 220
Configuring checksum verification 220
Viewing the signature list 221
Viewing attack descriptions 221
Enabling and disabling NIDS attack signatures 222
Adding user-defined signatures 222
Downloading the user-defined signature list 223
Preventing attacks 223
Enabling NIDS attack prevention 223
Enabling NIDS attack prevention signatures 224
Setting signature threshold values 224
Configuring synflood signature values 226
Logging attacks 226
Logging attack messages to the attack log 226
Reducing the number of NIDS attack log and email messages 227
Automatic message reduction 227
Manual message reduction 227
Antivirus protection 229
General configuration steps 229
Antivirus scanning 230
File blocking 231
Blocking files in firewall traffic 231
Adding file patterns to block 231
Blocking oversized files and emails 232
Configuring limits for oversized files and email 232
Exempting fragmented email from blocking 232
Viewing the virus list 232
Web filtering 233
General configuration steps 233
Content blocking 234
Adding words and phrases to the banned word list 234
URL blocking 235
Using the FortiGate web filter 235
Adding URLs or URL patterns to the block list 235
Clearing the URL block list 236
Downloading the URL block list 237
Uploading a URL block list 237
Using the Cerberian web filter 238
General configuration steps 238
Installing a Cerberian license key on the FortiGate unit 238
Adding a Cerberian user to the FortiGate unit 238
Configuring Cerberian web filter 239
Enabling Cerberian URL filtering 239
Script filtering 240
Enabling the script filter 240
Selecting script filter options 240
Exempt URL list 241
Adding URLs to the exempt URL list 241
Email filter 243
General configuration steps 243
Email banned word list 244
Adding words and phrases to the banned word list 244
Email block list 245
Adding address patterns to the email block list 245
Email exempt list 245
Adding address patterns to the email exempt list 246
Adding a subject tag 246
Logging and reporting 247
Recording logs 247
Recording logs on a remote computer 248
Recording logs on a NetIQ WebTrends server 248
Recording logs in system memory 249
Filtering log messages 249
Configuring traffic logging 251
Enabling traffic logging 251
Enabling traffic logging for an interface 251
Enabling traffic logging for a firewall policy 251
Configuring traffic filter settings 252
Adding traffic filter entries 252
Viewing logs saved to memory 253
Viewing logs 253
Searching logs 254
Configuring alert email 254
Adding alert email addresses 254
Testing alert email 255
Enabling alert email 255
Glossary 257
Index 261
Size: 4.18 MB
Pages: 270
Language: English