FortiGate 100 B manual




















When shipped, the FortiGate unit has a default address of You need to configure this and other ports for use on your network. Set the Addressing Mode for the interface. Enter the administrative distance, between 1 and for the. Retrieve default gateway from server: enable this option to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static.

On FortiGate: Enter the username for the PPPoE server. This may have.

Contents:

- Adding port forwarding virtual IPs
- Adding policies with virtual IPs
- IP pools
- Adding an IP pool
- IP pools for firewall policies that use fixed ports
- IP pools and dynamic NAT
- Default content profiles
- Adding a content profile
- Adding a content profile to a policy
- Setting authentication timeout
- Adding user names and configuring authentication
- Deleting user names from the internal database
- Configuring LDAP support
- Adding LDAP servers
- Deleting LDAP servers
- Configuring user groups
- Adding user groups
- Deleting user groups
- Key management
- Manual keys
- General configuration steps for a manual key VPN
- Adding a manual key VPN tunnel
- Managing digital certificates
- Obtaining a signed local certificate
- Obtaining a CA certificate
- Configuring encrypt policies
- Adding a source address
- Adding a destination address
- Adding an encrypt policy
- VPN concentrator (hub) general configuration steps
- Adding a VPN concentrator
- VPN spoke general configuration steps
- Monitoring and troubleshooting VPNs
- Viewing VPN tunnel status
- Viewing dialup VPN connection status
- Testing a VPN
- Configuring PPTP
- Configuring L2TP
- Configuring a Windows client for L2TP
- Detecting attacks
- Selecting the interfaces to monitor
- Disabling the NIDS
- Configuring checksum verification
- Viewing the signature list
- Viewing attack descriptions
- Enabling and disabling NIDS attack signatures
- Adding user-defined signatures
- Preventing attacks
- Enabling NIDS attack prevention
- Enabling NIDS attack prevention signatures
- Setting signature threshold values
- Configuring synflood signature values
- Logging attacks
- Logging attack messages to the attack log
- Reducing the number of NIDS attack log and email messages
- General configuration steps
- Antivirus scanning
- File blocking
- Blocking files in firewall traffic
- Adding file patterns to block
- Blocking oversized files and emails
- Configuring limits for oversized files and email
- Exempting fragmented email from blocking
- Viewing the virus list
- Web filtering
- Content blocking
- Adding words and phrases to the banned word list
- URL blocking
- Using the FortiGate web filter
- Using the Cerberian web filter
- Script filtering
- Enabling the script filter
- Selecting script filter options
- Exempt URL list
- Email banned word list
- Email block list
- Adding address patterns to the email block list
- Email exempt list
- Adding address patterns to the email exempt list
- Adding a subject tag
- Recording logs
- Recording logs on a remote computer
- Recording logs in system memory
- Filtering log messages
- Configuring traffic logging
- Enabling traffic logging
- Configuring traffic filter settings
- Adding traffic filter entries
- Viewing logs saved to memory
- Viewing logs
- Searching logs
- Configuring alert email
- Adding alert email addresses
- Testing alert email
- Enabling alert email

The FortiGate Antivirus Firewall supports network-based deployment of application-level services, including antivirus protection and full-scan content filtering.

FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. Your FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities that include:

The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.

The FortiGate model is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office, and branch office applications. The FortiGate installation wizard guides users through a simple process that enables most installations to be up and running in minutes.

If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient. For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined.

The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period. The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream.

If a requested URL matches an entry on the URL block list, or if a web page is found to contain a word or phrase on the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager. You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely. To prevent unintentional blocking of legitimate web pages, you can add URLs to an Exempt List that overrides the URL blocking and content blocking lists.

Web content filtering also includes a script filter feature that can be configured to block insecure web content such as Java applets, cookies, and ActiveX controls.

If a sender address matches a pattern on the Email block list, or if an email is found to contain a word or phrase on the banned word list, the FortiGate unit adds an Email tag to the subject line of the email.

Receivers can then use their mail client software to filter messages based on the Email tag. You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email.

To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.

After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
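The web-filter precedence described above (exempt list first, then the URL block list, then the content block list, with a block entry able to cover a whole site or only part of it), modelled as an added Python example that is not Fortinet's code. The host/path-prefix matching rule, whole-word matching of banned words and the sample lists are assumptions, not taken from the manual.

```python
"""Model of the FortiGate web-filter decision described above.

Added example, not Fortinet code. Assumed (not from the manual): a list
entry is "host" or "host/path-prefix", matched case-insensitively and
also covering subdomains of host; banned words match as whole words in
the page body; an exempt entry is matched like a block entry and wins
over both the URL block list and the content block list.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lists for demonstration only.
URL_BLOCK_LIST = ["badsite.example/games", "casino.example"]
BANNED_WORDS = ["freebet"]
EXEMPT_LIST = ["intranet.example", "badsite.example/games/policy"]


def url_matches(url: str, pattern: str) -> bool:
    """True if a host or host/path-prefix pattern covers the URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = (parts.path or "/").lower()
    p_host, _, p_path = pattern.lower().partition("/")
    if host != p_host and not host.endswith("." + p_host):
        return False
    prefix = "/" + p_path.rstrip("/")
    if prefix == "/":
        return True  # host-only pattern covers the whole site
    # Path pattern covers that page and everything below it, not "/gamesx".
    return path == prefix or path.startswith(prefix + "/")


def web_filter_decision(url, body, url_block=URL_BLOCK_LIST,
                        banned_words=BANNED_WORDS, exempt=EXEMPT_LIST):
    """Return ("allow" | "block", reason) for one requested page."""
    # The exempt list is consulted first: it overrides both block lists.
    for e in exempt:
        if url_matches(url, e):
            return "allow", f"exempt entry {e!r} overrides blocking"
    for e in url_block:
        if url_matches(url, e):
            return "block", f"URL matches block entry {e!r}"
    for w in banned_words:
        if re.search(r"\b" + re.escape(w) + r"\b", body, re.IGNORECASE):
            return "block", f"page contains banned word {w!r}"
    return "allow", "no match"


if __name__ == "__main__":
    samples = [  # constructed requests: (URL, page body)
        ("http://badsite.example/games/slots", "welcome"),
        ("http://badsite.example/news", "daily news"),
        ("http://badsite.example/games/policy", "house rules"),
        ("http://www.casino.example/", "spin now"),
        ("http://news.example/", "Win a FREEBET today"),
        ("http://news.example/", "freebets galore"),
        ("http://intranet.example/", "freebet"),
    ]
    for url, body in samples:
        verdict, why = web_filter_decision(url, body)
        print(f"{verdict:5} {url:40} {why}")
```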

Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components.

NIDS detection uses attack signatures to identify over attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined detection attack signatures.

NIDS prevention detects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters. To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.

Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate unit to automatically check for and download attack definition updates.

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network. You can then use the web-based manager to customize advanced FortiGate features to meet your needs.

The web-based manager supports multiple languages. You can use the web-based manager for most FortiGate configuration settings. You can also use the web-based manager to monitor the status of the FortiGate unit.

Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time. The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options not available from the web-based manager.

The FortiGate unit supports logging of various categories of traffic and of configuration changes. You can configure logging to: Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGate units to log the most recent events and attacks detected by the NIDS to shared system memory.

This section presents a brief summary of some of the new features in FortiOS v2.

You can register your FortiGate unit and get access to other technical support resources. New features include:

This installation and configuration guide describes how to install and configure the. This chapter also contains procedures for connecting to the FortiGate tech support web site and for registering your FortiGate unit.

This chapter describes setting the system time, adding and changing administrative users, configuring SNMP, and editing replacement messages. You enter restore config myfile. You can enter set system opmode nat or set system opmode transparent.

Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.

Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.

Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference. The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit. You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall.

When you have completed the procedures in this chapter, you can proceed to one of the following: The FortiGate unit can be installed on any stable surface.

Make sure that the appliance has at least 1. The FortiGate unit starts up. The Power and Status lights come on. The Status light flashes while the FortiGate unit is starting up and remains lit when the system is up and running. Use the following procedure to connect to the web-based manager for the first time. Note: You can use the web-based manager with recent versions of most popular web browsers.

The web-based manager is fully supported for Internet Explorer version 4. The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions. As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI.

Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service. The following prompt appears: The FortiGate unit is shipped with a factory default configuration.

This default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto your network.

To configure the FortiGate unit onto your network, you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing if required. If you are planning to operate the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode.

Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.

The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit. The factory default content profiles can be used to quickly apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic controlled by firewall policies.

This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network. Ping management access means this interface responds to ping requests.

If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3. You can use content profiles to apply different protection settings for content traffic controlled by firewall policies.

You can use content profiles for: Using content profiles you can build up protection configurations that can be easily applied to different types of firewall policies. This allows you to customize different types and different levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection.

You can configure policies for different traffic services to use the same or different content profiles. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection. Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control.

Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected. Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network.

Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select. Like a router, the FortiGate unit has all of its interfaces on different subnets. You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode.

In NAT mode, the FortiGate unit performs network address translation before the packet is sent to the destination network. In route mode, no translation takes place. By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured more security policies. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).

If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them. For example, you could create the following configuration: You must configure routing to support redundant Internet connections. Routing can be used to automatically redirect connections from an interface if its connection to the external network fails.

You would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of the FortiGate interfaces must be on the same subnet.

You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates. You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. You can connect up to three network segments to the FortiGate unit to control traffic between these network segments.

You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.

Using the wizard, you can also add DNS server IP addresses and a default route for the external interface. If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the Setup Wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.

If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses. Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks:

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. Select the Next button to step through the wizard pages. Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds port forwarding virtual IPs and firewall policies for each server.

If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using the new IP address. As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). Use the information that you gathered in Table 10 on page 43 to complete the following procedures.

When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. Note: You can also connect both the external and DMZ interfaces to different Internet connections to provide a redundant connection to the Internet.

Connect to the public switch or router provided by your Internet Service Provider. You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network. For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface.

For your external network, route all packets to the FortiGate external interface. Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address. Use the information in this section to complete the initial configuration of the FortiGate unit.

Use the following procedure to configure the DMZ interface using the web-based manager.

For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.

To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:

Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased.

Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions.

This section describes some basic routing and firewall policy configuration examples for a FortiGate unit with multiple connections to the Internet (see Figure 8).

In this topology, the organization operating the FortiGate unit uses two Internet service providers to connect to the Internet. By adding ping servers to interfaces, and by configuring routing you can control how traffic uses each Internet connection.

With this routing configuration in place, you can proceed to create firewall policies to support multiple Internet connections.


